Sample resources for Intune, Defender for Endpoint, and more.
Set the variables file:
```shell
cp config/template.tfvars .auto.tfvars
```
Check for the latest Windows images available.
Create the resources:
```shell
terraform init
terraform apply -auto-approve
```
A user `IntuneAdmin@yourdomain` will be created with the following permissions:
- Intune Administrator
- Security Administrator
This will allow access to the following applications:
An appropriate license needs to be assigned to the user in order to activate Intune.
Connect MDE with Intune. (Microsoft Intune Plan)
💡 An addon or equivalent license needs to be purchased for this integration.
Microsoft Defender Antivirus works together with Microsoft Defender for Endpoint.
Intune EDR policy (onboard)
This video shows how to configure Device Guard with Microsoft Intune.
💡 Device Guard prevents malicious code such as malware or ransomware from running by ensuring that only allowed, known-good code can run. (Only Windows Enterprise client)
Among other available services is controlled folder access.
A license is also required. EDR enables Azure Advanced Threat Protection.
Make sure to also allow the MDM user scope to enroll (Mobility (MDM and WIP) > Microsoft Intune).
💡 This helpful video shows how to enable Defender for Endpoint.
For Local Administrator Password Solution (LAPS), make sure you've enabled it in the device settings blade:
In Intune, create an account protection policy:
- Select Endpoint security > Account protection > Create policy
- Select Windows 10 and Windows LAPS
- Create the policy for all devices
If MDE is enabled, it can take a while after joining Intune until everything is synced.
Access will be granted after the compliance check:
This section shows web protection.
An example with Microsoft Edge:
Select the appropriate configuration for the profile:
To test SmartScreen, use a sample URL, such as this demo malware page.
Security can be further enhanced with Alerts, and activity can be monitored through Reports.
With MDE, it is also possible to turn on web content filtering:
Protection includes: adult content, high bandwidth, legal liability, leisure, and uncategorized.
A policy can be created using a blade in the same view above, like this:
Credential Guard, VBS, UEFI, memory integrity, etc.
To find updated Windows 11 images:
```shell
az vm image list-skus -l eastus2 -f Windows-11 -p MicrosoftWindowsDesktop --query [].name
```
The SKU name suffixes are:
Suffix | Edition |
---|---|
avd | Azure Virtual Desktop |
ent | Enterprise |
entn | Enterprise (not with media player) |
pro | Professional |
pro-zh-cn | Simplified Chinese |
pron | Professional (not with media player) |
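As an added example (not part of this sample's Terraform code), the following shell helper filters the JSON array printed by the `az vm image list-skus` command above down to the newest SKU of one edition, so the image can be pinned in the tfvars file instead of guessed. The embedded SKU list is constructed to mimic that output, and the `latest_sku` function name and `KNOWN_SUFFIXES` list are the example's own; it defaults to the Enterprise edition because the Device Guard note above only applies to Windows Enterprise clients.

```shell
#!/bin/sh
# Added example, not part of the sample repository: select the newest Windows 11
# image SKU for one edition suffix from the output of the az command above.
# SAMPLE_SKUS is constructed to mimic the JSON array printed by:
#   az vm image list-skus -l eastus2 -f Windows-11 -p MicrosoftWindowsDesktop --query [].name
SAMPLE_SKUS='[
  "win11-21h2-avd",
  "win11-21h2-ent",
  "win11-22h2-pro",
  "win11-22h2-ent",
  "win11-23h2-entn",
  "win11-23h2-ent",
  "win11-23h2-pro-zh-cn"
]'

# Edition suffixes from the table above. Anything else is rejected so that a
# typo cannot silently pin a different edition than the one intended.
KNOWN_SUFFIXES="avd ent entn pro pro-zh-cn pron"

# latest_sku SUFFIX [JSON]: print the newest SKU whose name ends in "-SUFFIX".
# Release tags (21h2, 22h2, 23h2, ...) sort correctly as plain strings, and the
# anchored regex keeps "ent" from matching "entn" or "pro" from "pro-zh-cn".
latest_sku() {
  suffix="$1"
  json="${2:-$SAMPLE_SKUS}"
  case " $KNOWN_SUFFIXES " in
    *" $suffix "*) ;;
    *) echo "unknown edition suffix: $suffix" >&2; return 1 ;;
  esac
  # Strip the JSON brackets, quotes, commas and indentation, leaving one SKU per line.
  match=$(printf '%s\n' "$json" \
    | sed -e 's/[][",]//g' -e 's/^ *//' \
    | grep -E "^win11-[0-9]+h[0-9]-${suffix}\$" \
    | sort \
    | tail -n 1)
  [ -n "$match" ] || { echo "no $suffix SKU found in list" >&2; return 1; }
  printf '%s\n' "$match"
}

# Default to Enterprise, the edition the Device Guard note above requires.
latest_sku "${1:-ent}"
```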