How to onboard a Windows device to MDE using Intune
Microsoft Intune can onboard a device to Microsoft Defender for Endpoint (MDE), which helps protect the device against a security breach.
Prerequisites
Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Enterprise E5) licensed tenant
Intune-managed Windows 10 devices that are also Azure AD joined
MDE and access to the Microsoft Defender Security Center (ATP portal)
To onboard a device to MDE (Defender ATP) using Intune, there are a couple of steps to complete:
Establish a service-to-service connection
Enable MDE (Defender ATP) in the Intune portal
Sign in to the Intune portal (to access your tenant), navigate to Device Compliance, select Microsoft Defender ATP and enable it by switching the toggle from Off to On (Connect Windows devices version 10.0.15063 and above to Microsoft Defender ATP).
Enable the corresponding setting in the Windows Defender portal as well: under Advanced features, toggle Microsoft Intune Connector to On and commit by selecting Save preferences.
Once this is completed, the connection status shows as Enabled in the Intune portal.
Device configuration settings in Intune to push the profile to the device
In Device configuration, navigate to Profiles and select Create profile to create a new profile; provide a profile name (I had given Windows Defender ATP since it’s a test environment).
Provide the name, select the platform as Windows 10 and later, and the profile type as Microsoft Defender ATP (Windows 10 Device).
Sample sharing for all files: Enable allows samples to be collected and shared with Microsoft Defender ATP. For example, if you see a suspicious file, you can submit it to Microsoft Defender ATP for deep analysis. Not configured doesn’t share any samples with Microsoft Defender ATP.
Expedite telemetry reporting frequency: For devices that are at high risk, enable this setting so it reports telemetry to the Microsoft Defender ATP service more frequently.
Enable the settings accordingly. Under Applicability rules, add rules as required to assign or not assign the profile under given conditions.
Select OK, and then Create to save your changes; this creates the profile and assigns it to a device assignment group.
Set a compliance policy to define the accepted level of risk
Under Device compliance, create a new policy and name it Windows 10 compliance (or as required); select the platform as Windows 10 and later. Set Device Health, Device Properties, Configuration Manager Compliance (if Intune shares workloads with SCCM), System Security, and Microsoft Defender ATP. Under Microsoft Defender ATP, set the machine risk score as Clear, Low, Medium, or High:
Clear: This level is the most secure. The device can’t have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. (Microsoft Defender ATP uses the value Secure.)
Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels aren’t compliant.
Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
High: This level is the least secure and allows all threat levels. So devices with high, medium, or low threat levels are considered compliant.
Select OK, and then Create to save your changes; this creates the compliance policy and assigns it to a device assignment group.
Create a conditional access policy to enforce that the device has Windows Defender ATP pushed to it and is compliant
Select Conditional Access in the Intune portal, select New policy and enter the policy name.
Select the users and groups to which the policy should apply, exclude any group for which the policy should not be enforced, and select Done.
Select Cloud apps and choose which apps to protect. For example, choose Select apps and select Office 365 Exchange Online, plus other applications as required, and select Done.
Select Conditions, then Client apps, to apply the policy to apps and browsers. For example, select Yes, then enable Browser and Mobile apps and desktop clients, and other apps as well; this can be restricted accordingly. Select Done.
Select Grant to apply Conditional Access based on device compliance. For example, select Grant access and Require device to be marked as compliant, then choose Select to save the settings.
Select Enable policy to enable the conditional access policy.
To view onboarding status in Intune, go to Device compliance and then Microsoft Defender ATP; you can see the devices with the ATP sensor and those without it.
In the Windows Defender portal you can see the device details in the machine list once the device is enrolled with Intune using Autopilot or Windows enrollment.
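The portal views above show onboarding state from the service side; the script below, added here as an example and not part of the original post, checks the same state from the endpoint itself (Sense service, sensor status key, and the local sample-sharing policy). The registry value names OnboardingState, OrgId and AllowSampleCollection are assumed from the Defender ATP sensor's status and policy keys.

```powershell
# Added example: verify MDE onboarding on a device that received the Intune profile.
# Run in an elevated PowerShell session on the device. Value names are assumptions
# taken from the Defender ATP sensor status/policy keys, not from the original post.

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Test-MdeOnboarding {
    $result = [ordered]@{
        SenseServiceState   = 'NotInstalled'
        OnboardingState     = $null
        OrgId               = $null
        SampleSharingPolicy = 'Not configured'
        Onboarded           = $false
    }

    # The MDE sensor runs as the 'Sense' service; it must exist and be running.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseServiceState = $svc.Status.ToString() }

    # OnboardingState becomes 1 once the onboarding package pushed by the profile has applied;
    # OrgId identifies the tenant the sensor reports to (assumed value names).
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($status) {
        $result.OnboardingState = $status.OnboardingState
        $result.OrgId           = $status.OrgId
    }

    # AllowSampleCollection (assumed value name) mirrors the "Sample sharing for all files"
    # profile setting: 1 = enabled, 0 = disabled, absent = not configured.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($policy -and $null -ne $policy.AllowSampleCollection) {
        $result.SampleSharingPolicy = if ($policy.AllowSampleCollection -eq 1) { 'Enabled' } else { 'Disabled' }
    }

    $result.Onboarded = ($result.SenseServiceState -eq 'Running' -and
                         $result.OnboardingState -eq 1 -and
                         -not [string]::IsNullOrEmpty($result.OrgId))
    return [pscustomobject]$result
}

$report = Test-MdeOnboarding
$report | Format-List
if (-not $report.Onboarded) {
    Write-Warning 'Device is not fully onboarded to MDE; check the Intune profile assignment and the Sense service.'
    exit 1
}
```

A device that shows without sensor in the Intune view should fail this check locally, which narrows the problem to profile delivery or the Sense service rather than the service-to-service connection.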