Learn how integrating Microsoft Defender for Endpoint with Microsoft Intune can protect your organization. The integration lets you assess device risk in real time and limit the impact of a compromise: Intune automatically marks risky devices as noncompliant, and Conditional Access then blocks them from corporate resources.
For example, if malware compromises a user's device, Microsoft Defender for Endpoint flags that device as high-risk and Intune can automatically cut off its access to corporate resources.
Tip
Before you begin, ensure your account is assigned an Intune role with sufficient permissions to configure these settings. For example, the Intune built-in role of Endpoint Security Manager has the necessary permissions.
Integration workflow
The following workflow applies to devices enrolled with Intune. For detailed instructions, see Configure Microsoft Defender for Endpoint in Intune:
- Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint.
- Onboard devices with Microsoft Defender for Endpoint using Intune policy.
- Create a device compliance policy to set acceptable risk levels.
- Configure Conditional Access policy to block noncompliant devices.
Extend the integration: Once configured, you can use Threat & Vulnerability Management (TVM) to remediate endpoint weaknesses identified by Defender.
Additional integration options
App protection policies: You can use app protection policies to set device risk levels for both enrolled and unenrolled devices. This provides app-level protection based on Defender threat assessments.
Unenrolled devices: For devices that aren't enrolled, or can't enroll, in Intune, use Intune's security management for Microsoft Defender for Endpoint to manage Defender settings via endpoint security policies without requiring full device enrollment.
Before you begin any of these integration workflows, ensure you have the required licenses and platform configurations.
Prerequisites
Intune requirements
Subscription: Microsoft Intune Plan 1 subscription provides access to Intune and the Microsoft Intune admin center.
For licensing options, see Microsoft Intune licensing.
Supported platforms:
| Platform | Requirements |
|---|---|
| Android | Intune-managed devices |
| iOS/iPadOS | Intune-managed devices |
| Windows | Microsoft Entra ID hybrid joined or Microsoft Entra ID joined |
Microsoft Defender for Endpoint requirements
Subscription: Microsoft Defender for Endpoint subscription provides access to the Microsoft Defender XDR portal.
For licensing and system requirements, see:
- Licensing requirements in Microsoft Defender for Endpoint minimum requirements
- Microsoft 365 E5 trial subscription setup
- Microsoft Defender for Endpoint system requirements
Real-world scenario: Stopping a phishing attack
This example shows how Microsoft Defender for Endpoint and Intune work together to automatically contain threats. In this scenario, the integration is already configured.
How the attack unfolds
- Initial compromise: A user receives an email containing a Word document with embedded malicious code.
- User action: The user opens the attachment and enables macros.
- Privilege escalation: The malware gains elevated privileges on the device.
- Lateral movement: The attacker attempts to access other corporate resources through the compromised device.
How the integration prevents the breach
Detection: Microsoft Defender for Endpoint detects:
- Abnormal code execution
- Process privilege escalation
- Malicious code injection
- Suspicious remote shell activity
Risk assessment: Based on these threat indicators, Microsoft Defender for Endpoint classifies the device as high-risk and creates a detailed report in the Microsoft Defender XDR portal.
Compliance enforcement: Your Intune device compliance policy automatically marks devices with Medium or High risk levels as noncompliant.
Access blocking: Conditional Access policies immediately block the compromised device from accessing corporate resources.
Containment: The threat is contained while security teams investigate and remediate.
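The workflow steps above (compliance policy plus Conditional Access) and the containment sequence in this scenario can be modelled as two policy objects and the decision they jointly produce. The following script is an added example, not code from this page or from Microsoft; it builds the two policies as Python dictionaries and evaluates sample risk levels against them. Assumptions not taken from the page: the property names follow the Microsoft Graph `windows10CompliancePolicy` and `conditionalAccessPolicy` schemas as the author of this example knows them (`deviceThreatProtectionEnabled`, `deviceThreatProtectionRequiredSecurityLevel`, `grantControls.builtInControls`), Graph names the Clear risk level `secured`, and a `scheduledActionsForRule` entry is needed when a compliance policy is created. No request is sent, so no tenant, token or endpoint is involved. Note that to mark Medium and High devices noncompliant, the policy's allowed level is Low, not Medium.

```python
"""Model of the Intune + Defender for Endpoint compliance decision.

Added illustration, not the page's or Microsoft's code. Graph property names
are the author's assumption of the current schema; nothing is sent to Graph.
"""

# Intune's risk ordering, lowest to highest (assumption: matches the portal labels).
RISK_ORDER = ["clear", "low", "medium", "high"]

# Graph enum for "Require the device to be at or under the machine risk score".
# Assumption: Graph calls the Clear level "secured".
GRAPH_RISK_LEVEL = {"clear": "secured", "low": "low", "medium": "medium", "high": "high"}


def build_compliance_policy(display_name: str, max_allowed_risk: str) -> dict:
    """Windows compliance policy flagging devices above max_allowed_risk as noncompliant.

    To mark Medium and High devices noncompliant (as in the scenario), pass "low".
    """
    if max_allowed_risk not in RISK_ORDER:
        raise ValueError(f"unknown risk level: {max_allowed_risk}")
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": display_name,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": GRAPH_RISK_LEVEL[max_allowed_risk],
        # Assumption: Graph requires at least one scheduled action on creation;
        # a "block" action with a zero grace period marks the device noncompliant at once.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": 0,
                "notificationTemplateId": "",
            }],
        }],
    }


def build_conditional_access_policy(display_name: str) -> dict:
    """Conditional Access policy that grants access only to compliant devices."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def is_compliant(device_risk: str, policy: dict) -> bool:
    """Compliant iff the device's risk is at or under the policy's allowed level.

    A device Defender has not assessed (e.g. "unavailable") is treated as
    noncompliant, because Intune cannot show it is under the threshold.
    """
    if not policy.get("deviceThreatProtectionEnabled"):
        return True  # device risk is not part of this policy
    allowed = policy["deviceThreatProtectionRequiredSecurityLevel"]
    graph_to_level = {v: k for k, v in GRAPH_RISK_LEVEL.items()}
    if device_risk not in RISK_ORDER or allowed not in graph_to_level:
        return False
    return RISK_ORDER.index(device_risk) <= RISK_ORDER.index(graph_to_level[allowed])


def access_decision(device_risk: str, compliance_policy: dict, ca_policy: dict) -> str:
    """Combine both policies: returns "block" or "grant"."""
    requires_compliance = (
        ca_policy.get("state") == "enabled"
        and "compliantDevice" in ca_policy["grantControls"]["builtInControls"]
    )
    if requires_compliance and not is_compliant(device_risk, compliance_policy):
        return "block"
    return "grant"


if __name__ == "__main__":
    comp = build_compliance_policy("MDE risk: block Medium and above", "low")
    ca = build_conditional_access_policy("Require compliant device")
    # Scenario from the page: the phishing malware drives the device to High risk.
    for risk in RISK_ORDER + ["unavailable"]:
        print(f"risk={risk:<11} compliant={is_compliant(risk, comp)!s:<5} "
              f"access={access_decision(risk, comp, ca)}")
```

Running the script prints one line per risk level; only Clear and Low devices are granted access, which is the behaviour the compliance-enforcement step describes. Setting the Conditional Access policy's `state` to anything but `enabled` shows the failure mode the workflow guards against: a noncompliant device is still granted access because nothing consumes the compliance verdict.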
Note
You can integrate Microsoft Defender for Endpoint with Microsoft Intune as a Mobile Threat Defense (MTD) solution, meaning Defender acts as the threat detection engine for Intune's compliance decisions.
Platform-specific capabilities
Different platforms offer unique configuration options when integrating with Microsoft Defender for Endpoint:
Android: Use Intune device configuration policies to configure Microsoft Defender for Endpoint web protection settings, including the ability to enable or disable VPN-based scanning.
iOS/iPadOS: Enable vulnerability assessment of apps to allow Defender to analyze app metadata from Intune for enhanced threat detection.
Windows: Benefit from automatic onboarding capabilities and use Microsoft Defender for Endpoint security baselines for comprehensive, prescriptive security configurations.
Next steps
Ready to set this up? Continue to the configuration guide that follows for step-by-step instructions.
Configure the integration
Primary guide: Configure Microsoft Defender for Endpoint in Intune - Complete step-by-step instructions for connecting, onboarding devices, and configuring Conditional Access policies.
Expand your knowledge
Intune resources:
- Use security tasks with Defender for Endpoint's Vulnerability Management to remediate device issues
- Get started with device compliance policies
Microsoft Defender for Endpoint resources: