Onboard devices and configure Microsoft Defender for Endpoint capabilities

Article
02/22/2023

Applies to:

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

Deploying Microsoft Defender for Endpoint is a two-step process.

Onboard devices to the service
Configure capabilities of the service

Role-based access control

We recommend using Privileged Identity Management to manage your roles to provide additional auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

Basic permissions management: Sets permissions to either full access or read-only. Users with global administrator or security administrator roles in Azure Active Directory (Azure AD) have full access. The security reader role has read-only access and doesn't grant access to view machines/device inventory.
Role-based access control (RBAC): Sets granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information. see Manage portal access using role-based access control.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

We recommend leveraging RBAC to ensure that only users that have a business justification can access Defender for Endpoint.

Onboard devices to the service

You'll need to go the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.

To onboard devices to the service:

Verify that the device fulfills the minimum requirements
Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
Use the appropriate management tool and deployment method for your devices
Run a detection test to verify that the devices are properly onboarded and reporting to the service

This article provides information on onboarding methods applicable to Windows Client and Server versions.

Onboarding and configuration tool options

The following table lists the available tools based on the endpoint that you need to onboard.

Endpoint	Tool options
Windows	Local script (up to 10 devices) Group Policy Microsoft Intune/ Mobile Device Manager Microsoft Configuration Manager VDI scripts
Windows servers Linux servers	Integration with Microsoft Defender for Cloud
macOS	Local script Microsoft Intune JAMF Pro Mobile Device Management
Linux servers	Local script Puppet Ansible Chef Saltstack
Android	Microsoft Intune
iOS	Microsoft Intune Mobile Application Manager

Note

For devices that aren't managed by Microsoft Intune or Microsoft Configuration Manager, you can use the Security Management for Microsoft Defender for Endpoint to receive security configurations for Microsoft Defender directly from Intune.

Configure capabilities of the service

Onboarding devices effectively enables the endpoint detection and response capability of Microsoft Defender for Endpoint.

After onboarding the devices, you'll then need to configure the other capabilities of the service. The following table lists the capabilities you can configure to get the best protection for your environment.

Capability	Description
Configure Microsoft Defender Vulnerability Management (MDVM)	Defender Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities. - Invaluable device vulnerability context during incident investigations. - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.
Configure Next-generation protection (NGP)	Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes: -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus. - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection"). - Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research.
Configure attack surface reduction (ASR)	Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats.
Configure Auto Investigation & Remediation (AIR) capabilities	Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
Configure Microsoft Defender Experts capabilities	Microsoft Defender Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.

For more information, see Supported Microsoft Defender for Endpoint capabilities by platform.