🛡️ Endpoint Security

Microsoft Defender for Endpoint: Onboarding via Intune Step-by-Step

Published 19 March 2026

Microsoft Defender for Endpoint (MDE) is Microsoft's enterprise EDR platform. It sits on top of Microsoft Defender Antivirus and adds threat detection, investigation, and response capabilities across your entire device estate. If you're on Microsoft 365 Business Premium or any of the E3/E5 plans, you already have a licence for it - which tier depends on the plan, as the list below shows. The question is just whether you've turned it on.

Intune is the right deployment method for cloud-managed environments. Devices start reporting to the Defender portal within a few hours of the policy syncing.

Prerequisites and Licensing

📋 Before You Start

Before creating any policy, confirm you have the right licence and that your devices are in scope. MDE is included in the following plans:

  • Microsoft 365 Business Premium - includes Microsoft Defender for Business (the SMB tier, which does include EDR)
  • Microsoft 365 E3 - includes MDE Plan 1
  • Microsoft 365 E5 / Defender for Endpoint Plan 2 - full EDR, threat hunting, and auto-investigation
  • Microsoft Defender for Business - also available as a standalone SMB-focused plan
ℹ️
Plan 1 vs Plan 2
Plan 1 gives you next-gen protection (antivirus, attack surface reduction, device control). Plan 2 adds EDR, threat hunting, automated investigation, and the full Defender portal experience. The onboarding process is identical - the feature set you see in the portal will differ based on your licence.

You'll also need devices that are:

  • Running Windows 10 1709 or later (Windows 11 fully supported)
  • Enrolled in Intune (Entra ID joined or Hybrid joined)
  • Not already onboarded to MDE via another method (SCCM, GPO, script) - a device should only be onboarded through one channel, so offboard first if it was, otherwise Intune reports an onboarding conflict

Connect Intune to MDE

🔗 Integration Setup

The first step is enabling the connector between Intune and the Defender portal. This is a one-time tenant-level setting.

In the Intune admin centre, go to Endpoint security → Microsoft Defender for Endpoint. This page shows the connection status between Intune and the Defender portal. Click Open the Microsoft Defender for Endpoint admin console - this takes you to security.microsoft.com. Once in the Defender portal:

  1. Open Settings in the Defender portal
     Go to Settings → Endpoints → Advanced Features in the Microsoft Defender portal (security.microsoft.com).
  2. Enable Microsoft Intune connection
     Find Microsoft Intune connection in the list and toggle it to On. Click Save preferences at the bottom of the page.
  3. Return to Intune and refresh
     Go back to the Intune admin centre. The connection status should now show Enabled. This may take a minute or two to update.
Also enable Compliance Policy Evaluation
While you're in the Defender connector page in Intune, toggle on Compliance Policy Evaluation. This lets Intune use the MDE device risk score as part of a compliance policy - useful for blocking high-risk devices from accessing company resources via Conditional Access.

Create the Onboarding Policy

📋 Policy Creation

With the connector active, create the onboarding configuration profile in Intune. This is what actually deploys the MDE sensor to your devices. In the Intune admin centre, go to Endpoint security → Endpoint detection and response and click Create Policy.

Select the following when prompted:

  • Platform: Windows 10, Windows 11, and Windows Server
  • Profile: Endpoint Detection and Response

Give the policy a clear name - something like CORP-MDE-Onboarding. On the configuration page you'll see the key settings below.

Configure Security Settings

⚙️ Configuration
🔍 Endpoint Detection and Response
Core onboarding and sample sharing settings

  • Microsoft Defender for Endpoint client configuration package type: Auto from connector. This uses the onboarding package from the Intune-MDE connection you set up and is the recommended option.
  • Sample Sharing: All. Allows suspicious files to be sent to Microsoft for analysis. Recommended for full EDR capability.
  • Telemetry Reporting Frequency: Normal. Expedited sends telemetry more frequently, which is useful for high-risk environments; Normal is sufficient for most organisations.

Attack Surface Reduction Rules

ASR rules are worth deploying alongside the onboarding policy. They block common attack vectors - Office macro abuse, credential theft, malicious script execution. Create a separate policy under Endpoint security → Attack surface reduction → Create Policy, with the platform set to Windows and the profile set to Attack Surface Reduction Rules:

🛡️ Key ASR Rules - Recommended Block Mode
Start in Audit mode, then switch to Block after reviewing reports

  • Block executable content from email client and webmail - Block
  • Block all Office applications from creating child processes - Block
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe) - Block
  • Block abuse of exploited vulnerable signed drivers - Block
  • Block JavaScript or VBScript from launching downloaded executable content - Block
  • Block process creations originating from PSExec and WMI commands - Audit
⚠️
Test ASR rules before enabling Block mode
Some ASR rules can break legitimate applications - particularly rules around Office child processes and PSExec if your team uses RMM tools or scripting heavily. Always set new rules to Audit first, review the ASR report in the Defender portal for 1–2 weeks, then switch to Block for rules that show no false positives.
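The Defender portal report is the place to review hits, but it is also worth checking on a device that the rules and modes Intune pushed are the ones that actually landed, and pulling the local audit/block events for a rule before you flip it to Block. The script below is an added example written for this post, not code from Microsoft or the original author. It uses Microsoft's documented ASR rule GUIDs and Defender event IDs (1121 = rule fired in Block mode, 1122 = rule fired in Audit mode); the rule-name map and the event data field names (ID, Path, Process Name) are assumptions based on what the event XML normally carries. Run it in an elevated PowerShell session on an onboarded Windows 10/11 device.

```powershell
# Added example (not from the original post): verify which ASR rules Intune applied
# and summarise recent audit/block hits on this device. Run elevated.

# Microsoft's documented rule GUIDs for the six rules recommended above.
# The friendly-name map itself is assumed (it is not read from the device).
$AsrRules = @{
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}

# Action codes as Get-MpPreference reports them
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# The two arrays are positionally paired: Ids[i] is configured with Actions[i]
$state = for ($i = 0; $i -lt $ids.Count; $i++) {
    $id = $ids[$i].ToLower()
    [pscustomobject]@{
        RuleId = $id
        Rule   = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(rule outside the recommended set)' }
        Mode   = $ActionName[[int]$actions[$i]]
    }
}
$state | Sort-Object Rule | Format-Table -AutoSize

# Recommended rules that never reached this device - usually a policy assignment or sync problem
$AsrRules.Keys | Where-Object { $_ -notin $state.RuleId } |
    ForEach-Object { Write-Warning "Not configured on this device: $($AsrRules[$_])" }

# Local ASR events from the last 14 days: 1121 = blocked, 1122 = audited
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    $ruleId = ([string]$data['ID']).Trim('{}').ToLower()
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        Rule    = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
        Process = $data['Process Name']
        Target  = $data['Path']
    }
} | Group-Object Rule, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

The grouped output is the thing to read before switching a rule to Block: a rule in Audit that fires hundreds of times from your RMM agent or a line-of-business installer is a false positive you need an exclusion for, whereas a rule that fired a handful of times from winword.exe spawning cmd.exe is exactly what you wanted it to catch.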

Assign and Verify

✅ Verification

Assign the onboarding policy to your target device group. For most environments this will be all Windows devices or a specific corporate device group. Click Review + Create to save and deploy.

Once synced, devices will appear in the Defender portal within a few hours of the policy applying. You can verify onboarding status from two places:

From the Defender Portal

Go to Assets → Devices in the Defender portal. Onboarded devices appear here with their onboarding status, risk level, and last seen timestamp. A device showing Active status with a recent check-in time is successfully onboarded.

From Intune

Intune also reports a count of devices onboarded to MDE against the total number of enrolled Intune devices. Aim to get this as close to 100% as possible; the gap is your list of devices to chase.

Force a sync if devices don't appear
If a device isn't showing up in the Defender portal after a few hours, trigger a manual Intune sync from Intune → Devices → [Device] → Sync, or run deviceenroller.exe /o <EnrollmentID> /c /b on the device, where EnrollmentID is the GUID-named task folder under \Microsoft\Windows\EnterpriseMgmt\ in Task Scheduler. The MDE sensor needs the policy to apply before it can phone home.
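When a device still does not appear, the fastest way to tell whether the problem is the policy not arriving or the sensor not starting is to check on the box itself. The script below is an added example for this post, not code from the original author or from Microsoft. The Sense service name, the Status registry key with its OnboardingState value, the SENSE event log and the AMRunningMode field are all documented by Microsoft; the scheduled-task lookup used to find the enrolment ID is a common admin pattern and is assumed to match your enrolment layout. Run it elevated.

```powershell
# Added example (not from the original post): force an Intune check-in from the
# device, then report whether the MDE sensor is onboarded and healthy. Run elevated.

# 1. Find the MDM enrolment ID. Intune creates its tasks under
#    \Microsoft\Windows\EnterpriseMgmt\<GUID>\ in Task Scheduler (assumed layout).
$enrollmentId = Get-ScheduledTask |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
    Select-Object -ExpandProperty TaskPath -Unique |
    ForEach-Object { ($_ -split '\\') | Where-Object { $_ -match '^[0-9a-f-]{36}$' } } |
    Select-Object -First 1

if ($enrollmentId) {
    # Same command as in the text, with the enrolment ID filled in
    Start-Process -FilePath "$env:SystemRoot\System32\deviceenroller.exe" `
        -ArgumentList "/o $enrollmentId /c /b" -Wait
    Write-Host "Intune sync requested for enrolment $enrollmentId"
} else {
    Write-Warning 'No MDM enrolment found - is this device actually enrolled in Intune?'
}

# 2. Sensor state. The onboarding policy writes this key; OnboardingState = 1 means onboarded.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
$sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue

[pscustomobject]@{
    # Missing key = the EDR policy has not applied yet, so sync/assignment is the problem
    OnboardingState = if ($status) { $status.OnboardingState } else { 'key missing (policy not applied yet)' }
    OrgId           = $status.OrgId                      # should match your Defender tenant
    SenseService    = if ($sense) { $sense.Status } else { 'not installed' }   # Running when healthy
    SenseStartType  = $sense.StartType
    # 'Normal' = Defender AV active; 'Passive Mode' = another AV owns the device,
    # EDR still works but next-gen protection is handled by the third-party product
    DefenderAVMode  = (Get-MpComputerStatus).AMRunningMode
} | Format-List

# 3. If the service is Running but the device never shows in the portal, the SENSE
#    log usually says why (proxy, certificate or time-skew problems are typical).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SENSE/Operational'
    Level     = 2, 3                                     # Error, Warning
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 10
```

Read the three sections in order: no enrolment means the device is not Intune-managed at all; a missing Status key means the EDR policy has not reached it (check assignment and the sync); a Running Sense service with errors in the SENSE log means the sensor is installed but cannot reach the Defender cloud, which is nearly always an egress or proxy problem rather than a policy one.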