Learning Path 2 - Lab 1 - Exercise 1 - Deploy Microsoft Defender for Endpoint

Lab scenario

Lab overview.

You are a Security Operations Analyst working at a company that is implementing Microsoft Defender for Endpoint. Your manager plans to onboard a few devices to provide insight into required changes to the Security Operations (SecOps) team response procedures.

You start by initializing the Defender for Endpoint environment. Next, you onboard the initial devices for your deployment by running the onboarding script on the devices. You configure security for the environment. Lastly, you create Device groups and assign the appropriate devices.

Important: The lab Virtual Machines are used through different modules. SAVE your virtual machines. If you exit the lab without saving, you will be required to re-run some configurations again.

Note: Make sure you have completed successfully Task 3 of the previous module.

Task 1: Initialize Microsoft Defender for Endpoint

In this task, you will perform the initialization of the Microsoft Defender for Endpoint portal.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. If you are not already at the Microsoft 365 Defender portal, start the Microsoft Edge browser.

  3. In the Edge browser, go to the Microsoft 365 Defender portal at (https://security.microsoft.com).

  4. In the Sign in dialog box, copy, and paste in the tenant Email account for the admin username provided by your lab hosting provider and then select Next.

  5. In the Enter password dialog box, copy, and paste in the admin’s tenant password provided by your lab hosting provider and then select Sign in.

    Tip: The admin’s tenant email account and password can be found on the Resources tab.

  6. On the Microsoft 365 Defender portal, from the navigation menu, select Settings from the left.

  7. On the Settings page select Device discovery.

    Note: If you do not see the Device discovery option under Settings, logout by selecting the top-right circle with your account initials and select Sign out. Other options that you might want to try is to refresh the page with Ctrl+F5 or open the page InPrivate. Login again with the Tenant Email credentials.

  8. In Discovery setup make sure Standard discovery (recommended) is selected.

    Hint: If you do not see the option, refresh the page.

Task 2: Onboard a Device.

In this task, you will onboard a device to Microsoft Defender for Endpoint using an onboarding script.

  1. If you are not already at the Microsoft 365 Defender portal in your browser, start the Microsoft Edge browser and go to (https://security.microsoft.com) and login with the Tenant Email credentials.

  2. Select Settings from the left menu bar, then from the Settings page select Endpoints.

  3. Select Onboarding in the Device management section.

    Note: You can also perform device onboarding from the Assets section of the left menu bar. Expand Assets and select Devices. On the Device Inventory page, with Computers & Mobile selected, scroll down to Onboard devices. This takes you to the Settings > Endpoints page.

  4. In the “1. Onboard a device” area make sure “Local Script (for up to 10 devices)” is displayed in the Deployment method drop-down and select the Download onboarding package button.

  5. Under the Downloads pop-ipup, highlight the “WindowsDefenderATPOnboardingPackage.zip” file with your mouse and select the folder icon Show in folder. Hint: In case you don’t see it, the file should be in the c:\users\admin\downloads directory.

  6. Right-click the downloaded zip file and select Extract All…, make sure that Show extracted files when complete is checked and select Extract.

  7. Right-click on the extracted file “WindowsDefenderATPLocalOnboardingScript.cmd” and select Properties. Select the Unblock checkbox in the bottom right of the Properties windows and select OK.

  8. Right-click on the extracted file “WindowsDefenderATPLocalOnboardingScript.cmd” again and choose Run as Administrator. Hint: If you encounter the Windows SmartScreen window, select on More info, and choose Run anyway.

  9. When the “User Account Control” window is shown, select Yes to allow the script to run and answer Y to the question presented by the script and press Enter. When complete you should see a message in the command screen that says Successfully onboarded machine to Microsoft Defender for Endpoint.

  10. Press any key to continue. This will close the Command Prompt window.

  11. Back in the Onboarding page from the Microsoft 365 Defender portal, under the section “2. Run a detection test”, copy the detection test script by selecting the Copy button.

  12. In the windows search bar of the WIN1 virtual machine, type CMD and choose to Run as Administrator on the right pane for the Command Prompt app.

  13. When the “User Account Control” window is shown, select Yes to allow the app to run.

  14. Paste the script by right-clicking in the Administrator: Command Prompt windows and press Enter to run it. Note: The window closes automatically after running the script.

  15. In the Microsoft 365 Defender portal, in the left-hand menu, under the Assets area, select Devices. If the device is not shown, complete the next task and come back to check it back later. It can take up to 60 minutes for the first device to be displayed in the portal.

    Note: If you have completed the onboarding process and don’t see devices in the Devices list after an hour, it might indicate an onboarding or connectivity problem.

Task 3: Configure Roles

In this task, you will configure roles for use with device groups.

  1. In the Microsoft 365 Defender portal select Settings from the left menu bar, then select Endpoints.

  2. Select Roles under the permissions area.

  3. Select the Turn on roles button.

  4. Select + Add item.

  5. In the Add role dialog enter the following:

    General setting Value
    Role name Tier 1 Support
    Permissions Live Response capabilities - Advanced

  6. Select the Assigned user groups tab on the top. Select sg-IT and then select Add selected groups. Make sure it appears under Azure AD user groups with this role.

  7. Select Save. If you receive an error while saving the role, refresh the page and try again.

Task 4: Configure Device Groups

In this task, you will configure device groups that allow for access control and automation configuration.

  1. In the Microsoft 365 Defender portal select Settings from the left menu bar, then select Endpoints.

  2. Select Device groups under the permissions area.

  3. Select + Add device group icon.

  4. Enter the following information on the General tab:

    General setting Value
    Device group name Regular
    Automation level Full - remediate threats automatically

  5. Select Next.

  6. On the Devices tab, for the OS condition select Windows 10 and select Next.

  7. On the Preview devices tab, select Show preview to see the WIN1 virtual machine, most likely the data is not populated yet. Leave it as is and select Next.

  8. For the User access tab, select sg-IT and then select Add selected groups button. Make sure it appears under Azure AD user groups with access to this device group.

  9. Select Done.

  10. Device group configuration has changed. Select Apply changes to check matches and recalculate groupings.

  11. You are going to have two device groups now; the “Regular” you just created and the “Ungrouped devices (default)” with the same remediation level.

Proceed to Exercise 2