Onboard devices and configure Microsoft Defender for Endpoint capabilities

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Deploying Microsoft Defender for Endpoint is a two-step process.

  • Onboard devices to the service
  • Configure capabilities of the service

The onboarding and configuration process

Role-based access control

We recommend using Privileged Identity Management to manage your roles to provide additional auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

  • Basic permissions management: Sets permissions to either full access or read-only. Users with global administrator or security administrator roles in Azure Active Directory (Azure AD) have full access. The security reader role has read-only access and doesn't grant access to view machines/device inventory.

  • Role-based access control (RBAC): Sets granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information, see Manage portal access using role-based access control.

    Note

    Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

We recommend using RBAC so that only users who have a business justification can access Defender for Endpoint, and so that each of them sees only the device groups their role requires.

Onboard devices to the service

You'll need to go to the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided through the appropriate steps and offered the management and deployment tool options suitable for that device.

To onboard devices to the service:

  • Verify that the device fulfills the minimum requirements
  • Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
  • Use the appropriate management tool and deployment method for your devices
  • Run a detection test to verify that the devices are properly onboarded and reporting to the service

This article provides information on onboarding methods applicable to Windows Client and Server versions.
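The last step of the procedure above, verifying that a device is actually onboarded and reporting, is worth scripting so it can be run on every device after deployment. The following is an added example, not code from the original article or from Microsoft: it checks the state of the Sense service and the OnboardingState value that the onboarding script or policy writes under the Windows Advanced Threat Protection\Status registry key, and can optionally run the detection test that Microsoft documents for newly onboarded Windows devices. It assumes an elevated PowerShell session on the device itself; reading OrgId from the same key is an extra diagnostic and is assumed to be present on onboarded devices.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the Windows device that was just onboarded.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param(
        # Also run the documented detection test, which should raise a test alert
        # for this device in the Defender portal within a few minutes.
        [switch]$RunDetectionTest
    )

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SenseServiceState = 'NotInstalled'
        OnboardingState   = $null
        OrgId             = $null
        Healthy           = $false
    }

    # 1. The Sense service (Windows Defender Advanced Threat Protection Service) is
    #    the EDR sensor; it must exist and be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($sense) { $result.SenseServiceState = $sense.Status.ToString() }

    # 2. The onboarding script/policy writes OnboardingState = 1 under this key.
    #    OrgId is read only as a diagnostic (assumption: present once onboarded).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($status) {
        $result.OnboardingState = $status.OnboardingState
        $result.OrgId           = $status.OrgId
    }

    $result.Healthy = ($result.SenseServiceState -eq 'Running') -and ($result.OnboardingState -eq 1)

    # 3. Optional: the detection test. The download from 127.0.0.1 is expected to
    #    fail; the activity pattern is what the service recognizes and reports.
    if ($RunDetectionTest) {
        if (-not $result.Healthy) {
            Write-Warning 'Device is not reporting as onboarded; skipping detection test.'
        } else {
            $testDir = 'C:\test-WDATP-test'
            New-Item -ItemType Directory -Path $testDir -Force | Out-Null
            $prev = $ErrorActionPreference
            $ErrorActionPreference = 'SilentlyContinue'
            (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', "$testDir\invoice.exe")
            Start-Process "$testDir\invoice.exe"
            $ErrorActionPreference = $prev
        }
    }

    [pscustomobject]$result
}

# Usage on one device. For a fleet, wrap the call in Invoke-Command against a list
# of hosts and filter on Healthy -eq $false to find devices that need attention.
Test-MdeOnboarding -RunDetectionTest | Format-List
```

Note that Healthy only means the sensor is installed, running and configured with a tenant; it does not prove the device has reached the cloud service. The detection test closes that gap: if no test alert appears for the device in the portal, check network connectivity to the Defender for Endpoint service URLs before troubleshooting the sensor itself.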

Onboarding and configuration tool options

The following table lists the available tools based on the endpoint that you need to onboard.

  • Windows Client: Mobile Device Management / Microsoft Intune; Group Policy; Local script (up to 10 devices); VDI scripts
  • Windows Server: Microsoft Endpoint Configuration Manager; Group Policy; VDI scripts; see also Onboard Windows servers to the Microsoft Defender for Endpoint service
  • macOS: Local scripts; Microsoft Endpoint Manager; JAMF Pro; Mobile Device Management
  • Linux Server: Local script; Puppet; Ansible
  • iOS: Microsoft Endpoint Manager
  • Android: Microsoft Endpoint Manager

Note

For devices that aren't managed by Microsoft Endpoint Manager (either Microsoft Intune or Microsoft Endpoint Configuration Manager), you can use Security Management for Microsoft Defender for Endpoint so that the devices receive security configurations for Microsoft Defender directly from Endpoint Manager.

Configure capabilities of the service

Onboarding devices effectively enables the endpoint detection and response capability of Microsoft Defender for Endpoint.

After onboarding the devices, you'll then need to configure the other capabilities of the service. The following table lists the capabilities you can configure to get the best protection for your environment.

Configure Microsoft Defender Vulnerability Management (MDVM)
  Defender Vulnerability Management is a component of Microsoft Defender for Endpoint that gives security administrators and security operations teams:
  • Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
  • Device vulnerability context during incident investigations.
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.

Configure next-generation protection (NGP)
  Microsoft Defender Antivirus is the built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. It includes:
  • Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Together with machine learning and the Intelligent Security Graph, cloud-delivered protection is one of the next-gen technologies that power Microsoft Defender Antivirus.
  • Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
  • Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research.

Configure attack surface reduction (ASR)
  Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats.

Configure automated investigation and remediation (AIR)
  Microsoft Defender for Endpoint uses automated investigations to reduce the volume of alerts that must be investigated individually. The feature applies inspection algorithms and the processes analysts use (such as playbooks) to examine alerts and take immediate remediation action, letting security operations experts focus on more sophisticated threats and other high-value work.

Configure Microsoft Defender Experts capabilities
  Microsoft Defender Experts is a managed hunting service that provides Security Operations Centers (SOCs) with expert-level monitoring and analysis to help ensure that critical threats in their environments are not missed.
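Two of the capabilities listed above, next-generation protection and attack surface reduction, can be applied and verified locally with the Microsoft Defender Antivirus cmdlets. The following is an added example, not code from the original article or from Microsoft. It assumes an elevated session on a Windows device where Microsoft Defender Antivirus is the active antimalware engine (if a third-party product is primary, Defender Antivirus runs in passive mode and these preferences have no effect), and it assumes the two ASR rule GUIDs, taken from Microsoft's ASR rules reference, are checked against the current reference before deployment. In production the same settings would be pushed by Intune, Group Policy or Configuration Manager; the local cmdlets are most useful for confirming what actually took effect on a device.

```powershell
# Added example, not from the original article. Requires an elevated session on a
# Windows device with Microsoft Defender Antivirus active (not in passive mode).

# ASR rule GUIDs from Microsoft's attack surface reduction rules reference.
# Verify against the current reference before deploying.
$AsrRules = @{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS'                        = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

function Set-NextGenProtectionBaseline {
    # Cloud-delivered protection (MAPS) at the Advanced level, safe-sample submission,
    # a stricter cloud block level, and real-time plus behavior monitoring enabled.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples `
                     -CloudBlockLevel High `
                     -DisableRealtimeMonitoring $false `
                     -DisableBehaviorMonitoring $false
}

function Set-AsrRulesBaseline {
    param(
        # Start in AuditMode, review the events, then move to Enabled (block).
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')]
        [string]$Mode = 'AuditMode'
    )
    foreach ($entry in $AsrRules.GetEnumerator()) {
        # Add-MpPreference merges with rules that are already configured.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-ProtectionState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Ids and Actions are parallel arrays; action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
    $rules = @()
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $rules += '{0} = {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
    }

    [pscustomobject]@{
        AntivirusMode      = $status.AMRunningMode          # 'Normal' vs 'Passive Mode'
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        MapsReporting      = $pref.MAPSReporting            # 0 Disabled, 1 Basic, 2 Advanced
        CloudBlockLevel    = $pref.CloudBlockLevel
        AsrRules           = $rules
    }
}

# Usage: check the mode first, apply the baseline, then confirm the result.
$before = Get-ProtectionState
if ($before.AntivirusMode -ne 'Normal') {
    Write-Warning "Defender Antivirus is in '$($before.AntivirusMode)'; preferences set here will not take effect."
}
Set-NextGenProtectionBaseline
Set-AsrRulesBaseline -Mode AuditMode
Get-ProtectionState | Format-List
```

Reading the state back with Get-ProtectionState matters because a device can report a policy as delivered while the engine is in passive mode or a tamper-protected setting was not changed. Keep ASR rules in AuditMode until the audit events in the portal show that the rules would not block legitimate line-of-business activity.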

For more information, see Supported Microsoft Defender for Endpoint capabilities by platform.