Getting Defender for Endpoint onto Windows without the headaches


Most of the MSPs I talk to already have Microsoft Defender for Endpoint sitting in their licensing stack. Plenty of them haven’t actually rolled it out to a single device. That gap between “we own it” and “it’s protecting the fleet” is where I see real risk hiding, and it’s the gap I want to help you close today. Here’s the path I walk through when I’m onboarding Windows machines into MDE, from licensing right through to the bit everyone skips — tuning.

Get the prerequisites right first

Before you touch a single endpoint, check the licensing, because the plan decides what the sensor can do. Microsoft 365 Business Premium bundles Defender for Business, the SMB edition (EDR and automated investigation, capped at 300 users), and that is fine for most small clients. Defender for Endpoint Plan 1, included with Microsoft 365 E3, gives you next-generation protection, attack surface reduction and manual response actions but no EDR, threat hunting or automated investigation; for those you need Plan 2, which sits inside the E5 stack. Don’t assume: open the Microsoft 365 admin centre and confirm which service plans are actually assigned to the users whose devices you are about to onboard.

Next, head to security.microsoft.com (the Microsoft Defender portal) and run the initial setup wizard. Pick your data storage region carefully, because it cannot be changed after first-time setup, so match the client’s data residency requirements. Keep the default 180-day retention, and turn on preview features so you see new capabilities as they land. Confirm the tenant has Intune as its MDM authority, because that’s the path I recommend for almost every Windows fleet.

Choose your onboarding path

There are three doors into MDE for Windows, and the right one depends on how the device is managed.

Intune (my default). In the Microsoft Defender portal, go to Settings, Endpoints, Onboarding, choose Windows 10 and 11, and pick “Mobile Device Management / Microsoft Intune.” The link drops you into Intune’s Endpoint security > Endpoint detection and response page. Before you create anything there, make sure the Defender for Endpoint connector is on (Intune: Tenant administration > Connectors and tokens > Microsoft Defender for Endpoint; Defender portal: Settings > Endpoints > Advanced features > Microsoft Intune connection), because the EDR policy pulls the onboarding package from that connector. Create a profile with the “Auto from connector” package type, assign it to a pilot group first and to “All Devices” once the pilot is clean, and that’s the heavy lifting done. Devices pick up the policy on their next sync, usually within an hour.

Group Policy (for on-prem AD environments). On the same Onboarding page choose Group Policy and download the package; it contains WindowsDefenderATPOnboardingScript.cmd along with the optional parameters policy and ADMX templates. Deploy the script through a GPO targeting your computer OU, either as a startup script or as an immediate scheduled task running as SYSTEM; it only needs to run once per device and records the result in the registry. Import the templates into your central store, then configure the Defender for Endpoint settings under Computer Configuration > Administrative Templates > Windows Components (the folder still carries the old Windows Defender ATP name in older template sets). It’s old-school but rock solid.

Local script (pilots and one-offs; the portal caps this package at 10 devices). Download the package, unzip it, right-click WindowsDefenderATPLocalOnboardingScript.cmd and run it as administrator on the target machine, and you’re done in under a minute. I use this when I want to prove the pipeline works before scaling.

Verify and then tune

Don’t trust the green tick; verify it. On the device, confirm the Sense service is running and that OnboardingState under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status is 1, then run the detection test command from Microsoft’s docs. Within a few minutes (allow up to fifteen) the device should appear in the Defender portal’s Device inventory with an “Onboarded” status and an “Active” sensor health state, and the test should raise an alert against it. If the device never shows up, run the MDE Client Analyzer (MDEClientAnalyzer.cmd) on it: the usual culprit is a proxy or firewall blocking the Defender cloud endpoints, and the analyzer tells you exactly which ones.
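The verification above as a script, added here as an example and not taken from the original post. It reads the documented Sense service and OnboardingState registry value, pulls the Defender AV health fields from Get-MpComputerStatus, and can fire Microsoft’s documented detection test. Run it in an elevated PowerShell session on the endpoint; the Healthy threshold of seven days on signature age is my own choice, not a Microsoft figure.

```powershell
# Added example (not from the original post). Verify a Windows device is really
# onboarded to Defender for Endpoint before trusting what the portal shows.
# Run elevated on the endpoint.

function Test-MdeOnboarding {
    # Documented registry location written by the onboarding script / MDM policy.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # The MDE sensor runs as the 'Sense' service and should be Running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Defender AV engine state (real-time protection, tamper protection, signatures).
    $mp = Get-MpComputerStatus

    $report = [pscustomobject]@{
        SenseService       = if ($sense) { $sense.Status.ToString() } else { 'Not installed' }
        OnboardingState    = if ($status) { $status.OnboardingState } else { $null }  # 1 = onboarded
        AMRunningMode      = $mp.AMRunningMode          # 'Normal' unless a third-party AV is primary
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        TamperProtected    = $mp.IsTamperProtected
        SignatureAgeDays   = $mp.AntivirusSignatureAge
    }

    # Assumption: a healthy sensor is running, onboarded, protecting in real time,
    # and has signatures no older than a week (the 7-day limit is my threshold).
    $healthy = ($report.SenseService -eq 'Running') -and
               ($report.OnboardingState -eq 1) -and
               $report.RealTimeProtection -and
               ($report.SignatureAgeDays -le 7)
    $report | Add-Member -NotePropertyName Healthy -NotePropertyValue $healthy -PassThru
}

function Invoke-MdeDetectionTest {
    # Microsoft's documented detection test: a harmless local download-and-run
    # that the sensor is designed to flag. Expect an alert in the portal within
    # a few minutes; nothing malicious is executed (127.0.0.1 serves no file).
    $script = "`$ErrorActionPreference='silentlycontinue';" +
              "(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe','C:\test-WDATP-test\invoice.exe');" +
              "Start-Process 'C:\test-WDATP-test\invoice.exe'"
    Start-Process -FilePath powershell.exe -ArgumentList '-NoExit', '-ExecutionPolicy', 'Bypass',
        '-WindowStyle', 'Hidden', '-Command', $script
}

# Usage on the endpoint:
$result = Test-MdeOnboarding
$result | Format-List
if ($result.Healthy) {
    Invoke-MdeDetectionTest
    Write-Host 'Detection test launched; check Device inventory and Alerts in the Defender portal.'
} else {
    Write-Warning 'Sensor not healthy; run MDEClientAnalyzer.cmd before going further.'
}
```

The registry check is the one that matters: a device can show a green Intune compliance tick while OnboardingState is still unset because the EDR policy never reached it.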

Tuning is where most rollouts stall. Push attack surface reduction rules in audit mode first from Intune’s Endpoint security > Attack surface reduction blade, leave them there for a fortnight, and watch the audit events (Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log, or the Reports > Attack surface reduction rules page in the portal). Then flip the quiet rules to block, put the noisy-but-useful ones in warn mode where the rule supports it, and handle genuine false positives with per-rule ASR exclusions rather than broad antivirus exclusions. Turn on tamper protection (otherwise a local admin or a script can switch the protection you just deployed back off), web content filtering, and network protection, which has the same audit-then-block switch. Set up email notifications for high-severity alerts so the SOC inbox doesn’t become the place alerts go to die.
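The audit-then-block loop above as PowerShell, added here as an example rather than code from the original post. The rule GUIDs and the AuditMode/Enabled actions are Microsoft’s published ones; the list is a starting set I chose, not a Microsoft baseline. The event data field names (ID, Process Name, Path) are as they appear in the 1122 event XML on current builds; adjust them if your build differs. On a device where Intune manages ASR, the Intune policy overrides these local settings, so use this on the pilot box to generate and read the audit data, and make the production change in the Intune policy.

```powershell
# Added example (not from the original post). Phase 1: put a core ASR rule set in
# audit mode. Phase 2: summarise what would have been blocked. Phase 3: move to
# block with ASR-only exclusions for the confirmed false positives. Run elevated.

# Assumption: my own starter set; GUIDs are Microsoft's published rule IDs.
$AsrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JS/VBS from launching downloaded executable content'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI commands'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}

function Set-AsrMode {
    # $Action is one of the documented values: Disabled, Enabled (block), AuditMode, Warn.
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action)
    $ids = @($AsrRules.Keys)
    # Set-MpPreference replaces the whole list, so pass parallel arrays of IDs and actions.
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $ids.Count)
    # Network protection uses the same audit/block switch.
    Set-MpPreference -EnableNetworkProtection $Action
}

function Get-AsrAuditSummary {
    # Groups ASR audit events (1122 = audit, 1121 = block) by rule and process
    # so the noisy rule/process pairs float to the top.
    param([int]$Days = 14, [int]$EventId = 1122)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # Assumption: field names as seen in the event XML ('ID', 'Process Name', 'Path').
        $ruleId = ([string]$data['ID']).Trim('{}').ToLower()
        [pscustomobject]@{
            Rule    = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
    $rows | Group-Object Rule, Process | Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Rule';    e = { $_.Group[0].Rule } },
                      @{ n = 'Process'; e = { $_.Group[0].Process } }
}

function Set-AsrBlockWithExclusions {
    # ASR-only exclusions leave antivirus scanning of those paths untouched.
    param([string[]]$ExcludePaths = @())
    foreach ($path in $ExcludePaths) {
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $path
    }
    Set-AsrMode -Action 'Enabled'
}

# Usage, spread over the fortnight:
#   Set-AsrMode -Action 'AuditMode'             # day 0 on the pilot device
#   Get-AsrAuditSummary -Days 14 | Format-Table # day 14: what would have been blocked
#   Set-AsrBlockWithExclusions -ExcludePaths @('C:\Program Files\LineOfBusinessApp\lob.exe')
```

Read the summary with the rule in mind: one line-of-business binary tripping the Office child-process rule hundreds of times is an exclusion candidate, while a handful of obfuscated-script hits from random user profiles is exactly what you want to start blocking.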

This is also where Copilot for Security earns its keep. I’ll ask Copilot in the Defender portal to summarise an incident, walk the kill chain, or draft the client-facing notification, and a forty-minute writeup becomes a ten-minute review.

The bit nobody talks about

MDE deployment isn’t a project, it’s a posture. The clients who get value are the ones whose MSP looks at the Secure Score in the Defender portal every fortnight, treats the recommendations as a backlog inside Planner, and reports progress to the business owner in plain language. Buying the licence is easy. Operating it is the work — and that’s exactly where you justify your fee.
