Defender for Endpoint On-boarding Differences

Copper Contributor

Hi There,

 

I am trying to deploy Defender for Endpoint via MEM using Plan 2 licensing.

 

With the initial device on-boarding, there appears to be two ways to do the on-boarding:

 

  • Devices > Configuration Profiles
  • Endpoint Security > Endpoint Detection and Response

 

What is the difference between the two methods?


If I am trying to slot Defender with a second AV product, can this be done via both methods?

6 Replies
Hi,
They are 2 methods where you can onboard your devices. Both will have the similar outcome and no restrictions on using either.

Also if you trying to make a different A. Product the primary AV in the computer, you can still use some features hand in hand with the Defender AV (provided if you have enabled ‘EDR in block mode’ in your Defender For Endpoint portal.

Please check my blog which I specifically wrote about on Onboarding and how to parallel run the Defender AV.

https://shehanperera.com/mdeseries/

Thanks.

As far as I learned, you should only use of of the two spaces to define your Configurations, to not mess things up - especially to not create any conflicts with two profiles with different settings.
Yes true. Definitely not to make any policy conflicts as they both have similar settings in it.
Hi @shehanjp

I appreciate you taking the time to respond to my post.

Your Option 4 is where I see a lot of differences in the Defender literature.
https://shehanperera.com/2022/01/26/4-onboarding/

Some say you only need the config policy if you don't have an API connection between Defender and Intune:
https://youtu.be/TK3s_Hgc6kk?t=157

And both your post/Youtube are a bit different from some of the MS Docs, which I think is recommending on-boarding devices in Defender through an Endpoint > Endpoint Detection and Response profiles:

https://docs.microsoft.com/en-us/learn/modules/m365-get-started-defender-endpoint/set-up-onboard-dev...

I see the value in having a policy there in case the API fails or is experiencing degradation, but whether I do that through Configuration Profiles or through Endpoint Security is a little confusing as Defender literature is a bit contradictory.

Hi @Ari_R420,

 

I think what he is discussing in the YouTube clip is this section of the page Configure Microsoft Defender for Endpoint in Microsoft Intune | Microsoft Docs

Also I guess you are correct and my apologies for directing you in a wrong path and I also have amend my blog post, so thanks for pointing that out :)

 

It sounds like when you set the connection between Defender and Intune, Defender will send the onboarding/ offboarding packages to Intune and you are all set.

You can use the config profiles as a backup but then you must see the options to specify onboarding and offboarding blobs in the settings - meaning the API connection is not successful.

I believe the Endpoint SecurityMicrosoft Defender for Endpoint >Create a device configuration profile to configure Microsoft Defender for Endpoint sensor goes to the same place as Tenant Administration > Connectors and Tokens > Microsoft Defender for Endpoint

 

Hope this clears the issue :)

 

Cheers!
Shehan.

Yep @shehanjp is correct here - Just enable Defender/Intune integration and deploy using Endpoint Security, the onboarding blob etc is taken care of automatically