Professional Documents
Culture Documents
Deploy An Endpoint Detection and Response (EDR) Solution With Microsoft
Deploy An Endpoint Detection and Response (EDR) Solution With Microsoft
Page 1
Microsoft Endpoint Manager is a unified endpoint management and security platform, including the features and functionality
delivered by Configuration Manager and Microsoft Intune
Win 10, Android, iOS, Linux & macOS Win 10, Android, iOS, Linux& macOS Win 10 & Windows Server
We recommend onboarding, configuring, and remediating endpoints from the cloud with We recommend this architecture for organizations that host both on-premises and cloud-
Microsoft Intune for enterprises that don’t have an on-premises configuration management based workloads. ConfigMgr and Intune provide integrated cloud-powered management
solution or whom are trying to reduce their current on-premises infrastructure footprint tools, and unique co-management options to provision, deploy, manage, and secure
endpoints and applications across an organization.
Manually export
onboarding files
Defender for Defender for
ConfigMgr Endpoint Endpoint
Manually
Onboarding, configuration Manually export EDR
export group
and remediation Local scripts
policy objects EDR
Win 10 & Windows Server Win 10 & Windows Server Win 10, Android, iOS, Linux & macOS
We recommend this architecture for enterprises that want to maximize their investments in We recommend this architecture for SOCs that are looking to evaluate or run a Microsoft
Configuration Manager or Active Directory Domain Services while still leveraging the cloud- Defender for Endpoint pilot, but haven’t invested in management or deployment tools. This
based power of Microsoft Defender for Endpoint. architecture may also be used to onboard devices that are in small environments without
management infrastructure (for example, a DMZ)
September 2021 © 2021 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Deploy an endpoint detection and This topic is 2 of 6
Intune
7 To verify that the devices are properly onboarded and reporting, run Managed Internet
a detection test on the newly onboarded devices (commands can be
found in the Microsoft Defender Security Center settings under Win 10, Android, iOS, Linux & macOS
Onboarding)
Prepare
1. Assess your infrastructure: 2. Choose compatible platforms: 3. Assess application compatibility: 4. Choose the right architecture:
including network proxy including Windows 10, macOSX, including supported browsers, use the cloud-only, Microsoft Intune
configurations, internet connectivity iOS, Linux, and Android. Ensure diagnostic data settings, Microsoft approach if you don’t have existing
to endpoints, deployment and that they are both supported by Defender for Endpoint agents for management and deployment tools
management tools, and hosting Microsoft Defender for Endpoint non-Windows devices, and the capable of supporting Microsoft
environments. and that your enterprise’s coexistence of existing endpoint Defender for Endpoint or if your are
deployment and management security solutions. trying to reduce your total cost of
tools can perform onboarding and ownership and datacenter footprint.
remediation tasks.
Setup
1. Identify pilot users and 2. Procure and assign Microsoft 3. Setup Microsoft Defender 4. Connect Intune and Microsoft
platforms: identify the users Intune and Defender for Endpoint Security Center: complete the Defender Security Center:
and platforms that you want to licensing: Ensure that the initial setup wizard in the Microsoft ensure that Microsoft Intune
participate in the pilot and prepare appropriate Defender for Endpoint Defender Security Center which connection is turned on in the
their devices by ensuring they have and Intune licensing has been includes role-based access control Microsoft Defender Security
internet connectivity (see public procured (see public guidance or (RBAC), data retention policies, Center and download onboarding
guidance for proxy URLs), diagnostic contact a licensing specialist) and organizational size, geographical packages for any non-Windows
data settings enabled (Windows assign it to user’s participating in storage locations, and the option to devices
devices), and licensed operating the pilot through Azure Active use preview features
systems Directory
Onboard
1. Onboard pilot devices: Optional: 2. Verify onboarding was 3. Run Microsoft 4. Conduct an
create a device create compliance successful: Defender for Endpoint’s enterprise rollout:
configuration policy in policies in Microsoft on the first devices evaluation tutorial: sign onboard the rest of
Microsoft Intune using the Intune to determine an onboarded, run a in to Microsoft Defender your enterprise’s
Microsoft Defender for acceptable risk level to detection test to ensure for Endpoint security devices and see topic 6
Endpoint (Windows 10 allow and then create that the device is Center and use the to start adopting the
Desktop) profile type conditional access communicating with the Evaluation and Simulation full suite of Microsoft
policies to block access Microsoft Defender for tab to evaluate the Defender for Endpoint
to corporate resources Endpoint service (see product and familiarize services
if a device is determined instructions in Microsoft security administrators
to be non-compliant Defender Security Center) and operators
September 2021 © 2021 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Deploy an endpoint detection and This topic is 3 of 6
Onboard devices to Microsoft Defender for Endpoint using Microsoft Intune and Configuration Manager
Sign in to the Azure Portal configure automatic enrollment for Intune by configuring
1 the MDM User Scope in Azure Active Directory
Assign Intune licenses to users in Azure Active Directory and ensure their devices are
1 2
2 enrolled
Admin Azure Active
Choose which workloads you want to be managed by Microsoft Intune and switch Directory
3 them in the Configuration Manager co-management node
Install the Configuration Manager agent on new devices that are auto-enrolled into
4a Azure AD (see public guidance on setting up co-management and ensure that Azure 6 5
AD Connect is configured for hybrid Azure AD)
Admin Admin
Configure Windows 10 devices that are already Configuration Manager clients to be
4b hybrid Azure AD-joined, and enroll them in Intune
5 Sign in to the Microsoft Defender Security Center and complete the initial setup
wizard
7
Sign in to the Microsoft Endpoint Manager admin center and navigate to Open the
6 Microsoft Defender Security Center to connect to the Microsoft Defender for
Microsoft Intune
connection
Endpoint service Microsoft for onboarding and Defender for
risk assessment
In the Microsoft Defender Security Center, turn on the Microsoft Intune connection
Intune 3 Endpoint
7 setting 4b
8b Onboarding, configuration 8a Manually
Export
and remediation ConfigMgr Onboarding
In the Microsoft Defender Security Center, go to Onboarding under settings,
8a
Onboarding, EDR
files
configuration and
download a System Center Configuration Manager package, and import it into your remediation
Configuration Manager environment 4a Co-managed ConfigMgr
Onboarded
9 Managed Internet
Devices
In the Microsoft Endpoint Manager admin center, create a device configuration policy
8b using the Microsoft Defender for Endpoint (Windows 10 Desktop) profile type
Win 10, Android, iOS, Linux & macOS Win 10 & Windows Server
(please note that non-Windows devices require an installation package that must be
downloaded from the Microsoft Defender Security Center)
9 To verify that the devices are properly onboarded and reporting, run a detection test on the newly onboarded devices (commands can be found in the Microsoft Defender Security Center
settings under Onboarding)
Prepare
1. Assess your infrastructure: including 2. Choose compatible platforms: 3. Assess application compatibility: 4. Choose the right architecture: use
network proxy configurations, internet including Windows 10, Windows Server, including supported browsers, diagnostic the co-management architecture if you
connectivity to endpoints, deployment and macOSX, and Android. Ensure that they data settings, Microsoft Defender for manage both on-premises and cloud-
management tools, and hosting are both supported by Microsoft Endpoint agents for non-Windows devices, native workloads and want more
environments. Defender for Endpoint and that your and the coexistence of existing endpoint platform and management flexibility.
enterprise’s deployment and security solutions.
management tools can perform
onboarding and remediation tasks.
Setup
1. Identify pilot users and platforms: 2. Procure and assign Microsoft 3. Choose Microsoft Intune managed 4a. Set up new, internet-based
identify the users and platforms that you Intune and Defender for Endpoint workloads: configure selected services to devices: install the Configuration
want to participate in the pilot and prepare licensing: ensure that the appropriate use Microsoft Intune in the Configuration Manager agent on new devices that are
their devices by ensuring they have internet Defender for Endpoint and Intune Manager co-management node auto-enrolled into Azure AD
connectivity (see public guidance for proxy licensing has been procured (see public
URLs), diagnostic data settings enabled guidance or contact a licensing
(Windows devices), and licensed operating specialist) and assign it to user’s
systems participating in the pilot through Azure
Active Directory
4b. Set up existing Configuration 5. Setup Microsoft Defender Security 6. Connect Intune and Microsoft
Manager devices: configure Windows 10 Center: complete the initial setup wizard Defender Security Center: ensure that
devices that are already Configuration in the Microsoft Defender Security Center Microsoft Intune connection is turned on in
Manager clients to be hybrid Azure AD- which includes role-based access control the Microsoft Defender Security Center and
joined, and enroll them in Intune (see (RBAC), data retention policies, download onboarding packages for any
public guidance on setting up co- organizational size, geographical storage non-Windows devices
management and ensure that Azure AD locations, and the option to use preview
Connect is configured for hybrid Azure AD) features
Onboard
1. Onboard Configuration 2. Onboard Intune pilot Optional: create 3. Verify onboarding 4. Run Microsoft 5. Conduct an enterprise
Manager pilot devices: devices: create a device compliance policies in was successful: on the Defender for Endpoint’s rollout: onboard the rest
download a Configuration configuration policy in Microsoft Intune to first devices onboarded, evaluation tutorial: sign of your enterprise’s devices
Manager installation Microsoft Intune using determine an acceptable run a detection test to in to Microsoft Defender and see topic 6 to start
package from the the Microsoft Defender risk level to allow and ensure that the device is for Endpoint security adopting the full suite of
Microsoft Defender for Endpoint (Windows then create conditional communicating with the Center and use the Microsoft Defender for
Security Center and import 10 Desktop) profile type access policies to block Microsoft Defender for Evaluation and Simulation Endpoint services
it into your configuration access to corporate Endpoint service (see tab to evaluate the
manager environment resources if a device is instructions in Microsoft product and familiarize
determined to be non- Defender Security Center) security administrators
compliant and operators
September 2021 © 2021 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Deploy an endpoint detection and This topic is 4 of 6
Onboard devices to Microsoft Defender for Endpoint using Configuration Manager or Group Policy Objects
Group Policy
4 To verify that the devices are properly onboarded and reporting, run CofigMgr
Managed Managed
Onboarded
found in the Microsoft Defender Security Center settings under Win 10 & Win 10 &
Onboarding) Windows Windows
Server Server
Prepare
1. Assess your infrastructure: including 2. Choose compatible platforms: 3. Assess application compatibility: 4. Choose the right architecture: use
network proxy configurations, internet including Windows 10 and Windows including supported browsers, diagnostic the on-premises architecture to
connectivity to endpoints, deployment Server. Ensure that they are both data settings, Microsoft Defender for maximize investments in Configuration
and management tools, and hosting supported by Microsoft Defender for Endpoint agents for non-Windows devices, Manager or Active Directory Domain
environments. Endpoint and that your enterprise’s and the coexistence of existing endpoint Services while still leveraging the cloud-
deployment and management tools can security solutions. based power of Microsoft Defender for
perform onboarding and remediation Endpoint.
tasks.
Setup
1. Identify pilot users and platforms: 2. Procure and assign Defender for 3a. Set up Configuration Manager 4. Set up Microsoft Defender Security
identify the users and platforms that you Endpoint licensing: ensure that the devices: ensure that devices are Center: complete the initial setup wizard in
want to participate in the pilot and prepare appropriate Defender for Endpoint communicating the Configuration Manager the Microsoft Defender Security Center
their devices by ensuring they have internet licensing has been procured (see public service via an agent and if necessary, create which includes role-based access control
connectivity (see public guidance for proxy guidance or contact a licensing device collections to control which devices (RBAC), data retention policies,
URLs), diagnostic data settings enabled specialist) get onboarded to the Microsoft Defender organizational size, geographical storage
(Windows devices), and licensed operating for Endpoint service first locations, and the option to use preview
systems features
3b. Set up group policy managed
devices: ensure that the devices are
domain-joined to an Active Directory
Domain Services domain and receiving
policy from a domain controller
Onboard
1. Onboard Configuration 2. Onboard group policy 3. Verify onboarding 4. Run a detection test on 5. Run Microsoft Defender 6. Conduct an enterprise
Manager pilot devices: pilot devices: download was successful: on the each type of platform: on for Endpoint’s evaluation rollout: onboard the rest
download a Configuration the group policy installation first devices onboarded, the first devices onboarded, tutorial: sign in to Microsoft of your enterprise’s devices
Manager installation package from the Microsoft run a detection test to run a detection test to Defender Security Center and see topic 6 to start
package from the Defender Security Center, ensure that the device is ensure that the device is and use the Evaluation and adopting the full suite of
Microsoft Defender create a group policy object communicating with the communicating with the Simulation tab to evaluate Microsoft Defender for
Security Center and import with a scheduled task, and Microsoft Defender for Microsoft Defender for the product and familiarize Endpoint services
it into your configuration run the onboarding Endpoint service (see Endpoint service (see security administrators and
manager environment command file as a program instructions in Microsoft instructions in Microsoft operators
to filter, pilot devices Defender Security Center) Defender Security Center)
September 2021 © 2021 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Deploy an endpoint detection and This topic is 5 of 6
Onboard devices to Microsoft Defender for Endpoint using Configuration Manager or Group Policy Objects
4 To verify that the devices are properly onboarded and reporting, run
a detection test on the newly onboarded devices (commands can be
found in the Microsoft Defender Security Center settings under Manually export
Local scripts
Onboarding ) EDR
Unmanaged Internet
Prepare
1. Assess your infrastructure: 2. Choose compatible platforms: 3. Assess application compatibility: 4. Choose the right architecture:
including network proxy including Windows 10, Windows including supported browsers, use the evaluation and local
configurations, internet connectivity to Server, macOSX, and Android. diagnostic data settings, Microsoft onboarding architecture to conduct
endpoints, deployment and Ensure that they are both supported Defender for Endpoint agents for non- a minimally invasive evaluation of
management tools, and hosting by Defender for Endpoint and that Windows devices, Microsoft Defender for Endpoint
environments. your enterprise’s deployment and and the coexistence of existing or to deploy to small, specialized
management tools can perform endpoint security solutions. environments without a robust
onboarding and remediation tasks. management solution (e.g., a DMZ)
Setup
1. Identify pilot users and platforms: 3. Set up Microsoft Defender Security Center: complete the initial setup wizard
identify the users and platforms that you want to participate in the pilot and in the Microsoft Defender Security Center which includes role-based access control
prepare their devices by ensuring they have internet connectivity (see public (RBAC), data retention policies, organizational size, geographical storage locations,
guidance for proxy URLs), diagnostic data settings enabled (Windows devices), and the option to use preview features
and licensed operating systems
2. Procure and assign Defender for Endpoint licensing: ensure that the
appropriate Defender for Endpoint licensing has been procured (see public
guidance or contact licensing specialist)
Onboard
1. Onboard pilot devices: download a local script installation package from the 4. Run Microsoft Defender for Endpoint’s evaluation tutorial: sign in to
Microsoft Defender Security Center and run it locally on the devices you want to Microsoft Defender Security Center and use the Evaluation and Simulation tab to
onboard evaluate the product and familiarize security administrators and operators
2. Verify onboarding was successful: on the first devices onboarded, run a 5. Conduct an enterprise rollout: onboard the rest of your enterprise’s devices
detection test to ensure that the device is communicating with the Microsoft using a scalable deployment method (local scripts are restricted to 10 devices each)
Defender for Endpoint service (see instructions in Microsoft Defender Security and see topic 6 to start adopting the full suite of Defender for Endpoint services
Center)
3. Run a detection test on each type of platform: on the first devices
onboarded, run a detection test to ensure that the device is communicating
with the Microsoft Defender for Endpoint service (see instructions in Microsoft
Defender Security Center)
September 2021 © 2021 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Deploy an endpoint detection and This topic is 6 of 6
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made
it past the first two security pillars. Advanced hunting provides a query-based threat-hunting tool that lets you proactively find breaches
and create custom detections.
Adoption Rank Order: 1
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint
vulnerabilities and misconfigurations. Threat & Vulnerability Management also includes Configuration Score. Configuration score gives you
visibility and control over the security posture of your organization based on security best practices. High configuration score means your
endpoints are more resilient from cybersecurity threat attacks.
Adoption Rank Order: 2
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers,
and servers.
Adoption Rank Order: 3
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly
set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also
includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs.
Adoption Rank Order: 4
Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated
individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as
playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing
security operations experts to focus on more sophisticated threats and other high value initiatives.
Adoption Rank Order: Not applicable
Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context
and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
Adoption Rank Order: Not applicable
September 2021 © 2021 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.