Onboard devices and configure Microsoft Defender for Endpoint capabilities

Deploying Microsoft Defender for Endpoint is a two-step process.

  • Onboard devices to the service
  • Configure capabilities of the service

The onboarding and configuration process

Role-based access control

We recommend using Privileged Identity Management to manage your roles to provide additional auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

  • Basic permissions management: Sets permissions to either full access or read-only. Users with global administrator or security administrator roles in Azure Active Directory (Azure AD) have full access. The security reader role has read-only access and doesn’t grant access to view machines/device inventory.
  • Role-based access control (RBAC): Sets granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups.


    Note: Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

We recommend using RBAC to ensure that only users who have a business justification can access Defender for Endpoint.

Onboard devices to the service

You’ll need to go to the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you’ll be guided through the appropriate steps and offered the management and deployment tool options suitable for that device.

To onboard devices to the service:

  • Verify that the device fulfills the minimum requirements (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements)
  • Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
  • Use the appropriate management tool and deployment method for your devices
  • Run a detection test to verify that the devices are properly onboarded and reporting to the service


Onboarding and configuration tool options

The following table lists the available tools based on the endpoint that you need to onboard.

Endpoint: Tool options

  • Windows: Local script (up to 10 devices); Group Policy; Microsoft Intune/Mobile Device Manager; Microsoft Configuration Manager; VDI scripts
  • Windows servers, Linux servers: Integration with Microsoft Defender for Cloud
  • macOS: Local script; Microsoft Intune; Mobile Device Management
  • Linux servers: Local script
  • Android: Microsoft Intune
  • iOS: Microsoft Intune; Mobile Application Manager


For devices that aren’t managed by Microsoft Intune or Microsoft Configuration Manager, you can use the Security Management for Microsoft Defender for Endpoint to receive security configurations for Microsoft Defender directly from Intune.

Configure capabilities of the service

Onboarding devices effectively enables the endpoint detection and response capability of Microsoft Defender for Endpoint.

After onboarding the devices, you’ll then need to configure the other capabilities of the service. The following table lists the capabilities you can configure to get the best protection for your environment.

Capability: Description

  • Configure Microsoft Defender Vulnerability Management (MDVM): Defender Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including:
      – Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
      – Invaluable device vulnerability context during incident investigations.
      – Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.

  • Configure Next-generation protection (NGP): Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
      – Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
      – Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as “real-time protection”).
      – Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research.

  • Configure attack surface reduction (ASR): Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats.

  • Configure Auto Investigation & Remediation (AIR) capabilities: Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.

  • Configure Microsoft Defender Experts capabilities: Microsoft Defender Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
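
The following PowerShell is an added example, not part of the original page. It complements the onboarding verification step and the next-generation protection and ASR rows above by reading local state on a Windows device. The Sense service name, the registry path, and the Get-MpComputerStatus and Get-MpPreference cmdlets do not appear on this page. The example assumes a Windows device with the Microsoft Defender Antivirus PowerShell module available, and the 7-day signature threshold is an assumed policy value.

```powershell
# Added example (not from the original page). Read-only; run in an elevated
# PowerShell session on an onboarded Windows device.
function Get-MdeLocalStatus {
    # EDR sensor: the Sense service should be running and OnboardingState should be 1.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $reg   = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # Next-generation protection: Microsoft Defender Antivirus status and preferences.
    $av   = Get-MpComputerStatus
    $pref = Get-MpPreference

    # ASR rule IDs and actions are parallel arrays; both stay empty when no rule is set.
    # Action values: 0 = disabled, 1 = block, 2 = audit, 6 = warn.
    $ids = @(); $actions = @()
    if ($pref.AttackSurfaceReductionRules_Ids) {
        $ids     = @($pref.AttackSurfaceReductionRules_Ids)
        $actions = @($pref.AttackSurfaceReductionRules_Actions)
    }

    [pscustomobject]@{
        SenseServiceRunning = ($null -ne $sense -and $sense.Status -eq 'Running')
        Onboarded           = ($null -ne $reg -and $reg.OnboardingState -eq 1)
        RealTimeProtection  = [bool]$av.RealTimeProtectionEnabled
        BehaviorMonitoring  = [bool]$av.BehaviorMonitorEnabled
        # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced.
        CloudProtection     = ($pref.MAPSReporting -in 1, 2)
        SignatureAgeDays    = $av.AntivirusSignatureAge
        AsrRulesConfigured  = $ids.Count
        AsrRulesInBlockMode = @($actions | Where-Object { $_ -eq 1 }).Count
    }
}

$status = Get-MdeLocalStatus
$status | Format-List

# Collect failed checks. The 7-day signature threshold is an assumed policy value.
$failed = @()
if (-not $status.SenseServiceRunning)  { $failed += 'Sense service is not running' }
if (-not $status.Onboarded)            { $failed += 'OnboardingState is not 1' }
if (-not $status.RealTimeProtection)   { $failed += 'Real-time protection is off' }
if (-not $status.BehaviorMonitoring)   { $failed += 'Behavior monitoring is off' }
if (-not $status.CloudProtection)      { $failed += 'Cloud-delivered protection is off' }
if ($status.SignatureAgeDays -gt 7)    { $failed += 'Protection updates older than 7 days' }
if ($status.AsrRulesInBlockMode -eq 0) { $failed += 'No ASR rule is in block mode' }

if ($failed.Count -eq 0) { 'All local checks passed.' } else { $failed }
```

A device can pass every local check and still not appear in the portal, so the detection test in the onboarding steps remains the end-to-end confirmation that the device is reporting to the service.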