Configure Microsoft Defender for Endpoint in Microsoft Intune

Organizations can integrate Microsoft Defender for Endpoint with Microsoft Intune as a Mobile Threat Defense solution. Integration can help prevent security breaches and limit the effect of breaches within an organization.

Microsoft Defender for Endpoint works with devices that run:

  • Android
  • iOS/iPadOS
  • Windows 10/11

To successfully use Microsoft Defender for Endpoint and Microsoft Intune in concert, you must:

  • Establish a service-to-service connection between Microsoft Intune and Microsoft Defender for Endpoint. This connection lets Microsoft Defender for Endpoint collect data about machine risk from supported devices an organization manages with Intune.
  • Use a device configuration profile to onboard devices with Microsoft Defender for Endpoint. An organization onboards devices to configure them to communicate with Microsoft Defender for Endpoint. By doing so, the organization can collect data to help assess its risk level.
  • Use a device compliance policy to set the level of risk you want to allow. Microsoft Defender for Endpoint reports risk levels. The system classifies devices that exceed the allowed risk level as noncompliant.
  • Use a conditional access policy to block users from accessing corporate resources from devices that are noncompliant. Conditional access policies can also block devices that exceed an organization’s expected risk levels.

When an organization integrates Microsoft Intune with Microsoft Defender for Endpoint, it can take advantage of Microsoft Defender for Endpoint’s Threat and Vulnerability Management (TVM) module. It can also use Intune to remediate endpoint weaknesses identified by TVM.

Example of using Microsoft Defender for Endpoint with Microsoft Intune

The following example helps explain how Microsoft Intune and Microsoft Defender for Endpoint work together to help protect organizations. For this example, Contoso already integrated Microsoft Defender for Endpoint and Intune.

Consider an event where someone sends a Word attachment with embedded malicious code to a Contoso user.

  • The user opens the attachment, which enables the embedded code.
  • A privilege escalation attack starts, giving an attacker on a remote machine administrator rights on the victim’s device.
  • The attacker then remotely accesses the user’s other devices. This security breach can affect the entire Contoso organization.

Microsoft Defender for Endpoint can help resolve security events like this scenario.

  • In this example, Microsoft Defender for Endpoint detects each of the actions that occurred:
    • The device executed abnormal code.
    • The device experienced a process privilege escalation.
    • Opening the attachment injected malicious code into the device.
    • The attacker executed an external command on a remote computer or device (known as issuing a suspicious remote shell), an action that raised doubts about its intent and legitimacy.
  • Based on the actions from the device, Microsoft Defender for Endpoint classified the device as high-risk. It also included a detailed report of suspicious activity in the Microsoft 365 Defender portal.

For this example, assume Contoso has an Intune device compliance policy that classifies devices with a Medium or High level of risk as noncompliant. As such, the compliance policy classified the compromised device as noncompliant. This classification allows Contoso’s conditional access policy to block access from that device to Contoso’s corporate resources.

For devices that run Android, you can use an Intune policy to modify the configuration of Microsoft Defender for Endpoint on Android. For more information, see Microsoft Defender for Endpoint web protection.

Prerequisites to integrating Microsoft Defender for Endpoint and Microsoft Intune

To use Microsoft Defender for Endpoint with Microsoft Intune, an organization must have the following subscriptions:

  • Microsoft Defender for Endpoint. This subscription provides you access to the Microsoft Defender Security Center (ATP portal).
  • Microsoft Intune. This subscription provides access to Intune and the Microsoft Endpoint Manager admin center.

The following platforms support Microsoft Intune with Microsoft Defender for Endpoint:

  • Android
  • iOS/iPadOS
  • Windows 10/11 (Hybrid Azure Active Directory Joined or Azure Active Directory Joined)

Enable Microsoft Defender for Endpoint in Intune

To set up the service-to-service connection between Intune and Microsoft Defender for Endpoint, you only need to enable Microsoft Defender for Endpoint a single time per tenant.

Complete the following steps to enable Microsoft Defender for Endpoint with Microsoft Intune:

  1. You must begin by navigating to the Microsoft Intune admin center. To do so, on the Microsoft 365 admin center, select Show all in the navigation pane. Under the Admin centers group, select Endpoint Manager.
  2. In the Microsoft Intune admin center, select Endpoint security in the navigation pane.
  3. On the Endpoint security | Overview page, under the Setup section in the middle pane, select Microsoft Defender for Endpoint.
  4. On the Endpoint security | Microsoft Defender for Endpoint page, select Open the Microsoft Defender for Endpoint admin console. This step opens the Microsoft 365 Defender portal.
     Tip: If the Connection status at the top of the page indicates Enabled, the connection to Intune already exists. In this event, you can select Open the Microsoft Defender Security Center. Then perform the following steps to ensure that you have set the Microsoft Intune connection to On.
  5. In the Microsoft 365 Defender portal, in the left-hand navigation pane, select Settings, then Endpoints, and then Advanced features.
  6. Set the toggle switch for the Microsoft Intune connection setting to On.
  7. Select Save preferences.
     Note: Once you establish the connection between Microsoft Defender for Endpoint and Microsoft Intune, the services should sync with each other at least once every 24 hours. You can configure the number of days without sync until Microsoft Intune considers the connection unresponsive in the Microsoft Intune admin center. Select Endpoint security, then Microsoft Defender for Endpoint, and then Number of days until partner is unresponsive.
  8. At this point, you have enabled Microsoft Defender for Endpoint with Microsoft Intune. You must now configure Microsoft Defender for Endpoint to use compliance and app protection policies. To do so, you must select the browser tab containing the Endpoint security | Microsoft Defender for Endpoint page in the Microsoft Intune admin center.
  9. To use Microsoft Defender for Endpoint with compliance policies, complete the following steps to configure the following options for the platforms you support:
    1. In the Microsoft Intune admin center, in the left-hand navigation pane, select Endpoint security.
    2. On the Endpoint security | Overview page, in the middle pane under the Setup section, select Microsoft Defender for Endpoint.
    3. On the Endpoint security | Microsoft Defender for Endpoint page, under the Compliance policy evaluation section, turn the toggle switches to On for the following platforms your organization supports:
      • Connect Android devices version 6.0.0 and above to Microsoft Defender for Endpoint
      • Connect iOS/iPadOS devices version 13.0 and above to Microsoft Defender for Endpoint
      • Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint
       When you set these configurations to On, the following devices connect to Microsoft Defender for Endpoint for compliance:
      • Applicable devices that you manage with Intune.
      • Devices you enroll in the future.
    4. To use Microsoft Defender for Endpoint with app protection policies, under the App protection policy evaluation section, turn the toggle switches to On for the following platforms your organization supports (only Android and iOS/iPadOS devices apply):
      • Connect Android devices to Microsoft Defender for Endpoint
      • Connect iOS/iPadOS devices to Microsoft Defender for Endpoint
    5. Select Save.
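The following added example (not Intune's own code) models how the Contoso compliance policy from the earlier scenario and the unresponsive-partner threshold from the setup steps combine into an access decision. Device records, the 7-day threshold default, and the risk-level names are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Ordered risk levels, as used by the Intune compliance setting that limits the
# Defender for Endpoint machine risk score. "Clear" is the lowest level.
RISK_ORDER = {"Clear": 0, "Low": 1, "Medium": 2, "High": 3}

def is_compliant(reported_risk, max_allowed_risk):
    """True when the reported risk does not exceed the policy's allowed level."""
    return RISK_ORDER[reported_risk] <= RISK_ORDER[max_allowed_risk]

def partner_unresponsive(last_sync, now, threshold_days):
    """True when Defender has not synced within the configured number of days."""
    return now - last_sync > timedelta(days=threshold_days)

def evaluate_access(device, max_allowed_risk, now, threshold_days=7):
    """Return (compliance_state, access_decision) for one device record.

    threshold_days mirrors the "Number of days until partner is unresponsive"
    setting; 7 is an assumed default for this illustration.
    """
    if partner_unresponsive(device["last_sync"], now, threshold_days):
        # No fresh risk data, so the device cannot be shown compliant: block.
        return "noncompliant", "block"
    if is_compliant(device["risk"], max_allowed_risk):
        return "compliant", "grant"
    return "noncompliant", "block"

# Constructed sample records (not real devices). Contoso's policy treats Medium
# and High as noncompliant, so the highest allowed risk level is Low.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
CONTOSO_MAX_RISK = "Low"
SAMPLE_DEVICES = [
    {"name": "laptop-01", "risk": "Clear", "last_sync": NOW - timedelta(hours=3)},
    {"name": "laptop-02", "risk": "Low", "last_sync": NOW - timedelta(hours=20)},
    {"name": "laptop-03", "risk": "High", "last_sync": NOW - timedelta(hours=1)},  # compromised device
    {"name": "tablet-04", "risk": "Clear", "last_sync": NOW - timedelta(days=9)},  # stale partner sync
]

def evaluate_all(devices=SAMPLE_DEVICES, max_allowed_risk=CONTOSO_MAX_RISK, now=NOW):
    """Evaluate every device and map its name to (compliance_state, access_decision)."""
    return {d["name"]: evaluate_access(d, max_allowed_risk, now) for d in devices}

if __name__ == "__main__":
    for name, (state, decision) in evaluate_all().items():
        print(f"{name}: {state} -> {decision}")
```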

When you integrate a new application to Intune Mobile Threat Defense and enable the connection to Intune, Intune creates a classic conditional access policy in Azure Active Directory. Each MTD app you integrate, including Microsoft Defender for Endpoint or any of Microsoft’s MTD partners, creates a new classic conditional access policy. You can ignore these policies; however, you shouldn’t edit, delete, or disable them.

If you delete the classic policy, you must delete the connection to Intune that was responsible for its creation. Once you delete the connection, you must then set it up again. Doing so recreates the classic policy. The system doesn’t support migrating classic policies for MTD apps to the new policy type for conditional access.

Organizations should take into account the following considerations related to classic conditional access policies for MTD apps:

  • Intune MTD uses them to require the registration of devices in Azure AD. Doing so ensures they have a device ID before communicating with MTD partners. Devices require the ID to successfully report their status to Intune.
  • They have no effect on any other Cloud apps or resources.
  • They differ from the conditional access policies you can create to help manage MTD.
  • By default, they don’t interact with other conditional access policies that organizations use for evaluation.