Microsoft Defender for Endpoint series – Onboard using Microsoft Intune – Part3A
It is time for part 3A of the ultimate Microsoft Defender for Endpoint (MDE) series. After Part 3 (Onboard Defender for Endpoint) it is now time for a more technical deep dive into specific onboarding methods. Part 3A is focused on onboarding using Intune.
Important: Defender AV/ Next Generation Protection onboarding is critical and part of the complete protection platform. All AV/ Next Generation Protection information will be explained more in-depth, including migration from other AV states. Part 3A contains the initial onboarding of Defender for Endpoint and the needed connections from Intune. In the next parts the additional settings will be explained.
NOTE: The blog series focuses on features in Microsoft Defender for Endpoint P2; all Microsoft Defender for Endpoint P1 features are available in P2.
Have a specific question or content idea about Defender for Endpoint? Use the contact submission form and share your post ideas.
Onboard using Intune
When using Windows 10/ 11/ Windows Cloud PC and already using Intune, it is recommended to use that platform for onboarding and configuring Defender for Endpoint. To enable Microsoft Defender for Endpoint in Intune, the integration between Defender for Endpoint and Intune must be enabled first.
Microsoft Defender for Endpoint integrates seamlessly into Intune. You only need to activate the integration and complete the initial setup.
The following items are needed:
- Enable Defender for Endpoint in tenant (See part 1/2 of the MDE series)
- Enable service-to-service connection between Intune and Microsoft Defender for Endpoint
With co-management, devices joined in Configuration Manager can be onboarded through Microsoft Endpoint Manager. Tenant Attach is possible for servers. Onboarding using Configuration Manager will be explained in another part.
Enable Microsoft Defender for Endpoint integrations
First, we need to enable the service-to-service connection between Intune and Microsoft Defender for Endpoint. Before enabling Defender for Endpoint in Intune, ensure there is administrative access to both the Microsoft Defender for Endpoint portal and Intune.
Important: permissions are required in both products to enable the service integration.
To enable the connection in Defender for Endpoint, follow these steps:
- Sign in to the security.microsoft.com portal
- Go to Endpoints -> Advanced Features
- Turn on the feature Microsoft Intune connection
Now we can validate the integration state between Defender for Endpoint and Microsoft Intune. To check the state and configure more settings, go to the Intune portal and select Microsoft Defender for Endpoint. The view contains a couple of settings relevant to Defender for Endpoint.
Connection status and Last synchronized show the status between MDE and Intune. When connected, the value must be Enabled, with a recent Last synchronized time.
Endpoint Security Profile Settings
Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations is needed when using Microsoft Defender for Endpoint (Security Management) to enforce Endpoint Security Configurations. This is only needed for devices that are not managed using Intune. The configuration of this feature was explained earlier in the following blog post: Managing Microsoft Defender for Endpoint with the new Security Management feature in MEM
The setting is only for managing the configuration after the initial Defender for Endpoint onboarding.
For compliance integrations, multiple settings can be enabled. When using Intune, compliance policies can require compliant devices, and signals from Defender for Endpoint can be used to calculate the compliant or noncompliant state (Require devices to be at or under the machine risk score).
In Endpoint Security, the following settings are part of the compliance integrations with Defender for Endpoint and can be enabled:
- Connect Android devices version 6.0.0 and above to Microsoft Defender for Endpoint
- Connect iOS/iPadOS devices version 13.0 and above to Microsoft Defender for Endpoint
- Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint
- Enable App Sync (sending application inventory) for iOS/iPadOS devices
- Block unsupported OS versions
For Windows, make sure the toggle Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint is enabled.
App protection policy evaluation
App Protection can be enabled for mobile platforms (iOS / Android). With App protection policies, it is possible to restrict access when prerequisites are not met (Max allowed device threat level). For example, when the device threat level is Low, access to corporate data can be restricted.
The feature works only for iOS/ Android.
Create onboarding profile
After configuring Microsoft Defender for Endpoint in Intune, the next step is to onboard the devices in Defender for Endpoint.
Multiple ways are currently available in Intune for completing the onboarding of Defender for Endpoint. It is advised to use the Endpoint Security profiles in Intune.
To create the Endpoint detection and response/ MDE onboarding profile:
- Go to the Intune portal and go to Endpoint Security
- Select Endpoint Detection and response and click on Create Policy
- Select Platform: Windows 10, Windows 11, and Windows Server and Profile: Endpoint detection and response
On the Basics section, specify the profile name and optional description. The configuration settings contain all features which are needed for the initial onboarding. There are three settings that are relevant for the onboarding:
- Microsoft Defender for Endpoint client configuration package type
- Sample sharing
- Telemetry Reporting Frequency (deprecated)
Microsoft Defender for Endpoint client configuration package type is needed for assigning the configuration package. When Intune and MDE are fully synced, the package is supplied through the connection. The following options are available:
- Auto from connector: Intune automatically retrieves the onboarding package (blob) from the Defender for Endpoint deployment. There is no need to upload the package manually.
- Onboard: when no connection is possible between Intune and MDE, or Intune is not configured in the same tenant as Defender for Endpoint, the Onboard option can be used. In this option the custom blob value is configured manually.
Sample sharing controls whether samples are shared with Microsoft for analysis. Sample sharing can be Enabled or Disabled. To take full benefit from the cloud layer, it is advised to always enable Sample sharing.
Telemetry Reporting Frequency is another setting in the Defender for Endpoint profile; it can be configured at two levels (Normal/ Expedite).
By default, the telemetry reporting frequency is Normal. I always recommend the Expedite telemetry frequency for Defender for Endpoint.
Update July 2023: The Telemetry Reporting Frequency setting is deprecated, no longer needed and removed from the profile list. Configure this setting as Not Configured.
Complete the policy creation and assign the correct device group. I would recommend starting with a small pilot scope when deploying Defender for Endpoint for the first time – it is always recommended to confirm the sensor and network connections on a small set of devices.
Sometimes organizations manually block the SENSE service. For MDE it is critical to make sure all network recommendations are in place. After onboarding, run the client analyzer on a small set of devices and validate all network settings and additional configurations (see part 3).
Onboarded in Defender for Endpoint
After some time, Defender for Endpoint is deployed and the SENSE service must be running on the device. Using the built-in assignment reporting in Intune, the deployment state can be validated.
When SENSE is not running, it is advised to dive deeper into the logs, starting with the Microsoft Intune error codes.
For Microsoft Intune troubleshooting steps see: Troubleshoot onboarding issues using Microsoft Intune | Microsoft Docs
Local event log
The SENSE event logs in Applications and Services Logs > Microsoft > Windows > SENSE contain more detailed information. When the Defender for Endpoint service cannot be reached, it is advised to match the event ID against the documented onboarding errors. When SENSE is running, allow some time for the initial sync.
It is important to make sure all prerequisites are met before running the initial onboarding. For Defender for Endpoint, the diagnostic data service must be enabled for correct data reporting.
The complete list with Event ID is available here: View agent onboarding errors in the device event log | Microsoft Docs
In the registry the following path is interesting: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
The path contains the onboarding info and additional settings. OnboardingInfo contains the organization ID, geoLocation, and blob value.
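As an added example (not from the original post), the PowerShell check below bundles the validation steps above on a single device: the SENSE and diagnostic data services, the OnboardingInfo value under the registry path quoted above, and recent error/warning events from the SENSE log. The service names Sense and DiagTrack and the log name Microsoft-Windows-SENSE/Operational are the standard Windows names; the JSON field names body, orgId and geoLocationUrl inside OnboardingInfo are assumptions about its layout.

```powershell
# Added example: post-onboarding health check for Defender for Endpoint on a Windows device.
# Run in an elevated PowerShell session; returns an object rather than printing, so it can be
# collected centrally (e.g. as an Intune remediation/detection script) or compared across a pilot group.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param([int]$EventHours = 24)   # how far back to look in the SENSE event log

    $result = [ordered]@{}

    # 1. Sensor and prerequisite services: SENSE must run, and the diagnostic data
    #    service (DiagTrack) must be enabled for correct data reporting.
    $sense = Get-Service -Name 'Sense'     -ErrorAction SilentlyContinue
    $diag  = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue
    $result.SenseRunning     = ($sense -and $sense.Status -eq 'Running')
    $result.DiagTrackRunning = ($diag  -and $diag.Status  -eq 'Running')

    # 2. Onboarding policy written by Intune (path from the post). OnboardingInfo holds the
    #    organization ID, geolocation and blob; the field names below are assumed.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $info = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).OnboardingInfo
    $result.OnboardingInfoPresent = [bool]$info
    if ($info) {
        try {
            # Assumed layout: JSON envelope whose 'body' is itself a JSON string.
            $body = ($info | ConvertFrom-Json).body | ConvertFrom-Json
            $result.OrgId          = $body.orgId
            $result.GeoLocationUrl = $body.geoLocationUrl
        } catch {
            $result.OnboardingInfoParseError = $_.Exception.Message
        }
    }

    # 3. Recent SENSE errors (Level 2) and warnings (Level 3), grouped by event ID so they
    #    can be matched against the documented onboarding error list.
    $since  = (Get-Date).AddHours(-$EventHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2, 3; StartTime = $since
    } -ErrorAction SilentlyContinue
    $result.RecentErrorEventIds = @($events | Group-Object Id |
        ForEach-Object { "$($_.Name) x$($_.Count)" })

    # Overall verdict: sensor up, prerequisite service up, onboarding policy present.
    $result.Healthy = $result.SenseRunning -and $result.DiagTrackRunning -and $result.OnboardingInfoPresent
    [pscustomobject]$result
}

Test-MdeOnboarding | Format-List
```

A device that reports Healthy = True but still does not appear in the portal usually needs the network validation from part 3 (client analyzer) rather than a re-onboarding.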
Visible in Portal
When the onboarding is completed, and SENSE is correctly running the devices must be visible in Defender for Endpoint. For viewing onboarded devices go to security.microsoft.com -> Assets -> Devices and search for the device name. When correctly managed by Intune the value Intune is visible in the Managed by column.
Validate in Defender for Endpoint the Sensor health state and onboarding status for completing the actual onboarding. The health state must be active when correctly configured.
Deploy device tag
For organizations, it can be useful to deploy additional device tags in Defender for Endpoint to give more visibility into the type of device, location, and more. For more control (Suppressions/ Exclusions/ AIR/ Indicators), my recommendation is always to use a well-structured set of tags, which gives the security team more visibility.
Device tags can be set easily via the portal or manually via the registry. The registry key can be deployed with Intune via Configuration Profiles. (Only one tag can be applied in the registry.)
To deploy the tag using Intune:
- Sign in to the Microsoft Intune admin center and go to Devices
- Select Configuration profiles and click on Create Policy
- Select Platform: Windows 10 and later and Profile type: Templates -> Custom
Use the following custom OMA-URI details for adding the device tag. The name and description can be whatever you want. Important is the OMA-URI, Data Type, and Value.
Custom OMA-URI setting used in the original post: Name: Device TAG name (the OMA-URI, Data Type and Value columns of the table did not survive extraction).
As a result, a static Device Tag is visible in Defender for Endpoint. Notice: it is not possible to deploy multiple tags using the Registry/ PowerShell/ Intune method. For additional tags, the manual option or the Logic App API option can be used. Blog tip: Tag domain controllers automatically in Defender for Endpoint using KQL, Logic App, and API
Part3A of the Microsoft Defender for Endpoint series is completed – focused on the initial Defender for Endpoint onboarding using Intune. Stay tuned for the next parts; where more in-depth knowledge and experience will be shared around Defender for Endpoint focusing on all the components and additional settings.
The next blogs will cover the following deployment methods:
- Onboarding using Defender for Cloud integration
- Microsoft Endpoint Configuration Manager
- Group Policy
- Local script (PowerShell)
Searching for specific Defender for Endpoint information? Use the contact submission form and share your post ideas, or get in touch via LinkedIn or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.
Microsoft: Defender for Endpoint documentation
Microsoft: Defender for Endpoint deployment guide