
Lab scenario

You are a Security Operations Analyst working at a company that is
implementing Microsoft Defender for Endpoint. Your manager plans to onboard
a few devices to provide insight into required changes to the Security
Operations (SecOps) team response procedures.

You start by initializing the Defender for Endpoint environment. Next, you
onboard the initial devices for your deployment by running the onboarding
script on the devices. You configure security for the environment. Lastly, you
create Device groups and assign the appropriate devices.
Important: The lab Virtual Machines are used across different modules. SAVE your virtual
machines. If you exit the lab without saving, you will be required to re-run some
configurations.
Note: Make sure you have successfully completed Task 3 of the previous module.
Note: An interactive lab simulation is available that allows you to click through this lab at your
own pace. You may find slight differences between the interactive simulation and the hosted
lab, but the core concepts and ideas being demonstrated are the same.

Task 1: Initialize Microsoft Defender for Endpoint

In this task, you’ll perform the initialization of the Microsoft Defender for
Endpoint portal.

1. Log in to the WIN1 virtual machine as Admin with the password: Pa55w.rd.
2. If you aren’t already at the Microsoft 365 Defender portal, start the
Microsoft Edge browser.
3. In the Edge browser, go to the Microsoft 365 Defender portal at
(https://security.microsoft.com).
4. In the Sign in dialog box, copy and paste the tenant Email account for
the admin username provided by your lab hosting provider and then
select Next.
5. In the Enter password dialog box, copy and paste the admin’s tenant
password provided by your lab hosting provider and then select Sign in.
Tip: The admin’s tenant email account and password can be found on the
Resources tab.

6. On the Microsoft 365 Defender portal, from the navigation menu,
select Settings on the left.
7. On the Settings page, select Device discovery.
Note: If you do not see the Device discovery option under Settings, log out by
selecting the top-right circle with your account initials and selecting Sign out.
Other options you might try are refreshing the page with Ctrl+F5 or
opening the page InPrivate. Log in again with the Tenant Email credentials.

8. In Discovery setup, make sure Standard discovery (recommended) is
selected.
Hint: If you do not see the option, refresh the page.

Task 2: Onboard a Device

In this task, you’ll onboard a device to Microsoft Defender for Endpoint using an
onboarding script.

1. Select Settings from the left menu bar, then from the Settings page
select Endpoints.
2. Select Onboarding in the Device management section.
Note: You can also perform device onboarding from the Assets section of the
left menu bar. Expand Assets and select Devices. On the Device Inventory page,
with Computers & Mobile selected, scroll down to Onboard devices. This takes
you to the Settings > Endpoints page.

3. In the “1. Onboard a device” area make sure “Local Script (for up to 10
devices)” is displayed in the Deployment method drop-down and select
the Download onboarding package button.
4. Under the Downloads pop-up, highlight the
“WindowsDefenderATPOnboardingPackage.zip” file with your mouse and
select the folder icon Show in folder. Hint: In case you don’t see it, the
file should be in the c:\users\admin\downloads directory.
Tip: If your browser blocks the download, take action in the browser to allow it.
In the Microsoft Edge browser, you may see the message
“WindowsDefenderATPOnboardingPackage.zip isn’t commonly downloaded.
Make sure you trust…”; select the ellipsis button (…) if needed and then
select Keep. In Microsoft Edge a second pop-up appears with the
message “Make sure you trust WindowsDefenderATPOnboardingPackage.zip
before you open it”; select Show more to expand the selections and select Keep
anyway.

5. Right-click the downloaded zip file and select Extract All…, make sure
that Show extracted files when complete is checked and select Extract.
6. Right-click on the extracted file
“WindowsDefenderATPLocalOnboardingScript.cmd” and
select Properties. Select the Unblock checkbox in the bottom right of
the Properties window and select OK.
7. Right-click on the extracted file
“WindowsDefenderATPLocalOnboardingScript.cmd” again and
choose Run as Administrator. Hint: If you encounter the Windows
SmartScreen window, select More info, and choose Run anyway.
8. When the “User Account Control” window is shown, select Yes to allow
the script to run, answer Y to the question presented by the script
and press Enter. When complete you should see a message in the
command screen that says Successfully onboarded machine to Microsoft
Defender for Endpoint.
9. Press any key to continue. This closes the Command Prompt window.
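The steps above end with the script's own success message. As an added example (not part of the lab or of Microsoft's onboarding package), the following PowerShell, run from an elevated prompt, does the equivalent of the Unblock checkbox in step 6 with Unblock-File and then, once the script has finished, checks the two local indicators an analyst can use to confirm the device really onboarded: the Sense sensor service is running and the OnboardingState registry value is 1. The extraction folder path and the function name Test-MdeOnboarding are assumptions.

```powershell
# Added example, not from the lab. Assumes the zip from step 4 was extracted
# with "Extract All" into the default folder next to it in Downloads.
$ScriptPath = 'C:\Users\admin\Downloads\WindowsDefenderATPOnboardingPackage\WindowsDefenderATPLocalOnboardingScript.cmd'

# Step 6 equivalent: remove the Mark-of-the-Web so the script is not blocked.
if (Test-Path -Path $ScriptPath) {
    Unblock-File -Path $ScriptPath
    Write-Host "Unblocked $ScriptPath"
} else {
    Write-Warning "Onboarding script not found at $ScriptPath (check where the zip was extracted)."
}

function Test-MdeOnboarding {
    # Indicator 1: the Defender for Endpoint sensor service ("Sense") should be running.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $serviceOk = ($null -ne $sense) -and ($sense.Status -eq 'Running')

    # Indicator 2: the onboarding script writes OnboardingState = 1 under this key.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue).OnboardingState
    $stateOk = ($state -eq 1)

    [pscustomobject]@{
        SenseServiceRunning = $serviceOk
        OnboardingState     = $state
        Onboarded           = ($serviceOk -and $stateOk)
    }
}

# Run the check after the onboarding script (steps 7-8) has completed.
$result = Test-MdeOnboarding
$result | Format-List
if (-not $result.Onboarded) {
    Write-Warning 'Device does not look onboarded yet; re-run the onboarding script as Administrator (steps 7-8).'
}
```

The device can take some minutes to appear in the portal's Device inventory even after both indicators are good, which is why step 7 of Task 4 warns that the preview may be empty.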

Task 3: Configure Roles

In this task, you’ll configure roles for use with device groups.

1. In the Microsoft 365 Defender portal select Settings from the left menu
bar, then select Endpoints.
2. Select Roles under the Permissions section.
3. Select the Turn on roles button.
4. Select + Add item.
5. In the Add role dialog, enter the following:

General setting    Value
Role name          Tier 1 Support
Permissions        Live Response capabilities - Advanced

6. Select Next.
7. Select the Assigned user groups tab on the top. Select sg-IT and then
select Add selected groups. Make sure it appears under Azure AD user
groups with this role.
8. Select Submit and then Done when finished.
Note: If you receive the error “User can’t perform this action since its
UserAuthEnforcementMode is Rbac and this action requires one of: RbacV2”,
select OK and try again.

Task 4: Configure Device Groups

In this task, you’ll configure device groups that allow for access control and
automation configuration.

1. In the Microsoft 365 Defender portal select Settings from the left menu
bar, then select Endpoints.
2. Select Device groups under the Permissions section.
3. Select the + Add device group icon.
4. Enter the following information on the General tab:

General setting      Value
Device group name    Regular
Automation level     Full - remediate threats automatically

5. Select Next.
6. On the Devices tab, for the OS condition select Windows 10 and
select Next.
7. On the Preview devices tab, the Show preview button could show the
WIN1 virtual machine, but most likely the data isn’t populated yet.
Select Next to continue.
8. For the User access tab, select sg-IT and then select Add selected
groups button. Make sure it appears under Azure AD user groups with
access to this device group.
9. Select Submit and then Done when finished.
10. A message states that the device group configuration has changed. Select Apply changes
to check matches and recalculate groupings.
11. You now have two device groups: the “Regular” group you just
created and “Ungrouped devices (default)”, both with the same
remediation level.

Proceed to Exercise 2
