Microsoft Defender for Endpoint
Applies to: Configuration Manager (current branch)
Endpoint Protection can help manage and monitor Microsoft Defender for Endpoint. Microsoft Defender for Endpoint helps enterprises detect, investigate, and respond to advanced attacks on their networks. Configuration Manager policies can help you onboard and monitor Windows 10 or later clients.
Microsoft Defender for Endpoint's cloud-based portal is Microsoft Defender Security Center. By adding and deploying a client onboarding configuration file, Configuration Manager can monitor deployment status and Microsoft Defender for Endpoint agent health. Microsoft Defender for Endpoint is supported on PCs running the Configuration Manager client or managed by Microsoft Intune.
Prerequisites
- Subscription to the Microsoft Defender for Endpoint online service
- Client computers running the Configuration Manager client
- Clients using an OS listed in the Supported client operating systems section below.
- Your administrative user account needs the Endpoint Protection Manager security role.
Supported client operating systems
You can onboard the following operating systems:
- Windows 8.1
- Windows 10, version 1607 or later
- Windows 11
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server Semi-Annual Channel (SAC), version 1803 or later
- Windows Server 2019
- Windows Server 2022
About onboarding to Microsoft Defender for Endpoint with Configuration Manager
Different operating systems have different needs for onboarding to Microsoft Defender for Endpoint. Windows 8.1 and other down-level operating system devices need the Workspace key and Workspace ID to onboard. Up-level devices, such as Windows Server version 1803, need the onboarding configuration file. Configuration Manager also installs the Microsoft Monitoring Agent (MMA) when needed by onboarded devices but it doesn't update the agent automatically.
Up-level operating systems include:
- Windows 10, version 1607 and later
- Windows 11
- Windows Server Semi-Annual Channel (SAC), version 1803 or later
- Windows Server 2019
- Windows Server 2022
Down-level operating systems include:
- Windows 8.1
- Windows Server 2012 R2
- Windows Server 2016
Note
Currently, the modern, unified Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016 is in public preview. Configuration Manager version 2107 with the update rollup supports configuration using Endpoint Protection policies, including those policies created in the Microsoft Endpoint Manager admin center using tenant attach. For more information on how to deploy the preview, see Server migration scenarios.
When you onboard devices to Microsoft Defender for Endpoint with Configuration Manager, you deploy the Defender policy to one or more target collections. Sometimes the target collection contains devices running any number of the supported operating systems. The instructions for onboarding these devices vary based on whether you're targeting a collection containing only devices with up-level operating systems or a collection that also includes down-level clients.
- If your target collection contains both up-level and down-level devices, then use the instructions to onboard devices running any supported operating system (recommended).
- If your collection contains only up-level devices, then you can use the up-level onboarding instructions.
Warning
If your target collection contains down-level devices, and you use the instructions for onboarding only up-level devices, then the down-level devices won't be onboarded. The optional Workspace key and Workspace ID fields are used for onboarding down-level devices, but if they aren't included then the policy will fail on down-level clients.
In Configuration Manager 2006, or earlier:
- If you edit an existing policy to add or edit the Workspace key and Workspace ID fields, you must also provide the configuration file. If all three items are not provided, the policy will fail on down-level clients.
- If you need to edit the onboarding file, and also have the Workspace key and Workspace ID fields populated, provide them again along with the onboarding file. If all three items are not provided, the policy will fail on down-level clients.
Onboard devices with any supported operating system to Microsoft Defender for Endpoint (recommended)
You can onboard devices running any of the supported operating systems to Microsoft Defender for Endpoint by providing the configuration file, Workspace key, and Workspace ID to Configuration Manager.
Get the configuration file, workspace ID, and workspace key
Go to the Microsoft Defender for Endpoint online service and sign in.
Select Settings, then select Onboarding under the Endpoints heading.
For the operating system, select Windows 10 and 11.
Choose Microsoft Endpoint Configuration Manager current branch and later for the deployment method.
Click Download package.
Download the compressed archive (.zip) file and extract the contents.
Select Settings, then select Onboarding under the Device management heading.
For the operating system, select either Windows 7 SP1 and 8.1 or Windows Server 2008 R2 SP1, 2012 R2 and 2016 from the list.
- The Workspace key and Workspace ID will be the same regardless of which of these options you choose.
Copy the values for the Workspace key and Workspace ID from the Configure connection section.
Important
The Microsoft Defender for Endpoint configuration file contains sensitive information which should be kept secure.
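As an added example (not part of this page or of Configuration Manager's own tooling), the following PowerShell restricts NTFS permissions on the folder where you extracted the onboarding package so that only SYSTEM and the local Administrators group can read it. The folder path is a placeholder. It protects only your working copy on disk; the copy that Configuration Manager stores after you complete the policy wizard is outside its scope.

```powershell
# Added example: lock down the folder holding the extracted onboarding package.
# $PackageFolder is a placeholder; replace it with your extraction path.
param(
    [string]$PackageFolder = 'C:\MDE\OnboardingPackage'   # placeholder path
)

if (-not (Test-Path -LiteralPath $PackageFolder)) {
    throw "Folder not found: $PackageFolder"
}

$acl = Get-Acl -LiteralPath $PackageFolder

# Stop inheriting permissions from the parent folder and discard the inherited entries
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit (non-inherited) entries that remain, e.g. broad Users grants
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Re-grant Full Control to SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544),
# inherited by every file and subfolder under the package folder
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
    $identity = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sid
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($identity, 'FullControl', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}

Set-Acl -LiteralPath $PackageFolder -AclObject $acl

# Show the resulting entries so the change can be reviewed
(Get-Acl -LiteralPath $PackageFolder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType
```

Run it from an elevated PowerShell session. The well-known SIDs are used instead of account names so the script behaves the same on systems with a non-English Administrators group name.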
Onboard the devices
In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection > Microsoft Defender ATP Policies.
Select Create Microsoft Defender ATP Policy to open the policy wizard.
Type the Name and Description for the Microsoft Defender for Endpoint policy and select Onboarding.
Browse to the configuration file you extracted from the downloaded .zip file.
Supply the Workspace key and Workspace ID then click Next.
Specify the file samples that are collected and shared from managed devices for analysis.
- None
- All file types
Review the summary and complete the wizard.
Right-click on the policy you created, then select Deploy to target the Microsoft Defender for Endpoint policy to clients.
Important
In Configuration Manager 2006, or earlier:
- If you edit an existing policy to add or edit the Workspace key and Workspace ID fields, you must also provide the configuration file. If all three items are not provided, the policy will fail on down-level clients.
- If you need to edit the onboarding file, and also have the Workspace key and Workspace ID fields populated, provide them again along with the onboarding file. If all three items are not provided, the policy will fail on down-level clients.
Onboard devices running only up-level operating systems to Microsoft Defender for Endpoint
Up-level clients require an onboarding configuration file for onboarding to Microsoft Defender for Endpoint. Up-level operating systems include:
- Windows 11
- Windows 10, version 1607 and later
- Windows Server Semi-Annual Channel (SAC), version 1803 and later
- Windows Server 2019
- Windows Server 2022
If your target collection contains both up-level and down-level devices, or if you're not sure, then use the instructions to onboard devices running any supported operating system (recommended).
Get an onboarding configuration file for up-level devices
- Go to the Microsoft Defender Security Center and sign in.
- Select Settings, then select Onboarding under the Endpoint heading.
- For the operating system, select Windows 10 and 11.
- Choose Microsoft Endpoint Configuration Manager current branch and later for the deployment method.
- Click Download package.
- Download the compressed archive (.zip) file and extract the contents.
Important
- The Microsoft Defender for Endpoint configuration file contains sensitive information which should be kept secure.
- If your target collection contains down-level devices, and you use the instructions for onboarding only up-level devices, then the down-level devices won't be onboarded. The optional Workspace key and Workspace ID fields are used for onboarding down-level devices, but if they aren't included then the policy will fail on down-level clients.
Onboard the up-level devices
- In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection > Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy. The policy wizard opens.
- Type the Name and Description for the Microsoft Defender for Endpoint policy and select Onboarding.
- Browse to the configuration file you extracted from the downloaded .zip file.
- Specify the file samples that are collected and shared from managed devices for analysis.
- None
- All file types
- Review the summary and complete the wizard.
- Right-click on the policy you created, then select Deploy to target the Microsoft Defender for Endpoint policy to clients.
Monitor
In the Configuration Manager console, navigate to Monitoring > Security and then select Microsoft Defender ATP.
Review the Microsoft Defender for Endpoint dashboard.
- Microsoft Defender ATP Agent Onboarding Status: the number and percentage of eligible managed client computers with an active Microsoft Defender for Endpoint policy that are onboarded.
- Microsoft Defender ATP Agent Health: the percentage of client computers reporting status for their Microsoft Defender for Endpoint agent:
  - Healthy: working properly
  - Inactive: no data sent to the service during the time period
  - Agent state: the system service for the agent in Windows isn't running
  - Not onboarded: the policy was applied, but the agent hasn't reported that it is onboarded
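The dashboard reports state centrally; when a device shows as "Agent state" or "Not onboarded" you usually want to confirm the same facts on the client itself. The following PowerShell is an added example, not from this page or from Configuration Manager, that checks the local signals behind those buckets. The registry location (HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status, value OnboardingState = 1 when onboarded) and the service names (Sense for up-level devices, HealthService for the Microsoft Monitoring Agent on down-level devices) are assumptions drawn from Defender for Endpoint troubleshooting guidance rather than from this page. "Inactive" cannot be determined locally, since it depends on what the cloud service has received.

```powershell
# Added example: local check of Microsoft Defender for Endpoint onboarding state.
# Registry path and service names are assumptions from MDE troubleshooting guidance.
function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        OnboardingState = $null      # 1 = onboarded (value written by the Sense agent)
        SenseService    = 'Missing'  # Windows Defender Advanced Threat Protection Service (up-level OS)
        MmaService      = 'Missing'  # Microsoft Monitoring Agent HealthService (down-level OS)
        Verdict         = 'Not onboarded'
    }

    if (Test-Path -LiteralPath $statusKey) {
        $props = Get-ItemProperty -LiteralPath $statusKey -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.OnboardingState) {
            $result.OnboardingState = [int]$props.OnboardingState
        }
    }

    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($sense) { $result.SenseService = $sense.Status.ToString() }

    $mma = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    if ($mma) { $result.MmaService = $mma.Status.ToString() }

    # Map the local facts onto the buckets the Configuration Manager dashboard uses.
    # On MMA-based down-level devices the OnboardingState value may be absent, so a
    # running HealthService is reported separately rather than treated as proof of onboarding.
    if ($result.OnboardingState -eq 1) {
        if ($result.SenseService -eq 'Running') {
            $result.Verdict = 'Healthy'
        } else {
            $result.Verdict = 'Agent state: Sense service not running'
        }
    } elseif ($result.MmaService -eq 'Running') {
        $result.Verdict = 'MMA running; confirm onboarding in the dashboard'
    }

    [pscustomobject]$result
}

Get-MdeOnboardingStatus | Format-List
```

Run it in an elevated session on the client in question; a device the dashboard lists as "Not onboarded" with OnboardingState absent and both services missing points at the policy or package not having applied, while OnboardingState = 1 with the Sense service stopped matches the "Agent state" bucket.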
Create an offboarding configuration file
Sign in to the Microsoft Defender Security Center.
Select Settings, then select Offboarding under the Endpoint heading.
Select Windows 10 and 11 for the operating system and Microsoft Endpoint Configuration Manager current branch and later for the deployment method.
- Using the Windows 10 and 11 option ensures that all devices in the collection are offboarded and the MMA is uninstalled when needed.
Download the compressed archive (.zip) file and extract the contents. Offboarding files are valid for 30 days.
In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection > Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy. The policy wizard opens.
Type the Name and Description for the Microsoft Defender for Endpoint policy and select Offboarding.
Browse to the configuration file you extracted from the downloaded .zip file.
Review the summary and complete the wizard.
Select Deploy to target the Microsoft Defender for Endpoint policy to clients.
Important
The Microsoft Defender for Endpoint configuration file contains sensitive information which should be kept secure.