MDE Series-Part 3: Integration of Microsoft Intune with Microsoft Defender for Endpoint

20.02.2024 | Blog, Microsoft Security

Integration of Microsoft Intune with Microsoft Defender for Endpoint

 

Do you often find forums discussing Microsoft Defender for Endpoint and its features, but still have questions in mind?

ūüöÄA one-stop solution for all your questions- We have started a Microsoft Defender for Endpoint Series, where we want to cover topics on a deeper level and discover the possibilities with all kinds of threats and endpoints!

Learn Microsoft Defender for Endpoint with #Salona aka #Intunesiastic

Since seen in my second blog of the  Microsoft Defender for Endpoint Series, Microsoft Defender for Endpoint Series-Part 2 Microsoft Intune is the most common methods of deployment among- Windows 10/11, Android, iOS and macOS platforms.  So, let us first see, how to integrate Microsoft Intune with Microsoft Defender for Endpoint in these generic steps below:

  • Establish a service-to-service connection between Intune & Microsoft Defender for Endpoint.-This connection lets Microsoft Defender for Endpoint collect data about machine risk from supported devices you manage with Intune.
  • Use Intune policy to onboard devices with Microsoft Defender for Endpoint.-You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level.
  • Use Intune device compliance policies to set the level of risk you want to allow.-Microsoft Defender for Endpoint reports a devices risk level. Devices that exceed the allowed risk level are identified as non-compliant.
  • Use a conditional access policy.-to block users from accessing corporate resources from devices that are non-compliant.
  • Use¬†app protection policies (MAM).-For Android and iOS/iPadOS, to set device risk levels. App protection polices work with both enrolled and unenrolled devices.

ūüĒźIntegration of Microsoft Intune with Microsoft Defender for Endpoint

To set up the service-to-service connection between Intune and Microsoft Defender for Endpoint, you only need to enable Microsoft Defender for Endpoint a single time per tenant. These steps are as below:

  1. Navigate to the Microsoft Endpoint Manager admin center. Select Endpoint security in the navigation pane.
  2. On the Endpoint security | Overview page, under the Setup section in the navigation pane, select Microsoft Defender for Endpoint. Under the Microsoft Defender for Endpoint, you can see the Configuring Microsoft Defender for Endpoint.
    Fig1) Defender for Endpoint

    Fig1) Defender for Endpoint

     

  3. From the above window, click the link ‚ÄúConnect Microsoft¬†Defender for Endpoint to Microsoft Intune in the Microsoft Defender Security Center.‚ÄĚ This shall redirect you to the Microsoft 365¬†Defender¬†for the Endpoint portal (Security & Compliance (microsoft.com)
  4. Under the Devices tab, select the Onboard Devices option. Please note, for this, you need to scroll a bit towards down and then towards right. And we have not done the actual onboarding yet. Have patience and wait for my fourth blog!  We are going to do the Onboarding in there. There are different options to onboard. I shall be showing the way to onboard devices using Intune.
    Fig2) Defender For Endpoint
  5. Now click on Settings > Endpoints.¬† An important point to be noted is, you shall not see the option for ‘Endpoints’ unless you perform the 4th Step above (Onboard devices)Fig3) Defender for Endpoint
  6. Now click on Advanced Features and scroll down.  You will see the the  toggle switch for the Microsoft Intune connection . Set this setting to On.Fig4) Defender for Endpoint
    Enable Microsoft Defender for Endpoint in Intune

    Enable Microsoft Defender for Endpoint in Intune

     

    ūüí° Please Note: If the Connection status at the top of the page is already set to Enabled, the connection to Intune has already been made. In such case, you can select Open the Microsoft Defender for Endpoint admin console to open the Microsoft Defender Security Center. Then use the guidance in the following steps to confirm that the Microsoft Intune connection is set to On.

  7. Select Save preferences. Now go back to the Intune portal. The connection status is still Unavailable.
  8. Click on Refresh. After refreshing, the Connection status is Available and shows the Last synchronized date as below.

    ūüí° Please Note: Once the connection between Microsoft Defender for Endpoint and Microsoft Intune is established, the services are expected to sync with each other¬†at least¬†once every 24 hours. The number of days without sync until the connection is considered unresponsive can be configured in the Microsoft Endpoint Manager admin center.
    Select Endpoint security > Microsoft Defender for Endpoint > Number of days until partner is unresponsive.

  9. Certainly by now, the Microsoft Defender for Endpoint is enabled with Microsoft Intune.From the Intune admin center, you can easily Enable the Endpoint Security Profile settings .You can easily Enable or Disable some of the settings from the above window.
  10. Furthermore, now you need to configure Microsoft Defender for Endpoint to use compliance and app protection policies. For this, go to  Microsoft Defender for Endpoint page in the Microsoft Endpoint Manager admin center.
  11. Configure the following under MDM Compliance Policy Settings for Windows10/11, iOS or Androids:
  • Set¬†Connect Android devices to Microsoft Defender for Endpoint¬†to¬†On.
  • Set¬†Connect iOS devices to Microsoft Defender for Endpoint¬†to¬†On.
  • Set¬†Connect Windows devices to Microsoft Defender for Endpoint¬†to¬†On. Now, the following devices are connected to Microsoft Defender for Endpoint for compliance:
    • Applicable devices that you manage with Intune.
    • Devices you enroll in the future.

12. To use Microsoft Defender for Endpoint with MAM, configure the  App Protection Policy Settings for Android and iOS only:

    • Set¬†Connect Android devices to Microsoft Defender for Endpoint for app protection policy evaluation¬†to¬†On.
    • Set¬†Connect iOS devices to Microsoft Defender for Endpoint for app protection policy evaluation¬†to¬†On.

13. Select Save.

ūüí° Please Note: When you integrate a new application to Intune Mobile Threat Defense and enable the connection to Intune, Intune creates a classic conditional access policy in Microsoft Entra ID (Microsoft Azure).
Nevertheless, with each MTD app is integrated, including Microsoft Defender for Endpoint or any of Microsoft’s MTD partners, a new classic conditional access policy is created. These policies can be ignored; however, they shouldn’t be edited, deleted, or disabled.

If the classic policy is deleted, you must delete the connection to Intune that was responsible for its creation. Once you delete the connection, you must then set it up again. Doing so recreates the classic policy. Migrating classic policies for MTD apps to the new policy type for conditional access isn’t supported.

Classic conditional access policies for MTD apps:

  • Are used by Intune MTD to require that devices are registered in Microsoft Entra ID. With this, it is ensured that they have a device ID before communicating to MTD partners. The ID is required, so that devices can successfully report their status to Intune.
  • Have no effect on any other Cloud apps or resources.
  • Are distinct from conditional access policies you can create to help manage MTD.
  • By default, don’t interact with other conditional access policies you use for evaluation.

Further to view classic conditional access policies in Azure, go to Microsoft Entra ID > Conditional Access > Classic policies.

Hence, I hope that today I have been able to give you a step-wise approach to integrate this strong tool of Microsoft Defender for Endpoint with Microsoft Intune.

Moreover, would you want to go to the other topics and revise? Well, here you goooo!

Also, strongly believe that – ‘The fastest way to learn and retain a skill is, to teach it!‘ . Lastly, we recommend to stay tuned with us to progress on Microsoft Defender for Endpoint Chronicles. This is just the beginning.ūüĆü

Author: Salona Sahni Kapoor aka Intunesiastic
cubic solutions GmbH

ÓāĆ

Blog | Microsoft Security

Cubic Solutions Background Scroller