Create Intune Endpoint detection and response policy
In this tutorial, I will show you how to create an endpoint detection and response policy in Intune. You can manually create an EDR policy or use the preconfigured policy option to onboard your tenant devices to Microsoft Defender for Endpoint.
The EDR capabilities of Microsoft Defender for Endpoint provide sophisticated attack detections that are real-time and actionable. With them, security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
When you integrate Microsoft Defender for Endpoint with Intune, you can use endpoint security policies for endpoint detection and response (EDR) to manage the EDR settings and onboard devices to Microsoft Defender for Endpoint.
You create and manage EDR policies from the endpoint detection and response node that is in the endpoint security node of the Microsoft Intune admin center. The EDR policy can be applied to Microsoft Entra ID devices or to on-premises devices that are synchronized from Configuration Manager through the tenant attach scenario.
Preconfigured EDR Policy vs Manual EDR Policy
When you create an EDR policy in Intune for onboarding devices to Microsoft Defender for Endpoint, you can choose between using a preconfigured policy or creating a policy that requires manual configuration of the settings. Both of these options are discussed below.
- Preconfigured EDR policy: A preconfigured EDR policy is the easiest way to onboard Windows devices to Microsoft Defender for Endpoint. You can use this option for devices managed with Intune and for tenant-attached devices managed through Configuration Manager. Note that a preconfigured EDR policy is configured for and applied to Windows devices. Also, you can’t change the default policy configuration for installing Microsoft Defender for Endpoint, scope tags, or assignments.
- Manual EDR policy: A manual EDR policy supports all platforms, including Windows. You can use this option to create an onboarding policy that is deployed only to specific groups of devices. When using this option, you can configure any of the available settings in the policy before it is deployed to the assigned groups.
Compared to a preconfigured policy, creating the policy manually gives you more control over how Microsoft Defender for Endpoint is installed, which scope tags are used, and which groups the policy is assigned to. We’ll look at both methods in this guide.
Prerequisites for EDR Policies
If you are going to create an EDR policy in Intune, you should be aware of these prerequisites:
- Your Microsoft Defender for Endpoint tenant must be integrated with your Intune tenant before you can create EDR policies.
- Tenant attach must be configured in order to deploy EDR policies to devices managed by Configuration Manager. You must also configure the Configuration Manager device collections to support endpoint security policies from Intune.
Create a manually configured EDR policy
Perform the following steps to manually configure an EDR policy that onboards devices to Microsoft Defender for Endpoint:
Sign in to the Microsoft Intune admin center. Select Endpoint Security > Endpoint Detection and Response > Create Policy.
Select the platform and profile for your policy. The following information identifies your options:
- Intune: Intune deploys the policy to devices in your assigned groups. When you create the policy, select:
  - Platform: Windows 10, Windows 11, and Windows Server
  - Profile: Endpoint detection and response
- Configuration Manager: Configuration Manager deploys the policy to devices in your Configuration Manager collections. When you create the policy, select:
  - Platform: Windows 10, Windows 11, and Windows Server (ConfigMgr)
  - Profile: Endpoint detection and response (ConfigMgr)
Select Create.
On the Basics page, enter a name and description for the profile, then choose Next.
On the Configuration Settings page, choose the following:
- Microsoft Defender for Endpoint Client configuration package type: select Auto from Connector.
- Onboarding blob from Connector: This option is preconfigured, so you don’t have to configure it.
- Sample sharing: Choose All (Default).
- Telemetry Reporting Frequency: This option is deprecated and will be removed soon.
That’s it; click Next.
If you use scope tags, on the Scope tags page choose Select scope tags to open the Select tags pane and assign scope tags to the profile. Click Next.
On the Assignments page, select the groups or collections that receive this policy. The choice depends on the platform and profile you selected:
- If you have selected Intune, select Microsoft Entra groups.
- If you have selected Configuration Manager, select the Configuration Manager collections that have been synced to the Microsoft Intune admin center and enabled for Microsoft Defender for Endpoint policy.
Click Next.
On the Review + create page, review the settings and, when you’re done, choose Save.
Deploy Preconfigured EDR policy in Intune
Follow the steps below to deploy a preconfigured endpoint detection and response policy in Intune.
In the Microsoft Intune admin center, go to Endpoint security > Endpoint detection and response > open the EDR Onboarding Status tab > select Deploy preconfigured policy.
On the Create a profile page, specify one of the following combinations:
For devices managed by Intune:
- Platform: Windows 10, Windows 11, and Windows Server
- Profile: Endpoint detection and response
For devices managed through the tenant attach scenario via Configuration Manager:
- Platform: Windows 10, Windows 11, and Windows Server (ConfigMgr)
- Profile: Endpoint detection and response (ConfigMgr)
Click Create.
On the Basics page, specify a name for this policy. Optionally, you can also add a description. Click Next.
On the Review and Create page, notice that the profile is assigned to All Devices by default.
For devices managed by Intune, the policy is applied to the All Devices group.
For devices managed by ConfigMgr, the policy is applied to the All Desktop and Server Clients collection for tenant-attached devices.
Select Save to create and deploy the preconfigured policy.
Monitoring the Endpoint detection and response policy in Intune
When you deploy an EDR policy (manual or preconfigured), the Endpoint detection and response node of the Microsoft Intune admin center displays the devices that were onboarded and those that failed to onboard.
To view details for an individual device, go to Endpoint security > Endpoint detection and response > EDR Onboarding Status tab, and select a device from the list to view additional device-specific details.
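The admin center shows whether Intune considers a device onboarded; on the device itself you can confirm that the onboarding package actually took effect. The following script is an added example and is not part of the original article. It assumes, from Microsoft's Defender for Endpoint onboarding documentation rather than from this page, that the sensor runs as the `Sense` service and that a successful onboarding writes `OnboardingState = 1` under `HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`.

```powershell
# Added example (not from the original article): verify on a Windows device
# that the Intune EDR policy onboarded it to Defender for Endpoint.
# Assumption: service name 'Sense' and the OnboardingState registry value are
# taken from Defender for Endpoint documentation, not from this page.
# Run in an elevated PowerShell session on the device being checked.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SenseServiceState = 'NotInstalled'
        OnboardingState   = $null
        Onboarded         = $false
    }

    # The Defender for Endpoint sensor runs as the 'Sense' service; if it is
    # missing or stopped, the onboarding package has not taken effect yet.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($sense) { $result.SenseServiceState = $sense.Status.ToString() }

    # OnboardingState = 1 indicates the device completed onboarding; the key
    # is absent on a device that has never received an onboarding package.
    $state = Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue
    if ($state) { $result.OnboardingState = [int]$state.OnboardingState }

    $result.Onboarded = ($result.OnboardingState -eq 1 -and $result.SenseServiceState -eq 'Running')
    [pscustomobject]$result
}

# Check the local device and flag it for follow-up in the EDR Onboarding
# Status tab of the Intune admin center if it is not reporting as onboarded.
$check = Test-MdeOnboarding
$check | Format-List
if (-not $check.Onboarded) {
    Write-Warning "Device $($check.ComputerName) is not onboarded; review the EDR policy assignment and onboarding status in Intune."
}
```

To check several devices from an admin workstation, run the function remotely, for example `Invoke-Command -ComputerName <device> -ScriptBlock ${function:Test-MdeOnboarding}`, and compare the results with the onboarding status shown in the admin center.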
Generate EDR Onboarding Status Report
After applying the EDR policy in Intune, you can use the EDR onboarding status report to find out the number of Windows devices onboarded to Defender for Endpoint.
Use these steps to run the onboarding status report in Intune:
- Sign in to Microsoft Intune admin center.
- Go to Endpoint Security > Endpoint Detection and Response.
- Under the section “Windows devices onboarded to Defender for Endpoint”, click Refresh.
This report might take some time to generate and will expire after 72 hours. Once the report generation is complete, you should see the total number of devices that are onboarded as well as the devices that failed to onboard.