Microsoft Defender for Business provides holistic security for multiple operating systems. Built-in intelligence ensures immediate detection, defense and response to current threats such as ransomware, malware or phishing. Microsoft Defender for Business is suitable for companies with up to 300 employees.

The rollout of this software within an Active Directory domain is very simple. Here is a step-by-step guide on how to perform the rollout with default settings.

Highlights from Microsoft Defender for Business:

  • Automated threat investigation and recovery
  • Threat intelligence from Microsoft security experts
  • Cross-platform functions

Prerequisites and Licensing

Microsoft Defender for Business requires one of the following licenses:

  • Microsoft Defender for Business Standalone
  • Microsoft 365 Business Premium

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.

A maximum of 300 users can be protected with Microsoft Defender for Business.

Basic configuration

Microsoft Defender for Business is managed through the Microsoft Security Portal. The portal https://security.microsoft.com is available for configuration.

Select “Endpoints” > “Device inventory” to begin the onboarding process.

Specify users or groups from Azure Active Directory who will have access to Microsoft Defender for Business.

There are two roles available for access:

  • Security Administrators
    can view security information and security reports and manage security settings
  • Security Readers
    can view security information and security reports

Next, set up email notifications.

There are two notification types available:

  • Alerts
    Email is sent when an alert of any type is triggered on devices
  • Vulnerabilities
    Email is sent when certain vulnerability events occur

In this tutorial, Microsoft Defender for Business is configured on the devices via Active Directory Group Policies (GPO). The required onboarding package is downloaded in this step.

Microsoft Defender for Business provides a default configuration for the security settings. This default configuration can be adapted to your own needs at a later stage and before the rollout to the clients.

Finally, the settings are displayed again and can be confirmed with “Submit”. After a few minutes, the configuration of Microsoft Defender for Business is complete.


Windows Firewall Configuration

With the default configuration, the Windows Firewall is enabled for incoming connections.

Select “Endpoint” > “Device Configuration” > “Firewall” to adapt the configuration to your own security guidelines.

“Device Groups” can be used to apply different configurations to different groups of devices. In the default configuration, the same configuration is rolled out to all devices.

The behavior of the firewall is configured in the “Configuration Settings”.
All incoming connections are rejected (1). If further settings are necessary, they can be added as “Custom rules” (2).

The configuration is now shown again for review and can be activated with “Update Policy”.

Next-Generation Protection (NGP)

In the Next-Generation Protection (NGP) policy, the behavior of Microsoft Defender on the clients is configured.

Select “Endpoint” > “Device Configuration” > “Next Generation Protection” to adapt the configuration to your own security guidelines.

“Device Groups” can be used to apply different configurations to different groups of devices. In the default configuration, the same configuration is rolled out to all devices.

The configuration settings meet most requirements by default. It is recommended to activate “Use low performance” (1) so that scans run in the background with limited resource usage, which avoids performance problems on the clients.

The exclusion list (2) for processes, file extensions, files and paths can be edited here.

The configuration is now shown again for review and can be activated with “Update Policy”.

Onboarding with Group Policy (GPO)

In this tutorial, the devices are enrolled to Microsoft Defender for Business through a group policy.

The necessary script is included in the previously downloaded package “WindowsDefenderATPOnboardingPackage.zip”.

The unzipped script “WindowsDefenderATPOnboardingScript.cmd” is rolled out to all clients via a scheduled task.

Create the group policy “Defender_for_Business”, go to “Computer Configuration” > “Preferences” > “Control Panel Settings” and select “Scheduled Tasks”.

Assign a meaningful name to the task (1) and enable “Run whether user is logged on or not” (2).

Switch to the “Action” tab and select “New”.

Specify the UNC path to the “WindowsDefenderATPOnboardingScript.cmd” file.

Save the Group Policy Object (GPO) and link it to all organizational units that contain clients which should be managed with Microsoft Defender for Business.

The script “WindowsDefenderATPOnboardingScript.cmd” is now executed on each client via the task scheduler.

About 12 hours later, the clients appear in the portal https://security.microsoft.com and are inventoried.
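The following PowerShell script is an added example and not part of the original tutorial or of Microsoft's onboarding package. It is a read-only check to run on a client after the scheduled task has executed, reporting the state that the Firewall policy, the Next-Generation Protection policy and the onboarding script above control. The function names (Get-Dfb*) are invented for this example; the cmdlets, the “Sense” service and the OnboardingState registry value are the ones Microsoft documents.

```powershell
# Added example: verify the Defender for Business rollout on one client.
# Run from an elevated PowerShell prompt. Nothing is changed, only reported.

function Get-DfbFirewallState {
    # Expected Defender for Business default: firewall enabled, inbound connections blocked
    Get-NetFirewallProfile | ForEach-Object {
        $enabled = ("$($_.Enabled)" -eq 'True')
        $inbound = "$($_.DefaultInboundAction)"
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = $enabled
            InboundDefault = $inbound
            Compliant      = ($enabled -and $inbound -eq 'Block')
        }
    }
}

function Get-DfbProtectionState {
    # Mirrors the NGP policy: real-time protection, signature age, scan CPU limit and exclusions
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        SignatureAgeDays    = ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days
        ScanCpuLoadLimitPct = $pref.ScanAvgCPULoadFactor   # lower value = less impact on the user
        ExclusionPaths      = @($pref.ExclusionPath)       # review regularly: every exclusion is a blind spot
        ExclusionExtensions = @($pref.ExclusionExtension)
        ExclusionProcesses  = @($pref.ExclusionProcess)
    }
}

function Get-DfbOnboardingState {
    # OnboardingState = 1 plus a running "Sense" service means the onboarding script succeeded
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $key -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus = 'not installed'
    if ($sense) { $senseStatus = "$($sense.Status)" }
    [pscustomobject]@{
        OnboardingState = $state        # $null = script has not run yet on this client; 1 = onboarded
        SenseService    = $senseStatus
        Onboarded       = ($state -eq 1 -and $senseStatus -eq 'Running')
    }
}

Get-DfbFirewallState   | Format-Table -AutoSize
Get-DfbProtectionState | Format-List
Get-DfbOnboardingState | Format-List
```

A client that reports Onboarded = False more than 12 hours after the GPO was linked usually has not run the scheduled task yet; check the task history in Task Scheduler and the GPO link on that client's organizational unit.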
