From 133569c9fbafe1c3e1dbc78855048c0cb1465b79 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Wed, 25 Sep 2024 10:14:45 -0700 Subject: [PATCH 01/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 5bfeba1cbb4..fabd117a6ee 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 09/24/2024 +ms.date: 09/25/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -131,9 +131,7 @@ Security settings management doesn't work on and isn't supported with the follow - Domain Controllers - 32-bit versions of Windows -> [!IMPORTANT] -> -> In some cases, Domain Controllers that run a down level server operating system (2012 R2 or 2016) can unintentionally be managed by Microsoft Defender for Endpoint. In order to ensure that this doesn't happen in your environment, we recommend making sure your domain controllers are neither tagged "MDE-Management" or managed by MDE. + ### Licensing and subscriptions From 0f65eb7d1bce50c5265d7090182751b6e8ae8e67 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Wed, 25 Sep 2024 10:15:34 -0700 Subject: [PATCH 02/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index fabd117a6ee..8956e496cb0 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md 
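Review bot: Deleting the `> [!IMPORTANT]` block about down-level (2012 R2 / 2016) domain controllers being managed unintentionally removes the only guidance on that failure mode without any replacement in this commit; the replacement caution only arrives in PATCH 03, so either squash the two or keep the warning here until the new section lands. The hunk also swaps the three `>` lines for one added empty line (`+`), which leaves three consecutive blank lines before `### Licensing and subscriptions` that PATCH 03 then has to clean up.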
@@ -123,12 +123,12 @@ To confirm the version of the Defender agent, in the Defender portal go to the d - Windows Server 2016 with [Microsoft Defender for Down-Level Devices](/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview) - Windows Server 2019 (with [KB5025229](https://support.microsoft.com/topic/april-11-2023-kb5025229-os-build-17763-4252-e8ead788-2cd3-4c9b-8c77-d677e2d8744f)) - Windows Server 2022 (with [KB5025230](https://support.microsoft.com/topic/april-11-2023-security-update-kb5025230-5048ddfb-7bf3-4e6c-b29a-7b44b789d282)) +- Domain Controllers (preview) Security settings management doesn't work on and isn't supported with the following devices: - Non-persistent desktops, like Virtual Desktop Infrastructure (VDI) clients - Azure Virtual Desktop (AVD and formerly Windows Virtual Desktop, WVD) -- Domain Controllers - 32-bit versions of Windows From 92248d8a6168da983babaf32b8943edc92d65fe4 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Wed, 25 Sep 2024 10:35:57 -0700 Subject: [PATCH 03/13] Update mde-security-integration.md --- .../intune/protect/mde-security-integration.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 8956e496cb0..14e14ff8b7c 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md 
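Review bot: Moving `- Domain Controllers (preview)` into the supported list here, with no pointer to caveats and no statement of which Windows Server versions the preview covers, means a reader at this revision sees domain controllers as plainly supported; the caution section is added only in PATCH 03 and the down-level DC warning was already dropped in PATCH 01, so these three commits should land as one. The entry should also match the casing used elsewhere in the list ("Domain controllers"), which PATCH 03 fixes.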
@@ -123,7 +123,7 @@ To confirm the version of the Defender agent, in the Defender portal go to the d - Windows Server 2016 with [Microsoft Defender for Down-Level Devices](/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview) - Windows Server 2019 (with [KB5025229](https://support.microsoft.com/topic/april-11-2023-kb5025229-os-build-17763-4252-e8ead788-2cd3-4c9b-8c77-d677e2d8744f)) - Windows Server 2022 (with [KB5025230](https://support.microsoft.com/topic/april-11-2023-security-update-kb5025230-5048ddfb-7bf3-4e6c-b29a-7b44b789d282)) -- Domain Controllers (preview) +- Domain controllers (preview). See important information in [Use of security settings management on domain controllers](#use-of-security-settings-management-on-domain-controllers) (in this article). Security settings management doesn't work on and isn't supported with the following devices: @@ -131,8 +131,6 @@ Security settings management doesn't work on and isn't supported with the follow - Azure Virtual Desktop (AVD and formerly Windows Virtual Desktop, WVD) - 32-bit versions of Windows - - ### Licensing and subscriptions To use security settings management, you need: 
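Review bot: Style: "(in this article)" after an in-page anchor link is redundant; the link text already names the section, so "- Domain controllers (preview). See [Use of security settings management on domain controllers](#use-of-security-settings-management-on-domain-controllers)." is enough. The `-131,8 +131,6` hunk that removes the two stray blank lines belongs with PATCH 01, which introduced them.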
@@ -478,9 +476,9 @@ You can manually sync a device on-demand from the [Microsoft Defender portal](ht The Policy sync button only appears for devices that are successfully managed by Microsoft Defender for Endpoint. -### Devices protected by Tamper Protection +### Devices protected by tamper protection -If a device has Tamper Protection turned on, it isn't possible to edit the values of [Tamper Protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) without disabling Tamper Protection first. +If a device has tamper protection turned on, it isn't possible to edit the values of [Tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) without disabling Tamper Protection first. ### Assignment Filters and security settings management 
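Review bot: Casing is inconsistent within the rewritten sentence: the heading and the opening clause are lowercased to "tamper protection", but the sentence still ends with "without disabling Tamper Protection first"; lowercase that too. Because the instruction here is to turn tamper protection off to change these values, it is worth adding one clause saying to turn it back on after the change, otherwise the page reads as if leaving the device's anti-tamper guard disabled is acceptable.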
@@ -516,11 +514,13 @@ The following security settings are pending deprecation. The Defender for Endpoi ### Use of security settings management on domain controllers -Because a Microsoft Entra ID trust is required, domain controllers aren't currently supported. We're looking at ways to add this support. +Currently in preview, security settings management is now supported on domain controllers. To manage security settings on domain controllers, you must enable it in the enforcement scope page (go to **Settings** > **Endpoints** **Enforcement scope**). Windows Server devices must be enabled before you can enable configuration of domain controllers. Additionally, if the *on tagged devices* option is selected for Windows Servers, configuration of domain controllers is limited to tagged devices, too. + +> [!CAUTION] +> - Misconfiguration of domain controllers could have a negative impact on both your security posture and operational continuity. +> - If configuration of domain controllers is enabled in your tenant, make sure to review all Windows policies to make sure you're not unintentionally targeting Microsoft Entra device groups that contain domain controllers. To minimize risk to productivity, firewall policies aren't supported on domain controllers. +> - We recommend reviewing all policies targeted to domain controllers before unenrolling those devices. Make any required configurations first, and then unenroll your domain controllers. Defender for Endpoint configuration is maintained on each device after the device is unenrolled. -> [!IMPORTANT] -> -> In some cases, Domain Controllers that are run a down level server Operating system (2012 R2 or 2016) can unintentionally be managed by Microsoft Defender for Endpoint. In order to ensure that this doesn't happen in your environment, we recommend making sure your domain controllers are neither tagged "MDE-Management" or managed by MDE. ### Server Core installation 
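Review bot: The portal path in the new paragraph, `**Settings** > **Endpoints** **Enforcement scope**`, is missing the `>` separator and the `Configuration Management` node, and disagrees with the path given in the "Configure Microsoft Defender for Endpoint" step (`**Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope**`); use the same path and casing in both places. "Currently in preview, security settings management is now supported" is redundant; "Security settings management on domain controllers is in preview" says it. The deleted `> [!IMPORTANT]` block was the only text covering 2012 R2 / 2016 domain controllers being picked up unintentionally, and nothing in the new section says whether down-level DCs are in scope of the preview or whether that caveat still applies; state it. Finally, the last CAUTION bullet carries the key operational point (Defender for Endpoint configuration stays on a DC after unenrollment, so policies must be fixed before unenrolling), which deserves its own sentence rather than being the trailing clause of a bullet.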
From 27b2284d96d3f13cffab6949f23e6dc404aee466 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Wed, 25 Sep 2024 10:40:13 -0700 Subject: [PATCH 04/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 14e14ff8b7c..46ea020cfaf 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -298,9 +298,9 @@ The following sections guide you through that process. ### Configure Microsoft Defender for Endpoint -In Microsoft Defender for Endpoint portal, as a security administrator: +In the Microsoft Defender portal, as a security administrator: -1. Sign in to [Microsoft Defender portal](https://security.microsoft.com/) and go to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope** and enable the platforms for security settings management. +1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/) and go to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope** and enable the platforms for security settings management. :::image type="content" source="./media/mde-security-integration/enable-mde-settings-management-defender.png" alt-text="Enable Microsoft Defender for Endpoint settings management in the Microsoft Defender portal." lightbox="./media/mde-security-integration/enable-mde-settings-management-defender.png#lightbox"::: From b26ad155f53262c38526eeba761d052889bb4719 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Wed, 25 Sep 2024 10:41:06 -0700 Subject: [PATCH 05/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 46ea020cfaf..f9b4d84879e 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -306,7 +306,7 @@ In the Microsoft Defender portal, as a security administrator: > [!NOTE] > - > If you have the *Manage security settings in Security Center* permission in the Microsoft Defender for Endpoint portal, and are simultaneously enabled to view devices from all Device Groups (no [role-based access control](/microsoft-365/security/defender-endpoint/rbac) limits on your user permissions), you can also perform this action. + > If you have the *Manage security settings in Security Center* permission in the Microsoft Defender portal, and are simultaneously enabled to view devices from all Device Groups (no [role-based access control](/microsoft-365/security/defender-endpoint/rbac) limits on your user permissions), you can also perform this action. 2. Initially, we recommend testing the feature for each platform by selecting the platforms option for **On tagged devices**, and then tagging the devices with the `MDE-Management` tag. @@ -328,7 +328,7 @@ In the Microsoft Defender portal, as a security administrator: > [!TIP] > - > To ensure your Microsoft Defender for Endpoint portal users have consistent permissions across portals, if not already provided, request that your IT administrator grant them the Microsoft Intune **Endpoint Security Manager** [built-in RBAC role](../fundamentals/role-based-access-control.md). + > To ensure your Microsoft Defender portal users have consistent permissions across portals, if not already provided, request that your IT administrator grant them the Microsoft Intune **Endpoint Security Manager** [built-in RBAC role](../fundamentals/role-based-access-control.md). ### Configure Intune From d2da104f782bf0c4209755bbd7b0c3b9d95f0968 Mon Sep 17 00:00:00 2001 
From: denisebmsft Date: Wed, 25 Sep 2024 10:43:18 -0700 Subject: [PATCH 06/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index f9b4d84879e..88ea49612fa 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -97,7 +97,7 @@ To confirm the version of the Defender agent, in the Defender portal go to the d *Known issue*: With the Defender agent version **101.23052.0009**, Linux devices fail to enroll when they're missing the following filepath: `/sys/class/dmi/id/board_vendor`. -*Known issue*: When a Linux device performs synthetic registration the Device Entra ID (formerly known as Device AAD ID) will not be visible in the Defender portal. This information can be viewed from the Intune or Entra portals. Administrators will still be able to manage devices with policies in this manner. +*Known issue*: When a Linux device performs synthetic registration, the Device Entra ID (formerly known as Device AAD ID) isn't visible in the Defender portal. This information can be viewed from the Intune or Microsoft Entra portals. Administrators can still manage devices with policies in this manner. **macOS**: 
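Review bot: "Administrators can still manage devices with policies in this manner" is ambiguous after the rewrite: it isn't clear whether "in this manner" means targeting the synthetic registration's device ID from Intune or Microsoft Entra, or something else; say explicitly what still works. "Device Entra ID" is also not the term the other known issues use ("Device ID in Microsoft Entra ID"); align the wording across the three platform sections.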
@@ -113,7 +113,7 @@ To confirm the version of the Defender agent, in the Defender portal go to the d *Known issue*: With the Defender agent version **101.23052.0004**, macOS devices that are registered in Microsoft Entra ID before enrolling with security settings management receive a duplicate Device ID in Microsoft Entra ID, which is a synthetic registration. When you create a Microsoft Entra group for targeting policy, you must use the synthetic Device ID created by security settings management. In Microsoft Entra ID, the *Join Type* column for the synthetic Device ID is blank. -*Known issue*: When a macOS device performs synthetic registration the Device Entra ID (formerly known as Device AAD ID) will not be visible in the Defender portal. This information can be viewed from the Intune or Entra portals. Administrators will still be able to manage devices with policies in this manner. +*Known issue*: When a macOS device performs synthetic registration, the Device Entra ID (formerly known as Device AAD ID) isn't visible in the Defender portal. This information can be viewed from the Intune or Entra portals. Administrators can still manage devices with policies in this manner. **Windows**: From f6aadcf33e5128ecb9195e53b16404e35c3c0f8b Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Wed, 25 Sep 2024 10:44:14 -0700 Subject: [PATCH 07/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 88ea49612fa..421bd39145e 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md 
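Review bot: This hunk leaves "Intune or Entra portals" while the Linux hunk in the same commit writes "Intune or Microsoft Entra portals"; PATCH 07 corrects it as a separate one-word commit, so squash that into this one. The same "in this manner" ambiguity noted for the Linux known issue applies to this sentence.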
@@ -113,7 +113,7 @@ To confirm the version of the Defender agent, in the Defender portal go to the d *Known issue*: With the Defender agent version **101.23052.0004**, macOS devices that are registered in Microsoft Entra ID before enrolling with security settings management receive a duplicate Device ID in Microsoft Entra ID, which is a synthetic registration. When you create a Microsoft Entra group for targeting policy, you must use the synthetic Device ID created by security settings management. In Microsoft Entra ID, the *Join Type* column for the synthetic Device ID is blank. -*Known issue*: When a macOS device performs synthetic registration, the Device Entra ID (formerly known as Device AAD ID) isn't visible in the Defender portal. This information can be viewed from the Intune or Entra portals. Administrators can still manage devices with policies in this manner. +*Known issue*: When a macOS device performs synthetic registration, the Device Entra ID (formerly known as Device AAD ID) isn't visible in the Defender portal. This information can be viewed from the Intune or Microsoft Entra portals. Administrators can still manage devices with policies in this manner. **Windows**: 
@@ -532,7 +532,7 @@ PowerShell needs to be enabled. Security settings management doesn't work for a device that has PowerShell *LanguageMode* configured with *ConstrainedLanguage* mode `enabled`. For more information, see [about_Language_Modes](/powershell/module/microsoft.powershell.core/about/about_language_modes) in the PowerShell documentation. -### Managing security through MDE if you were previously using a third party security tool +### Managing security through MDE if you were previously using a third-party security tool If you previously had a third-party security tool on the machine and are now managing it with MDE, you might see some impact on MDE's capability to manage Security settings in rare cases. In such cases, as a troubleshooting measure, uninstall and reinstall the latest version of MDE on your machine. From d3bee1f1556db0971dbb950e856ba6141caedf6d Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Wed, 25 Sep 2024 10:49:28 -0700 Subject: [PATCH 08/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 421bd39145e..41bf1540cee 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md 
@@ -532,9 +532,9 @@ PowerShell needs to be enabled. Security settings management doesn't work for a device that has PowerShell *LanguageMode* configured with *ConstrainedLanguage* mode `enabled`. For more information, see [about_Language_Modes](/powershell/module/microsoft.powershell.core/about/about_language_modes) in the PowerShell documentation. -### Managing security through MDE if you were previously using a third-party security tool +### Managing security through Defender for Endpoint if you were previously using a third-party security tool -If you previously had a third-party security tool on the machine and are now managing it with MDE, you might see some impact on MDE's capability to manage Security settings in rare cases. In such cases, as a troubleshooting measure, uninstall and reinstall the latest version of MDE on your machine. +If you previously had a third-party security tool on the machine and are now managing it with Defender for Endpoint, you might see some impact on Defender for Endpoint's capability to manage Security settings in rare cases. In such cases, as a troubleshooting measure, uninstall and reinstall the latest version of Defender for Endpoint on your machine. ## Next steps From eddd025d182cbc7bb2186d9eea3e4a7bec811440 Mon Sep 17 00:00:00 2001 From: denisebmsft Date: Wed, 25 Sep 2024 10:49:55 -0700 Subject: [PATCH 09/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 1 - 1 file changed, 1 deletion(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 41bf1540cee..6add843eb2e 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md 
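Review bot: Mid-sentence "Security settings" is capitalized while the rest of the article writes "security settings", and "machine" should be "device" to match the article's terminology. "you might see some impact on Defender for Endpoint's capability to manage" is vague; if the known symptom is that policies fail to apply, say that, since the reader needs a symptom to recognise before reaching for the uninstall/reinstall step.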
@@ -521,7 +521,6 @@ Currently in preview, security settings management is now supported on domain co > - If configuration of domain controllers is enabled in your tenant, make sure to review all Windows policies to make sure you're not unintentionally targeting Microsoft Entra device groups that contain domain controllers. To minimize risk to productivity, firewall policies aren't supported on domain controllers. > - We recommend reviewing all policies targeted to domain controllers before unenrolling those devices. Make any required configurations first, and then unenroll your domain controllers. Defender for Endpoint configuration is maintained on each device after the device is unenrolled. - ### Server Core installation Security settings management doesn't support Server core installations due to Server core platform limitations. From a1bf6a42c47233c177813c97ebd7a783ad525876 Mon Sep 17 00:00:00 2001 From: brenduns Date: Mon, 30 Sep 2024 08:51:30 -0700 Subject: [PATCH 10/13] General fixes for bounce, due to poor referral path --- .../protect/mtd-device-compliance-policy-create.md | 8 ++++---- .../zimperium-mobile-threat-defense-connector.md | 11 +++-------- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/memdocs/intune/protect/mtd-device-compliance-policy-create.md b/memdocs/intune/protect/mtd-device-compliance-policy-create.md index b01e390470e..4c8087e5834 100644 --- a/memdocs/intune/protect/mtd-device-compliance-policy-create.md +++ b/memdocs/intune/protect/mtd-device-compliance-policy-create.md 
@@ -1,14 +1,14 @@ --- # required metadata -title: Create a Mobile Threat Defense (MTD) device compliance policy with Microsoft Intune +title: Create Mobile Threat Defense compliance policies in Intune titleSuffix: Microsoft Intune description: Create an Intune device compliance policy that uses your MTD partner threat levels to determine if a mobile device can access company resources. keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 08/22/2024 +ms.date: 09/30/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -94,6 +94,6 @@ Your Mobile Threat Defense partner can send a risk score for each device for whi > > Conditional Access policies for Microsoft 365 or other services also evaluate device compliance results, which include the threat-level configuration. Any noncompliant device can be blocked from accessing corporate resources until that devices threat-level is remediated to bring the device into compliance with your policies and that status is successfully reported to Intune via the MTD vendor. -## Next steps +## Related content -[Enable MTD with Intune](mtd-connector-enable.md) +[Enable a Mobile Threat Defense connector](mtd-connector-enable.md) diff --git a/memdocs/intune/protect/zimperium-mobile-threat-defense-connector.md b/memdocs/intune/protect/zimperium-mobile-threat-defense-connector.md index c10af4b062e..a94db3b9238 100644 --- a/memdocs/intune/protect/zimperium-mobile-threat-defense-connector.md +++ b/memdocs/intune/protect/zimperium-mobile-threat-defense-connector.md @@ -8,7 +8,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 11/17/2023 +ms.date: 09/30/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
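Review bot: The unchanged context line in the second hunk reads "until that devices threat-level is remediated"; since this block is being touched, fix "that devices threat-level" to "that device's threat level" here. The new title drops both "(MTD)" and "Microsoft Intune" while the description line still says "MTD partner threat levels", so keep the expansion "Mobile Threat Defense (MTD)" somewhere at the top of the page so the abbreviation is defined before it is used.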
@@ -57,7 +57,7 @@ The Zimperium app for Android and iOS/iPadOS captures file system, network stack - **Support for enrolled devices** - Intune device compliance policy includes a rule for Mobile Threat Defense (MTD), which can use risk assessment information from Zimperium. When the MTD rule is enabled, Intune evaluates device compliance with the policy that you enabled. If the device is found noncompliant, users are blocked access to corporate resources like Exchange Online and SharePoint Online. Users also receive guidance from the Zimperium app installed in their devices to resolve the issue and regain access to corporate resources. To support using Zimperium with enrolled devices: - [Add MTD apps to devices](../protect/mtd-apps-ios-app-configuration-policy-add-assign.md) - [Create a device compliance policy that supports MTD](../protect/mtd-device-compliance-policy-create.md) - - [Enable the MTD connector in Intune](../protect/mtd-connector-enable.md) + - [Enable a Mobile Threat Defense connector](../protect/mtd-connector-enable.md) - **Support for unenrolled devices** - Intune can use the risk assessment data from the Zimperium app on unenrolled devices when you use Intune app protection policies. Admins can use this combination to help protect corporate data within a [Microsoft Intune protected app](../apps/apps-supported-intune-apps.md), Admins can also issue a block or selective wipe for corporate data on those unenrolled devices. To support using Zimperium with unenrolled devices: - [Add the MTD app to unenrolled devices](../protect/mtd-add-apps-unenrolled-devices.md) 
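Review bot: Two grammar issues sit in the unchanged context of this hunk and are worth fixing while the link is being updated: "users are blocked access to corporate resources" should be "users are blocked from accessing corporate resources", and the unenrolled-devices bullet has a comma splice ("...protected app](...), Admins can also issue..."), which should be a full stop before "Admins".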
@@ -118,14 +118,9 @@ Access is granted on remediation: :::image type="content" source="./media/zimperium-mobile-threat-defense-connector/zimperium-mobile-app-policy-remediated.png" alt-text="Product flow for App protection policies to grant access after malware is remediated."::: -## Next steps +## Related content - [Integrate Zimperium with Intune](zimperium-mtd-connector-integration.md) - - [Set up Zimperium apps](mtd-apps-ios-app-configuration-policy-add-assign.md) - - [Create Zimperium device compliance policy](mtd-device-compliance-policy-create.md) - -- [Enable Zimperium MTD connector](mtd-connector-enable.md) - - [Create an MTD app protection policy](../protect/mtd-app-protection-policy.md) From 5134afde2f708c2be477adf485553b8b22bf147d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Sep 2024 10:05:16 -0700 Subject: [PATCH 11/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 6add843eb2e..ccd8ba36d32 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 09/25/2024 +ms.date: 09/30/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
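Review bot: The "Enable Zimperium MTD connector" link is removed from Related content, but the enrolled-devices bullets earlier in this same file (first hunk) still list enabling the connector as one of the three required setup steps; if the link is being dropped because of the referral-path bounce named in the commit subject, say so in the commit message, because as written the Related content list now omits a step the body still requires.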
@@ -122,7 +122,7 @@ To confirm the version of the Defender agent, in the Defender portal go to the d - Windows Server 2012 R2 with [Microsoft Defender for Down-Level Devices](/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview) - Windows Server 2016 with [Microsoft Defender for Down-Level Devices](/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview) - Windows Server 2019 (with [KB5025229](https://support.microsoft.com/topic/april-11-2023-kb5025229-os-build-17763-4252-e8ead788-2cd3-4c9b-8c77-d677e2d8744f)) -- Windows Server 2022 (with [KB5025230](https://support.microsoft.com/topic/april-11-2023-security-update-kb5025230-5048ddfb-7bf3-4e6c-b29a-7b44b789d282)) +- Windows Server 2022, including server core (with [KB5025230](https://support.microsoft.com/topic/april-11-2023-security-update-kb5025230-5048ddfb-7bf3-4e6c-b29a-7b44b789d282)) - Domain controllers (preview). See important information in [Use of security settings management on domain controllers](#use-of-security-settings-management-on-domain-controllers) (in this article). Security settings management doesn't work on and isn't supported with the following devices: 
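Review bot: "including server core" should use the product name "Server Core" (PATCH 13 fixes this as a separate commit; squash it). More importantly, this line now states that Server Core on Windows Server 2022 is supported, but nothing in this commit says what applies to Server Core on 2019 and earlier once the "Server Core installation" section is deleted in the other hunk; the exclusion only appears in PATCH 12, so the three commits should land together so no revision is left silent on it.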
@@ -521,10 +521,6 @@ Currently in preview, security settings management is now supported on domain co > - If configuration of domain controllers is enabled in your tenant, make sure to review all Windows policies to make sure you're not unintentionally targeting Microsoft Entra device groups that contain domain controllers. To minimize risk to productivity, firewall policies aren't supported on domain controllers. > - We recommend reviewing all policies targeted to domain controllers before unenrolling those devices. Make any required configurations first, and then unenroll your domain controllers. Defender for Endpoint configuration is maintained on each device after the device is unenrolled. -### Server Core installation - -Security settings management doesn't support Server core installations due to Server core platform limitations. - ### PowerShell restrict mode PowerShell needs to be enabled. From c00429a097c2b3676b7d63eddda303161a066883 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 30 Sep 2024 10:05:58 -0700 Subject: [PATCH 12/13] Update mde-security-integration.md --- memdocs/intune/protect/mde-security-integration.md | 1 + 1 file changed, 1 insertion(+) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index ccd8ba36d32..5172808e0cd 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -127,6 +127,7 @@ To confirm the version of the Defender agent, in the Defender portal go to the d Security settings management doesn't work on and isn't supported with the following devices: +- Windows Server core 2109 and earlier - Non-persistent desktops, like Virtual Desktop Infrastructure (VDI) clients - Azure Virtual Desktop (AVD and formerly Windows Virtual Desktop, WVD) - 32-bit versions of Windows From 7058a472d56c897fce2d6fbda1f41ce518dc03df Mon Sep 17 00:00:00 2001 
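Review bot: The added exclusion "- Windows Server core 2109 and earlier" in the PATCH 12 hunk has a typo: there is no Windows Server 2109, and the intent is 2019. It also doesn't follow the naming of the entries above it ("Windows Server 2019", "Windows Server 2022, including Server Core"); suggest "- Server Core installations of Windows Server 2019 and earlier". With the "Server Core installation" section removed in the `-521,10 +521,6` hunk, this list entry is the only place the limitation survives, so it needs to be correct.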
From: brenduns Date: Mon, 30 Sep 2024 10:16:37 -0700 Subject: [PATCH 13/13] Branding for Server Core --- memdocs/intune/protect/mde-security-integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 5172808e0cd..2f3162525bf 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md 
@@ -122,12 +122,12 @@ To confirm the version of the Defender agent, in the Defender portal go to the d - Windows Server 2012 R2 with [Microsoft Defender for Down-Level Devices](/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview) - Windows Server 2016 with [Microsoft Defender for Down-Level Devices](/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview) - Windows Server 2019 (with [KB5025229](https://support.microsoft.com/topic/april-11-2023-kb5025229-os-build-17763-4252-e8ead788-2cd3-4c9b-8c77-d677e2d8744f)) -- Windows Server 2022, including server core (with [KB5025230](https://support.microsoft.com/topic/april-11-2023-security-update-kb5025230-5048ddfb-7bf3-4e6c-b29a-7b44b789d282)) +- Windows Server 2022, including Server Core (with [KB5025230](https://support.microsoft.com/topic/april-11-2023-security-update-kb5025230-5048ddfb-7bf3-4e6c-b29a-7b44b789d282)) - Domain controllers (preview). See important information in [Use of security settings management on domain controllers](#use-of-security-settings-management-on-domain-controllers) (in this article). Security settings management doesn't work on and isn't supported with the following devices: -- Windows Server core 2109 and earlier +- Windows Server Core 2109 and earlier - Non-persistent desktops, like Virtual Desktop Infrastructure (VDI) clients - Azure Virtual Desktop (AVD and formerly Windows Virtual Desktop, WVD) - 32-bit versions of Windows
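Review bot: The branding fix carries the "2109" typo forward: "- Windows Server Core 2109 and earlier" should read 2019, and for consistency with "Windows Server 2022, including Server Core" directly above, "- Server Core installations of Windows Server 2019 and earlier" is clearer.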