Onboard Windows Endpoints in Microsoft Defender via MEM

Prajwal Desai
Posted by Prajwal Desai
Onboard Windows Endpoints in Microsoft Defender

After you configure Microsoft Defender for Endpoint in Intune, the next step is to onboard Windows Endpoints in Microsoft Defender. You can onboard the windows endpoints in defender via MEM.

Onboarding the devices in Microsoft Defender means you are adding your devices to Microsoft Defender in the MEM. Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them.

Before you start to onboard Windows Endpoints in Microsoft Defender, you need to first enable Microsoft Defender for Endpoint in Intune. Ensure you have completed the steps covered in the post.

According to Microsoft, Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution. Its capabilities include risk-based vulnerability management and assessment, attack surface reduction, behavior-based next-generation protection, endpoint detection and response (EDR), automatic investigation and remediation, managed hunting services, rich APIs, and unified security management.

We will create a policy under Endpoint detection and response to onboard Windows 10 endpoints into defender. The Windows 10 endpoints can be VM’s or laptops.

Microsoft Defender for Endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

Different Methods to Onboard Windows devices in Defender

There are various methods and deployment tools that you can use to configure the devices in your organization.

  • Windows Local script (up to 10 devices)
  • Using Group Policy
  • Microsoft Endpoint Manager/ Mobile Device Manager
  • Microsoft Endpoint Configuration Manager
  • Using VDI scripts
  • Integration with Azure Defender

Onboard Windows Endpoints in Microsoft Defender via MEM

Let’s now look at the steps to onboard Windows Endpoints in Microsoft Defender using Microsoft Endpoint Manager. We will create a new policy to onboard the Windows Endpoints.

Sign in to the Microsoft Endpoint Admin center. Go to Endpoint security and select Endpoint detection and response. Click Create Policy.

Onboard Windows Endpoints in Microsoft Defender via MEM
Onboard Windows Endpoints in Microsoft Defender via MEM

On Create a profile window, select Platform as Windows 10 and later and profile as Endpoint detection and response.

Click Create.

Onboard Windows Endpoints in Microsoft Defender via MEM
Onboard Windows Endpoints in Microsoft Defender via MEM

On the Basics section, specify the profile name. As you want to onboard windows endpoints to Microsoft Defender, specify name as “Onboard Windows Endpoints“. You may add a description as well. Click Next.

Onboard Windows Endpoints in Microsoft Defender via MEM
Onboard Windows Endpoints in Microsoft Defender via MEM

On the Configuration Settings section, select Endpoint Detection and Response. There are two settings that you see here.

  • Sample sharing for all files – Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration parameter.
  • Expedite telemetry reporting frequency – Expedite Microsoft Defender for Endpoint telemetry reporting frequency.

For now, let’s enable only the setting Expedite telemetry reporting frequency. Click Next.

Onboard Windows Endpoints in Microsoft Defender via MEM
Onboard Windows Endpoints in Microsoft Defender via MEM

On the Scope tags section, click Next.

Onboard Windows Endpoints in Microsoft Defender via MEM
Onboard Windows Endpoints in Microsoft Defender via MEM

Add your groups under the Assignments section. I would recommend adding groups containing pilot devices and see if they enroll correctly. Once you see it working, you can add more groups later by editing the policy. Click Next.

Onboard Windows Endpoints in Microsoft Defender via MEM
Onboard Windows Endpoints in Microsoft Defender via MEM

Finally review the profile settings on Review + Create section and click Create.

Onboard Windows Endpoints in Microsoft Defender via MEM
Onboard Windows Endpoints in Microsoft Defender via MEM

We have successfully created a profile to onboard Windows Endpoints in Microsoft Defender in Microsoft Endpoint Manager. Keep an eye on the notifications to confirm if the Onboard Windows Endpoints profile creation is successful.

You should also see the newly created profile under Endpoint Security > Endpoint detection and response.

Onboard Windows Endpoints in Microsoft Defender via MEM
Onboard Windows Endpoints in Microsoft Defender via MEM

Confirm the Windows Endpoint into Defender onboarding

This is the final step where we check and confirm if the Windows Endpoints are successfully onboarded in Microsoft Defender. Select the profile that you created. On the Overview section, you should now see the status of your Windows 10 endpoints changing from without to devices with Microsoft Defender for Endpoint enabled.

Verify the Windows Endpoint into Defender onboarding
Verify the Windows Endpoint into Defender onboarding

When you select the onboarded device and check the device status, you should see the following settings applied.

  • Expedite telemetry reporting frequency – Success
  • Microsoft Defender for Endpoint onboarding blob – Success
Share This Article
Prajwal Desai
Posted by Prajwal Desai
Follow:
Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.