Deploy Microsoft Defender ATP Baseline with Intune (no Defender ATP license required!)

Question: Can you deploy the Defender ATP baseline in Intune without a license for Microsoft Defender for Endpoint (formerly Defender Advanced Threat Protection)?

Answer: Yes!

In our last blog post, Configure Microsoft Defender Antivirus with Intune, we talked about how even though Defender Antivirus is a component of Defender for Endpoint, it doesn’t require the additional license to configure Antivirus. Defender for Endpoint, when configured, provides additional functionality on top of Defender Antivirus. So if you’ve ever thought about deploying the Defender ATP Baseline with Intune, but didn’t have the ATP/Defender for Endpoint license, you can! Let’s go over the process.

First, I’ll prove that I don’t have Defender for Endpoint enabled by heading to securitycenter.windows.com:

[Screenshot: No Defender for Endpoint subscription]

For extra proof, the Setup section of the Endpoint security pane in the Microsoft Endpoint Manager admin center also shows the connection as unavailable:

[Screenshot: Microsoft Defender ATP connection unavailable]

Now we’re good to start. First, head over to the Microsoft Endpoint Manager admin center and click Endpoint security > Security baselines > Microsoft Defender ATP Baseline:

[Screenshot: Security baselines pane]

Then click + Create profile:

[Screenshot: Create Defender ATP baseline profile]

Provide a name for the profile, and then click Next. Per the docs article, the configuration settings on the next pane “represent the recommended configuration for ATP.” Unless there is a business requirement otherwise, I would leave these settings as default and click Next.

[Screenshot: Defender ATP Baseline settings]

Then assign the profile to the groups you want to target, and click Create!

[Screenshot: Defender ATP Assignments]
[Screenshot: Create Defender ATP profile]

And that’s it! Once the device has synced, you’ll see that the settings have applied in both the Settings app and Windows Security app:

[Screenshot: Intune settings applied]
[Screenshot: Windows Security settings managed]

In the portal, we will see that the Defender ATP baseline profile has succeeded:

We can also verify that the baseline has applied by heading to Devices > Device name; under Endpoint security configuration we can see the profile:

[Screenshot: Microsoft Defender ATP baseline applied]

Then, if we click the profile, we can see the success state of each setting for this device:

[Screenshot: Defender ATP Settings state]
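The portal view above shows what Intune believes was applied. To confirm the same thing from the endpoint itself, the PowerShell below is an added example (not code from the original post or from Microsoft) that reads the local Defender Antivirus state with the built-in Get-MpComputerStatus and Get-MpPreference cmdlets and checks whether MDM-delivered Defender policy has been cached on the device. The list of properties it inspects and the thresholds it flags are my own choices, not the official contents of the Defender ATP baseline, and the PolicyManager registry path is assumed to be present on an Intune-enrolled Windows 10 device.

```powershell
# Added example: local verification of Defender Antivirus state on an
# Intune-managed device. Assumes Windows 10 with the Defender PowerShell
# module; run in an elevated session.

function Get-DefenderBaselineCheck {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Core antivirus engine state (from Get-MpComputerStatus)
    $checks = [ordered]@{
        'AntivirusEnabled'          = $status.AntivirusEnabled
        'RealTimeProtectionEnabled' = $status.RealTimeProtectionEnabled
        'BehaviorMonitorEnabled'    = $status.BehaviorMonitorEnabled
        'IoavProtectionEnabled'     = $status.IoavProtectionEnabled
        'OnAccessProtectionEnabled' = $status.OnAccessProtectionEnabled
        'IsTamperProtected'         = $status.IsTamperProtected
        'SignatureAgeDays'          = $status.AntivirusSignatureAge
    }

    # Preferences a managed baseline commonly sets (from Get-MpPreference)
    $checks['MAPSReporting']             = $pref.MAPSReporting        # 0 = off, 1 = basic, 2 = advanced
    $checks['SubmitSamplesConsent']      = $pref.SubmitSamplesConsent
    $checks['PUAProtection']             = $pref.PUAProtection        # 0 = off, 1 = block, 2 = audit
    $checks['DisableRealtimeMonitoring'] = $pref.DisableRealtimeMonitoring

    # Policy delivered through MDM/Intune is cached under PolicyManager.
    # A Defender area here shows the device received Defender policy from MDM.
    # (Assumed path; adjust if your build stores it elsewhere.)
    $mdmDefender = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'
    $checks['MdmDefenderPolicyPresent'] = Test-Path $mdmDefender
    $checks['MdmDefenderPolicyCount']   = 0
    if (Test-Path $mdmDefender) {
        $props = (Get-ItemProperty -Path $mdmDefender).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }
        $checks['MdmDefenderPolicyCount'] = @($props).Count
    }

    [PSCustomObject]$checks
}

# Findings worth investigating on a device that should be under the baseline
function Get-DefenderBaselineFindings {
    $c = Get-DefenderBaselineCheck
    $findings = @()
    if (-not $c.AntivirusEnabled)          { $findings += 'Antivirus is disabled' }
    if (-not $c.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if (-not $c.IsTamperProtected)         { $findings += 'Tamper protection is off' }
    if ($c.MAPSReporting -eq 0)            { $findings += 'Cloud-delivered protection is off' }
    if ($c.SignatureAgeDays -gt 1)         { $findings += "Signatures are $($c.SignatureAgeDays) day(s) old" }
    if (-not $c.MdmDefenderPolicyPresent)  { $findings += 'No MDM Defender policy cached; the baseline may not have synced yet' }
    $findings
}

Get-DefenderBaselineCheck | Format-List
$f = Get-DefenderBaselineFindings
if ($f) { $f | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings' }
```

If a device shows the profile as succeeded in the portal but this script reports missing MDM policy or disabled protection, a sync from Settings > Accounts > Access work or school (or from the device page in the admin center) is the first thing to try before digging further.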

Happy securing! 🤖

2 Responses

  1. Jvldn says:

    Why did you create a new policy instead of assigning the default baseline policy? Was it only for testing purposes? I guess you will not receive any new versions if you’re creating your own baseline policy.

    • Janusz says:

      As far as I know, there is no default baseline policy to assign. A baseline must be incorporated into a profile to be able to target users. Let me know if I missed this somewhere, happy to update this post with more info. The baseline associated with a profile can also be updated using the “Change Version” option.
