Defender for Endpoint security settings management summary

by Niklas Tinner 13 days ago 7 min read

Introduction

This post is a summary for Defender for Endpoint security settings management, also known as Unified Settings Management. It will walk through all necessary steps to understand, plan, setup and use the features. Furthermore I will give recommendations for field deployments, tips and more. There are already some good posts on this topic, but I wanted to make my own summary, also as part of a learning process.

What is Unified Settings Management?

Defender for Endpoint (MDE) is a cloud-based extended detection and response (XDR) product that lives in the Microsoft cloud ecosystem. Security settings management is a feature part of it.

Intune plays an important role for this feature, since device management is originally reserved to Intune. Device management i.a. means configuration management, which is the process of applying policies that contain settings to configure a system.

Security settings management leverages concepts of Intune to deploy security settings to endpoints/devices, without the need of Intune 😉 That means, settings management from Defender can be used to deploy policies to devices which are only known to Defender for Endpoint. In a nutshell:

Device is only onboarded to Microsoft Defender for Endpoint
In Defender for Endpoint you can configure security configuration policies
Defender for Endpoint can apply those client-side security policies on those systems

Management comparison 🧭

It might be helpful to understand the scope of different management scenarios.

Option	MDE Settings Management	"Classic" Intune onboarding
Configuration management scope	Minimal -> only security policies	Full configuration of every system aspect
Onboarding	With package and installation script	User- / device onboarding
Remote actions	Defender for Endpoint supported ones > security related	Intune > more system and general
Client deployment mechanism	New DM / MMP-C (read more)	Classic MDM + IME
Prerequisites	URL availability (dm.microsoft.com) and MDE configuration	URL endpoints, MDM scope, enrollment settings, policies in Intune
Licensing	Defender for Endpoint license	Intune license (at least plan 1)

Use cases

There are a few scenarios to choose Defender security settings management, such as:

☁️ Secure with cloud-only: Apply policies and manage with fully cloud-based Defender for Endpoint. Onboarded devices have no dependencies.
🪶 Secure non-enrolled endpoints: No full enrollment into Intune or other MDM is needed. Any endpoint can be equipped with this feature, ranging from BYOD up to corporate endpoints that are not (yet) in Intune.
🛂 Securing non-domain endpoints: Devices, particularly servers may be outside of the corporate domain, in a DMZ or similar. Since no other management system is in that zone, you can use security settings management and configure from the cloud.

Advantages

The advantages of this feature include:

Only Defender for Endpoint onboarding needed, no Intune enrollment
Fully cloud-based, no dependency to network or on-premises resources
Easy configuration and management
Central settings monitoring
Cross-platform support

Prerequisites

Licenses: Defender for Endpoint
Roles and RBAC: Security administrator
Supported platforms: Windows 10/11, Windows Server, macOS, Linux
Connectivity: new network endpoint: *.dm.microsoft.com and ideally also to Intune + Defender network endpoints
Join state: No need to join via Entra or hybrid -> synthetic registration read more - Devices that are already joined will be satisfied.

Concept

Intune and Defender for Endpoint work together to apply endpoint security policies on MDE onboarded devices. A specialty is in step 2./3.: Devices will get a record in Intune in order to target them with policies. In case it is not yet in Intune or not fully registered in Entra ID, it will automatically generate a so-called synthetic object. This is nothing more than just a representation of that MDE only device in Entra ID.

Synthethic endpoint in Entra

See the OS identification of 'Windows Server', which is new
See the security settings management value which states it is Defender for Endpoint

MDE managed endpoint in Intune

See the managed by value 'MDE'
Remote tasks are not possible, however monitoring of policy assignment is possible

Supported profiles by platform

⚠️

Intune endpoint security configuration and Defender security settings management don't have feature parity, which means that Defender doesn't support all profile types of security areas (yet). Please check these links for supported profiles: Linux, macOS, Windows 10, Windows 11, and Windows Server

Setup

Enable tenant settings

First, we need to enable the tenant feature of unified security settings management in both Intune and Defender for Endpoint. At this point the fundamental connection should already be established, as I describe in this post:

Intune

Go to Tenant administration > Connectors and tokens > Microsoft Defender for Endpoint and enable 'Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations'

⚠️

While in Intune, check if you have policies that are assigned to 'All Devices'. Be aware, that those policies will also target MDE settings management onboarded endpoints.

Defender for Endpoint

Go to Settings > Endpoints > Enforcement scope > enable 'Use MDE to enforce security configuration settings from Intune' and also enable the platforms you want. Either choose all devices or only tagged devices.

🗒️

To try out the features, I suggest beginning with tagged devices. The endpoints won't get any policies until you create and assign them.

Tagging endpoint

If you choose to manually tag endpoints in MDE, you need to add the tag:

MDE-Management

To endpoints, that should be onboarding with settings management into Entra and Intune (showed above).

Create policies

In Microsoft Defender, navigate to Configuration management > Endpoint security policies and create a new policy.

Depending on the platform and template you can now configure:

Policy name (recommendation: MDE-EndpointSecurity-Type-Policyname)
Settings configuration - configure the available settings according to the platform and template
Assignments - include/exclude to Entra security groups > create a new one and include the endpoints you want to target

💡

Note, that policies displayed in both Intune and Defender with the target 'microsoftSense' are applicable to MDE settings management.

Settings configuration

Equipping endpoints with endpoint security policies is the goal. Although not all templates/policy types are supported, you should strive to the best possible protection. Orientate with frameworks and best practices to apply security configuration based upon the platform. To dive more into it, read my blog post on security baselines

For cross-platform security I can recommend the following frameworks:

Windows & Windows Server = Security Compliance Toolkit, STIG, CIS
macOS = Security Compliance Project
Linux = Guide to Infrastructure Hardening

Targeting endpoints

Targeting the endpoints you want to protect with policies works conventionally with including Entra group assignments on policies.

If you want to identify the MDE settings management onboarded devices dynamically check out this rule:

The dynamic membership rule syntax:

(device.managementType -eq "MicrosoftSense")

Monitoring

The policy sync interval from the endpoint to the MDE service is 90 minutes. It is also possible to trigger the sync manually as a remote action on the endpoint inventory. Monitor the deployment status and settings application of the policy to the endpoint from both the Intune and Defender portal:

💡

Check out the FAQ from Microsoft for more details.