Microsoft Tech Community

Enroll


My devices are AD connected to my on-prem AD.
We have MS 365 Business.
I have onboarded them to Endpoints / Defender with GPO.
All my devices can be seen in Assets --> Devices in security.microsoft.com.
The devices are Microsoft Entra registered and we have no plans to enroll them in Intune.
Where do I go from here, how can I set Endpoint Security Policies? For example Defender Antivirus, Attack Surface Reduction rules, Firewall, EDR and Device Control?
Do I need to do that via GPO in my on-prem AD?
Would really appreciate some guidance.

best response confirmed by PatrikStar73 (Copper Contributor)
Solution
Hi Patrik,

Since you stated that you do not want to use Intune, you can use GPO to manage some of the settings that you specified, such as Defender AV, ASR, and Firewall. However, since you have M365 Business, you should consider using Intune, since that is included in Premium. I assume you have Premium because you mentioned that you want to manage EDR, which is a Premium feature.
Managing Windows AV, Firewall, ASR, EDR, and Device Control is significantly easier in Intune. Also, GPO is only effective if your users have direct line of sight to the domain controller, whereas Intune can manage your machines even when they are not on the network (disconnected from VPN at home).
However, if you have other reasons for avoiding Intune, here is the GPO Documentation for the features you requested:
ASR: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-red...
Windows Firewall: https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/window...
Defender AV: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/use-group-policy-microsof...

Note: You may be able to manage some of the AV settings within the Defender console, as announced here:
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/security-settings-management-...
Note: You posted this question in the wrong forum; I suggest that you post your question in Defender for Endpoint here:
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP
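Added example (not part of the original thread or any Microsoft documentation): once the GPOs linked above are in place, the thing a practitioner actually wants is a way to confirm, on the endpoint itself, that the onboarding, AV, ASR and firewall settings really arrived and are in effect, and to spot the "no line of sight to a DC" failure mode the reply mentions. The script below runs in an elevated PowerShell on one AD-joined client and reports pass/fail per control. The ASR rule GUIDs, the expected actions (1 = Block, 2 = Audit), the two-day signature age threshold and the hypothetical helper name Add-Finding are assumptions chosen for illustration; replace them with your own GPO baseline.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a GPO-managed, MDE-onboarded endpoint against an assumed baseline.
# Nothing here changes configuration; it only reads effective state and reports on it.

# Assumed baseline (adjust to your own GPO): well-known ASR rule GUIDs and the action
# we expect policy to enforce. Action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$ExpectedAsr = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 1  # Block all Office applications from creating child processes
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 1  # Block credential stealing from LSASS
    'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550' = 1  # Block executable content from email client and webmail
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 2  # Block potentially obfuscated scripts (audit first, then block)
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {   # hypothetical helper, defined here for this example only
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. MDE onboarding: the Sense service must be running and OnboardingState must be 1.
$sense   = Get-Service -Name Sense -ErrorAction SilentlyContinue
$onboard = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
Add-Finding 'MDE onboarded' ("$($sense.Status)" -eq 'Running' -and $onboard.OnboardingState -eq 1) `
    "Sense=$($sense.Status) OnboardingState=$($onboard.OnboardingState)"

# 2. Defender AV core state. AMRunningMode 'Normal' means Defender is the active AV,
#    not sitting in passive mode behind a third-party product.
$status = Get-MpComputerStatus
Add-Finding 'AV active (Normal mode)' ("$($status.AMRunningMode)" -eq 'Normal') "AMRunningMode=$($status.AMRunningMode)"
Add-Finding 'Real-time protection'    ([bool]$status.RealTimeProtectionEnabled) "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"
Add-Finding 'Tamper protection'       ([bool]$status.IsTamperProtected)         "IsTamperProtected=$($status.IsTamperProtected)"
Add-Finding 'Signatures < 2 days old' ($status.AntivirusSignatureAge -lt 2)     "AntivirusSignatureAge=$($status.AntivirusSignatureAge) days"

# 3. ASR rules: Get-MpPreference reports the effective (merged) configuration,
#    whichever channel delivered it. Compare each expected rule to what is live.
$pref = Get-MpPreference
$effective = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $effective[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = $pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($id in $ExpectedAsr.Keys) {
    $actual = if ($effective.ContainsKey($id)) { $effective[$id] } else { 'not set' }
    Add-Finding "ASR $id" ($actual -eq $ExpectedAsr[$id]) "expected=$($ExpectedAsr[$id]) actual=$actual"
}

# 4. Was ASR delivered by Group Policy rather than set locally? The GPO
#    "Configure Attack Surface Reduction rules" writes under the Policies hive;
#    a local Set-MpPreference does not, so this key distinguishes the two.
$asrPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
Add-Finding 'ASR delivered via GPO policy key' (Test-Path $asrPolicyKey) "Test-Path '$asrPolicyKey'"

# 5. Firewall: every profile enabled with default inbound action Block.
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding "Firewall $($p.Name) profile" ("$($p.Enabled)" -eq 'True' -and "$($p.DefaultInboundAction)" -eq 'Block') `
        "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}

# 6. GPO freshness, the caveat from the reply: a stale "Last time Group Policy was applied"
#    means the device has not reached a DC recently and newer GPO changes are not on it yet.
#    (String match assumes an English-language Windows; adjust for other locales.)
$gpLine = (gpresult /r /scope:computer 2>$null) | Where-Object { $_ -match 'Last time Group Policy was applied' }
Add-Finding 'GPO last applied (computer)' ($null -ne $gpLine) (($gpLine -replace '^\s+', '') -join '; ')

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host "$failed control(s) failed."
exit $failed
```

Run it on a few representative clients (an always-on-LAN desktop and a laptop that spends most of its time off VPN) and compare: identical ASR and firewall results but a much older "last applied" timestamp on the laptop is exactly the GPO line-of-sight gap the reply warns about. Because the script exits with the number of failed controls, it can also be scheduled and the exit code collected centrally.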
Thank you very much.
For now we don't enroll the devices in Intune.
The guides you shared here will be a great help.