How to Enable Defender for Endpoint in Microsoft Intune

Microsoft Defender for Endpoint is Microsoft's endpoint security platform. Directly integrated with the rest of the Microsoft ecosystem, it helps prevent, detect and remediate threats across managed endpoints.

If you are getting started with Microsoft Defender for Endpoint and Intune, in this tutorial I am going to show you how to prepare your environment and onboard your devices to Defender for Endpoint using Microsoft Intune.

Prerequisites

Licensing

To take advantage of Microsoft Defender for Endpoint, your end users need one of the following licenses (or any license bundle that includes one of them):

  • Microsoft Defender for Endpoint P1
  • Microsoft Defender for Endpoint P2

Permissions

The following built-in Entra roles are required to configure the settings outlined in this tutorial:

  • Security Administrator
  • Intune Administrator

Enable the connection between Microsoft Defender for Endpoint and Microsoft Intune

The first step is to enable the connection between Microsoft Defender for Endpoint and Microsoft Intune. This allows device information to be shared between the two platforms and is required for the rest of this configuration. Follow the steps below to enable the Microsoft Intune connection from Microsoft Defender:

1. Log in to defender.microsoft.com.

2. Click Settings > Endpoints.

3. Enable the toggle for Microsoft Intune Connection.

Enable Microsoft Intune Connection

4. Click Save preferences.

Connect Windows devices to Microsoft Defender for Endpoint

The second step is to connect Windows devices to the Microsoft Defender for Endpoint service from the Microsoft Intune portal. Follow the steps below to configure this connection:

1. Log in to intune.microsoft.com.

2. Select Endpoint Security > Microsoft Defender for Endpoint.

3. Toggle Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint to On.

Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint

4. Click Save.

Onboard Windows devices to Microsoft Defender for Endpoint

Lastly, you need to deploy the onboarding configuration to the devices that are managed through Microsoft Intune. My preferred method for onboarding is a device configuration profile; however, a similar policy can also be configured from Endpoint Security > Endpoint Detection & Response. Follow the steps below to onboard your devices:

1. In the Intune Admin Center select Devices > Configuration profiles.

2. Select Create > New Policy.

3. Select the following profile options and click Create:

  • Platform: Windows 10 and later
  • Profile Type: Templates
  • Template name: Microsoft Defender for Endpoint (Desktop services running Windows 10 or later).

4. Define a name for your configuration profile and click Next.

5. On the configuration settings page, set Expedite telemetry reporting frequency to Enable.

6. On the Assignments page, I recommend selecting All users. If you are staging the rollout, you can target specific groups first instead.

7. On the Applicability rules page, you can choose whether to apply the configuration based on the Operating System version. For a basic configuration, this can be skipped.

8. On the final page, click Create.

Monitor the device onboarding

Once the above three steps are complete, devices will be onboarded to Defender for Endpoint. No reboot is needed: provided the device is turned on and enrolled in Intune, it will be onboarded automatically.

You can verify the onboarding status of your devices in the Microsoft Defender portal:

  1. Log in to defender.microsoft.com.
  2. Under Assets, select Devices.
  3. View the Onboarding status column of your device.
Defender for Endpoint onboarding status
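Alongside the portal check above, it is useful to confirm the onboarding state on the device itself. The following PowerShell function is an added example, not part of the original post; it assumes the well-known Sense service, the `HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status` registry key (where `OnboardingState` is 1 once onboarding has completed) and the `Microsoft-Windows-SENSE/Operational` event log, and it can be pointed at remote machines via PowerShell remoting.

```powershell
# Added example (not from the original post): report the local Defender for Endpoint
# onboarding state for one or more Windows devices that Intune should have onboarded.
# Assumed locations: the Sense service, the Windows Advanced Threat Protection\Status
# registry key, and the Microsoft-Windows-SENSE/Operational event log.
function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param(
        # Defaults to the local machine; remote names use Invoke-Command (WinRM)
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $check = {
        $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
        $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
        $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue

        # Most recent SENSE operational event; helpful when onboarding appears stalled
        $lastEvent = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
            -MaxEvents 1 -ErrorAction SilentlyContinue

        $senseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')
        $stateIsOne   = ($null -ne $status -and $status.OnboardingState -eq 1)

        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            SenseService    = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
            OnboardingState = if ($status) { $status.OnboardingState } else { $null }
            OrgId           = if ($status) { $status.OrgId } else { $null }
            SenseId         = if ($status) { $status.SenseId } else { $null }
            # Onboarded only when the service is running AND the state flag is set
            Onboarded       = ($senseRunning -and $stateIsOne)
            LastSenseEvent  = if ($lastEvent) { $lastEvent.Message.Split("`n")[0] } else { $null }
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) { & $check }
        else { Invoke-Command -ComputerName $name -ScriptBlock $check }
    }
}

# Usage: run as Administrator on the device, or pass -ComputerName for remote hosts
Get-MdeOnboardingStatus | Format-List
```

A device that shows Onboarded = False with the Sense service missing has not yet received the configuration profile, whereas a running service with OnboardingState still unset usually means the onboarding package has not been applied yet.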

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 2 Comments

  1. Vince

    What is the difference between configuring this setting here and configuring it in the Endpoint detection and response section of Endpoint Security in Intune?
    Both seem to serve the same function and if both are set they conflict.
    The Endpoint Security section utilises the connector that is configured in the security portal.
    I assume if they both do the same it’s just a tidier approach to have it in Endpoint Security?

    1. Daniel Bradley

      Hi Vince, it is generally recommended to create an EDR policy to onboard devices. I believe any new settings will appear there and I have a sneaking suspicion the configuration profile may be deprecated at some point.
