It is time for part 3A of the ultimate Microsoft Defender for Endpoint (MDE) series. After Part 3 (Onboard Defender for Endpoint) it is now time for some more technical deep-dive for specific onboarding methods. Part 3A is focused on onboarding using Microsoft Endpoint Manager/ Intune.

Important: Defender AV/ Next Generation Protection onboarding is critical and part of the complete protection platform. All AV/ Next Generation Protection information will be explained more in-depth including migration from other AV states. Part 3A contains the initial onboarding of Defender for Endpoint and needed connections from MEM/ Intune. In the next parts the additional settings will be explained.

NOTE: This blog series focuses on features in Microsoft Defender for Endpoint P2; all Microsoft Defender for Endpoint P1 features are also available in P2.

Specific question or content idea part of Defender for Endpoint? Use the contact submission form and share the post ideas.


Onboard using Microsoft Endpoint Manager

When using Windows 10/ 11/ Windows Cloud PC and Microsoft Endpoint Manager/ Intune is already in use, it is recommended to use that platform for onboarding and configuring Defender for Endpoint. To enable Microsoft Defender for Endpoint in Intune, the integration between Defender for Endpoint and Microsoft Endpoint Manager must first be enabled.

Microsoft Defender for Endpoint integrates seamlessly into Microsoft Endpoint Manager. You only need to activate the integration and complete the initial setup.

The following items are needed:

  • Enable Defender for Endpoint in tenant (See part 1/2 of the MDE series)
  • Enable service-to-service connection between Intune and Microsoft Defender for Endpoint

Microsoft Endpoint Manager contains both Intune and Configuration Manager. With co-management, devices joined to Configuration Manager can also be onboarded through Microsoft Endpoint Manager. Tenant Attach is possible for servers. Onboarding using Configuration Manager will be explained in another part.


Enable Microsoft Defender for Endpoint integrations

First we need to enable the service-to-service connection between Intune and Microsoft Defender for Endpoint. Before enabling Defender for Endpoint in Intune, ensure there is administrative access to both the Microsoft Defender for Endpoint portal and Intune. Important: permissions are required in both products for enabling the service integration.

To enable the connection in Defender for Endpoint, follow these steps:

  • Sign in to the security.microsoft.com portal
  • Go to Endpoints -> Advanced Features
  • Turn on the feature Microsoft Intune connection

Now we can validate the integration state between Defender for Endpoint and Microsoft Intune. To check the state and configure more settings, go to the Microsoft Endpoint Manager admin center and select Microsoft Defender for Endpoint. The view contains a couple of settings relevant for Defender for Endpoint.

Connection status and Last synchronized show the state of the connection between MDE and MEM. When connected, the connection status must show Enabled with a recent Last synchronized time.

Endpoint Security Profile Settings

Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations is needed when Defender for Endpoint itself enforces Endpoint Security configurations. This is only needed for devices that are not enrolled in and managed by Intune. The configuration of this feature was explained earlier in the following blog post: Managing Microsoft Defender for Endpoint with the new Security Management feature in MEM

The setting is only for managing the configuration after the initial Defender for Endpoint onboarding.

Compliance

For compliance integrations, multiple settings can be enabled. When using Intune, compliance policies can be used to require compliant devices, and signals from Defender for Endpoint can be used to calculate the compliant or noncompliant state (Require devices to be at or under the machine risk score).


In the Endpoint Security view the following settings are part of the compliance integration with Defender for Endpoint and can be enabled:

  • Connect Android devices version 6.0.0 and above to Microsoft Defender for Endpoint
  • Connect iOS/iPadOS devices version 13.0 and above to Microsoft Defender for Endpoint
  • Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint
  • Enable App Sync (sending application inventory) for iOS/iPadOS devices
  • Block unsupported OS versions

For Windows make sure the toggle Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint is enabled.

App protection policy evaluation

App Protection can be enabled for mobile platforms (iOS/ Android). With app protection policies it is possible to restrict access when prerequisites are not met (Max allowed device threat level). For example, when the device threat level is Low, access to corporate data can be restricted.

The feature works only for iOS/ Android.


Create onboarding profile

After configuring Microsoft Defender for Endpoint in Intune, the next step is to onboard the devices in Defender for Endpoint.

Multiple ways are currently available in MEM/ Intune to complete the onboarding of Defender for Endpoint. The advised method is to use the Endpoint Security profiles in Intune.

To create the Endpoint detection and response/ MDE onboarding profile:

  • Sign in to the Microsoft Endpoint Admin center and go to Endpoint Security
  • Select Endpoint Detection and response and click on Create Policy
  • Select Platform: Windows 10, Windows 11, and Windows Server and Profile: Endpoint detection and response

On the Basics section, specify the profile name and optional description. The configuration settings contain all features which are needed for the initial onboarding. There are three settings that are relevant for the onboarding:

  • Microsoft Defender for Endpoint client configuration package type
  • Sample sharing
  • Telemetry Reporting Frequency

Microsoft Defender for Endpoint client configuration package type is needed for assigning the configuration package. When MEM and MDE are fully synced, the package is delivered as part of the connection. The following options are available:

  • Auto from connector
  • Onboard
  • Offboard

When connected using the Auto from connector option, Intune automatically retrieves the onboarding package (blob) from the Defender for Endpoint deployment; there is no need to add the package manually.

When no connection is possible between MEM and MDE, or Intune is not in the same tenant where Defender for Endpoint is configured, the Onboard option can be used. With the Onboard option the blob value can be configured manually.

Sample sharing is part of Defender for Endpoint and controls whether samples are shared with Microsoft. It can be set to Enabled or Disabled. To take full benefit of the cloud layer it is advised to always enable Sample sharing.

Telemetry Reporting Frequency is another setting in the Defender for Endpoint profile; it can be configured at two levels (Normal/ Expedite).

By default the telemetry reporting frequency is Normal. Personally, I always recommend the Expedite telemetry frequency for Defender for Endpoint.

Complete the policy creation and assign the correct device group. I would recommend starting with a small pilot scope when deploying Defender for Endpoint for the first time; it is always recommended to confirm the sensor and network connections on a small set of devices. Sometimes organizations manually block the SENSE service or additional reporting locations used by Defender for Endpoint. For MDE it is critical to make sure all network recommendations are in place. After onboarding, run the client analyzer on a small set of devices and validate all network settings and additional configurations (see part 3).


Onboarded in Defender for Endpoint

After some time, Defender for Endpoint is deployed and the SENSE service must be running on the device. Using the built-in assignment reporting in Intune, the deployment state can be validated.

When SENSE is not running, it is advised to dive deeper into the logs, starting with the initial Microsoft Intune error codes.

For Microsoft Intune troubleshooting steps see: Troubleshoot onboarding issues using Microsoft Intune | Microsoft Docs

Local event log

The SENSE event log in Applications and Services Logs > Microsoft > Windows > SENSE contains more detailed information. When the Defender for Endpoint service cannot be reached, match the Event ID against the documented list. When SENSE is running, wait some time for the initial first sync to complete.

Make sure all prerequisites are met before running the initial onboarding. For Defender for Endpoint the diagnostic data service must be enabled for correct data reporting.

The complete list with Event ID is available here: View agent onboarding errors in the device event log | Microsoft Docs

Registry

In the registry the following path is interesting: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

The path contains the onboarding info and additional settings. OnboardingInfo contains the organization ID, geoLocation, and blob value.
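The checks above (SENSE service, diagnostic data service, registry onboarding info, SENSE event log) can be collected in one read-only script. This is an added example, not code from the original post; it also reads the single registry device tag described in the "Deploy device tag" section. Assumptions: the service names Sense and DiagTrack, the log name Microsoft-Windows-SENSE/Operational, the Status\OnboardingState value (1 = onboarded) and the OnboardingInfo JSON layout (outer object with a "body" string containing orgId and geoLocationUrl) are taken from the public MDE documentation and the onboarding package, not from this page.

```powershell
# Added example: read-only onboarding health checks for one Windows device.
# Run in an elevated PowerShell session on the onboarded client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$result    = [ordered]@{}

# 1. Services: SENSE must be running; DiagTrack (diagnostic data) is a prerequisite.
foreach ($svc in 'Sense', 'DiagTrack') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $result[$svc] = if ($s) { "$($s.Status) (StartType $($s.StartType))" } else { 'not installed' }
}

# 2. Policy key: OnboardingInfo is the JSON blob delivered by the Intune profile.
#    Assumed layout: {"body":"{...orgId, geoLocationUrl...}","sig":...}
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy.OnboardingInfo) {
    $body = (ConvertFrom-Json $policy.OnboardingInfo).body | ConvertFrom-Json
    $result['OrgId']          = $body.orgId
    $result['GeoLocationUrl'] = $body.geoLocationUrl
} else {
    $result['OnboardingInfo'] = 'missing (profile not applied yet?)'
}

# 3. Status key written by SENSE itself once onboarding succeeded (assumed: 1 = onboarded).
$status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
$result['OnboardingState'] = if ($status.OnboardingState -eq 1) { 'onboarded' }
                             else { "not onboarded (value: $($status.OnboardingState))" }

# 4. Device tag from the DeviceTagging\Group value (only one tag fits here).
$tag = Get-ItemProperty -Path "$policyKey\DeviceTagging" -ErrorAction SilentlyContinue
$result['DeviceTag'] = if ($tag.Group) { $tag.Group } else { '(none)' }

# 5. Most recent SENSE errors/warnings; match the Event ID against the documented list.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2, 3 } `
                       -MaxEvents 10 -ErrorAction SilentlyContinue
$result['RecentSenseErrors'] = if ($events) {
    ($events | ForEach-Object { "$($_.Id): $($_.Message.Split("`n")[0])" }) -join '; '
} else { 'none' }

[pscustomobject]$result | Format-List
```

A device that is healthy shows Sense as Running, OnboardingState as onboarded and no recent SENSE errors; anything else points to the Intune error codes or the Event ID list referenced in this section.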

Visible in Portal

When the onboarding is completed and SENSE is running correctly, the devices must be visible in Defender for Endpoint. To view them, go to security.microsoft.com -> Devices and search for the device name. When correctly managed by MEM, the value MEM is visible in the Managed by column.

Validate the Sensor health state and onboarding status in Defender for Endpoint to complete the actual onboarding. The health state must be Active when correctly configured.


Deploy device tag

For organizations it can be useful to deploy additional device tags in Defender for Endpoint to gain more visibility into the type of device, location, and more. Personally, for more control (Suppressions/ Exclusions/ AIR/ Indicators), my recommendation is always to use a well-structured set of tags, which gives the security team more visibility.

Device tags can be set easily via the portal or manually via the registry. The registry key can be deployed in Intune via Configuration Profiles (only one tag can be applied in the registry).

To deploy the tag using Intune:

  • Sign in to the Microsoft Endpoint Admin center and go to Devices
  • Select Configuration profiles and click on Create Policy
  • Select Platform: Windows 10 and later and Profile type: Templates/ Custom

Use the following custom OMA-URI details to add the device tag. The name and description can be whatever you want; important are the OMA-URI, Data Type, and Value.

OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group
Data Type: String
Value: Device TAG name

The result: a static device tag is visible in Defender for Endpoint. Notice: it is not possible to deploy multiple tags using the Registry/ PowerShell/ Intune method. For additional tags the manual option or the Logic App API option can be used. Blog tip: Tag domain controllers automatically in Defender for Endpoint using KQL, Logic App, and API


Conclusion

Part 3A of the Microsoft Defender for Endpoint series is completed, focused on the initial Defender for Endpoint onboarding using Intune. Stay tuned for the next parts, where more in-depth knowledge and experience will be shared around Defender for Endpoint, focusing on all the components and additional settings.

Next time: some smaller sub-parts focusing on the initial deployment for:

  • Onboarded using Defender for Cloud integration
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • Local script (PowerShell)

Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas, or contact me using LinkedIn or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.

View previous part – Microsoft Defender for Endpoint series – Onboard Defender for Endpoint – Part3


Sources

Microsoft: Defender for Endpoint documentation

Microsoft: Defender for Endpoint deployment guide

Microsoft: Configure Microsoft Defender for Endpoint in Intune