Domain 4: Protect Devices

Defender for Endpoint: Integrate & Onboard

Microsoft Defender for Endpoint is the enterprise threat protection platform. Learn how to integrate it with Intune and onboard devices for advanced detection, investigation, and response.

What is Defender for Endpoint?

Simple explanation

If antivirus is a security camera, Defender for Endpoint is an entire security operations centre.

A security camera records what happens. A security operations centre (SOC) watches the cameras, spots suspicious behaviour, investigates incidents, and sends the response team. Defender for Endpoint does the same for your devices: it detects threats, investigates what happened, and helps you respond — all from a single dashboard.

When integrated with Intune, they share information: Intune tells Defender which devices are managed, and Defender tells Intune which devices have threats — enabling automatic compliance enforcement.

Integrating Intune with Defender for Endpoint

Step 1: Enable the connection

  1. Microsoft Defender portal (security.microsoft.com) → Settings → Endpoints → Advanced features
  2. Enable Microsoft Intune connection → Save
  3. Intune admin center → Endpoint security → Microsoft Defender for Endpoint
  4. Enable Connect to Microsoft Defender for Endpoint → Save

What integration enables

Feature | How it works
------- | ------------
Device risk score in compliance | Intune compliance policies can check MDE's machine risk level (Clear, Low, Medium, High)
Conditional access enforcement | High-risk devices are automatically blocked from M365 resources
Configuration delivery | MDE security settings can be delivered via Intune
Unified device view | See MDE alerts alongside Intune management data
Onboarding via Intune | Deploy the MDE onboarding package through Intune configuration profiles

Step 2: Create compliance policies using device risk

Once connected, add device risk to compliance policies:

Setting | Value | Effect
------- | ----- | ------
Require the device to be at or under the machine risk score | Medium | Devices with “High” risk are marked non-compliant
Combined with CA policy | Require compliant device | High-risk devices are blocked from Exchange, SharePoint, Teams

Chen Wei at Meridian Bank sets the threshold to “Low” — even medium-risk devices are blocked from banking applications. The bank’s zero-tolerance security stance means any device flagged by Defender loses access instantly.

Onboarding devices

Windows onboarding via Intune

  1. Intune admin center → Endpoint security → Endpoint detection and response → Create policy
  2. Select platform: Windows 10, Windows 11, and Windows Server
  3. Profile: Endpoint detection and response
  4. The onboarding configuration package is delivered via Intune’s config profile mechanism
  5. Assign to device groups

Multi-platform onboarding

Platform | Onboarding method
-------- | -----------------
Windows | Intune EDR policy (recommended), GPO, ConfigMgr, script
macOS | Intune config profile, manual package (.pkg), JAMF
iOS/iPadOS | Defender for Endpoint app from the App Store + app config
Android | Defender for Endpoint app from Managed Google Play + app config
Linux | Script-based onboarding, Ansible/Puppet

Exam tip: Defender for Endpoint licences

MDE comes in two plans:

  • Plan 1 — included in Microsoft 365 E3. Core protection: ASR, next-gen AV, device control. No EDR.
  • Plan 2 — included in Microsoft 365 E5. Full protection: everything in P1 + EDR, automated investigation, threat analytics, advanced hunting.

The exam may test: “What licence is needed for endpoint detection and response (EDR)?” → MDE Plan 2 or M365 E5.

For Intune integration (risk-based compliance), you need MDE Plan 2 — Plan 1 doesn’t provide the device risk score used in compliance policies.

Deep dive: onboarding status verification

After onboarding, verify devices are reporting to MDE:

  1. Microsoft Defender portal → Device inventory → check the device appears
  2. Intune admin center → Devices → select device → check “Defender for Endpoint status”
  3. On the device itself: run Get-MpComputerStatus in PowerShell → check AMRunningMode is “Normal”

Common onboarding issues:

  • Device doesn’t appear in Defender portal — wait 24 hours (initial sync can be slow)
  • Onboarding fails — check prerequisites: .NET 4.5+, Windows telemetry enabled, proxy/firewall allows MDE URLs
  • Risk score not showing in Intune — verify the Intune-MDE connection is enabled in both portals
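The on-device checks above can be scripted so a helpdesk can run one command per machine. This is an added example, not part of the course: Test-MdeOnboarding is a hypothetical helper name, and it reads the Sense sensor service, the OnboardingState value the onboarding package writes to the registry, the AMRunningMode check from step 3, and the DiagTrack telemetry service that the prerequisites list depends on.

```powershell
# Added example: gather the local signals that show whether a Windows device is
# onboarded to Defender for Endpoint. Run in an elevated PowerShell session.
# Test-MdeOnboarding is a hypothetical helper name; the services, registry value
# and cmdlet it reads are the standard ones present on a Windows MDE client.
function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # Sense = Windows Defender Advanced Threat Protection Service (the MDE sensor).
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    # DiagTrack = Connected User Experiences and Telemetry; MDE needs it running.
    $diagTrack = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

    # The onboarding package writes OnboardingState = 1 and the tenant OrgId.
    $onboardingState = $null; $orgId = $null
    if (Test-Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey
        $onboardingState = $props.OnboardingState
        $orgId = $props.OrgId
    }

    # Defender AV mode as in the course's check: expect "Normal" (or "Passive Mode"
    # when a third-party AV is primary and MDE still collects EDR telemetry).
    $amMode = (Get-MpComputerStatus -ErrorAction SilentlyContinue).AMRunningMode

    $senseStatus = if ($sense) { "$($sense.Status)" } else { 'NotInstalled' }
    $onboarded = ($senseStatus -eq 'Running') -and ($onboardingState -eq 1)

    # Map the failure pattern to the likely cause from the troubleshooting list above.
    $hint = if ($onboarded) { 'Onboarded; allow up to 24 hours for the device to appear in Device inventory' }
            elseif (-not $sense) { 'Sense service missing: onboarding package never ran or OS unsupported' }
            elseif ($onboardingState -ne 1) { 'Onboarding did not complete: verify telemetry is allowed and proxy/firewall permits the MDE URLs' }
            else { 'Onboarded but sensor stopped: start the Sense service and check the Microsoft-Windows-SENSE/Operational log' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SenseService    = $senseStatus
        DiagTrack       = if ($diagTrack) { "$($diagTrack.Status)" } else { 'NotInstalled' }
        OnboardingState = $onboardingState
        OrgId           = $orgId
        AMRunningMode   = $amMode
        Onboarded       = $onboarded
        Hint            = $hint
    }
}

Test-MdeOnboarding | Format-List
```

A device that reports Onboarded = True locally but is still absent from the Defender portal after 24 hours points at the connection or sync side rather than the client.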

Flashcards

Question

What does integrating Intune with Defender for Endpoint enable?

Answer

Device risk scores in Intune compliance policies, conditional access enforcement based on threat level, onboarding delivery via Intune, and a unified device view combining management + security data.

Question

How do you onboard Windows devices to Defender for Endpoint via Intune?

Answer

Create an Endpoint Detection and Response (EDR) policy in Intune (Endpoint security → EDR), configure the onboarding package, and assign to device groups. The onboarding config is delivered via Intune's management channel.

Question

What MDE licence is needed for risk-based compliance in Intune?

Answer

MDE Plan 2 (included in M365 E5). Plan 1 (included in M365 E3) provides core protection but doesn't include EDR or the device risk score that Intune compliance policies use.

Knowledge Check

  1. Chen Wei integrates Intune with Defender for Endpoint at Meridian Bank. He creates a compliance policy requiring devices to have a risk score of 'Low' or below. A banker's laptop is flagged as 'High' risk by Defender after suspicious PowerShell activity. What happens?
  2. Sam needs to onboard macOS devices to Defender for Endpoint. What's the recommended approach?

Next up: Plan and Manage Windows Updates — update rings, feature update policies, and staged rollout strategies.