Onboard Intune Managed Machine to Defender for Endpoint

This Microsoft Intune and Defender for Endpoint article will show how to onboard Windows 10\11 managed machines to MDE.

Microsoft Defender for Endpoint (MDE) offers comprehensive end-to-end protection of Windows, macOS and Android devices with advanced capabilities.

When combined with Microsoft Intune, the two services can complement one another and offer a detailed insight into the security posture of managed Intune devices (Azure AD Joined)

The onboarding process in this article will first require the connection between the two services (Intune and MDE) and then an EDR policy in Intune to onboard the devices.

Onboarding AP Devices

The first step of onboarding Intune managed machine is to create a service connection between MDE and Intune. You only need to do this step once per tenant.

To get started, log in to the Microsoft Defender 365 portal and click on Settings.

Security Portal

From the settings page, click on Endpoints

Click on Advanced features

Switch on the Microsoft Intune connection

Create EDR Policy (Intune)

Once the connection part is done, login into the Microsoft Intune portal.

Click on Microsoft Defender for Endpoint

Enable the profile settings and Click Save.

Note: Don’t continue with the rest of the configuration until you see the connection status set to Enabled

Onboard Devices

In this stage, we will create an Endpoint detection and response (EDR) policy and assign it to Intune-managed devices.

Note: You must create an Azure AD group with the computer you want to onboard.

Once the Connection status is set to Enabled, scroll down to the bottom of the page.

Click on Create a device configuration profile to configure Microsoft Defender for the Endpoint sensor.

Create a profile

In the Configuration settings, set both options to Yes.

Add your Azure AD group to the assignment section and save the profile.

Once the policy is applied to the computers, you will see them in the profile assignment status.

Verify Onboarding

If you want to verify that your computers were successfully onboarded to EDM, one of the onboarded machines, check the status of the following service.

Windows Defender Advanced Protection Service.

The service status should be set to Running. It means the computer has not been onboarded yet if it is set to manual.






Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.