Create Intune Endpoint detection and response policy

Onboard your devices to Microsoft Defender for Endpoint using an EDR policy in Microsoft Intune

Posted by Prajwal Desai

In this tutorial, I will show you how to create an endpoint detection and response policy in Intune. You can manually create an EDR policy or use the preconfigured policy option to onboard your tenant devices to Microsoft Defender for Endpoint.

The EDR capabilities of Microsoft Defender for Endpoint provide near real-time, actionable detections of advanced attacks. With them, security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

When you integrate Microsoft Defender for Endpoint with Intune, you can use endpoint security policies for endpoint detection and response (EDR) to manage the EDR settings and onboard devices to Microsoft Defender for Endpoint.

You create and manage EDR policies from the endpoint detection and response node that is in the endpoint security node of the Microsoft Intune admin center. The EDR policy can be applied to Microsoft Entra ID devices or to on-premises devices that are synchronized from Configuration Manager through the tenant attach scenario.

Preconfigured EDR Policy vs Manual EDR Policy

When you create an EDR policy in Intune for onboarding devices to Microsoft Defender for Endpoint, you can choose between using a preconfigured policy or creating a policy that requires manual configuration of the settings. Both of these options are discussed below.

  • Preconfigured EDR policy: A preconfigured EDR policy is the easiest way to onboard Windows devices to Microsoft Defender for Endpoint. You can use this option for devices managed with Intune and for tenant-attached devices managed through Configuration Manager. Note that a preconfigured EDR policy applies to Windows devices only, and you can't change its default configuration for installing Microsoft Defender for Endpoint, its scope tags, or its assignments.
  • Manual EDR Policy: A manually created EDR policy supports every platform that Intune can onboard, not just Windows. Use this option when you want an onboarding policy deployed to specific groups of devices rather than to all devices. With this option, you can configure any of the available settings in the policy before it is deployed to the assigned groups.

Compared with a preconfigured policy, a manually created policy gives you more control over how Microsoft Defender for Endpoint is installed, which scope tags apply, and which groups or collections receive the policy. We'll look at both methods in this guide.

Prerequisites for EDR Policies

If you are going to create an EDR policy in Intune, you should be aware of these prerequisites:

  1. Your Microsoft Defender for Endpoint tenant must be connected to your Intune tenant (through the Defender for Endpoint connector) before you can create EDR policies.
  2. Tenant attach must be configured in order to deploy EDR policies to devices managed by Configuration Manager. You must also enable the Configuration Manager device collections to receive endpoint security policies from Intune.

Create a manually configured EDR policy

Perform the following steps for manually configuring an EDR policy to onboard devices to Microsoft Defender for Endpoint:

Sign in to the Microsoft Intune admin center. Select Endpoint Security > Endpoint Detection and Response > Create Policy.

Create a manually configured EDR policy

Select the platform and profile for your policy. The following information identifies your options:

  • Intune: Intune deploys the policy to devices in your assigned groups. When you create the policy, select:
    • Platform: Windows 10, Windows 11, and Windows Server
    • Profile: Endpoint detection and response
  • Configuration Manager: Configuration Manager deploys the policy to devices in your Configuration Manager collections. When you create the policy, select:
    • Platform: Windows 10, Windows 11, and Windows Server (ConfigMgr)
    • Profile: Endpoint detection and response (ConfigMgr)

Select Create.

Create a manually configured EDR policy

On the Basics page, enter a name and description for the profile, then choose Next.

Enter a name and description for the profile

On the Configuration Settings page, choose the following:

  • Microsoft Defender for Endpoint Client configuration package type: select Auto from Connector. Intune then obtains the onboarding package from the Defender for Endpoint connector, so you never have to download or paste an onboarding blob yourself.
  • Onboarding blob from Connector: populated automatically from the connector; there is nothing to configure here.
  • Sample sharing: choose All (the default) unless your data-handling requirements forbid submitting file samples from devices to Microsoft for analysis; None keeps the sensor reporting but blocks sample collection requested from the Defender portal.
  • Telemetry Reporting Frequency: this setting is deprecated and will be removed soon; leave it at the default.

That’s it, click Next.

Microsoft Defender for Endpoint Policy Settings

If you use Scope tags, on the Scope tags page, choose Select scope tags to open the Select tags pane to assign scope tags to the profile. Click Next.

Scope Tags for EDR Policy

On the Assignments page, select the groups or collections that receive this policy. The choice depends on the platform and profile you selected:

  • If you have selected Intune, select Microsoft Entra groups.
  • If you have selected Configuration Manager, select the Configuration Manager collections that have been synced to the Microsoft Intune admin center and are enabled for Microsoft Defender for Endpoint policy.

Click Next.

Assign the EDR Policy

On the Review + create page, when you’re done, choose Save.

Endpoint detection and response policy for endpoint security in Intune

Deploy Preconfigured EDR policy in Intune

Let’s follow the below steps to deploy a preconfigured endpoint detection and response policy in Intune.

In the Microsoft Intune admin center, go to Endpoint security > Endpoint detection and response > open the EDR Onboarding Status tab > select Deploy preconfigured policy.

On the Create a profile page, specify one of the following combinations:

For devices managed by Intune:

  • Platform: Windows 10, Windows 11, and Windows Server
  • Profile: Endpoint detection and response

For devices managed through the tenant attach scenario via Configuration Manager:

  • Platform: Windows 10, Windows 11, and Windows Server (ConfigMgr)
  • Profile: Endpoint detection and response (ConfigMgr)

Click Create.

Deploy Preconfigured EDR policy in Intune

On the Basics page, specify a name for this policy. Optionally, you can also add a description. Click Next.

Deploy Preconfigured EDR policy in Intune

On the Review + create page, notice that the assignment is set automatically and cannot be changed for a preconfigured policy:

  • For devices managed by Intune, the policy is applied to the All Devices group.
  • For tenant-attached devices managed by Configuration Manager, the policy is applied to the All Desktop and Server Clients collection.

Because the preconfigured policy targets every device, use the manual policy instead if you need to pilot onboarding on a subset of devices first.

Select Save to create and deploy the preconfigured policy.

Create a Preconfigured Endpoint detection and response policy in Intune

Monitoring the Endpoint detection and response policy in Intune

When you deploy an EDR policy (manual or preconfigured), the Endpoint detection and response node in the Microsoft Intune admin center displays the devices that were onboarded and those that failed to onboard.

To view details for individual devices, go to Endpoint security > Endpoint detection and response > EDR Onboarding Status tab, and select a device from the list to view additional device-specific details.
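The admin center shows whether Intune delivered the policy, but a practitioner usually also wants to confirm, on the device itself, that the onboarding actually took effect. The following PowerShell script is an added example for this article (not code from the original post or from Microsoft); it reads the documented Defender for Endpoint state locations on a Windows device: the Sense service, the OnboardingState value under the Windows Advanced Threat Protection\Status registry key, the AllowSampleCollection policy value that the policy's Sample sharing setting maps to, and the Microsoft-Windows-SENSE/Operational event log. The function name, the output fields and the "healthy" verdict are this script's own assumptions. Run it in an elevated PowerShell session on the endpoint.

```powershell
# Added example (not from the original article): device-side verification of the
# state an Intune EDR policy is expected to produce on a Windows endpoint.
# Run elevated on the device; no extra modules are required.
# Registry paths, the service name and the event log name are Microsoft's documented
# locations; the function name, field names and Healthy verdict are this script's own.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param(
        # How many recent SENSE events to include when the device does not look healthy
        [int] $EventCount = 10
    )

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

    $result = [ordered]@{
        SenseServiceState = 'Missing'
        OnboardingState   = $null
        OrgId             = $null
        SampleSharing     = 'Not set by policy'
        Healthy           = $false
        Findings          = @()
    }

    # 1. The Sense service (MsSense.exe) is the EDR sensor; it must exist and be running.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($null -eq $sense) {
        $result.Findings += 'Sense service not present: the Defender for Endpoint client is missing from this OS build.'
    } else {
        $result.SenseServiceState = $sense.Status.ToString()
        if ($sense.Status -ne 'Running') {
            $result.Findings += "Sense service is $($sense.Status), expected Running."
        }
    }

    # 2. OnboardingState = 1 means the onboarding blob delivered by the policy was accepted.
    #    OrgId identifies the Defender tenant the device reports to (useful when multiple tenants exist).
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($null -eq $status) {
        $result.Findings += 'No Status key: the device has never processed an onboarding package.'
    } else {
        $result.OnboardingState = $status.OnboardingState
        $result.OrgId           = $status.OrgId
        if ($status.OnboardingState -ne 1) {
            $result.Findings += "OnboardingState is $($status.OnboardingState), expected 1."
        }
    }

    # 3. The policy's Sample sharing setting lands as AllowSampleCollection (1 = All, 0 = None).
    $policy = Get-ItemProperty -Path $policyKey -Name 'AllowSampleCollection' -ErrorAction SilentlyContinue
    if ($null -ne $policy) {
        $result.SampleSharing = if ($policy.AllowSampleCollection -eq 1) { 'All' } else { 'None' }
    } else {
        $result.Findings += 'AllowSampleCollection not set: the EDR policy may not have applied yet.'
    }

    # 4. When something is wrong, surface recent SENSE operational events. In that log,
    #    event 5 = the sensor could not reach the cloud service, event 6 = no onboarding
    #    parameters were found, event 7 = onboarding parameters could not be read; these are
    #    the usual causes when an Intune-pushed onboarding blob does not take effect.
    $result.Healthy = ($result.Findings.Count -eq 0)
    if (-not $result.Healthy) {
        $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents $EventCount -ErrorAction SilentlyContinue
        $result.RecentSenseEvents = $events | Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    }

    [pscustomobject]$result
}

# Usage: print a compact verdict to compare with the EDR Onboarding Status tab in Intune.
$r = Test-MdeOnboarding
$r | Format-List
if (-not $r.Healthy) { Write-Warning 'Device is NOT fully onboarded to Defender for Endpoint; see Findings above.' }
```

A device that the admin center reports as onboarded but that returns OnboardingState other than 1 or a stopped Sense service is worth investigating before trusting its alerts: the policy was delivered, but the sensor is not reporting.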

Monitoring the Endpoint detection and response policy in Intune

Generate EDR Onboarding Status Report

After applying the EDR policy in Intune, you can use the EDR onboarding status report to find out the number of Windows devices onboarded to Defender for Endpoint.

Use these steps to run the onboarding status report in Intune:

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Endpoint Security > Endpoint Detection and Response.
  3. Under the section "Windows devices onboarded to Defender for Endpoint", click Refresh.

This report might take some time to generate and expires after 72 hours. Once the report generation is complete, you should see the total number of devices that are onboarded as well as the devices that failed to onboard.

Generate EDR Onboarding Status Report
Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.