Defender for Endpoint - What is it? And how do I on-board Windows Devices?

Ransomware is one of, if not the most, dangerous threat to organizations, and smaller businesses sometimes lack the resources to implement a security solution. Cyber attack threat scenarios have become more complicated than ever. Organizations with limited resources attempt to keep up with the going-ons while ensuring they have a zero-trust security policy that adapts in response to emerging threats and their own organizational needs.

However, the destination remains one of the most frequently targeted sites. New malware and ransomware are among the most prevalent dangers to these endpoints. Ransomware will continue to be a problem in the second half of 2021, and new, more sophisticated attacks will emerge. The financial harm to enterprises is growing, and the impact is felt not just in the private sector, but also in public infrastructure and a variety of industries.

Microsoft security researchers have seen a nearly 121% increase in enterprise ransomware infections between July 2020 and July 2021 (source: Introducing Microsoft Defender for Endpoint Plan 1 - Microsoft Tech Community).

So what does Microsoft have to say to this?

At least they’re trying!


Microsoft Defender for Endpoint

“Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Defender for Endpoint provides advanced threat protection that includes antivirus, antimalware, ransomware mitigation, and more, together with centralized management and reporting.” (thanks for the introduction Microsoft docs).

Since August 2021, Defender for Endpoint has been split between two plans:

  • Plan 1 is designed for smaller businesses with limited resources searching for a security solution for their environment.
  • Plan 2 contains everything that was part of Defender for Endpoint previously.

With Microsoft Defender for Endpoint P1, you get the following core features:

  • Cloud-based anti-malware with built-in AI that stops ransomware, known and unknown malware and other threats right from the start.
  • Attack surface reduction capabilities that alert the device, prevent zero-days, and provide granular control over access and behavior on the endpoint.
  • Device-based access control that provides an additional layer of data protection and security breach prevention, enabling a zero-trust approach.

Whereas Microsoft Defender for Endpoint P2 includes:

  • Endpoint Detection and Response providing added protection when Microsoft Defender Antivirus is running in passive mode.
  • Automated Investigation and Remediation featuring advanced protection from security breaches and attacks.
  • Automated Investigation and Response which significantly lowers the time taken to remediate an attack, ensuring the business can get back online more quickly.

As the capabilities in Plan 2 are AI-driven, rather than definition based, organizations will be ahead of, and protected against, the latest malware, threats, and zero days.

Onboarding our devices to Defender for Endpoint

There are several ways you can on-board devices into Defender for Endpoint:

  • Local Script: If you're onboarding a few devices, you can choose this method. Learn more about onboarding with a local script
  • Intune: You can use Microsoft Endpoint Manager (MEM), which includes Microsoft Intune, to onboard all your organization's devices. Learn more about onboarding with MEM
  • Group Policy: If your organization is using Group Policy to configure devices, you can choose this method. Learn more about onboarding with Group Policy
  • System Center Configuration Manager (SCCM)/Microsoft Endpoint Manager (MEM): This option is for on-premises environments. Learn more about onboarding with SCCM onboarding with SCCM
  • VDI onboarding scripts: If you're using virtual desktop infrastructure (VDI) devices, use this method to onboard them. Learn more about onboarding VDI devices

We’ll be looking at the first three. Namely the Intune way; the local script way; and the Group Policy way. Let’s start with the Local Script method.


Local Script on-boarding

Microsoft has regressed from saying that this onboarding method can only be used on up to 10 devices to saying that the script is for testing purposes. This is due to the data reporting frequency is set higher than with other onboarding methods when onboarding using a local script.

Now I agree with Microsoft that this method is optimized for onboarding a single machine and should not be used for large scale deployment but for older, more brownfield tenants, you want this option to be available. Now that said, the onboarding script does reference TelemetryCriticalOptions but I’m not sure if that’s defining the telemetry option or is just the name of the variable EventSourceOptions is calling but I’d bet dollars-to-doughnuts it’s the former and the other telemetry options just aren’t documented. In which case you should, in theory, be able to find out the right variable for the telemetry source you want.

Regardless, I haven’t tried. Because this method is just for testing and shouldn’t be used widespread. But with that bit of throwaway theory aside…

From the Microsoft 365 Security Portal, navigate to Settings > Endpoints > Device management > Onboarding.

Go to Onboarding > Select the Local Script option and then the Download onboarding package option.

Open the script in an elevated prompt as an administrator.

Running the script on a device creates a trust with Azure Active Directory (Azure AD) and enrolls the device with Microsoft Intune.

And you should see the device in Security Center 😊,

Endpoint Manager / Intune        

Microsoft Defender for Endpoint integrates seamlessly into Intune. At least in theory. Instead of running a script manually, or pushing a group policy out on-premises, this is the cloud solution.

But if you go to Intune > Endpoint Security > Microsoft Defender for Endpoint; you’ll first be met with this sorry status 😥.

So, first you need to activate the Intune integration once during the initial setup and your reports will flow into Intune. Head to Microsoft 365 Security Portal and select Settings > Endpoints >Advanced features. For Microsoft Intune connection, choose On, and Save preferences.

Now  if you go to Intune > Endpoint Security > Microsoft Defender for Endpoint; you’ll first be met with this happy status 😀.

Now we need to create a Device Configuration Profile to let our Intune devices know they need to be onboarded to Defender for Endpoint. So, while still in Intune, select Endpoint security > Endpoint detection and response > Create Policy. For Platform, select Windows 10 and Later. For Profile type, select Endpoint detection and response, and then select Create.

On the Basics page, enter a Name and Description (optional) for the profile, then choose Next. On the Configuration settings page, configure the following options for Endpoint Detection and Response:

  • Block sample sharing for all files: Returns or sets the Microsoft Defender for Endpoint Sample Sharing
  • Expedite telemetry reporting frequency: For devices that are at high risk, Enable this setting so it reports telemetry to the Microsoft Defender for Endpoint service more frequently.

Push the device configuration out to whatever groups; the same way as you would push anything else out via Intune.

Have a look in Security Center and see if your devices are on-boarded.

To further validate if the devices are piping info through to Security Center, run the following in an elevated prompt, and an alert should pop-up in Security Center within the next 10-15 minutes:

New-Item -Path " C:\test-MDATP-test" -ItemType "directory"; powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

Group Policy on-boarding

Instead of running the script manually, this method utilizes your on-premises ADDC infrastructure to push the on-boarding script out automatically. But if you’re reading this, you probably already know that, and are reading my substitute Lorem ipsom introductory block script 😉.  

From the Microsoft 365 Security Portal, navigate to Settings > Endpoints > Device management > Onboarding. Group Policy and download the onboarding package.

Unzip the contents of file to a shared, read-only area that the device can access. There should be a folder called OptionalParamsPolicy and a file called WindowsDefenderATPOnboardingScript.cmd in there.

Launch the Group Policy Management Console (GPMC), and either create a new GPO or right-click the Group Policy Objects you want to customize.

Navigate to Computer configuration > Preferences > Control panel > Right-click Scheduled Tasks. Choose New, and then Immediate Task (At least Windows 7).

Navigate to the General tab in the Task window that appears. Under Security Options, select Change User or Group and enter SYSTEM, then select Check Names and OK.

NT AUTHORITY SYSTEM appears as the user account under which the job will run. Select Run regardless of whether the user is signed in or not, and then tick the Run with highest rights check box.

Enter a suitable nme for the scheduled task in the Name area (for example, Defender for Endpoint Deployment). Navigate to the Actions tab and click New... In the Action field, make sure that Start a program is chosen. Enter the UNC path of the shared WindowsDefenderATPOnboardingScript.cmd file, using the file server's fully qualified domain name (FQDN).

In my quick ‘n dirty homelab style, I made a shared folder so my path looks like this:

\\WINS2022 \Users\Administrator\Documents\PUBLIC\WindowsDefenderATPOnboardingPackage\WindowsDefenderATPOnboardingScript.cmd

Select OK and close any open GPMC windows. To link the GPO to an Organization Unit (OU), right-click and select Link an existing GPO. In the dialogue box that is displayed, select the Group Policy Object that you wish to link. Click OK.