## Prerequisites

### Subscriptions

To use Microsoft Defender for Endpoint with Intune, you must have the following subscriptions:

- **Microsoft Defender for Endpoint** - This subscription provides access to the Microsoft Defender portal, formerly the Microsoft Defender Security Center ([Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2077139)). For Defender for Endpoint licensing options, see **Licensing requirements** in [Minimum requirements for Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) and [How to set up a Microsoft 365 E5 Trial Subscription](https://learn.microsoft.com/en-us/microsoft-365/security/defender/setup-m365deval#enable-microsoft-365-trial-subscription).
- **Microsoft Intune** - A _Microsoft Intune Plan 1_ subscription provides access to Intune and the Microsoft Intune admin center. For Intune licensing options, see [Microsoft Intune licensing](https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses).

### Devices managed with Intune

The following platforms are supported for Intune with Microsoft Defender for Endpoint:

- Android
- iOS/iPadOS
- Windows 10/11 (Microsoft Entra hybrid joined or Microsoft Entra joined)

## Connect Microsoft Defender for Endpoint to Intune

The first step is to set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. Setup requires administrative access to both the Microsoft Defender portal and to Intune. You only need to enable Microsoft Defender for Endpoint once per tenant.

### To enable Microsoft Defender for Endpoint

Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](https://security.microsoft.com/). The Intune admin center also includes a link to the Defender for Endpoint portal.

1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Endpoint security** > **Microsoft Defender for Endpoint**, and then select **Open the Microsoft Defender Security Center**.

   > [!TIP] Tip
   > In the Intune admin center, if the **Connection status** at the top of the Microsoft Defender for Endpoint page is already set to **Enabled**, the connection to Intune is already active and the admin center displays different UI text for the link. In this event, select **Open the Microsoft Defender for Endpoint admin console** to open the Microsoft Defender portal. Then use the guidance in the following step to confirm that the **Microsoft Intune connection** is set to **On**.

   ![[Pasted image 20240822180720.png]]

3. In the **Microsoft Defender** portal (previously the _Microsoft Defender Security Center_):
   1. Select [**Settings** > **Endpoints** > **Advanced features**](https://security.microsoft.com/preferences2/integration).
   2. For **Microsoft Intune connection**, choose **On**.
   3. Select **Save preferences**.

   ![[Pasted image 20240822180842.png]]

   > [!NOTE] Note
   > Once the connection is established, the services are expected to sync with each other _at least_ once every 24 hours. The number of days without a sync before the connection is considered unresponsive is configurable in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): select **Endpoint security** > **Microsoft Defender for Endpoint** > **Number of days until partner is unresponsive**.

4. Return to the **Microsoft Defender for Endpoint** page in the Microsoft Intune admin center.
   1. To use Defender for Endpoint with **compliance policies**, configure the following under **Compliance policy evaluation** for the platforms you support:
      - Set **Connect Android devices to Microsoft Defender for Endpoint** to **On**.
      - Set **Connect iOS/iPadOS devices to Microsoft Defender for Endpoint** to **On**.
      - Set **Connect Windows devices to Microsoft Defender for Endpoint** to **On**.

      When these configurations are _On_, applicable devices that you manage with Intune, and devices you enroll in the future, are connected to Microsoft Defender for Endpoint for compliance.

      For iOS devices, Defender for Endpoint also supports the following settings that help provide the Vulnerability Assessment of apps on Microsoft Defender for Endpoint for iOS. For more information about using these two settings, see [Configure vulnerability assessment of apps](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps).

      - **Enable App Sync for iOS Devices**: Set to **On** to allow Defender for Endpoint to request metadata of iOS applications from Intune to use for threat analysis purposes. The iOS device must be MDM-enrolled and provide updated app data during device check-in.
      - **Send full application inventory data on personally owned iOS/iPadOS Devices**: This setting controls the application inventory data that Intune shares with Defender for Endpoint when Defender for Endpoint syncs app data and requests the app inventory list. When set to **On**, Defender for Endpoint can request a list of applications from Intune for personally owned iOS/iPadOS devices. This list includes unmanaged apps and apps that were deployed through Intune. When set to **Off**, data about unmanaged apps isn't provided; Intune still shares data for the apps that were deployed through Intune.

      For more information, see [Mobile Threat Defense toggle options](https://learn.microsoft.com/en-us/mem/intune/protect/mtd-connector-enable#mobile-threat-defense-toggle-options).
   2. To use Defender for Endpoint with **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use:
      - Set **Connect Android devices to Microsoft Defender for Endpoint** to **On**.
      - Set **Connect iOS/iPadOS devices to Microsoft Defender for Endpoint** to **On**.

      To set up the integration with Microsoft Defender for Endpoint for compliance and app protection policy evaluation, you must have a role that includes _Read_ and _Modify_ for the _Mobile Threat Defense_ permission in Intune. The _Endpoint Security Manager_ built-in admin role for Intune includes these permissions.

      For more information about both MDM Compliance Policy Settings and App Protection Policy Settings, see [Mobile Threat Defense toggle options](https://learn.microsoft.com/en-us/mem/intune/protect/mtd-connector-enable#mobile-threat-defense-toggle-options).
5. Select **Save**.

## Onboard devices

When you enable support for Microsoft Defender for Endpoint in Intune, you establish a service-to-service connection between Intune and Microsoft Defender for Endpoint. You can then onboard devices you manage with Intune to Microsoft Defender for Endpoint. Onboarding enables collection of data about device risk levels.

When onboarding devices, be sure to use the most recent version of Microsoft Defender for Endpoint for each platform.

### Onboard Windows devices

- [**Endpoint detection and response**](https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-edr-policy) (EDR) policy. The _Microsoft Defender for Endpoint_ page in the Intune admin center includes a link that directly opens the EDR policy creation workflow, which is part of endpoint security in Intune. Use EDR policies to configure device security without the overhead of the larger body of settings found in device configuration profiles. You can also use EDR policy with tenant attached devices, which are devices you manage with Configuration Manager.

  When you configure EDR policy after connecting Intune to Defender, the policy setting _Microsoft Defender for Endpoint client configuration package type_ has a new configuration option: **Auto from connector**. With this option, Intune automatically gets the onboarding package (blob) from your Defender for Endpoint deployment, replacing the need to manually configure an onboarding package.
- **Device configuration policy**. When creating a device configuration policy to onboard Windows devices, select the _Microsoft Defender for Endpoint_ template. When you connected Intune to Defender, Intune received an onboarding configuration package from Defender. This package is used by the template to configure devices to communicate with [Microsoft Defender for Endpoint services](https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and to scan files and detect threats. Onboarded devices also report to Microsoft Defender for Endpoint, which shares each device's risk level with Intune so that your compliance policies can evaluate it. After onboarding a device using the configuration package, you don't need to do it again.
- [**Group policy or Microsoft Configuration Manager**](https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). [Onboard Windows machines using Microsoft Configuration Manager](https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) has more details on the Microsoft Defender for Endpoint settings.
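Before onboarding devices it is worth confirming, from a script rather than by eyeballing the admin center, that the connector configured in the previous section is actually enabled and syncing. The following PowerShell is an added example and is not part of the Microsoft Learn source; it assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account is granted `DeviceManagementConfiguration.Read.All`, and that the property names (`partnerState`, `lastHeartbeatDateTime`, `windowsEnabled`, `partnerUnresponsivenessThresholdInDays` and the rest) are those of the Graph beta resource `deviceManagement/mobileThreatDefenseConnectors`, which backs the toggles shown on the Microsoft Defender for Endpoint page. The function name `Get-MdeConnectorReport` is mine.

```powershell
# Added example (not from the Microsoft Learn sources): report the Mobile Threat
# Defense connectors of the tenant, Defender for Endpoint among them, with the
# compliance / app protection toggles and the last service-to-service heartbeat.
# Assumptions: Microsoft.Graph.Authentication is installed, the caller holds
# DeviceManagementConfiguration.Read.All, and the beta property names below.
#Requires -Modules Microsoft.Graph.Authentication

function Get-MdeConnectorReport {
    [CmdletBinding()]
    param(
        # Flag a heartbeat older than this; the article says the services sync
        # at least once every 24 hours, so anything older deserves a look.
        [int]$MaxHeartbeatAgeHours = 24
    )

    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

    $uri = 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors'
    $response = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    # Every MTD partner is one entry; the Windows toggle is only meaningful on
    # the Defender for Endpoint entry, other partners cover mobile platforms only.
    foreach ($c in $response.value) {
        $lastBeat = $null
        $ageHours = $null
        if ($c.lastHeartbeatDateTime) {
            $lastBeat = ([datetime]$c.lastHeartbeatDateTime).ToUniversalTime()
            $ageHours = [math]::Round(((Get-Date).ToUniversalTime() - $lastBeat).TotalHours, 1)
        }

        [pscustomobject]@{
            ConnectorId             = $c.id
            PartnerState            = $c.partnerState   # e.g. enabled, unresponsive
            LastHeartbeatUtc        = $lastBeat
            HeartbeatAgeHours       = $ageHours
            HeartbeatStale          = ($null -eq $ageHours) -or ($ageHours -gt $MaxHeartbeatAgeHours)
            # "Number of days until partner is unresponsive" in the admin center
            UnresponsiveAfterDays   = $c.partnerUnresponsivenessThresholdInDays
            # Compliance policy evaluation toggles
            ComplianceWindows       = $c.windowsEnabled
            ComplianceAndroid       = $c.androidEnabled
            ComplianceIos           = $c.iosEnabled
            # App protection policy evaluation toggles
            AppProtectionAndroid    = $c.androidMobileApplicationManagementEnabled
            AppProtectionIos        = $c.iosMobileApplicationManagementEnabled
            # iOS vulnerability assessment of apps
            IosAppSync              = $c.allowPartnerToCollectIOSApplicationMetadata
            IosPersonalAppInventory = $c.allowPartnerToCollectIOSPersonalApplicationMetadata
        }
    }
}

# Example run: print every connector, then warn about the ones needing attention.
$report = Get-MdeConnectorReport
$report | Format-List
$report | Where-Object { $_.PartnerState -ne 'enabled' -or $_.HeartbeatStale } | ForEach-Object {
    Write-Warning "Connector $($_.ConnectorId): state=$($_.PartnerState), heartbeat age=$($_.HeartbeatAgeHours)h"
}
```

A read-only scope is enough for this report; keep the `ReadWrite` variants for the change scripts. `UnresponsiveAfterDays` is the value behind **Number of days until partner is unresponsive**, so a heartbeat that is stale by the 24-hour rule but still inside that window is a warning, not yet a broken connector.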
> [!TIP] Tip
> When using multiple policies or policy types like _device configuration_ policy and _endpoint detection and response_ policy to manage the same device settings (such as onboarding to Defender for Endpoint), you can create policy conflicts for devices. To learn more about conflicts, see [Manage conflicts](https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy#manage-conflicts) in the _Manage security policies_ article.

### Create the endpoint detection and response policy to onboard Windows devices

1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Endpoint security** > **Endpoint detection and response** > **Create Policy**.
3. For **Platform**, select **Windows 10, Windows 11, and Windows Server**.
4. For **Profile type**, select **Endpoint detection and response**, and then select **Create**.
5. On the **Basics** page, enter a _Name_ and _Description_ (optional) for the profile, then choose **Next**.
6. On the **Configuration settings** page, configure the following options for **Endpoint Detection and Response**:
   - **Microsoft Defender for Endpoint client configuration package type**: Select _Auto from connector_ to use the onboarding package (blob) from your Defender for Endpoint deployment. If you are onboarding to a different or disconnected Defender for Endpoint deployment, select _Onboard_ and paste the text from the WindowsDefenderATP.onboarding blob file into the _Onboarding (Device)_ field.
   - **Sample Sharing**: Returns or sets the Sample Sharing parameter of the Microsoft Defender for Endpoint client configuration, which controls whether the device is allowed to submit file samples to the service for deep analysis (_All_ or _None_).
   - **[Deprecated] Telemetry Reporting Frequency**: For devices that are at high risk, **Enable** this setting so it reports telemetry to the Microsoft Defender for Endpoint service more frequently.
   ![[Pasted image 20240822181543.png]]

   > [!NOTE] Note
   > The preceding screen capture shows your configuration options after you've configured a connection between Intune and Microsoft Defender for Endpoint. When connected, the details for the onboarding and offboarding blobs are automatically generated and transferred to Intune.
   >
   > If you haven't configured this connection successfully, the setting _Microsoft Defender for Endpoint client configuration package type_ only includes options to specify onboard and offboard blobs.

7. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue.
8. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see [Assign user and device profiles](https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-assign). When you deploy to user groups, a user must sign in on a device before the policy applies and the device can onboard to Defender for Endpoint. Select **Next**.
9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.

## Create an endpoint security policy

The following procedure provides general guidance for creating endpoint security policies:

1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Endpoint security**, select the type of policy you want to configure, and then select **Create Policy**. Choose from the following policy types:
   - Account protection
   - Antivirus
   - Application control (Preview)
   - Attack surface reduction
   - Disk encryption
   - Endpoint detection and response
   - Firewall
3. Enter the following properties:
   - **Platform**: Choose the platform that you're creating policy for. The available options depend on the policy type you select.
   - **Profile**: Choose from the available profiles for the platform you selected. For information about the profiles, see the section for your chosen policy type in [Manage endpoint security policies in Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy).
4. Select **Create**.
5. On the **Basics** page, enter a name and description for the profile, then choose **Next**.
6. On the **Configuration settings** page, expand each group of settings, and configure the settings you want to manage with this profile. When you're done configuring settings, select **Next**.
7. On the **Scope tags** page, choose **Select scope tags** to open the _Select tags_ pane to assign scope tags to the profile. Select **Next** to continue.
8. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see [Assign user and device profiles](https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-assign). Select **Next**.
9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.

## Example Configurations

### Endpoint detection and response

#### Endpoint detection and response policy - Windows 10 and Later

| Name | Setting |
| --- | --- |
| Microsoft Defender for Endpoint client configuration package type | Auto from connector |
| Telemetry Reporting Frequency | Expedite (the profile marks this setting as deprecated) |

### Antivirus

#### Microsoft Defender Antivirus - Windows 10 and Later

| Name | Setting |
| --- | --- |
| Allow Behavior Monitoring | Allowed. Turns on real-time behavior monitoring |
| Allow Cloud Protection | Allowed. Turns on Cloud Protection |
| Allow Email Scanning | Allowed. Turns on email scanning |
| Allow Full Scan Removable Drive Scanning | Allowed. Scans removable drives |
| Allow scanning of all downloaded files and attachments | Allowed |
| Allow Realtime Monitoring | Allowed. Turns on and runs the real-time monitoring service |
| Allow Scanning Network Files | Allowed. Scans network files |
| Allow Script Scanning | Allowed |
| Avg CPU Load Factor | 25 (percent) |
| Check For Signatures Before Running Scan | Enabled |
| Cloud Block Level | High Plus |
| Cloud Extended Timeout | 50 (seconds) |
| Enable Low CPU Priority | Enabled |
| Enable Network Protection | Enabled (block mode) |
| PUA Protection | PUA Protection on. Detected items are blocked. They will show in history along with other threats |
| Real Time Scan Direction | Monitor incoming files |
| Schedule Quick Scan Time | 660 (minutes after midnight, i.e. 11:00) |
| Signature Update Interval | 2 (hours) |
| Submit Samples Consent | Always prompt |
| Remediation action for Severe threats | Quarantine. Moves files to quarantine |
| Remediation action for Low severity threats | Quarantine. Moves files to quarantine |
| Remediation action for Moderate severity threats | Quarantine. Moves files to quarantine |
| Remediation action for High severity threats | Quarantine. Moves files to quarantine |

_Always prompt_ depends on a signed-in user answering the prompt; if samples should reach the cloud without user interaction, choose _Send safe samples automatically_ instead.

#### Defender Update controls - Windows 10 and Later

| Name | Setting |
| --- | --- |
| Engine Updates Channel | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
| Platform Updates Channel | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
| Security Intelligence Updates Channel | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |

#### Windows Security Experience

| Name | Setting |
| --- | --- |
| TamperProtection (Device) | On |
| Company Name | Example, Inc. |
| Email | [email protected] |
| Phone | 555-555-5555 |
| Url | [Example Helpdesk](https://helpdesk.example.com) |

## Sources

- [Configure Microsoft Defender for Endpoint in Microsoft Intune | Microsoft Learn](https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure)
- [Manage endpoint security policies in Microsoft Intune | Microsoft Learn](https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy#create-an-endpoint-security-policy)
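Once the EDR policy from the onboarding section and the example Antivirus, Update controls and Windows Security Experience profiles above have been assigned, the endpoint itself is the place to confirm they landed. The following PowerShell is an added example, not part of the Microsoft Learn sources; run it elevated on a target Windows device. It reads the onboarding state the Defender for Endpoint client writes to `HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`, the `Sense` service, and `Get-MpComputerStatus` / `Get-MpPreference`, and compares the preferences with the numeric encodings of the table values (for example `CloudBlockLevel` 4 for High Plus, `SubmitSamplesConsent` 0 for Always prompt, update channel 5 for Broad). The registry path, service name and cmdlet property names are Microsoft's; the function names `Test-MdeOnboarding` and `Test-MdeAvBaseline` and the expected-value mapping are mine.

```powershell
# Added example (not from the Microsoft Learn sources): verify on a Windows device
# that it onboarded to Defender for Endpoint and that the example Antivirus and
# Update controls settings documented above actually applied. Run as administrator.

function Test-MdeOnboarding {
    # OnboardingState = 1 is written once the onboarding package has been applied
    # and the Sense service (MsSense.exe) has registered with the service.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $mp        = Get-MpComputerStatus

    [pscustomobject]@{
        Onboarded          = ($null -ne $status -and $status.OnboardingState -eq 1)
        OrgId              = $status.OrgId
        SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        AMRunningMode      = $mp.AMRunningMode            # Normal, Passive Mode, EDR Block Mode, ...
        TamperProtected    = $mp.IsTamperProtected        # "TamperProtection (Device): On"
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = $mp.AntivirusSignatureAge
    }
}

function Test-MdeAvBaseline {
    # Expected Get-MpPreference values for the tables above. "Allowed"/"Enabled"
    # toggles map to Disable* = $false; enumerations use their documented numbers.
    $expected = [ordered]@{
        DisableBehaviorMonitoring           = $false
        MAPSReporting                       = 2       # Advanced MAPS: cloud protection on
        DisableEmailScanning                = $false
        DisableRemovableDriveScanning       = $false
        DisableIOAVProtection               = $false  # downloaded files and attachments
        DisableRealtimeMonitoring           = $false
        DisableScanningNetworkFiles         = $false
        DisableScriptScanning               = $false
        ScanAvgCPULoadFactor                = 25
        CheckForSignaturesBeforeRunningScan = $true
        CloudBlockLevel                     = 4       # High Plus
        CloudExtendedTimeout                = 50      # seconds
        EnableLowCpuPriority                = $true
        EnableNetworkProtection             = 1       # Enabled (block mode); 2 would be audit
        PUAProtection                       = 1       # Enabled (block); 2 would be audit
        RealTimeScanDirection               = 1       # Monitor incoming files only
        ScanScheduleQuickScanTime           = [timespan]::FromMinutes(660)   # 11:00
        SignatureUpdateInterval             = 2       # hours
        SubmitSamplesConsent                = 0       # Always prompt
        SevereThreatDefaultAction           = 2       # Quarantine
        HighThreatDefaultAction             = 2
        ModerateThreatDefaultAction         = 2
        LowThreatDefaultAction              = 2
        # Defender Update controls: 5 = Current Channel (Broad)
        EngineUpdatesChannel                = 5
        PlatformUpdatesChannel              = 5
        DefinitionUpdatesChannel            = 5       # security intelligence updates
    }

    $actual = Get-MpPreference
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $value
            Match    = ($null -ne $value -and $value -eq $expected[$name])
        }
    }
}

# Example run: onboarding summary, then only the settings that drifted from the table.
Test-MdeOnboarding | Format-List
$drift = Test-MdeAvBaseline | Where-Object { -not $_.Match }
if ($drift) { $drift | Format-Table -AutoSize } else { 'All example Antivirus settings match.' }
```

If `Onboarded` is false while the EDR policy reports success in Intune, check whether the device received the policy from a user-targeted assignment before anyone signed in; as noted in step 8 above, user-assigned EDR policy does not apply until a user signs in on the device. A non-empty drift table most often means a second profile (device configuration or a Group Policy) is managing the same setting, which is the conflict case the tip above describes.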