Deployed Defender for Endpoint across a distributed enterprise estate via Intune and GPO. Enabled EDR block mode, ASR rules, and Conditional Access device-risk integration — with zero standing admin via PIM.
Ericsson's Microsoft 365 environment had grown organically across multiple acquisitions. Endpoint protection was fragmented: a mix of legacy antivirus products, inconsistent patch compliance, and no unified visibility into device health or threat signals. Conditional Access policies existed but did not incorporate device risk — any enrolled device, regardless of health, could access corporate resources.
The security team needed a consolidated, enterprise-grade endpoint detection and response capability — one that could scale across a large, distributed estate without replacing existing infrastructure in a single disruptive cutover.
The engagement was scoped around Microsoft's XDR stack, anchored on Defender for Endpoint (MDE) as the primary EDR and telemetry source, with Intune as the management and onboarding plane.
The architecture addressed three parallel workstreams:
Endpoint onboarding — MDE deployed via Intune MDM policy for cloud-managed devices and Group Policy for legacy domain-joined endpoints that were not yet in Intune scope. Both methods pushed the same onboarding configuration blob, ensuring uniform sensor deployment regardless of management path.
Defender policy configuration — EDR in block mode, Attack Surface Reduction rules, and Network Protection deployed through Intune Endpoint Security profiles. ASR rules were staged through audit mode first, reviewed against 30 days of detection logs, then moved to block mode by rule to avoid false-positive disruption.
Identity integration — Conditional Access policies updated to incorporate Defender for Endpoint device risk signals. Devices assessed as "high risk" by MDE trigger a block at authentication time. Medium-risk devices are challenged with step-up MFA and required to self-remediate before access is restored.
The engagement ran across four sprints.
Sprint 1 — Baseline and onboarding
MDE sensor deployment began with a pilot group of 50 IT-managed devices. Onboarding scripts were validated, sensor telemetry confirmed in the Defender portal, and initial alert volumes reviewed. Common false-positive alert categories were documented for tuning in later sprints.
Intune compliance policies were defined with MDE integration enabled: devices without an active MDE sensor were flagged non-compliant, which fed into the Conditional Access evaluation chain.
Sprint 2 — ASR and Network Protection
Attack Surface Reduction rules were deployed in audit mode across the full estate. A 30-day monitoring period produced a list of legitimate business processes triggering ASR detections — these were excluded by policy before enforcement was enabled. Network Protection was deployed in audit mode simultaneously and moved to block mode after the same monitoring window.
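The audit-then-block staging above turns on one decision per rule: which processes seen in the 30-day audit window are legitimate business activity (excluded by policy) and whether what remains is small enough to promote the rule to block mode. The script below is an added illustration written for this page, not the engagement's own tooling. It works over constructed audit events shaped like the Defender Operational log's ASR audit records (Event ID 1122: rule ID, device, offending process); the two rule GUIDs are Microsoft's published identifiers for those ASR rules, and the review date, device threshold and residual limit are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Microsoft-published ASR rule GUIDs, as they appear in the event log.
OFFICE_CHILD = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"  # Block Office apps creating child processes
LSASS_STEAL = "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2"   # Block credential stealing from LSASS
RULES_UNDER_REVIEW = (OFFICE_CHILD, LSASS_STEAL)

ASR_AUDIT_EVENT = 1122  # Defender Operational log: rule would have fired (audit mode)

# Constructed review point and constructed audit events; not real telemetry.
NOW = datetime(2024, 6, 30, 12, 0)


def _ev(days_ago, rule_id, device, process, event_id=ASR_AUDIT_EVENT):
    return {"time": NOW - timedelta(days=days_ago), "event_id": event_id,
            "rule_id": rule_id, "device": device, "process": process}


SAMPLE_EVENTS = [
    # Office rule: one line-of-business launcher seen fleet-wide, one odd one-off.
    _ev(1, OFFICE_CHILD, "WS-001", r"C:\Program Files\LOBApp\lob.exe"),
    _ev(2, OFFICE_CHILD, "WS-002", r"C:\Program Files\LOBApp\lob.exe"),
    _ev(5, OFFICE_CHILD, "WS-003", r"C:\Program Files\LOBApp\LOB.EXE"),
    _ev(9, OFFICE_CHILD, "WS-004", r"C:\Program Files\LOBApp\lob.exe"),
    _ev(3, OFFICE_CHILD, "WS-017", r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe"),
    _ev(45, OFFICE_CHILD, "WS-020", r"C:\Legacy\oldmacro.exe"),  # outside the 30-day window
    # LSASS rule: a monitoring agent fleet-wide plus a scattering of one-off processes.
    _ev(1, LSASS_STEAL, "WS-001", r"C:\Program Files\Monitoring\agent.exe"),
    _ev(2, LSASS_STEAL, "WS-002", r"C:\Program Files\Monitoring\agent.exe"),
    _ev(4, LSASS_STEAL, "WS-003", r"C:\Program Files\Monitoring\agent.exe"),
] + [
    _ev(d, LSASS_STEAL, f"WS-1{d:02d}", rf"C:\Users\u{d}\Downloads\tool{d}.exe")
    for d in range(1, 7)
]


@dataclass
class RuleVerdict:
    rule_id: str
    detections: int   # audit events inside the window
    devices: int      # distinct devices that produced them
    exclusions: list  # processes seen on >= device_threshold devices (lower-cased paths)
    residual: int     # detections not covered by an exclusion
    action: str       # "block" or "keep-auditing"


def triage(events, rule_ids=RULES_UNDER_REVIEW, now=None, window_days=30,
           device_threshold=3, residual_limit=5):
    """Decide, per ASR rule, whether the audit window supports moving it to block mode.

    A process that fired the rule on device_threshold or more distinct devices is
    treated as a legitimate business process and proposed as a policy exclusion.
    What remains after exclusions is the residual: if it is small (<= residual_limit)
    the rule is promoted to block and the residual hits are handled as alerts;
    otherwise the rule stays in audit for another tuning round.
    """
    now = now or max(e["time"] for e in events)
    cutoff = now - timedelta(days=window_days)
    in_window = [e for e in events
                 if e["event_id"] == ASR_AUDIT_EVENT and cutoff <= e["time"] <= now]
    verdicts = {}
    for rule_id in rule_ids:
        evs = [e for e in in_window if e["rule_id"].upper() == rule_id.upper()]
        devices_by_proc = defaultdict(set)
        for e in evs:
            devices_by_proc[e["process"].lower()].add(e["device"])
        exclusions = sorted(p for p, d in devices_by_proc.items()
                            if len(d) >= device_threshold)
        residual = sum(1 for e in evs if e["process"].lower() not in exclusions)
        action = "block" if residual <= residual_limit else "keep-auditing"
        verdicts[rule_id] = RuleVerdict(
            rule_id=rule_id, detections=len(evs),
            devices=len({e["device"] for e in evs}),
            exclusions=exclusions, residual=residual, action=action)
    return verdicts


def exclusion_paths(verdicts):
    """Flat, de-duplicated path list to carry into the Intune ASR exclusion setting."""
    return sorted({p for v in verdicts.values() for p in v.exclusions})


if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS, now=NOW).values():
        print(f"{v.rule_id}: {v.detections} hits on {v.devices} devices, "
              f"{len(v.exclusions)} exclusion(s), residual {v.residual} -> {v.action}")
```

Run against real data, the event list would come from the Defender Operational log or Advanced Hunting rather than the constructed sample, and the two thresholds would be tuned to the estate: a fleet-wide process is a strong signal of a legitimate exclusion candidate, while a rule whose residual stays large after exclusions is exactly the one that would cause disruption if promoted early.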
Sprint 3 — Conditional Access integration
Device risk signals from MDE were connected to Conditional Access. Policies were updated in report-only mode first, validated against 14 days of sign-in logs, then enforced progressively — high-risk device blocking first, followed by the step-up MFA requirement for medium-risk devices.
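The evaluation chain described in the identity workstream and in Sprints 1 and 3 is: compliance first (no active MDE sensor means non-compliant), then MDE device risk (high blocks, medium requires step-up MFA), with the policy first run in report-only mode and then enforced one control at a time. The code below is an added model of that chain written for this page, not Microsoft's Conditional Access engine or the engagement's configuration. The sign-in records are constructed, and the policy, control names and staging are assumptions chosen to mirror the rollout order in the text.

```python
from collections import Counter
from dataclasses import dataclass

# MDE machine risk levels in increasing severity.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: str
    sensor_active: bool   # Intune compliance: MDE sensor reporting for this device
    device_risk: str      # MDE risk level: none/low/medium/high
    mfa_satisfied: bool   # session already carries a fresh MFA claim


@dataclass(frozen=True)
class Policy:
    name: str
    mode: str = "report-only"   # "report-only" records outcomes; "enforced" applies them
    # Controls that are switched on; enforcement was rolled out one control at a time.
    enabled_controls: frozenset = frozenset(
        {"require_compliant", "block_high_risk", "mfa_medium_risk"})


def evaluate(policy, s):
    """Return (decision, reason) for one sign-in, regardless of policy mode."""
    risk = RISK_ORDER[s.device_risk]
    if "require_compliant" in policy.enabled_controls and not s.sensor_active:
        return "block", "device non-compliant: no active MDE sensor"
    if "block_high_risk" in policy.enabled_controls and risk >= RISK_ORDER["high"]:
        return "block", f"device risk {s.device_risk}"
    if "mfa_medium_risk" in policy.enabled_controls and risk >= RISK_ORDER["medium"]:
        if s.mfa_satisfied:
            return "allow", "step-up MFA already satisfied"
        return "require-mfa", f"device risk {s.device_risk}"
    return "allow", "no conditions matched"


def run(policy, signins):
    """Replay sign-ins through the policy.

    'would' counts what the policy decided; 'applied' counts what the user
    actually experienced. In report-only mode every sign-in proceeds, so the
    'would' counts are the impact report validated before enforcement.
    """
    would, applied = Counter(), Counter()
    for s in signins:
        decision, _reason = evaluate(policy, s)
        would[decision] += 1
        applied[decision if policy.mode == "enforced" else "allow"] += 1
    return {"would": would, "applied": applied}


# Staged rollout: report-only, then block high risk only, then add medium-risk MFA.
REPORT_ONLY = Policy("MDE device risk", mode="report-only")
STAGE_1 = Policy("MDE device risk", mode="enforced",
                 enabled_controls=frozenset({"require_compliant", "block_high_risk"}))
STAGE_2 = Policy("MDE device risk", mode="enforced")

# Constructed sign-in log sample, not tenant data.
SAMPLE_SIGNINS = [
    SignIn("alice", "WS-001", sensor_active=True, device_risk="none", mfa_satisfied=False),
    SignIn("bob", "WS-002", sensor_active=True, device_risk="high", mfa_satisfied=False),
    SignIn("carol", "WS-003", sensor_active=True, device_risk="medium", mfa_satisfied=False),
    SignIn("dave", "WS-004", sensor_active=True, device_risk="medium", mfa_satisfied=True),
    SignIn("erin", "WS-005", sensor_active=False, device_risk="none", mfa_satisfied=False),
    SignIn("frank", "WS-006", sensor_active=True, device_risk="low", mfa_satisfied=False),
]

if __name__ == "__main__":
    for p in (REPORT_ONLY, STAGE_1, STAGE_2):
        r = run(p, SAMPLE_SIGNINS)
        print(f"{p.name} [{p.mode}, {sorted(p.enabled_controls)}]: "
              f"would={dict(r['would'])} applied={dict(r['applied'])}")
```

The ordering inside evaluate is the point: a device with no sensor never reaches the risk checks, because without a sensor MDE has no risk score to offer, and a medium-risk device that already satisfied MFA is allowed rather than prompted again. Reading the report-only counts against 14 days of sign-ins before flipping the mode is what keeps a misconfigured risk condition from locking out the estate.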
PIM was configured for all privileged Entra ID roles. Standing Global Admin assignments were eliminated. Every privileged access event from this point forward required justification, MFA re-authentication, and time-boxed activation.
Sprint 4 — Hunting and playbooks
KQL Advanced Hunting queries were built for the Defender XDR portal, covering:
Automated response playbooks were configured in Microsoft Sentinel (connected to MDE) for high-confidence detections: account isolation on confirmed credential compromise, device isolation on active ransomware indicators.
MDE sensor coverage reached 98% of the managed device estate within the first two sprints. EDR in block mode provided active threat prevention on all enrolled endpoints, replacing the legacy antivirus products, which were subsequently decommissioned.
Conditional Access with device risk signals closed a significant gap: previously, a compromised but enrolled device could authenticate normally. Under the new architecture, any device assessed as high risk by MDE is blocked at authentication — even before an analyst reviews the alert.
Zero standing admin eliminated the single largest privilege escalation risk in the tenant. Every privileged operation now produces an audit trail: who activated, what role, for how long, with what justification.
Weekly evidence packs — screenshots, policy exports, detection summaries — were delivered to the Ericsson security team throughout the engagement, providing a clear audit trail for compliance reporting.
The programme gave Ericsson a security operating model that was materially easier to govern at enterprise scale. Endpoint health, detection coverage, and privileged access controls were brought into the same Microsoft security control plane, which reduced the effort required to evidence control ownership during internal review and external assurance activity.
Just as importantly, the design was built for sustainment rather than a one-time rollout. By combining subsidiary-independent onboarding methods, staged ASR enforcement, and documented hunting and response patterns, the engagement left Ericsson with a repeatable model for expanding coverage, tuning policy, and demonstrating control effectiveness without depending on ad hoc engineering effort.
Book a discovery call to discuss your Microsoft environment.