Configure Endpoint Detection and Response policies

In Intune, EDR policies are available from Endpoint security > Endpoint detection and response. These policies use platform-specific profiles to configure devices for Microsoft Defender.

EDR policies configure devices so they can send security telemetry to Defender. The onboarding package includes tenant-specific configuration, service endpoints, authentication material, and initial communication settings. Onboarding enables telemetry flow, but it doesn’t configure advanced protection settings such as antivirus, firewall, or attack surface reduction policies. Those settings should be configured separately.

For Windows devices, EDR policy options include:

  • Microsoft Defender for Endpoint client configuration package type: Choose whether the policy is used for onboarding or offboarding. Choose Auto from connector to use the active Intune-to-Defender service connection to retrieve the current onboarding package.
  • Manual onboarding package: Upload or paste an onboarding package downloaded from the Microsoft Defender portal when automatic retrieval isn’t available.
  • Sample sharing: Choose whether files can be sent to Microsoft for deeper analysis.
  • [Deprecated] Telemetry Reporting Frequency: Increase telemetry reporting frequency when required by your organization. This setting is deprecated and doesn't affect new devices. The setting remains visible for older policy compatibility.

For macOS and Linux, EDR policies can include device tags, which help organize and filter devices in Defender. Linux also supports a separate Microsoft Defender Global Exclusions (AV+EDR) profile for certain exclusion scenarios.

Configure an EDR policy in Intune

To create an EDR policy in Intune:

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Endpoint security > Endpoint detection and response.
  3. Select + Create Policy.
  4. Choose the platform, such as Windows, select the Endpoint detection and response profile, and then select Create.
  5. Enter a name and optional description.
  6. Configure the EDR settings. For Windows, use Auto from connector when the service connection is active.
  7. Configure sample sharing based on organizational requirements.
  8. Assign the policy to the appropriate device group.
  9. Review and create the policy.

Use a preconfigured Windows EDR policy

For a faster Windows deployment, you can go to Microsoft Intune admin center > Endpoint security > Endpoint detection and response and use the EDR Onboarding Status tab to deploy a preconfigured policy. This option automatically uses the latest onboarding package from your Defender tenant and deploys a recommended onboarding policy to eligible Windows devices.

Use this approach when you want quick onboarding with standard settings. Create a custom policy instead when you need more control over assignments, scope tags, sample sharing, or other configuration choices.

Configure EDR settings in the Microsoft Defender portal

Some EDR-related configuration is managed in the Microsoft Defender portal, especially advanced tenant-level features.

One example is EDR in block mode. This feature provides additional protection when Microsoft Defender Antivirus isn’t the primary antivirus solution and is running in passive mode. EDR in block mode can remediate malicious artifacts detected by EDR, even if the primary non-Microsoft antivirus product missed them. It requires Microsoft Defender for Endpoint Plan 2 and supported Windows devices.

To enable EDR in block mode in the Microsoft Defender portal:

  1. Go to Settings > Endpoints > General > Advanced features.
  2. Turn on Enable EDR in block mode.
  3. Save the setting.
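After a Windows device receives either the onboarding policy described above or the EDR in block mode setting, an administrator typically wants to confirm from the device itself that the Sense client is onboarded and which mode Microsoft Defender Antivirus is running in. The following PowerShell check is an added example written for this page; it is not code from Microsoft or from the Intune module. It reads the Windows Advanced Threat Protection Status registry key (OnboardingState is 1 once the client has completed onboarding), the state of the Sense service, and the AMRunningMode value reported by Get-MpComputerStatus, which shows "Passive Mode" when a third-party antivirus is primary and "EDR Block Mode" once the portal setting has taken effect on the device. The function name and the output property names are this example's own choices.

```powershell
# Added example: verify Defender for Endpoint onboarding and AV running mode on a Windows device.
# Run in an elevated PowerShell session on the managed endpoint.

function Test-DefenderEdrOnboarding {
    [CmdletBinding()]
    param ()

    # Registry key written by the Defender for Endpoint client; OnboardingState = 1 means onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = $null
    $orgId = $null
    if (Test-Path -Path $statusKey) {
        $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
        $onboardingState = $status.OnboardingState
        $orgId = $status.OrgId   # tenant identifier the device reports to; useful for spotting the wrong tenant
    }

    # The Sense service is the EDR sensor; it should be running on an onboarded device.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # Get-MpComputerStatus reports whether Defender AV is primary (Normal), Passive Mode, or EDR Block Mode.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    $result = [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        Onboarded        = ($onboardingState -eq 1)
        OnboardingState  = $onboardingState
        OrgId            = $orgId
        SenseStatus      = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        AMRunningMode    = if ($mp) { $mp.AMRunningMode } else { 'Unknown' }
        RealTimeProtection = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }
        Findings         = @()
    }

    # Translate the raw values into the checks an admin cares about after deploying the policy.
    if (-not $result.Onboarded) {
        $result.Findings += 'Device is not onboarded: EDR policy has not applied or onboarding failed.'
    }
    if ($result.SenseStatus -ne 'Running') {
        $result.Findings += "Sense service is $($result.SenseStatus); telemetry will not flow until it runs."
    }
    if ($result.AMRunningMode -eq 'Passive Mode') {
        $result.Findings += 'Defender AV is passive and EDR in block mode is not active on this device.'
    }
    if ($result.AMRunningMode -eq 'EDR Block Mode') {
        $result.Findings += 'EDR in block mode is active; Defender can remediate artifacts detected by EDR.'
    }
    if ($result.Findings.Count -eq 0) {
        $result.Findings += 'Onboarded and reporting; no issues found.'
    }

    return $result
}

# Usage: print the summary and list each finding on its own line.
$check = Test-DefenderEdrOnboarding
$check | Select-Object ComputerName, Onboarded, SenseStatus, AMRunningMode | Format-List
$check.Findings | ForEach-Object { Write-Output "  - $_" }
```

Run this a few minutes after the policy reports as applied in Intune; the OrgId value is a quick way to confirm the device onboarded to the intended Defender tenant rather than to a stale package pasted into a manual onboarding profile.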