Core Infrastructure and Security Blog

End-to-End Automation of Onboarding a Virtual Machine to Defender for Servers

SantoshPargi
Feb 11, 2025

Overview:

The Defender for Servers plan in Microsoft Defender for Cloud reduces security risk and exposure for machines in your organization by providing actionable recommendations to improve and remediate security posture. Defender for Servers also helps to protect machines against real-time security threats and attacks.

Defender for Servers Plan 1 focuses on the EDR capabilities provided by the Defender for Endpoint integration. Microsoft Defender for Endpoint (MDE) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. For more information about MDE, see Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn.

This article focuses on the end-to-end automation of onboarding a virtual machine to Defender for Servers, deploying the MDE extension, and adding the machine to a dynamic group so that it receives the desired MDE policy.

The high-level steps are:

  1. Deploy a virtual machine (example name: MDE) in an Azure subscription.
  2. Create a dynamic group (example name: MDE-Dynamic Group) in Intune (Endpoint.Microsoft.com) with a rule that adds any device whose display name starts with “MDE” to “MDE-Dynamic Group”.
  3. Enable Microsoft Defender for Endpoint (MDE) security settings management.
  4. Create an AV policy (example name: MDE-AV) in Intune and assign it to “MDE-Dynamic Group”.
  5. Enable the Defender for Servers plan on the subscription.
  6. Configure Endpoint protection auto-provisioning in Settings & Monitoring.
  7. The device is onboarded to MDE (security.microsoft.com) automatically.
  8. The device is automatically added to MDE-Dynamic Group.
  9. The device receives the MDE-AV policy because it is a member of MDE-Dynamic Group.

Let us go through the detailed steps of this Defender for Servers onboarding and policy configuration.

  1. Deploy a virtual machine (example name: MDE) in an Azure subscription.

The picture below shows the virtual machine deployed in the Azure subscription. For instructions, see Quickstart - Create a Windows VM in the Azure portal - Azure Virtual Machines | Microsoft Learn.

  2. Create a dynamic group (example name: MDE-Dynamic Group) in Intune.

To create a dynamic group in Intune:

  • Sign in to the Microsoft Intune admin center.
  • Go to Groups, then select New group.
  • Set the following in the New Group pane:
      o Group type: Security
      o Group name: e.g., MDE-Dynamic Group
      o Group description: Optional
      o Membership type: Dynamic Device or Dynamic User
  • Click Add dynamic query to define membership rules.
  • In the Dynamic membership rules pane, use the rule builder or enter a custom query to specify criteria, e.g., (device.deviceOSType -eq "Windows") -and (device.displayName -startsWith "MDE").
  • Save the query and Create the group.

This will create a dynamic group that automatically includes devices or users based on your criteria.
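The membership rule decides which devices land in the group, and therefore which devices receive the MDE-AV policy assigned later in this article, so it is worth checking the match set before creating the group. The script below is an added example (not code from the article or from Microsoft) that evaluates a small subset of the Entra dynamic-membership rule syntax (device.<property>, -eq, -startsWith, -and, -or and parentheses) against a constructed device inventory. Treating string comparison as case-insensitive is an assumption of this toy evaluator, to be confirmed against the Entra documentation; the device records, helper names and the Rule class are all the example's own.

```python
"""Offline evaluator for a subset of Entra dynamic-membership rule syntax.
Constructed example, not Microsoft code. Supports device.<property>, -eq,
-startsWith, -and, -or and parentheses; string comparison is treated as
case-insensitive here, which is an assumption of this toy."""
import re

# Tokens: "(", ")", a quoted string, an -operator, a device property, or junk (\S+).
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|-[A-Za-z]+|device\.[A-Za-z]+|\S+')
COMPARISONS = {
    "-eq": lambda actual, wanted: actual == wanted,
    "-startswith": lambda actual, wanted: actual.startswith(wanted),
}

def tokenize(text):
    """Turn rule text into (kind, value) tokens; anything unrecognised is an error."""
    tokens = []
    for tok in TOKEN_RE.findall(text):
        if tok in ("(", ")"):
            tokens.append(("paren", tok))
        elif len(tok) >= 2 and tok[0] == tok[-1] == '"':
            tokens.append(("str", tok[1:-1]))
        elif tok.startswith("-"):
            tokens.append(("op", tok.lower()))
        elif tok.startswith("device."):
            tokens.append(("prop", tok[len("device."):]))
        else:
            raise ValueError(f"cannot tokenize {tok!r}")
    return tokens

class Rule:
    """Recursive descent, parsed and evaluated in one pass: expr := term (-or term)*; term := factor (-and factor)*."""
    def __init__(self, text):
        self.tokens, self.i = tokenize(text), 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, expected=None):
        """Consume the next token; `expected` is a kind ("prop") or a (kind, value) pair."""
        tok = self.peek()
        if tok[0] is None or (expected and expected not in (tok, tok[0])):
            raise ValueError(f"expected {expected or 'a token'}, got {tok}")
        self.i += 1
        return tok

    def matches(self, device):
        """Evaluate the whole rule against one device record (dict attribute -> value)."""
        self.i = 0
        result = self.expr(device)
        if self.peek()[0] is not None:              # leftover tokens, e.g. a stray ")"
            raise ValueError(f"unexpected trailing token {self.peek()}")
        return result

    def expr(self, device):
        result = self.term(device)
        while self.peek() == ("op", "-or"):
            self.take()
            result = self.term(device) or result    # call first so tokens are always consumed
        return result

    def term(self, device):
        result = self.factor(device)
        while self.peek() == ("op", "-and"):
            self.take()
            result = self.factor(device) and result
        return result

    def factor(self, device):
        if self.peek() == ("paren", "("):
            self.take()
            result = self.expr(device)
            self.take(("paren", ")"))               # fails on an unbalanced "("
            return result
        prop, op = self.take("prop")[1], self.take("op")[1]
        if op not in COMPARISONS:
            raise ValueError(f"unsupported comparison operator {op}")
        wanted, actual = self.take("str")[1], device.get(prop)
        # An attribute the device lacks never matches.
        return actual is not None and COMPARISONS[op](str(actual).lower(), wanted.lower())

def rule_is_valid(text):
    """True when the rule parses end to end; unbalanced parentheses or unknown operators give False."""
    try:
        Rule(text).matches({})
        return True
    except ValueError:
        return False

def members(text, devices):
    """Display names of the devices the rule would pull into the dynamic group."""
    rule = Rule(text)
    return [d["displayName"] for d in devices if rule.matches(d)]

RULE = '(device.deviceOSType -eq "Windows") -and (device.displayName -startsWith "MDE")'
# Constructed inventory for the example; only these two attributes matter to RULE.
DEVICES = [
    {"displayName": "MDE", "deviceOSType": "Windows"},
    {"displayName": "MDE-SQL01", "deviceOSType": "Windows"},
    {"displayName": "mde-test", "deviceOSType": "Windows"},
    {"displayName": "MDE-LNX", "deviceOSType": "Linux"},
    {"displayName": "WEB01", "deviceOSType": "Windows"},
]

if __name__ == "__main__":
    print(members(RULE, DEVICES))    # ['MDE', 'MDE-SQL01', 'mde-test']
```

Running it lists MDE, MDE-SQL01 and mde-test: a -startsWith rule keyed on a naming prefix pulls in every device that shares the prefix, so the prefix should be specific enough that unrelated machines do not inherit the AV policy by accident, and it is the deviceOSType clause that keeps the Linux box out. The evaluator also rejects a rule with an unbalanced parenthesis, which is the kind of typo to catch before saving the query.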


  3. Enable Microsoft Defender for Endpoint (MDE) security settings management.

When you integrate Microsoft Intune with Microsoft Defender for Endpoint, you can use Intune endpoint security policies to manage the Defender security settings on devices that are not enrolled with Intune. This capability is known as Defender for Endpoint security settings management.

To support security settings management through the Microsoft Intune admin center, you must enable communication between them from within each console.

The following sections guide you through that process.

Configure Microsoft Defender for Endpoint

In the Microsoft Defender portal, as a security administrator:

a) Sign in to the Microsoft Defender portal and go to Settings > Endpoints > Configuration Management > Enforcement Scope and enable the platforms for security settings management.

b) Initially, we recommend testing the feature for each platform by selecting the platforms option for On tagged devices and then tagging the devices with the MDE-Management tag.

c) Configure the feature for Microsoft Defender for Cloud onboarded devices and Configuration Manager authority settings to fit your organization's needs:

Configure Intune

a) In the Microsoft Intune admin center, your account needs permissions equal to the Endpoint Security Manager built-in role-based access control (RBAC) role.

b) Sign in to the Microsoft Intune admin center.

c) Select Endpoint security > Microsoft Defender for Endpoint, and set Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations to On.

d) When you set this option to On, all devices in the platform scope for Microsoft Defender for Endpoint that are not managed by Microsoft Intune qualify to onboard to Microsoft Defender for Endpoint.

For detailed information, see Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn.

  4. Create an AV policy (example name: MDE-AV) in Intune and assign it to “MDE-Dynamic Group”.

Step 1: Create the AV Policy

  • Sign in to the Microsoft Intune admin center.
  • Navigate to Endpoint security and select Antivirus.
  • Click on Create Policy.
  • For the Platform, select Windows 10 and later.
  • For the Profile, select Microsoft Defender Antivirus and then click Create.
  • On the Basics page, provide a Name (e.g., MDE-AV) and an optional Description.
  • On the Configuration settings page, configure the antivirus settings as needed.
  • Click Next to proceed through the remaining pages and then click Create to finalize the policy.

Step 2: Assign the AV Policy to the Dynamic Group

  • After creating the policy, go to Devices > Configuration profiles.
  • Select the MDE-AV policy you created.
  • In the Properties pane, select Assignments > Edit.
  • Under Included groups, click Add groups and select the MDE-Dynamic Group.
  • Click Select and then Review + Save to apply the assignment.
  • This will ensure that the AV policy is applied to all devices in the "MDE-Dynamic Group."

  5. Enable the Defender for Servers plan on a subscription.

To enable the Defender for Servers plan in Microsoft Defender for Cloud:

  • Sign in to the Azure portal.
  • Search for and select "Microsoft Defender for Cloud".
  • Go to Environment settings in the menu.
  • Choose the relevant Azure subscription, AWS account, or GCP project.
  • On the Defender plans page, toggle the Servers switch to On.
  • By default, this activates Defender for Servers Plan 2. You can choose Plan 1 or Plan 2 in the popup window.

  6. Configure Endpoint protection auto-provisioning in Settings & Monitoring.

To configure Endpoint protection auto-provisioning in Microsoft Defender for Cloud, follow these steps:

  • Sign in to the Azure portal.
  • Navigate to Microsoft Defender for Cloud.
  • In the Defender for Cloud menu, select Environment settings.
  • Select the relevant subscription.
  • Go to the Auto-provisioning page.
  • For the Log Analytics agent / Azure Monitoring Agent, select Edit Configuration.
  • Set the Auto-provisioning switch to On for the desired agents.
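Steps 5 and 6 above are shown as portal clicks; the same two subscription-level changes can be made through the Azure Resource Manager REST API, which is how you would script them across many subscriptions. The script below is an added example, not code from the article or from Microsoft. It assumes a bearer token for https://management.azure.com/ in the AZURE_TOKEN environment variable (for instance from az account get-access-token), the Microsoft.Security pricings API version 2023-01-01 and settings API version 2022-05-01, and that the setting named WDATP (kind DataExportSettings) is the ARM-side switch behind the Endpoint protection integration toggle. The helper names, the subscription-ID check and the request-spec dictionaries are the example's own.

```python
"""Enable the Defender for Servers plan and the Defender for Endpoint
integration on a subscription through the Azure Resource Manager REST API.
Added example, not code from the article or from Microsoft; see the
assumptions listed in the comments below."""
import json
import os
import re
import urllib.request

ARM = "https://management.azure.com"
# A subscription ID is a GUID; refuse anything else before it goes into a URL path.
SUB_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
PRICINGS_API = "2023-01-01"   # assumption: API version of Microsoft.Security/pricings
SETTINGS_API = "2022-05-01"   # assumption: API version of Microsoft.Security/settings


def _check_subscription(subscription_id):
    if not SUB_RE.match(subscription_id):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    return subscription_id


def servers_plan_request(subscription_id, sub_plan="P1"):
    """Request spec that turns on Defender for Servers (step 5): Standard tier, P1 or P2."""
    if sub_plan not in ("P1", "P2"):
        raise ValueError("sub_plan must be 'P1' or 'P2'")
    sub = _check_subscription(subscription_id)
    return {
        "method": "PUT",
        "url": f"{ARM}/subscriptions/{sub}/providers/Microsoft.Security/pricings/VirtualMachines?api-version={PRICINGS_API}",
        "body": {"properties": {"pricingTier": "Standard", "subPlan": sub_plan}},
    }


def mde_integration_request(subscription_id, enabled=True):
    """Request spec for the MDE integration setting (step 6's Endpoint protection toggle)."""
    sub = _check_subscription(subscription_id)
    return {
        "method": "PUT",
        "url": f"{ARM}/subscriptions/{sub}/providers/Microsoft.Security/settings/WDATP?api-version={SETTINGS_API}",
        "body": {"kind": "DataExportSettings", "properties": {"enabled": bool(enabled)}},
    }


def plan_is_enabled(pricing, sub_plan):
    """Check a pricings response (GET or PUT) to confirm the change actually landed."""
    props = pricing.get("properties", {})
    return props.get("pricingTier") == "Standard" and props.get("subPlan") == sub_plan


def send(req, token):
    """Execute one request spec with a bearer token and return the parsed JSON body."""
    data = json.dumps(req["body"]).encode()
    http_req = urllib.request.Request(req["url"], data=data, method=req["method"])
    http_req.add_header("Authorization", f"Bearer {token}")
    http_req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ["AZURE_TOKEN"]
    sub_id = os.environ["AZURE_SUBSCRIPTION_ID"]
    pricing = send(servers_plan_request(sub_id, "P1"), token)
    print("Defender for Servers P1 enabled:", plan_is_enabled(pricing, "P1"))
    setting = send(mde_integration_request(sub_id), token)
    print("MDE integration enabled:", setting.get("properties", {}).get("enabled"))
```

Both calls are idempotent PUTs, so the script can be re-run safely as a drift check; plan_is_enabled reads the response rather than trusting the HTTP status, which is the check to keep when you roll this out with a least-privilege identity (Security Admin on the subscription is sufficient; Owner is not needed).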

  7. Device gets onboarded to MDE (security.microsoft.com).

Once the above steps are performed, the machine MDE is onboarded to the security.microsoft.com portal automatically, with the MDE extension deployed.

  8. Device gets automatically added to MDE-Dynamic Group.

You will observe that the device “MDE” is added to the dynamic group named “MDE-Dynamic Group” automatically.

  9. Device receives the MDE-AV policy as it is part of MDE-Dynamic Group.

You will also observe that the device gets the AV policy that was configured and assigned to the dynamic group.

Policies are deployed successfully

Below is the status of the device in the Intune portal

Below is the status of the device in the MDE portal

Summary

When the Defender for Servers plan is enabled, the device is onboarded to MDE (security.microsoft.com) and automatically added to the MDE-Dynamic Group. It receives the MDE-AV policy as a member of that group, and the policies deploy successfully. The device's status can be viewed in both the Intune and MDE portals.

Updated Feb 12, 2025
Version 2.0