In this post we will look at moving your Windows servers from ConfigMgr-managed Defender policies to being managed directly by Microsoft Defender for Endpoint (MDE) security settings management.
Overview
Many enterprises have been using Microsoft Configuration Manager (ConfigMgr) to manage Microsoft Defender on Windows Servers, often with a history of managing more or less the same policies back when it was SCEP. Having onboarded the servers to Defender for Endpoint, you now get great visibility in the Microsoft Defender security console, with insights and alerting for servers alongside your workstations.
In the scenario above:
- Workstations currently get their Defender policies from Intune or from the Defender security console itself.
- You’ve already onboarded servers to Defender and, although they are visible in the security console, their Defender policies are still coming from ConfigMgr.
To see this, open a device in the security console: the Managed by field on the device page shows the servers currently managed by ConfigMgr.
Goal
Some Defender settings and features may get phased out of, or never added to, the ConfigMgr console. That, together with having a single place to manage Defender, makes it a good idea to start planning the move.
We will move servers from ConfigMgr management of Defender to MDE management by:
- Setting up the same Defender policies for your servers in the security console that you have in ConfigMgr
- Changing the Enforcement scope settings in the security console so that management comes from MDE rather than ConfigMgr
- Moving servers in a controlled manner at first, until we are happy the policies are not causing issues
- Finally moving all Windows servers across to MDE management
Steps
First, go through your ConfigMgr console and audit your Defender policies for servers. You may have multiple policies for different server types, i.e. SQL Servers, IIS Servers etc. If you do, a decision will need to be made whether you are now going to merge them into one big policy for all servers or keep them divided. The main problem with dividing the policies up in Defender is that there currently aren’t as many options for detecting server types as there are with ConfigMgr collections.
Audit your Current Policies in ConfigMgr
Create a policy for Servers in the Defender Console (from the audit in ConfigMgr you can now set the same settings in Defender).
Security.microsoft.com > Endpoints > Endpoint Security Policies > Create New Policy > Windows 10, 11 and Server > Windows Defender Antivirus. ****No need to assign this policy to a group yet.****
I’d advise you not to put your AV exclusions into this policy; keep them separate in another policy.
From your audit, create an Exclusions policy (or policies). There is an import option if you have a lot of exclusions. This is also a good time to review your exclusions: Defender has improved a lot and many exclusions may no longer be needed. Remember that every exclusion is a location, extension or process Defender will not scan, so each one you carry across is a blind spot an attacker could use to stage tooling; only keep the ones the application vendor still requires.
Again, you may want to create multiple exclusion policies if you are going to divide up your servers, i.e. SQL, IIS etc., by exclusions.
Create an Azure AD (Microsoft Entra ID) group or groups for your servers (you may want multiple groups for server types). Further on I will talk about the more difficult task of dividing servers automatically in Azure.
Add the first servers you want to use to test the move to MDE to this group.
Go back to your Server and Exclusion policies and assign them to the new group you created. ****Again, if you have multiple exclusion policies, you’ll need a group for each one, and you then put the servers for that policy into the matching group, i.e. a SQL Server group etc.****
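The audit above is normally done by reading policies in the ConfigMgr console, but it is worth cross-checking what the servers are actually running, since a server can sit in more than one collection and end up with merged settings. The following PowerShell is an added example and not part of the original post: it pulls each server’s effective Defender settings and exclusions with Get-MpPreference, classifies the server by role from its services (the job ConfigMgr collection queries used to do), and writes a CSV plus a per-role exclusion summary you can use when building the Defender policies and groups. It assumes PowerShell Remoting is enabled on the servers, that you have local admin rights on them, and that $Servers holds your server names (the names shown are constructed samples).

```powershell
# Added example (not from the original post): audit effective Defender settings on
# servers before re-creating the ConfigMgr policies as Defender endpoint security policies.
# Assumptions: PowerShell Remoting enabled, local admin on the targets, $Servers is your list.

$Servers = @('SRV-SQL01', 'SRV-WEB01', 'SRV-APP01')   # constructed sample names

$audit = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ScriptBlock {
    $pref     = Get-MpPreference
    $status   = Get-MpComputerStatus
    $svcNames = (Get-Service).Name

    # Crude role detection from installed services; extend the rules to suit your estate.
    $role = if ($svcNames -contains 'MSSQLSERVER' -or ($svcNames | Where-Object { $_ -like 'MSSQL$*' })) { 'SQL' }
            elseif ($svcNames -contains 'W3SVC') { 'IIS' }
            elseif ($svcNames -contains 'NTDS')  { 'DomainController' }   # cannot move to MDE management
            else { 'Generic' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Role               = $role
        OS                 = (Get-CimInstance Win32_OperatingSystem).Caption
        AMRunningMode      = $status.AMRunningMode
        RealTimeProtection = -not $pref.DisableRealtimeMonitoring
        CloudBlockLevel    = $pref.CloudBlockLevel
        PUAProtection      = $pref.PUAProtection
        ScanScheduleDay    = $pref.ScanScheduleDay
        ScanScheduleTime   = $pref.ScanScheduleTime
        ExclusionPath      = ($pref.ExclusionPath      -join ';')
        ExclusionExtension = ($pref.ExclusionExtension -join ';')
        ExclusionProcess   = ($pref.ExclusionProcess   -join ';')
    }
}

# Servers that did not answer need a manual check before you move them.
$Servers | Where-Object { $_ -notin $audit.PSComputerName } |
    ForEach-Object { Write-Warning "No result from $_ (offline, remoting disabled, or access denied)" }

$audit | Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName |
    Export-Csv -Path .\DefenderAudit.csv -NoTypeInformation

# Union of exclusions per role: the starting list for one exclusion policy per server group.
# Every entry is somewhere Defender will not look, so review each one before re-creating it.
$audit | Group-Object Role | ForEach-Object {
    [pscustomobject]@{
        Role       = $_.Name
        Servers    = $_.Count
        Paths      = (($_.Group.ExclusionPath      -split ';') | Where-Object { $_ } | Sort-Object -Unique) -join ';'
        Extensions = (($_.Group.ExclusionExtension -split ';') | Where-Object { $_ } | Sort-Object -Unique) -join ';'
        Processes  = (($_.Group.ExclusionProcess   -split ';') | Where-Object { $_ } | Sort-Object -Unique) -join ';'
    }
} | Format-Table -AutoSize -Wrap
```

The Role column is also a ready-made basis for the groups described above: the servers classified as SQL go into the SQL group with its exclusion policy, and so on. Any server reporting AMRunningMode of Passive Mode has another AV product registered as primary and is worth investigating before it is moved.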
Gradual Change to MDE Management
As your servers are likely essential to your business operations, you do not want to move them all at once, so move them gradually across to MDE management.
Settings > Configuration Management > Enforcement Scope
Firstly, your console should look something like the above. If it doesn’t, you will need to turn on Use MDE to enforce security configuration settings from Intune. VERY IMPORTANT: IF YOU ARE NOT ALREADY USING INTUNE FOR WORKSTATIONS, MAKE SURE YOU KEEP WINDOWS CLIENT DEVICES ON TAGGED DEVICES ONLY. Otherwise, if you have security policies in Intune that were set up and you wondered why they never applied, they may start applying now.
Also for servers: the few people who are using Firewall or other security policies from ConfigMgr will need to set these up in the Defender security console as well. More often these come from GPO rather than ConfigMgr, and that is unaffected and will continue to apply.
I’d advise setting the above setting to Windows Server on tagged devices rather than All devices, so that we can gradually test out the policies coming from MDE rather than ConfigMgr.
Tag Devices
Now we can Tag Devices to change them to MDE Management
Open the Device Page > Device Tags
Add the Tag MDE-Management
You can also tag groups of devices with asset rules, e.g. anything with a certain OS gets the MDE-Management tag.
After around 30 minutes to 1 hour you should see the device change to MDE Management.
Now is a good time to monitor your MDE-managed servers, making sure you are not seeing bad effects like CPU usage spiking, and confirming functionality with users.
Once you’re happy that you are not seeing ill effects, move more and more of your servers across by tagging them MDE-Management and putting them in the groups you created.
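The Managed by field in the console tells you what the portal thinks; the servers themselves can confirm the switch and whether the new policy is behaving. The following PowerShell is an added example and not part of the original post: it checks each tagged server’s enrollment state, core Defender health and the Defender engine’s CPU load, and warns on anything that should be resolved before the next batch is moved. It assumes PowerShell Remoting and local admin rights, and it reads the SenseCM\EnrollmentStatus registry value (1 = enrolled) that Microsoft’s troubleshooting guidance for security settings management describes; check that value against current documentation for your build before relying on it. The thresholds and server names are constructed samples.

```powershell
# Added example (not from the original post): verify MDE management enrollment and
# Defender health on servers after tagging them MDE-Management.
# Assumptions: PowerShell Remoting, local admin on targets, and that
# HKLM\SOFTWARE\Microsoft\SenseCM\EnrollmentStatus = 1 indicates enrollment.

$Servers       = @('SRV-SQL01', 'SRV-WEB01')   # constructed sample names
$CpuWarnPct    = 25                             # warn if MsMpEng averages more than this per core
$MaxSigAgeDays = 3                              # warn if signatures are older than this

$results = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ScriptBlock {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $cm     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue

    # Sample the Defender engine's CPU for ~30 seconds and normalise by logical core count
    # so the figure means the same on a 4-core and a 32-core server.
    $cores   = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
    $samples = Get-Counter -Counter '\Process(MsMpEng)\% Processor Time' -SampleInterval 3 -MaxSamples 10 -ErrorAction SilentlyContinue
    $cpuPct  = if ($samples) {
        [math]::Round((($samples.CounterSamples.CookedValue | Measure-Object -Average).Average) / $cores, 1)
    } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EnrollmentStatus   = $cm.EnrollmentStatus            # expect 1 once the tag has taken effect
        AMRunningMode      = $status.AMRunningMode           # expect Normal; Passive Mode means another AV is primary
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        SignatureAgeDays   = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
        ExclusionPathCount = @($pref.ExclusionPath).Count     # compare with your ConfigMgr audit
        MsMpEngCpuPct      = $cpuPct
    }
}

$results | Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName | Format-Table -AutoSize

# Flag anything that needs attention before moving the next batch of servers.
foreach ($r in $results) {
    $issues = @()
    if ($r.EnrollmentStatus -ne 1)              { $issues += "not enrolled (EnrollmentStatus=$($r.EnrollmentStatus))" }
    if ($r.AMRunningMode -ne 'Normal')          { $issues += "AMRunningMode=$($r.AMRunningMode)" }
    if (-not $r.RealTimeProtection)             { $issues += 'real-time protection off' }
    if ($r.SignatureAgeDays -gt $MaxSigAgeDays) { $issues += "signatures $($r.SignatureAgeDays) days old" }
    if ($r.MsMpEngCpuPct -gt $CpuWarnPct)       { $issues += "MsMpEng averaging $($r.MsMpEngCpuPct)% CPU per core" }
    if ($r.ExclusionPathCount -eq 0)            { $issues += 'no path exclusions present (check the exclusion policy reached the device if this role expects some)' }

    if ($issues) { Write-Warning "$($r.ComputerName): $($issues -join '; ')" }
    else         { Write-Output  "$($r.ComputerName): OK" }
}
```

Run it once before tagging to get a baseline and again an hour or so after; a server whose exclusion count drops to zero after the move usually means it was put in the wrong group or the exclusion policy was not assigned to that group.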
Move all Windows Servers to MDE Management
Once you are at, say, 80% of your server estate, you can move the switches over to all Windows Servers.
Move Windows Server devices to All devices, and you can now turn off Manage security settings using Configuration Manager.
Review And Conclusion
Ideally, as we move more and more to the cloud, policies should come directly from MDE. There are a few hurdles to overcome, mainly dividing servers up automatically. In ConfigMgr we had nice SQL queries that automatically added servers to collections, so you could deploy AV policies to different collections that populated themselves. This is not so easy in Azure / Defender: there are Dynamic Device Groups, but they have limitations around things like server types or naming conventions, so splitting your server AV policies up may not be straightforward.
Important Notes
- Domain Controllers cannot be moved to MDE management.
- Older unsupported servers cannot be moved: Windows Server 2008 and 2012 (non-R2).