How to Onboard Devices to Microsoft Defender for Endpoint


Did you know that you can deploy Intune security configurations to devices without enrolling them in Intune? If not, this post shows how to onboard devices to Microsoft Defender for Endpoint (MDE) and let MDE enforce those configurations.

In this blog I want to show you how you can onboard your devices to MDE. In the next blog I will show you the capabilities and features of the Defender portal.

Microsoft Defender for Endpoint device enrollment infographic

Content

  1. What is MDE?
  2. What are the prerequisites?
  3. How does MDE work?
  4. How can I start with a trial license?
  5. Enable Security Configuration Management
  6. How to enroll a Windows Device?
  7. Create Security configurations
  8. How often do the devices check in?

What is MDE?

Microsoft Defender for Endpoint is a comprehensive, enterprise endpoint security solution that helps you to protect against advanced threats that may bypass traditional antivirus defenses. It provides threat intelligence, attack surface reduction, next-generation protection, endpoint detection and response (EDR), automated investigation and response, and managed hunting services.

Microsoft Defender for Endpoint uses machine learning, big data, and the Microsoft Intelligent Security Graph to detect, investigate, and respond to advanced attacks and data breaches on endpoints in an enterprise environment. It also provides tools to manage your security posture and assess your endpoints' resilience against advanced attacks.

With Security Settings Management (also called Security Configuration Management), Intune policies can be delivered to devices that are onboarded to MDE but not enrolled in Intune. This works for client operating systems as well as server systems, so the devices do not have to be fully managed by Intune.

Microsoft Intune endpoint security overview dashboard

Source: https://learn.microsoft.com/en-us/mem/intune/protect/media/mde-security-integration/endpoint-security-overview.png#lightbox

What are the prerequisites?

For the enrollment of a device there are several requirements that have to be fulfilled:

  • A trust with Entra ID: the device is Entra joined, hybrid joined or registered. A device that has no Entra ID identity yet gets a synthetic device registration created by Defender for Endpoint during enrollment.
  • Access to the following endpoints over TCP 443 (exclude them from TLS inspection on your proxy):
    • enterpriseregistration.windows.net – For Microsoft Entra ID registration.
    • login.microsoftonline.com – For Microsoft Entra ID registration.
    • *.dm.microsoft.com – The wildcard covers the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
  • Operating System: a supported Windows client, Windows Server, Linux or macOS version (see the Microsoft documentation linked below for the current list).
  • License: a Microsoft Defender for Endpoint license (a trial is covered below).
  • Hardware for Windows:
    • Cores: 2 minimum, 4 preferred
    • Memory: 1 GB minimum, 4 GB preferred

Find more information in the Microsoft documentation.
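As an added example (not part of the original post), the following script checks the prerequisites listed above from an elevated PowerShell on the device you want to onboard. The first two hostnames are taken from the list; the `*.dm.microsoft.com` wildcard cannot be tested as such, so you pass one concrete hostname you have observed in your proxy or firewall logs with `-DmHost` (that parameter and the check logic are this example's own, not Microsoft's).

```powershell
# Added example (not from the original post): pre-flight check of the prerequisites above.
# Run from an elevated PowerShell on the device you intend to onboard.
# The first two hostnames come from the prerequisites list. *.dm.microsoft.com is a
# wildcard and cannot be tested directly, so pass one concrete host seen in your proxy
# or firewall logs with -DmHost (assumption: this parameter and its use are ours).
[CmdletBinding()]
param(
    [string]$DmHost
)

$endpoints = @('enterpriseregistration.windows.net', 'login.microsoftonline.com')
if ($DmHost) { $endpoints += $DmHost }

$results = @(foreach ($h in $endpoints) {
    # TCP 443 reachability. Test-NetConnection ignores proxy settings, so on a proxied
    # network a failure here means "no direct path", not necessarily "blocked".
    $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP 443 to $h"; Pass = [bool]$tnc.TcpTestSucceeded; Detail = "$($tnc.RemoteAddress)" }
})

# Hardware thresholds from the list above: 2 cores / 1 GB minimum, 4 cores / 4 GB preferred
$cores = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$memGb = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
$results += [pscustomobject]@{ Check = 'CPU cores >= 2';  Pass = $cores -ge 2; Detail = "$cores cores (4 preferred)" }
$results += [pscustomobject]@{ Check = 'Memory >= 1 GB'; Pass = $memGb -ge 1; Detail = ('{0:N1} GB (4 preferred)' -f $memGb) }

# Entra ID trust: dsregcmd reports AzureAdJoined / DomainJoined / WorkplaceJoined.
# A device that is only domain joined is still fine: Defender for Endpoint creates a
# synthetic Entra ID registration for it during enrollment.
$dsreg = dsregcmd /status
$joinLines = @($dsreg | Where-Object { $_ -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:' })
$joined = ($joinLines -match ':\s*YES\s*$').Count -gt 0
$results += [pscustomobject]@{ Check = 'Entra ID / domain join state'; Pass = $joined; Detail = ($joinLines.Trim() -join '; ') }

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'At least one prerequisite is not met; fix it before onboarding.'
}
```

Run it as `.\Check-MdePrereqs.ps1 -DmHost <host from your logs>`; a device that fails the endpoint checks will onboard to MDE but never enroll into settings management, which shows up later as a device that is tagged but never receives policy.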

How does MDE work?

  • Onboard the device: The first step is to install the Microsoft Defender for Endpoint sensor on your device and configure it to connect to the cloud service. This enables the device to send data to and receive data from Microsoft Defender for Endpoint.
  • Establish Microsoft Entra ID trust: The device needs an identity in Entra ID. If it is not already joined or registered, Defender for Endpoint creates a synthetic device registration for it. This enables the device to authenticate and access cloud resources.
  • Report to Microsoft Intune: Devices use their identity to communicate with Intune and receive policies when they check in.
  • Policy targeting and status: Defender for Endpoint applies the policy and reports its status back to Microsoft Intune.
Microsoft Defender for Endpoint device enrollment workflow diagram

How can I start with a trial license?

If you do not have a license for MDE you can start a trial by following this guide.

Microsoft Defender for Endpoint Plan trial license page

Enable Security Configuration Management

  • First open the Microsoft Defender portal, formerly the Microsoft 365 Defender admin center (https://security.microsoft.com/)
  • Navigate to Settings -> Endpoints -> Enforcement Scope
  • Activate “Use MDE to enforce security configuration settings from Intune”
  • For Windows Client devices and Windows Server devices, start with the tagged-devices option so that only devices carrying the MDE-Management tag are affected while you test. If the test is successful you can switch this to all devices
  • Click Save
Microsoft Defender for Endpoint Intune enforcement scope settings
  • Navigate to Settings -> Endpoints -> Roles and select Turn on roles
  • Click on the role to edit it
  • Assign the role to a group
  • Also activate the “Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations” option in the Intune admin center. For this navigate to Endpoint security -> Microsoft Defender for Endpoint and switch the option on
  • Now tag the test devices with the MDE-Management tag
  • To do this open the Device inventory in the Microsoft Defender portal
  • Select the devices and click Manage tags
  • Set the MDE-Management tag and click Save and close
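Tagging a handful of test devices by hand in the portal is fine for a POC; for a larger pilot the same tag can be set through the Defender for Endpoint API. The script below is an added example (not from the original post, not Microsoft's code). It assumes an app registration with the Machine.ReadWrite.All application permission for the Defender for Endpoint API; the tenant id, client id, secret and the hostnames are placeholders you supply.

```powershell
# Added example (not from the original post): tags test devices with "MDE-Management"
# through the Defender for Endpoint API instead of the portal UI.
# Assumptions: an app registration granted Machine.ReadWrite.All (application permission)
# on the Defender for Endpoint API; $TenantId/$ClientId/$ClientSecret and the default
# hostnames below are placeholders.
param(
    [Parameter(Mandatory)] [string]$TenantId,
    [Parameter(Mandatory)] [string]$ClientId,
    [Parameter(Mandatory)] [string]$ClientSecret,
    [string[]]$ComputerDnsNames = @('test-client-01.corp.example.com', 'test-srv-01.corp.example.com')
)

$tag = 'MDE-Management'
$api = 'https://api.securitycenter.microsoft.com'

# Client-credentials token scoped to the Defender for Endpoint API
$token = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    grant_type    = 'client_credentials'
    scope         = "$api/.default"
}).access_token
$headers = @{ Authorization = "Bearer $token" }

foreach ($name in $ComputerDnsNames) {
    # Look the machine up by DNS name (OData filter; the name has to match exactly)
    $machines = (Invoke-RestMethod -Uri "$api/api/machines?`$filter=computerDnsName eq '$name'" -Headers $headers).value
    if (-not $machines) {
        Write-Warning "$name is not in the device inventory; onboard it to MDE first"
        continue
    }
    foreach ($m in $machines) {
        if ($m.machineTags -contains $tag) {
            "$name already carries the $tag tag"
            continue
        }
        $body = @{ Value = $tag; Action = 'Add' } | ConvertTo-Json
        Invoke-RestMethod -Method Post -Uri "$api/api/machines/$($m.id)/tags" -Headers $headers `
            -ContentType 'application/json' -Body $body | Out-Null
        "$name tagged with $tag"
    }
}
```

The script is idempotent, so it can be re-run as the pilot group grows. Removing a device from the pilot is the same call with `Action = 'Remove'`. Keep the client secret out of the script itself (pass it from a vault or a secured variable); the permission behind it can modify every device in the tenant.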

How to enroll a Windows Device?

  • First open the Microsoft Defender portal (https://security.microsoft.com/)
  • Navigate to Settings -> Endpoints -> Onboarding
  • Select the operating system, choose the Local Script deployment method (intended for up to 10 devices) and download the onboarding package to run a POC on some devices
  • Unzip the package and run WindowsDefenderATPLocalOnboardingScript.cmd from an elevated command prompt; confirm the prompt with Y
  • Run the detection test that is linked on the same Onboarding page to verify that the device reports to the service
  • Check that the services are running with SC.EXE query windefend and SC.EXE query sense; both should report STATE: RUNNING
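The service check above tells you that the sensor runs, but not whether the device has actually onboarded or enrolled into settings management. The script below is an added example (not from the original post) that verifies all of that from an elevated PowerShell on the device. The registry paths are the locations Defender for Endpoint writes to; the reading that `EnrollmentStatus` 1 under `SenseCM` means a successful enrollment is our understanding of the Microsoft troubleshooting documentation and should be treated as an assumption.

```powershell
# Added example (not from the original post): checks the result of the onboarding steps above.
# Run from an elevated PowerShell on the onboarded device. The registry locations are the
# ones Defender for Endpoint writes; "EnrollmentStatus 1 = enrolled" under SenseCM is our
# reading of the Microsoft troubleshooting documentation and is an assumption.
$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Services: WinDefend = Defender Antivirus, Sense = Defender for Endpoint EDR sensor
foreach ($svc in 'WinDefend', 'Sense') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Check "Service $svc running" ([bool]($s -and $s.Status -eq 'Running')) $(if ($s) { "$($s.Status)" } else { 'not installed' })
}

# 2. Onboarding state written by the onboarding script (1 = onboarded)
$atp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
Add-Check 'OnboardingState = 1' ($atp.OnboardingState -eq 1) "OnboardingState=$($atp.OnboardingState); OrgId=$($atp.OrgId)"

# 3. Security settings management enrollment (SenseCM). This key only appears once the
#    device is in the enforcement scope (tagged MDE-Management, or "all devices") and has checked in.
$cm = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue
Add-Check 'SenseCM EnrollmentStatus = 1' ($cm.EnrollmentStatus -eq 1) "EnrollmentStatus=$($cm.EnrollmentStatus)"

# 4. Errors logged by the sensor in the last 24 hours (Level 2 = Error)
$errs = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue)
Add-Check 'No SENSE errors in last 24h' ($errs.Count -eq 0) "$($errs.Count) error event(s)"
if ($errs.Count -gt 0) { $errs | Select-Object -First 5 TimeCreated, Id, Message | Format-List }

$checks | Format-Table -AutoSize
```

A device that passes checks 1 and 2 but not 3 is onboarded to MDE but not yet in settings management: either it is not in the enforcement scope, or it has not checked in yet. Give it time for the next check-in before troubleshooting the Entra ID trust.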

Create Security configurations

It is recommended to create a dynamic device group in Entra ID that contains all MDE-managed devices. You can do this with a membership rule on the systemLabels property that matches MDEJoined or MDEManaged; Defender for Endpoint sets these labels on the device objects it registers and manages.

Then you can assign policies to this group. The following configurations are supported:

  • Endpoint detection and response policies
  • Antivirus policies
  • Firewall  policies
  • Firewall rule policies
  • Attack Surface Reduction
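As an added example (not from the original post), the following creates that dynamic group with the Microsoft Graph PowerShell module (Microsoft.Graph.Groups) rather than in the portal. The membership rule uses the systemLabels values mentioned above; the display name and mail nickname are this example's own choices, and the caller needs Group.ReadWrite.All.

```powershell
# Added example (not from the original post): creates the dynamic device group described
# above with Microsoft Graph PowerShell (module Microsoft.Graph.Groups).
# Assumptions: the display name and mail nickname are placeholders; the rule uses the
# systemLabels values MDEJoined / MDEManaged from the text above.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Devices registered by MDE carry MDEJoined; devices under settings management carry MDEManaged
$rule = '(device.systemLabels -contains "MDEJoined") -or (device.systemLabels -contains "MDEManaged")'

$group = New-MgGroup -DisplayName 'SEC-MDE-Managed-Devices' `
    -Description 'Dynamic group: devices managed by Defender for Endpoint security settings management' `
    -MailEnabled:$false -MailNickname 'sec-mde-managed-devices' -SecurityEnabled:$true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

"Created group $($group.DisplayName) ($($group.Id))"

# Dynamic membership is evaluated asynchronously; check the member count a few minutes later
$members = Get-MgGroupMember -GroupId $group.Id -All
"Current member count: $(@($members).Count)"
```

Assign the endpoint security policies listed above to this group. Because membership follows the labels that Defender for Endpoint sets, devices drop out of the group automatically when they are offboarded or leave the enforcement scope, so no stale assignments are left behind.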

How often do the devices check in?

MDE-managed devices check in with Intune roughly every 90 minutes to pick up updated policies. If you need a change applied sooner, open the device page in the Microsoft Defender portal and use the Policy sync action.

3 thoughts on “How to Onboard Devices to Microsoft Defender for Endpoint”

  1. Hi, thanks for this informative post. When will part 2/2 be released? I observed that my BYOD device isn't coming up in Intune. I don't know how long I have to wait for it.
