🔒 Cybersecurity

How to Deploy Microsoft Defender for Endpoint via Intune

Microsoft Defender for Endpoint (MDE) is Microsoft's enterprise EDR (Endpoint Detection and Response) platform. It provides advanced threat protection, device vulnerability assessment, attack surface reduction, and security analytics - all integrated with Microsoft 365 Defender.

Deploying it through Intune means zero-touch onboarding across your entire managed Windows fleet, with no need to manually run scripts or push packages through SCCM. This guide covers the complete onboarding process.

Prerequisites

📋 Before You Start
  • Licence: Microsoft Defender for Endpoint Plan 1 or Plan 2. Plan 1 is included in M365 Business Premium and M365 E3; Plan 2 is included in M365 E5 and E5 Security, or available as a standalone add-on
  • Intune: Devices enrolled and managed in Intune
  • MDE tenant: Activated - browse to security.microsoft.com and complete initial setup
  • MDM authority: Intune set as the MDM authority in your tenant
ℹ️ Plan 1 vs Plan 2
Plan 1 (included in M365 Business Premium) gives you attack surface reduction, next-generation protection, and basic device control. Plan 2 adds EDR, advanced hunting, automated investigation and response, and vulnerability management. Most SMBs using Business Premium start with Plan 1. Plan 1 devices onboard exactly as described below, but the EDR features (device timeline, advanced hunting, automated investigation) only light up on Plan 2 licences.

Step 1: Enable the MDE–Intune Connection

🔗 Connection

First, connect MDE to Intune so that device risk data flows from MDE into Intune and you can manage MDE settings from the Intune console.

In the MDE portal (security.microsoft.com), go to Settings > Endpoints > Advanced features and switch Microsoft Intune connection to On.

Back in Intune (Tenant administration > Connectors and tokens > Microsoft Defender for Endpoint), the connector status should change to Enabled within a few minutes. You'll then see the options to connect Windows devices to MDE and to use MDE device risk in compliance policies, which in turn feed device risk-based Conditional Access.

Step 2: Create the Onboarding Policy

📥 Onboarding

In the Intune admin centre, go to Endpoint security > Endpoint detection and response and create a policy for Windows using the Endpoint detection and response profile:

  • Microsoft Defender for Endpoint client configuration package type: Auto from connector (the onboarding blob is pulled from the connector you enabled in Step 1, so you never handle the package file yourself)
  • Sample sharing: All (allows suspicious files to be automatically sent to Microsoft for analysis)
  • Telemetry reporting frequency: Normal

Assign this policy to your Windows device group. Once synced, Intune applies the onboarding package silently, which activates the Sense sensor that is built into Windows 10 and 11. Devices appear in the MDE portal within 1–2 hours.

Step 3: Configure Antivirus Policy

🛡️ Antivirus

Under Endpoint security > Antivirus, create a Windows policy using the Microsoft Defender Antivirus profile.

Defender Antivirus: Recommended Settings (core protection configuration)

  • Cloud-delivered protection: Enabled
  • Cloud-delivered protection level: High
  • Automatic sample submission: Enabled
  • Real-time protection: Enabled
  • Behaviour monitoring: Enabled
  • Scan all downloaded files and attachments: Enabled
  • Script scanning: Enabled
  • Potentially unwanted app (PUA) protection: Enabled
  • Allow users to access the Windows Security app: Enabled
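Once the policy has synced, it is worth confirming on a device that the effective Defender preferences actually match the table, because a conflicting GPO or a second Intune profile can silently win. The following script is an added example, not code from the original guide: it maps each setting above to the corresponding Get-MpPreference property and flags drift. The property names and integer meanings are Defender's own; run it in an elevated PowerShell session on an onboarded device.

```powershell
# Added example (not from the original guide): compare a device's effective
# Defender Antivirus preferences with the recommended values in the table above.
# Run elevated on an Intune-managed Windows device. Uses only the built-in
# Defender PowerShell module (Get-MpPreference / Get-MpComputerStatus).

$pref = Get-MpPreference

# Each recommended setting, the Get-MpPreference property that backs it, and a
# test for the expected state. Several Defender properties are "Disable*" flags,
# so "Enabled" in the table means the property must be $false.
$checks = @(
    @{ Setting = 'Cloud-delivered protection';        Property = 'MAPSReporting';             Ok = { param($v) $v -ge 1 };   Note = '1 = Basic, 2 = Advanced' }
    @{ Setting = 'Cloud-delivered protection level';  Property = 'CloudBlockLevel';           Ok = { param($v) $v -ge 2 };   Note = '2 = High, 4 = High+, 6 = Zero tolerance' }
    @{ Setting = 'Automatic sample submission';       Property = 'SubmitSamplesConsent';      Ok = { param($v) $v -in 1,3 }; Note = '1 = safe samples, 3 = all samples' }
    @{ Setting = 'Real-time protection';              Property = 'DisableRealtimeMonitoring'; Ok = { param($v) -not $v };    Note = 'Disable* flag; $false = enabled' }
    @{ Setting = 'Behaviour monitoring';              Property = 'DisableBehaviorMonitoring'; Ok = { param($v) -not $v };    Note = 'Disable* flag; $false = enabled' }
    @{ Setting = 'Scan downloaded files/attachments'; Property = 'DisableIOAVProtection';     Ok = { param($v) -not $v };    Note = 'Disable* flag; $false = enabled' }
    @{ Setting = 'Script scanning';                   Property = 'DisableScriptScanning';     Ok = { param($v) -not $v };    Note = 'Disable* flag; $false = enabled' }
    @{ Setting = 'PUA protection';                    Property = 'PUAProtection';             Ok = { param($v) $v -eq 1 };   Note = '1 = Block, 2 = Audit only' }
    @{ Setting = 'Users can open Windows Security';   Property = 'UILockdown';                Ok = { param($v) -not $v };    Note = '$true hides the Windows Security app' }
)

$results = foreach ($c in $checks) {
    $value = $pref.($c.Property)
    [pscustomobject]@{
        Setting  = $c.Setting
        Property = $c.Property
        Value    = $value
        State    = $(if (& $c.Ok $value) { 'OK' } else { 'DRIFT' })
        Note     = $c.Note
    }
}

$results | Format-Table -AutoSize

# Running mode and tamper protection: 'Normal' means Defender owns real-time
# protection; 'Passive Mode' means a third-party AV is registered and these
# settings will not behave as the table implies.
Get-MpComputerStatus | Select-Object AMRunningMode, IsTamperProtected, AntivirusEnabled, RealTimeProtectionEnabled

if ($results.State -contains 'DRIFT') {
    Write-Warning 'One or more Defender AV settings do not match the recommended baseline.'
}
```

If a setting shows DRIFT but the Intune policy reports success, check for a competing Group Policy (gpresult /h) or a second Antivirus profile with a conflicting value; Intune reports the conflict per setting in the policy's device status view.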

Step 4: Attack Surface Reduction Rules

🔒 ASR

Attack Surface Reduction (ASR) rules block specific behaviours commonly used in malware attacks - things like Office macros spawning child processes, credential theft from LSASS, and executable content from email clients. They are one of the most effective preventive controls available.

⚠️ Use Audit mode first
Set all ASR rules to Audit initially and review the resulting events in the MDE portal for 1–2 weeks before switching to Block. Some rules (especially those targeting Office macros and credential theft) can cause false positives in environments with line-of-business (LOB) applications, so collect the audit hits and add per-rule exclusions for the offending paths before enforcing.

Key rules to enable in Block mode (after auditing):

  • Block credential stealing from the Windows local security authority subsystem
  • Block all Office applications from creating child processes
  • Block executable content from email client and webmail
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block abuse of exploited vulnerable signed drivers
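To decide which of these rules can safely move from Audit to Block, you need two things from a representative device: the mode each rule is actually running in, and what the audit telemetry says would have been blocked. The script below is an added example, not code from the original guide. The rule GUIDs are the ones Microsoft publishes for the six rules listed above; events 1121 (blocked) and 1122 (audited) are Defender's documented ASR event IDs; the 14-day window is an arbitrary choice matching the callout. Run it elevated.

```powershell
# Added example (not from the original guide): show the configured mode of the
# six recommended ASR rules on this device, then summarise local ASR audit and
# block events from the last 14 days to support the Audit -> Block decision.

# Rule GUIDs published by Microsoft for the rules recommended in this guide.
$rules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}
$modeName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Effective configuration. Get-MpPreference exposes the rules as two parallel
#    arrays (IDs and actions) in the same order.
$pref = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $configured[$ids[$i].ToLower()] = [int]$actions[$i]
}

$rules.GetEnumerator() | ForEach-Object {
    $action = $configured[$_.Key]
    [pscustomobject]@{
        Rule = $_.Value
        Mode = $(if ($null -eq $action) { 'Not configured' } else { $modeName[$action] })
    }
} | Sort-Object Rule | Format-Table -AutoSize

# 2. Local ASR telemetry. 1122 = rule matched in Audit mode (would have blocked),
#    1121 = rule matched and blocked. Field names (ID, Path, Process Name) are
#    those used in Defender's ASR event data; unknown GUIDs fall back to the raw ID.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

$hits = $events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    $id   = ($data | Where-Object Name -eq 'ID').'#text'
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = $(if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' })
        Rule    = $(if ($id -and $rules.ContainsKey($id.ToLower())) { $rules[$id.ToLower()] } else { $id })
        Path    = ($data | Where-Object Name -eq 'Path').'#text'
        Process = ($data | Where-Object Name -eq 'Process Name').'#text'
    }
}

# Frequency per rule and mode, with one sample path each: a rule with many
# audited hits on a legitimate LOB binary needs an exclusion before Block.
$hits | Group-Object Rule, Mode | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'SamplePath'; e = { $_.Group[0].Path } }, @{ n = 'SampleProcess'; e = { $_.Group[0].Process } } |
    Format-Table -AutoSize -Wrap
```

Fleet-wide, the same picture is available in the MDE portal's attack surface reduction report and via advanced hunting on the DeviceEvents table; the local script is useful when you are chasing one noisy device or validating that the Intune policy has actually reached the endpoint.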

Step 5: Compliance Integration

✅ Compliance

Once devices are onboarded, you can use their MDE risk score in Intune compliance policies. This means a device with active malware detections can automatically be marked as non-compliant, which in turn blocks access to corporate resources via Conditional Access.

In Intune, create a Windows compliance policy (Devices > Compliance > Create policy > Windows 10 and later) and, under Microsoft Defender for Endpoint, set Require the device to be at or under the machine risk score. The thresholds are:

  • Clear: strictest; only devices with no active threats pass
  • Low: devices with only low-level threats pass
  • Medium: devices at Low or Medium risk pass; High-risk devices are marked non-compliant
  • High: weakest; devices at any risk level remain compliant

This guide uses Medium, which fails compliance only for devices carrying active high-severity threats while tolerating low-risk noise.
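If you manage more than one tenant, or want the policy in source control, the same compliance rule can be created through Microsoft Graph. The following is an added example, not code from the original guide: it assumes the Microsoft.Graph PowerShell module is installed, uses the placeholder group ID shown, and chooses the display name and the medium threshold from this guide. The scheduledActionsForRule block is required by Graph even though the portal adds it for you; the PasswordRequired rule name is the conventional value used for that mandatory action.

```powershell
# Added example (not from the original guide): create the MDE risk-score
# compliance policy via Microsoft Graph and assign it to a device group.
# Assumptions: Microsoft.Graph module installed; $groupId is a placeholder.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Graph enum deviceThreatProtectionLevel: 'secured' (= Clear in the portal),
# 'low', 'medium', 'high'. This guide recommends medium.
$riskLevel = 'medium'

$policy = @{
    '@odata.type'                               = '#microsoft.graph.windows10CompliancePolicy'
    displayName                                 = 'Windows - MDE risk score at or under Medium'
    description                                 = 'Non-compliant when Defender for Endpoint rates the device above Medium risk'
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = $riskLevel
    # Graph rejects a compliance policy with no scheduled action. An immediate
    # block (gracePeriodHours = 0) is what the portal creates by default.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Assign to the same Windows device group that received the onboarding policy.
# Placeholder: replace with the Entra object ID of your group.
$groupId = '<your-windows-devices-group-object-id>'
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'

"Created compliance policy $($created.id) requiring MDE risk at or under '$riskLevel'"
```

The compliance policy only marks the device; the actual block comes from a Conditional Access policy that requires a compliant device, so create (or confirm) that policy before expecting risky devices to lose access.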

Verify Onboarding

✅ Verification

Check onboarded devices in the MDE portal under Assets > Devices.

Newly onboarded devices appear there within 1–2 hours of policy sync. Each device shows its risk level, last seen time, sensor health state, and any active alerts. A device showing Sensor health state: Active is fully onboarded; devices showing Inactive or Misconfigured need investigating before you rely on their risk score in compliance.

Test with the EICAR file
Verify that Defender is active on a test device by downloading the EICAR test file from eicar.org. This is a harmless file that all AV products detect as malware; Defender reports it as Virus:DOS/EICAR_Test_File. Defender should immediately quarantine it and raise an alert in the MDE portal. The alert matters as much as the quarantine: it proves the device is reporting into your tenant, not just that local antivirus works.
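The portal view above can lag by an hour or two, so it helps to confirm the same facts locally on the test device. The script below is an added example, not code from the original guide: it reads the documented onboarding state registry key, the Sense service, and Defender's local detection history to find the EICAR hit after you have run the test above. Run it elevated; nothing in it is tenant-specific.

```powershell
# Added example (not from the original guide): local onboarding and EICAR
# detection checks for a Windows device onboarded to MDE via Intune.
# Registry path, service name and detection name are Defender's documented ones.

function Get-MdeOnboardingState {
    # HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status is written
    # when the onboarding package is applied; OnboardingState = 1 means onboarded
    # and OrgId identifies the MDE tenant the device reports to.
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # Windows Defender Advanced Threat Protection Service
    $mp     = Get-MpComputerStatus

    [pscustomobject]@{
        Onboarded       = ($status.OnboardingState -eq 1)
        OrgId           = $status.OrgId
        SenseService    = $(if ($sense) { $sense.Status } else { 'Not installed' })
        AMRunningMode   = $mp.AMRunningMode          # 'Normal' = Defender owns real-time protection
        TamperProtected = $mp.IsTamperProtected
        SignatureAgeDays = $mp.AntivirusSignatureAge
    }
}

function Get-EicarDetection {
    # Defender's local detection history; EICAR is reported as
    # Virus:DOS/EICAR_Test_File. CleaningActionID 2 = Quarantine.
    Get-MpThreatDetection | ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            Time      = $_.InitialDetectionTime
            Threat    = $threat.ThreatName
            Resources = ($_.Resources -join '; ')
            ActionId  = $_.CleaningActionID
            Succeeded = $_.ActionSuccess
        }
    } | Where-Object Threat -like '*EICAR*'
}

$state = Get-MdeOnboardingState
$state | Format-List

if (-not $state.Onboarded) {
    Write-Warning 'Device is not onboarded: check that the EDR onboarding policy has reached it (Intune device status) before testing detections.'
}

$eicar = Get-EicarDetection
if ($eicar) {
    $eicar | Format-Table -AutoSize
} else {
    Write-Warning 'No EICAR detection in local history yet. If the browser blocked the download itself, Defender AV never saw the file; save it via a non-browser path (e.g. PowerShell) or retry.'
}
```

Onboarded = True with the Sense service Running, and an EICAR row with ActionId 2, is the local equivalent of Sensor health state: Active plus the alert in the portal. If the registry shows onboarded but the portal never lists the device, the sensor is usually being blocked from reaching Microsoft's service URLs by a proxy or firewall.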
Jack Davies
IT Engineer · M365 & Intune Specialist

Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.
