Today I’ll let you into the domains of my demo environment. Together we will enable Microsoft Defender for Endpoint, connect it with Microsoft Intune, and onboard devices.
Defender for Endpoint is an enterprise endpoint security platform created to help businesses manage threats. It directly integrates with other Microsoft Solutions, such as Microsoft Purview. Defender for Endpoint is a prerequisite for Endpoint Data Loss Prevention (DLP) and Insider Risk management.
We will also touch on how signals from Defender for Endpoint can be used in Intune Application Protection policies and device compliance.
We need Intune Administrator and Security Administrator roles to configure the portals.
We need one or more devices enrolled and managed by Intune. My coworker and friend Ola Ström ☁️💻 has written an educative guide Intune lab for noobs and Part 3- Windows is what you are looking for if you want to learn the basics.
Select Endpoint security, then Microsoft Defender for Endpoint, and then select Open the Microsoft Defender Security Center.
Microsoft Defender for Endpoint - Open Microsoft 365 Defender Portal
Before connecting the services, the link says, Open the Microsoft Defender Security Center. After you have turned on the connection to Intune, the UI changes, and the link says, Open the Microsoft Defender for Endpoint admin console.
Scroll down to the Microsoft Intune connection, turn the toggle to On and Save Preferences.
Microsoft 365 Defender portal - Intune turned on
At this point, Microsoft Defender integrates into Intune. You can check the status in the Endpoint security menu.
Please return to the Microsoft Defender for Endpoint page in Intune, where we will configure some Policy settings.
MDM Compliance Policy Settings
We want to enable Defender for Endpoint with Compliance Policies. So we will turn on iOS and Windows devices under Compliance policy evaluation. Now our current managed devices, and devices you enroll in the future, are connected to Microsoft Defender for Endpoint for compliance.
Threat level classifications are determined by Microsoft Defender for Endpoint. For example, we can now create a policy that requires the device to be at or under the machine risk score to your preferred level. In Zero Trust identity and device access policies Microsoft recommends medium.
After you connect Intune and Microsoft Defender for Endpoint, Intune receives an onboarding configuration package. You can use a Device configuration profile or an Endpoint detection and response (EDR) policy to deploy the package to your Windows devices. Make sure to select only one to prevent policy conflicts for devices.
I’m using the EDR policy, which is more lightweight than device configuration profiles. So, for example, we can use the onboarding package from Defender for Endpoint, so we don’t need to manually configure a package.
Confirm that the rule is saying Yes, under assigned. If you check the devices, it might say pending for a few hours until it has been applied.
Summary and next steps
This small blog post grew into something more extensive than I had planned for. We did only scratch the surface when it comes to Defender for Endpoint. But now we have it working; we have enrolled devices and the possibility to create extraordinary policies for mobile and desktop, and even use Microsoft Purview features.
