Defender for Endpoint
Includes how to use Defender for Endpoint on Windows devices, notifications and policies.
Defender for Endpoint is built into Windows 10 and 11 and works with Microsoft's cloud service: behavioural signals collected from the operating system are reported back to the cloud instance of Defender for Endpoint, where they are processed.
Onboarding Hwb-managed devices into Microsoft Defender for Endpoint allows local authorities (LAs) and schools to use the Defender for Endpoint cloud instance to manage the overall security of their devices.
Role-based access control is used to give fully delegated access to manage device security through Intune and the Defender for Endpoint portal.
Through the Defender for Endpoint portal, device vulnerabilities, weaknesses, recommendations and remediations can all be managed for your devices, in conjunction with the security policies set in Intune.
Defender for Endpoint on Windows devices
Onboarding for Windows devices
To begin the process of onboarding devices, navigate to Defender for Endpoint to download the onboarding blob:
- Navigate and log in to security.microsoft.com
- Go to Settings > Endpoints > Onboarding.
- Select the operating system to start the onboarding process:
- Select 'Windows 10 and 11' from the dropdown.
- Under deployment method, select 'Mobile Device Management/Microsoft Intune'.
- Click 'Download Onboarding Package' and save locally.
Intune onboarding profile for Windows devices (required)
In Intune, create the Endpoint detection and response policy device configuration profile to onboard Windows devices.
Go to Intune > Endpoint Security > Endpoint detection and response > Create Policy:
- Platform: Select 'Windows 10, Windows 11 and Windows Server'.
- Profile: Select 'Endpoint detection and response'.
- Name: Provide a suitable name and description for the policy in line with your naming convention > click 'Next'.
- Choose 'Onboard' from the dropdown for package type.
- Paste the onboarding blob from the previously downloaded zip into the 'Onboarding (Devices)' text field.
- Select your option for Sample Sharing and Telemetry Reporting Frequency.
- Scope the policy to your organisation with appropriate scope tags.
- Assign the policy to your devices.
Tagging your Windows devices ready for Defender for Endpoint (required)
For your devices to appear in Defender for Endpoint, they must be tagged first. In Intune, tag each Windows 10 or 11 device with the school or local authority ID. A device can only carry one tag, and this policy should be applied to devices only.
- Create a custom device configuration profile.
- Platform Windows 10 and later.
- Set configuration settings as follows:
- Name: Device Tagging.
- OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group.
- Data type: String
- Value: {school id} for example ‘6xxxxxx’ OR {local authority (LA) id} for example ‘6xx’.
Important: for the Value, use the full school ID number if IT staff in the school are to manage device security; if device security is to be managed centrally by the LA, use the LA identifier, for example ‘6xx’.
- Assign to a device group.
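Once the onboarding and tagging policies have applied, you can confirm on the device itself that the sensor is onboarded and that the tag landed where the OMA-URI writes it. This is an added example, not part of the Hwb guidance; the registry paths and the 'Sense' service name are those Microsoft documents for the Defender for Endpoint client, and the expected tag is passed in as a parameter.

```powershell
# Added example (not from the Hwb page): verify on a Windows 10/11 device that the
# Defender for Endpoint sensor is onboarded and that the Intune device-tagging
# OMA-URI has been written with the expected LA or school id.
# Run in an elevated PowerShell session on the device.

param(
    # Expected tag: an LA id such as '6xx' (placeholder) or the full school id.
    [Parameter(Mandatory)] [string] $ExpectedTag
)

$statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$taggingKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

$result = [ordered]@{
    SenseServiceRunning = $false
    OnboardingState     = $null
    DeviceTag           = $null
    TagMatches          = $false
}

# 'Sense' is the Defender for Endpoint sensor service; it must be running for the
# device to report back to the cloud service and appear in the portal.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$result.SenseServiceRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

# OnboardingState = 1 means the onboarding package from the EDR policy has applied.
$result.OnboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
    -ErrorAction SilentlyContinue).OnboardingState

# The OMA-URI ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group
# is stored by the MDM client as the 'Group' string value under the DeviceTagging key.
$result.DeviceTag  = (Get-ItemProperty -Path $taggingKey -Name Group `
    -ErrorAction SilentlyContinue).Group
$result.TagMatches = ($result.DeviceTag -eq $ExpectedTag)

[pscustomobject]$result | Format-List

if (-not $result.SenseServiceRunning) {
    Write-Warning 'Sense service is not running; the device cannot report to Defender for Endpoint.'
}
if ($result.OnboardingState -ne 1) {
    Write-Warning 'OnboardingState is not 1; the onboarding policy has not applied yet.'
}
if (-not $result.TagMatches) {
    Write-Warning "Device tag '$($result.DeviceTag)' does not match '$ExpectedTag'; the device will not appear in the expected device group."
}
```

A device that passes all three checks but is still missing from the portal is usually inside the 24-hour window described below, or has not yet been active since the tag applied.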
Viewing your devices in Defender for Endpoint
Once devices are onboarded, local authority Intune administrators have access to Defender for Endpoint by default to view their onboarded devices.
Onboarded devices, once tagged correctly with the LA code, can take up to 24 hours to appear in the local authority device group. The device must be active and have reported back to the Defender for Endpoint cloud service.
A request must be made to support@hwbcymru.net if local authorities wish to delegate this access to Intune administrators in schools.
Configuring notifications for alerts (required)
In Defender, configure a Defender for Endpoint alert notification rule:
- Navigate and log in to security.microsoft.com
- Go to Settings > Endpoints > Email notifications.
- Select '+ Add notification rule'.
- Configure notification settings for your needs.
- Select the device group “6XX – {LA Name} Defender Devices”.
- Configure the alert severity to be notified about and click 'Next'.
- Input the email address that needs to receive the alert and click 'Next' to review and submit.
Configuring notifications for incidents (required)
In Defender, configure a Defender for Endpoint incident notification rule:
- Navigate and log in to security.microsoft.com
- Go to Settings > Microsoft Defender XDR > Email notifications.
- Select '+ Add incident notification rule'.
- Configure notification settings for your needs.
- Select the device group “6XX – {LA Name} Defender Devices”.
- Configure the alert severity to be notified about and click 'Next'.
- Input the email address that needs to receive the alert and click 'Next' to review and submit.
Intune and Defender for Endpoint
It’s recommended that device management and security administrators use Intune endpoint security policies to manage security settings on devices. Each endpoint security policy supports one or more profiles. These profiles are similar in concept to a device configuration policy template: a logical group of related settings.
For more details, please visit the Microsoft Learn site for guidance on managing endpoint security.
Configuring an anti-virus policy for Windows (required)
The anti-virus policy is a key component of Defender for Endpoint and is required for managed devices.
To configure, go to Intune > Endpoint Security > Anti-virus > Create Policy > Windows 10, Windows 11, and Windows Server > Microsoft Defender Anti-virus.
This example policy is based on recommendations from Microsoft and security professionals.
Although recommended, careful consideration needs to be given to how each setting might impact your local setup; configure to your own local needs and requirements.
Where possible, test on a select few devices and run settings in audit mode before deployment.
Defender Policy CSP: Windows Client Management | Microsoft Learn
Recommended anti-virus policy
| Setting | Value |
| --- | --- |
| Allow Archive Scanning | Allowed. Scans the archive files. |
| Allow Behavior Monitoring | Allowed. Turns on real-time behaviour monitoring. |
| Allow Cloud Protection | Allowed. Turns on Cloud Protection. |
| Allow Email Scanning | Allowed. Turns on email scanning. |
| Allow Full Scan On Mapped Network Drives | Not configured |
| Allow Full Scan Removable Drive Scanning | Allowed. Scans removable drives. |
| [Deprecated] Allow Intrusion Prevention System | Allowed. |
| Allow scanning of all downloaded files and attachments | Allowed. |
| Allow Realtime Monitoring | Allowed. Turns on and runs the real-time monitoring service. |
| Allow Scanning Network Files | Not configured |
| Allow Script Scanning | Allowed. |
| Allow User UI Access | Not configured |
| Avg CPU Load Factor | Not configured (default 50%) |
| Check For Signatures Before Running Scan | Enabled |
| Cloud Block Level | High |
| Cloud Extended Timeout | Configured: 50 seconds |
| Days To Retain Cleaned Malware | Not configured |
| Disable Catchup Full Scan | Not configured |
| Disable Catchup Quick Scan | Not configured |
| Enable Low CPU Priority | Not configured |
| Enable Network Protection | Enabled (block mode) |
| Excluded Extensions | Not configured |
| Excluded Paths | Not configured |
| Excluded Processes | Not configured |
| PUA Protection | PUA Protection on. Detected items are blocked. They will show in history along with other threats. |
| Real Time Scan Direction | Monitor all files (bi-directional). |
| Scan Parameter | Quick scan |
| Schedule Quick Scan Time | Configured |
| Schedule Scan Day | Every day |
| Schedule Scan Time | Not configured |
| Signature Update Fallback Order | Configured |
| Signature Update File Shares Sources | Not configured |
| Signature Update Interval | Configured |
| Submit Samples Consent | Send safe samples automatically. |
| Disable Local Admin Merge | Not configured |
| Allow On Access Protection | Allowed. |
| Remediation action for Severe threats | Quarantine. Moves files to quarantine. |
| Remediation action for Moderate severity threats | Quarantine. Moves files to quarantine. |
| Remediation action for Low severity threats | Quarantine. Moves files to quarantine. |
| Remediation action for High severity threats | Quarantine. Moves files to quarantine. |
| Allow Network Protection Down Level | Not configured |
| Allow Datagram Processing On Win Server | Not configured |
| Disable Dns Over Tcp Parsing | Not configured |
| Disable Http Parsing | Not configured |
| Disable Ssh Parsing | Not configured |
| Disable Tls Parsing | Not configured |
| Enable Dns Sinkhole | Not configured |
| Engine Updates Channel | Staged |
| Metered Connection Updates | Not configured |
| Platform Updates Channel | Not configured |
| Security Intelligence Updates Channel | Not configured |
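When piloting the policy on a few devices, it helps to check what Defender actually ended up with rather than trusting the Intune deployment report alone. The following is an added example, not part of the Hwb guidance: it reads the device's effective settings with Get-MpPreference and reports any drift from the configured rows of the table above. The numeric codes are the enumerations used by the Defender PowerShell module; the Staged value for the engine update channel is assumed to be 4.

```powershell
# Added example (not from the Hwb page): compare a device's effective Defender
# settings (Get-MpPreference) against the recommended anti-virus policy table.
# Numeric values are Defender module enumerations, e.g. CloudBlockLevel 2 = High,
# PUAProtection 1 = Enabled (2 = audit), threat default action 2 = Quarantine.
# Run in an elevated PowerShell session on an onboarded Windows 10/11 device.

$expected = [ordered]@{
    DisableArchiveScanning              = $false  # Allow Archive Scanning: Allowed
    DisableBehaviorMonitoring           = $false  # Allow Behavior Monitoring: Allowed
    DisableEmailScanning                = $false  # Allow Email Scanning: Allowed
    DisableRemovableDriveScanning       = $false  # Allow Full Scan Removable Drive Scanning
    DisableIOAVProtection               = $false  # Allow scanning of downloaded files/attachments
    DisableRealtimeMonitoring           = $false  # Allow Realtime Monitoring: Allowed
    DisableScriptScanning               = $false  # Allow Script Scanning: Allowed
    CheckForSignaturesBeforeRunningScan = $true   # Enabled
    CloudBlockLevel                     = 2       # High
    CloudExtendedTimeout                = 50      # 50 seconds
    EnableNetworkProtection             = 1       # Enabled (block mode); 2 would be audit
    PUAProtection                       = 1       # PUA Protection on, detections blocked
    RealTimeScanDirection               = 0       # Monitor all files (bi-directional)
    ScanParameters                      = 1       # Quick scan
    ScanScheduleDay                     = 0       # Every day
    SubmitSamplesConsent                = 1       # Send safe samples automatically
    SevereThreatDefaultAction           = 2       # Quarantine
    HighThreatDefaultAction             = 2       # Quarantine
    ModerateThreatDefaultAction         = 2       # Quarantine
    LowThreatDefaultAction              = 2       # Quarantine
    EngineUpdatesChannel                = 4       # Staged (assumed enumeration value)
}

function Test-DefenderPolicyDrift {
    # Emits one object per setting; Compliant = $false marks drift from the table.
    $actual = Get-MpPreference
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $value
            Compliant = ("$value" -eq "$($expected[$name])")
        }
    }
}

# Cloud Protection has no single 'Allowed' code: MAPSReporting 0 = off, 1 = Basic, 2 = Advanced.
if ((Get-MpPreference).MAPSReporting -eq 0) {
    Write-Warning 'Cloud Protection is off (MAPSReporting = 0); the policy expects it Allowed.'
}

$drift = Test-DefenderPolicyDrift | Where-Object { -not $_.Compliant }
if ($drift) { $drift | Format-Table -AutoSize } else { 'All checked settings match the recommended policy.' }
```

Rows marked "Not configured" in the table are deliberately left out of the comparison, since the device will show whatever its local default is.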
Attack surface reduction for Windows only (recommended)
To configure, go to Intune > Endpoint Security > Attack surface reduction > Create Policy > Windows 10, Windows 11, and Windows Server > Attack surface reduction rules.
In Intune, configure Attack Surface Reduction (ASR) considering local impact and requirements:
- Set all configuration settings to audit mode and review the results in Defender for Endpoint before enabling block mode. It’s important that you understand ASR rules before implementing them. Follow Microsoft guidance on how to deploy ASR rules to your devices.
Use attack surface reduction rules to prevent malware infection | Microsoft Learn
Microsoft support and guidance
Please refer to the Microsoft support and guidance before implementing the recommended policies.