You can onboard Windows 10 devices to Microsoft Defender for Endpoint in a few ways:
1. Local script
2. Using Intune device configuration profiles
and what will be covered here:
3. Using Endpoint Manager Endpoint security policies
and select Endpoint security from the menu on the left. Then select Endpoint detection and response. Finally, select the option + Create policy as shown above on the right.
Select the Platform as Windows 10 and later and for Profile, Endpoint detection and response as shown above.
In the next dialog, give the policy a suitable Name and Description.
As with the article on the onboarding process using Intune, I’d recommend setting the Expedite telemetry reporting frequency to Yes as shown above before proceeding.
As with any Endpoint policy, select the devices and/or users this policy will apply to. Generally, it is recommended that you apply these types of policies to device groups.
Proceed through the remaining screens until you end up on the Review + create as shown above. As with the Intune device configuration profile policy, if you look closely you will an option displayed which wasn’t shown during the policy creation process, Auto populate Microsoft Defender for Endpoint onboarding blob set to Yes. This is what will actually configure the targeted devices to connect to the Defender for Endpoint cloud service.
Press the Create button to complete the policy creation process.
If you now view the newly created policy, and unlike the Intune device configuration profile policy, you don’t see any mention of the Auto populate setting mentioned above. Makes it somewhat hard to troubleshoot for the uninitiated.
We can now monitor the deployment of the policy to devices via the Device status option in the policy options, as shown above. After a short wait, we see the policy has successfully been deployed to the machine in question.
Looking the Device inventory in the Microsoft 365 security center we now see the devices in question has been onboarded to Defender for Endpoint.
Both the Intune and Endpoint security approach are easy to implement with an almost identical policy, so which is better? There doesn’t appear to be any guidance from Microsoft on which policy to use, however Microsoft’s own wizards for Defender for Business implement onboarding via the Endpoint security approach shown here. In my brief experience, the Endpoint security approach also seems to be deployed faster to devices. I would also point out that Endpoint security is the more modern approach to device management and what Microsoft seems to be investing in currently. The only major draw back I can see is that Endpoint security policies currently only apply to the Windows platform.
Intune and Endpoint security approach are an indication of one of things Microsoft needs to fix I believe, because having two ways of doing the same thing in the same portal, without any warning of a potential clash makes things hard for those who have to maintain these environments. Given that the Endpoint security approach is the more modern, I expect it to be the winner in the long and suggest you only implement that policy for onboarding your Windows 10 devices for Microsoft Defender for Endpoint.
One thought on “Onboarding Windows 10 devices to Microsoft Defender for Business using Endpoint Security”