Thought experiment answers – Manage, maintain, and protect devices

This section contains the solution to the thought experiment. Each answer explains why the answer choice is correct.

Scenario 1

  1. Microsoft Intune with Mobile Device Management enabled.
  2. Enable and configure Windows Autoenrollment.
  3. You require an Apple MDM Push Certificate for your organization.

Scenario 2

  1. You can monitor Threat Agent Status to determine the current status of Microsoft Defender on your users’ enrolled Windows devices.
  2. You can use the Microsoft Intune admin center to create an Endpoint Protection Profile that contains the necessary Microsoft Defender Application Guard settings and assign the profile to the appropriate group(s) of devices.
  3. In the Microsoft Intune admin center, create a Device Enrollment Restriction and define a Platform Restriction that prevents the enrollment of Android devices.

Scenario 3

  1. You should configure Delivery Optimization and select that updates are downloaded from Devices on my local network on all devices except one device which needs to receive the updates from the Microsoft update service.
  2. You can implement Delivery Optimization for the head office devices so that updates are received from other devices on the network. You can also configure bandwidth optimization measures that restrict the bandwidth consumed by updates during defined business hours.
  3. You should install Windows 11 Enterprise, version 22H2 (General Availability Channel), and then implement policy using Windows Update to defer Windows Feature Updates for the maximum allowed duration of 365 days.
  4. Enroll into the Windows Insider Program and install Windows 11 preview builds. Test these builds for compatibility issues. This should allow you to be ready to test the next General Availability Channel release and obtain compliance sign-off.
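The answers to questions 1 and 2 rely on Delivery Optimization download mode and bandwidth limits being applied on the client. The following PowerShell script is an added example (not from the book) that reads the policy values Intune or Group Policy write on a Windows 11 device and summarizes how much update content came from peers versus Microsoft. It assumes the DeliveryOptimization module that ships with Windows 10/11 and the documented policy registry path; run it in an elevated session.

```powershell
# Added example (not from the book): report how Delivery Optimization is configured on this
# device and how much update content came from peers versus Microsoft's HTTP endpoints.
# Assumes the DeliveryOptimization PowerShell module that ships with Windows 10/11.

# DODownloadMode values as documented for the DeliveryOptimization policy CSP
$downloadModes = @{
    0   = 'HTTP only (no peering)'
    1   = 'LAN (peers on the local network)'            # the remote-office answer above
    2   = 'Group (peers in the same AD site/domain or group ID)'
    3   = 'Internet (peers on the Internet as well)'
    99  = 'Simple (HTTP only, no Delivery Optimization cloud service)'
    100 = 'Bypass (use BITS instead of Delivery Optimization)'
}

# Intune (via the DeliveryOptimization CSP) and Group Policy both write the effective policy here
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$mode = if ($null -ne $policy.DODownloadMode) { [int]$policy.DODownloadMode } else { $null }

[PSCustomObject]@{
    ConfiguredDownloadMode    = if ($null -ne $mode) { "$mode - $($downloadModes[$mode])" }
                                else { 'Not set by policy (Windows default applies)' }
    MaxBackgroundBandwidthPct = $policy.DOPercentageMaxBackgroundBandwidth   # $null/0 = unlimited
    MaxForegroundBandwidthPct = $policy.DOPercentageMaxForegroundBandwidth
}

# Per-file statistics for content Delivery Optimization has handled on this device
$files = Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue
if ($files) {
    $fromPeers = ($files | Measure-Object -Property BytesFromPeers -Sum).Sum
    $fromHttp  = ($files | Measure-Object -Property BytesFromHttp  -Sum).Sum
    $total     = $fromPeers + $fromHttp
    [PSCustomObject]@{
        Files           = @($files).Count
        MBFromPeers     = [math]::Round($fromPeers / 1MB, 1)
        MBFromMicrosoft = [math]::Round($fromHttp  / 1MB, 1)
        PeerSharePct    = if ($total -gt 0) { [math]::Round(100 * $fromPeers / $total, 1) } else { 0 }
    }
} else {
    'No Delivery Optimization download records found on this device.'
}
```

A remote-office device configured as in answer 1 should report download mode 1 and, once a few updates have been applied, a non-trivial peer share; a head-office device configured as in answer 2 should show the background and foreground percentage caps you set in Intune.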

Scenario 4

  1. You could implement Microsoft Tunnel for Intune. Microsoft Tunnel provides a VPN gateway for Android and iOS devices in your organization for access to on-premises resources.
  2. You must perform the following high-level steps:
    • Create a server configuration in Intune.
    • Create a site in Intune.
    • Install a Microsoft Tunnel Gateway on a Linux server in your on-premises environment (by using an Intune script).
    • Deploy the Microsoft Tunnel client app to your iOS and Android devices.
    • Create and deploy VPN profiles to your iOS and Android devices.

Review and respond to device issues identified in the Microsoft Defender Vulnerability Management dashboard – Manage, maintain, and protect devices

The Microsoft Defender Vulnerability Management Dashboard in Microsoft 365 Defender provides a wide variety of useful information that can help you identify issues and respond to those issues. Figure 3-64 displays a typical dashboard for an enterprise organization.

FIGURE 3-64 Reviewing the Microsoft Defender Vulnerability Management Dashboard

Use the information summary in Table 3-20 to determine how to use the Microsoft Defender Vulnerability Management Dashboard.

TABLE 3-20 The features and elements in the Microsoft Defender Vulnerability Management Dashboard

  • Selected device groups (#/#): Enables you to filter the data you want to review.
  • Organization exposure score: Displays a headline figure that indicates your organization’s device exposure to threats and vulnerabilities. Click Improve score to review insights that can help you improve the score and your security posture.
  • Microsoft Secure Score for Devices: Enables you to review the security relating to your organization’s operating system, applications, network, accounts, and security controls. Again, you can use the Improve score link to review insights and suggestions for improvements in this area.
  • Device exposure distribution: Displays the number of devices that are exposed to threats based on their configuration, presented graphically as a doughnut chart. By selecting sections of the chart, you can review:
    • Device names
    • Exposure level and risk levels
    • Details such as operating system, health state, and tags
  • Expiring certificates: Displays a list of expired certificates or those imminently expiring in the next 30, 60, or 90 days.
  • Top security recommendations: Review top recommendations for improving the security posture of your organization’s devices.
  • Top vulnerable software: Review your software inventory and identify those apps with security vulnerabilities.
  • Top remediation activities: Review the recommended security remediations in one convenient location, which makes it easier to track changes as you make them.
  • Top exposed devices: Review devices that have a high security exposure score, together with their details. From Device details, you can:
    • Manage tags
    • Initiate automated investigations
    • Initiate a live response session
    • Collect an investigation package
    • Run antivirus scan
    • Restrict app execution
    • Isolate devices

Need More Review? Dashboard Insights

To learn more about the dashboard in Microsoft Defender, refer to the Microsoft website at https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/tvm-dashboard-insights.

Chapter summary

  • Intune device configuration policies are used to configure device settings using MDM.
  • Intune can deploy PowerShell scripts to Windows devices using an MDM extension. This allows administrators to deploy Win32 apps if required.
  • Scope tags are used to assign and filter Intune policies to specific Azure AD groups.
  • You can configure custom policies with Intune by configuring an Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy.
  • Microsoft Defender Credential Guard requires a TPM and virtualization features to be enabled in a 64-bit edition of either Windows 11 Enterprise or Windows 11 Education.
  • Microsoft Defender Exploit Guard consists of four components: Exploit Protection, Attack Surface Reduction Rules, Network Protection, and Controlled Folder Access.
  • Microsoft Defender Application Guard has similar requirements to Credential Guard, enabling you to open new browser windows in a virtualized environment.
  • Microsoft Defender Application Control lets you determine which apps are safe to run in your organization.
  • Most of these Windows Defender features are managed through Windows PowerShell, Group Policy, and Microsoft Intune.
  • Automatic enrollment lets you enroll Windows devices when they register with or join Azure AD.
  • Device Enrollment Manager Accounts enable a specified account to enroll up to 1,000 devices.
  • There are a number of ways to enroll Windows devices:
    • Add a Work Or School account
    • Enroll In MDM Only (user-driven)
    • Azure AD Join during OOBE
    • Azure AD Join using Windows Autopilot
    • Enroll In MDM only (using a Device Enrollment Manager)
    • Azure AD Join using bulk enrollment
  • To enroll Android and iOS devices, you can download the Company Portal app from the relevant device store and sign in to the app using an organizational or school account.
  • Log Analytics requires an Azure subscription.
  • Windows Update Delivery Optimization is a method of peer-to-peer sharing of Windows update files.
  • Administrators can use Intune to centrally configure and manage Windows Update behavior and Windows Update Delivery Optimization settings.
  • Scope tags enable you to more specifically target the application of configuration profiles.
  • You can configure Kiosk mode by using the Settings app and by using Intune.
  • The Microsoft Tunnel for Intune enables iOS and Android devices to access your on-premises resources and apps.
  • You can use Endpoint analytics to gain insights into Startup Performance, Proactive remediations, Recommended software, and Application reliability.
  • You configure the application of updates for iOS, macOS, and Windows by using update rings in Intune.
  • You configure the application of updates for Android by using a Device Restrictions configuration profile.
  • Microsoft Defender Exploit Guard provides four functions: Exploit protection, Attack surface reduction rules, Network protection, and Controlled folder access.
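The summary states the Credential Guard prerequisites (TPM, virtualization features, a 64-bit Enterprise or Education edition), lists the four Exploit Guard components, and notes that these features are managed through PowerShell among other tools. The following PowerShell script is an added example (not from the book) that verifies those prerequisites on a device and reports which Exploit Guard components are active. It uses only documented interfaces: the Win32_DeviceGuard WMI class, Get-Tpm, and Get-MpPreference; run it from an elevated session.

```powershell
# Added example (not from the book): check the Credential Guard prerequisites from the chapter
# summary and report the state of Microsoft Defender Exploit Guard components on this device.

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$tpm = Get-Tpm -ErrorAction SilentlyContinue     # TrustedPlatformModule module; $null when no TPM is exposed

# Win32_DeviceGuard reports state as integer codes (documented by Microsoft):
#   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
#   SecurityServicesRunning: 1 = Credential Guard, 2 = memory integrity (HVCI)
$vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
    0 { 'Not enabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
}

[PSCustomObject]@{
    Edition                     = $os.Caption
    Is64Bit                     = $os.OSArchitecture -like '64*'
    EditionSupported            = [bool]($os.Caption -match 'Enterprise|Education')
    TpmPresentAndReady          = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    VirtualizationBasedSecurity = $vbsStatus
    CredentialGuardRunning      = [bool]($dg.SecurityServicesRunning -contains 1)
    MemoryIntegrityRunning      = [bool]($dg.SecurityServicesRunning -contains 2)
}

# Three of the four Exploit Guard components are surfaced by Get-MpPreference.
# Mode codes: 0 = disabled, 1 = enabled/block, 2 = audit, 6 = warn (ASR rules only)
$mp    = Get-MpPreference
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled/Block'; 2 = 'Audit'; 6 = 'Warn' }

# Filter out $null so an unconfigured device yields an empty array rather than one $null entry
$ruleIds     = @($mp.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$ruleActions = @($mp.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })

[PSCustomObject]@{
    ControlledFolderAccess = $modes[[int]$mp.EnableControlledFolderAccess]
    NetworkProtection      = $modes[[int]$mp.EnableNetworkProtection]
    AsrRulesConfigured     = $ruleIds.Count
}

# One row per configured Attack Surface Reduction rule; the GUIDs are Microsoft's rule IDs
for ($i = 0; $i -lt $ruleIds.Count; $i++) {
    $action = if ($i -lt $ruleActions.Count) { $modes[[int]$ruleActions[$i]] } else { 'Unknown' }
    [PSCustomObject]@{ RuleId = $ruleIds[$i]; Action = $action }
}

# The fourth component, Exploit protection, is read with Get-ProcessMitigation -System, which
# returns the system-wide mitigation table rather than a single on/off value.
```

A device that meets the summary's requirements shows Is64Bit, EditionSupported and TpmPresentAndReady as True with VirtualizationBasedSecurity reported as Running; CredentialGuardRunning being False on such a device means the feature is supported but not yet enabled by policy. ASR rules that appear only in Audit mode are being logged, not enforced.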

Update a profile – Manage, maintain, and protect devices

If you create a profile on an earlier baseline and Microsoft releases a newer version of that baseline, you might decide to update the profiles. However, existing profiles do not update automatically.

In fact, profiles using an older version of a baseline become read-only. They can still be used to secure your devices, and you can edit their name, description, and assignments. But you should consider updating them to the new baseline.

If Microsoft releases a baseline update, you can choose to update the baseline version used for a profile. You do this by using the following procedure:

  1. In the Microsoft Intune admin center, navigate to Endpoint security.
  2. Select Security baselines.
  3. Select the appropriate baseline.
  4. Select the check box next to the target profile.
  5. Click Change Version on the toolbar (see Figure 3-63).

FIGURE 3-63 Changing the version for a security profile based on a baseline

  6. If a new baseline is available (none are in the screenshot), then choose either:
    • Accept baseline changes but keep my existing setting customizations
    • Accept baseline changes and discard existing setting customizations
  7. Click Submit.

Need More Review? Use Security Baselines to Configure Windows Devices in Intune

To review further details about managing security baselines, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/protect/security-baselines.

Onboard devices to Defender for Endpoint

Microsoft Defender for Endpoint (formerly Windows Defender Advanced Threat Protection) is a security platform built into Windows 11 and integrated with Microsoft cloud-based security services. Microsoft Defender for Endpoint integrates many of the security features we have already discussed to help you secure your devices.

Requirements

To use Microsoft Defender for Endpoint, you require one of the following Microsoft Volume licensing options:

  • Windows 10/11 Enterprise E5
  • Windows 10/11 Education A5
  • Microsoft 365 E5 (M365 E5), which includes Windows 11 Enterprise E5
  • Microsoft 365 A5 (M365 A5)
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 Security
  • Microsoft Defender for Endpoint

The Portal

You use the Microsoft 365 Defender portal to manage Microsoft Defender for Endpoint settings and to view reports and alerts. You can access the portal at https://securitycenter.windows.com.

Need More Review? Microsoft Defender for Endpoint Portal Overview

To learn how to use the portal, refer to the Microsoft website at https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mde.

Implement and manage security baselines in Microsoft Intune – Manage, maintain, and protect devices

Implementing security and related settings is one of the more important tasks you’ll need to perform. As discussed, Microsoft has begun consolidating the security-related settings into a single Endpoint security node in Intune.

Here, you’ll find options to manage the various security settings we’ve been discussing. But you’ll also find a link to review security baselines.

You can use the security baselines to manage and monitor the security status of enrolled devices within your organization. By default, there are three security baselines, as shown in Figure 3-61:

  • Security Baseline for Windows 10 and later
  • Microsoft Defender for Endpoint Baseline
  • Microsoft Edge Baseline
  • Windows 365 Security Baseline

FIGURE 3-61 Configuring Security Baselines in Intune

The security baselines provide preconfigured groups of settings that enable you to configure security on your devices more easily. When you create and apply a security baseline profile, you create multiple device configuration profiles.

Periodically, Microsoft releases new baselines. When viewing profile details, the baseline used is identified in the Current Baseline column, displayed in Figure 3-62.

FIGURE 3-62 Reviewing versions for a security baseline

Create a profile

To create a profile based on a security baseline, use the following procedure:

  1. In the Microsoft Intune admin center, select Endpoint security in the navigation pane.
  2. Select Security baselines, and then select the appropriate baseline.
  3. Select the Profiles tab, and then select Create profile.
  4. On the Create profile page, on the Basics tab, enter the Name and Description and select Next.
  5. On the Configuration settings tab, configure the appropriate settings. These will vary based on the baseline you select. When you’ve completed the configuration, select Next.
  6. Optionally, use the Scope tags tab to scope the profile, select Next, and then assign the profile in the usual way.
  7. Select Next, and then on the Review + create tab, select Create.

Your profile displays in the list of profiles. Notice that the Current Baseline column indicates the baseline used to create the profile.

Setup and onboarding – Manage, maintain, and protect devices

To onboard your devices, use the following procedure:

  1. In the Microsoft Intune admin center, navigate to Endpoint security.
  2. Select Microsoft Defender for Endpoint.
  3. In the Details pane, click the link for Connect Microsoft Defender for Endpoint to Microsoft Intune in the Microsoft Defender Security Center.
  4. In Microsoft 365 Defender, select Settings > Endpoints > Advanced features.
  5. Turn on the Microsoft Intune connection.
  6. Click Save preferences.

After you’ve enabled the connection, Microsoft 365 Defender sends an onboarding configuration package to Intune. Deploy this package to your Windows devices. Alternatively, you can create and assign an Endpoint detection and response profile from Endpoint security in Intune. Use the following procedure:

  1. In the Microsoft Intune admin center, navigate to Endpoint security.
  2. Select Endpoint detection and response.
  3. In the details pane, click Create Policy.
  4. On the Create a profile page, in Platform, select Windows 10 and later.
  5. In the Profile, select Endpoint detection and response, and then select Create.
  6. On the Basics tab, enter a Name and Description and click Next.
  7. On the Configuration settings page, in the Microsoft Defender for Endpoint client configuration package type list, choose the appropriate file type, and then browse and select the onboarding file. Click Next.
  8. Configure scope tags and assignments, and then Create the profile.
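Once the onboarding package has been deployed, you will want to confirm that each device actually completed onboarding rather than trusting the profile assignment status alone. The following PowerShell script is an added example (not from the book or from Microsoft's onboarding package) written in the style of an Intune detection script: exit code 0 means the device is onboarded and healthy, exit code 1 means it needs attention. The registry value, service names and Get-MpComputerStatus properties it checks are those Microsoft documents for onboarding troubleshooting; everything else is the example's own logic.

```powershell
# Added example (not from the book): detection script reporting whether this Windows device has
# completed Defender for Endpoint onboarding. Exit 0 = onboarded and healthy, exit 1 = attention needed.

$findings = New-Object System.Collections.Generic.List[string]

# 1. The Sense client writes OnboardingState = 1 once onboarding has succeeded
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
if ($state -ne 1) { $findings.Add("OnboardingState is '$state' (expected 1)") }

# 2. Both the sensor service (Sense) and the diagnostic data service (DiagTrack) must be running
foreach ($svcName in 'Sense', 'DiagTrack') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc)                     { $findings.Add("Service $svcName is not installed") }
    elseif ($svc.Status -ne 'Running') { $findings.Add("Service $svcName is $($svc.Status)") }
}

# 3. Defender Antivirus should be active with real-time and tamper protection on; passive mode
#    means another antivirus product is primary and EDR-only protection applies
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add('Get-MpComputerStatus failed; Defender Antivirus may not be installed')
} else {
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender Antivirus is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (-not $mp.IsTamperProtected)         { $findings.Add('Tamper protection is off') }
    if ($mp.AMRunningMode -like '*Passive*') { $findings.Add("Defender is in $($mp.AMRunningMode)") }
}

if ($findings.Count -eq 0) {
    Write-Output 'Onboarded: OnboardingState=1, Sense and DiagTrack running, Defender AV active'
    exit 0
}
Write-Output ('Not onboarded or unhealthy: ' + ($findings -join '; '))
exit 1
```

Deployed as the detection half of an Endpoint analytics proactive remediation, the script's exit code and output line let you report onboarding coverage per device group without opening the Defender portal; the remediation half, if you add one, would re-run the onboarding package rather than attempt repairs of its own.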

Need More Review? Configure Microsoft Defender for Endpoint in Intune

To learn more about setup and onboarding, refer to the Microsoft website at https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure.

Implement automated response capabilities in Defender for Endpoint

Microsoft Defender for Endpoint provides numerous capabilities that can help you secure your endpoint devices. Table 3-19 describes some of these capabilities.

TABLE 3-19 Capabilities of Microsoft Defender for Endpoint

  • Attack surface reduction: Implementing several Windows Defender ATP features helps reduce the attack surface of a computer, its applications, and the data it consumes.
  • Endpoint detection and response: Continuously monitors your organization’s endpoints for possible attacks against devices or networks in your organization and provides the features you can use to mitigate and remediate threats.
  • Automated investigation and remediation: Offers automatic investigation and remediation capabilities that help reduce the volume of alerts and actions an administrator needs to perform to fix breaches.
  • Secure score: Enables you to assess the security posture of your organization and identify devices that might need attention, as well as recommendations for actions to improve your score.
  • Management and APIs: Provides a means for you to interact with the platform by providing APIs.

Need More Review? Overview of Microsoft Defender for Endpoint Capabilities

To learn more about the capabilities of Microsoft Defender for Endpoint, refer to the Microsoft website at https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.

Thought experiment – Manage, maintain, and protect devices

In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers in the section that follows.

Scenario 1

Your organization has 500 employees and has implemented a bring-your-own-device (BYOD) strategy that enables users to use their personal mobile phones and tablets for corporate purposes as long as they comply with company policy regarding security and management features. After consulting an employee survey, you find that the users in your organization have iOS, Android, or Windows 11 devices.

  1. What technology should you use to manage the devices?
  2. You want to simplify enrollment for your Windows device users. What should you do?
  3. To support your iOS devices, what additional step is required to enable MDM?

Scenario 2

As at many large organizations, security is a big concern at Contoso. You decide to implement MDM with Intune to help manage and secure your users’ devices.

  1. What feature of Intune could you use to verify the current status of Microsoft Defender on your users’ Windows 11 devices?
  2. You want to be able to configure Microsoft Defender Application Guard settings for enrolled Windows 11 devices. How can you achieve this in Intune?
  3. You don’t want users with Android devices to be able to enroll them. How could you enforce this restriction?

Scenario 3

Adatum Corporation uses Microsoft 365 and has implemented Windows 11 Enterprise for all devices. You configure Windows Update and deploy update rings using Microsoft Intune.

Answer the following questions for your manager:

  1. Two remote offices are in an area with poor Internet bandwidth, and the IT team is concerned that operational requirements might be difficult to maintain. What measure could you implement for the devices located at the remote locations to reduce bandwidth consumption from Windows updates?
  2. Windows updates received by the head office devices are consuming too much of the available bandwidth. Users are reporting that access to the Internet is slow. What settings can you configure within Microsoft Intune to help relieve congestion at the head office?
  3. Your Compliance Manager has received confirmation that your regulatory body has approved Windows 11 Enterprise, version 22H2 as being compliant. You need to ensure that all devices use only this version of Windows until the Compliance Manager confirms that a new version is compliant. How will you proceed?
  4. You need to work with the Compliance Manager to ensure that future versions of Windows 11 Enterprise obtain regulatory compliance before the deployed version of Windows 11 becomes unsupported. What will you do to ensure that you can proactively evaluate the compatibility of new versions of Windows 11?

Scenario 4

Your users use both Android and iOS devices. Lately, it’s been necessary for these users to access a database application that runs on an on-premises server. Intune manages your users’ devices.

Answer the following questions:

  1. How could you facilitate access for your users?
  2. What high-level steps are necessary to facilitate your solution?

Deploy and update apps for all supported device platforms – Manage applications

Within an organization, you can use on-premises tools, such as Microsoft Endpoint Configuration Manager (CM) and the Microsoft Deployment Toolkit (MDT), to manage Windows desktop images. Using these tools, you can integrate your organization’s applications into standard desktop builds and deploy and manage additional applications and updates.

You might consider using Microsoft Intune to deploy and manage apps for devices that are not part of your on-premises Active Directory Domain Services (AD DS) environment, or that are cloud-managed. For devices enrolled in Intune, you can deploy apps to Windows, iOS, Android, and macOS. The Microsoft Store for Business provides another method for distributing apps to your organization’s users.

Windows Configuration Designer, part of the Windows Assessment and Deployment Toolkit (Windows ADK) mentioned in chapter 1, enables you to create provisioning packages for your Windows devices. You can use these packages to add, remove, and configure applications on your users’ Windows devices.

This skill covers how to:

Deploy apps by using Intune

Using Intune, you can deploy and maintain apps from the cloud onto your users’ devices. A copy of the software can be made available across multiple devices such as their iPhone, Windows laptop, or tablet. You deploy, configure, and manage apps in Intune using the Apps node in the Microsoft Intune admin center, displayed in Figure 4-1.

FIGURE 4-1 Managing apps in Microsoft Intune

From the Apps node, the following options are available:

  • All apps: Use this node to add, configure, and assign apps to your enrolled devices, irrespective of operating system (platform).
  • Monitor: Select this node to review:
    • App licenses: Enables you to identify volume-purchased apps from the app stores.
    • Discovered apps: Displays information about apps assigned by Intune or installed on devices.
    • App installation status: Reports on the status of assigned apps.
    • App protection status: Displays information about app protection policy status.
  • Windows, iOS/iPadOS, macOS, and Android: Under By Platform, select one of the listed operating systems to review and manage apps for a specific operating system.
  • App protection policies: Use this node to configure policies that help to protect against data leakage from deployed apps. You can create policies for iOS/iPadOS, Android, and Windows.
  • App configuration policies: You can create app configuration policies to configure apps on both iOS and Android devices, enabling you to customize the targeted app. You can create a policy that targets either the platform or a specific app.
  • iOS app provisioning profiles: When you deploy apps to iOS devices by using Intune, you must use an enterprise signing certificate. This certificate helps ensure the integrity of apps you deploy and typically has a lifetime of three years. However, the provisioning profile used to deploy the app lasts for a year. You can only assign and use a new app provisioning profile while the certificate is still valid.
  • S Mode supplemental policies: Windows S Mode helps protect Windows computers by limiting configured devices to only installing and running apps distributed from the Microsoft Store. By using these policies, you can authorize additional apps so that S Mode–protected devices can run those additional apps. You must sign these policies using the Device Guard Signing Portal.
  • Policies for Office apps: Create policies that enable you to manage Office app features and capabilities on mobile devices. There are currently more than 2,000 settings that you can assign.
  • Policy sets: Using Policy sets enables you to group application management, device management, and device enrollment policies into a single grouping for assignment to specified groups of users or devices. This can help streamline the application process.
  • App selective wipe: Enables you to create a wipe request that will remove company app data from a selected user and device.
  • App categories: Enables you to define app category names to help your users locate suitable apps.
  • E-books: Enables you to access your organization’s e-books and related settings.
  • Filters: Enables you to filter apps by platform and other criteria to assign a policy based on rules you create.

Add a Microsoft Store app – Manage applications

To add a Microsoft Store app, use the following procedure:

  1. Open the Microsoft Intune admin center and select Apps in the navigation pane.
  2. Select All apps, and then select Add.
  3. On the Select add type blade displayed in Figure 4-2, in the App Type list, under the Store app heading, select Microsoft Store app (new) and click Select.
  4. On the Add App blade, select Search the Microsoft Store app (new).

  5. On the Search the Microsoft Store app (new) blade, search for an app and then choose Select, as displayed in Figure 4-3.

FIGURE 4-3 Adding a Microsoft Store app

To obtain the URL, visit the Appstore using a web browser, locate the app you want, and then copy the URL for the app’s page.

  6. Select Next, and on the Assignments tab, select the appropriate groups for assignment, or select Add all users, as displayed in Figure 4-4. Then select Next.

FIGURE 4-4 Assigning a Microsoft Store app

  7. On the Review + create tab, select Create.

After you create the app, you can use the Device install status and User install status options in the Monitor section to monitor the installation of the selected app.

Note Installing iOS and Android Store Apps

Installing store apps for iOS and Android is fairly similar to this process.

Note ARM64 Apps

Microsoft Store apps do not support any app with an ARM64 installer.

Configure Microsoft 365 Apps deployment by using the Microsoft Office Deployment Tool or Office Customization Tool (OCT)

You can configure Microsoft 365 Apps by using specialist tools that allow you to customize and configure the Office installation for your company’s needs. Two tools are available:

  • Office Deployment Tool (ODT)
  • Office Customization Tool

Using the Microsoft Office Deployment Tool

The ODT is a command-line utility that can deploy Microsoft 365 Apps to client devices. The ODT provides granular control over how Office is installed. For example, you can configure the following:

  • Which products are installed
  • Language options
  • Office updates
  • Whether the install experience is displayed to users

Note ODT Download

You can download the ODT at www.microsoft.com/download/details.aspx?id=49117.

The installer file will create the setup.exe and the following sample configuration files:

  • configuration-Office365-x64.xml
  • configuration-Office365-x86.xml
  • configuration-Office2019Enterprise.xml
  • configuration-Office2021Enterprise.xml

The configuration-Office365-x64.xml sample configuration file is an XML document that you edit to specify these options before running setup.exe against it.
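The four options listed above (products, languages, updates, and whether the install UI is shown) map directly onto elements of the ODT configuration XML. The following PowerShell function is an added example (not from the book, and not a reproduction of the configuration-Office365-x64.xml that ships with the ODT) that generates such a file from a few parameters and shows the setup.exe commands that consume it. The element and attribute names are the ODT's documented ones; the product ID, channel, language and excluded-app values are sample choices you would change for your own deployment.

```powershell
# Added example (not from the book): build an Office Deployment Tool configuration file from
# parameters. Element/attribute names follow the ODT documentation; the defaults are sample values.

function New-OdtConfiguration {
    param(
        [ValidateSet('32', '64')] [string] $Edition = '64',
        [ValidateSet('Current', 'MonthlyEnterprise', 'SemiAnnual')] [string] $Channel = 'MonthlyEnterprise',
        [string]   $ProductId   = 'O365ProPlusRetail',   # Microsoft 365 Apps for enterprise
        [string[]] $Languages   = @('en-us'),
        [string[]] $ExcludeApps = @(),                   # e.g. 'Publisher', 'Groove', 'Lync'
        [string]   $SourcePath,                          # share holding pre-downloaded files; omit to install from the CDN
        [bool]     $Silent      = $true                  # Display Level="None" hides the install UI from users
    )

    $xml    = [System.Xml.XmlDocument]::new()
    $config = $xml.AppendChild($xml.CreateElement('Configuration'))

    # <Add> selects edition, update channel and (optionally) a local source
    $add = $config.AppendChild($xml.CreateElement('Add'))
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Channel', $Channel)
    if ($SourcePath) { $add.SetAttribute('SourcePath', $SourcePath) }

    # <Product> with one <Language> per language and one <ExcludeApp> per app to leave out
    $product = $add.AppendChild($xml.CreateElement('Product'))
    $product.SetAttribute('ID', $ProductId)
    foreach ($lang in $Languages)  { $product.AppendChild($xml.CreateElement('Language')).SetAttribute('ID', $lang) }
    foreach ($app  in $ExcludeApps) { $product.AppendChild($xml.CreateElement('ExcludeApp')).SetAttribute('ID', $app) }

    # Keep Office updated on the chosen channel, and remove older MSI-based Office first
    $config.AppendChild($xml.CreateElement('Updates')).SetAttribute('Enabled', 'TRUE')
    $config.AppendChild($xml.CreateElement('RemoveMSI')) | Out-Null

    # Install experience shown to the user, and EULA acceptance for unattended installs
    $display = $config.AppendChild($xml.CreateElement('Display'))
    $display.SetAttribute('Level', $(if ($Silent) { 'None' } else { 'Full' }))
    $display.SetAttribute('AcceptEULA', 'TRUE')

    $logging = $config.AppendChild($xml.CreateElement('Logging'))
    $logging.SetAttribute('Level', 'Standard')
    $logging.SetAttribute('Path', '%temp%')

    return $xml
}

# Usage: write the file next to setup.exe, then stage the source files and/or install.
$root       = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$configPath = Join-Path $root 'configuration-custom.xml'
$config     = New-OdtConfiguration -Channel 'MonthlyEnterprise' -Languages 'en-us', 'de-de' -ExcludeApps 'Publisher', 'Groove'
$config.Save($configPath)
Get-Content $configPath

# & (Join-Path $root 'setup.exe') /download  $configPath   # stage files for a SourcePath-based deployment
# & (Join-Path $root 'setup.exe') /configure $configPath   # install on the client
```

The Office Customization Tool produces the same XML format through a web form, so a file generated this way can be opened there for review, and the reverse also holds. Keeping the configuration under source control alongside the script makes it clear which channel, languages and excluded apps each build of your standard desktop received.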

Manage Microsoft 365 Apps by using the Microsoft 365 Apps admin center – Manage applications

Microsoft 365 includes Microsoft 365 Apps. Microsoft 365 Apps includes the following apps: Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, and Word. Microsoft 365 Apps installs as a single package, although you have some control over the details.

Users who have an Office 365 license associated with their accounts can download and install Microsoft 365 Apps, depending on the subscription. To do this, they must sign in to www.office.com using their Microsoft 365 accounts. Then, on the Microsoft 365 homepage, they can select the Install apps link, as shown in Figure 4-6.

FIGURE 4-6 Installing Microsoft 365 Apps manually from the Microsoft 365 portal

Users can select from these two options:

  • Microsoft 365 apps: Installs the default apps. The defaults are configurable by the Microsoft 365 administrator.
  • Other install options: Enables users to choose additional options, as shown in Figure 4-7.

FIGURE 4-7 Choosing the Office 365 components for installation

Users can choose to install Office in either 32-bit or 64-bit versions. Skype for Business can install the Basic (for Office 365) or 2015 versions. Optionally, users can also install Office on their iOS, Android, or Windows mobile devices and tablets. (As of June 11, 2019, Windows 10 Mobile is no longer supported.) Users can install Office on up to five PCs or Macs, five tablets, and five smartphones.

Administrative control over deployment options

As an administrator, you can control what users can install. Open the Microsoft 365 admin center by navigating to https://admin.microsoft.com and signing in using your Global Administrator account. On the Home page, search for and select Microsoft 365 installation options.

On the Microsoft 365 app installation options blade shown in Figure 4-8, select the update interval for Microsoft 365 app updates. When you have finished configuring the options, select Save.

FIGURE 4-8 Configuring Microsoft 365 App update interval settings

Note After Installing Office

After installation, if users open Control Panel and review the Programs and Features installed on their computer, Office is listed as Microsoft 365 Apps for Enterprise.

How to apply the required security settings to your endpoints – Manage, maintain, and protect devices

During this skill, you’ve learned about the various security features in Windows 11. You’ve also learned how to use either Endpoint security policies or a device configuration profile (using the Endpoint protection template) to enforce the required configurations.

In fact, you can generally use either of these methods. An advantage of using the Endpoint security policies is that you can also implement security baselines to help keep those policies aligned with security improvements. By using Endpoint security policies, you can configure the following:

  • Antivirus: Enables you to review Windows 11 unhealthy endpoints and devices with active malware. You can also use this option to create and assign antivirus profiles:
    • Microsoft Defender Antivirus exclusions
    • Microsoft Defender Antivirus
    • Windows Security Experience
  • Disk Encryption: Enables you to create and configure BitLocker profiles for Windows 11 devices and macOS encryption settings.
  • Firewall: Enables you to create and configure firewall profiles and firewall rules.
  • Endpoint Detection and Response: Enables you to create profiles that provide advanced attack detections that are near real-time and actionable.
  • Attack Surface Reduction: Enables you to create and configure the following profiles to help reduce the attack surface on your managed devices:
    • App and browser isolation
    • Device control
    • Attack surface reduction rules
    • Exploit protection
    • Web protection (for legacy Edge)
    • Application control
  • Account Protection: Enables you to create profiles that help protect user credentials by using Windows Hello for Business and Credential Guard technology.
  • Device Compliance: Enables you to create and manage device compliance settings. These include:
    • Policies
    • Notifications
    • Retire Noncompliant devices
    • Locations
    • Compliance policy settings
  • Conditional access: Enables you to create and configure conditional access policies. These policies enable you to enforce access requirements when specific conditions occur; for example, deny access to cloud apps for non-compliant devices.

In fact, some settings, such as Local user group membership and Local admin password solution (Windows LAPS), can be configured only through Endpoint security policies.

An advantage of using an Endpoint protection configuration profile is that you can combine and configure all your Microsoft Defender security settings in a single profile. These settings are:

  • Microsoft Defender Application Guard
  • Windows Defender Firewall
  • Microsoft Defender SmartScreen
  • Windows Encryption
  • Microsoft Defender Exploit Guard
  • Microsoft Defender Application Control
  • Microsoft Defender Credential Guard
  • Microsoft Defender Security Center
  • Xbox services
  • User Rights

Familiarize yourself with the available options in each of these methods for securing your endpoints.