Do you know that you can deploy configurations to devices without enrolling them to Intune? No than follow this blog how to enroll devices to Microsoft Defender for Endpoint (MDE).
In this blog I want to show you how you can onboard your devices in MDE. In the next blog I will show you what are the cababilities and features in the MDE Admin center.
Content
- Content
- What is MDE?
- What are the prerequisites?
- How does MDE work?
- How can I start with an trial license?
- Enable Security Configuration Management
- How to enroll a Windows Device?
- Create Security configurations
- How often does the devices check in?
What is MDE?
Microsoft Defender for Endpoint is a comprehensive, enterprise endpoint security solution that helps you to protect against advanced threats that may bypass traditional antivirus defenses. It provides threat intelligence, attack surface reduction, next-generation protection, endpoint detection and response (EDR), automated investigation and response, and managed hunting services.
Microsoft Defender for Endpoint uses machine learning, big data, and the Microsoft Intelligent Security Graph to detect, investigate, and respond to advanced attacks and data breaches on endpoints in an enterprise environment. It also provides you tools to manage their security posture and assess their endpoint’s resilience against advanced attacks.
It supports client operating systems as well as server system without the need to completely onboard devices into Intune.
What are the prerequisites?
For the enrolment of a device there are several requirements that has to be full filled:
- A trust is created with Entra ID
- Access to the following endpoints:
enterpriseregistration.windows.net– For Azure AD registration.login.microsoftonline.com– For Azure AD registration.*.dm.microsoft.com– The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
- Operating System:
- Windows 10 Professional/Enterprise (with KB5006738)
- Windows 11 Professional/Enterprise
- Windows Server 2012 R2 with Microsoft Defender for Down-Level Devices
- Windows Server 2016 with Microsoft Defender for Down-Level Devices
- Windows Server 2019 (with KB5006744)
- Windows Server 2022 (with KB5006745)
- License:
- Defender for Endpoint Plan 1 and Plan 2 (standalone or as part of other Microsoft 365 plans)
- To onboard servers to the standalone versions of Defender for Endpoint, server licenses are required. You can choose from:
- Microsoft Defender for Servers Plan 1 or Plan 2 (as part of the Defender for Cloud) offering
- Microsoft Defender for Endpoint for Servers
- Hardware for Windows;
- Cores: 2 minimum, 4 preferred
- Memory: 1 GB minimum, 4 preferred
Find more informations here
How does MDE work?
- Onboard the device: First step is to install the Microsoft Defender for Endpoint agent on your device and configure it to connect to the cloud service. This will enable the device to send and receive data from Microsoft Defender for Endpoint.
- Establish Azure AD trust: Next you need to join or register your device to Entra ID. This will enable the device to authenticate and access cloud resources.
- Report to Microsoft Endpoint Manager: Devices use their identity to communicate with Intune and receive policies when they are checked in.
- Policy targeting and status: Defender for Endpoint reports the status of the policy back to Microsoft Intune.
How can I start with an trial license?
If you not have a license for MDE you can start an trial here
Enable Security Configuration Management
- First open the Microsoft 365 Defender admin center
- Navigate to Settings -> Endpoints -> Enforcement Scope
- Activate the “Use MDE to enforce security configuration settings from Intune“
- Active the Windows Client and Server by tagged devices to run an test. If the test is successful you can switch this to all devices
- Click Save
- Naviagte to Roles and select Turn on roles
- Click on the role to edit
- Assign the role to an group
- Activate aldso the “Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configuration” option in the Intune portal for this naviagte to Endpoint scecurity -> Microsoft Defender for Endpoint
- Now we have to tag the test devices with the
MDE-ManagementTag - To do this open the Device Inventory
- Select the devices and click on Manage tags
- Set the
MDE-ManagementTag and click Save and close
How to enroll a Windows Device?
- First open the Microsoft 365 Defender admin center
- Navigate to Settings -> Endpoints -> Onboarding
- Download the onboarding package for run an POC on some devices
- Unzip and run the script from an command prompt
- Test MDE with this test command
- Check if the service is running with
SC.EXE query windefendandSC.EXE query sense
Create Security configurations
It is recommended to create a dynamic group with all MDE devices in. You can do this by using the filter rule systemLabels contains MDEJoined or MDEManaged
Than you can assign policies to this group. The following configurations are supported:
- Endpoint detection and response policies
- Antivirus policies
- Firewall policies
- Firewall rule policies
- Attack Surface Reduction
How often does the devices check in?
The devices check in every 90 min to update the policies.
Modern Device Management 
[…] How to enroll device to Microsoft Defender for Endpoint and how does it work (1/2)? […]
LikeLike
Hi, Thanks for this informative post, when is the 2/2 be released? I observed that my BYOD device isnt coming up on intune. I dont know how long i have to wait for
LikeLike
I will relese the blog next week on sunday
LikeLike
[…] Part 1 (How to enroll device to Microsoft Defender for Endpoint and how does it work) […]
LikeLike
Thank you Jann
LikeLike