
Configure Defender for Endpoint

Microsoft Defender for Endpoint configuration is applicable tenant-wide (which means all
devices enrolled in the tenant to Defender for Endpoint). The configuration is part of the
Microsoft 365 product and is available via security.microsoft.com.

Part of the online security.microsoft.com configuration:

Microsoft 365 Defender

- Email notification
- Preview features
- Streaming API
- Permissions and roles
- Alert tuning

Microsoft Defender for Endpoint

- General
- Data retention
- Email notifications
- Advanced features (service features)
- Auto remediation

- Permissions
- Roles
- Device groups

- Rules
- Alert suppression
- Indicators
- Process Memory Indicators
- Web content filtering
- Automation uploads
- Automation folder exclusions

- Configuration management
- Enforcement scope

- Network assessments
- Assessment jobs

Microsoft Defender for Endpoint contains a large set of features that can be configured directly
from the cloud portal. It is critical to confirm that Defender for Endpoint is configured with the
right decisions, so that endpoints are completely protected and use all of the available
protection features. Let's start some deep-diving into the available Defender for Endpoint
features.

1|ADNAN

Email notifications
Defender for Endpoint supports email notifications, but they only cover the Defender for
Endpoint source. Email notifications can be configured for Alerts and Vulnerabilities. In my
opinion the alert email notifications of Defender for Endpoint are not the best choice; the
notifications in Microsoft 365 Defender give more flexibility and integrate with the other
Microsoft 365 Defender sources.

Notifications in Microsoft 365 Defender are configured via security.microsoft.com -> Settings ->
Microsoft 365 Defender -> Email notifications. Alerting via Microsoft 365 Defender is applicable
to incidents.

When there is a preference to use notifications for vulnerabilities, use the Email notification
configuration in Defender for Endpoint. With vulnerability emails it is possible to send
automated emails when new vulnerabilities affect organization assets (for example, when the
severity threshold is critical/CVSS 9.0 and a new public exploit is available).

Advanced features
Advanced Features are important for using most of the protection features and integration with
other features like Microsoft Endpoint Manager. Currently, there are many advanced features
and some of them are critical for the best EDR/protection posture.

Automated investigation
Automated investigation enables various inspection algorithms and is designed to take immediate
actions to resolve breaches and start automated investigations. To get automated investigation
and response (AIR) capabilities, the feature needs to be enabled. Based on device groups the level
of remediation can be configured. When something is detected, AIR automatically cleans the
system of the artifacts found (such as created executables, registry keys, and scheduled tasks).

Note: enable this feature and make remediation exceptions based on device groups when needed.

Live Response/ Live Response for Servers

Live Response is an MDE capability that gives security team members immediate remote console
access to a device. This provides the ability to perform in-depth investigation, hunt for data,
and do further analysis. Live Response can also be combined with device isolation to contain
the potential attack during investigations.

Note: enable this feature, but be careful with the permissions, since it is possible to run
"custom" PowerShell scripts.

Live Response unsigned script execution

Live Response unsigned script execution enables the option to run unsigned PowerShell scripts
in Live Response. Allowing the use of unsigned scripts directly from Live Response may increase
your exposure to threats.

Note: only use the feature when there are no alternatives; ideally PowerShell scripts are
correctly signed.

Restrict correlation within scoped device groups
This configuration can be used for scenarios where local SOC operations would like to limit alert
correlation to their own device groups. By turning on this setting, an incident composed of
alerts that cross device groups is no longer treated as a single incident. SOC teams can still
view the alerts; however, the global SOC will see several different incidents per device group
instead of one incident for all device groups.

Advice: Only enable this when there is a benefit for incident correlation across the
organization. Changing this setting only affects future alert correlation; existing alerts are
not affected after the change.

Enable EDR in block mode

When a third-party AV is in use and Defender for Endpoint runs in EDR in block mode, Defender
overrides the third-party AV and cleans detected items. The primary purpose of EDR in block mode
is to remediate post-breach detections that were missed by a non-Microsoft antivirus product.

Enabled via Advanced Features, the configuration is pushed to all supported onboarded systems.
Since version 4.18.2202.x it is possible to enable EDR in block mode for specific devices using
Intune CSPs.

Note: The value of this feature lies mostly in the combination with a 3rd party AV solution, and
it is recommended when endpoints are moving into passive mode/ EDR in block mode. There is no
downside to having this feature enabled; it works as a post-breach fallback when Defender is not
running in active mode, or when attackers install another AV solution to bypass Defender AV
protections. When deploying Defender for Endpoint in combination with other products, always
confirm on a small set of devices whether there are unwanted blocks.

Automatically resolve alerts


This one is interesting and depends on the needs and size of the environment/ customer.
Automatically resolving alerts works in combination with the Automated Investigation feature:
when the automated investigation cleans up the alert, it is closed automatically by automation.

Note: There is one major reason for enabling this feature: when using device risk-based
conditional access, it gets users back online faster. The downside: Microsoft resolves the alerts
automatically, which in large environments makes the alert "hidden" in the resolved history.
Where malware is cleaned up, it may require some more investigation to track the initial action
and do an in-depth investigation. Based on personal preference, the following is my advice:

Do you have the resources to track all incidents manually? Then disable the feature and check
each incident more in-depth (don't trust Microsoft completely). For smaller organizations it is
possible to automatically close the alerts that are cleaned by Automated Investigation and give
more attention to the real ones. When enabled, always track the action center history weekly. If
a security operations analyst manually sets the status of an alert to "In progress" or
"Resolved", the auto-resolve capability will not overwrite it.

Allow or block file

When Defender Antivirus is running in active mode and cloud-based protection is enabled, it is
possible to block potentially malicious files from being read, written, or executed. When this
advanced feature is enabled, there is the option to add custom hashes via indicators. Indicators
can be completely scoped to specific device groups.

Note: Enable the feature; it is useful for blocking or whitelisting files centrally from Defender
for Endpoint. The Allow or block file feature can be used for allowing hash values as well.
Indicators can be completely scoped to specific machine groups.

Custom network indicators

Custom network indicators are needed for blocking specific network indicators (IP addresses,
domains, or URLs) added via the Defender for Endpoint Indicators. To use this feature, network
protection in block mode is required. Web protection is built on top of the custom network
indicators.

Advice: Enable the feature; it is useful for blocking network indicators or whitelisting specific
websites. Indicators can be completely scoped to specific machine groups.

Tamper protection
Tamper Protection is critical in protection against attacks. Tamper Protection in Defender for
Endpoint protects organizations from unwanted changes in the Defender configuration by
unauthorized users. Tamper Protection prevents malicious actors from changing protection
features. By default (without Tamper Protection), a local administrator can disable Microsoft
Defender Antivirus.

During cyber attacks, bad actors are trying to disable security features, such as virus and threat
protection and real-time /behavior monitoring.

Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values,
and prevents configured security settings from being changed through apps and other methods
such as:

- Registry Editor
- PowerShell cmdlets
- Group Policy

When enabled via Advanced Features Tamper Protection is globally enabled for all supported
machines. Tamper Protection via Advanced Features requires dependency on cloud-delivered
protection. Since Defender platform version 4.18.2111.5, if cloud-delivered protection is not
turned on and Tamper Protection is enabled, it will automatically enable cloud-delivered
protection.

It is possible to start configuring Tamper Protection via MEM/Intune during the initial
deployment and switch directly to the global enablement after the initial deployment. For servers
Tenant Attach is required for enforcing Tamper Protection from Intune.

When Tamper Protection is enabled globally it is possible to overwrite Tamper Protection using
Intune for disabling Tamper Protection.

Note: Configuring from the portal is recommended for all supported devices; my advice is to
enable Tamper Protection via the portal and not only in MECM or Intune. Ideally configure both
for the best protection state.

In my opinion tamper protection must always be enabled. The new troubleshooting mode can be
used during troubleshooting situations to temporarily disable the features. Sometimes customers
like to disable Microsoft Defender during troubleshooting and therefore do not configure Tamper
Protection, which leaves a security gap. The new troubleshooting mode addresses this request and
gives teams more flexibility. View the in-depth troubleshooting blog here.

Microsoft docs: Protect security settings with tamper protection

Recently Microsoft added the feature "Tamper protection for exclusions". With this new feature,
there is more control over exclusions.

When tamper protection is combined with the DisableLocalAdminMerge setting, the exclusions and
DisableLocalAdminMerge itself are protected by tamper protection. This means that any exclusions
configured by other processes are explicitly ignored and only the intended exclusions apply on
the device.

Check the registry key:

HKLM\SOFTWARE\Microsoft\Windows Defender\Features, value TPExclusions

to confirm that the feature is enabled. A value of 1 means the exclusions are protected and the
functionality is correctly enabled.
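As an added example (not code from the original post), the following PowerShell reads the local Defender state that the EDR in block mode, Custom network indicators and Tamper protection sections above depend on, and flags the gaps a defender would want to know about. Property names are those returned by Get-MpComputerStatus and Get-MpPreference; DisableLocalAdminMerge only appears on newer Defender platform versions, and the Features\TPExclusions registry value is the one named above. The script is read-only and changes nothing on the device.

```powershell
# Added example: read-only posture check for the Defender settings discussed above.
# Run in an elevated PowerShell on an onboarded Windows device.

function Get-DefenderPostureReport {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block mode), 2 = AuditMode
    $networkProtection = switch ([int]$pref.EnableNetworkProtection) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { 'Unknown' }
    }

    # TPExclusions = 1 means exclusions are covered by tamper protection
    $featureKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $tp           = Get-ItemProperty -Path $featureKey -Name TPExclusions -ErrorAction SilentlyContinue
    $tpExclusions = if ($null -ne $tp) { [int]$tp.TPExclusions } else { $null }

    [pscustomobject]@{
        # "Normal" = active mode; "Passive Mode", "EDR Block Mode" or "SxS Passive Mode" otherwise
        AMRunningMode          = $status.AMRunningMode
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        TamperProtected        = $status.IsTamperProtected
        # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced (cloud-delivered protection)
        CloudProtection        = ([int]$pref.MAPSReporting -ne 0)
        NetworkProtection      = $networkProtection
        # Only present on newer platform versions; $null when the property is missing
        DisableLocalAdminMerge = $pref.DisableLocalAdminMerge
        TPExclusions           = $tpExclusions
    }
}

function Get-DefenderPostureFindings {
    param([Parameter(Mandatory)] $Report)
    [array]$findings = @()
    if (-not $Report.TamperProtected) {
        $findings += 'Tamper protection is off: a local admin can disable Defender AV.'
    }
    if (-not $Report.CloudProtection) {
        $findings += 'Cloud-delivered protection is off: tamper protection and Allow/block file indicators rely on it.'
    }
    if ($Report.NetworkProtection -ne 'Enabled') {
        $findings += "Network protection is $($Report.NetworkProtection): custom network indicators will not block."
    }
    if ($Report.AMRunningMode -ne 'Normal' -and $Report.AMRunningMode -ne 'EDR Block Mode') {
        $findings += "Defender AV runs in '$($Report.AMRunningMode)': consider EDR in block mode as post-breach fallback."
    }
    if ($Report.TPExclusions -ne 1) {
        $findings += 'TPExclusions is not 1: exclusions are not covered by tamper protection.'
    }
    return $findings
}

$report = Get-DefenderPostureReport
$report | Format-List
[array]$findings = Get-DefenderPostureFindings -Report $report
if ($findings.Count -eq 0) { 'No gaps found.' } else { $findings }
```

Running it on a pilot set of devices before and after switching the portal toggles is a quick way to confirm the cloud configuration actually landed on the endpoint.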

Microsoft Defender for Identity integration

The integration with Microsoft Defender for Identity receives enriched user and device data from
Defender for Identity and forwards Defender for Endpoint signals to it. In both products this
gives better visibility, additional detections, and more efficient investigations.

Advice: Always enable it when the license is available for Defender for Identity. There is
no downside to having this feature enabled when Defender for Identity is available.

Update January 2023: Integration is not needed anymore; Defender for Identity is part of
Microsoft 365 Defender and is already enabled as part of the Microsoft 365 Defender
integration.

Show user details

When this feature is enabled, the user details stored in Azure Active Directory are visible in
Microsoft Defender. Details include a user's picture, name, title, and department information
when investigating user account entities. Personal information is available in the following
dashboards:

- Security operations dashboard
- Alert queue
- Device details page

Advice: Enable when there is no specific reason for disablement.

Office 365 Threat Intelligence connection

The Office 365 Threat Intelligence connection is available when Office 365 E5 or the Threat
Intelligence add-on is available. When enabled, data from Defender for Office 365 is available in
Defender for Endpoint.

Note: Additional configuration is required from the Security & Compliance dashboard.

Note: Always enable it when the license is available. There is no downside to having this feature
enabled.

Update January 2023: Integration is not needed anymore; Defender for Office is part of
Microsoft Defender 365.

Microsoft Defender for Cloud Apps

This feature/ integration will be discussed later in this series during the integration part.

Web content filtering

This feature will be discussed later in this series.

Download quarantined files

Downloading quarantined files allows security teams to download quarantined files using the
"Download file" button. All quarantined files will be collected and stored in a secure location.

Note: This feature will benefit Security Admins and SecOps teams during an investigation, by
permitting them to download the quarantined files directly from the portal, without any end-user
involvement.

Share endpoint alerts with Microsoft Purview Compliance Center

Forwards endpoint security alerts and their triage status to the Microsoft Purview compliance
portal, which allows users to exchange insider risk management policies.

Note: Enable and only disable when compliance sharing is not allowed with Microsoft Purview
Compliance Center based on legal reasons.

Authenticated telemetry

Authenticated telemetry prevents spoofed telemetry from being sent into Defender for Endpoint.

Note: Always enable; it gives protection against telemetry spoofing.

Microsoft Intune connection

This feature/ integration will be discussed later in this series during the onboarding part.

Device discovery

This feature will be discussed later in this series.

Preview features
When enabled, the Defender for Endpoint tenant receives new improvements and features earlier.
All preview features released in public preview are fully supported by Microsoft.

The preview versions are provided with a standard support level and can be used in production
environments. When enabled, the features will be enabled for the generally available (GA)
release.

Note: It depends on the environment; some environments only use General Availability features.
Personally, I usually activate the preview features to get hands-on experience with new features
sooner. Based on multiple years of experience, I have never had critical issues caused by preview
features.

Endpoint Attack Notification

Endpoint Attack Notification is part of Microsoft Threat Experts. Endpoint Attack Notifications
provide proactive hunting based on real Microsoft Defender data. Enabling endpoint attack
notifications is recommended. These notifications show up as a new alert.

Endpoint Attack Notification is free when you apply and are approved. You can apply from
security.microsoft.com -> From the navigation pane, go to Settings > General > Advanced
features > Endpoint Attack Notification.

Advice: Enable when possible; Endpoint Attack Notifications add interesting threat information,
including proactive hunting based on real Microsoft Defender data.

Permissions – Roles
Correct admin roles, permissions, and assigned Azure Active Directory groups are important for
the tier-based/ role-based access model to assign and authorize access to different teams.

Defender for Endpoint supports different ways and options from basic permissions up to
advanced permissions.

When configuring Defender for Endpoint for the first time it is based on basic permissions using
the following built-in AAD roles:

| Group                  | AAD built-in role | Permissions in MDE |
|------------------------|-------------------|--------------------|
| Security Administrator | Yes               | Full access        |
| Global Administrator   | Yes               | Full access        |
| Security Reader        | Yes               | Read-only access   |
| Global Reader          | Yes               | Read-only access   |

Currently, there are two ways of enabling RBAC roles within Defender for Endpoint. In the
product itself, there is a roles feature. It is recommended to use the new Defender 365 unified
RBAC. With the use of unified RBAC it is possible to create roles across all products.

Roles in Microsoft 365 Defender (Unified RBAC)

Recently Microsoft announced the new unified role-based access feature. With the new unified
RBAC, it is possible to enable roles with more permissions for other security apps.
See: Defender unified RBAC

With the Microsoft 365 Defender RBAC model it is possible to use the existing permissions in
the unified RBAC models. With this, it is possible to use single roles for access in Defender for
Endpoint, Defender for Office 365, Defender for Identity, and more.

Microsoft explained the mapping between the Microsoft 365 Defender RBAC permissions
within the existing RBAC permissions. See: Map Microsoft 365 Defender RBAC permissions to
existing RBAC permissions

Unified RBAC is available via Microsoft 365 Defender and is currently supported for
Endpoint/ Email & collaboration and Identity.

Roles in Defender for Endpoint

Personally, I prefer to use the Unified RBAC across Microsoft 365 Defender, since this RBAC
feature is more ready for the complete EDR/XDR experience. The Defender for Endpoint standalone
RBAC is available via the following method:

Enabling the role-based access control (RBAC) feature is possible in Defender using the button
"Turn on roles" in the Roles section.

For each role the permissions can be configured. For example, allow Tier 1 – Local support
(Servicedesk) to view data in security operations and threat and vulnerability management,
where Tier 2 – Regional/Opco security operations teams are allowed to view data and manage
active remediation actions, exception handling, alert investigations, and basic live response
capabilities.

Click on Assigned user groups to attach Azure AD groups.

Permissions – Device Groups

Device groups are, in my personal opinion, critical in Defender for Endpoint environments, for
the following reasons:

- RBAC management: allowing teams to manage only a subset of devices
- Scoping for settings/ policies: deploy policies based on device groups (Web content
  filtering, indicators, hashes, etc.)
- Target groups for Defender for Cloud Apps: device groups can be used for Defender for Cloud
  Apps scoped profiles.
- Configure automation level: allows flexibility for automated remediation
- Filtering in the Defender portal: filtering on device groups in TVM makes it possible to view
  only the TVM recommendations for a specific group (for example domain controllers)
- Visibility for SOC/ SIEM/ Security: direct visibility into different types of servers/
  workstations (Kiosk, WVD, Domain Controller, SQL). Security knows directly that the incident
  is scoped to one of the domain controllers.

You can define a membership rule that uses one or more of the following device attributes:

- Device name
- Device domain
- Device operating system
- Device tag

Device tags can easily be set by registry, PowerShell, API, Logic App, manually, or Intune.
Device attributes can be used for configuring groups based on OS, naming convention, or domain.
It is possible to use the AND operator. For example, we can have a device group called NL
devices with the membership rule: ("Device Name" starts with "NL" AND "OS" = "Windows 10 and
Windows 11").

Devices can only be a member of one device group. Device groups are assigned a rank. When a
device matches more than one group, it is only added to the highest-ranked group. Devices that
do not match any group are added to the Ungrouped devices group. In the example below, Server –
all Windows Servers is the highest-ranked group and Ungrouped devices (default) the lowest.
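As an added example (not from the original post, and not Microsoft's implementation), the following PowerShell models the membership logic described above: each device group is a rank plus a set of AND-ed conditions on device name, domain, OS and tag, and a device lands in the highest-ranked group it matches, or in Ungrouped devices otherwise. The group definitions, operators and device list are constructed sample data; the NL devices rule mirrors the example in the text.

```powershell
# Added example: model of device group membership resolution.
# Rank 1 is the highest rank; the conditions within one group are AND-ed.
# Groups and devices below are constructed sample data, not a real tenant.

$deviceGroups = @(
    @{ Rank = 1; Name = 'Server - all Windows Servers'
       Rules = @(@{ Attribute = 'OS';   Operator = 'StartsWith'; Value = 'Windows Server' }) }
    @{ Rank = 2; Name = 'Domain Controllers'
       Rules = @(@{ Attribute = 'Tag';  Operator = 'Equals';     Value = 'DC' }) }
    @{ Rank = 3; Name = 'NL devices'
       Rules = @(@{ Attribute = 'Name'; Operator = 'StartsWith'; Value = 'NL' },
                 @{ Attribute = 'OS';   Operator = 'In';         Value = @('Windows 10', 'Windows 11') }) }
)

function Test-DeviceRule {
    param($Device, $Rule)
    $actual = [string]$Device[$Rule.Attribute]
    switch ($Rule.Operator) {
        'Equals'     { return $actual -eq $Rule.Value }
        'StartsWith' { return $actual.StartsWith($Rule.Value, [System.StringComparison]::OrdinalIgnoreCase) }
        'Contains'   { return $actual -like "*$($Rule.Value)*" }
        'In'         { return $Rule.Value -contains $actual }
        default      { throw "Unknown operator $($Rule.Operator)" }
    }
}

function Resolve-DeviceGroup {
    param($Device, $Groups)
    # Walk the groups from the highest rank (lowest number) down; the first full match wins
    foreach ($group in ($Groups | Sort-Object Rank)) {
        $allMatch = $true
        foreach ($rule in $group.Rules) {
            if (-not (Test-DeviceRule -Device $Device -Rule $rule)) { $allMatch = $false; break }
        }
        if ($allMatch) { return $group.Name }
    }
    return 'Ungrouped devices'
}

# Constructed devices: NL-DC-01 matches rank 1 and rank 2, so rank 1 wins
$devices = @(
    @{ Name = 'NL-LT-0042';  Domain = 'corp.example'; OS = 'Windows 11';          Tag = '' }
    @{ Name = 'NL-DC-01';    Domain = 'corp.example'; OS = 'Windows Server 2022'; Tag = 'DC' }
    @{ Name = 'US-LT-0007';  Domain = 'corp.example'; OS = 'Windows 10';          Tag = '' }
    @{ Name = 'NL-KIOSK-03'; Domain = 'corp.example'; OS = 'Windows 10';          Tag = 'Kiosk' }
)

foreach ($d in $devices) {
    '{0,-12} -> {1}' -f $d.Name, (Resolve-DeviceGroup -Device $d -Groups $deviceGroups)
}
```

Walking a planned rule set through a model like this before creating the groups in the portal makes it easy to spot devices that would silently end up in a lower-ranked group, or in Ungrouped devices, where the default automation level and RBAC scoping apply.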

User access makes it possible to restrict access for specific groups by selecting the configured
roles. For example, allow only admins in the US to view US-only devices. When configuring User
access it is required to add the group first to one of the roles. When added in the Roles
section it is possible to select the configured group in the device group user access settings.

General – Auto remediation

When configuring device groups in Defender for Endpoint it is possible to select the Auto
remediation level. By default, automated remediation is configured on Full for all devices. When
Automated investigation and remediation (AIR) is enabled on the tenant, Microsoft Defender will
auto-create a remediation action that removes the malicious entity found after investigating
suspicious activity. This process is completely automatic and part of the AIR configuration.
Response actions can be configured using the Auto remediation settings. Based on the automation
level the remediation actions are completely automatic or require manual approval. The following
levels are available:

| Automation level | Explanation |
|---|---|
| No automated response | Devices will not be investigated. |
| Semi – require approval for all folders | Devices are automatically investigated when an alert is received from a detection system, but require approval before any remediation action can be taken. |
| Semi – require approval for non-temp folders | Devices are automatically investigated when an alert is received from a detection system and automatically remediated within temp and download directories; all other remediation actions require approval. |
| Semi – require approval for core folders | Devices are automatically investigated when an alert is received from a detection system and remediated, except for threats identified within core system directories; remediation actions for threats to core system directories require approval. |
| Full – remediate threats automatically | Devices will be automatically investigated and remediated by MDE, without the need for any human intervention. |

Note: use Automation level Full – remediate threats automatically and only make exceptions when
needed. When Full – remediate threats automatically is not possible (critical devices,
POS/Retail, KIOSK) it is recommended to configure one of the Semi automation levels. Don't make
exceptions for the Ungrouped devices (default) group; make the default always Full – remediate
threats automatically.

Onboard Defender for Endpoint

Microsoft Defender for Endpoint can be onboarded using multiple methods, which will be
explained in this part of the series. For customers evaluating Defender for Endpoint, the
evaluation lab can be used for onboarding some machines and testing Defender for Endpoint.

The following tools can be used for Windows:

- Local script (PowerShell)
- Group Policy
- Microsoft Endpoint Manager
- Microsoft Endpoint Configuration Manager
- VDI scripts
- Onboarding using the Defender for Cloud integration

Onboard using Microsoft Intune

When using Windows 10/ 11/ Windows Cloud PC and Intune is already in use, it is recommended to
use that platform for onboarding and configuring Defender for Endpoint. To enable Microsoft
Defender for Endpoint in Intune, the integration between Defender for Endpoint and Intune needs
to be enabled.

Microsoft Defender for Endpoint integrates seamlessly into Intune. You only need to activate the
integration and complete the initial setup.

The following items are needed:

- Enable Defender for Endpoint in the tenant (see part 1/2 of the MDE series)
- Enable the service-to-service connection between Intune and Microsoft Defender for Endpoint

With the use of co-management, devices joined in Configuration Manager can be onboarded in
Microsoft Endpoint Manager. Tenant Attach is possible for servers. Onboarding using
Configuration Manager will be explained in another part.

Enable Microsoft Defender for Endpoint integrations!

First we need to enable the service-to-service connection between Intune and Microsoft Defender
for Endpoint. Before enabling Defender for Endpoint in Intune, ensure there is administrative
access to both the Microsoft Defender for Endpoint portal and Intune.

Important: permissions are required in both products for enabling the service integration.

To enable the connection in Defender for Endpoint follow these steps:

- Sign in to the security.microsoft.com portal
- Go to Endpoints -> Advanced Features
- Turn on the feature Microsoft Intune connection

Now we can validate the integration state between Defender for Endpoint and Microsoft Intune.
To check the state and configure more settings, go to the Intune portal and select Microsoft
Defender for Endpoint. The view contains a couple of settings relevant to Defender for Endpoint.

Connection status and last synchronized show the status between MDE and Intune. When connected,
the value must be Enabled with a recent last synchronized time.

Endpoint Security Profile Settings

Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations is needed when
using Microsoft Defender for Endpoint to enforce Endpoint Security Configurations. This is only
needed for devices that are not managed using Intune. The configuration of this feature was
explained earlier in the following blog post: Managing Microsoft Defender for Endpoint with the
new Security Management feature in MEM

The setting is only for managing the configuration after the initial Defender for Endpoint
onboarding.

Compliance

For compliance integrations, multiple settings can be enabled. When using Intune, it is possible
to use compliance policies to require compliant devices. Signals from Defender for Endpoint can
be used for calculating the compliant or noncompliant state (Require devices to be at or under
the machine risk score).

In Endpoint Security the following settings are part of the compliance integration with Defender
for Endpoint and can be enabled:

- Connect Android devices version 6.0.0 and above to Microsoft Defender for Endpoint
- Connect iOS/iPadOS devices version 13.0 and above to Microsoft Defender for Endpoint
- Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint
- Enable App Sync (sending application inventory) for iOS/iPadOS devices
- Block unsupported OS versions

For Windows make sure the toggle Connect Windows devices version 10.0.15063 and above to
Microsoft Defender for Endpoint is enabled.

App protection policy evaluation
App Protection can be enabled for mobile platforms (iOS / Android). With the use of App
protection policies, it is possible to restrict access when prerequisites are not matched (Max
allowed device threat level). For example, when the device threat level contains Low – access to
corporate data can be restricted.

The feature works only for iOS/ Android.

Create onboarding profile

After configuring Microsoft Defender for Endpoint in Intune, the next step is to onboard the
devices in Defender for Endpoint.

Multiple ways are currently available in Intune for completing the onboarding of Defender for
Endpoint. It is advised to use the Endpoint Security profiles in Intune.

To create the Endpoint detection and response/ MDE onboarding profile:

- Go to the Intune portal and go to Endpoint Security
- Select Endpoint Detection and response and click on Create Policy
- Select Platform: Windows 10, Windows 11, and Windows Server and Profile: Endpoint detection
  and response.

In the Basics section, specify the profile name and an optional description. The configuration
settings contain all features needed for the initial onboarding. There are three settings that
are relevant for the onboarding:

- Microsoft Defender for Endpoint client configuration package type
- Sample sharing
- Telemetry Reporting Frequency

Microsoft Defender for Endpoint client configuration package type is needed for assigning the
configuration package. When Intune/ MDE are completely synced it is part of the connection. The
following options are available:

- Auto from connector
- Onboard
- Offboard

When connected using the Auto from connector option, Intune automatically gets the onboarding
package (blob) from the Defender for Endpoint deployment. There is no need to add the package
manually.

When no connection is possible between Intune and MDE, or Intune is not configured in the same
tenant as Defender for Endpoint, the option Onboard can be used. With the option Onboard the
custom blob value can be configured.

Sample sharing is part of Defender for Endpoint and is needed for sharing samples with Microsoft.
Sample sharing can be Enabled/Disabled. To take full benefit of the cloud layer it is advised to
always enable Sample sharing.

Telemetry Reporting Frequency is another setting of the Defender for Endpoint profile which can
be configured at two levels (Normal/ Expedite).

By default, the telemetry reporting frequency is Normal. Personally, I always recommend the
Expedite telemetry frequency for Defender for Endpoint.

Update July 2023: The Telemetry Reporting Frequency setting is currently deprecated and no
longer needed/ removed from the profile list.

Complete the policy creation and assign the correct device group. I would recommend starting
with a small pilot scope when deploying Defender for Endpoint for the first time; it is always
recommended to confirm the sensor and network connections on a small set of devices.

Sometimes organizations manually block the SENSE service or additional reporting locations for
Defender for Endpoint. For MDE it is critical to make sure all network recommendations are in
place. After onboarding, run the client analyzer on a small set of devices and validate all
network settings and additional configurations.

Onboarded in Defender for Endpoint

After some time, Defender for Endpoint is deployed and the SENSE service must be running on the
device. Using the built-in assignment reporting in Intune the deployment state can be validated.

When SENSE is not running it is advised to deep-dive more into the logs and start with the initial
Microsoft Intune error codes.

For Microsoft Intune troubleshooting steps see: Troubleshoot onboarding issues using Microsoft
Intune | Microsoft Docs

Local event log

The SENSE event log in Applications and Services Logs > Microsoft > Windows > SENSE contains
more detailed information. In cases where the Defender for Endpoint service cannot be reached,
it is advised to match the event ID. When SENSE is running, wait some time before the initial
first sync.

It is important to make sure all prerequisites are met before running the initial onboarding.
For Defender for Endpoint the diagnostic data service must be enabled for correct data
reporting.

The complete list of event IDs is available here: View agent onboarding errors in the device
event log | Microsoft Docs

Registry

In the registry the following path is interesting:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

The path contains the onboarding info and additional settings. OnboardingInfo contains the
organization ID, geoLocation, and blob value.
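As an added example (not from the original post), the following PowerShell collects the local onboarding evidence discussed under Local event log and Registry in one place: the SENSE and diagnostic data (DiagTrack) service states, the onboarding registry values, and the newest SENSE errors and warnings to match against Microsoft's event ID list. The Policies\...\Windows Advanced Threat Protection path and the OnboardingInfo value are the ones named above; the Status\OnboardingState value (1 = onboarded) comes from Microsoft's onboarding troubleshooting documentation; the JSON layout used to pull the organization ID out of OnboardingInfo is an assumption and is guarded by a try/catch.

```powershell
# Added example: local onboarding check. Run elevated on a device that should be onboarded.

function Get-SenseOnboardingStatus {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    $service   = Get-Service -Name Sense -ErrorAction SilentlyContinue
    # The diagnostic data service (DiagTrack) must run for SENSE to report
    $diagTrack = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # OnboardingInfo is assumed to be a JSON document whose "body" (itself JSON) holds orgId
    $orgId = $null
    if ($policy -and $policy.OnboardingInfo) {
        try {
            $body  = ($policy.OnboardingInfo | ConvertFrom-Json).body | ConvertFrom-Json
            $orgId = $body.orgId
        } catch { $orgId = 'present (could not parse)' }
    }

    $senseState     = if ($service)   { [string]$service.Status }   else { 'not installed' }
    $diagTrackState = if ($diagTrack) { [string]$diagTrack.Status } else { 'not installed' }
    $onboardState   = if ($status)    { $status.OnboardingState }   else { $null }   # 1 = onboarded

    [pscustomobject]@{
        SenseService     = $senseState
        DiagTrackService = $diagTrackState
        OnboardingInfo   = [bool]($policy -and $policy.OnboardingInfo)
        OrgId            = $orgId
        OnboardingState  = $onboardState
    }
}

function Get-SenseRecentIssues {
    param([int]$Count = 10)
    # Level 2 = Error, 3 = Warning; match the Id column against Microsoft's onboarding error list
    $filter = @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2, 3 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

$onboarding = Get-SenseOnboardingStatus
$onboarding | Format-List

if ($onboarding.SenseService -ne 'Running' -or $onboarding.OnboardingState -ne 1) {
    'SENSE is not running or the device is not onboarded; recent SENSE errors/warnings:'
    Get-SenseRecentIssues | Format-Table -AutoSize
}
```

A device that shows OnboardingInfo present but OnboardingState not equal to 1 has received the package but has not completed its first successful sync, which is the case where the SENSE event IDs and the network prerequisites are worth checking first.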

Visible in Portal

When the onboarding is completed and SENSE is running correctly, the devices must be visible in
Defender for Endpoint. To view onboarded devices go to security.microsoft.com -> Assets ->
Devices and search for the device name. When correctly managed by Intune, the value Intune is
visible in the Managed by column.

Validate in Defender for Endpoint the Sensor health state and onboarding status to complete the
actual onboarding. The health state must be Active when correctly configured.

Deploy device tag

For organizations it can be useful to deploy additional device tags for Defender for Endpoint
to get more visibility into the type of device, location, and more. For more control
(Suppressions/ Exclusions/ AIR/ Indicators), my recommendation is always to use a well-structured
set of tags, which gives the security team more visibility.

Device tags can be set easily via the portal or manually via the registry. The registry key can
be deployed in Intune via Configuration Profiles. (Only one tag can be applied in the registry.)

To deploy the tag using Intune:

- Sign in to the Microsoft Intune admin center and go to Devices
- Select Configuration profiles and click on Create Policy
- Select Platform: Windows 10 and later and Profile type: Templates -> Custom

Use the following custom OMA-URI details for adding the device tag. The name and description can
be whatever you want. Important are the OMA-URI, Data Type, and Value.

| Setting   | Value |
|-----------|-------|
| OMA-URI   | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group |
| Data Type | String |
| Value     | Device TAG name |

With this, a static Device Tag is visible in Defender for Endpoint. Notice: it is not possible to
deploy multiple tags using the Registry/ PowerShell/ Intune method. For additional tags the
manual option or the Logic App/ API option can be used.
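As an added example (not from the original post), this PowerShell sets and reads the single registry-based device tag that the Intune OMA-URI above writes, for devices where a configuration profile is not an option. The registry location HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging with the string value Group is the local equivalent of the DeviceTagging/Group OMA-URI path; the COUNTRY-ROLE naming convention the script enforces is a constructed example of the "well-structured set of tags" recommended above, not a Defender requirement.

```powershell
# Added example: set and verify the registry-based Defender for Endpoint device tag.
# The key mirrors the OMA-URI ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group.
# Only one tag fits here; additional tags need the portal or the API.

$DeviceTaggingKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Test-DeviceTagName {
    param([Parameter(Mandatory)][string]$Tag)
    # Constructed convention: <COUNTRY>-<ROLE>, e.g. NL-DC or US-KIOSK (upper-case letters/digits)
    return $Tag -match '^[A-Z]{2}-[A-Z0-9]{2,16}$'
}

function Set-MdeDeviceTag {
    param([Parameter(Mandatory)][string]$Tag)
    if (-not (Test-DeviceTagName -Tag $Tag)) {
        throw "Tag '$Tag' does not follow the <COUNTRY>-<ROLE> convention"
    }
    if (-not (Test-Path $DeviceTaggingKey)) {
        New-Item -Path $DeviceTaggingKey -Force | Out-Null
    }
    # The REG_SZ value "Group" holds the single device tag
    Set-ItemProperty -Path $DeviceTaggingKey -Name Group -Value $Tag -Type String
}

function Get-MdeDeviceTag {
    $item = Get-ItemProperty -Path $DeviceTaggingKey -Name Group -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.Group
}

# Usage (elevated): the tag appears in the portal after the next sensor sync
Set-MdeDeviceTag -Tag 'NL-DC'
"Current device tag: $(Get-MdeDeviceTag)"
```

Because the registry value is a policy key, it is the one place a local administrator without tamper protection on policies could change the tag; comparing Get-MdeDeviceTag output with the tag shown in the portal is a cheap drift check for devices tagged this way.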
