The Microsoft 365 Compliance Portal has a huge amount of nice features which can be used with cloud services. I’ve previously posted about the new Compliance Manager tool and how it can help to assess the controls in place in the tenancy while also recommending improvements. There are also tools such as DLP, Unified Labelling and Trainable Classifiers which provide some really flexible ways of protecting Data.

These features so far relate to how a user operates within the Microsoft 365 service but we also have some cool functionality available to us which we can extend to the end users device. We can leverage tools like Insider Risk Management and Endpoint DLP to extend our protection even further.

Prerequisites

To enable the device functionality, we first need to ensure we meet the prerequisites. Microsoft have published the below list for us to verify on our devices:

1. Must be running Windows 10 x64 build 1809 or later.
2. Antimalware Client Version is 4.18.2009.7 or newer. Check your current version by opening Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623. Note: None of Windows Security components need to be active, you can run Endpoint DLP independent of Windows Security status.
3. The following Windows Updates are installed. Note: These updates are not a pre-requisite to onboard a device to Endpoint DLP, but contain fixes for important issues thus must be installed before using the product.
   • For Windows 10 1809 – KB4559003, KB4577069, KB4580390
   • For Windows 10 1903 or 1909 – KB4559004, KB4577062, KB4580386
   • For Windows 10 2004 – KB4568831, KB4577063
   • For devices running Office 2016 (and not any other Office version) – KB4577063
4. All devices must be Azure Active Directory (Azure AD) joined, or Hybrid Azure AD joined.
5. Install Microsoft Chromium Edge browser on the endpoint device to enforce policy actions for the upload to cloud activity. See, Download the new Microsoft Edge based on Chromium.
6. If you are on Monthly Enterprise Channel of Microsoft 365 Apps versions 2004-2008, there is a known issue with Endpoint DLP classifying Office content and you need to update to version 2009 or later. See Update history for Microsoft 365 Apps (listed by date) for current versions. To learn more about this issue, see the Office Suite section of Release notes for Current Channel releases in 2020.

Enable Device Onboarding

When we have met the prerequisites in our environment, we can now enable Device Onboarding from the Compliance Portal. Navigate to https://compliance.microsoft.com and open up “Settings” then “Device Onboarding”.

From here, we turn on device onboarding and we’ll see that any of our devices already onboarded to Microsoft Defender for Endpoint will already be included… more on this in a bit. For now, click OK to enable Onboarding.

We might need to wait a few minutes for everything to kick in but when it is we are ready to onboard machines.

In the onboarding section, we can see the list of onboarding options available to us, you might notice that the list looks kind of familiar. For now we’ll select Local Script as we are testing on a small scale but there is a lot of flexibility in how we can deploy.

Select Local Script and download the package. Once it’s downloaded let’s open it up and see what it’s doing.

Opening up the downloaded script confirms the feeling of Déjà vu we might have been having. The onboarding process isn’t a unique Compliance Portal process, we are enrolling in Windows Defender for Endpoint which we may have already done in our tenancy. So the enrollment is the same thing. This makes sense as Windows Defender is the agent on the machine which actually enforces our controls.

Onboard a Device

Ok, now that we have our onboarding script (or whatever method we chose earlier) we just need to run it on the device. For the Script, we just copy to the machine and run as an admin.

We get the standard warning which we accept and the script will continue and onboard the machine for us.

On a larger scale I recommend using Microsoft Endpoint Manager / Intune for onboarding but for this demo the script has worked fine.

Verify The Machine Has Been Onboarded

After a minute or two we can hop back over to the Compliance portal and see our machine has been onboarded.

If we have the licensing, we will also see the device in the Windows Defender for Endpoint page.

Now that the device is onboarded, we can use some of the device based features of the Compliance center. I’ll be going through some if these in subsequent posts!