How to Configure Microsoft Defender for Business

May 9, 2025 · 7 min · Korur Security Team

Microsoft Defender for Business brings enterprise-grade endpoint detection and response (EDR) to organizations with up to 300 users, and it is included with Microsoft 365 Business Premium (it can also be licensed on its own). Configured properly, it combines next-generation antivirus with behaviour-based detection, attack surface reduction, automated investigation and response, and centralized reporting in a single portal.

Step 1: Access the Defender portal

Open https://security.microsoft.com and run the guided setup wizard on first use. It walks you through assigning roles, configuring email notifications for alerts, and choosing your onboarding method. Take the time to set notification recipients to a mailbox someone actually monitors (a shared security mailbox rather than one person's inbox) so alerts reach a human.

Step 2: Onboard your devices

Windows devices that are already enrolled in Intune can be onboarded automatically from the setup wizard. For everything else, deploy the onboarding package via Group Policy or Intune, or run the local onboarding script on the device itself. Confirm each device appears in the Device inventory with an onboarding status of "Onboarded" before moving on: a device that is Entra-joined but not onboarded is visible to Intune, not to Defender, and no policy you write later will cover it. Once a device shows as onboarded, run Microsoft's documented EDR detection test on it to confirm an alert actually arrives in the portal.

Step 3: Configure the security policies

Under Endpoints → Configuration management → Device configuration, review the next-generation protection and firewall policies. Enable real-time protection, behaviour monitoring, cloud-delivered protection, and automatic sample submission. Turn on tamper protection so neither malware nor a local administrator can disable Defender from the endpoint. Note that once tamper protection is on, these settings can only be changed through the portal policy; local changes via Set-MpPreference or the Windows Security app are ignored, which is exactly the point.

Step 4: Enable attack surface reduction rules

Attack surface reduction (ASR) rules block common malware behaviours such as Office apps spawning child processes or scripts launching downloaded executables. Deploy them in audit mode first, review what would have been blocked (the portal's attack surface reduction report, or the Microsoft-Windows-Windows Defender/Operational event log, where ID 1122 is an audit hit and ID 1121 a block), add exclusions for legitimate line-of-business software that trips a rule, then switch the rules that produced no false positives to block mode. Microsoft's "standard protection" rules (block credential stealing from LSASS, block abuse of exploited vulnerable signed drivers, block persistence through WMI event subscription) are low-risk enough that most organizations enable them in block mode straight away.

Step 5: Set automated investigation and response

Configure the automation level per device group (Settings → Endpoints → Device groups) so Defender can investigate alerts and remediate threats without waiting for a human. For small teams without a dedicated SOC, "Full - remediate threats automatically", which is the default in Defender for Business, dramatically reduces dwell time. Every automated action is recorded in the Action center, where it can be reviewed and, if it hit something legitimate, undone.
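The endpoint-side checks from Steps 2 to 4, as an added example that is not part of the original post and not Microsoft's code: a PowerShell audit you run in an elevated session on one Windows 10/11 device to confirm the sensor is onboarded, the Step 3 settings are actually in effect, and the Step 4 rules are in audit mode, with an -EnforceAsr switch (a name chosen here) that promotes them to block. The cmdlets ship with Windows; the registry path, event IDs and rule GUIDs are Microsoft's published identifiers. Assumption stated in the code: on a device where the portal or Intune policy manages these settings, local Add-MpPreference changes are overwritten on the next policy sync, so the enforcement part is a lab and validation aid, not a substitute for the portal policy.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not code from the original post or from Microsoft).
  Audits the endpoint-side configuration from Steps 2 to 4 on one device.
  Assumptions: run in an elevated PowerShell on an onboarded Windows 10/11
  device; where the portal/Intune policy manages these settings, local
  Add-MpPreference changes are overwritten on the next policy sync.
#>
param([switch]$EnforceAsr)   # hypothetical switch: promote ASR rules from audit to block

# --- Step 2: is the EDR sensor onboarded? --------------------------------
$sensePath = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$sense     = Get-ItemProperty -Path $sensePath -ErrorAction SilentlyContinue
$svc       = Get-Service -Name Sense -ErrorAction SilentlyContinue
$onboarded = ($sense.OnboardingState -eq 1) -and ($svc.Status -eq 'Running')
"[{0}] EDR sensor onboarded (OnboardingState=1, Sense service running)" -f `
    $(if ($onboarded) { 'PASS' } else { 'FAIL' })

# --- Step 3: next-generation protection settings -------------------------
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$checks = [ordered]@{
    'Real-time protection enabled'        = $status.RealTimeProtectionEnabled
    'Behaviour monitoring enabled'        = $status.BehaviorMonitorEnabled
    'Tamper protection enabled'           = $status.IsTamperProtected
    'Cloud-delivered protection (MAPS=2)' = ($pref.MAPSReporting -eq 2)           # 0 off, 1 basic, 2 advanced
    'Sample submission (1=safe, 3=all)'   = ($pref.SubmitSamplesConsent -in 1, 3)  # 0 prompt, 2 never send
}
foreach ($c in $checks.GetEnumerator()) {
    "[{0}] {1}" -f $(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key
}

# --- Step 4: ASR rules, audit first, block once reviewed -----------------
# GUIDs are Microsoft's published rule identifiers.
$asrRules = [ordered]@{
    'Block all Office applications from creating child processes'              = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block executable content from email client and webmail'                   = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block credential stealing from LSASS'                                      = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}
$mode = if ($EnforceAsr) { 'Enabled' } else { 'AuditMode' }   # 'Enabled' is block mode
foreach ($rule in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions $mode
    "Set '{0}' to {1}" -f $rule.Key, $mode
}

# Per-rule state as the engine sees it (action: 0 off, 1 block, 2 audit, 6 warn)
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0} -> {1}" -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# What audit mode would have blocked: event 1122 = audit hit, 1121 = block.
# Review this output (and the portal's ASR report) before running with -EnforceAsr.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Mode';    e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
                  @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it once without the switch, let the device work for a week or two, and only run it with -EnforceAsr after the 1122 events have been reviewed and any legitimate software has been excluded. With tamper protection on, the Step 3 checks report what the portal policy enforces; if one of them reads FAIL, fix the policy in the portal rather than on the device.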

Defender for Business gives a small company protection that used to require an entire security team. The key is to actually onboard every device (an unonboarded laptop is a blind spot no policy can cover), keep tamper protection and ASR enforced, and review the incident queue regularly rather than treating setup as a checkbox.