Sample resources for Intune, Defender for Endpoint, and more.

Set the variables file:

cp config/template.tfvars .auto.tfvars

Check for the latest Windows images available.

Create the resources:

terraform init
terraform apply -auto-approve

A user IntuneAdmin@yourdomain will be created with the following permissions:

• Intune Administrator
• Security Administrator

This will allow access to the following applications:

• https://intune.microsoft.com
• https://security.microsoft.com

An appropriate license needs to be assigned to the user in order to activate Intune.

Connect MDE with Intune. (Microsoft Intune Plan)

💡 An addon or equivalent license needs to be purchased for this integration.

Microsoft Defender Antivirus works together with Microsoft Defender for Endpoint

Intune EDR policy (onboard)

This video shows how to configure Device Guard with Microsoft Intune.

💡 Device guard - Prevents malicious code from running by ensuring only allowed and known good code can run, such as malware or ransomware. (Only Windows Enterprise client)

Among other available services is controlled folder access.

A license is also required. EDR enables Azure Advanced Threat Protection

Make sure to also allow MDM user scope to enroll (Mobility MDM and WIP) - Microsoft Intune

💡 This helpful video shows how to enable Defender for Endpoint.

For Local Administrator Password Solution (LAPS), make sure you've enabled it in the device settings blade:

In Intune, create an account protection policy:

1. Select Endpoint security > Account protection > Create policy
2. Select Windows 10 and Windows LAPS
3. Create the policy for all devices

If MDE is enabled, it can take a while after joining Intune until everything is synced.

Access will be granted after the compliance check:

This section shows web protection.

An example with Microsoft Edge:

Select the appropriate configuration for the profile:

To test SmartScreen, use a sample URL, such as this demo malware page.

Security can be further enhanced with Alerts, and monitoring can use Reports.

With MDE, it is also possible to turn on web content filtering:

Protection includes: adult content, high bandwidth, legal liability, leisure, and uncategorized.

A policy can be created using a blade in the same view above, like this:

Credential guard, VBS, and UEFI, memory integrity, etc.

To find updated Windows 11 images:

az vm image list-skus -l eastus2 -f Windows-11 -p MicrosoftWindowsDesktop --query [].name

Suffix are: