Golden Tenant, Step 10: Defender for Endpoint
You might be wondering how “Defender for Endpoint” differs from “Defender for Office 365.” Both are part of the Defender platform, but Defender for Endpoint applies the desired Microsoft security settings to the device itself rather than only to Office 365 services. Defender for Endpoint protects devices from malware, spyware, and viruses, while Microsoft Defender for Office 365 secures cloud-based applications and services; for example, Defender for Office 365 is where you configure anti-phishing policies for Outlook. Defender for Endpoint combines the enrollment policies and profiles of Intune with the security settings in Defender. We outlined how to set up Intune in our previous blog post.
Defender for Endpoint is the means of centrally managing device security and configuration profiles. This blog post covers how to set up Defender for Endpoint in your Microsoft suite. This is Chapter 10 of our “Golden Tenant”: Microsoft 365 Setup Guide. At this point, you have a solid set of baselines you can refer back to for future auditing and configuration.
Create Connection from Defender to Intune
This allows device onboarding to Microsoft Defender for Endpoint from Intune for any Entra-joined workstations. This configuration lets you manage Microsoft Defender for Endpoint policies from the Defender dashboard in one centralized location.
- In security.microsoft.com navigate to Settings > Endpoints > Advanced features > Scroll down and enable Microsoft Intune Connection > Click Save Preferences to force changes throughout the tenant
- In intune.microsoft.com navigate to Tenant Administration > Connectors and tokens > Click on Microsoft Defender for Endpoint > Set the Endpoint Security Profile Settings to On, and Save settings
- Once the connection is in place, set Compliance policy evaluation to On for all of the devices to which you will be deploying compliance policies.
- If you deploy App Protection Policies in your environment, you can also enable evaluation for Defender to be included for Android and iOS devices.
- You should now see the Connection status listed as Enabled, and the last synchronization date will also appear.
Create Microsoft Defender for Endpoint Onboarding Profile
Now, for Defender onboarding to take place, you need to create the onboarding profile in the Endpoint security section of Intune.
Navigate to intune.microsoft.com > Endpoint security > under Manage, click on Endpoint detection and response > click + Create policy
- Set Platform to Windows 10, Windows 11, and Windows Server
- Set Profile to Endpoint detection and response
- Name: Win – MDE Onboarding Policy
- Set the following policy settings:
Assign to All Devices + All Users
Defender for Endpoint Incident Alerts
In security.microsoft.com navigate to Settings at the bottom of the right-hand panel, click on Endpoints > Email notifications > Alerts > Add notification rule
Notification rule name: Default [your organization name] endpoint notifications
Set the recipient email address (this can be an external address)
Alerts will be sent to the email inboxes provided, and can also be sent to external email addresses.
Defender For Endpoint Vulnerability Management Alerts
In security.microsoft.com navigate to Settings at the bottom of the right-hand panel, click on Endpoints > Email notifications > Vulnerabilities > Add notification rule
Notification rule name: Default [your organization name] vulnerabilities notification
Set the recipient email address (this can be an external address)
Now alerts of severity High and above will be sent to the email inboxes provided, and can also be sent to external email addresses.
Defender For Endpoint Threat Analytics Reports
These reports are optional, but they are helpful for staying aware of trending threats. The emails break down threats as they emerge and are tracked within Microsoft 365.
Enforcement Scope for Devices
(Do this last for your Defender for Endpoint deployment)
In security.microsoft.com navigate to Settings > Endpoints > Advanced features > Scroll down and click on Enforcement scope under Configuration Management > Set the setting Use MDE to enforce security configuration settings from Intune to On
- Under the “Enable” configuration management label, select the checkbox for each OS type and select the On tagged devices radio button
- Optional: enable security settings management for devices onboarded through Microsoft Defender for Cloud.
- Click Save to apply the changes to Microsoft Defender.
Automated Tagging for Devices
When automated incident remediation is used within the tenant, automated tagging helps with the following device types:
- Workstations
- Servers
- macOS
- Android
- iOS
Additional settings to configure for Defender for Endpoint
Navigate to security.microsoft.com > select Settings > Endpoints > under General, select Advanced features
- Enable EDR in block mode; this puts devices that are not managed by Defender Antivirus into Passive mode
- When Defender for Endpoint is the primary antivirus, the device state shown in the Defender portal is Active mode.
- When Defender for Endpoint is not the primary antivirus, the device state shown in the Defender portal is EDR in block mode.
- Enable Allow or block file
- Enable Hide potential duplicate device records
- Enable Tamper protection
- Enable Microsoft Defender for Cloud Apps
- Enable Show user details
- Enable Web content filtering
- Enable Unified audit log
- Enable Device discovery
- Enable Live response
- Enable Live Response for Servers
- Enable Live Response unsigned script execution
- Enable Authenticated telemetry
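To confirm on a device that the onboarding profile applied and that the antivirus state matches what the Defender portal reports (Active mode versus EDR in block mode, plus the tamper protection toggle above), the following PowerShell check is an added example, not code from the original guide. It assumes it is run elevated on an Entra-joined Windows device and reads the standard Defender onboarding status registry key and the `Get-MpComputerStatus` output.

```powershell
# Added verification check (not part of the original guide). Run elevated on an
# Entra-joined Windows device after the Intune onboarding profile has applied.
# It reports whether the device is onboarded to Defender for Endpoint and which
# antivirus running mode it is in, so you can compare with the Defender portal.

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

# OnboardingState = 1 means the device completed MDE onboarding.
$onboarded = $false
if (Test-Path $statusKey) {
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $onboarded = ($state -eq 1)
}

# The Sense service is the MDE sensor; it should be running on an onboarded device.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$senseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

# Get-MpComputerStatus reports the Defender Antivirus running mode:
#   'Normal'         -> Defender AV is primary (portal shows Active mode)
#   'EDR Block Mode' -> third-party AV is primary and EDR in block mode is on
#   'Passive Mode'   -> third-party AV is primary and EDR in block mode is off
$mp = Get-MpComputerStatus
$mode = switch ($mp.AMRunningMode) {
    'Normal'         { 'Active mode (Defender AV is primary)' }
    'EDR Block Mode' { 'EDR in block mode (third-party AV is primary)' }
    'Passive Mode'   { 'Passive mode without EDR block; check the Advanced features toggle' }
    default          { "Unexpected mode: $($mp.AMRunningMode)" }
}

# Summary a helpdesk or auditor can paste into a ticket.
[pscustomobject]@{
    Onboarded           = $onboarded
    SenseServiceRunning = $senseRunning
    AVRunningMode       = $mode
    TamperProtection    = $mp.IsTamperProtected
    RealTimeProtection  = $mp.RealTimeProtectionEnabled
} | Format-List
```

A device that shows Onboarded as False or the Sense service stopped has not received the onboarding policy yet; re-check the Intune assignment before looking at the Defender portal.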