
epomatti/azure-endpoint-security


Azure Endpoint Security

Sample resources for Intune, Defender for Endpoint, and more.

Set the variables file:

cp config/template.tfvars .auto.tfvars

Check for the latest Windows images available.

Create the resources:

terraform init
terraform apply -auto-approve

A user IntuneAdmin@yourdomain will be created with the following permissions:

  • Intune Administrator
  • Security Administrator

This will allow access to the following applications:

An appropriate license needs to be assigned to the user in order to activate Intune.

Defender for Endpoint

Connect MDE with Intune. (Microsoft Intune Plan)

💡 An addon or equivalent license needs to be purchased for this integration.

Microsoft Defender Antivirus works together with Microsoft Defender for Endpoint.

Intune EDR policy (onboard)

This video shows how to configure Device Guard with Microsoft Intune.

💡 Device Guard prevents malicious code such as malware or ransomware from running by ensuring that only allowed, known-good code can run. (Windows Enterprise client only.)

Among other available services is controlled folder access.

Company Portal

A license is also required. EDR enables Azure Advanced Threat Protection.

Make sure to also allow the MDM user scope to enroll (Mobility (MDM and WIP) > Microsoft Intune).

💡 This helpful video shows how to enable Defender for Endpoint.

LAPS

For Local Administrator Password Solution (LAPS), make sure you've enabled it in the device settings blade:

In Intune, create an account protection policy:

  1. Select Endpoint security > Account protection > Create policy
  2. Select Windows 10 and Windows LAPS
  3. Create the policy for all devices

Intune

If MDE is enabled, it can take a while after joining Intune until everything is synced.

Access will be granted after the compliance check:

Web protection

This section shows web protection.

Attack Surface Reduction - Web protection

An example with Microsoft Edge:

Select the appropriate configuration for the profile:

To test SmartScreen, use a sample URL, such as this demo malware page.

Security can be further enhanced with Alerts, and monitoring can use Reports.

Defender - Web content filtering

With MDE, it is also possible to turn on web content filtering:

Protection includes: adult content, high bandwidth, legal liability, leisure, and uncategorized.

A policy can be created using a blade in the same view above, like this:

Device Guard

Credential Guard, VBS, UEFI, memory integrity, etc.

Windows 11 images

To find updated Windows 11 images:

az vm image list-skus -l eastus2 -f Windows-11 -p MicrosoftWindowsDesktop --query [].name

The SKU name suffixes are:

| Suffix | Edition |
|---|---|
| avd | Azure Virtual Desktop |
| ent | Enterprise |
| entn | Enterprise (without media player) |
| pro | Professional |
| pro-zh-cn | Professional (Simplified Chinese) |
| pron | Professional (without media player) |
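The `az vm image list-skus` command above returns every Windows 11 SKU in the region, old releases included. The shell snippet below is an added example (it is not part of this repository) that picks the newest SKU for a given edition suffix so the image reference in the tfvars file can be kept on the current release. It assumes SKU names follow the `win11-<release>-<suffix>` pattern implied by the suffix table; the `SAMPLE_SKUS` list is constructed for offline use, not captured from Azure, and the `sku_edition`, `latest_sku` and `SAMPLE_SKUS` names are the example's own.

```shell
#!/bin/sh
# Added example: pick the newest Windows 11 SKU for an edition suffix from the
# output of `az vm image list-skus`. Not part of the repository.

# Constructed sample of SKU names (not real Azure output); one per line,
# the same shape as `az ... --query '[].name' -o tsv` prints.
SAMPLE_SKUS='win11-21h2-avd
win11-21h2-ent
win11-22h2-ent
win11-22h2-entn
win11-22h2-pro
win11-23h2-ent
win11-23h2-pro
win11-23h2-pron
win11-24h2-pro'

# sku_edition SUFFIX: map a suffix to the edition name from the README table.
# Returns 1 for a suffix the table does not list.
sku_edition() {
  case "$1" in
    avd)       echo "Azure Virtual Desktop" ;;
    ent)       echo "Enterprise" ;;
    entn)      echo "Enterprise (without media player)" ;;
    pro)       echo "Professional" ;;
    pro-zh-cn) echo "Professional (Simplified Chinese)" ;;
    pron)      echo "Professional (without media player)" ;;
    *)         echo "unknown suffix: $1"; return 1 ;;
  esac
}

# latest_sku SUFFIX [SKU-LIST]: newest SKU whose suffix matches exactly.
# The regex is anchored so that "ent" does not also match "entn".
# Release tags such as 22h2 < 23h2 < 24h2 sort correctly as plain strings
# (two-digit year, one-digit half), so a lexicographic sort is sufficient.
# Prints nothing when no SKU matches.
latest_sku() {
  suffix="$1"
  list="${2:-$SAMPLE_SKUS}"
  printf '%s\n' "$list" \
    | grep -E "^win11-[0-9]{2}h[0-9]-${suffix}\$" \
    | sort \
    | tail -n 1
}

# Live usage against Azure (requires `az login`); the list comes from the
# same command the README shows, with the query quoted so the shell does
# not glob "[]":
#   latest_sku ent "$(az vm image list-skus -l eastus2 -f Windows-11 \
#       -p MicrosoftWindowsDesktop --query '[].name' -o tsv)"
```

With the sample list, `latest_sku ent` prints `win11-23h2-ent` and `latest_sku pro` prints `win11-24h2-pro`; when the edition has no SKU in the list the function prints nothing, so a calling script should treat empty output as "no image found" rather than feeding it into `terraform apply`.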