Set up and configure Microsoft Defender for Endpoint Plan 1

Applies to:

This article describes how to set up and configure Defender for Endpoint Plan 1. Whether you have assistance or are doing it yourself, you can use this article as a guide throughout your deployment.

The setup and configuration process

Setup and deployment flow for Microsoft Defender for Endpoint Plan 1

The general setup and configuration process for Defender for Endpoint Plan 1 is as follows:

Number Step Description
1 Review the requirements Lists licensing, browser, operating system, and datacenter requirements
2 Plan your deployment Lists several deployment methods to consider and includes links to more resources to help you decide which method to use
3 Set up your tenant environment Lists tasks for setting up your tenant environment
4 Assign roles and permissions Lists roles and permissions to consider for your security team

TIP: As soon as roles and permissions are assigned, your security team can get started using the Microsoft 365 Defender portal. To learn more, see Getting started.
5 Onboard to Defender for Endpoint Lists several methods by operating system to onboard to Defender for Endpoint Plan 1 and includes links to more detailed information for each method
6 Configure next-generation protection Describes how to configure your next-generation protection settings in Microsoft Endpoint Manager
7 Configure your attack surface reduction capabilities Lists the types of attack surface reduction capabilities you can configure and includes procedures with links to more resources

Review the requirements

The following table lists the basic requirements for Defender for Endpoint Plan 1:

Requirement Description
Licensing requirements Defender for Endpoint Plan 1 (standalone, or as part of Microsoft 365 E3 or A3)
Browser requirements Microsoft Edge
Internet Explorer version 11
Google Chrome
Operating systems Windows 11, or Windows 10, version 1709, or later
macOS (the three most recent releases are supported)
iOS
Android OS

Note that the standalone version of Defender for Endpoint Plan 1 does not include server licenses. To onboard servers, you'll need Defender for Servers Plan 1 or Plan 2 as part of the Defender for Cloud offering. To learn more. see Overview of Microsoft Defender for Servers.
Datacenter One of the following datacenter locations:
- European Union
- United Kingdom
- United States

Plan your deployment

When you plan your deployment, you can choose from several different architectures and deployment methods. Every organization is unique, so you have several options to consider, as listed in the following table:

Method Description
Microsoft Intune (included in Microsoft Endpoint Manager) Use Intune to manage endpoints in a cloud native environment
Microsoft Intune and Configuration Manager (included in Microsoft Endpoint Manager) Use Intune and Configuration Manager to manage endpoints and workloads that span an on-premises and cloud environment
Configuration Manager Use Configuration Manager to protect on-premises endpoints with the cloud-based power of Defender for Endpoint
Local script downloaded from the Microsoft 365 Defender Portal Use local scripts on endpoints to run a pilot or onboard just a few devices

To learn more about your deployment options, see Plan your Defender for Endpoint deployment. And, download the following poster:

Deployment strategy poster thumbnail

Get the deployment poster

Tip

For more detailed information about planning your deployment, see Plan your Microsoft Defender for Endpoint deployment.

Set up your tenant environment

Setting up your tenant environment includes tasks, such as:

  • Verifying your licenses
  • Configuring your tenant
  • Configuring your proxy settings (only if necessary)
  • Making sure sensors are working correctly and reporting data to Defender for Endpoint

These tasks are included in the setup phase for Defender for Endpoint. See Set up Defender for Endpoint.

Assign roles and permissions

In order to access the Microsoft 365 Defender portal, configure settings for Defender for Endpoint, or perform tasks, such as taking response actions on detected threats, appropriate permissions must be assigned. Defender for Endpoint uses built-in roles within Azure Active Directory.

Microsoft recommends assigning users only the level of permission they need to perform their tasks. You can assign permissions by using basic permissions management, or by using role-based access control (RBAC).

  • With basic permissions management, global admins and security admins have full access, whereas security readers read-only access.
  • With RBAC, you can set more granular permissions through more roles. For example, you can have security readers, security operators, security admins, endpoint administrators, and more.

The following table describes key roles to consider for Defender for Endpoint in your organization:

Role Description
Global administrators (also referred to as global admins)

As a best practice, limit the number of global administrators.
Global admins can perform all kinds of tasks. The person who signed up your company for Microsoft 365 or for Microsoft Defender for Endpoint Plan 1 is a global administrator by default.

Global admins are able to access/change settings across all Microsoft 365 portals, such as:
- The Microsoft 365 admin center (https://admin.microsoft.com)
- Microsoft 365 Defender portal (https://security.microsoft.com)
- Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com)
Security administrators (also referred to as security admins) Security admins can perform security operator tasks plus the following tasks:
- Monitor security-related policies
- Manage security threats and alerts
- View reports
Security operator Security operators can perform security reader tasks plus the following tasks:
- View information about detected threats
- Investigate and respond to detected threats
Security reader Security readers can perform the following tasks:
- View security-related policies across Microsoft 365 services
- View security threats and alerts
- View reports

Tip

To learn more about roles in Azure Active Directory, see Assign administrator and non-administrator roles to users with Azure Active Directory. And, more information about roles for Defender for Endpoint, see Role-based access control.

Onboard to Defender for Endpoint

When you're ready to onboard your organization's endpoints, you can choose from several methods, as listed in the following table:

Endpoint Operating System Onboarding methods
Windows 10 Local script (up to 10 devices)
Group Policy
Microsoft Endpoint Manager/ Mobile Device Manager
Microsoft Endpoint Configuration Manager
VDI scripts
macOS Local scripts
Microsoft Endpoint Manager
JAMF Pro
Mobile Device Management
iOS App-based
Android Microsoft Endpoint Manager

Then, proceed to configure your next-generation protection and attack surface reduction capabilities.

Configure next-generation protection

We recommend using Microsoft Endpoint Manager to manage your organization's devices and security settings, as shown in the following image:

Endpoint security policies in the Micorosft Endpoint Manager portal

To configure your next-generation protection in Microsoft Endpoint Manager, follow these steps:

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in.

  2. Select Endpoint security > Antivirus, and then select an existing policy. (If you don't have an existing policy, create a new policy.)

  3. Set or change your antivirus configuration settings. Need help? Refer to the following resources:

  4. When you are finished specifying your settings, choose Review + save.

Configure your attack surface reduction capabilities

Attack surface reduction is all about reducing the places and ways your organization is open to attack. Defender for Endpoint Plan 1 includes several features and capabilities to help you reduce your attack surfaces across your endpoints. These features and capabilities are listed in the following table:

Feature/capability Description
Attack surface reduction rules Configure attack surface reduction rules to constrain software-based risky behaviors and help keep your organization safe. Attack surface reduction rules target certain software behaviors, such as
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work

Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware.
Ransomware mitigation Set up ransomware mitigation by configuring controlled folder access, which helps protect your organization's valuable data from malicious apps and threats, such as ransomware.
Device control Configure device control settings for your organization to allow or block removable devices (such as USB drives).
Network protection Set up network protection to prevent people in your organization from using applications that access dangerous domains or malicious content on the Internet.
Web protection Set up web threat protection to protect your organization's devices from phishing sites, exploit sites, and other untrusted or low-reputation sites. Set up web content filtering to track and regulate access to websites based on their content categories (such as Leisure, High bandwidth, Adult content, or Legal liability).
Network firewall Configure your network firewall with rules that determine which network traffic is permitted to come into or go out from your organization's devices.
Application control Configure application control rules if you want to allow only trusted applications and processes to run on your Windows devices.

Attack surface reduction rules

Attack surface reduction rules are available on devices running Windows. We recommend using Microsoft Endpoint Manager, as shown in the following image:

Attack surface reduction rules in the Microsoft Endpoint Manager portal

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in.

  2. Choose Endpoint security > Attack surface reduction > + Create policy.

  3. For Platform, select Windows 10 and later.

  4. For Profile, select Attack surface reduction rules, and then choose Create.

  5. On the Basics tab, specify a name and description for the policy, and then choose Next.

  6. On the Configuration settings tab, expand Attack Surface Reduction Rules.

  7. Specify settings for each rule, and then choose Next. (For more information about what each rule does, see Attack surface reduction rules.)

  8. On the Scope tags tab, if your organization is using scope tags, choose + Select scope tags, and then select the tags you want to use. Then, choose Next.

    To learn more about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

  9. On the Assignments tab, specify the users and groups to whom your policy should be applied, and then choose Next. (To learn more about assignments, see Assign user and device profiles in Microsoft Intune.)

  10. On the Review + create tab, review the settings, and then choose Create.

Ransomware mitigation

You get ransomware mitigation through controlled folder access, which allows only trusted apps to access protected folders on your endpoints.

We recommend using Microsoft Endpoint Manager to configure controlled folder access.

ASR policies in the Microsoft Endpoint Manager portal

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in.

  2. Select Endpoint Security, and then select Attack Surface Reduction.

  3. Choose + Create Policy.

  4. For Platform, select Windows 10 and later, and for Profile, select Attack surface reduction rules. Then choose Create.

  5. On the Basics tab, name the policy and add a description. Select Next.

  6. On the Configuration settings tab, in the Attack Surface Reduction Rules section, scroll down to the bottom. In the Enable folder protection drop-down, select Enable. You can optionally specify these other settings:

    • Next to List of additional folders that need to be protected, select the drop-down menu, and then add folders that need to be protected.
    • Next to List of apps that have access to protected folders, select the drop-down menu, and then add apps that should have access to protected folders.
    • Next to Exclude files and paths from attack surface reduction rules, select the drop-down menu, and then add the files and paths that need to be excluded from attack surface reduction rules.

    Then choose Next.

  7. On the Scope tags tab, if your organization is using scope tags, choose + Select scope tags, and then select the tags you want to use. Then, choose Next.

    To learn more about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

  8. On the Assignments tab, select Add all users and + Add all devices, and then choose Next. (You can alternately specify specific groups of users or devices.)

  9. On the Review + create tab, review the settings for your policy, and then choose Create. The policy will be applied to any endpoints that were onboarded to Defender for Endpoint shortly.

Device control

You can configure Defender for Endpoint to block or allow removable devices and files on removable devices. We recommend using Microsoft Endpoint Manager to configure your device control settings.

Microsoft Endpoint Manager administrative templates

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in.

  2. Select Devices > Configuration profiles > Create profile.

  3. For Platform, select Windows 10 and later, and for Profile type, select Templates.

    Under Template name, select Administrative Templates, and then choose Create.

  4. On the Basics tab, name the policy and add a description. Select Next.

  5. On the Configuration settings tab, select All Settings. Then in the search box, type Removable to see all the settings that pertain to removable devices.

  6. Select an item in the list, such as All Removable Storage classes: Deny all access, to open its flyout pane. The flyout for each setting explains what happens when it is enabled, disabled, or not configured. Select a setting, and then choose OK.

  7. Repeat step 6 for each setting that you want to configure. Then choose Next.

  8. On the Scope tags tab, if your organization is using scope tags, choose + Select scope tags, and then select the tags you want to use. Then, choose Next.

    To learn more about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

  9. On the Assignments tab, select Add all users and + Add all devices, and then choose Next. (You can alternately specify specific groups of users or devices.)

  10. On the Review + create tab, review the settings for your policy, and then choose Create. The policy will be applied to any endpoints that were onboarded to Defender for Endpoint shortly.

Network protection

With network protection, you can help protect your organization against dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. We recommend using Microsoft Endpoint Manager to turn on network protection.

Endpoint protection profile in the Microsoft Endpoint Manager portal

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and sign in.

  2. Select Devices > Configuration profiles > Create profile.

  3. For Platform, select Windows 10 and later, and for Profile type, select Templates.

    Under Template name, select Endpoint protection, and then choose Create.

  4. On the Basics tab, name the policy and add a description. Select Next.

  5. On the Configuration settings tab, expand Microsoft Defender Exploit Guard, and then expand Network filtering.

    Set Network protection to Enable. (You can alternately choose Audit to see how network protection will work in your environment at first.)

    Then choose Next.

  6. On the Assignments tab, select Add all users and + Add all devices, and then choose Next. (You can alternately specify specific groups of users or devices.)

  7. On the Applicability Rules tab, set up a rule. The profile you are configuring will be applied only to devices that meet the combined criteria you specify.

    For example, you might choose to assign the policy to endpoints that are running a certain OS edition only.

    Then choose Next.

  8. On the Review + create tab, review the settings for your policy, and then choose Create. The policy will be applied to any endpoints that were onboarded to Defender for Endpoint shortly.

Tip

You can use other methods, such as Windows PowerShell or Group Policy, to enable network protection. To learn more, see Turn on network protection.

Web protection

With web protection, you can protect your organization's devices from web threats and unwanted content. Your web protection includes web threat protection and web content filtering. Configure both sets of capabilities. We recommend using Microsoft Endpoint Manager to configure your web protection settings.

Configure web threat protection

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com), and sign in.

  2. Choose Endpoint security > Attack surface reduction, and then choose + Create policy.

  3. Select a platform, such as Windows 10 and later, select the Web protection profile, and then choose Create.

  4. On the Basics tab, specify a name and description, and then choose Next.

  5. On the Configuration settings tab, expand Web Protection, specify the settings in the following table, and then choose Next.

    Setting Recommendation
    Enable network protection Set to Enabled. Prevents users from visiting malicious sites or domains.

    Alternately, you can set network protection to Audit mode to see how it will work in your environment. In audit mode, network protection does not prevent users from visiting sites or domains, but it does track detections as events.
    Require SmartScreen for Microsoft Edge Legacy Set to Yes. Helps protect users from potential phishing scams and malicious software.
    Block malicious site access Set to Yes. Prevents users from bypassing warnings about potentially malicious sites.
    Block unverified file download Set to Yes. Prevents users from bypassing the warnings and downloading unverified files.
  6. On the Scope tags tab, if your organization is using scope tags, choose + Select scope tags, and then select the tags you want to use. Then, choose Next.

    To learn more about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

  7. On the Assignments tab, specify the users and devices to receive the web protection policy, and then choose Next.

  8. On the Review + create tab, review your policy settings, and then choose Create.

Tip

To learn more about web threat protection, see Protect your organization against web threats.

Configure web content filtering

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com/) and sign in.

  2. Choose Settings > Endpoints.

  3. Under Rules, choose Web content filtering, and then choose + Add policy.

  4. In the Add policy flyout, on the General tab, specify a name for your policy, and then choose Next.

  5. On the Blocked categories, select one or more categories that you want to block, and then choose Next.

  6. On the Scope tab, select the device groups you want to receive this policy, and then choose Next.

  7. On the Summary tab, review your policy settings, and then choose Save.

Tip

To learn more about configuring web content filtering, see Web content filtering.

Network firewall

Network firewall helps reduce the risk of network security threats. Your security team can set rules that determine which traffic is permitted to flow to or from your organization's devices. We recommend using Microsoft Endpoint Manager to configure your network firewall.

Firewall policy in the Microsoft Endpoint Manager portal

To configure basic firewall settings, follow these steps:

  1. Go to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com), and sign in.

  2. Choose Endpoint security > Firewall, and then choose + Create Policy.

  3. Select a platform, such as Windows 10 and later, select the Microsoft Defender Firewall profile, and then choose Create.

  4. On the Basics tab, specify a name and description, and then choose Next.

  5. Expand Microsoft Defender Firewall, and then scroll down to the bottom of the list.

  6. Set each of the following settings to Yes:

    • Turn on Microsoft Defender Firewall for domain networks
    • Turn on Microsoft Defender Firewall for private networks
    • Turn on Microsoft Defender Firewall for public networks

    Review the list of settings under each of domain networks, private networks, and public networks. You can leave them set to Not configured, or change them to suit your organization's needs.

    Then choose Next.

  7. On the Scope tags tab, if your organization is using scope tags, choose + Select scope tags, and then select the tags you want to use. Then, choose Next.

    To learn more about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.

  8. On the Assignments tab, select Add all users and + Add all devices, and then choose Next. (You can alternately specify specific groups of users or devices.)

  9. On the Review + create tab, review your policy settings, and then choose Create.

Tip

Firewall settings are detailed and can seem complex. Refer to Best practices for configuring Windows Defender Firewall.

Application control

Windows Defender Application Control (WDAC) helps protect your Windows endpoints by only allowing trusted applications and processes to run. Most organizations used a phased deployment of WDAC. That is, most organizations don't roll out WDAC across all Windows endpoints at first. In fact, depending on whether your organization's Windows endpoints are fully managed, lightly managed, or "Bring Your Own Device" endpoints, you might deploy WDAC on all or some endpoints.

To help with planning your WDAC deployment, see the following resources:

Next steps

Now that you have gone through the setup and configuration process, your next step is to get started using Defender for Endpoint.