EDR Policies
Endpoint Detection and Response (EDR) policies configure Microsoft Defender for Endpoint onboarding and telemetry settings. Deploy EDR policies through Intune to enable advanced threat detection.
Onboarding Configuration
Windows
| Setting | Description |
|---|---|
| Onboarding Package | Auto-deployed through Intune |
| Sample Sharing | All / Safe only / None |
| Telemetry Frequency | Normal / Expedited |
| Offboarding | Remove from MDE monitoring |
macOS
- Onboarding blob via configuration profile
- Sample sharing through preference file
- Network protection for web content filtering
Linux
- Script-based onboarding
- Managed configuration
- Detection and response telemetry
Creating an EDR Policy
- Navigate to Endpoint Security, then EDR
- Select target platform
- Configure onboarding settings
- Set sample sharing preferences
- Configure telemetry level
- Assign to device groups
Sample Submission Settings
| Setting | Description |
|---|---|
| Send all samples | Maximum coverage |
| Send safe samples | Non-personal files only |
| Always prompt | User approval required |
| Never send | No samples submitted |
Offboarding
Offboarding removes a device from MDE monitoring. Deploy an offboarding profile to the device; once it applies, the device stops sending telemetry to MDE, while the historical data already collected is retained.
Status Monitoring
- Onboarded — Actively reporting to MDE
- Pending — Onboarding in progress
- Failed — Onboarding failed
- Offboarded — Removed from monitoring
- Not Configured — No EDR policy assigned
Best Practices
- Onboard all managed devices
- Use expedited telemetry during investigations
- Enable automatic sample submission
- Monitor for failed onboarding
- Combine with compliance policies using MDE risk signals
API Reference
- GET /api/devices/security/edr/status — Get onboarding status
- POST /api/devices/security/edr/policies — Create EDR policy
- GET /api/devices/security/edr/policies/:id/status — Get deployment status
- POST /api/devices/security/edr/offboard — Deploy offboarding
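The following Python script is an added example, not code from this documentation or its product. It walks the "Creating an EDR Policy" steps and the "Monitor for failed onboarding" best practice against the endpoints listed above: it validates the chosen sample-sharing and telemetry values against the settings tables, builds a policy request, and summarises onboarding status so that Failed and Not Configured devices are surfaced. The request and response field names (name, platform, sampleSharing, telemetryFrequency, assignments, deviceId, status, deviceIds) and the bearer-token authentication are assumptions for illustration; the real schema is not documented on this page. The sample status records are constructed, and the transport is injectable so the script runs offline.

```python
import json
import urllib.request
from collections import Counter

# Allowed values come from the settings tables on this page. The JSON field
# names used below are an assumption, not the documented request schema.
SAMPLE_SHARING = {"All", "Safe only", "None"}
TELEMETRY = {"Normal", "Expedited"}
PLATFORMS = {"windows", "macos", "linux"}

# Statuses from the "Status Monitoring" section that need operator follow-up.
ATTENTION_STATUSES = {"Failed", "Not Configured"}


def build_edr_policy(name, platform, sample_sharing, telemetry, groups):
    """Validate inputs against the documented choices and build the request body."""
    if platform not in PLATFORMS:
        raise ValueError(f"unsupported platform: {platform}")
    if sample_sharing not in SAMPLE_SHARING:
        raise ValueError(f"invalid sample sharing setting: {sample_sharing}")
    if telemetry not in TELEMETRY:
        raise ValueError(f"invalid telemetry frequency: {telemetry}")
    if not groups:
        raise ValueError("a policy must be assigned to at least one device group")
    return {
        "name": name,
        "platform": platform,
        "sampleSharing": sample_sharing,
        "telemetryFrequency": telemetry,
        "assignments": list(groups),
    }


class EdrClient:
    """Thin wrapper over the four endpoints listed under 'API Reference'.

    `send(method, path, body)` is injectable so calls can be exercised without
    a network; the default performs an HTTPS request with an assumed bearer token.
    """

    def __init__(self, base_url, token, send=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.send = send or self._http_send

    def _http_send(self, method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def get_status(self):
        return self.send("GET", "/api/devices/security/edr/status", None)

    def create_policy(self, policy):
        return self.send("POST", "/api/devices/security/edr/policies", policy)

    def deployment_status(self, policy_id):
        return self.send("GET", f"/api/devices/security/edr/policies/{policy_id}/status", None)

    def offboard(self, device_ids):
        # Offboarded devices stop sending telemetry; historical data is retained.
        return self.send("POST", "/api/devices/security/edr/offboard", {"deviceIds": list(device_ids)})


def summarize_onboarding(records):
    """Count devices per onboarding state and list the ones needing follow-up."""
    counts = Counter(r["status"] for r in records)
    needs_attention = sorted(r["deviceId"] for r in records if r["status"] in ATTENTION_STATUSES)
    return dict(counts), needs_attention


# Constructed sample records; the real shape of the status response is not
# documented here, so these only illustrate the summary logic.
SAMPLE_STATUS = [
    {"deviceId": "WS-001", "status": "Onboarded"},
    {"deviceId": "WS-002", "status": "Failed"},
    {"deviceId": "MAC-010", "status": "Pending"},
    {"deviceId": "LNX-020", "status": "Not Configured"},
    {"deviceId": "WS-003", "status": "Onboarded"},
]


def fake_send(method, path, body):
    """Offline stand-in for the HTTP transport, used by the demo below."""
    if path.endswith("/edr/status"):
        return SAMPLE_STATUS
    if path.endswith("/edr/policies"):
        return {"id": "policy-123", **body}
    return {"ok": True, "path": path, "body": body}


if __name__ == "__main__":
    client = EdrClient("https://intune-proxy.example", "TOKEN_PLACEHOLDER", send=fake_send)
    policy = build_edr_policy("Windows EDR baseline", "windows", "Safe only", "Expedited", ["All workstations"])
    created = client.create_policy(policy)
    counts, attention = summarize_onboarding(client.get_status())
    print("created policy", created["id"])
    print("status counts:", counts)
    print("needs attention:", attention)
```

Replacing `fake_send` with the default transport points the same calls at a live API. The validation in `build_edr_policy` rejects values outside the documented choices before anything is sent, and `summarize_onboarding` is the piece to schedule if you want failed or unconfigured devices reported regularly rather than discovered during an investigation.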