Sample resources for Intune, Defender for Endpoint, and more.
Set the variables file:

```sh
cp config/local.auto.tfvars .auto.tfvars
```
Set the required variables:

```hcl
subscription_id       = ""
entraid_tenant_domain = ""
allowed_public_ips    = [""]
```
Tip: Check for the latest Windows images available.
Create the resources:

```sh
terraform init
terraform apply -auto-approve
```
Important: You must manually assign an Intune license to all users.
The users described in this section will be created.

A user named IntuneAdmin@example.com will be created to manage Intune. The following roles will be assigned:

- Intune Administrator
- Security Administrator
This will allow access to the following applications:
A user named EndpointUser@example.com will be created to operate the endpoint.
Depending on the architecture, the device enrollment can take one of these forms:

- Connect MDE with Intune (Microsoft Intune Plan). Note: an add-on or equivalent license needs to be purchased for this integration.
- Microsoft Defender Antivirus works together with Microsoft Defender for Endpoint.
- Intune EDR policy (onboard).
This video shows how to configure Device Guard with Microsoft Intune.

Note: Device Guard prevents malicious code, such as malware or ransomware, from running by ensuring that only allowed, known-good code can run (Windows Enterprise client only).
Among other available services is controlled folder access.
Guests may be allowed as administrators through the unlicensed admins option.
Device-only licenses are also available for devices that are not associated with a user.
A license is also required. EDR enables Azure Advanced Threat Protection.

Make sure the MDM user scope also allows enrollment (Mobility (MDM and WIP) > Microsoft Intune).

Note: This helpful video shows how to enable Defender for Endpoint.
For Local Administrator Password Solution (LAPS), make sure you've enabled it in the device settings blade:
In Intune, create an account protection policy:
- Select Endpoint security > Account protection > Create policy
- Select Windows 10 and Windows LAPS
- Create the policy for all devices
If MDE is enabled, it can take a while after joining Intune until everything is synced.
Access will be granted after the compliance check:
Microsoft has provided instructions on how to manage configuration as code for Intune.
This section shows web protection.
An example with Microsoft Edge:
Select the appropriate configuration for the profile:
To test SmartScreen, use a sample URL, such as this demo malware page.
Security can be further enhanced with Alerts, and monitoring can use Reports.
With MDE, it is also possible to turn on web content filtering:
Protection includes: adult content, high bandwidth, legal liability, leisure, and uncategorized.
A policy can be created using a blade in the same view above, like this:
Credential Guard, VBS, UEFI, memory integrity, etc.
When using a virtual machine as opposed to the real device, follow this procedure to enable Entra ID authentication.
Note: The required RBAC roles are already added by the Terraform configuration.

Example using the Azure CLI command:

```sh
az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group rg-endpoint --vm-name vm-win11
```
Important: Before signing in to the VM, do the first login with the user account and register MFA.

Download the RDP file and log in.
Create the encryption policy and assign to the groups.
Control the conditional access depending on your use case.
Make sure the device is a member of the Entra ID assigned group.
Create the antivirus policies:

- Antivirus updates (security intelligence, engine updates, and platform updates) are delivered and applied.
- Updates to the antivirus behavior (real-time protection, scanning options, tamper protection, and remediation actions).
Add a new policy:

- Device > Configuration Profiles > Settings catalog
- Add Settings > Device Lock > Max Inactivity Time Device Lock
- Toggle "Device Password Enabled" to Enabled
- Set the time to the desired value (in minutes)
Tip: You can choose to make it available as a featured app in the Company Portal, and choose whether it is required or available.

Check the troubleshooting articles in case of issues. For example, these URLs help with installation issues:

- https://aka.ms/IntuneAppDeployment
- https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-management/apps-appear-unavailable
- In the Apps blade, create a new policy.
- Select a source, such as Microsoft Store.
- Select an app, such as DBeaver.

- In the Apps blade, create a new policy.
- Select a source, such as Microsoft Store.
- In the assignment, select to uninstall an app.
To check the AutoPlay configuration:

- Open gpedit.msc
- Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies

The configuration should be Not Configured.
To create the policy in Intune, follow this reference to set up device restrictions:

- Create a profile, settings option
- Search for AutoPlay
- Select all options (10 in total)

Test by inserting a USB drive with an autorun.inf file. Ensure no automatic execution occurs.
Create a compliance policy and assign to the required devices.
https://learn.microsoft.com/en-us/mem/intune/apps/app-management
https://github.com/microsoft/Intune-PowerShell-SDK
To find updated Windows Server images:

```sh
az vm image list-skus -l eastus2 -p MicrosoftWindowsServer -f WindowsServer --query [].name
```

To find updated Windows 11 images:

```sh
az vm image list-skus -l eastus2 -p MicrosoftWindowsDesktop -f Windows-11 --query [].name
```

Suffix details:

| Code | Description |
|---|---|
| avd | Azure Virtual Desktop |
| ent | Enterprise |
| entn | Enterprise (without media player) |
| pro | Professional |
| pro-zh-cn | Simplified Chinese |
| pron | Professional (without media player) |
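The two `az vm image list-skus` queries above return bare SKU names, and the suffix table is what tells you which of them is an Enterprise image (the edition the Device Guard note earlier on this page requires). The helper below is an added example, not part of the sample repository: it decodes the suffix of a Windows 11 SKU using the table above and picks the newest release for a given edition. The SKU list embedded in it is a constructed sample in the `win11-<release>-<suffix>` form; pipe the real `az ... --query [].name -o tsv` output into `latest_sku` to work with a live list.

```shell
#!/bin/sh
# Added helper for choosing a Windows 11 image SKU from `az vm image list-skus`
# output (example code, not the sample repository's own). SAMPLE_SKUS is a
# constructed stand-in for the live list the az query prints.

SAMPLE_SKUS='win11-21h2-ent
win11-22h2-ent
win11-22h2-entn
win11-22h2-pro
win11-23h2-avd
win11-23h2-ent
win11-23h2-entn
win11-23h2-pro
win11-23h2-pro-zh-cn
win11-23h2-pron'

# Map an edition suffix to its description from the table above.
# Returns 1 for a suffix the table does not list.
describe_suffix() {
  case "$1" in
    avd)       echo "Azure Virtual Desktop" ;;
    ent)       echo "Enterprise" ;;
    entn)      echo "Enterprise (without media player)" ;;
    pro)       echo "Professional" ;;
    pro-zh-cn) echo "Simplified Chinese" ;;
    pron)      echo "Professional (without media player)" ;;
    *)         echo "unknown suffix: $1" >&2; return 1 ;;
  esac
}

# Strip the win11-<release>- prefix (release tokens look like 23h2) and
# print the edition suffix, e.g. win11-23h2-pro-zh-cn -> pro-zh-cn.
sku_suffix() {
  echo "$1" | sed 's/^win11-[0-9][0-9]h[0-9]-//'
}

# Read SKU names on stdin and print the newest one whose suffix matches $1
# exactly (so "pro" does not match "pron" or "pro-zh-cn"). Release tokens
# are yyHn, so a plain lexical sort orders them chronologically.
# Returns 1 when no SKU has that suffix.
latest_sku() {
  result=$(grep "^win11-[0-9][0-9]h[0-9]-$1\$" | sort | tail -n 1)
  [ -n "$result" ] || return 1
  echo "$result"
}

# Same lookup run over the constructed sample list.
latest_sample_sku() {
  printf '%s\n' "$SAMPLE_SKUS" | latest_sku "$1"
}

# Demo: newest Enterprise SKU in the sample, with its decoded edition.
sku=$(latest_sample_sku ent) && echo "$sku -> $(describe_suffix "$(sku_suffix "$sku")")"
```

Against the live list, `az vm image list-skus -l eastus2 -p MicrosoftWindowsDesktop -f Windows-11 --query [].name -o tsv | latest_sku ent` prints the newest Enterprise SKU in that region; the exact-suffix match in `latest_sku` is what keeps an `entn` or `pro-zh-cn` image from being picked by mistake when you asked for plain `ent` or `pro`.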