Use MDE to enforce security configuration settings from MEM

Rizwan Assad 321 Reputation points
2022-12-13T03:46:07.053+00:00

Does turning this option on enforce any settings that are already there in Endpoint Manager for all the devices?

And if the "enforcement scope" is set to test the feature on a specific set of devices that are tagged MDE-Management, will all the advanced features that are turned on only affect those devices?

It seems that the security baseline for Defender for Endpoint is already deployed to all the devices via Endpoint Manager, but "Use MDE to enforce security configuration settings from MEM" is turned off, and under Endpoint Manager > Defender for Endpoint setup, "Allow Microsoft Defender for Endpoint to enforce endpoint security configurations" is also turned off.

If we turn on these options now, does that mean that all the devices will be affected, or can we scope the deployment in some way?

Tags: Windows 10 Security, Microsoft Intune, Microsoft Configuration Manager

Accepted answer
  1. Crystal-MSFT 51,896 Reputation points Microsoft Vendor
    2022-12-14T02:29:54.167+00:00

    @Rizwan Assad , Based on my understanding, when we set this option to On, all devices in the platform scope in Microsoft Defender for Endpoint that aren't managed by Microsoft Endpoint Manager will qualify to onboard to Microsoft Defender for Endpoint. This will not enforce any settings that are already there in Endpoint Manager for all the devices.

    We can set "enforcement scope" to use the proper device tags to test. Then the setting like "Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations" will only affect these devices. Enabling this setting allows supported agents to report the status of applied profiles to Microsoft Endpoint Manager, and agents will appear in device views and reports relevant to Endpoint Security profile management. You can check the status via the report to confirm.

    Meanwhile, when you deploy a policy that’s supported for both MDE security configuration and Microsoft Endpoint Manager, a single instance of that policy can be processed by devices that run MDE only and devices that are managed by either Intune or Configuration Manager.

    In addition, to apply the security policy in Intune, we need to assign the policy to the device group. So if there's no policy assigned, it will not be applied either. Here is a link with more details for your reference:
    https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

  1. Andrew Blumhardt 9,871 Reputation points Microsoft Employee
    2022-12-13T13:45:07.41+00:00

    You probably don't need this if all systems are Intune/MEM managed. This feature allows you to proxy several MEM policies through MDE for systems that are not managed by MEM directly. For example, a workgroup system or user's personal device. I believe those systems managed by MEM will remain MEM managed. You can verify in the device inventory under the "Managed By" column. You can scope this using the testing tag option only.
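Both answers describe the same scoping logic in words: only devices in the platform scope that are not already MEM-managed qualify, and an enforcement-scope tag such as MDE-Management narrows that further, while the "Managed By" column tells you which devices stay with Intune/MEM. The following is an added example (not code from either answerer, Microsoft, or the linked documentation) that applies those rules to a constructed device-inventory export so you can preview which devices a pilot would touch before flipping the setting. The CSV column names, the platform labels and the `MEM_MANAGED` values are assumptions for the sake of the example, not the real portal export schema.

```python
import csv
import io

# Constructed sample of a device-inventory export. Column names and
# "Managed by" values are assumed for this example, not the portal's schema.
SAMPLE_INVENTORY = """\
Device name,OS platform,Managed by,Tags
LAPTOP-01,Windows10,Intune,
WKGRP-02,Windows10,MDE,MDE-Management;Finance
WKGRP-03,Windows10,MDE,Finance
SRV-04,Windows Server 2019,MDE,MDE-Management
MAC-05,macOS,Intune,MDE-Management
"""

# "Managed by" values that mean the device already has a MEM/Intune channel
# and therefore keeps it (assumed spellings for this example).
MEM_MANAGED = {"Intune", "ConfigMgr", "MEM"}


def load_inventory(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_tags(field):
    """Split a semicolon-separated tag field into a set of tag names."""
    return {t.strip() for t in field.split(";") if t.strip()}


def enforcement_scope(rows, platforms, test_tag=None):
    """Preview which devices MDE security configuration management would take over.

    rows      -- inventory rows from load_inventory()
    platforms -- the platform scope selected in the Defender settings
    test_tag  -- enforcement-scope tag (e.g. "MDE-Management"); None means all devices

    Returns (in_scope, unchanged) where unchanged maps device name to the
    reason it is left alone.
    """
    in_scope, unchanged = [], {}
    for row in rows:
        name = row["Device name"]
        tags = parse_tags(row["Tags"])
        if row["Managed by"] in MEM_MANAGED:
            # Already MEM-managed: stays MEM-managed, MDE does not take over.
            unchanged[name] = "already MEM-managed; stays MEM-managed"
        elif row["OS platform"] not in platforms:
            unchanged[name] = "platform not in platform scope"
        elif test_tag and test_tag not in tags:
            unchanged[name] = f"missing enforcement-scope tag {test_tag}"
        else:
            in_scope.append(name)
    return in_scope, unchanged


if __name__ == "__main__":
    rows = load_inventory(SAMPLE_INVENTORY)
    scope, rest = enforcement_scope(
        rows, {"Windows10", "Windows Server 2019"}, test_tag="MDE-Management"
    )
    print("Would be MDE-managed:", scope)
    for device, reason in rest.items():
        print(f"Unchanged: {device}: {reason}")
```

Run against a real export, the list under "Would be MDE-managed" is the set of devices a tagged pilot would affect; anything that already shows Intune or Configuration Manager in "Managed By" falls into the unchanged bucket, which matches the point made in both answers that MEM-managed devices keep their existing management channel.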

