In this post, I will show you how to onboard Windows devices to Defender for Endpoint using Intune. You can either manually create an EDR policy or deploy a preconfigured EDR policy in Intune to onboard your Windows devices to the Microsoft Defender portal.
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
When you onboard a Windows device to Defender for Endpoint via Intune, new detections, vulnerabilities, and other security data are sent to the Microsoft Defender portal. You can then prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

Prerequisites
To onboard your Windows devices and manage them from the Defender for Endpoint console, the following requirements must be met. These prerequisites are as documented by Microsoft.
Licensing Requirements
- Defender for Endpoint Plan 1 and Plan 2.
- Microsoft Defender for Business (for small and medium-sized businesses)
- To onboard servers to Defender for Endpoint, one of the following server licenses is required.
- Microsoft Defender for Servers Plan 1 or Plan 2
- Microsoft Defender for Endpoint Server
- Microsoft Defender for Business servers
Supported Windows Versions
- Windows 11 Enterprise, Education, Pro, Pro Education, IoT Enterprise
- Windows 10 and 11 on ARM
- Windows 10 Enterprise, Education, Pro, Pro Education, IoT Enterprise, LTSC 2016 (or later).
- Windows Server
- Azure Virtual Desktop (AVD)
- Windows 365 Cloud PCs running one of the previously listed operating systems/versions.
Other Supported Operating Systems
- Mac (client devices)
- Linux
- Windows Subsystem for Linux
- Android
- iOS
Enable Microsoft Defender Antivirus ELAM driver
If you’re running Microsoft Defender Antivirus as the primary anti-malware product on your devices, the Defender for Endpoint agent successfully onboards without any problems.
If you’re using a non-Microsoft anti-malware solution alongside Mobile Device Management tools or Microsoft Configuration Manager (current branch), ensure that the Microsoft Defender Antivirus ELAM driver is activated.
Ways to onboard devices in Defender for Endpoint
Any of the supported management tools listed below can be used to onboard devices to Defender for Endpoint Portal.
- Windows Local script (up to 10 devices)
- Using Group Policy
- Microsoft Intune
- Microsoft Endpoint Configuration Manager
- Using VDI scripts
- Integration with Azure Defender
Step 1: Connect Microsoft Defender for Endpoint to Intune
Before you start to onboard the devices in Microsoft Defender for Endpoint, you need to first configure Defender for Endpoint integration for Intune. Note that this is a one-time action per tenant.
Sign in to the Microsoft Intune admin center. Go to Endpoint security > Microsoft Defender for Endpoint. Select the link Open the Microsoft Defender Security Center.

In the Microsoft Defender for Endpoint console, select Settings > Endpoints > Advanced features. Scroll down to locate the entry for Microsoft Intune connection and set the toggle to On. Click Save Preferences to complete the connection between Intune and Defender for Endpoint.

Step 2: Create an EDR Policy to onboard Windows Devices
Let’s create an Endpoint detection and response policy (EDR Policy) to onboard Windows devices to Microsoft Defender for Endpoint in Intune. Manually creating the EDR Policy is usually preferred for more granular deployments, which requires you to complete a few additional steps. If you wish to deploy a preconfigured EDR policy for onboarding devices to MDE, jump to Step 3.
Sign in to the Microsoft Intune Admin center. Go to Endpoint security and select Endpoint detection and response. Click Create Policy.

On Create a profile window, select Platform as Windows 10 and later and profile as Endpoint detection and response. Click Create.

In the Basics section, specify the profile name as “Onboard Windows Devices to Defender for Endpoint”. You may add a brief description as well. Click Next.

In the Configuration Settings section, select Endpoint Detection and Response. There are three settings available for Windows devices.
- Microsoft Defender for Endpoint client configuration package type: Choose the client package type. Select Auto from connector.
- Sample sharing for all files: Choose the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. Select Not Configured.
- Telemetry Reporting Frequency: Choose Windows Defender Advanced Threat Protection telemetry reporting frequency. Select Expedite.
Click Next.

On the Scope tags section, click Next.

Add your groups under the Assignments section. I would recommend starting with Entra ID groups that contain pilot devices and checking that they onboard correctly. Once that works, you can add more groups later by editing the policy. Click Next.

Finally, review the profile settings on Review + Create section and click Create.

You should also see the newly created EDR policy under Endpoint Security > Endpoint detection and response.

Step 3: Deploy Preconfigured policy for Onboarding Windows devices
In this step, I will deploy a preconfigured EDR policy for onboarding Windows devices to MDE. Deploying a preconfigured policy is significantly easier and faster for onboarding devices compared to creating your own EDR policy.
Open the Microsoft Intune admin center, go to Endpoint security > Endpoint detection and response, and select the EDR Onboarding Status tab. On this tab, select Deploy preconfigured policy.

For Platform, select Windows for devices managed directly by Intune, or Windows (ConfigMgr) for devices managed through the Tenant Attach scenario. For Profile, select Endpoint detection and response. Click Create.

Specify a Name for the policy. Click Next.

On the Review and Create page, you can review the policy configuration. When ready, select Save to save this policy, which immediately begins to deploy to the All Devices group.

Step 4: Sync Intune Policies
After you assign the EDR policy to the device groups, the devices receive the policy settings the next time they check in with the Intune service. If you don’t see the settings applied yet, you can force a sync of Intune policies on the devices.
Step 5: Monitor EDR Policy assignments
If you’ve manually created an EDR policy and assigned it to your Windows devices, the policy assignments can be monitored from the Intune admin center. To do that, go to Endpoint security > Endpoint detection and response. Select the Windows onboarding EDR policy to see the count of devices that received the policy. To find the names of the devices that successfully received the policy, click View report.

Step 6: Verify the onboarding status of the device
In this step, I will show you how to check if the Windows devices are successfully onboarded to Defender for Endpoint. You can verify the Windows device onboarding status from the Intune admin center or from Microsoft Defender Portal.
Method 1: In the Intune admin center, go to Endpoint security > Endpoint detection and response, and select the EDR Onboarding Status tab. At the bottom, look for the device names along with the onboarding status column. The onboarding status column shows whether the device has been successfully onboarded.

Method 2: Sign in to Microsoft Defender admin console and go to Assets > Devices. Here you should find the same set of Windows devices that were onboarded through Intune.
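As an added local check that is not part of the original post, the PowerShell below (run elevated on the device itself) forces the Intune sync described in Step 4 and then reads the same onboarding state the portals report, together with the Sense agent service and the Defender Antivirus ELAM driver from the prerequisites. It assumes the enrollment client's sync task is named PushLaunch and the ELAM driver service is WdBoot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): local verification of an Intune-driven
# Defender for Endpoint onboarding. Assumed names: 'PushLaunch' sync task, 'WdBoot' ELAM driver.

function Invoke-IntuneSync {
    # Trigger the MDM enrollment client's sync task instead of waiting for the next check-in.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
                              -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
    if (-not $task) { throw 'No MDM enrollment sync task found; is this device enrolled in Intune?' }
    $task | Start-ScheduledTask
}

function Test-MdeOnboarding {
    # OnboardingState is written once the Sense agent has processed the onboarding package.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # Sense = the Defender for Endpoint agent service; it must be running for telemetry to flow.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # ELAM drivers unload after boot, so check the start mode (Boot), not the running state.
    # Get-Service does not list kernel drivers; use the Win32_SystemDriver class instead.
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue

    # AMRunningMode shows whether Defender AV is primary (Normal) or Passive Mode / EDR Block Mode
    # because a non-Microsoft anti-malware product is installed.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OnboardingState = $state                                   # 1 = onboarded, 0 = not onboarded, $null = key missing
        SenseService    = if ($sense) { $sense.Status }    else { 'Missing' }
        SenseStartType  = if ($sense) { $sense.StartType } else { $null }
        ElamStartMode   = if ($elam)  { $elam.StartMode }  else { 'Missing' }
        AMRunningMode   = if ($mp)    { $mp.AMRunningMode } else { 'Unknown' }
        Onboarded       = ($state -eq 1) -and ($sense -and $sense.Status -eq 'Running')
    }
}

Invoke-IntuneSync
Start-Sleep -Seconds 60   # give the enrollment client time to pull the EDR policy and start Sense
Test-MdeOnboarding | Format-List
```

A device that shows Onboarded = True here should appear under Assets > Devices in the Defender portal within a few minutes; if OnboardingState stays 0 after the sync, check the policy assignment report from Step 5 before troubleshooting the device.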

After onboarding the endpoints, the next step is to configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. These topics will be covered in the upcoming guides. I hope this device onboarding guide helped you. Thanks for reading👍