Microsoft Defender for Endpoint is Microsoft's endpoint security platform. Because it is directly integrated with the rest of the Microsoft ecosystem, it can help prevent, detect and remediate threats across managed endpoints.
If you are getting started with Microsoft Defender for Endpoint and Intune, in this tutorial I am going to show you how to ready your environment and onboard your devices to Defender for Endpoint using Microsoft Intune.
Prerequisites
Licensing
To take advantage of Microsoft Defender for Endpoint, your end users require one of the following licenses (or any license bundle that includes one of them):
- Microsoft Defender for Endpoint P1
- Microsoft Defender for Endpoint P2
Permissions
The following built-in Entra roles are required to configure the settings outlined in this tutorial:
- Security Administrator (for the settings in the Microsoft Defender portal)
- Intune Administrator (for the settings in the Microsoft Intune admin center)
Enable the connection between Microsoft Defender for Endpoint and Microsoft Intune
The first step is to enable the connection between Microsoft Defender for Endpoint and Microsoft Intune. This allows device information to be shared between the two platforms and is required for the rest of this configuration. Follow the steps below to enable the Microsoft Intune connection from the Microsoft Defender portal:
1. Log in to defender.microsoft.com.
2. Click Settings > Endpoints > Advanced features.
3. Set the Microsoft Intune connection toggle to On.
4. Click Save preferences.
Connect Windows devices to Microsoft Defender for Endpoint
The second step is to ensure that Windows devices are connected to the Microsoft Defender for Endpoint service from the Microsoft Intune admin center. Follow the steps below to configure this connection:
1. Log in to intune.microsoft.com.
2. Select Endpoint security > Microsoft Defender for Endpoint.
3. Toggle Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint to On.
4. Click Save.
Onboard Windows devices to Microsoft Defender for Endpoint
Lastly, you need to deploy the onboarding configuration to the devices that are managed through Microsoft Intune. My preferred method for onboarding is a device configuration profile; a similar policy can also be created from Endpoint security > Endpoint detection and response. Follow the steps below to onboard your devices:
1. Select Devices > Configuration.
2. Select Create > New Policy.
3. Select the following profile options and click Create:
- Platform: Windows 10 and later
- Profile Type: Templates
- Template name: Microsoft Defender for Endpoint (desktop devices running Windows 10 or later)
4. Define a name for your configuration profile and click Next.
5. On the configuration settings page, set Expedite telemetry reporting frequency to Enable (the sensor then reports to the Defender for Endpoint service more frequently).
6. On the Assignments page, I recommend you select All users; if you are staging the rollout, target specific groups first instead.
7. On the Applicability rules page, you can choose whether to apply the configuration based on the Operating System version. For a basic configuration, this can be skipped.
8. On the final page, click Create.
Monitor the device onboarding
Once the above three steps are complete, devices will be onboarded to Defender for Endpoint. No reboot is needed: provided the device is turned on and enrolled in Intune, it will be onboarded automatically once the profile applies.
You can verify the onboarding status of your devices in the Microsoft Defender portal:
- Log in to defender.microsoft.com.
- Under Assets, select Devices.
- View the Onboarding status column of your device.
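Checking the portal tells you what the service has seen; it is also worth confirming onboarding on the endpoint itself, since a device can be enrolled in Intune yet never reach the Defender for Endpoint service (a proxy or firewall blocking the sensor is the usual cause). The following PowerShell is an added example, not code from the original post or from Microsoft: it reads the standard Defender for Endpoint status values on a Windows device. It assumes the sensor service is named `Sense`, that onboarding writes `OnboardingState`, `OrgId` and `SenseId` under `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`, and that recent sensor events are in the `Microsoft-Windows-SENSE/Operational` log. The `-ExpectedOrgId` parameter is a hypothetical, optional input you supply from your own tenant.

```powershell
# Added example (not from the original post): verify locally that a Windows
# device has onboarded to Microsoft Defender for Endpoint.
# Run in an elevated PowerShell session on the endpoint after the Intune
# profile has applied. Assumed locations: the 'Sense' service, the Status
# registry key and the SENSE operational event log named below.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param(
        # Hypothetical optional check: the OrgId of your tenant, so a device
        # onboarded to the wrong tenant is reported as a failure.
        [string]$ExpectedOrgId
    )

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        SenseService    = 'Missing'
        OnboardingState = $null
        OrgId           = $null
        SenseId         = $null
        Onboarded       = $false
        Notes           = @()
    }

    # 1. The sensor runs as the 'Sense' service; it must exist and be running.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $result.Notes += 'Sense service not present: the onboarding policy has not applied yet or the OS is unsupported.'
    } else {
        $result.SenseService = $svc.Status.ToString()
        if ($svc.Status -ne 'Running') {
            $result.Notes += 'Sense service exists but is not running.'
        }
    }

    # 2. Successful onboarding writes OnboardingState = 1 plus OrgId and SenseId.
    if (Test-Path -Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $props.OnboardingState
        $result.OrgId           = $props.OrgId
        $result.SenseId         = $props.SenseId
        if ($props.OnboardingState -ne 1) {
            $result.Notes += "OnboardingState is '$($props.OnboardingState)', expected 1."
        }
        if ($ExpectedOrgId -and $props.OrgId -ne $ExpectedOrgId) {
            $result.Notes += "OrgId '$($props.OrgId)' does not match the expected tenant '$ExpectedOrgId'."
        }
    } else {
        $result.Notes += "Status key not found: $statusKey"
    }

    # 3. The most recent sensor events explain a stuck state (for example
    #    connectivity failures to the service). Only the first line of each
    #    message is kept to keep the output readable.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $result.Notes += ('[{0}] Event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
    }

    # Overall verdict: service running, state 1 and (if requested) the right tenant.
    $result.Onboarded = ($result.SenseService -eq 'Running' -and
                         $result.OnboardingState -eq 1 -and
                         (-not $ExpectedOrgId -or $result.OrgId -eq $ExpectedOrgId))

    [pscustomobject]$result
}

# Usage: run without arguments for a plain status check, or pass your tenant's
# OrgId to also confirm the device landed in the right tenant.
Test-MdeOnboarding | Format-List
```

If `Onboarded` is `False` but the Sense service exists, the Notes from the SENSE event log are the first thing to read; if the service is missing entirely, the Intune profile has not reached the device yet, so check the profile's assignment and the device's last check-in in the Intune admin center before looking at Defender.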
What is the difference between configuring this setting here and configuring it in the Endpoint detection and response section of Endpoint security in Intune?
Both seem to serve the same function, and if both are set they conflict.
The Endpoint security section utilises the connector that is configured in the security portal.
I assume if they both do the same it's just a tidier approach to have it in Endpoint security?
Hi Vince, it is generally recommended to create an EDR policy to onboard devices. I believe any new settings will appear there, and I have a sneaking suspicion the configuration profile may be deprecated at some point.