Defender Onboarding + Co-Management

Heimdallr 266 Reputation points

Hi All,

I have a question as I am trying to understand how all of this works. Our goal is to distribute the Defender onboarding package and, after devices are onboarded, deliver firewall and BitLocker policies to on-prem devices.

I followed the instructions but nothing happens, so I am wondering where I made a mistake. I am also trying to understand the workflow: does that connect from Defender > ConfigMgr, or does this require Intune in the first place? What we have now:

Tenant-attached ConfigMgr, basically co-management done with the below:

239071-image.png - When I was in doubt whether Defender forwards that from the cloud to ConfigMgr, I moved the Defender policy to the Pilot collection, so I tried it also without it.
238969-image.png + group sync

I think the configuration is done right; can anyone tell me if I even need to leave that policy on the Intune pilot, or should ConfigMgr carry that on? I can't get a grasp of the flow of that whole process, or which logs I should follow to see whether each part of the process is done or not.

Secondly, my issue is that I can't seem to find out why onboarding is not happening. It is just stuck in deployments and not happening, as if MECM would not push it for some reason.
Or perhaps it takes that long and I'm messing with it too much? The goal is to leave as much on the ConfigMgr side as we can, instead of delegating to Intune, and to deploy policies like FW + BitLocker. Policies are already deployed, but it seems nothing will happen without onboarding to Defender.

I've found one helpful blog that showed me that I can actually log in to the machine and, from the Configuration Manager panel locally, force the onboarding to run since it is assigned. It then showed as compliant in the MECM deployment, but BitLocker wasn't triggered at all...

I am getting really confused, as I perceive this as 3 elements (Defender, Intune and MECM) and I can't seem to get a grasp of it to understand the flow and what I might be doing wrong or missing.

Any hint would be great!

Edit: Devices got onboarded and at least FW policies came through. Not sure if the Intune configuration from the screen above helped it? If yes, this says to me that whatever is set in Defender goes through Intune to these devices if ConfigMgr allows it. Going further with this idea, it would mean that in order to switch BL on, I would have to move the Device Configuration bar to pilot Intune... if yes, what won't MECM be able to do? I don't want to suddenly lose the possibility to control the devices.

Edit 2: Apparently, according to Endpoint security, after pushing Device Configuration to the Intune Pilot side, BitLocker is "compliant"; however, absolutely nothing happened, at least according to manage-bde or by simply looking at the drive. I don't see any errors in Event Viewer under the BitLocker-API part. I think this all connects now, and it for sure required Intune to force all of that... however, I can't understand why BL is not triggering.


Accepted answer
  1. Crystal-MSFT 42,956 Reputation points Microsoft Vendor

    @Heimdallr, Thanks for posting in our Q&A. If we onboard Windows devices to Defender for Endpoint via Intune policy, then switching the workload to Intune is necessary.

    When we switch the Endpoint workload, the Configuration Manager policies stay on the device until the Intune policies overwrite them. This behavior makes sure that the device still has protection policies during the transition. For the Device configuration policy, when the workload is switched, we can still deploy settings from Configuration Manager to co-managed devices even though Intune is the device configuration authority. You can see more details in the following link:

    In addition, to validate workloads and determine where policies and apps come from in a co-management scenario, we can check the logs under %WinDir%\CCM\logs\CoManagementHandler.log. Here are some frequently asked questions about workloads in the following link. You can read it to see if it helps.

    For the BitLocker issue, after the Device configuration workload switches to Intune, try to configure the BitLocker policy and sync on the device side. Then check if the BitLocker policy deployment is successful in the Intune portal. If there's any error, try to troubleshoot according to the following link:

    Hope it can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
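Added example (not code from the question, the accepted answer, or Microsoft's own tooling): one PowerShell script that reads, on a single co-managed Windows 10 client, the local state of the three pieces this thread juggles: Defender for Endpoint onboarding, which co-management workloads the ConfigMgr client believes Intune owns, and BitLocker status. The Defender `OnboardingState` registry value and the `Sense` service are documented by Microsoft; the `CoManagementFlags` bit-to-workload mapping and the `Microsoft-Windows-BitLocker/BitLocker Management` event log name are assumptions that should be confirmed against `%WinDir%\CCM\logs\CoManagementHandler.log` and Event Viewer on the same device.

```powershell
# Added example: device-side view of MDE onboarding, co-management workloads and BitLocker.
# Run in an elevated PowerShell session on the co-managed client. Not from the thread.

function Get-MdeOnboardingState {
    # Documented: after onboarding, OnboardingState = 1 under this Status key and the
    # "Sense" (Defender for Endpoint) service is running.
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OnboardingState = if ($status) { $status.OnboardingState } else { $null }
        SenseService    = if ($sense)  { $sense.Status } else { 'NotInstalled' }
        Onboarded       = [bool]($status -and $status.OnboardingState -eq 1 -and $sense -and $sense.Status -eq 'Running')
    }
}

function Get-CoManagementWorkloads {
    # CoManagementFlags is the bitmask the ConfigMgr client receives from the co-management
    # policy. The bit-to-workload mapping below is an ASSUMPTION taken from community
    # write-ups; confirm it against CoManagementHandler.log on the same device.
    $ccm   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue
    $flags = if ($ccm -and $null -ne $ccm.CoManagementFlags) { [int]$ccm.CoManagementFlags } else { 0 }
    $map   = [ordered]@{
        1  = 'Compliance policies'
        2  = 'Resource access policies'
        4  = 'Device configuration'
        8  = 'Windows Update policies'
        16 = 'Endpoint Protection'
        32 = 'Client apps'
        64 = 'Office Click-to-Run apps'
    }
    $workloads = foreach ($bit in $map.Keys) {
        [pscustomobject]@{
            Workload  = $map[$bit]
            Authority = if ($flags -band $bit) { 'Intune' } else { 'ConfigMgr' }
        }
    }
    [pscustomobject]@{ RawFlags = $flags; Workloads = $workloads }
}

function Get-BitLockerState {
    # Same facts manage-bde -status prints, plus TPM readiness (silent BitLocker
    # enablement needs a ready TPM) and the newest BitLocker management events.
    $vol    = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    $events = Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 5 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, LevelDisplayName,
                            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    [pscustomobject]@{
        Drive            = $env:SystemDrive
        VolumeStatus     = if ($vol) { $vol.VolumeStatus } else { $null }
        ProtectionStatus = if ($vol) { $vol.ProtectionStatus } else { $null }
        KeyProtectors    = if ($vol) { ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } else { '' }
        TpmReady         = if ($tpm) { [bool]$tpm.TpmReady } else { $false }
        RecentEvents     = $events
    }
}

$mde = Get-MdeOnboardingState
$com = Get-CoManagementWorkloads
$bl  = Get-BitLockerState

'== Defender for Endpoint ==';                              $mde | Format-List
"== Co-management workloads (raw flags $($com.RawFlags)) =="; $com.Workloads | Format-Table -AutoSize
"== BitLocker on $($bl.Drive) ==";                          $bl | Select-Object VolumeStatus, ProtectionStatus, KeyProtectors, TpmReady | Format-List
$bl.RecentEvents | Format-Table -AutoSize

# Plain-language reading of the three states the thread asks about.
if (-not $mde.Onboarded) {
    'MDE: not onboarded yet; check the onboarding package deployment in ConfigMgr before expecting any policy.'
}
$devcfg = $com.Workloads | Where-Object Workload -eq 'Device configuration'
if ($devcfg.Authority -ne 'Intune') {
    'Device configuration workload is still ConfigMgr on this client; an Intune BitLocker profile is not the authority here.'
}
if ($bl.ProtectionStatus -ne 'On' -and -not $bl.TpmReady) {
    'BitLocker: TPM is not ready, so silent encryption cannot start regardless of which authority sends the policy.'
}
```

Run it before and after an Intune sync (Settings > Accounts > Access work or school > Info > Sync) and after a ConfigMgr machine policy cycle; the `Authority` column should flip to `Intune` for the workloads moved to the pilot slider, and `CoManagementHandler.log` should show the same flags value. If `TpmReady` is `False` or the drive reports `FullyDecrypted` with no key protectors after the policy shows compliant in Intune, the BitLocker management events are the first place to look.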
