This article is contributed. See the original author and article here.



Welcome to another customer offering article to inform you about how to configure, setup, and deploy endpoint protection policies which include protective measures from Microsoft. In this article, we will present Premier Services Offerings WorkshopPLUS – Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint.


Offering Overview 


With customers needing a deployment solution to push out Microsoft security policies and configurations, this offering will address this and more. This Premier offering builds on the fundamental security components and features of any Microsoft Endpoint Configuration Manager environment such as RBAC or role-based administration, Endpoint Protection​, Exploit Guard, Application Guard, Microsoft Defender for Endpoint, BitLocker Drive Encryption, and Compliance Settings. With this new customer offering, we were able to provide a 3-day hands on training in a live demo tenant to meet and exceed customer expectations. 


What the workshop entailsWhat the workshop entails


What’s Included 


The content of this offering is a mix of education, administration, compliance, and security best practices at the L200-L300 level. This offering focuses on the breadth of Microsoft Endpoint Configuration Manager, Microsoft Defender for Endpoint, M365 Security (on-prem and in the cloud), and also Intune. The Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint workshop is a three day engagement where you will learn about configuring a tenant using  labs hosted in the cloud (Microsoft Labs on Demand) with a full M365 E5 license (EMS E5 + M365 E5 + Office 365 E5). Each module contains scenarios that provide students with in-depth expertise, tools, and hands-on experience to help implement and troubleshoot security related concepts as they pertain to Microsoft Endpoint Configuration  Manager. 


Endpoint Protection policiesEndpoint Protection policies


Areas Covered 


The sections  below sections are covered in detail throughout the three-day offering and expand on each objective to maximize your understanding of each topic and focus area through knowledge transfer modules. 


Introduction to Endpoint Security​ – Overall introduction to security settings and recommendations that can be managed using Microsoft Endpoint Configuration Manager and Intune.


Role Based Access Control – Overview of Role Based Administration Control concept in Microsoft Endpoint Configuration Manager, including the reporting feature.


Endpoint Protection Technologies Overview – Objectives focus on a deeper dive into the technologies that make up Endpoint Protection.


Antimalware Policies – Objectives focus on learning the basic concepts and terminology for Endpoint Protection Antimalware Policies for Microsoft Defender Antivirus.


CAMP and Security Intelligence Updates  Objectives focus on managing Endpoint Protection Definition updates through Configuration Manager. 


Endpoint Protection Alerts and Reporting – Objectives focus on how to configure and use alerts and report notifications within Configuration Manager. 


Endpoint Protection Troubleshooting – Objectives focus on learning troubleshooting techniques for securing endpoints.   

Exploit Guard and Application Guard – Objectives focus on learning about Attack Surface Reduction, Controlled Folder Access, and Exploit and Network Protection. You will also learn how to mitigate security threats using containers by deploying Application Guard.  


Microsoft Defender for Endpoint – Objectives focus on learning how to onboard endpoints to Microsoft Defender for Endpoint using Microsoft Endpoint Configuration Manager and explore basic operational possibilities within Microsoft Defender for Endpoint portal.  


Device Encryption – Learn what is BitLocker and explore modern management possibilities to control device encryption with Microsoft Endpoint Configuration Manager and Intune.  


Compliance settings – Dive deeper into the compliance settings topic, including management possibilities using Microsoft Endpoint Manager (Intune).  


Hands on with Labs on Demand


During this offering there are multiple hands-on labs exercises using Microsoft’s Labs on Demand. Each student will be an administrator of their own demo tenant where they will create and deploy security policies using Microsoft Endpoint Configuration Manager. Once the polices are deployed to another machine, the student will be able to view and test out those policies. The areas are listed below are covered in the lab exercises: 


  • Endpoint Security

  • Implementing RBAC 

  • Endpoint Protection policies

  • CAMP and Security Intelligence updates 

  • Endpoint protection alerts and reporting 

  • Endpoint protection troubleshooting 

  • Exploit Guard and Application Guard 

  • Microsoft Defender for Endpoint

  • Device Encryption 

  • Compliance settings 


Creating the configuration file for Endpoints for MDECreating the configuration file for Endpoints for MDE



Configuring Attack Surface Reduction RulesConfiguring Attack Surface Reduction Rules



Configuring Bitlocker drive encryption in MEMConfiguring Bitlocker drive encryption in MEM




After completing this course, you will understand how to set up, configure, and manage Microsoft Endpoint Configuration Manager Role Based Access​, Endpoint Protection for Microsoft Endpoint Manager, Application Guard and Exploit Guard integration​, Microsoft Defender for Endpoint​, BitLocker Drive Encryption, and compliance settings.


Key Personnel For this Offering 


This course is targeted at IT staff who have already started designing and implementing Microsoft Endpoint Configuration Manager integration with Microsoft Security products and concepts. To ensure that students are successful at the end of this WorkshopPLUS, it is highly recommended they meet the following criteria:​


  • Existing knowledge of Microsoft Endpoint Configuration Manager ​

  • Moderate knowledge of Windows Platform and Microsoft Security products​

  • Basic knowledge of Microsoft Endpoint Manager (Intune)​




As of this writing, the above modules are in scope. However, they might change as Microsoft Endpoint Configuration Manager, Intune, Microsoft Defender for Endpoint, and M365 Security are subject to change. 


Follow up and feedback


For further information, please contact your Microsoft Account Representative, Customer Success Account Manager (CSAM), or Service Delivery Manager (SDM).


To improve this or any other workshop, we always consider feedback from you. At Microsoft, achieving a high level of satisfaction among our customers and partners around the world is a core component of our business. For that reason, please don’t hesitate to complete the surveys and provide feedback.




Special thanks and credit to the development team:


Anton Tatarkin, Senior Customer Engineer, Intune / EMS / Configuration Manager, Netherlands


John Barbare, Senior Customer Engineer – Cybersecurity, Monitoring Solutions (Sentinel, M365 Defender, MDE, MDI, MCAS), Unites States


Charles Baldridge, Customer Engineer, Configuration Manager, United States

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.