May 02, 2022

Datto RMM’s Integration With Microsoft Defender for Business Is Now Available

By Luke Walker

Today, we are excited to announce Datto RMM’s integration with Microsoft Defender for Business, an endpoint security solution built to bring enterprise-grade security to small and medium businesses (SMBs).

Countering the tremendous number of cyberattacks remains one of the largest challenges today for Managed Service Providers (MSPs) responsible for securing endpoint fleets. To help MSPs deliver effective protection against these security threats, Microsoft’s Defender for Business elevates security from traditional antivirus to next-generation protection by delivering robust endpoint detection and response and threat and vulnerability management capabilities. Microsoft Defender for Business is now generally available in Microsoft 365 Business Premium and as a standalone solution. Datto RMM’s integration will also work with Microsoft Defender for Endpoint Plan 1 and Plan 2.

As security solutions evolve, so do the anti-capabilities of modern malware packages. 

A Picus Labs research report found that the average malware now demonstrates eleven malicious behaviors (adversary tactics, techniques and procedures, or TTPs), as opposed to nine in 2020. Monitoring agents can be disabled, registry keys damaged, or other key functionality impaired, which can potentially prevent an MSP from detecting threats as they emerge within its clients’ IT ecosystems. These gaps in an organization’s defenses can go unaddressed or get lost in the noise of day-to-day operations, increasing the chances of a successful attack.

With today’s launch of Datto RMM’s Defender for Business integration, Datto RMM and Microsoft partners can leverage their RMM monitoring policies to automatically detect unhealthy hosts and remediate critical operations to restore and maintain their security posture.

Detecting unhealthy hosts and monitoring for suspicious activity

Critical to the operation of Microsoft Defender is the sensor, which reports behavioral data back to the Defender for Business service. This sensor, along with Defender Antivirus, must be maintained to retain visibility into security issues across the endpoint fleet, and a monitoring failure creates friction for MSPs.

The Defender for Endpoint monitoring policy verifies that the right conditions and settings exist for successful operation, raising alerts within Datto RMM and PSA tickets. This policy works for both Defender for Business and Defender for Endpoint. Users can take advantage of this alert by deploying the policy titled “Application: Windows Defender for Endpoint” from the Best Practices section of the RMM portal.

When activated, the policy will target all Windows desktops and servers by default, but it can be modified to target certain devices or sites as desired. Once the policy has been pushed to your RMM agents, they will begin monitoring endpoints for infections, issues and misconfigurations.

In this example, Datto RMM has identified one Windows machine where the Defender for Business agent was installed, but never successfully onboarded to the Defender service, creating a gap within the organization’s defense.

Any malware, controlled folder access or potentially unwanted program reports will be flagged for review. These RMM alerts can also be configured to notify by creating a ticket in the MSP’s supported PSA tool, triggering further automation and SLAs to respond to the infection, or e-mails can be sent to the appropriate teams.

Additionally, Defender for Business and Microsoft Defender for Endpoint provide advanced attack detections that are near real-time and actionable. Examples of such detections include credential theft tool activity, ransomware activity, tampering with security sensors, and any malicious activity indicative of a human adversary associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices.

The Defender for Business service lets you gain visibility into the scope of a breach and take response actions to remediate threats. When a threat is detected, alerts are created in the Defender for Business system for the MSP to address. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident, making it easy to collectively investigate and respond to threats.

To maintain full view of post-breach alerts and incidents from Defender for Business, we recommend that MSPs configure the appropriate email flow to their PSA solution. For Datto RMM partners using Autotask PSA, please refer to this article to set up email notifications for Defender for Business events and convert them into PSA tickets.

Working with Defender Antivirus in Datto RMM

Microsoft Defender Antivirus is a key component of Microsoft’s endpoint security solution for small and medium businesses, Defender for Business, making it crucial to monitor this service.

Datto RMM’s agents can detect the presence of Defender Antivirus on Microsoft Windows desktops and servers, providing accurate information to MSPs on whether a given endpoint is protected, and whether it requires attention to resolve out-of-date definitions or interrupted services.

MSP technicians can force a signature update, or a Quick / Full on-demand scan against a given endpoint, without beginning a remote access session and without disruption to or intervention by the end user.
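
The host conditions described in the two sections above (a sensor that is installed but never onboarded, interrupted services, out-of-date definitions) can also be checked locally on a Windows endpoint. The following is an added example, not Datto RMM's policy logic or code from the original post; the function name `Test-DefenderHealth` and the three-day signature threshold are assumptions.

```powershell
# Added example: local health check for the Defender sensor and Defender Antivirus.
# Test-DefenderHealth is a hypothetical name; the age threshold is an assumption.
function Test-DefenderHealth {
    param(
        [int]$MaxSignatureAgeDays = 3   # assumed threshold, tune per client
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The endpoint sensor runs as the "Sense" service and must be running.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if (-not $sense) {
        $findings.Add('Sensor service (Sense) is not installed')
    } elseif ($sense.Status -ne 'Running') {
        $findings.Add("Sensor service (Sense) is $($sense.Status)")
    }

    # 2. Installed but never onboarded: OnboardingState is 1 only after onboarding.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
              -ErrorAction SilentlyContinue).OnboardingState
    if ($state -ne 1) {
        $findings.Add('Device is not onboarded to the Defender service')
    }

    # 3. Defender Antivirus: services enabled and definitions current.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if (-not $mp.AMServiceEnabled)          { $findings.Add('Antimalware service is disabled') }
        if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender Antivirus is disabled') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("Definitions are $($mp.AntivirusSignatureAge) days old")
        }
    } catch {
        # Tampering or a broken install often surfaces here as a failed status query.
        $findings.Add("Defender Antivirus status unavailable: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-DefenderHealth
```

On a host that reports stale definitions, `Update-MpSignature` and `Start-MpScan -ScanType QuickScan` are the local Defender cmdlets for the signature update and on-demand scan mentioned above.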


Datto RMM’s integration with Microsoft Defender for Business enables MSPs to provide powerful and easy-to-use security solutions with a consistent security posture to their small and medium business (SMB) clients.

Partners can access these integrations today in their Datto RMM tenant, or if you are new to Datto RMM you can sign up for a 14-day free trial.

Learn more about Microsoft Defender for Business here.
