Intune Defender for Endpoint Connector
Defender for Endpoint, are you licensed for it? Are you using it? Are you using Intune? Then why are you not using the Intune Connector for Microsoft Defender for Endpoint (MDE)? In this article I will hope to explore this on your behalf and share my findings. Microsoft Defender for Endpoint and Intune can be integrated to enhance your organisation’s security posture by enabling endpoint protection, threat detection, and response capabilities across all managed devices. This integration allows for the sharing of security information and the application of compliance policies based on threat intelligence.
So, what do we need to be able to use this? Lets take a look at the minimum requirements for Defender for Endpoint?
- Licenses
- Microsoft Edge (or Chrome)
- A supported version of windows, other platforms are supported but wont be discussed here.
- Meet the minimum spec
- Ideally be using IPv4 (IPV6 needs a bit more configuration but yet to meet anyone using IPv6 fully)
Starting January 14 2024, Microsoft Defender for Endpoint Plan 1 (P1) is automatically included in Microsoft 365 E3/A3 licenses. This means that all existing Microsoft 365 E3/A3 customers now have access to Defender for Endpoint P1. Additionally, customers with Microsoft 365 E5 licenses are already entitled to the comprehensive Microsoft Defender for Endpoint Plan 2 (P2) solution.
So if you have E3 or E5 and you pay for a separate Antivirus solution, I would ask - why are you doing this? According to this IDC report from 2022 Microsoft have a very significant market share for Worldwide Endpoint Security and looking at Gartner Peer Insights report Defender for Endpoint has some glowing reviews and community engagement. So why are a small number of companies still opting for a 3rd party Endpoint Security product? Could it be a distinct lack in appetite for a skills uplift? Not your problem? Feature differences? Don’t want to put all your eggs in one basket? All good reasons but are they good enough to justify the additional costs involved?
Setup
There are four main we need to look at to get this going.
- Establish a link between Intune and Defender for Endpoint
- Onboard Devices
- Advanced Compliance
- Conditional Access
Establishing a Link
To set up the connection, navigate to the Microsoft Intune > Tenant Administration > Connectors and Tokens > Microsoft Defender for Endpoint and then, like me, you may notice you don’t have one set up yet. Lets fix that.
If you click on the link “Connect Microsoft Defender for Endpoint to Microsoft Intune in the Microsoft Defender Security Center” the Security Centre portal will open in a new window. In the Microsoft Defender Security Center, go to Settings > Endpoints > Advanced features, and turn on the Microsoft Intune connection.
This integration enables Intune to receive risk signals from Defender for Endpoint, which can then be used to create and enforce compliance policies. Once established the Intune console will update. You can see here I have also enabled some settings related to Windows Devices.
Because Microsoft Defender for Endpoint can be used independently to Intune, the first setting allows devices to report their status to Intune, which we would like them to do. Also, the setting to connect versions of Windows 10.0.15063 or above has been selected. This version refers to Windows 10 Version 1703, released in April 2017. It does not, however, meet the minimum requirement for supporting Microsoft Defender for Endpoint, which starts from version 1709 (10.0.16299.15). So watch out for that, also.
Onboarding Devices
Onboarding devices to Microsoft Defender for Endpoint through Intune allows for comprehensive threat detection and response capabilities on each device. When devices are onboarded, Defender for Endpoint can monitor them for suspicious activities and provide detailed insights into potential threats.
To onboard devices, first, navigate to the Microsoft Intune Console. Go to Endpoint security > Endpoint detection and response. Notice here it tells you the connector is established.
Create a policy. Choose a platform (e.g., Windows 10, Windows 11 and WIndows Server) and select Endpoint detection and response under profile type. Configure the profile with your required settings and deploy it to the targeted device groups (the settings I opted for are in the below image).
Devices will automatically onboard to Defender for Endpoint upon receiving and applying this configuration, beginning real-time protection and threat monitoring.
Compliance Policy
We can now use a compliance policy in Intune that leverages the integration with Microsoft Defender for Endpoint to mark devices as compliant or not based upon their risk score. It assigns a risk score to each device, categorising the risk as:
- Clear: No known threats or vulnerabilities.
- Low: Minor issues that do not pose a significant threat.
- Medium: Notable issues that could potentially harm the device or network.
- High: Serious issues that pose a significant threat to the device or network.
Defender for Endpoint continuously monitors devices for security threats and vulnerabilities. It analyses telemetry data, including malware detection, suspicious activity and security configurations, to assign this risk score.
I’m not going to talk about what compliance policies are and how to set them up but you can read more here: https://learn.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#create-and-assign-compliance-policy-to-set-device-risk-level. Of course in this article I have only discussed Windows Devices but other platforms are supported for this.
Conditional Access
Conditional Access policies in Entra ID can be enhanced using signals from Microsoft Defender for Endpoint, ensuring that only devices meeting specific security conditions can access corporate resources. This approach protects against compromised devices and reduces the risk of unauthorized access by incorporating real-time threat intelligence into access decisions.
Now that we have a compliance policy configured to look for devices with a specific risk score its entirely possible to configure a policy to block access to corporate resources for non-compliant devices. Conditional Access is a large and complex topic I am not going to cover here in any depth, it has been covered lots of times before but I will recommend you go and read the Conditional Access framework and polices link in the links at the end of this article to familiarise yourself with a standardised naming convention.
I appreciate you taking the time to read my blog.Please give it a share for me.
Jonathan
Links and References
| Location | Link |
|---|---|
| Microsoft Learn | Minimum requirements for Defender for Endpoint |
| Microsoft Learn | Prerequisites |
| Microsoft Learn | Configure Microsoft Defender for Endpoint in Intune |
| Microsoft Learn | MDE Planning Guide |
| Microsoft Learn | Conditional Access framework and polices |
| IDC | Worldwide Corporate Endpoint Security Market Shares, 2022 |
| Gartner | Gartner Peer Insights report for Defender for Endpoint |