Configure Microsoft Defender endpoint security settings and baselines


After devices are onboarded to Microsoft Defender, you can use Microsoft Intune to configure the security settings that help protect those devices. These settings include security baselines, Microsoft Defender Antivirus settings, attack surface reduction rules, firewall configuration, and Endpoint detection and response settings.

Configure a Microsoft Defender security baseline

To create a security baseline profile:

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Endpoint security > Security baselines.
  3. Select Microsoft Defender for Endpoint Security Baseline.
  4. Select + Create policy, then on the Create a profile page, select Create.
  5. Enter a name and description for the profile.
  6. Review the baseline configuration settings.
  7. Customize settings that don’t match your organization’s requirements.
  8. Assign and create the policy.

The baseline should usually be tested with a smaller pilot group before broad deployment. This helps you identify settings that might affect productivity, line-of-business applications, or existing security controls.

After deployment, review the profile status, device status, and any policy conflicts in Intune. Security baselines can overlap with other Intune policies, so avoid configuring the same setting in multiple places unless you intentionally plan and monitor the result. Intune can show conflicts when different policies apply different values for the same setting.

Configure key Defender settings with endpoint security policies

Security baselines provide a recommended starting point, but they don’t replace all endpoint security policies. For more precise control, use the Endpoint security node in Intune. Endpoint security policies are purpose-built profiles that focus on specific security scenarios, such as antivirus, firewall, attack surface reduction, and endpoint detection and response.

Microsoft Defender Antivirus

In the Microsoft Intune admin center, go to Endpoint security > Antivirus to configure Microsoft Defender Antivirus settings. Common settings include real-time protection, cloud-delivered protection, sample submission, scan behavior, and exclusions. Exclusions should be used carefully because they reduce the areas that Defender Antivirus scans and can lower protection if configured too broadly.

Tamper Protection

Tamper Protection helps prevent unauthorized changes to important Microsoft Defender security settings. When Tamper Protection is enabled, protected settings can’t be changed by users, scripts, malware, or other unauthorized processes. This helps prevent attackers from disabling security features during an attack.
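The check below is an added example for pilot-device verification; it is not part of the Microsoft Learn module and not Microsoft's own tooling. It uses the built-in Defender cmdlets (`Get-MpComputerStatus`, `Get-MpPreference`) in an elevated session on a pilot device to compare the effective state of real-time protection, cloud-delivered protection, sample submission and Tamper Protection against what the pilot policy is meant to enforce, and then flags Antivirus exclusions that are broad enough to weaken protection (whole drives, user-writable folders, wildcard-only paths, executable extensions, script interpreters). The expected values and the "broad exclusion" heuristics are assumptions chosen for this example, not values stated in the module.

```powershell
# Added example: verify effective Defender Antivirus state on a pilot device and audit
# exclusions. Assumes the Defender PowerShell module and an elevated session.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Expected values are this example's assumed policy intent (MAPSReporting 0 = cloud
# protection off; SubmitSamplesConsent 2 = never send samples).
$checks = @(
    @{ Name = 'Real-time protection';       Actual = $status.RealTimeProtectionEnabled;   Expected = $true }
    @{ Name = 'Tamper Protection';          Actual = $status.IsTamperProtected;            Expected = $true }
    @{ Name = 'Cloud-delivered protection'; Actual = ($pref.MAPSReporting -ne 0);          Expected = $true }
    @{ Name = 'Sample submission';          Actual = ($pref.SubmitSamplesConsent -ne 2);   Expected = $true }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = $c.Actual
        Expected = $c.Expected
        Result   = if ($c.Actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    }
}
$results | Format-Table -AutoSize

# Heuristics (constructed for this example, not an official list) for exclusions that
# remove large or attacker-writable areas from scanning.
$broadPathPatterns = @(
    '^[A-Za-z]:\\?$'          # a whole drive, e.g. C:\
    '\\Users\\'               # anything under user profiles
    '\\Temp\\|\\Tmp\\'        # temp folders
    '\\ProgramData\\'         # world-writable application data
    '^\*|\\\*$'               # leading wildcard or trailing "\*"
)
$riskyExtensions = 'exe','dll','ps1','bat','cmd','vbs','js','scr','hta'
$riskyProcesses  = 'powershell.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe'

$findings = @()
foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
    foreach ($pat in $broadPathPatterns) {
        if ($p -match $pat) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = "matches $pat" }
            break
        }
    }
}
foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) {
    if ($riskyExtensions -contains $e.TrimStart('.').ToLower()) {
        $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'executable or script type' }
    }
}
foreach ($proc in @($pref.ExclusionProcess | Where-Object { $_ })) {
    if ($riskyProcesses -contains (Split-Path -Leaf $proc).ToLower()) {
        $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'script interpreter or LOLBin' }
    }
}

if ($findings.Count -eq 0) { 'No broad exclusions found.' } else { $findings | Format-Table -AutoSize }
```

Run it on a handful of pilot devices after the baseline or Antivirus policy reports as applied in Intune; a MISMATCH row usually points at a conflicting policy or a local override, which is exactly what the pilot phase is meant to surface.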

Attack surface reduction

Use Attack surface reduction to configure rules that reduce common attack techniques. Attack surface reduction rules can help block behaviors used by malware and malicious apps, such as suspicious scripts, executable content launched from Office apps, or other unusual application behavior. Attack surface reduction profiles apply only to Windows devices, and Microsoft Defender Antivirus must be the primary antivirus on those devices.

A good deployment approach is to start with audit mode where appropriate, review the results, create exclusions only when necessary, and then move selected rules to block mode.
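The script below is an added example of the audit-review step; it is not from the Microsoft Learn module. It reads the attack surface reduction rule actions in effect on a device from `Get-MpPreference` and counts the audit (event ID 1122) and block (event ID 1121) events per rule in the Defender operational log over the last 14 days, so that a rule still in audit mode with no hits, or with hits only from known line-of-business applications, can be identified before it is moved to block mode. The three rule GUIDs are Microsoft's documented identifiers; the 14-day window and the regex that pulls the rule GUID out of the event message are this example's assumptions.

```powershell
# Added example: summarise ASR rule actions and audit/block events on one device.
# Assumes the Defender PowerShell module and read access to the operational event log.

# Friendly names for a subset of rule GUIDs (Microsoft's documented identifiers).
$ruleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
# Values of AttackSurfaceReductionRules_Actions as returned by Get-MpPreference.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)

# 1121 = rule blocked an action; 1122 = rule would have blocked it (audit mode).
# The 14-day window is an assumption; widen it for rarely used applications.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

# Count events per rule. Assumption: the rule GUID is the first GUID in the rendered
# message, so it is taken with a regex rather than by property index.
$guidRe = '[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'
$audit = @{}
$block = @{}
foreach ($ev in @($events | Where-Object { $_ })) {
    $m = [regex]::Match($ev.Message, $guidRe)
    if (-not $m.Success) { continue }
    $g = $m.Value.ToUpper()
    if ($ev.Id -eq 1122) { $audit[$g] = 1 + [int]$audit[$g] } else { $block[$g] = 1 + [int]$block[$g] }
}

$(for ($i = 0; $i -lt $ids.Count; $i++) {
    $g = ([string]$ids[$i]).ToUpper()
    [pscustomobject]@{
        Rule        = if ($ruleNames[$g]) { $ruleNames[$g] } else { $g }
        Action      = $actionNames[[int]$acts[$i]]
        AuditEvents = [int]$audit[$g]
        BlockEvents = [int]$block[$g]
    }
}) | Format-Table -AutoSize
```

A rule listed as Audit with a non-zero AuditEvents count deserves a look at the Path and Process Name fields of those 1122 events before it is switched to Block; if they all come from one line-of-business application, a narrow exclusion for that application is the intended fix, not leaving the rule in audit mode.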

Firewall

Use Endpoint security > Firewall to configure built-in firewall settings for Windows and macOS devices. Firewall policies help you manage firewall state, rules, and network protection behavior without mixing unrelated settings into the same profile.

Endpoint detection and response

An Endpoint detection and response policy manages Defender's EDR settings. This policy type is also used to onboard Windows devices to Defender and can be customized for specific platforms, settings, and group assignments.
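As an added example (not part of the Microsoft Learn module), the following check confirms on a Windows device that the Endpoint detection and response policy actually resulted in onboarding, rather than only reporting as applied in Intune. It reads the sensor's onboarding state from the registry and the state of the Sense service; the registry path and service name are the ones the Defender for Endpoint sensor uses, and an elevated session on the device is assumed.

```powershell
# Added example: confirm Defender for Endpoint onboarding on a Windows device.
# Assumes an elevated session; reads the sensor's own status key and service.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue

$onboarded = $false
$orgId     = $null
if (Test-Path $statusKey) {
    $props = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    # OnboardingState 1 means the onboarding package has been applied on this device.
    $onboarded = ($props.OnboardingState -eq 1)
    # OrgId identifies the tenant the device reports to; compare it with the expected
    # tenant when more than one Defender for Endpoint tenant is in play.
    $orgId     = $props.OrgId
}

[pscustomobject]@{
    OnboardingState = if ($onboarded) { 'Onboarded' } else { 'Not onboarded' }
    OrgId           = if ($orgId) { $orgId } else { 'n/a' }
    SenseService    = if ($sense) { [string]$sense.Status } else { 'Not installed' }
    Healthy         = [bool]($onboarded -and $sense -and $sense.Status -eq 'Running')
}
```

A device that shows Onboarded but whose Sense service is stopped will not send telemetry to the Defender portal, so Healthy is only true when both conditions hold; that is the state to confirm on the pilot group before assigning the policy broadly.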