App Categories within Intune – Manage applications

An organization with many apps can become overwhelming for users. To help users find an app in the company portal, you can assign apps to one or more categories, such as Accounting apps or Marketing apps.
When adding apps, you can assign a category in Intune using the following procedure:

  1. Sign in to the Microsoft Intune admin center as a Global Administrator.
  2. Select Apps, then select App categories.
  3. The App categories pane displays a list of current categories.
  4. To add a category, select Add in the Create category pane, and then provide a name for the category.
  5. To edit a category, select the ellipsis (…) next to the category, and then select Pin to dashboard or Delete.
  6. Select Create.

Add Android store apps to Microsoft Intune
Use the following procedure to add an Android store app to Intune:

  1. Sign in to the Microsoft Intune admin center as a Global Administrator.
  2. Select Apps > All apps > Add.
  3. In the Select app type pane, under Store app, select Android store app.
  4. Click Select.
  5. To configure the app information for the Android app, you must provide the Google Play store’s app details. (The Google Play store is located at https://play.google.com.)
  6. In the App information page, add the app details, as shown in Figure 4-18:
    • Name
    • Description
    • Publisher
    • Appstore URL
    • Minimum operating system
    • Category (Optional)
    • Show this as a featured app in the Company Portal
    • Information URL (Optional)
    • Privacy URL (Optional)
    • Developer (Optional)
    • Owner (Optional)
    • Notes (Optional)
    • Logo (Optional)

FIGURE 4-18 Adding a Windows 10 Line-of-business app

  7. Select Next.
  8. On the Assignments page, select the group assignments for the app and select Next.
  9. On the Review + create page, review the values and settings you entered for the app and select Create to add the app to Intune.
  10. The app’s Overview blade is displayed.

Configure policies for Office apps by using Group Policy or Intune – Manage applications-2

Verify that the Administrative Templates installation is successful by viewing the new templates within Group Policy Management using the following steps.

  1. On your domain controller, select Start > Windows Administrative Tools > Group Policy Management.
  2. Right-click the Default Domain Policy and click Edit.
  3. Expand the Computer Configuration\Policies\Administrative Templates Policy definitions folder.
  4. You should see Office policies appear in the Group Policy Management console, as shown in Figure 4-14.

FIGURE 4-14 Verify Office Administrative Templates

  5. You can verify that Office policies also appear in the User Configuration\Policies\Administrative Templates folder.
  6. The policies can now be configured using Group Policy.

Once you have installed the Administrative Template files for Microsoft Office, you can manage Microsoft Office settings with Group Policy. Group Policy allows you to control thousands of settings by configuring Group Policy Objects (GPO) in the Group Policy Management Console and then applying the GPOs to users and devices in your domain.

In the following example, we will create a new policy to enable week numbers in the Outlook calendar using the following procedure.

  1. On your domain controller, select Start, Windows Administrative Tools, Group Policy Management.
  2. Expand the Group Policy Management tree, right-click Group Policy Objects, and click New.
  3. Name the new GPO User_Outlook and select OK.
  4. Expand Group Policy Objects. Right-click User_Outlook GPO and select GPO Status. Ensure that Computer Configuration Settings is set to Disabled.
  5. Right-click User_Outlook and click Edit.
  6. In the Group Policy Management Editor, navigate to User Configuration\Policies\Administrative Templates to view the Microsoft Office ADMX templates you imported earlier.
  7. Navigate to User Configuration\Policies\Administrative Templates\Microsoft Outlook 2016\Outlook Options\Preferences\Calendar Options and double-click Calendar week numbers.
  8. Select Enabled and select OK, as shown in Figure 4-15.

FIGURE 4-15 Enable the Outlook week numbers Group Policy setting

  9. Close the Group Policy Management Editor.
  10. In Group Policy Management, right-click the Organizational Unit (OU) containing the users to which you want the GPO to apply and select Link an Existing GPO.
  11. On the Select GPO dialog box, select the User_Outlook GPO and select OK.

The Group Policy is now configured and will be applied to users within the OU when they next log in to their Windows computers. By default, Group Policy refreshes in the background every 90 minutes. You can force an individual computer to update the policies by using the gpupdate /force command from an elevated command prompt. You can then start Outlook and verify that the calendar week numbers are visible, as shown in Figure 4-16.

FIGURE 4-16 Display week numbers in Outlook
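As an added example (not from the book), the following PowerShell checks the procedure above from both ends: on the domain controller it confirms that the User_Outlook GPO has computer settings disabled and is linked to at least one OU, and on a client it forces a user policy refresh and reads the resulting policy value. It assumes that the "Calendar week numbers" ADMX setting writes a REG_DWORD named WeekNum under HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Calendar; confirm that mapping against your own ADMX files before relying on it.

```powershell
<#
  Added example, not from the book. Verifies the User_Outlook GPO described above.
  Run with -Role DC on a domain controller (or any host with the GroupPolicy RSAT
  module) and with -Role Client as a user in the linked OU.
  ASSUMPTION: the "Calendar week numbers" ADMX setting writes REG_DWORD WeekNum = 1
  under the Outlook 16.0 Calendar policy key; check the ADMX if your value differs.
#>
param(
    [ValidateSet('DC', 'Client')]
    [string]$Role = 'Client',
    [string]$GpoName = 'User_Outlook'
)

function Test-OutlookGpoOnDC {
    param([string]$Name)
    Import-Module GroupPolicy -ErrorAction Stop

    $gpo = Get-GPO -Name $Name -ErrorAction Stop

    # Step 4 of the procedure: computer settings disabled, so the GPO carries user settings only.
    if ($gpo.GpoStatus -eq 'ComputerSettingsDisabled') {
        Write-Host "GpoStatus: $($gpo.GpoStatus) (OK)"
    } else {
        Write-Warning "GpoStatus is $($gpo.GpoStatus); expected ComputerSettingsDisabled."
    }

    # The XML report lists every site, domain or OU the GPO is linked to (steps 10-11).
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ })
    if ($links.Count -eq 0) {
        Write-Warning "GPO '$Name' is not linked anywhere; complete the 'Link an Existing GPO' step."
        return $false
    }
    foreach ($link in $links) {
        Write-Host ("Linked to {0} (link enabled: {1})" -f $link.SOMPath, $link.Enabled)
    }
    return $true
}

function Test-OutlookWeekNumbersOnClient {
    # Foreground refresh of user policy instead of waiting for the 90-minute background cycle.
    & gpupdate.exe /target:user /force | Out-Null

    # ASSUMPTION (see header): policy value written by the "Calendar week numbers" setting.
    $key  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Calendar'
    $item = Get-ItemProperty -Path $key -Name WeekNum -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "WeekNum not present under $key. Is this user in the linked OU? Compare with 'gpresult /r /scope:user'."
        return $false
    }
    Write-Host "WeekNum = $($item.WeekNum)"
    return ($item.WeekNum -eq 1)
}

switch ($Role) {
    'DC'     { Test-OutlookGpoOnDC -Name $GpoName }
    'Client' { Test-OutlookWeekNumbersOnClient }
}
```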

Note Microsoft 365 Apps ADMX/ADML Templates

The Group Policy settings you configure for Microsoft 365 Apps are included in the Administrative Template files (ADMX/ADML) for Microsoft 365 Apps. You configure the Microsoft 365 Apps settings using the Microsoft Office 2016 settings in Group Policy.

Deploy and update apps for all supported device platforms – Manage applications-2

In an earlier version of Intune, the following settings were also accessible through the Apps node. However, they now reside in the Tenant Administration node. Select Tenant Administration, and then select Connectors And Tokens. In this node, the following app-related options are available:

  • Windows enterprise certificate Enables you to view and apply your code-signing certificate. This certificate is used to distribute your line-of-business (LOB) apps to managed Windows devices.
  • Windows 365 Citrix connector Enables you to integrate Citrix Cloud with Windows 365 to access Citrix HDX technologies for enhanced Cloud PC security and manageability.
  • Apple VPP Tokens Enables you to view and apply your iOS Volume Purchase Program (VPP) licenses.
  • Managed Google Play Enables you to approve Google Android apps for your organization.

Other options are accessible in Connectors and Tokens, but they do not relate to app management.

Need More Review? What is Microsoft Intune APP Management?

To review further details about using Intune for app management, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/apps/app-management.

When you deploy apps to your devices, there are several different app types that you can select, as shown in Figure 4-2.

FIGURE 4-2 Adding a new client app

These app types are as follows:

  • Store App Use this option to deploy apps to your users’ devices to avoid requiring users to directly deploy the apps from the specified store. The available options are as follows:
    • Android store app Enter the app’s Google Play Appstore URL and then define its minimum operating system level.
    • iOS store app Enter a search string, and search the Apple Store directly for the appropriate app. Then configure the requirements for the app, including the operating system version.
    • Microsoft Store app (new) Enter the app’s URL.
    • Microsoft Store app (legacy) Enter the app’s URL.
    • Managed Google Play app Approve apps in Managed Google Play and then assign the apps.
  • Microsoft 365 Apps Use this option to assign Microsoft 365 apps to your users’ devices. Available options are:
    • Windows 10 and later Specify which apps within Microsoft 365 you want to deploy. Then define a suite name, description, and options, such as whether the app suite will be displayed in the Company Portal. You also must choose the architecture (32-bit or 64-bit), Update channel [Current Channel (Preview), Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel (Preview), and Semi-Annual Enterprise Channel], and other options (Software License Terms Acceptance and Languages).
    • macOS You cannot control which apps are deployed from the suite. However, you must define a name, description, and whether the app displays in the Company Portal.
  • Microsoft Edge, version 77 and later
    • Windows 10 and later Add Microsoft Edge for Windows to install the Microsoft Edge browser on managed devices running Windows 10 or later.
    • macOS Add Microsoft Edge for macOS to install the Microsoft Edge browser on managed macOS devices.
  • Microsoft Defender for Endpoint
    • macOS Add Microsoft Defender for Endpoint to managed macOS devices.
  • Web Application
    • iOS/iPadOS web clip Add a website URL into App information to place a shortcut to the web clip on the Home screen.
    • Windows web link Add a website URL into App information. A shortcut to the website is added to the Start menu.
  • Other Use for any other type of app. The options are as follows:
    • Web link Use to assign a web app for which you have a valid URL. These are client-server apps, and the URL identifies the server that contains the web app.
    • Built-In app Use to assign curated apps to iOS or Android devices. After you assign the app(s), it appears as either a built-in iOS app or a built-in Android app.
    • Line-of-business app Use to assign a Line-Of-Business (LOB) app. You can use this approach to sideload apps for which you have the application package file. Windows devices use .appx packages. Browse and select the package file, then configure supplemental options such as category and description.
    • Windows app (Win32) Use to assign apps to Windows devices. Like an LOB app, you browse and select the package file (in this case, a file with an .intunewin file extension), then complete the configuration as above. Note that to create a file with the appropriate extension, you must convert your Win32 app to the Intune format using the Microsoft Win32 Content Prep Tool. This tool packages the app correctly for upload to Intune and is available at https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool.
    • macOS app (DMG) To add a macOS application, upload the app’s installation file. Intune supports .dmg files containing .app files.
    • Android Enterprise system app Use to assign an Android Enterprise system app to your users’ devices.
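As an added example (not from the book or the tool's own documentation), the following PowerShell wraps the Microsoft Win32 Content Prep Tool to produce the .intunewin file that the Windows app (Win32) type expects, checks that the package was actually produced, and records the hashes of the installer and the package so the upload can be traced back to a known source. IntuneWinAppUtil.exe is downloaded separately from the GitHub repository above; all paths in the script are placeholders.

```powershell
<#
  Added example, not from the book. Wraps IntuneWinAppUtil.exe (Microsoft Win32
  Content Prep Tool) and verifies its output. Paths are placeholders.
#>
function New-IntuneWinPackage {
    param(
        [Parameter(Mandatory)][string]$ToolPath,      # e.g. C:\Tools\IntuneWinAppUtil.exe
        [Parameter(Mandatory)][string]$SourceFolder,  # folder holding the installer and its dependencies
        [Parameter(Mandatory)][string]$SetupFile,     # installer file name inside $SourceFolder
        [Parameter(Mandatory)][string]$OutputFolder   # where the .intunewin file is written
    )

    foreach ($p in @($ToolPath, $SourceFolder)) {
        if (-not (Test-Path -Path $p)) { throw "Not found: $p" }
    }
    $setupPath = Join-Path -Path $SourceFolder -ChildPath $SetupFile
    if (-not (Test-Path -Path $setupPath)) { throw "Setup file not found: $setupPath" }
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # Tool switches: -c source folder, -s setup file, -o output folder, -q quiet (no prompts).
    & $ToolPath -c $SourceFolder -s $SetupFile -o $OutputFolder -q
    if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil exited with code $LASTEXITCODE" }

    # The tool names the package after the setup file, with the .intunewin extension.
    $packageName = [IO.Path]::GetFileNameWithoutExtension($SetupFile) + '.intunewin'
    $package = Join-Path -Path $OutputFolder -ChildPath $packageName
    if (-not (Test-Path -Path $package)) { throw "Expected package was not produced: $package" }

    # Hashes let you tie the uploaded package back to the exact installer you packaged.
    [pscustomobject]@{
        Package         = $package
        PackageSha256   = (Get-FileHash -Path $package -Algorithm SHA256).Hash
        InstallerSha256 = (Get-FileHash -Path $setupPath -Algorithm SHA256).Hash
        SizeMB          = [math]::Round((Get-Item -Path $package).Length / 1MB, 2)
    }
}

# Example call with placeholder paths:
New-IntuneWinPackage -ToolPath 'C:\Tools\IntuneWinAppUtil.exe' `
                     -SourceFolder 'C:\Source\MyApp' `
                     -SetupFile 'setup.msi' `
                     -OutputFolder 'C:\Packages'
```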

Thought experiment answers – Manage, maintain, and protect devices

This section contains the solution to the thought experiment. Each answer explains why the answer choice is correct.

Scenario 1

  1. Microsoft Intune with Mobile Device Management enabled.
  2. Enable and configure Windows Autoenrollment.
  3. You require an Apple MDM Push Certificate for your organization.

Scenario 2

  1. You can monitor Threat Agent Status to determine the current status of Microsoft Defender on your users’ enrolled Windows devices.
  2. You can use the Microsoft Intune admin center to create an Endpoint Protection Profile that contains the necessary Microsoft Defender Application Guard settings and assign the profile to the appropriate group(s) of devices.
  3. In the Microsoft Intune admin center, create a Device Enrollment Restriction and define a Platform Restriction that prevents the enrollment of Android devices.

Scenario 3

  1. You should configure Delivery Optimization and select that updates are downloaded from Devices on my local network on all devices except one device, which needs to receive the updates from the Microsoft update service.
  2. You can implement Delivery Optimization for the head office devices so that updates are received from other devices on the network. You can also configure bandwidth optimization measures that restrict the bandwidth consumed by updates during defined business hours.
  3. You should install Windows 11 Enterprise, version 22H2 (General Availability Channel), and then implement policy using Windows Update to defer Windows Feature Updates for the maximum allowed duration of 365 days.
  4. Enroll into the Windows Insider Program and install Windows 11 preview builds. Test these builds for compatibility issues. This should allow you to be ready to test the next General Availability Channel release and obtain compliance sign-off.

Scenario 4

  1. You could implement Microsoft Tunnel for Intune. Microsoft Tunnel provides a VPN gateway for Android and iOS devices in your organization for access to on-premises resources.
  2. You must perform the following high-level steps:
    • Create a server configuration on Intune.
    • Create a site in Intune.
    • Install a Microsoft Tunnel Gateway on a Linux server in your on-premises environment (by using an Intune script).
    • Deploy the Microsoft Tunnel client app to your iOS and Android devices.
    • Create and deploy VPN profiles to your iOS and Android devices.

Review and respond to device issues identified in the Microsoft Defender Vulnerability Management dashboard – Manage, maintain, and protect devices

The Microsoft Defender Vulnerability Management Dashboard in Microsoft 365 Defender provides a wide variety of useful information that can help you identify issues and respond to those issues. Figure 3-64 displays a typical dashboard for an enterprise organization.

FIGURE 3-64 Reviewing the Microsoft Defender Vulnerability Management Dashboard

Use the information summary in Table 3-20 to determine how to use the Microsoft Defender Vulnerability Management Dashboard.

TABLE 3-20 The features and elements in the Microsoft Defender Vulnerability Management Dashboard

  • Selected device groups (#/#): Enables you to filter the data you want to review.
  • Organization exposure score: Displays a headline figure that indicates your organization’s device exposure to threats and vulnerabilities. Click Improve score to review insights that can help you improve the score and your security posture.
  • Microsoft Secure Score for Devices: Enables you to review the security relating to your organization’s operating system, applications, network, accounts, and security controls. Again, you can use the Improve score link to review insights and suggestions for improvements in this area.
  • Device exposure distribution: Displays the number of devices that are exposed to threats based on their configuration, presented graphically as a doughnut chart. By selecting sections of the chart, you can review:
    • Device names
    • Exposure level and risk levels
    • Details such as operating system, health state, and tags
  • Expiring certificates: Displays a list of expired certificates or those imminently expiring in the next 30, 60, or 90 days.
  • Top security recommendations: Review top recommendations for improving the security posture of your organization’s devices.
  • Top vulnerable software: Review your software inventory and identify those apps with security vulnerabilities.
  • Top remediation activities: Review the recommended security remediations in one convenient location. This enables you to track changes more easily as you make them.
  • Top exposed devices: Review devices, and their details, that have a high security exposure score. From Device details, you can:
    • Manage tags
    • Initiate automated investigations
    • Initiate a live response session
    • Collect an investigation package
    • Run antivirus scan
    • Restrict app execution
    • Isolate devices

Need More Review? Dashboard Insights

To learn more about the dashboard in Microsoft Defender, refer to the Microsoft website at https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/tvm-dashboard-insights.

Chapter summary

  • Intune device configuration policies are used to configure device settings using MDM.
  • Intune can deploy PowerShell scripts to Windows devices using an MDM extension. This allows administrators to deploy Win32 apps if required.
  • Scope tags are used to assign and filter Intune policies to specific Azure AD groups.
  • You can configure custom policies with Intune by configuring an Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy.
  • Microsoft Defender Credential Guard requires a TPM and virtualization features to be enabled in a 64-bit edition of either Windows 11 Enterprise or Windows 11 Education.
  • Microsoft Defender Exploit Guard consists of four components: Exploit Protection, Attack Surface Reduction Rules, Network Protection, and Controlled Folder Access.
  • Microsoft Defender Application Guard has similar requirements to Credential Guard, enabling you to open new browser windows in a virtualized environment.
  • Microsoft Defender Application Control lets you determine which apps are safe to run in your organization.
  • Most of these Windows Defender features are managed through Windows PowerShell, Group Policy, and Microsoft Intune.
  • Automatic enrollment lets you enroll Windows devices when they register with or join Azure AD.
  • Device Enrollment Manager Accounts enable a specified account to enroll up to 1,000 devices.
  • There are a number of ways to enroll Windows devices:
    • Add a Work Or School account
    • Enroll In MDM Only (user-driven)
    • Azure AD Join during OOBE
    • Azure AD Join using Windows Autopilot
    • Enroll In MDM only (using a Device Enrollment Manager)
    • Azure AD Join using bulk enrollment
  • To enroll Android and iOS devices, you can download the Company Portal app from the relevant device store and sign in to the app using an organizational or school account.
  • Log Analytics requires an Azure subscription.
  • Windows Update Delivery Optimization is a method of peer-to-peer sharing of Windows update files.
  • Administrators can use Intune to centrally configure and manage Windows Update behavior and Windows Update Delivery Optimization settings.
  • Scope tags enable you to more specifically target the application of configuration profiles.
  • You can configure Kiosk mode by using the Settings app and by using Intune.
  • The Microsoft Tunnel for Intune enables iOS and Android devices to access your on-premises resources and apps.
  • You can use Endpoint analytics to gain insights into Startup Performance, Proactive remediations, Recommended software, and Application reliability.
  • You configure the application of updates for iOS, macOS, and Windows by using update rings in Intune.
  • You configure the application of updates for Android by using a Device Restrictions configuration profile.
  • Microsoft Defender Exploit Guard provides four functions: Exploit protection, Attack surface reduction rules, Network protection, and Controlled folder access.

Update a profile – Manage, maintain, and protect devices

If you create a profile on an earlier baseline and Microsoft releases a newer version of that baseline, you might decide to update the profiles. However, existing profiles do not update automatically.

In fact, profiles using an older version of a baseline become read-only. They can still be used to secure your devices, and you can edit their name, description, and assignments. But you should consider updating them to the new baseline.

If Microsoft releases a baseline update, you can choose to update the baseline version used for a profile. You do this by using the following procedure:

  1. In the Microsoft Intune admin center, navigate to Endpoint security.
  2. Select Security baselines.
  3. Select the appropriate baseline.
  4. Select the check box next to the target profile.
  5. Click Change Version on the toolbar (see Figure 3-63).

FIGURE 3-63 Changing the version for a security profile based on a baseline

  6. If a new baseline is available (none are in the screenshot), then choose either
    • Accept baseline changes but keep my existing setting customizations
    • Accept baseline changes and discard existing setting customizations
  7. Click Submit.

Need More Review? Use Security Baselines to Configure Windows Devices in Intune

To review further details about managing security baselines, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/protect/security-baselines.

Onboard devices to Defender for Endpoint

Microsoft Defender for Endpoint (formerly Windows Defender Advanced Threat Protection) is a security platform built into Windows 11 and integrated with Microsoft cloud-based security services. Microsoft Defender for Endpoint integrates many of the security features we have already discussed to help you secure your devices.

Requirements

To use Microsoft Defender for Endpoint, you require one of the following Microsoft Volume licensing options:

  • Windows 10/11 Enterprise E5
  • Windows 10/11 Education A5
  • Microsoft 365 E5 (M365 E5), which includes Windows 11 Enterprise E5
  • Microsoft 365 A5 (M365 A5)
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 Security
  • Microsoft Defender for Endpoint

The Portal

You use the Microsoft 365 Defender portal to manage Microsoft Defender for Endpoint settings and to view reports and alerts. You can access the portal at https://securitycenter.windows.com.

Need More Review? Microsoft Defender for Endpoint Portal Overview

To learn how to use the portal, refer to the Microsoft website at https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mde.

Implement and manage security baselines in Microsoft Intune – Manage, maintain, and protect devices

Implementing security and related settings is one of the more important tasks you’ll need to perform. As discussed, Microsoft has begun consolidating the security-related settings into a single Intune: Endpoint security folder.

Here, you’ll find options to manage the various security settings we’ve been discussing. But you’ll also find a link to review security baselines.

You can use the security baselines to manage and monitor the security status of enrolled devices within your organization. By default, there are three security baselines, as shown in Figure 3-61:

  • Security Baseline for Windows 10 and later
  • Microsoft Defender for Endpoint Baseline
  • Microsoft Edge Baseline
  • Windows 365 Security Baseline

FIGURE 3-61 Configuring Security Baselines in Intune

The security baselines provide preconfigured groups of settings that enable you to configure security on your devices more easily. When you create and apply a security baseline profile, you create multiple device configuration profiles.

Periodically, Microsoft releases new baselines. When viewing profile details, the baseline used is identified in the Current Baseline column, displayed in Figure 3-62.

FIGURE 3-62 Reviewing versions for a security baseline

Create a profile

To create a profile based on a security baseline, use the following procedure:

  1. In the Microsoft Intune admin center, select Endpoint security in the navigation pane.
  2. Select Security baselines, and then select the appropriate baseline.
  3. Select the Profiles tab, and then select Create profile.
  4. On the Create profile page, on the Basics tab, enter the Name and Description and select Next.
  5. On the Configuration settings tab, configure the appropriate settings. These will vary based on the baseline you select. When you’ve completed the configuration, select Next.
  6. Optionally, use the Scope tags tab to scope the profile, select Next, and then assign the profile in the usual way.
  7. Select Next, and then on the Review + create tab, select Create.

Your profile displays in the list of profiles. Notice that the Current Baseline column indicates the baseline used to create the profile.

Setup and onboarding – Manage, maintain, and protect devices

To onboard your devices, use the following procedure:

  1. In the Microsoft Intune admin center, navigate to Endpoint security.
  2. Select Microsoft Defender for Endpoint.
  3. In the Details pane, click the link for Connect Microsoft Defender for Endpoint to Microsoft Intune in the Microsoft Defender Security Center.
  4. In Microsoft 365 Defender, select Settings > Endpoints > Advanced features.
  5. Turn on the Microsoft Intune connection.
  6. Click Save preferences.

After you’ve enabled the connection, Microsoft 365 Defender sends an onboarding configuration package to Intune. Deploy this package to your Windows devices. Alternatively, you can create and assign an Endpoint detection and response profile from Endpoint security in Intune. Use the following procedure:

  1. In the Microsoft Intune admin center, navigate to Endpoint security.
  2. Select Endpoint detection and response.
  3. In the details pane, click Create Policy.
  4. On the Create a profile page, in Platform, select Windows 10 and later.
  5. In the Profile, select Endpoint detection and response, and then select Create.
  6. On the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings page, in the Microsoft Defender for Endpoint client configuration package type list, choose the appropriate file type, and then browse and select the onboarding file. Click Next.
  8. Configure scope tags and assignments, and then Create the profile.
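Once the onboarding package has reached a device, whether deployed directly or through the Endpoint detection and response profile, you will want to confirm that the sensor is actually running. The following PowerShell is an added example (not from the book): run it in an elevated session on a target Windows device. It reads the Sense service state, the OnboardingState value Defender for Endpoint writes once onboarding completes, the Defender Antivirus running mode, and the MDM enrollment URL reported by dsregcmd.

```powershell
<#
  Added example, not from the book. Reports whether a Windows device has been
  onboarded to Microsoft Defender for Endpoint. Run from an elevated session.
#>
function Get-MdeOnboardingStatus {
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # The Defender for Endpoint sensor runs as the "Sense" service
    # (Windows Defender Advanced Threat Protection Service).
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseService = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # OnboardingState = 1 is written once the onboarding package has been applied.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = if ($null -ne $state) { $state } else { 'NotSet' }

    # Defender Antivirus should be Normal or Passive; EDR depends on the AV engine being present.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.AMRunningMode          = $mp.AMRunningMode
        $result.RealTimeProtection     = $mp.RealTimeProtectionEnabled
        $result.AntivirusSignatureAge  = $mp.AntivirusSignatureAge
    } else {
        $result.AMRunningMode = 'Unavailable'
    }

    # The Intune connection delivers the package, so the device should report an MDM URL.
    $mdm = (& dsregcmd.exe /status) | Select-String -Pattern '^\s*MdmUrl\s*:\s*(.+)$'
    $result.MdmUrl = if ($mdm) { $mdm.Matches[0].Groups[1].Value.Trim() } else { 'None' }

    # Overall verdict: sensor running and onboarding state recorded.
    $result.Onboarded = ($sense -and $sense.Status -eq 'Running' -and $state -eq 1)

    [pscustomobject]$result
}

Get-MdeOnboardingStatus | Format-List
```

A device that shows Onboarded = False with OnboardingState NotSet has not yet received or applied the package; check the profile assignment and the device's policy sync in Intune before looking at the sensor itself.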

Need More Review? Configure Microsoft Defender for Endpoint in Intune

To learn more about setup and onboarding, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure.

Implement automated response capabilities in Defender for Endpoint

Microsoft Defender for Endpoint provides numerous capabilities that can help you secure your endpoint devices. Table 3-19 describes some of these capabilities.

TABLE 3-19 Capabilities of Microsoft Defender for Endpoint

  • Attack surface reduction: Implementing several Windows Defender ATP features helps reduce the attack surface of a computer, its applications, and the data it consumes.
  • Endpoint detection and response: Continuously monitors your organization’s endpoints for possible attacks against devices or networks in your organization and provides the features you can use to mitigate and remediate threats.
  • Automated investigation and remediation: Offers automatic investigation and remediation capabilities that help reduce the volume of alerts and actions an administrator needs to perform to fix breaches.
  • Secure score: Enables you to assess the security posture of your organization and identify devices that might need attention, as well as recommendations for actions to improve your score.
  • Management and APIs: Provides a means for you to interact with the platform by providing APIs.

Need More Review? Overview of Microsoft Defender for Endpoint Capabilities

To learn more about the capabilities of Microsoft Defender for Endpoint, refer to the Microsoft website at https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.

Manage Microsoft 365 Apps by using the Microsoft 365 Apps admin center – Manage applications

Microsoft 365 includes Microsoft 365 Apps. Microsoft 365 Apps includes the following apps: Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, and Word. Microsoft 365 Apps installs as a single package, although you have some control over the details.

Users who have an Office 365 license associated with their accounts can download and install Microsoft 365 Apps, depending on the subscription. To do this, they must sign in to www.office.com using their Microsoft 365 accounts. Then, on the Microsoft 365 homepage, they can select the Install apps link, as shown in Figure 4-6.

FIGURE 4-6 Installing Microsoft 365 Apps manually from the Microsoft 365 portal

Users can select from these two options:

  • Microsoft 365 apps Installs the default apps. The defaults are configurable by the Microsoft 365 administrator.
  • Other install options Enables users to choose additional options, as shown in Figure 4-7.

FIGURE 4-7 Choosing the Office 365 components for installation

Users can choose to install Office in either 32-bit or 64-bit versions. Skype For Business can install the Basic (for Office 365) or 2015 versions. Optionally, users can also install Office on their iOS, Android, or Windows mobile devices and tablets. (As of June 11, 2019, Windows 10 Mobile is no longer supported.) Users can install Office on up to five PCs or Macs, five tablets, and five smartphones.

Administrative control over deployment options

As an administrator, you can control what users can install. Open the Microsoft 365 admin center by navigating to https://admin.microsoft.com and signing in using your Global Administrator account. On the Home page, search for and select Microsoft 365 installation options.

On the Microsoft 365 app installation options blade shown in Figure 4-8, select the update interval for Microsoft 365 app updates. When you have finished configuring the options, select Save.

FIGURE 4-8 Configuring Microsoft 365 App update interval settings

Note After Installing Office

After installation, if users open Control Panel and review the Programs and Features installed on their computer, Office is listed as Microsoft 365 Apps for Enterprise.

How to apply the required security settings to your endpoints – Manage, maintain, and protect devices

During this skill, you’ve learned about the various security features in Windows 11. You’ve also learned how to use either Endpoint security policies or a device configuration profile (using the Endpoint protection template) to enforce the required configurations.

In fact, you can generally use either of these methods. An advantage of using the Endpoint security policies is that you can also implement security baselines to help keep those policies aligned with security improvements. By using Endpoint security policies, you can configure the following:

  • Antivirus Enables you to review Windows 11 unhealthy endpoints and devices with active malware. You also can use this option to create and assign antivirus profiles:
    • Microsoft Defender Antivirus exclusions
    • Microsoft Defender Antivirus
    • Windows Security Experience
  • Disk Encryption Enables you to create and configure BitLocker profiles for Windows 11 devices and macOS encryption settings.
  • Firewall Enables you to create and configure firewall profiles and firewall rules.
  • Endpoint Detection and Response Enables you to create profiles that provide advanced attack detections that are near real-time and actionable.
  • Attack Surface Reduction Enables you to create and configure the following profiles to help reduce the attack surface on your managed devices:
    • App and browser isolation
    • Device control
    • Attack surface reduction rules
    • Exploit protection
    • Web protection (for legacy Edge)
    • Application control
  • Account Protection Enables you to create profiles that help protect user credentials by using Windows Hello for Business and Credential Guard technology.
  • Device Compliance Enables you to create and manage device compliance settings. These include
    • Policies
    • Notifications
    • Retire Noncompliant devices
    • Locations
    • Compliance policy settings
  • Conditional access Enables you to create and configure conditional access policies. These policies enable you to enforce access requirements when specific conditions occur. For example, deny access to cloud apps for non-compliant devices.

In fact, some elements can only be configured in these settings, such as Local user group membership and Local admin password solution (Windows LAPS).

An advantage of using an Endpoint protection configuration profile is combining and configuring all your Microsoft Defender security settings in a single profile. These settings are

  • Microsoft Defender Application Guard
  • Windows Defender Firewall
  • Microsoft Defender SmartScreen
  • Windows Encryption
  • Microsoft Defender Exploit Guard
  • Microsoft Defender Application Control
  • Microsoft Defender Credential Guard
  • Microsoft Defender Security Center
  • Xbox services
  • User Rights

Familiarize yourself with the available options in each of these methods for securing your endpoints.