Forum Discussion

Ari_R420
Copper Contributor
Feb 16, 2022

Defender for Endpoint On-boarding Differences

Hi There,


I am trying to deploy Defender for Endpoint via MEM using Plan 2 licensing.


With the initial device on-boarding, there appear to be two ways to do the on-boarding:


  • Devices > Configuration Profiles
  • Endpoint Security > Endpoint Detection and Response


What is the difference between the two methods?


If I am trying to slot Defender with a second AV product, can this be done via both methods?

6 Replies

  •
    cHaZzY
    Brass Contributor
    As far as I learned, you should only use one of the two spaces to define your configurations, to not mess things up - especially to not create any conflicts with two profiles with different settings.
    •
      shehanjp
      Iron Contributor
      Yes true. Definitely not to make any policy conflicts as they both have similar settings in it.
  •
    shehanjp
    Iron Contributor
    Hi,
    There are 2 methods by which you can onboard your devices. Both will have a similar outcome, and there are no restrictions on using either.

    Also, if you are trying to make a different AV product the primary AV on the computer, you can still use some features hand in hand with Defender AV (provided you have enabled ‘EDR in block mode’ in your Defender for Endpoint portal).

    Please check my blog, which I wrote specifically about onboarding and how to run Defender AV in parallel.

    https://shehanperera.com/mdeseries/

    Thanks.

    •
      Ari_R420
      Copper Contributor
      Hi shehanjp,

      I appreciate you taking the time to respond to my post.

      Your Option 4 is where I see a lot of differences in the Defender literature.
      https://shehanperera.com/2022/01/26/4-onboarding/

      Some say you only need the config policy if you don't have an API connection between Defender and Intune:
      https://youtu.be/TK3s_Hgc6kk?t=157

      And both your post and your YouTube video are a bit different from some of the MS Docs, which I think recommend on-boarding devices in Defender through an Endpoint > Endpoint Detection and Response profile:

      https://docs.microsoft.com/en-us/learn/modules/m365-get-started-defender-endpoint/set-up-onboard-devices?ns-enrollment-type=LearningPath&ns-enrollment-id=learn-m365.m365-defender-endpoint-secure-organization

      I see the value in having a policy there in case the API fails or is experiencing degradation, but whether I do that through Configuration Profiles or through Endpoint Security is a little confusing as Defender literature is a bit contradictory.
      •
        shehanjp
        Iron Contributor

        Hi Ari_R420,


        I think what he is discussing in the YouTube clip is this section of the page https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure#create-the-device-configuration-profile-to-onboard-windows-devices

        Also, I guess you are correct, and my apologies for directing you down the wrong path. I have also amended my blog post, so thanks for pointing that out 🙂


        It sounds like when you set up the connection between Defender and Intune, Defender will send the onboarding/offboarding packages to Intune and you are all set.

        You can use the config profiles as a backup, but then you must see the options to specify onboarding and offboarding blobs in the settings - meaning the API connection is not successful.

        I believe Endpoint Security > Microsoft Defender for Endpoint > Create a device configuration profile to configure Microsoft Defender for Endpoint sensor goes to the same place as Tenant Administration > Connectors and Tokens > Microsoft Defender for Endpoint.


        Hope this clears the issue 🙂


        Cheers!
        Shehan.
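Whichever Intune path delivers the onboarding (the Configuration Profile or the Endpoint Security EDR profile discussed above), and whether or not a second AV product is primary as shehanjp describes, the device itself records the result. The script below is an added example, not code from anyone in this thread; it assumes a Windows 10/11 device with the built-in Defender PowerShell module, run from an elevated prompt, and reads the documented `OnboardingState` registry value, the `Sense` sensor service and the `AMRunningMode` reported by `Get-MpComputerStatus`.

```powershell
# Added example: report whether MDE onboarding actually landed on this device
# and how Defender AV is coexisting with any other AV product.
# Assumes Windows 10/11 with the Defender module; run elevated.

function Get-MdeOnboardingReport {
    [CmdletBinding()]
    param()

    # MDE writes its onboarding status here: 1 = onboarded, 0 = offboarded,
    # key absent = the onboarding package never ran on this device.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = $null
    if (Test-Path $statusKey) {
        $onboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    # "Sense" is the MDE EDR sensor service; it should be Running once onboarded.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # AMRunningMode shows how Defender AV behaves next to another AV:
    # Normal, Passive Mode, EDR Block Mode, SxS Passive Mode, or Not running.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $runningMode = if ($mp) { $mp.AMRunningMode } else { 'Unknown' }
    $realTime    = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OnboardingState = $onboardingState
        SenseService    = $senseStatus
        AMRunningMode   = $runningMode
        RealTimeEnabled = $realTime
        Onboarded       = [bool]($onboardingState -eq 1 -and $senseStatus -eq 'Running')
    }
}

$report = Get-MdeOnboardingReport
$report | Format-List

if (-not $report.Onboarded) {
    Write-Warning 'Device is not reporting as onboarded; check the Intune EDR profile or the Defender connector.'
}
elseif ($report.AMRunningMode -eq 'Passive Mode') {
    # Third-party AV is primary and Defender AV is passive; with EDR in block mode
    # enabled in the MDE portal this would read 'EDR Block Mode' instead.
    Write-Host 'Defender AV is in passive mode; EDR sensor is onboarded.'
}
```

Run it on a pilot device after each of the two Intune paths to confirm they produce the same end state, which is what the replies above claim.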