Onboarding using Microsoft Intune

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender XDR

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This article acts as an example onboarding method.

In the Planning article, there were several methods provided to onboard devices to the service. This article covers the cloud-native architecture.

Diagram of environment architectures

While Defender for Endpoint supports onboarding of various endpoints and tools, this article doesn't cover them. For information on general onboarding using other supported deployment tools and methods, see Onboarding overview.

The Microsoft Intune family of products is a solution platform that unifies several services. It includes Microsoft Intune and Microsoft Configuration Manager.

This article guides users in:

• Step 1: Onboarding devices to the service by creating a group in Microsoft Intune to assign configurations on
• Step 2: Configuring Defender for Endpoint capabilities using Microsoft Intune

This onboarding guidance walks you through the following basic steps that you need to take when using Microsoft Intune:

• Identifying target devices or users
  • Creating a Microsoft Entra group (User or Device)
• Creating a Configuration Profile
  • In Microsoft Intune, we guide you in creating a separate policy for each capability.

Resources

Here are the links you need for the rest of the process:

• Intune admin center
• Microsoft Defender XDR
• Intune Security baselines

For more information about Microsoft Intune, go to Microsoft Intune securely manages identities, manages apps, and manages devices.

Step 1: Onboard devices by creating a group in Intune to assign configurations on

Identify target devices or users

In this section, we create a test group to assign your configurations on.

Note

Intune uses Microsoft Entra groups to manage devices and users. As an Intune admin, you can set up groups to suit your organizational needs.

For more information, see Add groups to organize users and devices.

Create a group

1. Open the Microsoft Intune admin center.

2. Open Groups > New Group.

   

3. Enter details and create a new group.

   

4. Add your test user or device.

5. From the Groups > All groups pane, open your new group.

6. Select Members > Add members.

7. Find your test user or device and select it.

   

8. Your testing group now has a member to test.

Step 2: Create configuration policies to configure Microsoft Defender for Endpoint capabilities

In the following section, you create several configuration policies.

First is a configuration policy to select which groups of users or devices are onboarded to Defender for Endpoint:

• Endpoint detection and response

Then, you continue by creating several different types of endpoint security policies:

• Next-generation protection
• Attack surface reduction

Endpoint detection and response

1. Open the Intune admin center.

2. Navigate to Endpoint security > Endpoint detection and response. Select on Create Policy.

   

3. Under Platform, select Windows 10, Windows 11, and Windows Server, Profile - Endpoint detection and response > Create.

4. Enter a name and description, then select Next.

   

5. Select settings as required, then select Next.

   

   Note

   In this instance, this has been auto populated as Defender for Endpoint has already been integrated with Intune. For more information on the integration, see Enable Microsoft Defender for Endpoint in Intune.

   The following image is an example of what you'll see when Microsoft Defender for Endpoint is NOT integrated with Intune:

   

6. Add scope tags if necessary, then select Next.

   

7. Add test group by clicking on Select groups to include and choose your group, then select Next.

   

8. Review and accept, then select Create.

   

9. You can view your completed policy.

   

Next-generation protection

1. Open the Intune admin center.

2. Navigate to Endpoint security > Antivirus > Create Policy.

   

3. Select Platform - Windows 10 and Later - Windows and Profile - Microsoft Defender Antivirus > Create.

4. Enter name and description, then select Next.

   

5. In the Configuration settings page: Set the configurations you require for Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time Protection, and Remediation).

   

6. Add scope tags if necessary, then select Next.

   

7. Select groups to include, assign to your test group, then select Next.

   

8. Review and create, then select Create.

   

9. You see the configuration policy you created.

   

Attack Surface Reduction - Attack surface reduction rules

1. Open the Intune admin center.

2. Navigate to Endpoint security > Attack surface reduction.

3. Select Create Policy.

4. Select Platform - Windows 10 and Later - Profile - Attack surface reduction rules > Create.

   

5. Enter a name and description, then select Next.

   

6. In the Configuration settings page: Set the configurations you require for Attack surface reduction rules, then select Next.

   Note

   We will be configuring all of the Attack surface reduction rules to Audit.

   For more information, see Attack surface reduction rules.

   

7. Add Scope Tags as required, then select Next.

   

8. Select groups to include and assign to test group, then select Next.

   

9. Review the details, then select Create.

   

10. View the policy.

    

Attack Surface Reduction - Web Protection

1. Open the Intune admin center.

2. Navigate to Endpoint security > Attack surface reduction.

3. Select Create Policy.

4. Select Windows 10 and Later - Web protection > Create.

   

5. Enter a name and description, then select Next.

   

6. In the Configuration settings page: Set the configurations you require for Web Protection, then select Next.

   Note

   We are configuring Web Protection to Block.

   For more information, see Web Protection.

   

7. Add Scope Tags as required > Next.

   

8. Select Assign to test group > Next.

   

9. Select Review and Create > Create.

   

10. View the policy.

    

Validate configuration settings

Confirm policies have been applied

Once the Configuration policy has been assigned, it takes some time to apply.

For information on timing, see Intune configuration information.

To confirm that the configuration policy is applied to your test device, follow the following process for each configuration policy.

1. Open the Intune admin center and navigate to the relevant policy as shown in the preceding section. The following example shows the next generation protection settings.

   

2. Select the Configuration Policy to view the policy status.

   

3. Select Device Status to see the status.

   

4. Select User Status to see the status.

   

5. Select Per-setting status to see the status.

   Tip

   This view is very useful to identify any settings that conflict with another policy.

   

Confirm endpoint detection and response

1. Before applying the configuration, the Defender for Endpoint Protection service shouldn't be started.

   

2. After the configuration is applied, the Defender for Endpoint Protection service should be started.

   

3. After the services are running on the device, the device appears in Microsoft Defender portal.

   

Confirm next-generation protection

1. Before applying the policy on a test device, you should be able to manually manage the settings as shown in the following image:

   

2. After the policy is applied, you shouldn't be able to manually manage the settings.

   Note

   In the following image Turn on cloud-delivered protection and Turn on real-time protection are being shown as managed.

   

Confirm Attack Surface Reduction - Attack surface reduction rules

1. Before applying the policy on a test device, open a PowerShell Window and type Get-MpPreference.

2. You should see the following lines with no content:

   AttackSurfaceReductionOnlyExclusions:

   AttackSurfaceReductionRules_Actions:

   AttackSurfaceReductionRules_Ids:

   

3. After applying the policy on a test device, open a PowerShell Windows and type Get-MpPreference.

4. You should see the following lines with content, as shown in the following image:

   

Confirm Attack Surface Reduction - Web Protection

1. On the test device, open a PowerShell Windows and type (Get-MpPreference).EnableNetworkProtection.

2. This should respond with a 0 as shown in the following image:

   

3. After applying the policy, open a PowerShell Windows and type (Get-MpPreference).EnableNetworkProtection.

4. You should see a response with a 1 as shown in the following image:

   

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.