MS Defender for Endpoint (MDE) Onboarding Method Overview

Microsoft Defender for Endpoint (MDE) is part of the Microsoft Defender platform, and is designed to protect devices and endpoints from various cyber threats. To implement this product successfully, the first step is ensuring efficient onboarding of new devices. So, I always ask myself, “Which MDE onboarding method suits my current situation best?”

In this blog, I will provide an overview of multiple MDE onboarding methods, including Intune, Azure, Group Policy, and many more! While this won’t be an in-depth, step-by-step guide, it will give you a better understanding of the different techniques and of when to use each one.

The post will cover the following sections: Microsoft Intune, Onboarding packages and scripts, Device discovery, Personal devices, Azure, Azure Arc, Direct Onboarding, and a wrap up.

Microsoft Intune

If you are already using Microsoft Intune for managing devices, onboarding those devices in Microsoft Defender for Endpoint through Intune is the most logical and efficient method. This method involves pushing apps or configuration profiles to the devices, a task familiar to most Intune administrators.

For Windows devices, the Microsoft Defender app is already built into the operating system. So you will only need to enable and configure the Microsoft Defender for Endpoint sensor, which is available as a Windows service called Windows Defender Advanced Threat Protection Service, or MsSense.exe.

To create the configuration profile, navigate to Endpoint Security and create an Endpoint Detection and Response policy.

For other operating systems, such as iOS, Android and macOS, the Microsoft Defender app must be deployed to the device first before completing the onboarding process.

To achieve this, you can deploy the app directly from the Microsoft Intune admin center, and choose either iOS store app, Managed Google Play app, or macOS (MDE) depending on the OS.

Please note that onboarding macOS devices may require additional configuration profiles. Additionally, for Android devices, you’ll need to set up the Managed Google Play store first before deploying apps like Microsoft Defender.

Onboarding packages and scripts

Not all companies are ready to have their devices managed by Microsoft Intune. Some may use a different management platform, and others have a number of devices that are not, or cannot be, managed for various reasons. When in this situation, deploying a script or onboarding package with any deployment tool is the way to go.

Get started by directly downloading the necessary scripts and packages from the Microsoft Defender admin center.

Once you have downloaded the package, you can distribute it to the devices using different tools such as Group Policy, SCCM, Puppet, or any other relevant deployment tool for your organization and operating systems.

Alternatively, if you have some time to spare, you can onboard specific devices by downloading and executing a local script. This provides another flexible option for the onboarding process.

Most of these scripts or packages can be easily deployed on the endpoints, except for the VDI scripts used with non-persistent devices. These scripts require you to onboard a new device every time a new user signs in, which can create some challenges.

Device discovery

Microsoft Defender for Endpoint’s Device Discovery feature allows us to actively scan the corporate network for any unmanaged devices that have not been onboarded yet. This is a valuable tool as it provides visibility and protection for devices that were previously invisible. To enable this feature, navigate to the Settings > Endpoints section in the Microsoft Defender admin portal.

Once enabled and configured, device discovery will use already onboarded devices to scan for new devices. As new devices are discovered, they’ll appear in the inventory, ready for onboarding.

Be aware that you can discover not only endpoints, but also other network devices such as routers, switches, and printers. After onboarding, these devices can be scanned for vulnerabilities, if supported.

Personal devices

Not all devices used by employees are corporate-owned; some companies allow their employees to work from personal devices too. When dealing with this situation, deploying the app conventionally isn’t an option as employees prefer not to have their personal devices managed by the company.

Instead, we can enforce the installation of Microsoft Defender for Endpoint when they access corporate data. This involves implementing Mobile Application Management (MAM) and configuring the “Max allowed device threat level” setting in the “Conditional launch” page of the app protection policy.

Additionally, activate the app protection policy evaluation for Android & iOS devices in the Microsoft Defender for Endpoint connector settings. This ensures that the app protection policy is allowed to assess the device’s threat health.

After configuration, Microsoft will prompt users to install the MDE app before allowing access to corporate data.

For personal Windows devices, a similar solution is available through Microsoft’s recent release of MAM for Windows in Public Preview. You can learn more about its capabilities in one of my latest blog posts on the topic.

Azure

With Microsoft Defender for Cloud, we gain the ability to protect various resources hosted in Microsoft Azure and beyond. Specifically, it offers a feature called Microsoft Defender for Servers, which allows us to protect our servers.

This method doesn’t require additional Microsoft 365 subscriptions to license the servers. To begin, enable Microsoft Defender for Servers Plan 1 or Plan 2 on your Azure Subscription through the Microsoft Defender for Cloud portal. As usual with Azure, you’ll be billed by the hour for using these capabilities.

Remember to enable Endpoint Protection in the settings of the Defender for Servers plan.

Once enabled, the machines hosted in the subscription will automatically onboard into Microsoft Defender for Endpoint. It might take a short while, but once completed, you’ll notice that the MDE.Windows or MDE.Linux extension has been installed automatically.

Azure Arc

Even if your servers are on-premises and there are no plans to migrate them, you can still benefit from the automated onboarding process for Microsoft Defender for Endpoint in Azure.

To achieve this, simply enable Azure Arc on these servers by running a deployment script that deploys the connected machine agent to these machines. Once done, you can manage them like any other Azure-hosted virtual machine, benefiting from Azure operations such as performance monitoring, log data collection, task automation, Azure policies, update management, and more!

Furthermore, Azure Arc offers the same automated onboarding process into Microsoft Defender for Endpoint, as described in the previous chapter. Just make sure to have Microsoft Defender for Servers enabled on the subscription, along with the Endpoint Protection setting, and you’re good to go!

After successfully onboarding the servers into Azure Arc, proceed with the same steps as described in the previous chapter. They will then be visible in the Microsoft Defender for Cloud inventory, just like any other protected resource.

Direct Onboarding

If you are not ready to move your servers to Microsoft Azure or manage them with Azure Arc, there is another MDE onboarding method available. You can deploy the same onboarding packages or scripts mentioned in a previous chapter.

However, there is one challenge with these servers. In the past, we could license them with a specific Microsoft Defender for Endpoint for Servers license. Unfortunately, these licenses are no longer available for purchase, unless you’re using Microsoft Defender for Business. But don’t worry, Microsoft has introduced a new feature called Direct Onboarding into Microsoft Defender for Cloud.

We can enable this feature directly from the Microsoft Defender for Cloud portal.

From there, you can enable the direct onboarding feature and select the Azure subscription to use for billing purposes. Keep in mind that enabling this feature activates the Microsoft Defender for Servers Plan 1 license on the subscription, leading to direct monthly billing for usage.

After onboarding the servers in Microsoft Defender for Endpoint, they’ll seamlessly synchronize and appear as visible objects in the Microsoft Defender for Cloud inventory, as shown below. Please note that this process may take up to 24 hours to complete.

Wrap up

Once you’ve successfully onboarded your devices, you’ll instantly spot them in the device asset section within Microsoft Defender. However, if you encounter issues during onboarding, you can use the MDE client analyzer tool to troubleshoot the problem. It will help you identify potential obstacles, such as network connectivity problems, that might be blocking the onboarding process.
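Before reaching for the client analyzer, a quick local check on a Windows device tells you whether the sensor described earlier (the Sense service, MsSense.exe) is running and whether the device has actually completed onboarding. This is an added example, not code from the blog post; it assumes the Status registry key and the DiagTrack dependency that Microsoft’s onboarding troubleshooting guidance refers to, and should be run in an elevated PowerShell session.

```powershell
# Added example (not from the blog post): local health check of the MDE sensor on a
# Windows device that should already be onboarded. Run from an elevated PowerShell.
# Assumptions: 'Sense' is the service name behind "Windows Defender Advanced Threat
# Protection Service" (MsSense.exe), and the Status key below holds OnboardingState/OrgId
# as in Microsoft's troubleshooting guidance. Both are stated here as assumptions.

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-MdeOnboardingStatus {
    $result = [ordered]@{
        SenseServiceState = 'missing'
        SenseStartType    = 'unknown'
        DiagTrackState    = 'missing'   # diagnostic data service the sensor depends on
        OnboardingState   = $null       # 1 = onboarded, 0 or absent = not onboarded
        OrgId             = $null       # tenant the device reported to
        Onboarded         = $false
    }

    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($sense) {
        $result.SenseServiceState = $sense.Status.ToString()
        $result.SenseStartType    = $sense.StartType.ToString()
    }

    $diag = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue
    if ($diag) { $result.DiagTrackState = $diag.Status.ToString() }

    if (Test-Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $result.OnboardingState = $props.OnboardingState
        $result.OrgId           = $props.OrgId
    }

    # Both conditions must hold: the registry says onboarded AND the sensor is alive.
    $result.Onboarded = ($result.OnboardingState -eq 1) -and
                        ($result.SenseServiceState -eq 'Running')
    return [pscustomobject]$result
}

$status = Get-MdeOnboardingStatus
$status | Format-List

if (-not $status.Onboarded) {
    Write-Warning ('Device is not fully onboarded. Typical causes: the onboarding package ' +
        'never ran, the Sense service is stopped or disabled, DiagTrack is stopped, or ' +
        'outbound connectivity to the MDE cloud is blocked. Run the MDE Client Analyzer next.')
    exit 1
}
Write-Host 'MDE sensor is running and the device reports as onboarded.'
```

The OrgId value should match your tenant; a device that shows OnboardingState 1 but a different OrgId was onboarded with a package from another tenant.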

Keep in mind that onboarding devices is just the first step. It’s essential to configure the product itself with proper protection settings, including network protection, cloud protection, behavior monitoring, real-time monitoring, security & signature updates, scan schedules, SmartScreen, sample submission, tamper protection, automated remediation and more!

I hope this blog post has helped you find the perfect MDE onboarding method for your organization!

If you have any questions or need further assistance, feel free to ask in the comments!


About the author

Myron Helgering

6 Comments

  1. Simon

    August 5, 2023

    Great post!

  2. John Smith

    August 10, 2023

    Great post, thx. Yesterday I found the returned SKU for Defender for Endpoint (for Servers) in the price list - really it is there since July 2023. How to onboard servers to consume these licenses instead of Azure credit from the direct onboarding method? Simply using the script from security.microsoft.com as it was possible last years?

    • Myron Helgering

      August 10, 2023

      Thank you John, I just checked the August 2023 pricelist, and I don't see them in there anymore, unless you are referring to the Defender for Business server licenses (which are still usable). Anyhow, you can still onboard your servers with a script, but you should use the Direct Onboarding method to license them properly. Check the Microsoft documentation here.

  3. Erik

    November 1, 2023

    Finally a post that describes the steps, thanks! One question remains. If we use the Direct Onboarding method, can we use MDE Security Management (Intune) to send policies to the server?
