Edit

Get started: Create and deploy endpoint security policies from the admin center

  • Article

Applies to: Configuration Manager (current branch)

The Microsoft Intune family of products is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Intune admin center.

Prerequisites

Supported endpoint security profiles for tenant attached devices

Platform Endpoint security policy Profile Endpoint Protection (Configuration Manager) Endpoint Security (Tenant Attach)
Windows 10, Windows 11, and Windows Server Antivirus Antivirus Supported Supported
Windows 10, Windows 11, and Windows Server Antivirus Antivirus Exclusions Supported Supported
Windows 10, Windows 11, and Windows Server Antivirus Tamper Protection Not Supported Supported
Windows 10, Windows 11, and Windows Server Attack Surface Reduction Attack Surface Reduction Rules Supported Supported
Windows 10, Windows 11 Attack Surface Reduction Application Guard Settings Supported Supported
Windows 10, Windows 11, and Windows Server Attack Surface Reduction Exploit protection Supported Supported
Windows 10, Windows 11, and Windows Server Endpoint detection and response Endpoint detection and response Supported Supported
Windows 10, Windows 11, and Windows Server Firewall Firewall Supported Supported
Windows 10, Windows 11, and Windows Server Firewall Firewall Rules Not Supported Supported

The following profiles are supported for devices you manage with Configuration Manager current branch, through the tenant attach scenario:

  • Platform: Windows 10, Windows 11, and Windows Server (ConfigMgr)

    • Profile: Microsoft Defender Antivirus - Manage Antivirus policy settings for Configuration Manager devices, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
      • Windows Server 2019 and later (x64)
      • Windows Server 2016 (x64)
      • Windows 8.1 (x86, x64)
      • Windows Server 2012 R2 (x64)

    • Profile: Windows Security experience (ConfigMgr) - Manage Windows Security app settings for Configuration Manager devices, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
      • Windows Server 2019 and later (x64)

    Important

    To support managing tamper protection your environment must additionally meet the prerequisites for managing tamper protection with Intune as detailed in the Windows documentation.

    • Profile: Endpoint detection and response (ConfigMgr) - Manage Endpoint detection and response policy settings, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)

      • Windows 8.1 (x84, x64)

      • Windows Server 2019 and later (x64)

      • Windows Server 2016 (x64)

      • Windows Server 2012 R2 (x64)

      • Profile: Attack Surface Reduction Rules (ConfigMgr) - Manage Attack Surface Reduction Rules for Configuration Manager devices as part of Attack surface reduction policy, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
      • Windows Server 2019 and later (x64)
      • Windows Server 2016 (x64)
      • Windows Server 2012 R2 (x64)

      Note

      Attack Surface Reduction rules may not be available on Windows Server 2012 R2 and Windows Server 2016. For more information please refer to Attack Surface Reduction rules documentation.

  • Platform: Windows 10 and later

    • Profile: Microsoft Defender Firewall (ConfigMgr) - Manage firewall policy settings for Configuration Manager devices, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)

      Important

      A supported version of Configuration manager is required to support firewall policies.

    • Profile: Exploit Protection (ConfigMgr) - Manage Exploit Protection settings for Configuration Manager devices as part of Attack surface reduction policy, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)

    • Profile: Web Protection (ConfigMgr) - Manage Web Protection settings for Configuration Manager devices as part of Attack surface reduction policy, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)

Make Configuration Manager collections available to assign Endpoint security policies

When you enable collections of devices to work with endpoint security policies from Intune, you're configuring devices in those collections to onboard with Microsoft Defender for Endpoint.

  1. From a Configuration Manager console connected to your top-level site, right-click on a device collection that you synchronize to Microsoft Intune admin center and select Properties.

  2. On the Cloud Sync tab, enable the option to Make this collection available to assign Endpoint security policies from Microsoft Intune admin center.

    Configure cloud sync

  3. Select Add and then select the Microsoft Entra group that you would like to synchronize with Collect membership results.

  4. Select OK to save the configuration.

    Devices in this collection can now onboard with Microsoft Defender for Endpoint, and support use of Intune endpoint security policies.

Next steps