Defender for endpoint MDE vs MDM rules and policies

Tom Meeus 141 Reputation points
2022-11-02T08:55:08.027+00:00

Hi all,

As the Defender for Endpoint license is included with my M365 Business Premium, I'm looking into this as a possible AV solution.
We use Intune Autopilot and the Configuration profiles and Compliance policies to secure and limit the devices.
This is combined with Conditional Access to push certain security baselines to the device and also the user.

Now we use a device restriction configuration profile in Intune that blocks certain items. Now the "Endpoint security" tab (via the Intune admin center) allows you to create 4 Security Baselines.
Can anyone tell me what will happen to my existing policies if I configure the "Security Baseline for Windows 10 and later" and "Microsoft Defender for Endpoint Baseline"?

  • Will they merge (like a GPO)?
  • Will I get a "conflict" status?
  • From a mgmt point of view, do I prefer Intune to determine this baseline or the Endpoint security?
  • Also, if at a certain point the CxO's want to move to another AV/protection suite, it will be more logical to leave the baselines at Intune, so I don't have to merge them in MDM.
  • Do I need to see Endpoint security as a stand-alone Defender version or does it link up with the other Defender programs?

Thanks in advance


2 answers

  1. Caleb-MSFT 161 Reputation points
    2022-11-03T05:37:32.397+00:00

    @Tom Meeus , Thanks for posting in Q&A.
    For your questions, here are my answers for your reference:
    Q1: What will happen to my existing policies if I configure the "Security Baseline for Windows 10 and later" and "Microsoft Defender for Endpoint Baseline"?
    A1: In general, many of the settings you can configure for devices can be managed by different features in Intune. When you use multiple methods or instances of the same method to configure the same setting, ensure your different methods either agree or aren't deployed to the same devices, otherwise they will conflict. In other words, if you use device configuration, please don't use endpoint security.
    Here is a link with some details for your reference:
    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security#avoid-policy-conflicts

    Q2: From a management perspective, should I prefer Intune to determine this baseline or the Endpoint security?
    A2: In fact, Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints, and endpoint security is just one feature available in Intune. Endpoint security policies are intended to assist you in focusing on the security of your devices while also reducing risk. If you want to deploy such policies in a batch, Intune is a good option.

    Q3: If at a certain point the CxO's want to move to another AV/protection suite, should I leave the baselines at Intune?
    A3: As far as I know, currently the integrated AV is Microsoft Defender. If you want to move to another AV, you can leave it there as not configured.

    Q4: Do I need to see Endpoint security as a standalone defender version, or does it link up with the other Defender programs?
    A4: In fact, the Endpoint security node in Intune is used to configure device security and to manage security tasks for devices when those devices are at risk; it is not a Defender version. You can use endpoint security to do the following:
    • Review the status of all your managed devices.
    • Deploy security baselines that establish best practice security configurations for devices.
    • Manage security configurations on devices through tightly focused policies.
    • Establish device and user requirements through compliance policy.
    • Integrate Intune with your Microsoft Defender for Endpoint team.
    For more information about Endpoint Security, you can refer to this link:
    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security

    Hope the above information can help you.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Pavel yannara Mirochnitchenko 12,381 Reputation points MVP
    2022-11-03T07:50:54.437+00:00

    Short answer - they will not merge and you need to review settings and solve conflicts yourself. I have also seen that the Windows Sec Baseline and Edge sec baseline have overlapping settings as well and they will conflict with each other.

    From Ignite / technical takeoff sessions by Microsoft, I learned that these security baselines will also flow into the Settings Catalog model later on... maybe next year.

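A worked check for the conflict rule both answers describe (the same setting configured by more than one policy instance that reaches the same devices), added here as an example and not code from either answerer or from Microsoft. It runs over a constructed policy inventory: the dictionary shape, group names and setting names are simplified placeholders, not Intune's or Microsoft Graph's schema.

```python
"""Find Intune settings that more than one policy configures for the same
device group, and split them into agreeing overlaps (harmless) and real
conflicts (different values, which Intune reports as a 'Conflict' status)."""
from collections import defaultdict
from itertools import combinations

# Constructed inventory (placeholder names, not real Intune setting IDs):
# each policy records the Intune feature that delivers it, the groups it is
# assigned to, and the settings it configures with their values.
POLICIES = [
    {"name": "Device restrictions - Win10", "source": "Device configuration",
     "groups": {"All Autopilot devices"},
     "settings": {"DefenderRealTimeScan": "enabled", "CameraAllowed": "blocked"}},
    {"name": "Security Baseline for Windows 10 and later", "source": "Security baseline",
     "groups": {"All Autopilot devices"},
     "settings": {"DefenderRealTimeScan": "enabled", "FirewallEnabled": "yes"}},
    {"name": "Microsoft Defender for Endpoint Baseline", "source": "Security baseline",
     "groups": {"All Autopilot devices"},
     "settings": {"DefenderRealTimeScan": "enabled", "CloudBlockLevel": "high"}},
    {"name": "Defender AV - endpoint security", "source": "Endpoint security",
     "groups": {"All Autopilot devices"},
     "settings": {"CloudBlockLevel": "zero_tolerance"}},
    {"name": "Kiosk profile", "source": "Device configuration",
     "groups": {"Kiosk devices"},          # disjoint group: never conflicts above
     "settings": {"CameraAllowed": "allowed"}},
]

def find_overlaps(policies):
    """Return {setting: [(policy name, value), ...]} for every setting that
    two or more policies configure for at least one common group."""
    overlaps = defaultdict(list)
    for a, b in combinations(policies, 2):
        if not (a["groups"] & b["groups"]):
            continue  # different devices: no overlap, so Intune sees no conflict
        for setting in a["settings"].keys() & b["settings"].keys():
            for p in (a, b):
                entry = (p["name"], p["settings"][setting])
                if entry not in overlaps[setting]:
                    overlaps[setting].append(entry)
    return dict(overlaps)

def classify(overlaps):
    """Split overlaps into agreeing (one value everywhere: safe to keep) and
    conflicting (several values: remove one source or align the values)."""
    agree, conflict = {}, {}
    for setting, entries in overlaps.items():
        values = {value for _, value in entries}
        (agree if len(values) == 1 else conflict)[setting] = entries
    return agree, conflict
```

With the constructed data, `DefenderRealTimeScan` is an agreeing overlap across three policies, while `CloudBlockLevel` conflicts between the Defender for Endpoint baseline and the endpoint security AV policy.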