Merge pull request #7402 from matt-call/MDEDocUpdates0420

Security Management doc updates for 2203/2204

Author: v-dihans

memdocs/intune/protect/includes/security-config-mgt-prerequisites.md

@@ -4,7 +4,7 @@ description: include file
 author: brenduns
 ms.service: microsoft-intune
 ms.author: brenduns
-ms.date: 01/24/2022
+ms.date: 04/20/2022
 ms.topic: include
 ---
 ## Prerequisites
@@ -30,13 +30,16 @@ Devices must have access to the following endpoints:
 - `*.dm.microsoft.com` - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
 > [!Note]
 > If your organization users Secure Socket Layer (SSL) inspection, the endpoints should be excluded from inspection.
+
 ### Supported platforms
+
 Policies for Microsoft Defender for Endpoint security management are supported for the following device platforms:
 - Windows 10 Professional/Enterprise (with [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541))
 - Windows Server 2012 R2 with [Microsoft Defender for Down-Level Devices](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview)
 - Windows Server 2016 with [Microsoft Defender for Down-Level Devices](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview)
 - Windows Server 2019 (with [KB5006744](https://support.microsoft.com/topic/october-19-2021-kb5006744-os-build-17763-2268-preview-e043a8a3-901b-4190-bb6b-f5a4137411c0))
 - Windows Server 2022 (with [KB5006745](https://support.microsoft.com/topic/october-26-2021-kb5006745-os-build-20348-320-preview-8ff9319a-19e7-40c7-bbd1-cd70fcca066c))
+
 ### Licensing and subscriptions
 To use security management for Microsoft Defender for Endpoint, you need:
 
@@ -90,25 +93,35 @@ The following table can help you understand which policies that can configure MD
 To support Microsoft Defender for Endpoint security configuration management through the Microsoft Endpoint Manager admin center, you must enable communication between them from within each console.
 1. Sign in to [Microsoft 365 Defender portal](https://security.microsoft.com/) and go to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope** and enable the platforms for security settings management:
    :::image type="content" source="../media/mde-security-integration/enable-mde-settings-management-defender.png" alt-text="Enable Microsoft Defender for Endpoint settings management in the Microsoft 365 Defender portal.":::
-2. Make sure the relevant users have permissions to manage endpoint security settings in Microsoft Endpoint Manager or grant those permissions by configuring a role in the Microsoft 365 Defender portal. Go to **Settings** > **Roles** > **Add item**:
+1. Configure Pilot Mode and Configuration Manager authority settings to fit your organization needs:
+   :::image type="content" source="../media/mde-security-integration/pilot-CMAuthority-mde-settings-management-defender.png" alt-text="Configure Pilot mode for Endpoint settings management in the Microsoft 365 Defender portal.":::
+   > [!TIP]
+   > Use pilot mode and the proper device tags to test and validate your rollout on a small number of devices. Without using pilot mode, any device that falls into the scope configured will automatically be enrolled.
+
+1. Make sure the relevant users have permissions to manage endpoint security settings in Microsoft Endpoint Manager or grant those permissions by configuring a role in the Microsoft 365 Defender portal. Go to **Settings** > **Roles** > **Add item**:
    :::image type="content" source="../media/mde-security-integration/add-role-in-mde.png" alt-text="Create a new role in the Defender portal.":::
    > [!TIP]
    > You can modify existing roles and add the necessary permissions versus creating additional roles in Microsoft Defender for Endpoint
-3. When configuring the role, add users and be sure to select **Manage endpoint security settings in Microsoft Endpoint Manager**:
+1. When configuring the role, add users and be sure to select **Manage endpoint security settings in Microsoft Endpoint Manager**:
+
       :::image type="content" source="../media/mde-security-integration/add-role.png" alt-text="Grant users permissions to manage settings.":::
-4. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-5. Select **Endpoint security** > **Microsoft Defender for Endpoint**, and set **Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations (Preview)** to **On**.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Endpoint security** > **Microsoft Defender for Endpoint**, and set **Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations** to **On**.
+
    :::image type="content" source="../media/mde-security-integration/enable-mde-settings-management-mem.png" alt-text="Enable Microsoft Defender for Endpoint settings management in the Microsoft Endpoint Manager admin center.":::
+   
    When you set this option to *On*, all devices in the platform scope in Microsoft Defender for Endpoint that aren't managed by Microsoft Endpoint Manager will qualify to onboard to Microsoft Defender for Endpoint.
+
+> [!TIP]
+> Users that are delegated the ability to manage endpoint security settings may not have the ability to implement tenant-wide configurations in Endpoint Manager.  Check with your Endpoint Manager administrator for more information on roles and permissions in your organization.
+
 ## Onboard devices to Microsoft Defender for Endpoint
+
 Microsoft Defender for Endpoint supports several options to onboard devices. For current guidance, see [Onboarding tools and methods for Windows devices](/microsoft-365/security/defender-endpoint/security-config-management) in the Defender for Endpoint documentation.
-> [!IMPORTANT]  
-> After a device onboards with Microsoft Defender for Endpoint, it must and be tagged with **MDE-Management** before it can enroll with Security Management for Microsoft Defender for Endpoint. For more information on device tagging in MDE, see [*Create and manage device tags*](/microsoft-365/security/defender-endpoint/machine-tags).
-Devices that you manage with Intune are not supported for this scenario.
 
 ## Co-existence with Microsoft Endpoint Configuration Manager
 
-When using Configuration Manager, the best path for management of security policy is using the [Configuration Manager tenant attach](/mem/configmgr/tenant-attach/endpoint-security-get-started). In some environments it may be desired to use Security Management for Microsoft Defender for Endpoint. When using Security Management for Microsoft Defender for Endpoint with Configuration Manager, endpoint security policy should be isolated to a single control plane. Controlling policy through both channels will create the opportunity for conflicts and undesired results.
+When using Configuration Manager, the best path for management of security policy is using [Configuration Manager tenant attach](/mem/configmgr/tenant-attach/endpoint-security-get-started). In some environments it may be desired to use Security Management for Microsoft Defender for Endpoint. When using Security Management for Microsoft Defender for Endpoint with Configuration Manager, endpoint security policy should be isolated to a single control plane. Controlling policy through both channels will create the opportunity for conflicts and undesired results.
 
 ## Create Azure AD Groups
 
@@ -138,17 +151,17 @@ After creating one or more Azure AD groups that contain devices managed by Micro
 2. Go to **Endpoint security** and then select the type of policy you want to configure, either Antivirus or Firewall, and then select **Create Policy**.
 3. Enter the following properties or the policy type you selected:
    - For Antivirus policy, select:
-     - Platform: **Windows 10, Windows 11, and Windows Server (Preview)**
-     - Profile: **Microsoft Defender Antivirus (Preview)**
+     - Platform: **Windows 10, Windows 11, and Windows Server**
+     - Profile: **Microsoft Defender Antivirus**
    - For Firewall policy, select:
-     - Platform: **Windows 10, Windows 11, and Windows Server (Preview)**
-     - Profile: **Microsoft Defender Firewall (Preview)**
+     - Platform: **Windows 10, Windows 11, and Windows Server**
+     - Profile: **Microsoft Defender Firewall**
    - For Firewall Rules policy, select:
-     - Platform: **Windows 10, Windows 11, and Windows Server (Preview)**
-     - Profile: **Microsoft Defender Firewall Rules (Preview)**
+     - Platform: **Windows 10, Windows 11, and Windows Server**
+     - Profile: **Microsoft Defender Firewall Rules**
    - For Endpoint Detection and Response policy, select:
-     - Platform: **Windows 10, Windows 11, and Windows Server (Preview)**
-     - Profile: **Endpoint detection and response (Preview)**
+     - Platform: **Windows 10, Windows 11, and Windows Server**
+     - Profile: **Endpoint detection and response**
    >[!Note]
    > These profiles apply to both devices communicating through Mobile Device Management (MDM) with Microsoft Intune as well as devices that are communicating using the Microsoft Defender for Endpoint client.
    >
@@ -165,9 +178,10 @@ After creating one or more Azure AD groups that contain devices managed by Micro
 
    > [!TIP]
    >
-   > - Assignment filters are not supported for Security Configuration Management profiles.
+   > - Assignment filters are not supported for devices leveraging the Security Management for Microsoft Defender for Endpoint feature.
    > - Only *Device Objects* are applicable for Microsoft Defender for Endpoint management. Targeting users is not supported.
    > - Policies configured will apply to both Microsoft Intune and Microsoft Defender for Endpoint clients
+
 8. Complete the policy creation process and then on the **Review + create** page, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
 
 9. Wait for the policy to be assigned and view a success indication that policy was applied.

memdocs/intune/protect/mde-security-integration.md

@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 04/05/2022
+ms.date: 04/20/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -56,12 +56,20 @@ When you select a policy, you'll see information about the device check-in statu
 
 - **Per setting status** - View the settings that are managed by the policy, and a count of success, errors, or conflicts for each setting.
 
-## Known limitations and considerations
+## Frequently asked questions and considerations
 
 ### Assignment Filters and Security Management for Microsoft Defender for Endpoint
 
 Assignment filters are not supported for devices communicating through the Microsoft Defender for Endpoint channel. While assignment filters can be added to a policy that could be targeted at these devices, the device will ignore assignment filters. For assignment filter support, the device must be enrolled in to Microsoft Endpoint Manager.
 
+### Deleting and removing devices
+
+Devices that are using this flow will be unable to be deleted from the Microsoft Endpoint Manager admin center. The enrollment state is driven from Microsoft Defender for Endpoint, and deleting them from the admin center would only cause them to be removed temporarily. If devices need to be removed from management, they should be removed from the scope of Configuration Management in the Security Center. Once removed, that change will be propagated across services.
+
+### Unable to enable the Security Management for Microsoft Defender for Endpoint workload in Endpoint Security
+
+Most initial provisioning flows are completed typically and created by an Administrator of both services. There are some scenarios where Role-based Administration is used to customize the permissions of administrators. Today, those delegated the *Endpoint Security Manager* role may not have the necessary permissions to enable this feature. We will address this in a future release.
+
 ### Co-existence with Microsoft Endpoint Configuration Manager
 
 When using Configuration Manager, the best path for management of security policy is using the [Configuration Manager tenant attach](../../configmgr/tenant-attach/endpoint-security-get-started.md). In some environments it may be desired to use Security Management for Microsoft Defender for Endpoint. When using Security Management for Microsoft Defender for Endpoint with Configuration Manager, endpoint security policy should be isolated to a single control plane. Controlling policy through both channels will create the opportunity for conflicts and undesired results.
@@ -77,7 +85,6 @@ To troubleshoot Azure Active Directory onboarding issues, see  [Troubleshoot Sec
 The following security settings are pending deprecation. The Security Management for Microsoft Defender for Endpoint flow does not support these settings:
 
 - Expedite telemetry reporting frequency (under **Endpoint Detection and Response**)
-- AllowOnAccessProtection (under **Antivirus**)
 - AllowIntrusionPreventionSystem (under **Antivirus**)
 
 ### Managing security configurations on domain controllers
@@ -90,7 +97,7 @@ Due to the potential effect on Azure Active Directory environments with respect
 
 ### Server Core installation
 
-Due to the limited scope of Server core installations, these are not supported by Security Management for Microsoft Defender for Endpoint.
+Due to the platform limitations of Server core installations, these are not supported by Security Management for Microsoft Defender for Endpoint.
 
 ## Next steps