Deploy Microsoft Defender ATP Baseline with Intune (no Defender ATP license required!)
Question: Can you deploy the Defender ATP baseline in Intune without a license for Microsoft Defender for Endpoint (formerly Defender Advanced Threat Protection)?
Answer: Yes!
In our last blog post, Configure Microsoft Defender Antivirus with Intune, we covered how Defender Antivirus, although it is a component of Defender for Endpoint, can be configured through Intune without the additional license. Defender for Endpoint, when configured, provides additional functionality on top of Defender Antivirus. So if you’ve ever thought about deploying the Defender ATP Baseline with Intune but didn’t have the ATP/Defender for Endpoint license, you can! Let’s go over the process.
First, I’ll prove that I don’t have Defender for Endpoint enabled by heading to securitycenter.windows.com:
And for extra proof, we would also see it in the Setup section of Endpoint security pane in the Microsoft Endpoint Manager admin center:
Now we’re good to start. First, head over to the Microsoft Endpoint Manager admin center and click Endpoint security > Security baselines > Microsoft Defender ATP Baseline:
Then click + Create profile.
Provide a name for the profile, and then click Next. Per the docs article, the configuration settings on the next pane “represent the recommended configuration for ATP.” Unless there is a business requirement otherwise, I would leave these settings at their defaults and click Next.
Then assign the profile to the groups you want to target, and click Create!
And that’s it! Once the device has synced, you’ll see that the settings have applied in both the Settings app and Windows Security app:
In the portal, we will see that the Defender ATP baseline profile has succeeded:
We can also verify the baseline has applied by heading to Devices > Device name; under Endpoint security configuration we can see the profile:
Then if we click the profile, we can see the success state of each setting for this device:
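As an added example (not part of the original post), the same verification can be done from the device itself instead of the Settings app or the portal. The script below uses the built-in Get-MpPreference and Get-MpComputerStatus cmdlets and reads the MDM-delivered Defender policy values from the PolicyManager registry key, which shows that a setting arrived via Intune rather than from local configuration. The “expected” values in the $expected table are this example’s assumptions about what the baseline profile enforces; align them with the settings shown in your own profile before trusting the compliance column.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on a Windows 10 device that has synced with Intune.
# The expected values below are assumptions for this example; adjust them to
# match the settings configured in your baseline profile.
$expected = @{
    DisableRealtimeMonitoring = $false   # real-time protection on
    DisableBehaviorMonitoring = $false   # behaviour monitoring on
    DisableIOAVProtection     = $false   # scan downloaded files and attachments
    DisableScriptScanning     = $false   # script scanning on
    MAPSReporting             = 2        # cloud-delivered protection: advanced
    SubmitSamplesConsent      = 1        # send safe samples automatically
    PUAProtection             = 1        # block potentially unwanted apps
    EnableNetworkProtection   = 1        # network protection in block mode
}

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Compare each effective preference with the value the baseline should enforce
$results = foreach ($name in $expected.Keys) {
    $actual = $pref.$name
    [pscustomobject]@{
        Setting   = $name
        Expected  = $expected[$name]
        Actual    = $actual
        Compliant = ($actual -eq $expected[$name])
    }
}
$results | Sort-Object Setting | Format-Table -AutoSize

# Engine-level state that Get-MpPreference does not expose
[pscustomobject]@{
    AntimalwareServiceEnabled = $status.AMServiceEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    TamperProtected           = $status.IsTamperProtected
    SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
} | Format-List

# Policy values pushed through the Defender CSP land under this key; if it is
# missing, the device has most likely not synced the profile yet.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
} else {
    Write-Warning "No MDM Defender policy found at $policyKey. Has the device synced?"
}

# Non-zero exit code makes the script usable from a scheduled check or Proactive Remediation
$nonCompliant = @($results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the expected baseline values." -f $nonCompliant.Count)
    exit 1
}
```

A mismatch in the Compliant column usually means one of three things: the device has not synced yet (check the PolicyManager output), the profile was not assigned to a group the device belongs to, or a local Group Policy or another Intune profile is setting a conflicting value, which the per-setting state shown in the portal for the device will also flag.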
Happy securing! 🤖
Why did you create a new policy instead of assigning the default baseline policy? Was it only for testing purposes? I guess you will not receive any new versions if you’re creating your own baseline policy.
As far as I know, there is no default baseline policy to assign. A baseline must be incorporated into a profile to be able to target users. Let me know if I missed this somewhere, happy to update this post with more info. The baseline associated with a profile can also be updated using the “Change Version” option.