Module 7: Defender for Endpoint Configuration & Device Management
Module 1 introduced Defender for Endpoint as a component. Module 3 showed you the device investigation page. This module teaches you to configure the product — onboarding, ASR rules, EDR settings, device groups, and the compliance integration that blocks AiTM attacks.
The configuration decisions you make here directly affect your investigation capability. A device that has not been onboarded is invisible. A misconfigured ASR rule blocks legitimate software. A poorly scoped device group gives the wrong analysts access to the wrong devices.
You need Defender for Endpoint P2 (included in M365 E5) and an Intune-enrolled device for full lab exercises. The developer tenant from Module 1.11 provides the licensing. If you do not have a physical device to enroll, you can follow the configuration steps in the portal and verify with KQL queries against sample data.