MDE Series-Part 4: Microsoft Defender for Endpoint Onboarding using Microsoft Intune for Windows 

23.02.2024 | Blog, Microsoft Security

Microsoft Defender for Endpoint Onboarding Process using Microsoft Intune for Windows 


Do you often find forums discussing Microsoft Defender for Endpoint and its features, but still have questions in mind?

🚀A one-stop solution for all your questions- We have started a Microsoft Defender for Endpoint Series, where we want to cover topics on a deeper level and discover the possibilities with all kinds of threats and endpoints!

Learn Microsoft Defender for Endpoint with #Salona aka #Intunesiastic

In the earlier blog of the Microsoft Defender for Endpoint Series, Microsoft Defender for Endpoint Series-Part 3, we established the service-to-service connection between Microsoft Intune and Microsoft Defender for Endpoint. With that connection in place, we can now onboard endpoints of the desired platform to Microsoft Defender for Endpoint and manage them with Intune.

Today, let’s learn the Microsoft Defender for Endpoint onboarding process using Intune for the Windows platform. This 4th blog is a direct continuation of the third one.

Microsoft Intune provides a seamless device onboarding experience for Microsoft Defender for Endpoints.

After Intune and Microsoft Defender for Endpoint are integrated, this is what happens at the back end: Intune receives an onboarding configuration package (the onboarding blob) from Microsoft Defender for Endpoint. Delivering that package to the endpoints is what is called Onboarding, and there are multiple methods to deploy it:

  1. Device Configuration Profiles
  2. Endpoint detection and response (EDR) policy
  3. Group policy or Microsoft Endpoint Configuration Manager

I shall be using the Endpoint Detection and Response (EDR) policy in Microsoft Intune to onboard the Windows devices. It has the following benefits:

  • Intune EDR policy is part of Endpoint security in Microsoft Intune, so there is no need to switch to another portal such as the Defender portal.
  • EDR policies configure device security without the overhead of the much larger body of settings found in device configuration profiles.
  • EDR policy can also be used with tenant-attached devices, i.e. devices managed with Configuration Manager.
  • When we configure an EDR policy after making the Intune and Microsoft Defender for Endpoint connection (Microsoft Defender for Endpoint Series-Part 3), we get a new option in the EDR policy settings. The setting is called ‘Microsoft Defender for Endpoint client configuration package type’ and offers the option ‘Auto from connector’. With this option, Intune automatically retrieves the onboarding package (blob) from the Defender for Endpoint deployment, which removes the need to download and upload an onboarding package manually.
  • Under the hood, the Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) is what lets IT administrators onboard, configure, read the health status of, and offboard endpoints for WDATP, and thereby enables the endpoint detection and response capability of Microsoft Defender for Endpoint.
  • Onboarding establishes a secure connection between the devices and the cloud-based security service, enabling real-time threat detection, proactive monitoring, and response capabilities.
⚠ Please Note: Some organizations use multiple policies or policy types to manage the same device settings (such as onboarding to Microsoft Defender for Endpoint). For example, they may use both a device configuration policy and an endpoint detection and response policy. This practice can result in policy conflicts for devices. To learn more about conflicts, see Manage conflicts.

Now coming back to the EDR policy creation. At this point, the Defender onboarding package (blob) needs to be deployed to the desired Windows devices. For this, let us create an Endpoint Detection and Response (EDR) policy under Endpoint security and assign it to the desired devices.

🔐Create the device configuration profile to onboard Windows devices

  1. Sign in to the Intune admin center.
  2. Select Endpoint security > Endpoint detection and response > Create Policy.
  3. In the Platform field, select Windows 10 and Later.
  4. In the Profile type field, select Endpoint detection and response, and then select Create.
  5. On the Basics page, enter a Name and Description (optional) for the profile, then select Next.
  6. The Configuration settings page is shown next. It includes Microsoft Defender for Endpoint options such as Microsoft Defender for Endpoint client configuration package type, Sample sharing, and Telemetry reporting frequency (the latter is now deprecated). Set the client configuration package type to ‘Auto from connector’ and choose the remaining options as shown in the snapshot:
  7. Select Next to open the Scope tags page. Scope tags are optional. Select Next to continue.
  8. On the Assignments page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles. When the profile is deployed to user groups, a user must sign in on a device before the policy applies and the device onboards to Defender for Endpoint.
  9. Select Next.
  10. On the Review + create page, check the summary and select Create. The new profile is displayed in the list when you select the policy type of the profile you created. At this point, the policy has been created and will be delivered to the assigned devices at their next Intune sync.
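Once the policy has reached a device, the onboarding blob is applied through the WDATP CSP described above and the device should report back as onboarded. The following PowerShell script is an added example (not part of the original post) that checks, locally on a Windows device, whether that actually happened: the Sense service must be running, the CSP-written registry value OnboardingState under HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status must be 1, and the Microsoft-Windows-SENSE/Operational event log should not show recent errors. The function name Get-MdeOnboardingStatus and the 24-hour window for errors are assumptions of this example; the service name, registry path and log name are the ones Defender for Endpoint uses. Run it in an elevated PowerShell session on the endpoint.

```powershell
# Added example: verify on a Windows endpoint that the Intune EDR policy onboarded it
# to Microsoft Defender for Endpoint. Requires an elevated PowerShell session.

function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param()

    # Registry key written by the WDATP CSP / onboarding script once the blob is applied
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    $result = [ordered]@{
        SenseServiceState = 'Missing'   # 'Missing' until the service is found
        OnboardingState   = $null       # 1 = onboarded, 0 / absent = not onboarded
        OrgId             = $null       # tenant's Defender for Endpoint organisation ID
        RecentSenseErrors = @()
        Onboarded         = $false
    }

    # 1. The Sense service (Windows Defender Advanced Threat Protection Service) must be running.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($sense) { $result.SenseServiceState = $sense.Status.ToString() }

    # 2. A successfully applied onboarding blob sets OnboardingState = 1 and records the OrgId.
    if (Test-Path -Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $props.OnboardingState
        $result.OrgId           = $props.OrgId
    }

    # 3. Errors in the SENSE operational log (last 24 h, assumed window) usually explain a stuck
    #    onboarding: proxy/firewall blocking the cloud endpoints, time skew, or a rejected blob.
    $result.RecentSenseErrors = @(
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-SENSE/Operational'
            Level     = 2                      # 2 = Error
            StartTime = (Get-Date).AddDays(-1)
        } -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} [Event {1}] {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] }
    )

    $result.Onboarded = ($result.SenseServiceState -eq 'Running') -and ($result.OnboardingState -eq 1)
    [pscustomobject]$result
}

# Usage
$status = Get-MdeOnboardingStatus
$status | Format-List

if (-not $status.Onboarded) {
    Write-Warning 'Device is not (yet) onboarded. Confirm the EDR policy assignment in Intune and trigger a sync on the device (Settings > Accounts > Access work or school > Info > Sync).'
}
```

If the registry value is missing altogether, the policy has not reached the device yet (check the policy's device status in the Intune admin center and the assignment groups); if OnboardingState is 1 but the service is not running or the log shows errors, the problem is on the endpoint or its network path rather than in Intune. For deeper connectivity checks against the Defender for Endpoint cloud URLs, Microsoft's MDE Client Analyzer tool can be run on the device.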

Hence, I hope that today I have been able to give you a step-wise approach to onboard Windows devices to Microsoft Defender for Endpoint with Microsoft Intune. Moreover, would you want to go to the previous topics and revise? Well, here you goooo!

Also, I strongly believe that – ‘The fastest way to learn and retain a skill is, to teach it!‘ . Lastly, we recommend to stay tuned with us to progress on Microsoft Defender for Endpoint Chronicles. This is just the beginning.🌟

Author: Salona Sahni Kapoor aka Intunesiastic
cubic solutions GmbH
