This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 65%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hi,
I have a question regarding few things I can't yet understand regarding Defender for Endpoint and Intune.
Naturally, you can use Intune to configure security on devices, like block USB, block installation of certain drivers and so on. This sounds really good.
Is there any reason to use Endpoint Security tab in Endpoint Manager then, if you can carry these tasks through configuration profiles?
I also found out you can connect Defender for Endpoint to Endpoint Manager...so it's another console that can make same tasks as MEM?
What I want to understand here, is how to take care of end user devices security in a best way. I'm guessing, but correct me if I'm wrong here, that Defender console should be a better and more potent way to perform tasks and I should instead of touching security in MEM, perform security tasks and configurations in Defender itself and they will propagate to EUD because there is a connector between these two and I've set up an onboarding to defender also. Are there any best practices to carry this out or common mistakes people make here? Or basically I should try to perform every security task configuration in Defender and just spearate it this way and it will be perfectly fine?
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Heimdallr, Thanks for posting in Q&A.
In general, Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Here is a link with more details:
Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune
That is to say, they are different cloud service provided different functions. To integrate Microsoft Defender for Endpoint with Microsoft Intune, it can help you prevent security breaches and limit the impact of breaches within an organization. You can see more benefits with the integration in the following link:
https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection
The Endpoint security policies are designed to help you focus on the security of your devices and mitigate risk. In fact, the settings found in Endpoint security policies are a subset of the settings that are found in endpoint protection and device restriction profiles in device configuration policy, and which are also managed through various security baselines. If we configure the same setting in different place, it will causes conflict. So to avoid the conflicts, please only choose one place to configure the setting:
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security
Hope the information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.