Get started: Create and deploy endpoint security policies from the admin center

Applies to: Configuration Manager (current branch)

Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center.

Prerequisites

Supported endpoint security profiles for tenant attached devices

The following profiles are supported for devices you manage with Configuration Manager current branch, through the tenant attach scenario:

  • Platform: Windows 10, Windows 11, and Windows Server (ConfigMgr)

    • Profile: Microsoft Defender Antivirus Policy - Manage Antivirus policy settings for Configuration Manager devices, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
      • Windows Server 2019 and later (x64)
      • Windows Server 2016 (x64)
      • Windows 8.1 (x86, x64)
      • Windows Server 2012 R2 (x64)
    • Profile: Endpoint detection and response (ConfigMgr) - Manage Endpoint detection and response policy settings, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
      • Windows 8.1 (x86, x64)
      • Windows Server 2019 and later (x64)
      • Windows Server 2016 (x64)
      • Windows Server 2012 R2 (x64)
    • Profile: Windows Security experience (preview) - Manage Windows Security app settings for Configuration Manager devices, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
      • Windows Server 2019 and later (x64)

    Important

    To support managing tamper protection, your environment must additionally meet the prerequisites for managing tamper protection with Intune, as detailed in the Windows documentation.

  • Platform: Windows 10 and later

    • Profile: Microsoft Defender Firewall (ConfigMgr) (preview) - Manage firewall policy settings for Configuration Manager devices, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)

      Important

      A supported version of Configuration Manager is required to support firewall policies.

    • Profile: Exploit Protection (ConfigMgr) (preview) - Manage Exploit Protection settings for Configuration Manager devices as part of Attack surface reduction policy, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
    • Profile: Web Protection (ConfigMgr) (preview) - Manage Web Protection settings for Configuration Manager devices as part of Attack surface reduction policy, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
    • Profile: Attack Surface Reduction Rules (ConfigMgr) (preview) - Manage Attack Surface Reduction Rules for Configuration Manager devices as part of Attack surface reduction policy, when you use tenant attach.

      This profile is supported with devices that are tenant attached and run the following platforms:

      • Windows 10 and later (x86, x64, ARM64)
      • Windows Server 2019 and later (x64)
      • Windows Server 2016 (x64)
      • Windows Server 2012 R2 (x64)

      Note

      Attack Surface Reduction rules may not be available on Windows Server 2012 R2 and Windows Server 2016. For more information, refer to the Attack Surface Reduction rules documentation.

Make Configuration Manager collections available to assign Endpoint security policies

When you enable collections of devices to work with endpoint security policies from Intune, you're configuring devices in those collections to onboard with Microsoft Defender for Endpoint.

  1. From a Configuration Manager console connected to your top-level site, right-click on a device collection that you synchronize to Microsoft Endpoint Manager admin center and select Properties.

  2. On the Cloud Sync tab, enable the option to Make this collection available to assign Endpoint security policies from Microsoft Endpoint Manager admin center.

    Configure cloud sync

  3. Select Add and then select the Azure Active Directory group that you would like to synchronize with Collect membership results.

  4. Select OK to save the configuration.

    Devices in this collection can now onboard with Microsoft Defender for Endpoint, and support use of Intune endpoint security policies.
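The same four console steps can be scripted from the Configuration Manager PowerShell module, which is useful when you enable several collections at once or want the change recorded in source control. The script below is an added example, not code from this page or from Microsoft; it assumes the ConfigurationManager module that ships with the console, the Set-CMCollectionCloudSync cmdlet with its -EnableAssignEndpointSecurityPolicy and -AddGroupName parameters, and a connection to the top-level site. The site code, collection name, and Azure Active Directory group name are placeholders. Because enabling this option onboards every device in the collection with Microsoft Defender for Endpoint, the script stops if the collection cannot be found rather than silently targeting nothing.

```powershell
# Added example: PowerShell equivalent of the console steps above.
# Assumptions (verify against Get-Help in your site's module version):
#   - Set-CMCollectionCloudSync exists and accepts
#     -EnableAssignEndpointSecurityPolicy and -AddGroupName
#   - the script runs on a machine with the console installed
param(
    [string]$SiteCode       = 'PS1',                           # placeholder site code
    [string]$CollectionName = 'Tenant Attach - Workstations',  # placeholder collection
    [string]$AadGroupName   = 'SG-MDE-Onboarding'              # placeholder Azure AD group
)

# Load the module shipped with the console and switch to the site drive.
# SMS_ADMIN_UI_PATH ends in \bin\i386; the module manifest sits one level up in \bin.
$modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
Import-Module $modulePath -ErrorAction Stop
Set-Location "$($SiteCode):"

# Step 1: locate the device collection that is synchronized to the admin center.
$collection = Get-CMDeviceCollection -Name $CollectionName
if (-not $collection) {
    throw "Collection '$CollectionName' was not found in site $SiteCode; nothing was changed."
}

# Steps 2-4: make the collection available for endpoint security policy assignment
# and add the Azure AD group whose membership results should be synchronized.
# -WhatIf lets you preview which collection would be affected before committing.
Set-CMCollectionCloudSync -InputObject $collection `
    -EnableAssignEndpointSecurityPolicy $true `
    -AddGroupName $AadGroupName `
    -ErrorAction Stop

Write-Host "Collection '$CollectionName' (ID $($collection.CollectionID)) is now available for endpoint security policies; devices in it can onboard with Microsoft Defender for Endpoint."
```

Run the script once per collection, or wrap the last block in a loop over the collection names you maintain. Keep the collection scoped to the devices you actually intend to onboard, since every member will be onboarded once the option is enabled.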

Next steps