
Defender for Endpoint (EDR) Onboarding


Because EDR onboarding is tied directly to your specific tenant's Microsoft Graph connector, it cannot be imported via an OIB JSON file. It must be created manually.

Step 1: Enable the Connection in Defender

First, you have to tell Defender to allow Intune to talk to it.

  1. Open a new tab and log in to your GCC High Microsoft Defender portal (typically security.microsoft.us).
  2. In the left-hand navigation pane, scroll down and click Settings, then select Endpoints.
  3. Under the General section on the left menu, click Advanced features.
  4. Scroll down the list of features until you find Microsoft Intune connection .
  5. Toggle this setting to On.
  6. Click Save preferences at the bottom of the page.

Step 2: Enable the Connection in Intune

Now you need to flip the switches on the Intune side.

  1. Return to the Intune admin center tab (Endpoint security > Microsoft Defender for Endpoint).
  2. Click the Refresh button at the top of the page. The connection status should change from "Unavailable" to "Available" or "Enabled".
  3. The blue information banner and the grayed-out settings will disappear, revealing the connector toggles.
  4. Under MDM Compliance Policy Settings, turn on: Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint.
  5. (Optional but Recommended): Turn on Block unsupported OS versions if it is an option.
  6. Click Save at the top.

Step 3: Create the EDR Onboarding Profile in Intune

  1. Log in to the GCC High Intune Admin Center.
  2. Navigate to Endpoint Security > Endpoint detection and response.
  3. Click Create Profile.
  4. Select Platform: Windows.
  5. Select Profile: Endpoint detection and response, then click Create.
  6. Name the profile Win - Custom - ES - Defender for Endpoint Onboarding.
  7. In the Configuration settings step, configure the following:
    • Microsoft Defender for Endpoint client configuration package type: Select Onboard.
    • Sample Sharing: Select None. This setting controls whether the sensor can upload file samples to Microsoft's cloud for analysis; None is recommended for CMMC so that CUI-bearing files are not inadvertently sent to Microsoft.
    • [Deprecated] Telemetry Reporting Frequency: Leave as Not configured (Crucial for GCC High to prevent constant error states).
  8. Click Review + save and assign to your deployment rings.
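Once the profile reaches a device, it is worth confirming that onboarding actually succeeded rather than trusting the Intune status tile. The script below is an added example, not part of the original article: it runs elevated on a Windows endpoint and reads the Defender for Endpoint status and policy registry keys, the Sense service state, and recent sensor errors. The registry paths and value names are Microsoft's documented MDE locations; the expected OrgId is an assumption and must be replaced with your tenant's value (visible under Status\OrgId on a known-good device or in the Defender portal).

```powershell
# Added example (not the article's code): verify MDE onboarding on a device that received
# the "Win - Custom - ES - Defender for Endpoint Onboarding" profile. Run as administrator.

$ExpectedOrgId = '00000000-0000-0000-0000-000000000000'   # assumption: replace with your tenant's MDE OrgId

$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Get-MdeOnboardingReport {
    $result = [ordered]@{}

    # Sense is the MDE sensor service; it stays stopped until onboarding parameters are present.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # OnboardingState = 1 means the onboarding package was applied successfully.
    $status = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
    $result.OnboardingState      = $status.OnboardingState
    $result.OrgId                = $status.OrgId
    $result.OrgIdMatchesExpected = ($status.OrgId -eq $ExpectedOrgId)

    # The EDR profile's "Sample Sharing" setting lands here: 0 = None, 1 = All files.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $result.AllowSampleCollection = $policy.AllowSampleCollection

    # Error-level events from the sensor in the last hour usually mean it cannot reach the
    # service (proxy/firewall blocking the MDE URLs) or the onboarding blob was rejected.
    $errors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        Level     = 2
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue
    $result.RecentSenseErrors = @($errors).Count

    # Healthy only when the sensor runs, onboarding completed against the expected tenant,
    # sample sharing is off (the CMMC recommendation above), and nothing is erroring.
    $result.Healthy = ($result.SenseServiceStatus -eq 'Running') -and
                      ($result.OnboardingState -eq 1) -and
                      $result.OrgIdMatchesExpected -and
                      ($result.AllowSampleCollection -eq 0) -and
                      ($result.RecentSenseErrors -eq 0)

    [pscustomobject]$result
}

$report = Get-MdeOnboardingReport
$report | Format-List
if (-not $report.Healthy) { exit 1 }
```

The OrgId check is the one that catches the GCC High-specific failure mode: a device onboarded with a package downloaded from the wrong (commercial) tenant will show OnboardingState = 1 and a running Sense service, but report to a tenant you do not own. The non-zero exit code makes the script usable as an Intune compliance or remediation detection script across your deployment rings.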
