If you are using Windows 365 Cloud PC and Azure Virtual Desktop, the Microsoft Defender for Endpoint (MDE) is a security solution designed for protecting endpoints, such as Windows 11/Windows 11 Mutli-Session computers, servers, Azure Virtual Desktops and more from various types of cyber threats. The main reason it’s evident to use MDE is that it seamlessly integrates with the solution with minimal to less effort compared to other solutions. This blog post will discuss how to get started with Microsoft Defender for Endpoint in the Windows 365 Cloud and Azure Virtual Desktop.
Prerequisites
- Rights to use and deploy Windows 365 Cloud PC and Azure Virtual Desktop and the ncessary licenses
- Microsoft Defender for Endpoint Plan 1 or Plan 2 depending upon the requirements and $$$.
- Make sure the license is available and listed Microsoft admin center
Enable MDE in Microsoft 365 Security Portal/Intune
To enable Microsoft Defender for Endpoint (MDE) in the Microsoft Defender Security Center, you need to follow these steps:
- Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
- Navigate to Settings and select Endpoints
- Click on On for Microsoft Intune Connection & Device Discovery
- Scroll to the bottom and select Save Preferences
We will manage the endpoints via Intune, so all the rest of the actions and fun will be within the https://endpoint.microsoft.com/ and Endpoint Security. After a brief period of 10-15 mins, you can see the connection status being Available and synchronized.
Create the Endpoint detection and response policy (onboarding)
Our environment is managed via Modern Management, and we don’t have the overhead of legacy setup. We will use the Intune Endpoint detection response (EDR) policy to onboard the devices. This is the simplest method as it doesn’t involve installing the agent manually or via GPOs.
Sign in to the Microsoft Endpoint Manager admin center.
- Login to the MEM Portal – https://endpoint.microsoft.com/
- Select Endpoint security > Endpoint detection and response > Create Policy.
- For Platform, select Windows 10, Windows 11, and Windows Servers.
- For Profile type, select Endpoint detection and response, and then select Create.
- Enter a Name – W365-AVD-EDR-P01 and description and choose Next
- Under the Configuration Settings
- MDE client configuration package type – Auto from connector (We are a 100% modern managed environment we can leverage this simple option)
- Sample Sharing – Not configured
- Telemetry Reporting Frequency – Expedite (We want reporting to be lightning-fast)
- Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
- Review and Create the policy and it will go ahead and enable MDE on the fleet.
- After sometime all your devices will show whether they are onboarded or not.
Many ways to carry out the onboarding. This is just one way and the most straightforward. Read more options here – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide
On the onboarded device, go and run the following command to verify the status
Get-MpComputerStatus
Device Compliance Policy (Update)
I already have my existing Windows 10/11 compliance policy after enabling MDE, and I will go ahead and update the compliance policy to accommodate the changes further. This will allow reporting within the tenant on what device compliance level the endpoints are on and whether corporate governance is maintained.
Create Antivirus Policy in Intune
The next step is creating the Antivirus (AV) Policy with the options that your organization demands. I am starting with a few, but remember most choices will require nailing out with internal security/endpoint/governance teams.
Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements.
Sign in to the Microsoft Endpoint Manager admin center.
- Login to the MEM Portal – https://endpoint.microsoft.com/
- Select Endpoint security > Antivirus > Create Policy.
- For Platform, select Windows 10, Windows 11, and Windows Servers.
- For Profile type, select Microsoft Defender Antivirus, and then select Create.
- Enter a Name – W365-AVD-AV-P01 and description and choose Next
- Under the Configuration Settings
| Configuration Settings | Status (Value) |
| Allow Archive Scanning (Scanning through zip and cab files) | Allowed |
| Allow Behaviour Monitoring | Allowed |
| Allow Cloud Protection (Joining Microsoft MAPS Community) | Allowed |
| Allow Email Scanning (Very useful if you are using Microsoft 365) | Allowed |
| Allow Full Scan Removable Drive Scanning (Scanning of Pen Drives) | Allowed |
| Allow Intrusion Prevention System | Allowed |
| Allow scanning of all downloaded files and attachments | Allowed |
| Allow Realtime Monitoring | Allowed |
| Cloud Block Level | High |
| Allow Users UI Access (Defender Client) | Allowed |
| Enable Network Protection | Enabled (Audit mode) |
| Avg CPU Load Factor | Enabled (30%) |
| Schedule Quick Scan Time | Enable (120) |
| Signature Update Interval | Enable (8 hours) |
- Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
- Review and Create the policy and it will go ahead and enable AV across the fleet.
- After sometime all your devices will show whether they are onboarded or not.
Create Attack surface reduction (ASR) Policy in Intune
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs. In my case I am starting with few, but remember most of the options will require nailing out with internal security/endpoint/governeance teams.
Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements. Here I would like to take the approach of Audit mode first, followed by adding exclusions to refine the block rules (production).
Sign in to the Microsoft Endpoint Manager admin center.
- Login to the MEM Portal – https://endpoint.microsoft.com/
- Select Endpoint security > Antivirus > Create Policy.
- For Platform, select Windows 10, Windows 11, and Windows Servers.
- For Profile type, select Attack Surface Reduction Rules, and then select Create.
- Enter a Name – W365-AVD-ASR-P01 and description and choose Next
- Under the Configuration Settings
| Configuration Settings | Status (Value) |
| Block Adobe Reader from creating child processes | Audit |
| Block execution of potentially obfuscated scripts | Audit |
| Block Win32 API calls from office macros | Audit |
| Block credential stealing from the Windows local security authority subsystem | Audit |
| Block JavaScript or VBScript from launching downloaded executable content | Audit |
| Block process creatons originating from PSExec and WMI commands | Audit |
| Block untrusted and unsigned processes that run from USB | Audit |
| Block abuse of exploited vulnerable signed drivers (Devices) | Audit |
- Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
- Review and Create the policy and it will go ahead and enable ASR across the fleet.
- After sometime all your devices will show whether they are onboarded or not.
References & Useful Links
| Useful Links | Credits |
| Microsoft Defender for Endpoint series – Tips and tricks/ common mistakes – Part10 (jeffreyappel.nl) – The most mind blowing and detailed blog post series on MDE. I think I only scratch the surface here however, Jeffrey takes an indept approach. | Jeffrey Appel |
| Configure Microsoft Defender for Endpoint in Intune | Microsoft |
| Defend Cloud PCs against threats with Microsoft Defender for Endpoint | Windows in the Cloud – YouTube | Christiaan Brinkhoff | LinkedIn and Paul Huijbregts | LinkedIn |
Next step, I plan to write a few blog posts on specific topics like URLs, Networks etc, blocking (TikTok, Facebook etc,) concerning MDE. I hope you will find this helpful information towards your journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Thanks,
Aresh Sarkari