Learn how to onboard computers with Microsoft Defender for Endpoint, which goes beyond Microsoft Defender’s endpoint anti-virus protection.
As device (endpoint) management in the cloud continues to mature, and hybrid-joined devices become a tighter management strategy than domain-joined or Azure AD-joined alone, securing an endpoint that spends much of its life off the corporate network becomes far more critical. From zero-day detection and remediation to advanced persistent threat (APT) detection, response and reporting, Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection, or MDATP) is the endpoint detection and response (EDR) layer that covers those needs.
In this blog, I’ll cover how simple it is to onboard computers and begin using Microsoft Defender for Endpoint.
Microsoft Defender for Endpoint Onboarding
Microsoft Defender for Endpoint is integrated with multiple services throughout the Microsoft 365 suite, including Microsoft Endpoint Manager and Microsoft Endpoint Configuration Manager.
Microsoft Endpoint Manager is an umbrella over the following technologies:
- Microsoft Endpoint Configuration Manager (formerly SCCM) – on-premises device management, with co-management to Intune
- Intune – cloud-based MDM/MAM service
- Desktop Analytics – cloud-based device and update-readiness analytics, fed by Configuration Manager
- Autopilot and more – automated setup and pre-configuration of devices
Here are just a few of the Microsoft Defender products in the Microsoft 365 Defender family:
- Microsoft Defender for Endpoint – enterprise endpoint security for threat management, detection and response
- Microsoft Defender for Office 365 – Safe Links and Safe Attachments for Exchange Online email
- Microsoft Defender for Identity – a sensor installed on domain controllers (and AD FS servers) captures network traffic and Windows events; the resulting alerts can be forwarded to a security information and event management (SIEM) system or correlated in Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint, with which it is integrated
Microsoft Defender for Endpoint has expanded its coverage over the last few years and can now be onboarded on the operating systems below, using the methods listed for each. There are a variety of options, so consider your needs and asset inventory before designing a complete onboarding plan.
Windows Operating Systems
The following installation methods are available for Windows-based operating systems:
Windows 7 SP1 and Windows 8.1, both of which require the Log Analytics agent (Microsoft Monitoring Agent, MMA)
- Download and install the Microsoft Monitoring Agent on the device
- Configure the agent with the workspace ID and key shown on the onboarding page
Windows Server 2012 R2 and 2016 (MMA-based; Microsoft has since released a unified agent package for these two versions that no longer depends on MMA)
- Download and install the Microsoft Monitoring Agent on the device
- Configure the agent with the workspace ID and key
Windows Server, version 1803 (Semi-Annual Channel), 2019 and 2022
- Local script – command-line (.cmd) file installation, recommended for up to 10 devices
- Involves the Sense service, event-log registration, onboarding registry additions and a detection test
- Group Policy – includes the command-line file installation as above plus ADMX/ADML configuration files
- SCCM – software delivery via System Center Configuration Manager
- VDI – onboarding scripts for non-persistent devices, or Virtual Desktop Infrastructure
Windows 10, Windows 11
- Local script – command-line file installation for up to 10 devices
- Involves a service, registry additions and a test
- Group Policy – includes command-line file installation as above plus ADMX/ADML configuration files
- Microsoft Endpoint Configuration Manager current branch (version 1606 and later) – integrated Defender for Endpoint policies, onboarded with the configuration (JSON) file downloaded from the portal
- SCCM – software delivery of the onboarding script via System Center Configuration Manager 2012 / 2012 R2 / 1511 / 1602
- MDM/Intune – an Intune device configuration or endpoint security (EDR) profile that delivers the same onboarding (JSON) package through the WindowsAdvancedThreatProtection CSP
- VDI – onboarding scripts for non-persistent devices, or Virtual Desktop Infrastructure
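Whichever of the Windows methods above you use, the end state on the device is the same: onboarding values in the registry, the Sense service running, and (on Windows 10/11 and Server 2016+) Defender Antivirus in either normal or passive mode. The script below, added here as an example and not part of the original post or Microsoft's onboarding package, checks that end state and then runs Microsoft's published detection test. It assumes the documented registry path under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status, the service name Sense and the Microsoft-Windows-SENSE/Operational event log; the folder C:\test-WDATP-test is arbitrary. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): post-onboarding health check for a Windows device
# onboarded by local script, Group Policy, Configuration Manager or Intune. Run elevated.
# Assumptions: documented registry path, 'Sense' service name and SENSE event log;
# C:\test-WDATP-test is an arbitrary scratch folder.

$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-MdeOnboardingStatus {
    # Collect the facts the onboarding changes: registry state, the Sense service, AV mode.
    $status = [ordered]@{
        OnboardingState = $null      # 1 = onboarded, 0 = not onboarded, $null = key missing
        OrgId           = $null      # tenant the device reports to
        SenseId         = $null      # device identifier shown in the portal
        SenseService    = 'Missing'  # Running / Stopped / Missing
        AMRunningMode   = $null      # Normal, Passive Mode or EDR Block (third-party AV present)
    }

    if (Test-Path $StatusKey) {
        $reg = Get-ItemProperty -Path $StatusKey
        $status.OnboardingState = $reg.OnboardingState
        $status.OrgId           = $reg.OrgId
        $status.SenseId         = $reg.SenseId
    }

    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $status.SenseService = $svc.Status.ToString() }

    # Get-MpComputerStatus only exists where the Defender Antivirus module is present
    # (Windows 10/11, Server 2016+); MMA-based down-level devices report $null here.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) { $status.AMRunningMode = $mp.AMRunningMode }

    [pscustomobject]$status
}

function Test-MdeOnboarded {
    # True only when the sensor is both configured (registry) and actually running (service).
    $s = Get-MdeOnboardingStatus
    return ($s.OnboardingState -eq 1 -and $s.SenseService -eq 'Running')
}

function Invoke-MdeDetectionTest {
    # Microsoft's published detection test. The download and launch both fail harmlessly;
    # the child process command line itself is what the sensor detects. Expect an alert
    # in the portal within a few minutes on an onboarded, online device.
    $dir = 'C:\test-WDATP-test'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $cmd = "`$ErrorActionPreference='SilentlyContinue';" +
           "(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe','$dir\invoice.exe');" +
           "Start-Process '$dir\invoice.exe'"
    Start-Process -FilePath 'powershell.exe' `
        -ArgumentList "-NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $cmd"
}

# Usage: report state, then either fire the detection test or show recent sensor events.
$state = Get-MdeOnboardingStatus
$state | Format-List

if (Test-MdeOnboarded) {
    Write-Host 'Device is onboarded; running the detection test.'
    Invoke-MdeDetectionTest
} else {
    Write-Warning 'Device is not onboarded or the Sense service is not running. Recent sensor events:'
    Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

An AMRunningMode of "Passive Mode" or "EDR Block" on a server is expected when a third-party antivirus is installed; it does not mean onboarding failed, only that Defender Antivirus is deferring to that product while the EDR sensor keeps reporting. For non-persistent VDI images, run the check on a freshly provisioned session rather than on the golden image, because the device identity is created at first boot.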
Non-Windows Operating Systems
The following installation methods are available for non-Windows-based operating systems:
- macOS – install via Intune, Jamf Pro or manually with a bash script and the .pkg installer
- Linux Server – scripted (bash) install from Microsoft's package repositories, or driven by configuration management tooling such as Ansible, Puppet or Chef
- iOS – Microsoft Intune for both supervised and unsupervised devices; you can also download the app directly from Apple's App Store
- Android – legacy Device Administrator or Android Enterprise mode with Microsoft Intune. Under Android Enterprise the app runs in the work profile or on a fully managed device, depending on how the device is enrolled. If your device is not enrolled in Microsoft Intune, you'll need to configure it using the instructions found here.
For More Information
All the scripts and information are located in the onboarding settings section of the Microsoft Defender Security Center, along with the rest of the Microsoft Defender for Endpoint management tools, at https://securitycenter.windows.com. That portal has since been folded into the Microsoft 365 Defender portal at https://security.microsoft.com (the old address redirects there), where the onboarding packages live under Settings > Endpoints > Onboarding. As always, the requirements defined by your organization should serve as your guide to purchasing, configuring and using software.