From the standpoint of endpoint security management architecture, the problem being solved is managing security features on devices that are not under direct Intune management. Intune-managed devices, whether cloud-only or co-managed, already receive endpoint security management capabilities, and the integration between Intune and Configuration Manager offers comparable capabilities for devices managed on-premises through Configuration Manager.
The security configuration enforcement integration between Microsoft Defender for Endpoint (MDE) and Intune closes the remaining gap: security teams use the same administrative interface, the Intune console, to deploy security policies to devices that are enrolled only in MDE.
Now, let’s delve into the configuration prerequisites and elements of the solution. We’ll begin by configuring them in our test environment and subsequently validate the setup:
Incorporating Microsoft Defender into your security strategy enhances protection and response capabilities.
At the time of writing, the supported platforms were Windows Server operating systems from Windows Server 2012 R2 through Windows Server 2022, along with Windows 10 and Windows 11 clients. Nevertheless, it is advisable to consult the official documentation for the latest and most accurate list of supported platforms. Here you can find the official documentation.
In essence, devices must undergo enrollment in the Microsoft Defender for Endpoint service for policy application. Additionally, establishing an Azure AD trust is necessary for communication with Azure Active Directory (AAD) and Intune. Once communication is initiated with Intune, the status is reported, and policy information is pushed down to be applied to the endpoint.
From a capabilities standpoint, the Intune-MDE integration offers fundamental security policy management, covering aspects like antivirus configuration, antivirus exclusions, firewall configuration, firewall configuration exclusions, and EDR configuration. Nevertheless, it’s prudent to consult updated capability documentation to ensure awareness of potential improvements in capabilities while making decisions.
Integration Configuration
The integration process involves two configuration steps. The initial step is to integrate Microsoft Defender for Endpoint with Microsoft Intune, if not already completed. This can be accomplished in the “Settings – Endpoints – Advanced Features” view. By scrolling through the available features, the Microsoft Intune connection option becomes visible. Once activated, this integration becomes accessible on the Intune side as well.
Once activated, additional configuration options become accessible to specify the enforcement scope for endpoint security configuration. The initial option involves selecting the Windows device type for configuration enforcement, distinguishing between Windows client and Windows Server devices. Additionally, a more granular management approach can be implemented by tagging a subset of these device types as “MDE-Management.” The second section determines whether security settings management for devices enrolled by Microsoft Defender for Cloud will be overseen by MDE. The final option involves defining enforcement for devices equipped with the Configuration Manager agent. Enabling this setting ensures that the Configuration Manager agent handles security policies on Configuration Manager-managed devices.

These settings facilitate the capability for Microsoft Defender for Endpoint (MDE) to deploy the security policies formulated in Intune. Nevertheless, a straightforward configuration is also required on the Intune side to enable MDE integration. This configuration can be found in the Microsoft Defender for Endpoint view under the Endpoint security node.
The specific setting is labeled as “Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations.” Activating this setting opens the MDE channel, enabling the deployment of security policies.
After the Configuration
The first visible change after configuration is that the device appears in Microsoft Intune: a new device shows up in the Intune console with its management authority listed as MDE. Note that this can take some time to complete. In Microsoft Defender for Endpoint, the “managed by” attribute of devices that previously reported “Unknown” now shows “MDE” in the device inventory.
At this point you can start creating policies for Windows Server in Intune. The following is an example of an AV policy.
Client Behaviour
Once the MDE console confirms that the security configuration is being enforced on the client, there are two primary checks on the client side to confirm that the policy has been applied. The first is the Windows Security application, where the Virus & threat protection settings are shown as managed by the system administrator and reflect the policy settings created in Intune.
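As an added example (not code from the original post), the following PowerShell script performs the client-side verification described above from the command line rather than the Windows Security UI: it checks that the server is onboarded to MDE, enrolled in security settings management, and carrying the AV settings pushed from Intune. It assumes the values in $ExpectedAv match your Intune AV policy (hypothetical values are shown) and that the SenseCM EnrollmentStatus registry value and its "1 = enrolled" meaning are as described in Microsoft's MDE troubleshooting documentation; treat that mapping as an assumption to confirm there.

```powershell
# Added example, not from the original post: client-side verification that a server is
# onboarded to MDE, enrolled for security settings management, and carrying the AV
# settings pushed from Intune. Run from an elevated PowerShell session on the server.
# Assumptions: $ExpectedAv mirrors the Intune AV policy you created (hypothetical values
# below); the SenseCM EnrollmentStatus registry value is the one Microsoft's MDE
# troubleshooting docs describe, and "1 = enrolled" is an assumption to confirm there.

function Test-MdeSecurityManagement {
    param(
        [hashtable]$ExpectedAv = @{
            DisableRealtimeMonitoring = $false   # real-time protection on
            MAPSReporting             = 2        # cloud protection: Advanced
            SubmitSamplesConsent      = 1        # send safe samples
        }
    )
    $result = [ordered]@{}

    # 1. MDE sensor present/running and the device onboarded (OnboardingState 1)?
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseService = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
    $atp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $result.Onboarded = ($atp.OnboardingState -eq 1)

    # 2. Enrolled in security settings management (the "MDE" management channel)?
    $cm = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue
    $result.EnrollmentStatus = $cm.EnrollmentStatus
    $result.Enrolled = ($cm.EnrollmentStatus -eq 1)   # assumption; other codes: see the docs

    # 3. Did the Intune AV policy land? Policy-delivered Defender settings are written
    #    under the Policies hive (what makes Windows Security show "managed by your
    #    administrator"); Get-MpPreference shows the effective configuration in use.
    $result.PolicyHivePresent = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $pref = Get-MpPreference
    $mismatch = foreach ($k in $ExpectedAv.Keys) {
        if ($pref.$k -ne $ExpectedAv[$k]) { "$k expected $($ExpectedAv[$k]), got $($pref.$k)" }
    }
    $result.AvPolicyMatches = (-not $mismatch)
    $result.AvMismatches    = @($mismatch)

    # 4. Engine-reported state, independent of the policy store.
    $status = Get-MpComputerStatus
    $result.RealTimeProtection = $status.RealTimeProtectionEnabled
    $result.AMRunningMode      = $status.AMRunningMode   # e.g. Normal, Passive Mode, EDR Block Mode

    [pscustomobject]$result
}

Test-MdeSecurityManagement | Format-List
```

A device that shows Onboarded and Enrolled but PolicyHivePresent false has usually not yet received its first policy sync, which matches the delay the post mentions for the device appearing in Intune.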
I have also written an article on how to set up the ability to onboard servers into Microsoft Defender; you can find it here.
I have also written an article on the behaviour of ASR policies for Windows Servers, you can find this here.