This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 75%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
I am confused on which is the best location to manage the security setting for my Intune managed Windows devices. Should I be using the "Endpoint Security" section in the Intune portal or the Microsoft 365 Defender>Endpoints>Configuration Management>Device Configurations.
I have policies in both places and there appears to be conflicts. Is there someone with a blog or site that can break down the differences and when/why I should choose one over the other. Is the Microsoft 365 Defender option just for endpoints not managed by Intune? I don't mind reading through the details, I just can't find anything that explains the context. Any help is appreciated.
It mostly depends on how the devices are managed in general. If the devices are enrolled in Intune then ideally you will want the policy management to be carried out in Intune. For devices that are not enrolled in Intune and managed by MDE can have the policies applied using the new configuration management feature in Defender. FYI MDE managed devices can still have the Defender policies managed using Intune as well if you enable security configuration management scope in Defender and Intune and tag the devices with MDE-management, Example Windows Servers.
@Rahul Jindal [MVP] Thank you. Seems like creating policies in both platforms and creating an exclusion in MDE for Intune managed devices is the way to go. Are there any good guides/resources out there that map settings from Intune Endpoint Security to MDE?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@Chad Miars, Thanks for posting in Q&A. From your description, we understand that you have confusion on using Intune or Microsoft 365 Defender Endpoint portal to manage security settings for Windows Endpoints.
We did some research. For the "Endpoint Security" section to manage security settings for devices enrolled in Intune generally. This is where you'll set up device security policies and settings that are tailored to the devices you're managing with Intune.
For more information about Microsoft Defender for Microsoft Intune, please visit the link below:
The "Configuration Management" section under Microsoft 365 Defender is more focused on security configurations that are tied to threat detection and response, and it might be more relevant for endpoints that are not directly managed by Intune, such as servers or devices that fall outside of your Intune management scope. Here are some security settings you can configure:
For more information about Microsoft Defender for Endpoint, please visit the link below:
Microsoft 365 Defender portal | Microsoft Learn
To determine where we configure the policy, you can check which the device is managed by. If the device is managed by MDE, you can set the policy only in Microsoft Defender for endpoint to avoid conflict.
Hope above can be helpful.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.