- Onboard Windows devices through the Intune connector with auto-onboarding.
- Set next-generation antivirus and EDR policies in Intune.
- Audit attack-surface-reduction rules for a week before flipping them to Block.
- Read incidents, isolate compromised devices, and retire old antivirus.
If you own IT for a small company and you have Microsoft 365 Business Premium or standalone Defender for Business, you already have a capable endpoint protection platform sitting in your tenant. This guide walks you through turning it on, end to end. By the time you finish, you'll have Windows devices onboarded, next-generation antivirus and endpoint detection and response (EDR) policies in place, attack surface reduction (ASR) rules running, and you'll know how to read an alert, isolate a compromised device, and retire the antivirus you're replacing.
We'll work mostly in two places: the Microsoft Defender portal (security.microsoft.com) and the Microsoft Intune admin center (intune.microsoft.com). Both are included with Business Premium.
Before you start
- A Microsoft 365 Business Premium license, or standalone Defender for Business, assigned to the users whose devices you'll protect.
- A Global Administrator or Security Administrator role for the initial setup.
- Windows 10 or Windows 11 devices that are Microsoft Entra joined or hybrid joined and enrolled in Intune. Standalone Defender for Business does not include Intune, so if that's you, you'll onboard with the downloadable package or Group Policy instead.
- A list of the devices you expect to see, so you can confirm they all check in.
If you bought Business Premium, use Intune to onboard and to manage policy. It's the path Microsoft supports best, and it keeps every device under one set of rules instead of per-machine settings you'll forget about later.
Step 1: Run the Defender for Business setup wizard
- Go to security.microsoft.com and sign in.
- The first time you open the portal, a setup wizard offers to walk you through assigning users, onboarding devices, and configuring security settings. If you see it, take it. If you don't, the same actions live under Settings > Endpoints.
- Confirm your users are assigned, then continue to onboarding.
Step 2: Connect Intune and onboard Windows devices
For Business Premium tenants, onboarding flows through Intune.
- In the Defender portal, go to Settings > Endpoints > Onboarding.
- Set Operating system to Windows 10 and 11 and Deployment method to Mobile Device Management / Microsoft Intune.
- Open the Intune admin center at intune.microsoft.com in a second tab. Go to Endpoint security > Microsoft Defender for Endpoint and confirm the connection status reads Enabled. If it doesn't, toggle the connector on, then save.
- Still in Intune, create the onboarding policy: Endpoint security > Endpoint detection and response > Create Policy. Choose Windows as the platform and Endpoint detection and response as the profile.
- For Microsoft Defender for Endpoint client configuration package type, choose Auto from connector. This pulls the onboarding package straight from Defender so you don't have to handle a file.
- Assign the policy to a device group that contains your Windows machines, then create it.
If you're on standalone Defender for Business without Intune, instead go to Settings > Endpoints > Onboarding, set the deployment method to Local Script (for up to 10 devices) or Group Policy, download the package, and run it on each device.
Step 3: Confirm devices are reporting
Onboarding isn't instant. Devices need to check in and report.
- Back in the Defender portal, go to Assets > Devices.
- Within an hour or two, your onboarded machines appear with an Onboarding status of Onboarded and a recent Last seen time.
- If a device is missing, confirm it's enrolled in Intune and that the onboarding policy applies to its group.
Step 4: Set next-generation antivirus policy
- In Intune, go to Endpoint security > Antivirus > Create Policy.
- Choose Windows and the Microsoft Defender Antivirus profile.
- Turn on real-time protection, cloud-delivered protection, and automatic sample submission. Set a regular scan schedule and enable cloud protection at a high block level.
- Assign to your Windows device group and create.
Step 5: Turn on attack surface reduction rules
ASR rules block common attack techniques, like Office apps spawning child processes or scripts launching downloaded executables. These must be configured in Intune.
- Go to Endpoint security > Attack surface reduction > Create Policy.
- Choose Windows and the Attack surface reduction rules profile.
- Start by setting the high-value rules to Audit rather than Block for the first week. Audit logs what would have been blocked without disrupting anyone.
- Review the audit data in the Defender portal under Reports, then flip the rules that show no false positives to Block.
- Assign and create.
Going straight to Block on every ASR rule is the fastest way to break a line-of-business app and get a flood of help tickets. Audit first, watch for a week, then enforce. It's slower, and it saves you a bad Monday.
Step 6: Read and act on your first alert
- In the Defender portal, go to Incidents & alerts > Incidents. Defender groups related alerts into a single incident so you see the whole story, not one line at a time.
- Open an incident to see the affected device, the user, the attack technique, and a timeline of what happened.
- Read the recommended actions. For many incidents, Defender can take automated remediation on its own; for others, you'll quarantine a file, run a scan, or investigate the device.
- When you've handled it, set the incident status to Resolved and add a short classification (true positive, false positive, or informational) so your reporting stays clean.
Step 7: Isolate a compromised device
If a device looks actively compromised, cut it off from the network while keeping your connection to it for investigation.
- In Assets > Devices, open the affected device.
- From the action bar at the top of the device page, choose Isolate device.
- Add a comment for the record, then confirm. The device loses network access except its link back to Defender.
- When the investigation is done, return to the device and choose Release from isolation.
Step 8: Retire your old antivirus
If you're replacing a third-party antivirus, don't run two real-time engines at once. They fight, and they slow machines down.
- Confirm the device shows Onboarded and that Microsoft Defender Antivirus is active. When a third-party AV is present, Defender runs in passive mode; once you remove the other product, Defender takes over as the active engine.
- Uninstall the third-party agent through its own removal tool or through Intune, ideally during a maintenance window.
- Reboot, then confirm in the Defender portal that the device reports Microsoft Defender Antivirus as active and protected.
- Time the uninstall to your old contract's wind-down so you're never paying for two products or running with a coverage gap.
Verify it
Run the standard Defender test on one onboarded device: open an admin command prompt and trigger the EICAR test detection (a harmless industry-standard test file). Within a few minutes you should see a corresponding alert appear under Incidents & alerts. If it shows up, your pipeline from device to portal is working.
What to do next
Once the basics are running, schedule a recurring look at the Vulnerability management dashboard to catch unpatched software, and set up email notifications so the right person hears about high-severity incidents without having to live in the portal. From here, tuning ASR rules and reviewing incidents becomes a steady monthly rhythm rather than a one-time project.