Managing Microsoft Defender for Endpoint with the new Security Management feature in MEM/Intune
The new Security Settings Management feature in Microsoft Defender for Endpoint is now generally available. Security Management for Microsoft Defender for Endpoint is a new method for managing security settings on devices and servers that are not yet enrolled in Microsoft Endpoint Manager/Intune, and it makes it possible to manage those settings from one single portal. The feature has been in public preview since late 2021 and is now generally available.
Blog tip: Microsoft Defender for Endpoint series (17 blogs)
Blog published: May 24, 2022
Blog latest updated: February 9, 2023
The new feature in Microsoft Defender for Endpoint makes it possible to deploy configurations directly from Microsoft Endpoint Manager/Intune to MDE-onboarded devices without fully onboarding those devices into Intune. The feature is called Security Management for Microsoft Defender for Endpoint. It is useful for “standalone” devices that aren’t managed by Microsoft Endpoint Manager, Intune, or Microsoft Endpoint Configuration Manager. Currently, most devices that are not part of Intune are managed with GPO, PowerShell, or other management options. It is ideal for servers in a network segment without a management presence, or where local teams are not allowed to manage security settings. The new way of managing devices also makes it possible to centrally manage exclusions.
Currently, the following management methods are available for MDE.
- Cloud-only (Intune)
- Co-management (Intune/ MECM)
- On-premises Windows 10 (MECM, GPO, or PowerShell)
- On-premises Windows Server (MECM Tenant Attach, GPO, or PowerShell)
The new Unified Endpoint Security experience brings Endpoint Manager directly to MDE-joined devices. With the new management solution, devices receive their policies from Microsoft Endpoint Manager. Devices get the policies based on their Azure Active Directory device object and the MDE SENSE service. A device that isn’t already visible in Azure Active Directory will join the main tenant where Defender for Endpoint (MDE) is activated as part of the new solution. For domain-joined devices, the Azure AD Connect sync or federation-based Hybrid Azure AD Join process is needed before devices can be onboarded.
Source: Documentation Microsoft
This blog will focus only on the new management. MDE onboarding is not part of the blog. For 2012R2, 2016 onboarding see: Install the new unified Microsoft Defender for Endpoint agent on Server 2012R2 and 2016
For the new management solution, some prerequisites are needed.
Devices must have access to the following URLs:
- enterpriseregistration.windows.net – for Azure AD registration.
- login.microsoftonline.com – for Azure AD registration.
- *.dm.microsoft.com – the wildcard covers the cloud-service endpoints used for enrollment, check-in, and reporting, which can change as the service scales.
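An added example (not part of the original post) that checks the three prerequisite endpoints from a device before enabling the feature. The function name is my own, and the host under *.dm.microsoft.com is a placeholder because the wildcard does not name a single host.

```powershell
# Added example, not from the original post: verifies that a device can resolve
# and reach the endpoints required for Security Management on TCP 443. The
# hostname under *.dm.microsoft.com is a PLACEHOLDER (wildcard hosts vary);
# replace it with a host observed in your own enrollment traces or proxy logs.
$RequiredEndpoints = @(
    'enterpriseregistration.windows.net',    # Azure AD registration
    'login.microsoftonline.com',             # Azure AD registration / sign-in
    'EXAMPLE-HOST.dm.microsoft.com'          # PLACEHOLDER for *.dm.microsoft.com
)

function Test-MdeManagementEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [int] $Port = 443
    )
    foreach ($name in $HostName) {
        $result = [pscustomobject]@{
            Host        = $name
            Port        = $Port
            DnsResolved = $false
            TcpOpen     = $false
            Error       = $null
        }
        try {
            $null = Resolve-DnsName -Name $name -ErrorAction Stop
            $result.DnsResolved = $true
            # Test-NetConnection performs the TCP handshake only; it does not
            # validate TLS inspection or the proxy path the SENSE service uses.
            $tcp = Test-NetConnection -ComputerName $name -Port $Port -WarningAction SilentlyContinue
            $result.TcpOpen = [bool]$tcp.TcpTestSucceeded
        }
        catch {
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# The SENSE sensor uses the WinHTTP proxy, not the signed-in user's browser
# proxy, so show that configuration next to the connectivity results.
Write-Host 'WinHTTP proxy configuration (used by the MDE sensor):'
netsh winhttp show proxy

$results = Test-MdeManagementEndpoint -HostName $RequiredEndpoints
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    Write-Warning ('Unreachable endpoints: ' + ($blocked.Host -join ', ') +
                   '. Enrollment and policy check-in will fail until these are allowed.')
}
```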
Operating system (KB’s installed)
The following platforms are supported. Some of them require a specific KB or higher for enabling the new management option.
- Windows 10 Professional/Enterprise: with KB5006738
- Windows 11 Professional/Enterprise
- Windows Server 2012 R2: with Microsoft Defender for Down-Level Devices
- Windows Server 2016: with Microsoft Defender for Down-Level Devices
- Windows Server 2019: with KB5006744
- Windows Server 2022: with KB5006745
Operating systems not supported
The following operating systems are currently not supported:
- Domain controllers (Reason: Azure Active Directory Trust is required)
- Server Core installations
Source: Microsoft Frequently asked questions and considerations
Active Directory joined devices
- Authentication with a domain controller
- Azure AD connect configured to sync computer objects which are in scope
- Sync rule enabled for 2012 R2 (only if 2012 R2 is needed)
- Azure Active Directory Tenant ID from Microsoft Defender for Endpoint Tenant matching SCP entry of a domain
Any subscription that grants Microsoft Defender for Endpoint licenses also grants your tenant access to the Endpoint security node of the Microsoft Endpoint Manager admin center. There is no need to buy separate licenses for the Microsoft Endpoint Manager admin center. Included is the Endpoint security node for configuring policies.
Notice: If you have access to Microsoft Defender for Endpoint as part of a Microsoft Defender for Cloud-only license (formerly Azure Security Center), the Security Management for Microsoft Defender for Endpoint functionality isn’t available. Source: Microsoft
How does it work?
Let’s explain how it works before we go to the technical configuration part. There are two situations:
Situation 1: Device without a local domain (workgroup)
- Onboard device to MDE
- Trust is established between devices and AzureAD. Target AzureAD object is located in the configured MDE tenant. If not already available, the process will create a new trust.
- Devices use their Azure AD Identity to communicate with Endpoint Manager and create objects in Intune.
- Deploy policies to AzureAD Group
- Apply and report policy
Situation 2: Device with domain (Active Directory joined devices with AzureAD connected or not connected):
- Onboard device to MDE
- Trust is established between devices and AzureAD with existing infrastructure to complete Hybrid Azure Active Directory Join. (AAD Connect or Federation provider)
- The device is part of the Azure AD Connect sync OUs
- Sync rule enabled for 2012R2
- Device synced to MDE tenant
- Devices use their Azure AD Identity to communicate with Endpoint Manager and create objects in Intune.
- Apply and report policy
Notice: For servers/workstations which are domain joined and not connected with AzureAD, the Active Directory requirements are needed for using the new feature. Read more: Troubleshoot security configuration management onboarding issues
Notice: Azure Active Directory Connect (AAD Connect) must be synchronized with the main tenant that is used for Microsoft Defender for Endpoint. The Azure Active Directory Tenant ID (MDE tenant) needs to match the Service Connection Point (SCP) Tenant ID. Tip: to check the SCP Tenant ID and Azure AD Device ID, use the MDE Client Analyzer; the MDE Client Analyzer Results.htm file provides the information.
Domain onboarding flow:
| Current Device State | New Device State with MDE management enabled |
| --- | --- |
| Already AADJ or HAADJ | Remains as is |
| Not AADJ or Hybrid Azure Active Directory Join (HAADJ) + Domain joined | Device is HAADJ’d |
| Not AADJ or HAADJ + Not domain joined | Device is AADJ’d |
Enable Security Configuration Management in MDE
First, we need to enable the feature in Microsoft 365 Defender using the steps below. When testing, it is important to configure the pilot mode so that only a small subset of devices is affected.
- Sign in to Microsoft 365 Defender portal
- Go to Settings -> Endpoints > Enforcement Scope
- Configure the checkbox Use MDE to enforce security configuration settings from MEM
- Configure the checkbox for which OS platform (Server/ Client) the settings will be applied
Use the option on tagged devices for testing and validating the rollout on a small number of devices. Without using the tagged mode all devices which are part of the scope will be configured and onboarded.
In some environments devices are also managed with Configuration Manager tenant attach. When both are enabled, this creates the opportunity for conflicts and undesired results or health issues. When using Security Management for Microsoft Defender for Endpoint together with Configuration Manager, settings are managed from one single channel only, in this case Configuration Manager. If the option Manage Security settings using Configuration Manager is ticked, Configuration Manager is recognized as the single security management authority.
Enable MDE Security Configuration Management in Endpoint Manager
For the first-time set-up, it is required to enable the new checkbox in Endpoint Manager. For enabling the new modern management method:
- Sign in to the Microsoft Endpoint Manager portal
- Go to Endpoint Security -> Microsoft Defender for Endpoint
- Enable the setting: Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations
For the relevant users, there is a new role available in Microsoft 365 Defender for security settings management. For configuring the new role:
Go to Settings > Endpoint > Roles and use the following permission: Manage endpoint security settings in Microsoft Endpoint Manager. Users with the new permissions can change and create Endpoint security settings in Microsoft Endpoint Manager without the complete Endpoint Manager Roles.
Create AzureAD Groups
Before creating policies it is recommended to configure a couple of AzureAD Groups for deploying the new policies. Two methods are available:
- Assigned group
- Dynamic group
As a best practice, it is recommended to use dynamic device groups. A dynamic group has the advantage of automatically adding devices to the correct group and deploying the policies as soon as devices are managed by the new management method.
For the configuration rules use the property systemLabels part of the AzureAD device object. The below values are available:
- MDEJoined – Devices that have joined the directory
- MDEManaged – Devices that are actively using the security management for Microsoft Defender for Endpoint
SystemLabels Object view (Microsoft Graph Explorer):
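An added example (not the post's own code) that creates the two dynamic device groups with the Microsoft Graph PowerShell SDK and then shows the systemLabels array the rule evaluates against. The group display names are assumptions; vm-pc-win05 is the device name used later in the post.

```powershell
# Added example, not from the original post: creates dynamic device groups keyed
# on the systemLabels values MDEJoined and MDEManaged, then inspects one device.
# Prerequisite modules: Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

function New-MdeDynamicDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [ValidateSet('MDEJoined', 'MDEManaged')] [string] $SystemLabel,
        # Optional extra clause, e.g. '(device.deviceOSType -eq "Windows Server")';
        # verify the exact deviceOSType string on one of your device objects first.
        [string] $ExtraRule
    )
    $rule = "(device.systemLabels -contains `"$SystemLabel`")"
    if ($ExtraRule) { $rule = "$rule and $ExtraRule" }

    New-MgGroup -DisplayName $DisplayName `
        -Description "Dynamic device group: systemLabels contains $SystemLabel" `
        -MailEnabled:$false `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
}

# MDEJoined: every device the sensor registered in the tenant.
$joined  = New-MdeDynamicDeviceGroup -DisplayName 'SEC-MDE-Joined-Devices'  -SystemLabel 'MDEJoined'
# MDEManaged: only devices actively receiving policy through MDE; use this one
# as the assignment target for the endpoint security profiles.
$managed = New-MdeDynamicDeviceGroup -DisplayName 'SEC-MDE-Managed-Devices' -SystemLabel 'MDEManaged'
$joined, $managed | Select-Object DisplayName, Id, MembershipRule

# Confirm what the rule evaluates against: the device's systemLabels collection.
Get-MgDevice -Filter "displayName eq 'vm-pc-win05'" -Property 'displayName,systemLabels,trustType' |
    Select-Object DisplayName, TrustType, @{ n = 'SystemLabels'; e = { $_.SystemLabels -join ',' } }
```

Dynamic membership is evaluated by the directory after the sensor sets the label, so a freshly onboarded device appears in the group only after its next check-in, not immediately.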
Create first profile
For the new MDE feature, we can use directly the Endpoint security node in the Microsoft Endpoint Manager/ Intune admin center. Only this blade will work for configuring and deploying settings.
Devices managed by this configuration capability check in with Microsoft Endpoint Manager every 90 minutes to update policy. In Intune there is also the option to manually sync a device on demand: the Policy sync button is available directly on the device page.
Currently, not all security settings are supported for the new feature. Below is included:
- Antivirus policies
- Firewall policies
- Firewall rule policies
- Endpoint detection and response policies
- Attack Surface Reduction (public preview)
Duplicate policies and duplicated exclusions
Avoid deploying multiple policies that manage the same setting to a device. Currently, there is no support to deploy different configurations which include different settings.
Microsoft gives the following advice:
Microsoft Endpoint Manager supports deploying multiple instances of each endpoint security policy type to the same device, with each policy instance being received by the device separately. Therefore, a device might receive separate configurations for the same setting from different policies, which results in a conflict. Some settings (like Antivirus Exclusions) will merge on the client and apply successfully.
For exclusions, the items will be merged which gives the following option for more exclusion control. Important: Always limit the use of exclusions when possible.
- Profile A: Global exclusions (deployed to all systems)
- Profile B: Citrix exclusions (deployed to a specific set of systems hosting Citrix)
- Result: items from A will be merged together with B.
Create Security profiles
For creating the first profiles – follow the below steps:
- Sign in to the Microsoft Endpoint Manager portal
- Go to Endpoint Security and select the type of policies. For each policy select the platform: Windows 10, Windows 11, and Windows Server
- Configure the settings
Firewall / Firewall Rules
Endpoint Detection and Response
Configuring Antivirus profile
On the Configuration settings page, select the settings you want to manage with this profile.
On the Assignments page, select the Azure AD groups that will receive this profile. Only Device Objects are applicable for Microsoft Defender for Endpoint management. Targeting users is not supported.
A new policy is created with the target scope mdm,MicrosoftSense
MDE Device tag – Pilot group
When using Pilot Mode, the MDE device tag is required to limit the initial scope. To enable the management, apply the tag MDE-Management to each device. After the tag is applied, the device is available for joining the new management process. When Pilot Mode is removed, all supported devices will automatically become part of the new management service.
Configuring device tags is possible from the portal or directly from the registry. Read more: Create and manage device tags.
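An added example (not from the original post) that applies the MDE-Management tag through the registry on an already onboarded device. The function name is my own; the registry paths are the documented device-tagging and onboarding-status locations.

```powershell
# Added example, not from the original post: sets the MDE-Management device tag
# via the registry, but only on a device that is already onboarded to MDE.
function Set-MdeDeviceTag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $Tag = 'MDE-Management'
    )
    # Refuse to tag a device that is not onboarded: the SENSE service is what
    # reports the tag, so without onboarding the tag never reaches the portal.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    if ($onboarded -ne 1) {
        throw "Device is not onboarded to MDE (OnboardingState='$onboarded'). Onboard it first."
    }

    # The registry tag is a single REG_SZ value named Group; only one tag can be
    # set this way, whereas the portal allows several.
    $tagKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
    if (-not (Test-Path $tagKey)) {
        New-Item -Path $tagKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($tagKey, "Set Group = $Tag")) {
        New-ItemProperty -Path $tagKey -Name 'Group' -Value $Tag -PropertyType String -Force | Out-Null
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Tag          = (Get-ItemProperty -Path $tagKey -Name 'Group' -ErrorAction SilentlyContinue).Group
        SenseService = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status
    }
}

# Preview the change with -WhatIf, then apply it. The tag shows up in the portal
# after the sensor's next report, so check Device inventory before expecting enrollment.
Set-MdeDeviceTag -WhatIf
Set-MdeDeviceTag
```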
After enabling the configuration in Intune and MDE we onboard two new devices to Defender for Endpoint with the latest onboarding files.
- 1x Windows 10 (workplace joined)
- 1x Server 2016 (workplace joined)
This gives the following result:
Device Azure AD joined with the MDM status: Microsoft Intune
Visible in Intune and managed by MDE. Managed by MDE means the device is managed by Defender for Endpoint using the new configuration feature.
Policy applied and check-in status success
Settings correctly applied and reporting with the status: Succeeded
Device visible in Defender for Endpoint with the status: Managed by MDE
Troubleshooting is possible with multiple portals and tools. Through the Microsoft Defender for Endpoint portal, security administrators can use the Managed By entry for checking the onboarding state.
To see a list of all devices that have failed the Security Management for Microsoft Defender for Endpoint onboarding process, filter the device inventory page on the Managed By – MDE error item.
Defender for Endpoint Device page
The Microsoft Defender for Endpoint device page shows more information. The section Device management shows more information about the Managed by state (1) and the MDE enrollment status (2). Failures are directly visible in the MDE Enrollment status field.
The screenshot below shows device vm-pc-win05 which is correctly managed by MDE and gives the status success.
Defender for Endpoint Device page – Enforcement errors
Enforcement errors are visible directly from the MDE device page. When there is an issue; the title shows: This device has a configuration enforcement error.
Other enforcement errors examples:
- The error indicates that OS failed to perform hybrid join. Use Troubleshoot hybrid Azure Active Directory-joined devices as guide for troubleshooting OS-level hybrid join failures
- Invalid DNS settings on the workstation’s side. Active directory requires you to use domain DNS to work properly.
For more advanced details use the MDE Client Analyzer or MDE Client Analyzer Beta.
Find troubleshooting error code
Check the registry key EnrollmentStatus to find more information and the enrollment status:
Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SenseCM
View the Microsoft docs for the complete error-code list.
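An added troubleshooting script (not from the original post) that reads the SenseCM EnrollmentStatus value mentioned above, the device's join state and tenant ID from dsregcmd (to compare with the SCP tenant ID requirement discussed earlier), and recent errors from the SENSE operational event log. Function names are my own; the meaning of each EnrollmentStatus value is in the Microsoft error-code list linked above.

```powershell
# Added example, not from the original post: collects the local evidence needed
# to troubleshoot a Security Management enrollment failure.
function Get-SenseCMState {
    $key = 'HKLM:\SOFTWARE\Microsoft\SenseCM'
    $cm = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $cm) {
        return [pscustomobject]@{ EnrollmentStatus = $null; Note = 'SenseCM key absent: no enrollment attempt yet' }
    }
    # Dump every value under the key; value names other than EnrollmentStatus vary by build.
    $values = $cm.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    [pscustomobject]@{
        EnrollmentStatus = $cm.EnrollmentStatus
        OtherValues      = ($values | Where-Object Name -ne 'EnrollmentStatus' |
                            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

function Get-DeviceJoinState {
    # dsregcmd prints "Name : Value" lines; keep the ones relevant to MDE management.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'EnterpriseJoined', 'TenantId', 'DeviceId'
    $state = [ordered]@{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

function Get-RecentSenseErrors {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } |          # 1=Critical, 2=Error, 3=Warning
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$join = Get-DeviceJoinState
$join | Format-List
# On a domain-joined device this TenantId must equal the MDE tenant ID; a
# mismatch with the domain's SCP is a common cause of a failed hybrid join.
if ($join.TenantId) { Write-Host "Compare TenantId $($join.TenantId) with the MDE tenant ID." }
Get-SenseCMState | Format-List
Get-RecentSenseErrors | Format-Table -Wrap -AutoSize
```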
Reporting configuration management
Included in Defender for Endpoint is the Configuration management blade. The Device configuration management blade shows the following MDE Management information.
Part of the reporting:
- Configuration method
- Onboarded via MDE security management (including failures)
Microsoft: Announcing Preview of New Security Management Capabilities for Microsoft Defender for Endpoint
Microsoft: Security Settings Management in Microsoft Defender for Endpoint is now generally available
Microsoft: Security Management documentation
Microsoft: Troubleshoot onboarding issues with MDE management
Hello. I updated the policy settings and deployment takes near one hour. Could you tell me how can enforce policy sync after the change?
The policy sync can take some time for the first time. After installing the Defender Sense sensor, the AAD-Join process/ MEM registration process starts. When the device is visible in MEM as MDE Managed, it will be synced quickly.
I have the same problem as Artur.
I configured some policies and Firewall rules but it does not sync to the client.
It only works after the client is restarted.
Can I immediately enforce policy to clients from Defender portal or from client?
Based on my test the first policy sync is after between 10min – 1 hour for the initial first-time sync and later policy changes.
Hi, one question please,
device enrolled in intune with company portal and azure ad registered
Company portal show me this warning “Enroll your device in Microsoft Defender for Endpoint” but, I can see the device in MDE dashboard in onboarded state
Why? Isn’t azure ad registered device compatible?
Hi, When devices are onboarded in MEM, expected Windows 10/11, you can onboard with the use of the onboarding part of Intune. MEM attach is only needed for systems that are not fully part of Intune.
1. Enable Defender for Endpoint integration
2. Create MDE Endpoint Detection and response policy
3. Deploy the configuration/ onboarding
Manual onboarding using the Defender for Endpoint onboarding is not needed for full Intune integration.
Hope this helps, when you have further questions – let me know.
Jeffrey, great write up! Would you know if MDE devices managed in MEM will show up in MEM reports for Microsoft Defender Antivirus? I have this configured and the MDE devices do not show up. It would be nice to get some output in the portal on AV definition status and other metrics.
Thanks. Tested the situation in my test lab. It seems MDE devices are not part of the built-in reporting.
There is reporting available part of the deployment profiles. The reporting; https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/AgentStatusReportBlade shows only Intune managed devices.
AV Definition/ scan/ platform status is possible using TVM and Advanced hunting in MDE itself. Microsoft knows perfectly, based on the TVM metrics, if the signature is compliant or non-compliant. Using KQL you can enable reporting including all the AV version data and statistics.
When you are looking for a sample KQL query, let me know by sending an e-mail.
Great article, very useful.
Is this applicable to a VDI infrastructure? Especially non-persistent VDI.
Azure AD is tricky. Due to the potential effect on Azure Active Directory environments with respect to device lifecycle and service quota the AzureAD object/ MEM objects seems not ideally for non-persistent VDI environments.
Microsoft gives the following details in combination with non-persistent VDI and MDE management. Except the AzureAD ID is gone after the lifecycle of the non-persistent devices.
“Due to the potential effect on Azure Active Directory environments with respect to device lifecycle and service quota, we advise against testing the current installation files and builds shared in this public preview in a non-persistent VDI environment.”
Hey, great article. What's your opinion on using this without Intune, just the P1 licence?
Any subscription that grants Microsoft Defender for Endpoint licenses also grants your tenant access to the Endpoint security node of the Microsoft Endpoint Manager admin center. Part of the Defender P1/ P2 license is the option to use the Endpoint security node. When using the full functionalities part of MEM/Intune it is advised to use the separate Intune license and use all advantages features.
Great article thanks
I am planning to connect on premises servers to azure
using azure arc
To provide the Defender Antivirus, VA & Sentinel solutions to on-premises servers (Windows & Linux machines)
Can you please help me with the deployment method i can go with to provide the AV,EDR& ASR profiles for the Azure arc enabled servers
Thank you in advance
Hi Prashant, thanks – part 4 of the series explains all available management options including focusing on the configuration components ( AV,EDR,ASR and more).
The next part is almost finalized.
Hi, thanks for those articles for Defender keep them coming 🙂
2 quick questions;
How would you manage DC with this method to push the policy? (with no Intune/mecm) Gpo? Azure Arc with a cloud license?
In the official doc (https://learn.microsoft.com/en-us/microsoft-365/security/defender-business/mdb-configure-security-settings?view=o365-worldwide) they mention you can use “device configuration” to manage the policy in the security portal. I don’t see this options. Is there any advantage on using those over the MEM.
Would be great if you could explain about doing test group for device once you already deployed using this scenario to test new/change of policy.
Thanks again for this and keep up the good work 🙂
Domain controllers are currently not supported for this solution. Use GPO/ PowerShell or other available methods for managing the AV part. See this blog for more information; https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-configure-av-next-generation-protection-part4/
The article you mentioned is based on MDB (Defender for Business) and uses Intune. Both products are the same. MEM/ Intune is the same product.
Thank you very much for the article which gives some insight in to why Defender Policies are not working in 2019 servers for us. A Microsoft engineer told us the Intune is not supported on Windows servers by Microsoft and we need to use configuration manager to manage them. Is this why we need to use MDE to apply Intune defender policies to Windows servers? We tried to apply Intune defender AV policies to servers but not working.
Thanks – the security feature in MEM/ Intune can be used for managing 2019 servers.
The following solution supports Server 2019 Servers for deploying policies via MDE management/ Intune.
Getting an error on some servers in terms of MEM enrollment. (SENSE LOG ID 60. – Failed to run endpointconfigmanagementenrollcommand) Do you know what the command is that its actually trying to run? This issue is network related (SenseCM error 13) but just wanted to force the action without having to wait for it to try again
Can you run the MDEClientAnalyzer for checking more in-depth events.
MDEClientAnalyzer collects related logs and files as part of the Config Management enrollment.
The errors are related to the new security management. https://jeffreyappel.nl/managing-microsoft-defender-for-endpoint-with-the-new-security-management-feature-in-mem/
What happens if a device is managed by Configman and you deploy it via this method to MDE?
In MDE the device does show managed by MDE, Enrollment status success. In MEM i see the managed by MDE device and the ConfigMgr device. Just wondering what are the pros/cons of doing it this way.
Both profiles give a conflict. “If you use both, you’ll need to control policy through a single channel, as using more than one channel creates the opportunity for conflicts and undesired results.”
After the devices got the Intune policies, they lost the device action menu (isolate, troubleshoot, investigate, etc.) any idea why? It happened on a mix of w10 and w11 endpoints
I have verified it with a newly onboarded device, it seems like all the policies take, but as soon as I manually sync policies from the device menu, then shortly after the device action menu is gone from the device details in Defender for Endpoint – glitch??
So with this configuration, you mean that we can manage DFE on windows server through intune portal ?
We do not need to create GPO to manage ASR, exclusion, antivirus etc ?
I did all the configuration, but my 2x 2012 R2 and 2019 servers appear as UNKNOWN in the Managed by section, do you know why?
Hi! Do you have any ideas for management of Azure ADDS joined servers. They are not synchronized to Azure AD since that sync is not bidirectional. Is there any other way than GPO / Powershell in that particular use case?
Great write up.