Migrating Defender from Commercial to GCC - mattnovitsch/M365 GitHub Wiki

This page covers migrating Microsoft Defender for Endpoint clients from a Commercial tenant to a GCC tenant. It assumes you have already worked with your CSAM and the Microsoft Transition team and have already onboarded one device to the new GCC tenant first. This is required because backend tenant information needs to be configured. Quick link to this page: https://aka.ms/DefenderCommercialtoGCCDoc

  1. Have CSAM open transition ticket to make.
  2. Once the transition has completed the copying of configurations and the single device is in the GCC Defender XDR portal, migrate the Intune/ConfigManager/GPO. Using Intune to migrate agents into the GCC tenant:
  • Navigate to the Intune Admin Center (https://intune.microsoft.com/)
  • Select Endpoint Security on the left-hand side
  • Select Endpoint Detection and Response
  • Select Create New Policy
  • For Platform, select Windows 10, Windows 11, and Windows Server; for Profile, select Endpoint Detection and Response
  • Select the Create button
  • Give your policy a name
  • Select one of the following options: Auto from connector or Onboard. If you select Auto from connector, you have to make sure the connector between Intune and Defender for Endpoint is established. For Onboard, you will need to download the script from the Defender XDR portal. This example uses Onboard.
  • Navigate to Defender XDR in another browser tab (https://security.microsoft.com/)
  • Click on Settings
  • Scroll down and select Onboarding
  • Change Deployment Method to Mobile Device Management / Microsoft Intune
  • Select Download onboarding package
  • Open the file once it has finished downloading
  • Open WindowsDefenderATP.onboarding with Notepad or another text editor
  • Copy the entire contents of the file (Ctrl+A, then Ctrl+C)
  • Navigate back to the Intune Admin Center tab
  • Paste the script into the Onboarding section
  • Set Sample Sharing to All (Default)
  • Set Telemetry Reporting Frequency to Normal
  • Add any scope tags and select Next
  • Put in a test group that you want to onboard first. A small percentage (5-10) would be good.
  • Select Next
  • Review the settings, then click Save

  3. If you are using Defender for Cloud and Arc (Migrate to tenant from Public to GCC (Gov) - Overview):
  4. If you are using Sentinel, you will need to set up a GCC workspace for Sentinel; then you will be able to send data from Defender XDR in GCC to Sentinel.
  5. Once the customer has confirmed that all endpoints have been moved out of Commercial, put in a ticket for the Defender Commercial tenant to be deleted.

Note: A reboot is required for these changes to take effect. Once the system is rebooted, it should appear in the GCC tenant within 1-2 hours. If you run into problems, please reach out to your CSAM or FTA/FM for assistance. If you don't have a CSAM or FTA/FM you can put in a request for assistance at Fast Track. Fast Track can walk you through the process.
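
To confirm on a pilot device that the new onboarding policy took effect after the reboot, the following added example (not part of the original wiki) reads the sensor's local onboarding status and compares the reported Org ID with the one expected for the GCC tenant. The function name `Get-MdeTenantStatus` and the `<GCC-TENANT-ORG-ID>` value are illustrative placeholders; supply your own tenant's Org ID.

```powershell
# Added example, not from the wiki. Run on the migrated device after the reboot.
# '<GCC-TENANT-ORG-ID>' is a placeholder: supply the Org ID of your own GCC tenant.
param(
    [string]$ExpectedOrgId = '<GCC-TENANT-ORG-ID>'
)

# Registry key where the Defender for Endpoint sensor records its onboarding status.
$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-MdeTenantStatus {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$ExpectedOrgId
    )
    # 'Sense' is the Defender for Endpoint sensor service.
    $sense  = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    # Missing key or values yield $null rather than an error.
    $orgId   = if ($status) { $status.OrgId } else { $null }
    $onboard = if ($status) { $status.OnboardingState } else { $null }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SenseService     = if ($sense) { [string]$sense.Status } else { 'NotFound' }
        OnboardingState  = $onboard   # 1 means the device is onboarded
        OrgId            = $orgId     # tenant the sensor currently reports to
        InExpectedTenant = ($onboard -eq 1) -and ($orgId -eq $ExpectedOrgId)
    }
}

$result = Get-MdeTenantStatus -Key $StatusKey -ExpectedOrgId $ExpectedOrgId
$result | Format-List

if (-not $result.InExpectedTenant) {
    # A device still showing the Commercial Org ID has not picked up the new policy yet.
    Write-Warning 'Device is not reporting the expected tenant. Reboot if pending, then re-check.'
    exit 1
}
exit 0
```

The non-zero exit code on a mismatch lets the same script be run across the pilot group to list devices that are still reporting to the Commercial tenant.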