MDMTechBlog


    Forum

    Explore the forum below to see what you want to do. Choose any Category and post your discussion, queries and ideas.

    Infrastructure

    Posts: 2

    Any new updates on the Intune infrastructure side, such as creating and testing devices. Queries and discussions on the infra side.

    Patching

    Posts: 1

    Do you have any issues related to patching? Post your queries here and we can have a discussion.

    Servicing

    Posts: 1

    Any updates on Windows Servicing, Intune Servicing or any other can be posted here.

    Software Distribution

    Posts: 0

    How-tos for deploying applications, packages and updates from Intune.

    Troubleshooting

    Posts: 1

    Knowledge base for any issues that you have successfully troubleshot. Post here and let's help each other.

    New Posts
    • devphoenix88
      Jun 12
      Configure Microsoft Defender Endpoint with Intune
      Infrastructure
      We know that we can integrate Microsoft Defender for Endpoint with Microsoft Intune. This is a Mobile Threat Defender solution for all the devices that you enroll in Intune. In this blog post I will just show you the process to configure Intune and then onboard devices into MD ATP. MD ATP is not only a good solution for Windows devices; it also acts as a pretty good threat defence solution for both iOS and Android. Even Mac devices can be onboarded into it, and you can create security baselines accordingly. So, without wasting much time, let's get into it. 😎

      Pre-Requisites

      Let's first check out the prerequisites and see which subscriptions we need.

      1. Microsoft Azure Premium P1/P2
      2. Microsoft Intune (M365 E5/EMS E5)
      3. Microsoft Defender for Endpoint P2 (if you want to manage endpoints from the security center, then please get this P2 license)

      If you are asking why P2, then just check out the table below and see the offerings from Microsoft. It's better to have more services, right? Yeah 😉

      Make sure you have the below license. This is a trial license for my lab purposes, but you now get an idea of which one to select for your tenant or Prod environment.

      At the end, when you check your license subscription, the screen should look something like this.

      NOTE: Instead of Developer E5 you should have M365 E5/EMS E5.

      Your end user should have licenses assigned like below:

      Configuring MS Defender for Endpoint with Intune

      Now, let's check out the process to configure MD ATP with Intune. At this stage the assumption is that you have let your devices enroll into Intune or, if you are migrating devices, that you are at least in the process of enrolling them using Hybrid Azure AD or Standalone Azure AD.

      When you open Intune and navigate to Endpoint Security > Microsoft Defender for Endpoint you will see something like below. There is another way to configure it, but let's just stick to our process; I feel this is the simple way to do it.

      When you are in the above screen, under Configuring Microsoft Defender for Endpoint click on the point number 1 link – Connect Microsoft Defender for Endpoint to Microsoft Intune in the Microsoft Defender Security Center. Also, if you scroll down on the same page, you will find another link under Common shared settings – Open the Microsoft Defender Security Center. Clicking on this link will also take you to the same page.

      When you have all the licenses assigned and configured and click on the above links, it will open Microsoft Security Center for you like this.

      NOTE: It takes around 24 hrs to enable this Endpoints tab. Also, under Settings, once you have purchased the P2 license it takes the mentioned time to enable the Endpoints tab.

      Next, on the right-hand side scroll down, find the Settings tab and click on it. The below screen appears.

      Click on Endpoints above; it will open a screen like below:

      Click on Advanced features, then check out the list. You have some very important features like Web content filtering, Device Discovery and Microsoft Intune Connection. Enable Microsoft Intune Connection from here. You can also enable other features as per your requirement.

      Once you enable it and click on Save Preferences, the below temporary pop-up will show that your settings are saved, and that's it, you are done configuring Intune with MD ATP.

      Now, once you are done with the above steps, go back to Intune and navigate back to Endpoint Security > Microsoft Defender for Endpoint. You will see that Connection Status is now shown as available, and there will be a date showing when it last synchronised.

      Under MDM Compliance Policy Settings enable each platform connection, and that's it, you are now ready to onboard devices from different platforms to MD ATP.

      On-Board Windows Devices to MD ATP

      When you enable this below button, Windows devices start onboarding to MD ATP automatically, but if you still face some issue then you can enable a configuration profile for Endpoint Detection and Response. Click on Create Policy on the above screen. This will help you create a config profile like below:

      Configure as per requirement, click Next and deploy to all Windows devices:

      NOTE: When you configure an EDR policy after connecting Intune and Microsoft Defender for Endpoint, the policy setting Microsoft Defender for Endpoint client configuration package type has a new configuration option: Auto from connector. With this option, Intune automatically gets the onboarding package (blob) from your Defender for Endpoint deployment, replacing the need to manually configure an Onboard package.

      You can also enable this using Group Policy in a Hybrid environment.

      Onboarding MacOS devices

      To onboard MacOS devices you would need to create an app and also configure some extensions. Follow the steps below to onboard Mac devices. This step enables deploying Microsoft Defender for Endpoint to enrolled machines.

      1. In the Microsoft Endpoint Manager admin center, open Apps.
      2. Select By platform > macOS > Add.
      3. Choose App type=macOS, click Select.
      4. Keep default values, click Next.
      5. Add assignments, click Next.
      6. Review and Create.
      7. You can visit Apps > By platform > macOS to see it on the list of all applications.

      Just deploying the app may not work, and you may also need to deploy different configuration profiles for Extensions. You need to send the Kernel Extension, approve System Extensions and also provide Full Disk Access to MDATP. Follow the below link for more details from Microsoft.

      https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-worldwide

      Onboard iOS and Android Devices

      In both these cases you can download the MD ATP app from the iOS App Store/Managed Google Play store, configure it with Intune and then deploy accordingly.

      For iOS devices you will find more information in this link: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-worldwide

      For Android devices find the steps and more information under: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide

      That's it for this time guys, hope this helps you configure Intune with MD ATP and onboard your devices. See you next time, until then, Cheers 🤔
      0 comments
      0
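A local check for the Windows onboarding step in the post above, as an added example that is not part of the original post: it confirms on the device itself that the Defender for Endpoint sensor is running and reports itself as onboarded. It assumes an elevated PowerShell 5.1+ session on the Windows client and is written so it can also serve as a detection script (exit code 1 means not onboarded).

```powershell
# Added example, not the post author's code.
# Verifies the two local signs of a successful Defender for Endpoint onboarding:
#   1. the EDR sensor service ("Sense") exists and is running
#   2. the sensor's Status registry key reports OnboardingState = 1

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Sensor service
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
if (-not $sense) {
    $findings.Add('Sense service is not present on this device.')
} elseif ($sense.Status -ne 'Running') {
    $findings.Add("Sense service is $($sense.Status), expected Running.")
}

# 2. Onboarding state written by the sensor after the onboarding blob is applied
$onboardingState = $null
$orgId           = $null
if (Test-Path -Path $statusKey) {
    $status          = Get-ItemProperty -Path $statusKey
    $onboardingState = $status.OnboardingState
    $orgId           = $status.OrgId   # tenant the sensor reports to; compare with your own
    if ($onboardingState -ne 1) {
        $findings.Add("OnboardingState is '$onboardingState', expected 1.")
    }
} else {
    $findings.Add('Status registry key is missing; onboarding package was never applied.')
}

$report = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    SenseService    = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
    OnboardingState = $onboardingState
    OrgId           = $orgId
    Onboarded       = ($findings.Count -eq 0)
    Findings        = ($findings -join ' | ')
}
$report | Format-List

# Exit code for use as a detection script: 0 = onboarded, 1 = needs attention
if ($report.Onboarded) { exit 0 } else { exit 1 }
```

Save it as a .ps1 file before running, since the final `exit` closes an interactive session if the lines are pasted directly.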
    • devphoenix88
      Jan 02
      Intune Windows Update for Business and Setting Servicing Channels
      Patching
      As we all know, recently Intune has changed many features; well, to be accurate, added some features and removed some features. One of the features that got removed recently is setting up the servicing channel for Windows Update for Business. To be honest, I liked this feature previously and it was good that everything was in one place and I could select my servicing channel from one place.

      Under Update rings for Windows 10 we could see the below feature available:

      But now, from the latest update of Intune, this feature is gone. It is not properly mentioned and documented by Microsoft that they have removed this. When we reached out to Microsoft regarding this, they mentioned that many of the features that were not popularly used have been removed from this latest version. I was really in shock that this really was not a popular property. 😣 But we had to accept and move on 😏 and find other ways to set it.

      Well, since we are talking about ways to move on and other ways to set it, there is one which I feel is good if you want these to be pushed from Intune and not using Group Policies. This is helpful for those who use Standalone Intune to manage their Windows 10/11 devices. Let's see now how we can still set the Windows Servicing Channels without Group Policies.

      1. Navigate to Devices - Windows - Configuration profiles - click on Create Profile.
      2. From the new blade on the right-hand side, drop down Platform, select Windows 10 and later - under Profile Types select Settings Catalog (preview) - click on Create.
      3. Provide a proper Name and Description and click Next.
      4. Under Configuration Settings click on Add Settings.
      5. A new blade for the Settings Picker will open on the right. Now either search for the Category required or just scroll down the list and select Windows Update for Business (WUfB). When you select WUfB, there will be 62 settings under it. For this blog I am only choosing the one setting that is required, but you can go ahead and check all the settings that are required.
      6. For setting up the servicing channel, you will see that Branch Readiness Level is the one where you get that option, with a drop-down to choose from. Check the setting from below and, once you have selected the required settings, close the Settings Picker.
      7. Under Configuration settings you can now find the Branch Readiness Level drop-down options like below:

      Please make a note here, which is very important: if you select Semi-annual Channel, it's only applicable till 1903. After 1903, Semi-annual Channel and Semi-annual Targeted have been merged into one and their value is 16. So, choose your options wisely.

      8. After selecting your channel, select Next and choose groups to assign deployments to. Use Device groups for this kind of deployment. Click on Next to move on.
      9. Select Scope tags, if any, and then click Next.
      10. Review the settings you selected and click on Create.

      That's all folks, you have selected the servicing channel with an alternate option and deployed it in your environment. If you have other ways to set it up, let me know. Also, let's wait for Microsoft to provide better options with Windows Update for Business. See you guys next time then with some new blog post. 😉 😎
      0 comments
      0
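To confirm on a device that the Branch Readiness Level profile from the post above has landed, and to catch the 1903 caveat the post warns about, here is an added example that is not part of the original post. It assumes the MDM policy is stored under the PolicyManager registry hive on the client; the channel labels follow the Policy CSP values for Update/BranchReadinessLevel, and the function name and sample build number are constructed for illustration.

```powershell
# Added example, not the post author's code.
# Reads the Branch Readiness Level that MDM applied and flags values that do not
# fit the OS build, e.g. 32 (Semi-Annual Channel) on a build newer than 1903.

$policyKey    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$build1903    = 18362          # Windows 10 version 1903
$channelNames = @{
    2  = 'Windows Insider - Fast'
    4  = 'Windows Insider - Slow'
    8  = 'Release Preview'
    16 = 'Semi-Annual Channel (Targeted on 1903 and earlier)'
    32 = 'Semi-Annual Channel (1903 and earlier only)'
}

# Hypothetical helper name; evaluates one level against one OS build.
function Test-BranchReadinessLevel {
    param(
        [Parameter(Mandatory)][int]$Level,
        [Parameter(Mandatory)][int]$OsBuild
    )
    $warning = $null
    if (-not $channelNames.ContainsKey($Level)) {
        $warning = "Value $Level is not a defined Branch Readiness Level."
    } elseif ($Level -eq 32 -and $OsBuild -gt $build1903) {
        $warning = 'Value 32 only applies up to 1903; use 16 on this build.'
    }
    [pscustomobject]@{
        Level   = $Level
        Channel = if ($channelNames.ContainsKey($Level)) { $channelNames[$Level] } else { 'Unknown' }
        OsBuild = $OsBuild
        Valid   = ($null -eq $warning)
        Warning = $warning
    }
}

# Live check on the current device
$applied = Get-ItemProperty -Path $policyKey -Name 'BranchReadinessLevel' -ErrorAction SilentlyContinue
if ($applied) {
    Test-BranchReadinessLevel -Level $applied.BranchReadinessLevel `
                              -OsBuild ([Environment]::OSVersion.Version.Build)
} else {
    Write-Output 'No BranchReadinessLevel policy has been applied to this device yet.'
}

# Constructed sample: a profile set to 32 on a post-1903 build is flagged
Test-BranchReadinessLevel -Level 32 -OsBuild 19045
```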
    • devphoenix88
      Aug 25, 2021
      Create Intune Custom Dashboards Using Power BI Desktop
      Servicing
      When you start managing devices from Intune, obviously you would start having a requirement to check reports for various purposes. For example, if you are doing patching using WUfB you need to check how many devices are compliant; if you are deploying an application you may want to check its compliance count. We had many reports in MECM which made our tasks easy. But in Intune I still feel we lack a few important reports. Yes, we do have many reports under Device Monitoring, but we may still need to create some dashboards as per our requirements.

      Now, Intune may not have many inbuilt reports, but it certainly gives you the opportunity to build some dashboards by exploring the Data Warehouse data model, which you can get access to. This blog post helps you reach the point where you should be able to create a report or dashboard. It seemed pretty straightforward to me. So, here we go...

      The first thing you would require here is the Power BI Desktop app. That's free; either download and install it from the App store, or check the below link and download and manually install the latest version: https://powerbi.microsoft.com/en-us/downloads/

      When the installation is complete and you have opened the app, you will find the below screen.

      There are generally 2 ways to connect to the OData feed of Intune: by clicking on Get Data from the Home menu, or by clicking on Get data from another source, pointed to by the red arrow above. Both will open the same window like below.

      So, when you see this window, go to the last option, Other, and select OData Feed.

      When you click on this it will ask you for the link of the OData feed:

      Select Basic or Advanced as per your need; I am gonna go with Basic for demo purposes.

      To get the URL for the OData feed of Intune you need to go to your Intune console -> go to Reports -> under Intune Data Warehouse select Data Warehouse and then copy the URL from OData feed for reporting service.

      Now come back to Power BI Desktop, paste the URL in the required window and click OK.

      A new window opens for authentication and it will ask you to sign in to connect to this OData feed. Now, remember here to use Organizational account, then click on Sign In and provide your creds for Intune. Make sure you have enough permissions to do this in Intune when doing it in Production.

      In my test environment I have not faced any issue with the connection or any slowness, but when I tried to connect using my prod credentials it threw an error one time and the loading of tables or data seemed a bit laggy. But it can be anything; maybe my internet connection was not good enough. 😂

      Anyways, you will now see the tables loading with all the required data under Navigator. Looking pretty good up until now, huh. 😎

      If you want to check some data in these tables, just click on any one and you can see, like above, the corresponding values stored in them on the right-hand side.

      Now, if you want to create a dashboard, just select the tables based on your requirement, and you will see the check boxes highlighted once you select them. Once done, click on Load. This will begin to load your tables with values into your workspace.

      When loading of the data is complete you can then work with it. Click on Visualisations to select the type of graph or data representation according to your needs, and then work with columns under Fields and create your own dashboards like below:

      That's it, done. Now you can create your own dashboards/reports as per your requirement. I am not that good with Power BI, so digging down deep to create reports and dashboards is a lil difficult for me here, but you guys are experts, so go on and create reports and help people like me in need. 😊

      That will be all folks for this time, see you guys in my next post. Until then, Cheers 😉
      0 comments
      0

    © 2023 by MDMTech. Proudly created with Wix.com
