| title | Tenant attach - Create and deploy Attack surface reduction policies from the admin center |
|---|---|
| description | Create and deploy Attack surface reduction policies from the Microsoft Intune admin center and for Configuration Manager collections. |
| ms.date | 05/31/2022 |
| ms.topic | install-set-up-deploy |
| ms.subservice | core-infra |
| ms.collection | tier3 |
Applies to: Configuration Manager (current branch)
Create Attack surface reduction policies in the Microsoft Intune admin center and deploy them to Configuration Manager collections.
[!INCLUDE Profiles for Configuration Manager tenant attached devices]
-
In a browser, go to the Microsoft Intune admin center.
-
Select Endpoint security > Attack surface reduction then Create Policy.
-
Create a profile with the following settings:
- Platform: Windows 10 and later (ConfigMgr)
- Profile: Choose one of the following profiles:
- Attack Surface Reduction Rules (ConfigMgr)
- Exploit Protection (ConfigMgr)
- Web Protection (ConfigMgr)
Note
The Microsoft Edge installer, Attack Surface Reduction rules engine for tenant attach, and CMPivot are currently signed with the Microsoft Code Signing PCA 2011 certificate. If you set PowerShell execution policy to AllSigned, then you need to make sure that devices trust this signing certificate. You can export the certificate from a computer where you've installed the Configuration Manager console. View the certificate on "C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe", and then export the code signing certificate from the certification path. Then import it to the machine's Trusted Publishers store on managed devices. You can use the process in the following blog, but make sure to export the code signing certificate from the certification path: Adding a Certificate to Trusted Publishers using Intune
- Assign a Name and optionally a Description on the Basics page.
- On the Configuration settings page, configure the settings you want to manage with this profile. When your done configuring settings, select Next. For more information about available settings for both profiles, see Attack surface reduction policy settings for tenant attached devices.
- Assign the policy to a Configuration Manager collection on the Assignments page.
[!INCLUDE Device status for Configuration Manager tenant attached devices]
- Attack surface reduction policy settings for tenant attached devices.
- Create and deploy endpoint security Antivirus policy to tenant attached devices
- Create and deploy endpoint security Endpoint Detection and Response policy to tenant attached devices
- Create and deploy endpoint security Firewall policy to tenant attached devices