After you configure Microsoft Defender for Endpoint in Intune, the next step is to onboard Windows endpoints in Microsoft Defender. You can onboard the Windows endpoints in Defender via Microsoft Endpoint Manager (MEM).
Onboarding devices means adding them to Microsoft Defender through MEM. Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them.
Before you start to onboard Windows endpoints in Microsoft Defender, you first need to enable Microsoft Defender for Endpoint in Intune. Ensure you have completed the steps covered in that post.
According to Microsoft, Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution. Its capabilities include risk-based vulnerability management and assessment, attack surface reduction, behavior-based next-generation protection, endpoint detection and response (EDR), automatic investigation and remediation, managed hunting services, rich APIs, and unified security management.
We will create a policy under Endpoint detection and response to onboard Windows 10 endpoints into Defender. The Windows 10 endpoints can be VMs or laptops.
Microsoft Defender for Endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
Different Methods to Onboard Windows devices in Defender
There are various methods and deployment tools that you can use to configure the devices in your organization.
- Windows Local script (up to 10 devices)
- Using Group Policy
- Microsoft Endpoint Manager / Mobile Device Manager
- Microsoft Endpoint Configuration Manager
- Using VDI scripts
- Integration with Azure Defender
Onboard Windows Endpoints in Microsoft Defender via MEM
Let’s now look at the steps to onboard Windows Endpoints in Microsoft Defender using Microsoft Endpoint Manager. We will create a new policy to onboard the Windows Endpoints.
Sign in to the Microsoft Endpoint Admin center. Go to Endpoint security and select Endpoint detection and response. Click Create Policy.
In the Create a profile window, select Windows 10 and later as the Platform and Endpoint detection and response as the Profile.
In the Basics section, specify the profile name. As you want to onboard Windows endpoints to Microsoft Defender, specify the name as “Onboard Windows Endpoints”. You may add a description as well. Click Next.
On the Configuration Settings section, select Endpoint Detection and Response. There are two settings that you see here.
- Sample sharing for all files – Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration parameter.
- Expedite telemetry reporting frequency – Expedite Microsoft Defender for Endpoint telemetry reporting frequency.
For now, let’s enable only the setting Expedite telemetry reporting frequency. Click Next.
On the Scope tags section, click Next.
Add your groups under the Assignments section. I would recommend adding groups containing pilot devices first and checking that they enroll correctly. Once you see it working, you can add more groups later by editing the policy. Click Next.
Finally, review the profile settings in the Review + Create section and click Create.
We have successfully created a profile to onboard Windows Endpoints in Microsoft Defender in Microsoft Endpoint Manager. Keep an eye on the notifications to confirm if the Onboard Windows Endpoints profile creation is successful.
You should also see the newly created profile under Endpoint Security > Endpoint detection and response.
Confirm the Windows Endpoint Onboarding into Defender
This is the final step, where we check and confirm that the Windows endpoints are successfully onboarded in Microsoft Defender. Select the profile that you created. In the Overview section, you should now see the status of your Windows 10 endpoints changing from devices without Microsoft Defender for Endpoint enabled to devices with Microsoft Defender for Endpoint enabled.
When you select the onboarded device and check the device status, you should see the following settings applied.
- Expedite telemetry reporting frequency – Success
- Microsoft Defender for Endpoint onboarding blob – Success
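The portal status can also be cross-checked on a pilot device itself. The script below is an added example, not part of the original post. The function name Test-MdeOnboarding is hypothetical, and the Sense and DiagTrack service names and the OnboardingState registry value are assumptions taken from Microsoft's onboarding troubleshooting guidance rather than from this page.

```powershell
# Added example: device-side onboarding check for a pilot endpoint.
# Run in an elevated PowerShell session on the Windows device.
# Assumptions (not from this post): service names and registry location
# follow Microsoft's Defender for Endpoint onboarding troubleshooting guidance.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param(
        [string]$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    )

    # Sense is the Defender for Endpoint sensor service;
    # DiagTrack is the Windows telemetry service the sensor relies on.
    $serviceStatus = @{}
    foreach ($name in 'Sense', 'DiagTrack') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $serviceStatus[$name] = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    }

    # OnboardingState is set to 1 once the onboarding blob has been applied.
    $state = $null
    if (Test-Path -Path $StatusKey) {
        $prop = Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue
        if ($prop) { $state = $prop.OnboardingState }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SenseService     = $serviceStatus['Sense']
        DiagTrackService = $serviceStatus['DiagTrack']
        OnboardingState  = $state   # $null means the key or value is missing
        Onboarded        = ($state -eq 1) -and ($serviceStatus['Sense'] -eq 'Running')
    }
}

Test-MdeOnboarding | Format-List
```

If Onboarded is False while Intune reports Success for the onboarding blob, the mismatch is worth investigating before you assign the policy to more groups.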