How does Microsoft Defender for Endpoint recommendations & Intune security tasks work together?


Consider a scenario where an organization has different teams for managing security of devices across the board using Defender portal and another team for managing endpoints using MEM admin portal. When you have Intune integrated with Microsoft Defender for Endpoint, the security team can request remediation from MEM team in form of a ticket, which will then open a security task for action in the MEM admin portal. The activity of the same can then be monitored in MDE portal by the security team. This integration allows synergy across different teams in an organization by leveraging vulnerability management capabilities within Defender for Endpoint.

After you connect Intune to Microsoft Defender for Endpoint, Defender for Endpoint receives threat and vulnerability details from managed devices. There are obviously some pre-requisites involved that you need to take care of -

1. Configure a service-to-service connection with Microsoft Defender for Endpoint.

2. Deploy a device configuration policy with a profile type of Microsoft Defender for Endpoint (desktop devices running Windows 10 or later) to devices that will have risk assessed by Defender for Endpoint. You can also use Endpoint Detection & Response profile under Endpoint Security in Intune to configure this policy.

Through this blog post, I will demonstrate the complete process of requesting remediation and taking necessary actions on the security task using recommendation 'Enabled Controlled Folder Access' as an example.

Here is a little something on Controlled folder access - It helps in protecting valuable data from malicious apps and threats, such as ransomware. It works by only allowing trusted apps to access protected folders. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders.

To enable Controlled Folder access, you also need to enable Microsoft Defender AV real time protection. Since it is already enabled in my tenant, none of the devices flagged as exposed in Defender Portal.

Creating a MEM security task through MDE recommendations

2. On the left most blade, click on Endpoints > Vulnerability Management > Recommendations.
3. Click on the recommendation to bring up the details.
4. Then click on Request remediation.


5. Make a note of  the remediation details and click next.


6. Provide the necessary details for creating a remediation request and opening a ticket in MEM.

7. Review and submit.


Once done, the activity will reflect under Remediation section on the Defender portal.


A security task will get created in MEM admin portal.


Security Tasks in Intune

Now that a security task has been created, the next step is to take action on the security task. After reviewing the details, click on Accept to move the status of the task from Pending to Active


Next step is to carry out the relevant remediation actions. In our case, even though the recommendation suggest to configure the registry setting, we are going to enable Controlled Folder Access using an Endpoint security policy as the setting is available in Intune natively.

1. On the MEM admin portal, navigate to Endpoint Security > Attack Surface Reduction.
2. Click on Create policy and select platform as Windows 10 and later.
3. Then select Attack Surface Reduction Rules under the profile.
5. Give a name and click next.
6. Under Configuration settings, select the following:


Note: You can configure other ASR settings if needed, but for all intent and purposes, I am just enabling Controlled Folder Access.

7. Assign to a device or user based group.

End Result

Once the devices sync, they will receive the policy and the detection for the exposed devices against the recommendation will drop.


The compliance for the setting can also be verified in MEM admin portal using the new reporting experience.


As the last step, complete the security task which will also update the status under the recommendations in the Defender portal.




Conclusion

It is important to note that vulnerabilities that are discovered, aren't based on configurations from Intune. They're based on Microsoft Defender for Endpoint configurations and scan details. Also, not all issues that Defender for Endpoint flags for remediation, support remediation through the creation of a security task for Intune. But the ones that are supported, can be addressed using the process covered in this blog.

Until next time..

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Intune: Configure Printers for Non-Administrative Users

Intune: UAC Elevation Prompt Behavior for Standard Users