Manage Windows Servers with Defender for Endpoint and Intune
Dean Ellerby
wpninjas.uk | robopack.com | learn.alpenshield.io | Speaker | Author | Microsoft MVP | MCT
Windows Server devices can’t be enrolled into Intune, but Intune is a very neat way to deploy Defender for Endpoint configuration such as Attack Surface Reduction rules.
Luckily we can still manage Windows Servers from Intune, through Defender for Endpoint, using a clever technique called Security Management for Microsoft Defender for Endpoint.
With this capability, devices that aren’t managed by a Microsoft Intune service can receive security configurations for Microsoft Defender for Endpoint directly from Intune.
This has been possible for over a year - I made a video of it back then - but it was only possible for devices that were Hybrid or Azure AD joined, meaning some devices such as kiosks or even Domain Controllers weren’t possible to manage.
Last week, Microsoft announced that they have updated the enrollment requirements - and Azure AD Join is no longer required. They’ve done some magic in the background so that the Defender for Endpoint agent itself is joining Azure AD in some stealthy way, which means the device doesn’t need to.
It’s in preview at the moment, but let’s jump in and take a look. I started recording a video for the channel covering this, but the portals took over an hour to update and confirm the onboarding, so I ran out of time before I had to catch my train to InfoSec London. Watch out for the video coming on Friday.
Once you’ve enrolled to the public preview and onboarded some devices (check out my upcoming video on how to do that!), we’ll see the devices appear in the various portals after a few minutes, and sometimes hours.
Here’s what the Azure AD (or Entra) experience will be:
Notice the devices (AVM-055500-6 and AVM-055500-7) show up as Azure AD joined, even though they are not at all Azure AD Joined. The MDM is showing as Intune, but they are not enrolled in Intune.
It’s a different story from the Intune portal perspective:
Here, we see that the devices (6 and 7) are managed by MDE, not Intune, and Ownership, Compliance and Primary User information is not populated.
From the Security portal perspective it’s still not very clear what state these devices are in:
They’re showing as Azure AD Joined (they’re not, although technically the MDE component of them is). We see that the exposure level has been assessed, and we are shown the OS version. These devices are fully onboarded to MDE, as shown in the detailed device screen:
The removal of the Azure AD Join enrollment requirement for this feature is a game-changer, and is a big step forward to allow organizations to secure all their devices with Defender for Endpoint.
Copilot, Endpoint Architecture and Cloud Security specialist
1 yr · Great Dean. I'm working for a customer with this and we now have a test server listed as a device in Intune but it says it is managed by ConfigMgr. I can't find out how to switch the server to be managed by MDE. Do you know how? (The server is hybrid joined)
Senior Consultant at Ergo Technology Group | 3x Microsoft MVP
1 yr · Sadly DCs are not supported just yet: https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?view=o365-worldwide&pivots=mdssc-preview#use-of-security-settings-management-on-domain-controllers
Mentoring Next-gen Network security professionals
1 yr · Can you deploy MDE without Intune?
Love it! Thanks for the information!!
wpninjas.uk | robopack.com | learn.alpenshield.io | Speaker | Author | Microsoft MVP | MCT
1 yr · Aaaand here is the video: https://www.youtube.com/watch?v=O9Ee1N8b068