This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 65%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
HI All,
I got a question as I am trying to understand how does all of this work. Our goal is to distribute defender onboarding package, and after devices will be onboarded, deliver firewall and bitlocker policies to On prem devices.
I follow the instructions but nothing happens so I am wondering where did I make a mistake. I am also trying to understand the workflow - Does that connect from defender>ConfigMgr or this requires intune in first place? what we got now:
Tenant Attached config Mgr, basically Co management done with below:
- When I was in doubt that Defender forwards that from cloud to ConfigMGR, I've moved the defender policy to Pilot collection, so tried also without it.
+ group sync
I think configuration is done right, can anyone tell me if I even need to leave that policy on Intune pilot, or ConfigMgr should carry that on? I can't get the grasp of the flow of that whole process, or logs I should follow to see every part of the process done or not done.
Secondly, my issue is that I can't seem to find out why onboarding is not happening. It is just stuck in deployments and not happening, like MECM would not like to push it for some reason.
Or perhaps it is that long and I'm messing with it too much? The goal is to leave as much on ConfigMgr side as we can, instead of delegating to intune, and to deploy policies like FW + bitlocker. Policies are already deployed but it seems nothing will happen without onboarding to defender.
I've found one helpful blog that showed me that I can actually log in to machine and from configuration manager panel locally, enforce the onboarding to run since it is assigned. It then showed as compliant in MECM deployment, but bitlocker wasn't triggered at all...
I am getting really confused as I perceive this as 3 elements - Defender, Intune and MECM and I can't seem to get grasp over that to understand the flow and what I might be doing wrong or missing
Any hint would be great!
Edit: Devices got onboarded and at least FW policies came through. Not sure if the Intune configuration from screen above helped it? if yes this says to me that whatever is set in defender, goes through Intune to these devices if ConfigMgr allows it. Going further with this idea, it would mean that in order to switch BL on, I would have to move the Device Configuration bar, to pilot Intune....if yes, what MECM won't be able to do? I don't want to suddenly lose possibility to control the devices
Edit 2: Apparently according to endpoint security, after pushing Device Configuration to Intune Pilot side, bitlocker is "compliant" however absolutely nothing happened at least according to Manage-Bde or by simply looking at drive. I don't see any errors in event viewer bitlocker-API part I think this all connects now and it for sure required the Intune to force that all...however I can't understand why BL is not triggering
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Heimdallr , Thanks for posting in our Q&A. If we onboard Windows devices to Defender for Endpoint via Intune policy, then switch the workload to Intune is necessary.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-mdm?view=o365-worldwide
When we switch the Endpoint workload, the Configuration Manager policies stay on the device until the Intune policies overwrite them. This behavior makes sure that the device still has protection policies during the transition. For Device configuration policy, when the workload is switch, we can still deploy settings from Configuration Manager to co-managed devices even though Intune is the device configuration authority. You can see more details in the following link:
https://learn.microsoft.com/en-us/mem/configmgr/comanage/workloads#endpoint-protection
In addition, to validate workloads and determine where policies and apps come from in a co-management scenario, we can check the logs under %WinDir%\CCM\logs\CoManagementHandler.log. Here are some frequently asked questions about workloads in the following link. You can read it to see if it helps.
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-co-management-workloads
For bitlocker issue, after the Device configuration workload switch to Intune, try to configure the bitlocker policy and sync on the device side. Then check if the Bitlocker policy deployment is successful in Intune portal. If there's any error, try to troubleshoot according the following link:
https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-bitlocker-policies-in-microsoft/ba-p/863670
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Wow,
That is an awesome answer thank you so much!
The first link is totally nailing one of my issues, I couldn't find that one before.\
According to it, I've tried to use the on-prem scenario, but I didn't know I need GPO to do anything. When switched to Intune, I started to see some movement but I am stuck without bitlocker now, it simply doesn't apply. Since I understood the logic behind it, confirming my thesis that I can indeed do the defender without Intune (but since I did co management, why wouldn't I just push further), I am going to push this further via Co-Management and try to figure out the bitlocker issue now, thanks a lot!
@Heimdallr , Thanks for the reply. I am glad that our information can help. If there's anything we can help during your later troubleshooting, feel free to post in our Q&A. We are always glad to help.
Thanks for your time and have a nice day!