Microsoft Defender setup for Windows 10 devices in Intune and Windows Defender

Steps

  • Setting up Security Baselines for Windows Devices
  • Review Security Tasks
  • Setup Microsoft Defender Antivirus for Windows Devices
  • Setup Disk Encryption for Windows Devices using Bitlocker
  • Setup Microsoft Defender Firewall for Windows Devices
  • Setup Microsoft Defender Endpoint Detection and Response (EDR)/Defender Onboarding Policy
  • App Control for Business- Review and Test This Carefully Before Applying to Production Devices
  • Setup Microsoft Defender Attack Surface Reduction (ASR)
  • Conditional Access Policies for Windows Devices
  • Microsoft Defender for Endpoint Setup in Microsoft Defender Portal

Setting up Security Baselines for Windows Devices

  • The security baselines are usually used to set Microsoft-recommended security configurations for devices enrolled into Intune and they include Security Baseline for Windows 10 and later, Microsoft Defender for Endpoint Baseline, Security Baseline for Microsoft Edge and Microsoft 365 Apps for Enterprise Security Baseline. 
  • When you obtain your Intune tenant, the baselines may be outdated and so you may need to use the “Change Version” feature to update the templates that you create. 
  • Do not use the “Change Version” feature on security baselines that have been applied to groups with production devices; this could cause issues on your production computers if the default configurations are not favorable to the devices in your environment. You will need to configure and test any new configurations from a newer version before applying the baseline to the devices. 
  • In my environment, I only use the security baselines to set the Microsoft-recommended settings and use them as templates for creating individual security policies under the Manage area in Endpoint Security as well as templates for creating Configuration Profiles or Policies. I do not apply security baselines to groups with production computers. 
  • Configuration profiles and security policies under the Manage area in Endpoint Security in Intune have more granular settings than the Security baselines and so I prefer to use them instead. 
  • Also, if you use security baselines together with configuration policies and other security settings, make sure you avoid conflicts: the same security settings are available in several places, which can make troubleshooting difficult because you may not be able to tell where an issue originates without further digging for information. 

Review Security Tasks

From the Microsoft Intune portal, click on Endpoint Security and then click on Security Tasks to view tasks you created in the Microsoft Defender portal for managing identified vulnerabilities. 

Setup Microsoft Defender Antivirus for Windows Devices

Under the Antivirus subsection, under Manage section in Endpoint Security in Intune, you can create four (4) different types of antivirus policies for Windows devices including Defender Update Controls, Microsoft Defender Antivirus Exclusions, Microsoft Defender Antivirus, and Windows Security Experience.

Defender Update Controls

  • The Defender Update Controls are used to set the Microsoft Defender security intelligence, engine, and platform update channels.
  • In Intune, navigate to Endpoint Security, under Manage, click on Antivirus.
  • Under AV Policies, click on Create Policy>>> Platform (Windows 10, Windows 11, and Windows Server); Profile (Defender Update Controls)>>>click Create.
  • Under the Basics tab, Name (Microsoft Defender Update Controls); Description (This is used to update Microsoft Defender platform, security intelligence and security engine)>>>click Next.
  • Under the Configuration Settings tab, set Engine Updates Channel, Platform Updates Channel, and Security Intelligence Updates Channel each to [Current Channel (Broad); devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%)]>>>click Next to go to Scope Tags.
  • Under the Scope Tags tab, click Next to use the Default scope tag or you can select custom scope tags that you have set.
  • In the Assignments section, search for the desired security group in the space provided, select it and then click Next.
  • Now you can review your settings under the Review tab and then click Save to complete the setup process.   
  • You can use the Current Channel (Preview) or the Current Channel (Staged) settings for testing purposes before the updates are deployed to production devices. 
  • Note: The Engine Updates Channel, Platform Updates Channel, and Security Intelligence Updates Channel also exist in the Microsoft Defender Antivirus settings, so decide which policy you want to use to control those settings; otherwise there will be conflicts.  

Microsoft Defender Antivirus Exclusions

  • This is used to set the Microsoft Defender Antivirus exclusions so that it can work alongside other security tools, such as other antivirus applications (McAfee/Trellix or CrowdStrike), VPN applications (Cisco AnyConnect Mobility Client), and monitoring tools (Cisco Secure Endpoint). 
  • You can get the required exclusions from the vendor's website and add them in this area. 
  • To create the exclusions for Microsoft Defender antivirus, under AV Policies, click on Create Policy>>> Platform (Windows 10, Windows 11, and Windows Server); Profile (Microsoft Defender Antivirus exclusions)>>>click Create.
  • Under the Basics tab, Name (Microsoft Defender Antivirus Exclusions for Windows Computers); Description (This is used to set the application extensions, processes, and folder paths that need to be excluded so that Microsoft Defender does not block them, ensuring coexistence and compatibility of the applications.)>>>click Next.
  • Under the Configuration Settings tab, under Defender; Excluded Extensions (Add all the extensions that should not be blocked by Microsoft Defender Antivirus); Excluded Paths (Add all the folder paths that should not be blocked by Microsoft Defender Antivirus); Excluded Processes (Add all the application processes that should not be blocked by Microsoft Defender Antivirus)>>>click Next to go to Scope Tags.
  • Under the Scope Tags tab, click Next to use the Default scope tag or you can select custom scope tags that you have set.
  • In the Assignments section, search for the desired security group in the space provided, select it and then click Next.
  • Now you can review your settings under the Review tab and then click Save to complete the setup process. 
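Exclusions are the one Defender setting that reduces coverage, so it is worth checking what actually landed on a device after the policy applies. The script below is an added example, not part of the original guide: it reads the effective exclusion lists with Get-MpPreference (the same lists the Intune policy populates) and flags entries that give up more than a vendor integration needs, such as a whole drive, a wildcard path, a user-writable folder, an executable extension, or a script host process. The function name Get-DefenderExclusionReport and the risk heuristics are this example's own choices.

```powershell
# Added example (not from the original guide): review the Defender Antivirus
# exclusions in effect on a managed endpoint after the Intune exclusion policy
# applies, and flag entries that weaken protection more than a vendor
# integration needs. Run in an elevated PowerShell session on the device.
# The function name and the risk heuristics are this example's own choices.

function Get-DefenderExclusionReport {
    $pref = Get-MpPreference

    # Locations any user can write to; excluding them leaves a place where a
    # file can be dropped and executed without ever being scanned.
    $userWritableRoots = @(
        "$env:SystemDrive\Users",
        "$env:SystemDrive\ProgramData",
        "$env:SystemDrive\Temp",
        "$env:SystemRoot\Temp"
    )
    # Script hosts and system utilities: excluding the process also exempts
    # every file it opens, so these should never appear in a process exclusion.
    $riskyProcesses  = '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'
    $riskyExtensions = @('exe', 'dll', 'ps1', 'js', 'vbs', 'bat', 'cmd', 'scr', 'com')

    $findings = @()
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $risk = $null
        if ($p -match '^[A-Za-z]:\\?$')  { $risk = 'Whole drive excluded' }
        elseif ($p -match '\*')          { $risk = 'Wildcard path exclusion' }
        elseif ($userWritableRoots | Where-Object { $p -like "$_*" }) { $risk = 'User-writable location excluded' }
        $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Risk = $risk }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        $risk = $null
        if ($e.TrimStart('.').ToLower() -in $riskyExtensions) { $risk = 'Executable or script extension excluded' }
        $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Risk = $risk }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        if (-not $proc) { continue }
        $risk = $null
        if ($proc -match $riskyProcesses) { $risk = 'Script host or system utility excluded' }
        $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Risk = $risk }
    }

    [pscustomobject]@{
        # When Disable Local Admin Merge is on, only the Intune-delivered lists apply.
        LocalAdminMergeDisabled = [bool]$pref.DisableLocalAdminMerge
        Exclusions              = $findings
        Risky                   = @($findings | Where-Object { $_.Risk })
    }
}

$report = Get-DefenderExclusionReport
$report.Exclusions | Format-Table -AutoSize
if ($report.Risky.Count -gt 0) {
    Write-Warning "$($report.Risky.Count) exclusion(s) need review before they stay in the Intune policy"
}
```

Run it on a pilot device after the policy reports as applied in Intune; every entry it lists should trace back to a line in a vendor's documentation, and anything flagged in the Risk column is a candidate for narrowing to the specific file or subfolder the vendor actually needs.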

Microsoft Defender Antivirus

  • The Microsoft Defender Antivirus allows you to set antivirus settings for the endpoints in addition to what will be set in the Microsoft Defender portal.
  • Under AV Policies, click on Create Policy>>> Platform (Windows 10, Windows 11, and Windows Server); Profile (Microsoft Defender Antivirus)>>>click Create.
  • Under the Basics tab, Name (Microsoft Defender Antivirus for Windows Computers); Description (This is used to set the Microsoft Defender parameters on Windows computers)>>>click Next.
  • Under the Configuration Settings tab, click Defender to expand it; Allow Archive Scanning (Allowed. Scans archive files); Allow Behavior Monitoring (Allowed. Turns on real-time behavior monitoring); Allow Cloud Protection (Allowed. Turns on cloud protection); Allow Email Scanning (Allowed. Turns on email scanning); Allow Full Scan on Mapped Network Drives (Not allowed. Disables scanning of mapped network drives); Allow Full Scan Removable Drive Scanning (Allowed. Scans removable drives); [Deprecated] Allow Intrusion Prevention System (Not Configured); Allow scanning of all downloaded files and attachments (Allowed); Allow Real-time Monitoring (Allowed. Turns on and runs the real-time monitoring service); Allow Script Scanning (Allowed); Allow User UI Access (Allowed. Lets users access the Defender UI); Avg CPU Load Factor [Configured (50)]; Check for Signatures Before Running Scan (Enabled); Cloud Block Level (High); Cloud Extended Timeout [Configured (50)]; Days to Retain Cleaned Malware (10); Disable Catchup Full Scan (Enabled); Disable Catchup Quick Scan (Enabled); Enable Low CPU Priority (Enabled); Enable Network Protection [Enabled (block mode)]; [Excluded Extensions (Not Configured); Excluded Paths (Not Configured); Excluded Processes (Not Configured); you can configure the antivirus exclusions as a separate policy or include them here without creating a separate policy, otherwise there could be conflicts]; PUA Protection (Audit Mode. Windows Defender will detect potentially unwanted applications but take no action. You can review the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer); Real Time Scan Direction [Monitor all files (bi-directional)]; Scan Parameter (Quick Scan); Schedule Quick Scan Time (1200; this is the number of minutes after midnight and is equivalent to 8:00 PM; 6:00 AM is 360; 6:00 PM is 1080); Scheduled Scan Day (Everyday); Schedule Scan Time (Not Configured; if you selected Quick Scan as the Scan Parameter and set the Schedule Quick Scan Time you do not need to set this parameter; if you selected Full Scan as the Scan Parameter, set Schedule Quick Scan Time to Not Configured and Scheduled Scan Time to Configured); Signature Update Fallback Order (Not Configured); Signature Update File Shares Sources (Not Configured); Signature Update Interval [Configured (24)]; Submit Samples Consent (Never Send); Disable Local Admin Merge (Disable Local Admin Merge); Allow On Access Protection (Allowed); Remediation Action for Severe Threats (Block. Blocks file execution); Remediation Action for Moderate Severity Threats (Quarantine. Moves files to quarantine); Remediation Action for Low Severity Threats (Clean. The service tries to recover and disinfect the files); Remediation Action for High Severity Threats (Remove. Removes files from the system); Allow Network Protection Down Level (Not Configured); Allow Datagram Processing On Win Server (Not Configured); Disable DNS Over TCP Parsing (Not Configured); Disable HTTP Parsing (Not Configured); Disable SSH Parsing (Not Configured); Disable TLS Parsing (Not Configured); Enable DNS Sinkhole (Not Configured); [Engine Updates Channel (Not Configured); Platform Updates Channel (Not Configured); Security Intelligence Updates Channel (Not Configured); these have already been configured in the Defender Update Controls policy, but if you want to keep all the update settings in one place you can configure them here and unassign the Defender Update Controls policy]; Metered Connection Updates (Not Configured); Randomize Schedule Task Time (Not Configured); Scheduler Randomization Time (Not Configured)>>>click Next to go to Scope Tags.
  • Under the Scope Tags tab, click Next to use the Default scope tag or you can select custom scope tags that you have set.
  • In the Assignments section, search for the desired security group in the space provided, select it and then click Next.
  • Now you can review your settings under the Review tab and then click Save to complete the setup process. 
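Intune reports whether a policy was delivered, not whether each value is what the engine is running with, and a conflicting baseline or profile can silently win. The script below is an added example, not part of the original guide, covering both the Defender Update Controls policy and the Microsoft Defender Antivirus policy above: it reads the live preferences with Get-MpPreference and compares them with the values this guide chooses. The numeric codes are the ones documented for Set-MpPreference (5 = Current Channel (Broad), 2 = High cloud block level, 2 = PUA audit mode, 2 = never send samples, 1 = network protection in block mode, 1 = quick scan, 0 = every day); the mapping of Allow Cloud Protection to MAPSReporting = 2 (Advanced) and the function names Test-DefenderAvPolicy and ConvertFrom-IntuneScanMinutes are this example's own assumptions. Edit the expected table if your policy differs.

```powershell
# Added example (not from the original guide): check on a managed endpoint that
# the Defender Update Controls policy and the Microsoft Defender Antivirus policy
# above took effect. Expected values mirror this guide's choices; the numeric
# codes are the ones documented for Set-MpPreference. Run elevated on the device.
# Test-DefenderAvPolicy and ConvertFrom-IntuneScanMinutes are this example's own names.

# Intune schedule times are minutes after midnight (1200 = 8:00 PM);
# Get-MpPreference reports them as a TimeSpan, so convert before comparing.
function ConvertFrom-IntuneScanMinutes {
    param([Parameter(Mandatory)][int]$Minutes)
    [TimeSpan]::FromMinutes($Minutes)
}

function Test-DefenderAvPolicy {
    $pref = Get-MpPreference

    $expected = [ordered]@{
        # Update channels: 3 = Preview, 4 = Staged, 5 = Current Channel (Broad)
        EngineUpdatesChannel           = 5
        PlatformUpdatesChannel         = 5
        SignaturesUpdatesChannel       = 5
        # "Allowed" in Intune means the matching Disable* preference is $false
        DisableRealtimeMonitoring      = $false
        DisableBehaviorMonitoring      = $false
        DisableArchiveScanning         = $false
        DisableEmailScanning           = $false
        DisableScriptScanning          = $false
        DisableRemovableDriveScanning  = $false
        MAPSReporting                  = 2      # Advanced MAPS; assumed mapping of Allow Cloud Protection
        CloudBlockLevel                = 2      # High
        CloudExtendedTimeout           = 50
        PUAProtection                  = 2      # Audit mode
        EnableNetworkProtection        = 1      # Block mode
        SubmitSamplesConsent           = 2      # Never send
        SignatureUpdateInterval        = 24
        ScanAvgCPULoadFactor           = 50
        QuarantinePurgeItemsAfterDelay = 10     # Days to retain cleaned malware
        ScanParameters                 = 1      # Quick scan
        ScanScheduleDay                = 0      # Every day
        ScanScheduleQuickScanTime      = (ConvertFrom-IntuneScanMinutes 1200)
        DisableLocalAdminMerge         = $true
    }

    foreach ($name in $expected.Keys) {
        $actual = $pref.$name
        if ($actual -is [datetime]) { $actual = $actual.TimeOfDay }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $expected[$name])
        }
    }
}

$results = Test-DefenderAvPolicy
$results | Format-Table -AutoSize
$drift = @($results | Where-Object { -not $_.Match })
if ($drift.Count -gt 0) { Write-Warning "$($drift.Count) setting(s) differ from the Intune policy" }
```

A Match of False on the three channel settings usually means the Defender Update Controls policy and the antivirus policy both set them, which is the conflict the note above warns about; a mismatch on ScanScheduleQuickScanTime (expected 20:00:00 for the 1200 in the policy, 06:00:00 for 360, 18:00:00 for 1080) usually means Schedule Scan Time was configured as well.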

Windows Security Experience

  • The Windows Security Experience policy sets the configurations that indicate how users are allowed to interact with Microsoft Defender Antivirus. 
  • In Intune, navigate to Endpoint Security, under Manage, click on Antivirus.
  • Under AV Policies, click on Create Policy>>> Platform (Windows 10, Windows 11, and Windows Server); Profile (Windows Security Experience)>>>click Create.
  • Under the Basics tab, Name (Intune Windows Security Experience); Description (Sets the configurations that indicate how users would be allowed to interact with the Microsoft Defender Antivirus)>>>click Next.
  • Under the Configuration Settings tab, click Defender to expand it; Tamper Protection (Not Configured; this is configured in other areas like); click on Windows Defender Security Center to expand it; Disable Account Protection UI (Not Configured); Disable App Browser UI (Not Configured); Disable Clear TPM Button (Not Configured); Disable Device Security UI (Not Configured); Disable Family UI (Not Configured); Disable Network UI (Not Configured); Disable Enhanced Notifications (Not Configured); Disable TPM Firmware Update Warning (Not Configured); Disable Virus UI (Not Configured); Hide Ransomware Data Recovery (Not Configured); Enable Customized Data [(Enable) Notifications contain the company name and contact options]; Enable In App Customization (Not Configured); Company Name [(Configured) SkoaNow Technologies LLC]; Email [(email@skoanowtechnologies.com)]; Phone [(678-200-0000)]; URL [(Configured) https://www.skoanowtechnologies.com]>>>click Next to go to Scope Tags.
  • Under the Scope Tags tab, click Next to use the Default scope tag or you can select custom scope tags that you have set.
  • In the Assignments section, search for the desired security group in the space provided, select it and then click Next.
  • Now you can review your settings under the Review tab and then click Save to complete the setup process. 

Setup Disk Encryption for Windows Devices Using Bitlocker-Silent Encryption

  • In Intune, navigate to Endpoint Security, under Manage, click on Disk Encryption>>>>Click on Create Policy>>> Platform (Windows 10, Windows 11, and Windows Server); Profile (Bitlocker)>>>click Create.
  • Under the Basics tab, Name (Intune Disk Encryption For Windows Devices); Description (Sets the configurations that indicate how users would be allowed to interact with the Microsoft Defender Antivirus)>>>click Next.
  • Under Configuration Settings, click Bitlocker to expand it; Require Device Encryption (Enabled); Allow Warning For Other Disk Encryption (Enabled); [Allow Standard User Encryption (Enabled), displayed when you Allow Warning For Other Disk Encryption (Disabled)] ; Configure Recovery Password Rotation (Refresh on for both Azure AD and hybrid-joined devices); 
  • Click on Administrative Templates to expand it; under Windows Components/Bitlocker Drive Encryption; Choose Drive Encryption Method and Cipher Strength (Windows 10 version 1511 and later) (Enabled); Select the encryption method for removable data drives (XTS-AES-256-bit); Select the encryption method for fixed data drives (XTS-AES-256-bit); Select the encryption method for operating system drives (XTS-AES-256-bit); Provide the unique identifiers for your organization (Not Configured)
  • Under Windows Components>Bitlocker Drive Encryption>Operating System Drives; [Enforce Drive Encryption Type on operating system drives (Enabled; displays Select The Encryption Type (Device)); Select The Encryption Type (Device) (Full Encryption)]; [Require Additional Authentication at Startup (Enabled; displays Configure TPM Startup Key and PIN, Configure TPM Startup PIN, Configure TPM Startup, Allow Bitlocker Without a Compatible TPM, and Configure TPM Startup Key); Configure TPM Startup Key and PIN (Do not allow startup key and PIN with TPM); Configure TPM Startup PIN (Do not allow startup PIN with TPM); Configure TPM Startup (Allow TPM); Allow Bitlocker Without a Compatible TPM (Requires a password or a startup key on a USB flash drive) (False); Configure TPM Startup Key (Do not allow startup key for TPM)]; Configure Minimum PIN Length for Startup (Not Configured/Disabled; this hides Minimum Characters); Allow Enhanced PINs for Startup (Not Configured/Disabled); Disallow Standard Users from Changing the PIN or Password (Not Configured/Disabled); Allow Devices Compliant with InstantGo or HSTI to Opt Out of Pre-boot PIN (Not Configured/Disabled); Enable Use of Bitlocker Authentication Requiring Preboot Keyboard Input on Slates (Not Configured/Disabled); Choose How Bitlocker-protected Operating System Drives Can Be Recovered (Enabled; displays Omit recovery options from the BitLocker setup wizard, Allow data recovery agent, Configure storage of Bitlocker recovery information to AD DS, Do not enable BitLocker until recovery information is stored to AD DS for operating system drives, Save BitLocker recovery information to AD DS for operating system drives, and Configure user storage of Bitlocker recovery information); Omit recovery options from the BitLocker setup wizard (True); Allow data recovery agent (False); Configure storage of Bitlocker recovery information to AD DS (Store recovery passwords and key packages); Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (True); Save BitLocker recovery information to AD DS for operating system drives (True); Configure user storage of Bitlocker recovery information (Allow 48-digit recovery password); Configure Pre-boot Recovery Message and URL (Not Configured/Disabled).
  • Under Windows Components/Bitlocker Drive Encryption/Fixed Data Drives; Enforce Drive Encryption Type on fixed data drives (Enabled); Select the encryption type (Device) (Full encryption); Choose how Bitlocker-protected fixed drives can be recovered (Enabled; this displays Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives, Allow data recovery agent, Configure storage of Bitlocker recovery information to AD DS, Save Bitlocker recovery information to AD DS for fixed data drives, Omit recovery options from the Bitlocker setup wizard, and Configure user storage of Bitlocker recovery information); Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives (True); Allow data recovery agent (False); Configure storage of Bitlocker recovery information to AD DS (Backup recovery passwords and key packages) (Allow 256-bit recovery key); Save Bitlocker recovery information to AD DS for fixed data drives (True); Omit recovery options from the Bitlocker setup wizard (True); Configure user storage of Bitlocker recovery information (Allow 48-digit recovery password); Deny write access to fixed drives not protected by Bitlocker (Not Configured/Disabled).
  • Under Windows Components\Bitlocker Drive Encryption\Removable Data Drives; Control use of Bitlocker on Removable Drives (Enabled; this displays Allow users to apply BitLocker protection on removable data drives (Device) and Allow users to suspend and decrypt BitLocker protection on removable data drives (Device)); Allow users to apply BitLocker protection on removable data drives (Device) (True; this displays Enforce drive encryption type on removable data drives); Enforce drive encryption type on removable data drives [Enabled; this displays Select the encryption type (Device)]; Select the encryption type (Device) (Used space only encryption); Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) (True); Deny write access to Removable Drives not protected by Bitlocker (Enabled; this displays Do not allow write access to devices configured in another organization); Do not allow write access to devices configured in another organization (False)>>>click Next to go to Scope Tags.
  • Under the Scope Tags tab, click Next to use the Default scope tag or you can select custom scope tags that you have set.
  • In the Assignments section, search for the desired security group in the space provided, select it and then click Next.
  • Now you can review your settings under the Review tab and then click Save to complete the setup process.

Non-silent Encryption with User Interaction with Bitlocker Setup Wizard

  • In Intune, navigate to Endpoint Security, under Manage, click on Disk Encryption>>>>Click on Create Policy>>> Platform (Windows 10, Windows 11, and Windows Server); Profile (Bitlocker)>>>click Create.
  • Under the Basics tab, Name (Intune Disk Encryption For Windows Devices); Description (Sets the configurations that indicate how users would be allowed to interact with the Microsoft Defender Antivirus)>>>click Next.
  • Under Configuration Settings, click Bitlocker to expand it; Require Device Encryption (Enabled); Allow Warning For Other Disk Encryption (Enabled); [Allow Standard User Encryption (Not Configured), displayed when you Allow Warning For Other Disk Encryption (Disabled)] ; Configure Recovery Password Rotation (Refresh on for both Azure AD and hybrid-joined devices); 
  • Click on Administrative Templates to expand it; under Windows Components/Bitlocker Drive Encryption; Choose Drive Encryption Method and Cipher Strength (Windows 10 version 1511 and later) (Enabled); Select the encryption method for removable data drives (XTS-AES-256-bit); Select the encryption method for fixed data drives (XTS-AES-256-bit); Select the encryption method for operating system drives (XTS-AES-256-bit); Provide the unique identifiers for your organization (Not Configured)
  • Under Windows Components>Bitlocker Drive Encryption>Operating System Drives; [Enforce Drive Encryption Type on operating system drives (Enabled; displays Select The Encryption Type (Device)); Select The Encryption Type (Device) (Full Encryption)]; [Require Additional Authentication at Startup (Enabled; displays Configure/Compatible TPM Startup Key and PIN, Configure/Compatible TPM Startup PIN, Configure/Compatible TPM Startup, Allow Bitlocker Without a Compatible TPM, and Configure/Compatible TPM Startup Key); Configure/Compatible TPM Startup Key and PIN (Do not allow startup key and PIN with TPM); Configure/Compatible TPM Startup PIN (Allow startup PIN with TPM); Configure/Compatible TPM Startup (Allow TPM); Allow Bitlocker Without a Compatible TPM (Requires a password or a startup key on a USB flash drive) (False); Configure/Compatible TPM Startup Key (Allow startup key for TPM)]; Configure Minimum PIN Length for Startup (Enabled; this displays Minimum Characters); Minimum Characters (8); Allow Enhanced PINs for Startup (Not Configured/Disabled); Disallow Standard Users from Changing the PIN or Password (Not Configured/Disabled); Allow Devices Compliant with InstantGo or HSTI to Opt Out of Pre-boot PIN (Not Configured/Disabled); Enable Use of Bitlocker Authentication Requiring Preboot Keyboard Input on Slates (Not Configured/Disabled); Choose How Bitlocker-protected Operating System Drives Can Be Recovered (Enabled; displays Omit recovery options from the BitLocker setup wizard, Allow data recovery agent, Configure storage of Bitlocker recovery information to AD DS, Do not enable BitLocker until recovery information is stored to AD DS for operating system drives, Save BitLocker recovery information to AD DS for operating system drives, and Configure user storage of Bitlocker recovery information); Omit recovery options from the BitLocker setup wizard (True); Allow data recovery agent (False); Configure storage of Bitlocker recovery information to AD DS (Store recovery passwords and key packages); Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (True); Save BitLocker recovery information to AD DS for operating system drives (True); Configure user storage of Bitlocker recovery information (Allow 48-digit recovery password); Configure Pre-boot Recovery Message and URL (Not Configured/Disabled).
  • Under Windows Components/Bitlocker Drive Encryption/Fixed Data Drives; Enforce Drive Encryption Type on fixed data drives (Enabled); Select the encryption type (Device) (Full encryption); Choose how Bitlocker-protected fixed drives can be recovered (Enabled; this displays Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives, Allow data recovery agent, Configure storage of Bitlocker recovery information to AD DS, Save Bitlocker recovery information to AD DS for fixed data drives, Omit recovery options from the Bitlocker setup wizard, and Configure user storage of Bitlocker recovery information); Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives (True); Allow data recovery agent (False); Configure storage of Bitlocker recovery information to AD DS (Backup recovery passwords and key packages) (Allow 256-bit recovery key); Save Bitlocker recovery information to AD DS for fixed data drives (True); Omit recovery options from the Bitlocker setup wizard (True); Configure user storage of Bitlocker recovery information (Allow 48-digit recovery password); Deny write access to fixed drives not protected by Bitlocker (Not Configured/Disabled).
  • Under Windows Components\Bitlocker Drive Encryption\Removable Data Drives; Control use of Bitlocker on Removable Drives (Enabled; this displays Allow users to apply BitLocker protection on removable data drives (Device) and Allow users to suspend and decrypt BitLocker protection on removable data drives (Device)); Allow users to apply BitLocker protection on removable data drives (Device) (True; this displays Enforce drive encryption type on removable data drives); Enforce drive encryption type on removable data drives [Enabled; this displays Select the encryption type (Device)]; Select the encryption type (Device) (Used space only encryption); Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) (True); Deny write access to Removable Drives not protected by Bitlocker (Enabled; this displays Do not allow write access to devices configured in another organization); Do not allow write access to devices configured in another organization (False)>>>click Next to go to Scope Tags.
  • Under the Scope Tags tab, click Next to use the Default scope tag or you can select custom scope tags that you have set.
  • In the Assignments section, search for the desired security group in the space provided, select it and then click Next.
  • Now you can review your settings under the Review tab and then click Save to complete the setup process.
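The two BitLocker policies above differ only in the pre-boot authenticator (TPM alone for silent encryption, TPM plus a PIN of at least 8 characters or a startup key for the interactive wizard), and the setting that matters most operationally is "Do not enable BitLocker until recovery information is stored to AD DS", because a drive whose recovery password never reached Azure AD is a drive you may not get back. The script below is an added example, not part of the original guide, that checks a device against either policy: the cipher, the key protector types, the 48-digit recovery password, and the Azure AD backup, which BitLocker records as event ID 845 in the Microsoft-Windows-BitLocker/BitLocker Management log (846 is the failure). The function names and the -Interactive switch are this example's own; run it elevated on the device.

```powershell
# Added example (not from the original guide): verify on a managed endpoint that
# the BitLocker policy above produced the intended result: XTS-AES-256, a
# TPM-based protector (TPM only for the silent policy, TPM+PIN or startup key for
# the interactive one), a 48-digit recovery password, and an Azure AD backup.
# Run elevated on the device; -Interactive selects the non-silent expectations.

function Test-BitLockerPolicy {
    param([switch]$Interactive)

    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Silent policy: Configure TPM Startup = Allow TPM, PIN and startup key not allowed.
    # Interactive policy: PIN (Minimum Characters 8) or startup key alongside the TPM.
    $expectedAuth = if ($Interactive) { @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') } else { @('Tpm') }
    $authOk = [bool]($types | Where-Object { $_ -in $expectedAuth })

    # Event 845 records a successful backup of the recovery password to Azure AD.
    $backupEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint          = $osVol.MountPoint
        VolumeStatus        = $osVol.VolumeStatus.ToString()
        ProtectionOn        = ($osVol.ProtectionStatus -eq 'On')
        EncryptionMethodOk  = ($osVol.EncryptionMethod -eq 'XtsAes256')
        AuthProtectorOk     = $authOk
        RecoveryPasswordOk  = ('RecoveryPassword' -in $types)
        RecoveryKeyBackedUp = ($null -ne $backupEvents)
        KeyProtectorTypes   = ($types -join ', ')
    }
}

# Fixed data drives: the policy requires full encryption and a recovery password.
function Test-BitLockerFixedDrives {
    Get-BitLockerVolume | Where-Object VolumeType -eq 'Data' | ForEach-Object {
        [pscustomobject]@{
            MountPoint         = $_.MountPoint
            VolumeStatus       = $_.VolumeStatus.ToString()
            EncryptionMethodOk = ($_.EncryptionMethod -eq 'XtsAes256')
            RecoveryPasswordOk = [bool]($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }
}

# Use -Interactive on devices targeted by the non-silent policy.
Test-BitLockerPolicy | Format-List
Test-BitLockerFixedDrives | Format-Table -AutoSize
```

RecoveryKeyBackedUp reflects what the device logged, so on a machine that encrypted before it was joined, or that was imaged from an encrypted template, confirm the recovery key in the Intune device blade as well rather than trusting the event alone.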

Setup Microsoft Defender Firewall for Windows Devices

Windows Defender Firewall

  • Within the Intune portal, navigate to Endpoint Security, under Manage, click on Firewall>>>>Click on Create Policy>>> Platform (Windows 10, Windows 11, and Windows Server); Profile (Windows Firewall)>>>click Create.
  • Under the Basics tab, Name (Intune Windows Firewall For Windows Devices); Description (Sets the firewall rules for  Microsoft Defender)>>>click Next.
  • Under Configuration Settings, click Firewall to expand it; Certificate Revocation List Verification (Not Configured); Disable Stateful FTP (Not Configured); Enable Packet Queue (Not Configured); IPSec Exceptions (Not Configured); Opportunistically Match Auth Set Per KM (Not Configured); Preshared Key Encoding (Not Configured); Security Association Idle Time [Configured (300)]; Enable Domain Network Firewall (True); Allow Local IPSEC Policy Merge (True); Log File Path [Configured (%systemroot%\system32\LogFiles\Firewall\pfirewall.log)]; Disable Stealth Mode (False); Auth Apps Allow User Pref Merge (True); Enable Log Dropped Packets (Disable logging of dropped packets); Shielded (False); Default Outbound Action (Allow); Disable Inbound Notifications (False); Log Max File Size [Configured (1024)]; Disable Unicast Responses To Multicast Broadcast (False); Enable Log Ignored Rules (Disable logging of ignored rules); Allow Local IPSEC Policy Merge (True); Target (Not Configured)
  • Click Auditing to expand it; Object Access Audit Filtering Platform Connection (Not Configured); Object Access Audit Filtering Platform Packet Drop (Not Configured)
  • Click Network Manager to expand it; Allowed TLS Authentication Endpoints (Not Configured); Configured TLS Authentication Network Name (Not Configured)>>>click Next to go to Scope Tags.
  • Under the Scope Tags tab, click Next to use the Default scope tag or you can select custom scope tags that you have set.
  • In the Assignments section, search for the desired security group in the space provided, select it and then click Next.
  • Now you can review your settings under the Review tab and then click Save to complete the setup process. 

Windows Defender Firewall Rules

  • Within the Intune portal, navigate to Endpoint Security, under Manage, click on Firewall>>>>Click on Create Policy>>> Platform (Windows 10, Windows 11, and Windows Server); Profile (Windows Firewall Rules)>>>click Create.
  • Under the Basics tab, Name (Intune Windows Firewall Rules For Windows Devices); Description (Sets additional firewall rules for  Microsoft Defender)>>>click Next.
  • Under Configuration Settings, click Firewall to expand it; click the Add button and fill out the form; Enabled (Configured); Name (Inbound Rules); Interface Type (LAN); File Path (Not Configured); Remote Port Range (Not Configured); Edge Traversal (Not Configured); Local User Authorized List (Not Configured); Network Types (FW_PROFILE_TYPE_DOMAIN: this value represents the profile for networks that are connected to domains); Local Port Ranges (Not Configured); Description (Not Configured); Policy App Id (Not Configured); Package Family Name (Not Configured); Local Address Ranges (Not Configured); Direction (The rule applies to inbound traffic); Service Name (Not Configured); Remote Address Range (Not Configured); Action (Allow); Protocol [Configured (589)]; ICMP Types and Codes (Not Configured)>>>click Save to save this rule. This is only a sample rule; you can customize it as you desire or based on your organizational requirements.
  • You can create some more custom rules and when you are done>>>click Next to go to Scope Tags.
  • Under the Scope Tags tab, click Next to use the Default scope tag or you can select custom scope tags that you have set.
  • In the Assignments section, search for the desired security group in the space provided, select it and then click Next.
  • Now you can review your settings under the Review tab and then click Save to complete the setup process. 
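The firewall profile policy and the rules policy above are two separate objects in Intune, and a rule that shows as delivered can still be inert if the profile it targets is disabled or a local rule merged in ahead of it. The script below is an added example, not part of the original guide: it reads the three firewall profiles with Get-NetFirewallProfile and compares the log path and size with the values this guide sets, then looks up the sample rule by the display name the guide uses ("Inbound Rules") and reports its direction, action, profile, protocol and interface type. Test-FirewallProfilePolicy and Get-IntuneFirewallRuleStatus are this example's own names; run it elevated on the device.

```powershell
# Added example (not from the original guide): verify on a managed endpoint that
# the Windows Firewall policy and the sample rule from the Windows Firewall Rules
# policy above are in effect. Expected values mirror this guide; the rule display
# name "Inbound Rules" is the one the guide uses. Run elevated on the device.
# Test-FirewallProfilePolicy and Get-IntuneFirewallRuleStatus are this example's own names.

function Test-FirewallProfilePolicy {
    $expectedLog = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
    foreach ($p in Get-NetFirewallProfile) {
        # LogFileName usually comes back unexpanded (%systemroot%\...), so expand it first.
        $actualLog = [Environment]::ExpandEnvironmentVariables([string]$p.LogFileName)
        [pscustomobject]@{
            Profile         = $p.Name
            Enabled         = ($p.Enabled -eq 'True')
            DefaultInbound  = $p.DefaultInboundAction.ToString()
            OutboundAllowed = ($p.DefaultOutboundAction -eq 'Allow')
            LogPathOk       = ($actualLog -ieq $expectedLog)
            LogMaxSizeOk    = ($p.LogMaxSizeKilobytes -eq 1024)
            # The guide leaves dropped-packet logging off; turn it on if pfirewall.log
            # is collected by a SIEM, because blocked connections are the useful signal.
            LogBlocked      = ($p.LogBlocked -eq 'True')
            LogAllowed      = ($p.LogAllowed -eq 'True')
        }
    }
}

function Get-IntuneFirewallRuleStatus {
    param([string]$DisplayName = 'Inbound Rules')
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $rule) {
        return [pscustomobject]@{ DisplayName = $DisplayName; Present = $false }
    }
    $port  = $rule | Get-NetFirewallPortFilter
    $iface = $rule | Get-NetFirewallInterfaceTypeFilter
    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Present       = $true
        Enabled       = ($rule.Enabled -eq 'True')
        Direction     = $rule.Direction.ToString()
        Action        = $rule.Action.ToString()
        Profile       = $rule.Profile.ToString()        # Domain for FW_PROFILE_TYPE_DOMAIN
        Protocol      = $port.Protocol
        InterfaceType = $iface.InterfaceType.ToString()  # Wired corresponds to LAN in the portal
    }
}

Test-FirewallProfilePolicy | Format-Table -AutoSize
Get-IntuneFirewallRuleStatus | Format-List
```

Because the guide only enables the Domain profile, a device that is off the corporate network will show Private or Public as the active profile and the sample rule, scoped to Domain, will not match its traffic; that is expected and worth remembering when a user reports that a rule "does not work" from home.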

Setup Microsoft Defender Endpoint Detection and Response (EDR)/Defender Onboarding Policy

  • Before setting up the Endpoint Detection and Response, navigate to Tenant Administration>>>Tenant Status>>>Connector Status>>>click on Microsoft Defender for Endpoint Connector and enable Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint. 
  • Within the Intune portal, navigate to Endpoint Security, under Manage, click on Endpoint Detection and Response. Click Create Policy>>>Platform (Windows 10, Windows 11, and Windows Server); Profile (Endpoint detection and response) and click on Create.
  • Name (SkoaNow Defender Onboarding Policy); Description (Microsoft Defender Endpoint Detection and Response (EDR)/Defender Onboarding Policy) and click on Next to go to the Configuration Settings page.
  • On the Configuration Settings page, expand Microsoft Defender for Endpoint; Microsoft Defender for Endpoint client configuration package type; Sample Sharing (All); [Deprecated] Telemetry Reporting Frequency (Not Configured)
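The connector step above is what lets Intune fetch the onboarding package, and the EDR policy is what delivers it; a device that received the policy but never finished onboarding still shows no alerts in the Defender portal. The script below is an added example, not part of the original guide, that checks the two artifacts onboarding leaves on a device: the OnboardingState value under HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status (1 when onboarded, alongside the tenant OrgId) and the Sense service, plus the most recent entry in the Microsoft-Windows-SENSE/Operational log as a liveness signal. Test-MdeOnboarding is this example's own name; run it elevated on the device.

```powershell
# Added example (not from the original guide): confirm that the EDR onboarding
# policy above reached a device. Onboarding writes OnboardingState = 1 under the
# Windows Advanced Threat Protection status key and starts the Sense service.
# Run elevated on the device.

function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # The MDE sensor logs to this channel; a recent event shows it is alive.
    $lastSenseEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SENSE/Operational'
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $lastSeen = $null
    if ($lastSenseEvent) { $lastSeen = $lastSenseEvent.TimeCreated }

    [pscustomobject]@{
        Onboarded      = ($null -ne $status -and $status.OnboardingState -eq 1)
        OrgIdPresent   = ($null -ne $status -and [bool]$status.OrgId)
        SenseInstalled = ($null -ne $sense)
        SenseRunning   = ($null -ne $sense -and $sense.Status -eq 'Running')
        LastSenseEvent = $lastSeen
    }
}

Test-MdeOnboarding | Format-List
```

Onboarded = False with SenseInstalled = True usually means the package was never applied (check the connector status first, then the policy's device status in Intune); Onboarded = True with SenseRunning = False points at the service itself, and the SENSE operational log is the first place to read.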


  • Within the Microsoft Endpoint Manager, click Devices>>>Windows>>>Configuration Profiles>>>click Create and in the drop down, click New Policy
  • Platform (Windows 10 and Later); Profile Type(Templates); search for Custom, click on it to select it and click Create.
  • Name (Intune_Kiosk_MultiApp_Restricted_Settings); Description(This restricts the Settings application so that only Network and Internet, Windows Updates, Access Work or School Settings can be accessed on the computer); Platform (Windows 10 and Later); Profile Type(Custom) >>> click NEXT.  
