Enable Microsoft Defender for Endpoint in Intune

Updated: Jul 8

How to onboard a Windows device to MDE using Intune


Microsoft Intune can onboard a device to Microsoft Defender for Endpoint (MDE), which helps protect the device against a security breach.


Prerequisites

  1. Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Enterprise E5) licensed Tenant

  2. Intune-managed Windows 10 devices that are also Azure AD joined

  3. MDE and access to the Microsoft Defender Security Center (ATP portal)


To onboard a device to MDE (Defender ATP) using Intune, there are a few steps to complete:

  1. Establish a service-to-service connection

Enable MDE (DATP) in Intune Portal

Sign in to the Intune portal (to access your tenant), navigate to Device compliance, select Microsoft Defender ATP, and enable it by switching the toggle from Off to On (Connect Windows devices version 10.0.15063 and above to Microsoft Defender ATP).

Enable the setting in the Windows Defender portal as well: under Advanced features, toggle Microsoft Intune connection to On and commit by selecting Save preferences.

Once this is completed, the connection status shows as Enabled in the Intune portal.

Device configuration settings in Intune to push the profile to the device

In Device configuration, navigate to Profiles and select Create profile to create a new profile, then provide a profile name (I had given Windows Defender ATP since it's a test environment).

Provide the name, select the platform as Windows 10 and later, and the profile type as Microsoft Defender ATP (Windows 10 Device).

Sample sharing for all files: Enable allows samples to be collected and shared with Microsoft Defender ATP. For example, if you see a suspicious file, you can submit it to Microsoft Defender ATP for deep analysis. Not configured doesn't share any samples with Microsoft Defender ATP.

Expedite telemetry reporting frequency: for devices that are at high risk, enable this setting so the device reports telemetry to the Microsoft Defender ATP service more frequently.

Enable the settings accordingly. Under Applicability rules, add rules as required so the profile is assigned or not assigned based on conditions.

Select OK, then Create to save your changes; this creates the profile and assigns it to a device assignment group.

Set a compliance policy to set the level of risk


Under Device compliance, create a new policy and name it Windows 10 compliance (or as required), and select the platform as Windows 10 and later. Set Device Health, Device Properties, Configuration Manager Compliance (if Intune shares workloads with SCCM), System Security, and Microsoft Defender ATP. Under Microsoft Defender ATP, set the machine risk score to Clear, Low, Medium, or High:


Clear: This level is the most secure. The device can't have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. (Microsoft Defender ATP uses the value Secure.)

Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels aren't compliant.

Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.

High: This level is the least secure and allows all threat levels. So devices with high, medium, or low threat levels are considered compliant.

Select OK, then Create to save your changes; this creates the compliance policy and assigns it to a device assignment group.
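The same compliance policy can be created through Microsoft Graph instead of the portal. The following is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can manage compliance policies, and that the group id is replaced with your own device group. The property names follow the Graph beta windows10CompliancePolicy resource.

```powershell
# Added example (not from the original post): create the Windows 10 compliance policy
# described above and require the MDE machine risk score to be Low or better.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Windows 10 compliance'            # name used in the post
    description   = 'Requires an MDE machine risk score of Low or better'
    # Device Health section
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    # Microsoft Defender ATP section: Clear = 'secure', Low = 'low', Medium = 'medium', High = 'high'
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'low'
    # Action for noncompliance: block immediately, no grace period
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0
                   notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign the new policy to a device group (placeholder id; replace with your group's object id)
$groupId = '00000000-0000-0000-0000-000000000000'
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Keeping the policy in a script like this makes the chosen risk threshold reviewable and reproducible across tenants, rather than a setting that exists only as a portal click.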

Create a conditional access policy to enforce that the device has Windows Defender ATP pushed to it and is compliant

Select Conditional Access in the Intune portal, select New policy, and enter the policy name.

Select the users and groups to which the policy should apply, exclude any groups for which the policy should not be enforced, and select Done.

Select Cloud apps and choose which apps to protect. For example, choose Select apps and select Office 365 Exchange Online, plus other applications as required, then select Done.

Select Conditions, then Client apps, to apply the policy to apps and browsers. For example, select Yes, then enable Browser and Mobile apps and desktop clients (and other apps as well); this can be restricted as needed. Select Done.

Select Grant to apply Conditional Access based on device compliance. For example, select Grant access and Require device to be marked as compliant, then choose Select to save the settings.

Select Enable policy to turn on the conditional access policy.

To view onboarding status in Intune, go to Device compliance and then Microsoft Defender ATP, where you can see the devices with the ATP sensor and those without it.

In the Windows Defender portal, the device details appear in the machine list once the device is enrolled with Intune using Autopilot or Windows enrollment.
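The portal view shows which devices have the sensor; the same can be confirmed from the device itself. This is an added example, not from the original post, and assumes it is run in an elevated PowerShell session on the onboarded Windows 10 device.

```powershell
# Added example (not from the original post): confirm from the device side that the MDE
# sensor is onboarded and running, and that the Defender AV sample-sharing setting took effect.
function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # MDE sensor service
    $mpPref = Get-MpPreference -ErrorAction SilentlyContinue           # Defender AV preferences

    [pscustomobject]@{
        OnboardingState = $status.OnboardingState   # 1 = onboarded; 0 or missing = not onboarded
        OrgId           = $status.OrgId             # MDE tenant the sensor reports to
        SenseService    = if ($sense) { $sense.Status } else { 'NotInstalled' }
        # SubmitSamplesConsent: 0 always prompt, 1 safe samples, 2 never send, 3 all samples
        SampleSharing   = $mpPref.SubmitSamplesConsent
        Onboarded       = ($status.OnboardingState -eq 1) -and ($sense.Status -eq 'Running')
    }
}

$result = Test-MdeOnboarding
$result | Format-List
if (-not $result.Onboarded) {
    Write-Warning 'MDE sensor is not onboarded or not running; check the Intune profile assignment and sync status.'
}
```

A device that shows Onboarded as False here will appear in the "without sensor" list in Intune and, with the compliance and conditional access policies above in place, will be blocked from the protected cloud apps.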
