Setting Up Microsoft Defender for Business (Step-by-Step)
A practical guide to deploying Microsoft Defender for Business across your organisation. Covers onboarding devices, configuring policies, and monitoring threats.
Overview
Microsoft Defender for Business is an endpoint security solution built specifically for small and medium businesses (up to 300 users). It includes endpoint detection and response (EDR), automated investigation, threat and vulnerability management, and attack surface reduction — capabilities that previously required an E5 licence.
Defender for Business is included with Microsoft 365 Business Premium or available as a standalone add-on.
Prerequisites
- Microsoft 365 Business Premium, E3 + Defender for Business add-on, or E5 licence
- Global Admin or Security Admin role
- Devices running Windows 10/11 Pro, Enterprise, or Education
- macOS, iOS, and Android are also supported
Step 1: Open the Setup Wizard
- Go to security.microsoft.com (Microsoft Defender XDR portal)
- If this is your first time, the Setup wizard will launch automatically
- If not, go to Settings > Endpoints > Onboarding
The wizard walks through:
- Assigning user permissions
- Setting up email notifications for alerts
- Onboarding your first devices
Step 2: Onboard Devices
Windows devices via Intune (recommended)
If your devices are enrolled in Intune, onboarding is automatic:
- Go to intune.microsoft.com > Endpoint security > Microsoft Defender for Endpoint
- Toggle Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations to On
- Toggle Connect Windows devices to On
- Devices will onboard automatically within hours
Windows devices via local script (for non-Intune environments)
- Go to security.microsoft.com > Settings > Endpoints > Onboarding
- Select Local Script as the deployment method
- Download the onboarding package
- Run on each device as Administrator:
```powershell
# Extract the onboarding package and run the local onboarding script (elevated)
Expand-Archive -Path "WindowsDefenderATPOnboardingPackage.zip" -DestinationPath "C:\Temp\MDE"
& "C:\Temp\MDE\WindowsDefenderATPLocalOnboardingScript.cmd"
```
Verify onboarding
```powershell
# Check the Defender for Endpoint sensor service status
Get-Service -Name "Sense" | Select-Object Status, StartType
# Should show: Running, Automatic
```
Or check in the portal: security.microsoft.com > Assets > Devices — the device should appear within 5-10 minutes.
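A fuller onboarding check, added here as an example and not part of the original guide: besides the Sense service it reads the sensor's OnboardingState registry value and the Defender antimalware status, and prints a pass/fail line per check. It assumes it is run as Administrator on the onboarded Windows device.

```powershell
# Added example (not from the original article): one-shot onboarding check that
# goes beyond the Sense service status. Run as Administrator on the device.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
$onboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
$mp = Get-MpComputerStatus

# Each entry is a check name and a boolean; OnboardingState 1 means the sensor
# has completed onboarding to the tenant.
$checks = [ordered]@{
    'Sense service running'        = ($sense -and $sense.Status -eq 'Running')
    'Sense start type Automatic'   = ($sense -and $sense.StartType -eq 'Automatic')
    'OnboardingState = 1'          = ($onboardingState -eq 1)
    'Antimalware service enabled'  = [bool]$mp.AMServiceEnabled
    'Real-time protection enabled' = [bool]$mp.RealTimeProtectionEnabled
    'Signatures < 3 days old'      = ($mp.AntivirusSignatureAge -lt 3)
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = if ($_.Value) { 'PASS' } else { 'FAIL' } }
} | Format-Table -AutoSize

if ($checks.Values -contains $false) {
    Write-Warning 'One or more onboarding checks failed; see the Troubleshooting section.'
}
```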
macOS devices
- In the Defender portal, go to Settings > Endpoints > Onboarding
- Select macOS as the operating system
- Download the onboarding package
- Deploy via Intune or install manually using the .pkg installer
Mobile devices (iOS / Android)
Deploy Microsoft Defender via Intune app deployment:
- Go to intune.microsoft.com > Apps > All apps > Add
- Select Microsoft Defender for the appropriate platform
- Assign to your user groups
Step 3: Configure Security Policies
Default policies (automatic)
Defender for Business comes with pre-configured policies that are suitable for most SMBs:
| Policy | What It Does | Default |
|---|---|---|
| Next-generation protection | Real-time antivirus, cloud protection, behaviour monitoring | Enabled |
| Firewall protection | Windows Firewall rules for all profiles | Enabled |
| Attack surface reduction | Blocks common attack techniques (Office macros, scripts, etc.) | Audit mode |
| Endpoint detection and response | Continuous monitoring for advanced threats | Enabled |
Customise policies
To adjust policies:
- Go to security.microsoft.com > Endpoints > Configuration management > Device configuration
- Click the policy you want to edit
- Common adjustments:
- Move ASR rules from Audit to Block after reviewing audit results for 1-2 weeks
- Add folder exclusions for line-of-business applications that trigger false positives
- Adjust scan schedules to run outside business hours
Do not disable cloud-delivered protection or tamper protection. These are critical for detecting zero-day threats and preventing malware from turning off Defender.
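The ASR audit review and the "never disable" settings above, as an added example that is not from the original guide: the script lists each ASR rule's current action, summarises audit-mode (event 1122) and block-mode (event 1121) hits from the Defender operational log over the review window, and confirms cloud-delivered protection and tamper protection are still on. It assumes it is run as Administrator on an onboarded Windows device; the EventData field names `ID` and `Path` used to parse the events are an assumption.

```powershell
# Added example (not from the original article): summarise ASR audit/block events
# and confirm that cloud protection and tamper protection are still on.
# Assumes it is run as Administrator on an onboarded Windows device.
$days = 14   # review window suggested by the article before moving Audit -> Block
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Current ASR rule configuration (rule GUIDs as reported by Get-MpPreference)
$pref = Get-MpPreference
$rules = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }
}

# 2. ASR events: 1122 = rule fired in audit mode, 1121 = rule fired in block mode
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
             Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the rule ID and the path that triggered it out of each event's XML payload.
# (EventData names 'ID' and 'Path' are an assumption; adjust if your events differ.)
$hits = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Mode   = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId = ($data | Where-Object Name -eq 'ID').'#text'
        Path   = ($data | Where-Object Name -eq 'Path').'#text'
        Time   = $e.TimeCreated
    }
}

# 3. Per rule: how often it fired and the top paths. Audit-mode rules with no
#    hits in the window are the safe candidates to move to Block first.
$summary = foreach ($r in $rules) {
    $h = @($hits | Where-Object RuleId -eq $r.RuleId)
    [pscustomobject]@{
        RuleId   = $r.RuleId
        Action   = $r.Action
        Hits     = $h.Count
        TopPaths = ($h | Group-Object Path | Sort-Object Count -Descending |
                    Select-Object -First 3 -ExpandProperty Name) -join '; '
    }
}
$summary | Sort-Object Hits -Descending | Format-Table -AutoSize

# 4. The two settings the article says never to disable
$status = Get-MpComputerStatus
[pscustomobject]@{
    CloudProtection  = if ($pref.MAPSReporting -ne 0) { 'On' } else { 'OFF - fix this' }
    TamperProtection = if ($status.IsTamperProtected) { 'On' } else { 'OFF - fix this' }
} | Format-List
```

Rules with hits against line-of-business paths are the ones to give exclusions (or keep in Audit) before switching to Block.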
Step 4: Configure Alerts and Notifications
- Go to security.microsoft.com > Settings > Endpoints > Email notifications
- Click Add notification rule
- Configure:
- Name: Critical Alerts — IT Team
- Severity: High and Critical
- Recipients: your IT team email or distribution group
- Also configure alerts in Settings > Endpoints > Alert notifications for specific detection categories
Step 5: Review the Security Dashboard
After onboarding devices, your main monitoring views are:
Threat and Vulnerability Management
security.microsoft.com > Vulnerability management > Dashboard
This shows:
- Exposure score — how vulnerable your environment is (lower is better)
- Microsoft Secure Score for Devices — how well your devices are configured
- Top security recommendations — prioritised actions to reduce risk
- Vulnerable software — applications with known CVEs installed on your devices
Incidents and Alerts
security.microsoft.com > Incidents & alerts
This shows correlated security events. Each incident groups related alerts, affected devices, and users into a single investigation view. Defender automatically investigates many alerts and takes remediation actions.
Device Inventory
security.microsoft.com > Assets > Devices
Shows all onboarded devices with their:
- Risk level (High, Medium, Low)
- Exposure level
- OS version and health status
- Last seen timestamp
Step 6: Enable Automated Investigation and Response
Defender for Business includes automated investigation that can quarantine files, block malicious processes, and remediate threats without manual intervention.
- Go to security.microsoft.com > Settings > Endpoints > Advanced features
- Ensure Automated Investigation is set to On
- Set the automation level to "Full - remediate threats automatically" (the right choice for most environments)
Full automation is recommended for SMBs because most businesses do not have a dedicated SOC team to manually triage every alert. Defender's automated investigation resolves the majority of common threats correctly.
Monitoring Checklist (Weekly)
| Task | Where | What to Look For |
|---|---|---|
| Review incidents | Incidents & alerts | Any High/Critical incidents not auto-resolved |
| Check device health | Assets > Devices | Devices showing as "Inactive" or "Misconfigured" |
| Review recommendations | Vulnerability management | Top 5 recommendations, especially critical CVEs |
| Check Secure Score | Vulnerability management > Dashboard | Score trending up, not down |
| Review web content filtering | Reports > Web protection | Blocked categories and URLs |
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| Device not appearing in portal | Onboarding not complete or Sense service stopped | Re-run onboarding script, check Get-Service Sense |
| "Onboarding failed" error | Proxy blocking communication to Microsoft endpoints | Allow *.securitycenter.windows.com and *.endpoint.security.microsoft.com |
| High number of false positives | ASR rules or antivirus flagging legitimate apps | Add exclusions for specific apps/paths in the policy |
| Automated remediation not working | Automation level set to "No automated response" | Change to "Full" in Settings > Advanced features |
| macOS device shows "No sensor data" | Defender not granted Full Disk Access | Grant in System Settings > Privacy & Security > Full Disk Access |
Next Steps
- Enable web content filtering to block malicious and inappropriate websites
- Configure device groups to apply different policies to different teams
- Integrate with Microsoft Sentinel for advanced SIEM capabilities (larger organisations)
- Review the Secure Score recommendations monthly and implement the top priorities