MDE Deployment and Configuration Steps with Security Policy Details

The following steps are used only in a selected environment that needs a simplified deployment: the goal is to bring MDE to all devices as fast as possible (within a week for about 1k devices, including Windows, macOS, Linux, servers and workstations), remove the existing expired antimalware software, and at the same time apply the maximum possible security on the endpoint devices.

An ideal deployment would take 2-3 months, with thorough testing, planning and verification.

Background

A third-party antivirus / antimalware product is already deployed on all workstations and servers.
Microsoft Defender for Endpoint (P2) and Defender for Servers (P1) have been selected to replace this third-party security software on all workstations (Windows and Mac) and all servers (Windows and Linux).

From Microsoft Learn, https://learn.microsoft.com/en-us/defender-endpoint/mde-planning-guide, the steps to deploy Defender for Endpoint are:

The deployment steps

  1. Step 1 - Set up Microsoft Defender for Endpoint deployment: This step focuses on getting your environment ready for deployment.
  2. Step 2 - Assign roles and permissions: Identify and assign roles and permissions to view and manage Defender for Endpoint.
  3. Step 3 - Identify your architecture and choose your deployment method: Identify your architecture and the deployment method that best suits your organization.
  4. Step 4 - Onboard devices: Assess and onboard your devices to Defender for Endpoint.
  5. Step 5 - Configure capabilities: You're now ready to configure Defender for Endpoint security capabilities to protect your devices.

High Level Deployment Steps for Workstation

1 Generating the onboarding package

Onboard devices to Microsoft Defender for Endpoint using the onboarding configuration package that matches your preferred deployment method. For other device preparation instructions, read Onboard and set up.
  • Group Policy

You can configure your devices using Group Policy.
For more information on how to configure and monitor Microsoft Defender for Endpoint devices see Configure devices using Group Policy section in the Microsoft Defender for Endpoint guide.

  • Local Script (for up to 10 devices)

You can configure a single device by running a script locally.
Note: This script has been optimized for usage with a limited number of devices (1-10). To deploy at scale, please see the other deployment options above.
For more information on how to configure and monitor Microsoft Defender for Endpoint devices, see the Configure devices using a local script section in the Microsoft Defender for Endpoint guide.

2 Deploy the onboarding package (script) to all workstations

This can be done phase by phase, starting with pilot machines, then department by department or location by location.

Check the MDE portal (https://security.microsoft.com/ > Assets > Devices) to get the list of all machines and their onboarding status.
You can use Group Policy, or the third-party deployment tool you already use for patching and software installation, to deploy this script.

High Level Deployment Steps for Servers


Security Policies for Windows Workstation

 Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn

Intune - Endpoint Security -  Manage - AntiVirus

Security Policies for Windows Servers

 

Configuration Settings:

Intune - Endpoint Security -  Manage - Attack surface reduction

Security Policies for Mac

 

Security Policies for Linux

 

Microsoft Defender for Endpoint client analyzer

 

  1. The latest stable edition is available for download from the following URL: https://aka.ms/MDEAnalyzer
  2. The latest preview edition is available for download from the following URL: https://aka.ms/MDEClientAnalyzerPreview
  3. The latest stable edition will be integrated into the Defender for Endpoint agent. Ensure that you are running the latest edition for either macOS or Linux.
  4. The latest preview edition is available for direct download from the following URL: https://aka.ms/XMDEClientAnalyzer

MDE VDI Deployments

 https://learn.microsoft.com/en-us/defender-endpoint/configure-endpoints-vdi

Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR
  1. Open the VDI configuration package file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard. You can also get the package from the Microsoft Defender portal.

    1. In the navigation pane, select Settings > Endpoints > Device management > Onboarding.

    2. Select the operating system.

    3. In the Deployment method field, select VDI onboarding scripts for non-persistent endpoints.

    4. Select Download package and save the file.

  2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the zipped folder into the golden/primary image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup. (If the folder does not exist yet, it is created by the local Group Policy configuration in the next step.)

    • If you're implementing multiple entries for each device - one for each session, copy WindowsDefenderATPOnboardingScript.cmd.

    • If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.

  3. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows Settings > Scripts > Startup.

     Note

    Domain Group Policy may also be used for onboarding non-persistent VDI devices.

  4. Depending on the method you'd like to implement, follow the appropriate steps:

    Method: Single entry for each device
      1. Select the PowerShell Scripts tab, then select Add (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
      2. Navigate to the onboarding PowerShell script Onboard-NonPersistentMachine.ps1. There's no need to specify the other file, as it's triggered automatically.

    Method: Multiple entries for each device
      1. Select the Scripts tab, then select Add (Windows Explorer opens directly in the path where you copied the onboarding script earlier).
      2. Navigate to the onboarding batch script WindowsDefenderATPOnboardingScript.cmd.
  5. Test your solution

The VDI master (golden) image itself must not be onboarded into the MDE portal. To prevent that, the following wrapper script checks the hostname of the machine against a list of known master images before running the VDI startup (onboarding) script:

Write-Host "INFO: Checking hostname against a list of known master images... Please wait..."

# Get the current hostname
$CURRENT_HOSTNAME = (hostname)

# Define the hostnames of the known master images
$TARGET_HOSTNAMES = @("example1", "example2", "example3", "example4", "MDLT2")

Write-Host "INFO: Current hostname is $CURRENT_HOSTNAME"
Write-Host "INFO: Target hostnames are $($TARGET_HOSTNAMES -join ', ')"

# Initialize a flag to indicate if a match is found
$MATCH_FOUND = $false

# Check if the current hostname matches any of the target hostnames (-eq is case-insensitive)
foreach ($TARGET_HOSTNAME in $TARGET_HOSTNAMES) {
    if ($CURRENT_HOSTNAME -eq $TARGET_HOSTNAME) {
        $MATCH_FOUND = $true
        Write-Host "INFO: Hostname matches one of the target hostnames"
        Write-Host "WARNING: This machine is a master image... Exiting..."
        exit
    }
}

if (-not $MATCH_FOUND) {
    Write-Host "INFO: Hostname does not match any of the target hostnames"
    # Run the Microsoft onboarding script that sits next to this wrapper
    $script = Join-Path $PSScriptRoot "Onboard-NonPersistentMachine.ps1"
    & $script
}


For Windows 2012 R2 and Windows 2016, the onboarding script for the VDI master image is modified by prepending the same hostname check to the Microsoft onboarding batch script:

@echo off
rem Stop here when this machine is one of the known VDI master images,
rem so that the golden image itself is never onboarded.
echo INFO: Checking hostname against a list of known master images... Please wait...
for /f "tokens=*" %%i in ('hostname') do set CURRENT_HOSTNAME=%%i
set TARGET_HOSTNAMES=example1 example2 example3 example4
echo INFO: Current hostname is %CURRENT_HOSTNAME%
echo INFO: Target hostnames are %TARGET_HOSTNAMES%
set MATCH_FOUND=false
rem /i makes the comparison case-insensitive, matching the PowerShell version
for %%h in (%TARGET_HOSTNAMES%) do (
    if /i "%CURRENT_HOSTNAME%"=="%%h" (
        set MATCH_FOUND=true
        echo INFO: Hostname matches one of the target hostnames
        echo WARNING: This machine is a master image... Exiting...
        exit
    )
)
rem No match: fall through to the unmodified Microsoft onboarding script below


echo This script is for onboarding machines to the Microsoft Defender for Endpoint services, including security and compliance products.
echo Once completed, the machine should light up in the portal within 5-30 minutes, depending on this machine's Internet connectivity availability and machine power state (plugged in vs. battery powered).
echo IMPORTANT: This script is optimized for onboarding a single machine and should not be used for large scale deployment.
echo For more information on large scale deployment, please consult the MDE documentation (links available in the MDE portal under the endpoint onboarding section).
echo.
:USER_CONSENT
...
...(omitted)


Device Groups / User Groups

Many users ask when to use user groups and when to use device groups. The answer depends on your goal. Here's some guidance to get you started.

Device groups

If you want to apply settings on a device, regardless of who's signed in, then assign your policies to a devices group. Settings applied to device groups always go with the device, not the user.

For example:

  • Device groups are useful for managing devices that don't have a dedicated user. For example, you have devices that print tickets, scan inventory, are shared by shift workers, are assigned to a specific warehouse, and so on. Put these devices in a devices group, and assign your policies to this devices group.

  • You create a Device Firmware Configuration Interface (DFCI) Intune profile that updates settings in the BIOS. For example, you configure this policy to disable the device camera, or lock down the boot options to prevent users from booting up another OS. This policy is a good scenario to assign to a devices group.

  • On some specific Windows devices, you always want to control some Microsoft Edge settings, regardless of who's using the device. For example, you want to block all downloads, limit all cookies to the current browsing session, and delete the browsing history. For this scenario, put these specific Windows devices in a devices group. Then, create an Administrative Template in Intune, add these device settings, and then assign this policy to the devices group.

To summarize, use device groups when you don't care who's signed in on the device, or if anyone signs in. You want your settings to always be on the device.

User groups

Policy settings applied to user groups always go with the user, and go with the user when signed in to their many devices. It's normal for users to have many devices, such as a Surface Pro for work, and a personal iOS/iPadOS device. And, it's normal for a person to access email and other organization resources from these devices.

If a user has multiple devices on the same platform, then you can use filters on the group assignment. For example, a user has a personal iOS/iPadOS device, and an organization-owned iOS/iPadOS. When you assign a policy for that user, you can use filters to target only the organization-owned device.

Follow this general rule: If a feature belongs to a user, such as email or user certificates, then assign to user groups.

For example:

  • You want to put a Help Desk icon for all users on all their devices. In this scenario, put these users in a users group, and assign your Help Desk icon policy to this users group.

  • A user receives a new organization-owned device. The user signs in to the device with their domain account. The device is automatically registered in Microsoft Entra ID, and automatically managed by Intune. This policy is a good scenario to assign to a users group.

  • Whenever a user signs in to a device, you want to control features in apps, such as OneDrive or Office. In this scenario, assign your OneDrive or Office policy settings to a users group.

    For example, you want to block untrusted ActiveX controls in your Office apps. You can create an Administrative Template in Intune, configure this setting, and then assign this policy to a users group.

To summarize, use user groups when you want your settings and rules to always go with the user, whatever device they use.


Sample Device Groups:

Create Custom Role:

Permissions:

Roles for Endpoints, Defender XDR, and Cloud Apps


Tags

 

https://www.matej.guru/p/microsoft-defender-for-endpoint-script?utm_source=publication-search

Here's an example of how to add a TAG to devices using the onboarding script:

  1. Open the onboarding script file in a text editor

  2. Locate the :SCRIPT_START section

  3. Add a command to assign a TAG to the device. For instance, if we want to assign a TAG "Workgroup", we can use the following command:

REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v Group /t REG_SZ /f /d "Workgroup" >NUL 2>&1

By incorporating a command to assign TAGs within the onboarding script, we can streamline the process and automatically categorize the devices during onboarding.
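For devices that are already onboarded (or when the tag should be set outside the onboarding script), the same registry value can be written from PowerShell and the local onboarding state checked at the same time. This is an added example, not part of the original post: the DeviceTagging\Group value is the one used by the REG add command above; the Status\OnboardingState value and the Sense service name are Microsoft's documented Windows onboarding indicators; the tag validation pattern is an assumption chosen for this example.

```powershell
# Added example: set the MDE device tag and verify local onboarding state.
# Assumptions: DeviceTagging\Group (as in the onboarding script above),
# Status\OnboardingState and the 'Sense' service are the documented Windows
# onboarding indicators; the tag character set below is a chosen restriction.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9 _-]{1,200}$')]   # keep tags simple and predictable
    [string]$Tag
)

$tagKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

# Both keys live under HKLM, so an elevated session is required.
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated PowerShell session.' }

# 1. Write the tag (same value the REG add line in the onboarding script sets).
if (-not (Test-Path $tagKey)) { New-Item -Path $tagKey -Force | Out-Null }
Set-ItemProperty -Path $tagKey -Name 'Group' -Value $Tag -Type String
Write-Host "INFO: DeviceTagging\Group set to '$Tag'"

# 2. Confirm the sensor service is present and running.
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
if ($null -eq $sense) {
    Write-Warning 'Sense service not found: the onboarding package has not run on this device.'
} elseif ($sense.Status -ne 'Running') {
    Write-Warning "Sense service is $($sense.Status); expected Running."
} else {
    Write-Host 'INFO: Sense service is running'
}

# 3. Confirm the device reports as onboarded (OnboardingState = 1).
$state = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue).OnboardingState
switch ($state) {
    1       { Write-Host 'INFO: OnboardingState = 1 (onboarded); the tag shows in the portal after the next sensor check-in' }
    0       { Write-Warning 'OnboardingState = 0: device is offboarded' }
    default { Write-Warning 'OnboardingState not present: onboarding has not completed on this device' }
}
```

Run it once per device (for example as a Group Policy startup script with the tag derived from the device's OU or site) and compare the result with the Devices page in the portal.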

Web Content Filtering

 

RBAC

 

Copyright notice:
Author: congcong
Link: https://www.techfm.club/p/190695.html
Source: TechFM
The article is copyrighted by the author; do not reproduce without permission.
