Configure tenant attach to support endpoint security policies from Intune
When you use the Configuration Manager tenant attach scenario, you can deploy endpoint security policies from Intune to devices you manage with Configuration Manager. To use this scenario, you must first configure tenant attach for Configuration Manager and enable collections of devices from Configuration Manager for use with Intune. After collections are enabled for use, you use the Microsoft Intune admin center to create and deploy policies.
Requirements to use Intune policy for tenant attach
To support using Intune endpoint security policies with Configuration Manager devices, your Configuration Manager environment requires the following configurations. Configuration guidance is provided in this article:
General requirements for tenant attach
Configure tenant attach - With the tenant attach scenario, you synchronize devices from Configuration Manager to the Microsoft Intune admin center. You can then use the admin center to deploy supported policies to those collections.
Tenant attach is often configured with co-management, but you can configure tenant attach on its own.
Synchronize Configuration Manager devices and collections – After you configure tenant attach, you can select the Configuration Manager devices to synchronize with Microsoft Intune admin center. You can also return later to modify the devices you sync.
After selecting devices to synchronize, you must enable collections for use with endpoint security policies from Intune. Supported policies for Configuration Manager devices can only be assigned to collections you’ve enabled.
Permissions to Azure AD - To complete setup of tenant attach, you’ll need an account that holds the Global Administrator role in the Azure AD tenant behind your Intune subscription. Global Administrator is a directory role, not a permission on an Azure subscription; it's only used during the onboarding wizard, to sign in and consent to the Azure AD application registration that the wizard creates.
Tenant for Microsoft Defender for Endpoint – Your Microsoft Defender for Endpoint tenant must be integrated with your Microsoft Intune tenant (Intune subscription). See Use Microsoft Defender for Endpoint in the Intune documentation.
Configuration Manager version requirements for Intune endpoint security policies
Antivirus
Manage Antivirus settings for Configuration Manager devices, when you use tenant attach.
Policy path:
- Endpoint security > Antivirus > Windows 10, Windows 11, and Windows Server (ConfigMgr)
Profiles:
- Microsoft Defender Antivirus (preview)
- Windows Security experience (preview)
Required version of Configuration Manager:
- Configuration Manager current branch version 2006 or later
Supported Configuration Manager device platforms:
- Windows 8.1 (x86, x64), starting in Configuration Manager version 2010
- Windows 10 and later (x86, x64, ARM64)
- Windows 11 and later (x86, x64, ARM64)
- Windows Server 2012 R2 (x64), starting in Configuration Manager version 2010
- Windows Server 2016 and later (x64)
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows 8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11 devices. Microsoft Intune has built-in security and device features that manage Windows 10/11 client devices.
Endpoint detection and response
Manage Endpoint detection and response policy settings for Configuration Manager devices, when you use tenant attach.
Policy path:
- Endpoint security > Endpoint detection and response > Windows 10, Windows 11, and Windows Server (ConfigMgr)
Profiles:
- Endpoint detection and response (ConfigMgr) (Preview)
Required version of Configuration Manager:
- Configuration Manager current branch version 2002 or later, with in-console update Configuration Manager 2002 Hotfix (KB4563473)
- Configuration Manager technical preview 2003 or later
Supported Configuration Manager device platforms:
- Windows 8.1 (x86, x64), starting in Configuration Manager version 2010
- Windows 10 and later (x86, x64, ARM64)
- Windows 11 and later (x86, x64, ARM64)
- Windows Server 2012 R2 (x64), starting in Configuration Manager version 2010
- Windows Server 2016 and later (x64)
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows 8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then we recommend moving to Windows 10/11 devices. Microsoft Intune has built-in security and device features that manage Windows 10/11 client devices.
Firewall
Support for devices managed by Configuration Manager is in Preview.
Manage Firewall policy settings for Configuration Manager devices, when you use tenant attach.
Policy path:
- Endpoint security > Firewall > Windows 10 and later
Profiles:
- Microsoft Defender Firewall (ConfigMgr) (preview)
Required version of Configuration Manager:
- Configuration Manager current branch version 2006 or later, with in-console update Configuration Manager 2006 Hotfix (KB4578605)
Supported Configuration Manager device platforms:
- Windows 11 and later (x86, x64, ARM64)
- Windows 10 and later (x86, x64, ARM64)
Set up Configuration Manager to support Intune policies
Before you deploy Intune policies to Configuration Manager devices, complete the configurations detailed in the following sections. These configurations onboard your Configuration Manager devices with Microsoft Defender for Endpoint, and enable them to work with the Intune policies.
The following tasks are completed in the Configuration Manager console. If you’re not familiar with Configuration Manager, work with a Configuration Manager admin to complete these tasks.
- Confirm your Configuration Manager environment
- Configure tenant attach and synchronize devices
- Select devices to synchronize
- Enable collections for endpoint security policies
Tip
To learn more about using Microsoft Defender for Endpoint with Configuration Manager, see the following articles in the Configuration Manager content:
Task 1: Confirm your Configuration Manager environment
Intune policies for Configuration Manager devices require different minimum versions of Configuration Manager, depending on when the policy was first released. Review the Configuration Manager version requirements for Intune endpoint security policies found earlier in this article to ensure your environment supports the policies you plan to use. A more recent version of Configuration Manager will support policies that require an earlier version.
When a Configuration Manager hotfix is necessary, you can find the hotfix as an in-console update for Configuration Manager. For more information see Install in-console updates in the Configuration Manager documentation.
After installing necessary updates, return here to continue configuring your environment to support endpoint security policies from the Microsoft Intune admin center.
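The following PowerShell script is an added example, not part of the Intune or Configuration Manager documentation. Run from a machine with the Configuration Manager console installed, it reads the site version with Get-CMSite, looks up the in-console updates with Get-CMSiteUpdate, and reports for each policy type above whether the minimum version and hotfix listed in this article are met. The build numbers for versions 2002, 2006 and 2010, and the value 196612 for the "Installed" update package state, are assumptions taken from the Configuration Manager version and update-state tables; confirm them against your own console before relying on the result.

```powershell
# Added example, not part of the Intune documentation: report whether the site
# this console is connected to meets the minimum version and hotfix listed
# above for each policy type. Assumptions: the Configuration Manager console
# (and so the ConfigurationManager PowerShell module) is installed on this
# machine, the build numbers below are the published builds for current branch
# 2002, 2006 and 2010, and 196612 is the documented "Installed" state for
# SMS_CM_UpdatePackages.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
$siteDrive = Get-PSDrive -PSProvider CMSite | Select-Object -First 1
if (-not $siteDrive) { throw 'No CMSite drive found; run this where the console is installed and you have site access.' }
Set-Location "$($siteDrive.Name):"

# Minimum builds per policy type, taken from the requirements section of this article.
$Requirements = @(
    @{ Policy = 'Antivirus';                       MinBuild = [version]'5.0.9012.1000'; Hotfix = $null }        # 2006
    @{ Policy = 'Endpoint detection and response'; MinBuild = [version]'5.0.8968.1000'; Hotfix = 'KB4563473' } # 2002 + hotfix
    @{ Policy = 'Firewall';                        MinBuild = [version]'5.0.9012.1000'; Hotfix = 'KB4578605' } # 2006 + hotfix
)
$InstalledState = 196612

function Test-CMEndpointSecurityPrereq {
    param([Parameter(Mandatory)][string]$SiteCode)

    $site        = Get-CMSite -SiteCode $SiteCode
    $siteVersion = [version]$site.Version            # e.g. 5.00.9012.1000 for version 2006
    $updates     = Get-CMSiteUpdate -Fast            # in-console updates, including hotfixes

    foreach ($req in $Requirements) {
        $versionOk  = $siteVersion -ge $req.MinBuild
        $hotfixOk   = $true
        $hotfixNote = 'not required'

        if ($req.Hotfix) {
            $hf = $updates | Where-Object { $_.Name -like "*$($req.Hotfix)*" } | Select-Object -First 1
            if ($siteVersion.Build -gt $req.MinBuild.Build) {
                # A later baseline release already includes the fix.
                $hotfixNote = 'included in site version'
            }
            elseif ($hf) {
                $hotfixOk   = ($hf.State -eq $InstalledState)
                $hotfixNote = "$($hf.Name): state $($hf.State)"
            }
            else {
                $hotfixOk   = $false
                $hotfixNote = "$($req.Hotfix) not found in console updates"
            }
        }

        [pscustomobject]@{
            Policy      = $req.Policy
            SiteVersion = $siteVersion
            MinBuild    = $req.MinBuild
            Hotfix      = $hotfixNote
            Supported   = ($versionOk -and $hotfixOk)
        }
    }
}

Test-CMEndpointSecurityPrereq -SiteCode $siteDrive.Name | Format-Table -AutoSize
```

A row with Supported = False tells you which policy type to hold back on until the site is updated; a hotfix row that reads "not found in console updates" usually means the site hasn't yet checked for updates, so run Check for Updates in the console and rerun the script.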
Task 2: Configure tenant attach and synchronize devices
With Tenant attach you specify collections of devices from your Configuration Manager deployment to synchronize with the Microsoft Intune admin center. After collections synchronize, use the admin center to view information about those devices and to deploy endpoint security policy from Intune to them.
For more information about the tenant attach scenario, see Enable tenant attach in the Configuration Manager content.
Enable tenant attach when co-management hasn’t been enabled
Tip
You use the Co-management Configuration Wizard in the Configuration Manager console to enable tenant attach, but you don’t need to enable co-management.
If you plan to enable co-management, be familiar with co-management, its prerequisites, and how to manage workloads before you continue. See What is co-management? in the Configuration Manager documentation.
In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.
In the ribbon, click Configure co-management to open the wizard.
On the Tenant onboarding page, select AzurePublicCloud for your environment. Azure Government cloud isn't supported.
Click Sign In. Use your Global Administrator account to sign in.
Ensure the option Upload to Microsoft Intune admin center is selected on the Tenant onboarding page.
Remove the check from Enable automatic client enrollment for co-management.
When this option is selected, the Wizard presents additional pages to complete the setup of co-management. For more information, see Enable co-management in the Configuration Manager content.
Click Next and then Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync of collections to the Microsoft Intune admin center.
On the Configure upload page, configure which collections of devices you want to sync. You can limit your configuration to device collections or use the recommended device upload setting for All my devices managed by Microsoft Endpoint Configuration Manager.
Tip
You can skip selecting collections now, and later use the information in the following task, Task 3, to configure which collections of devices to synchronize with the Microsoft Intune admin center.
Click Summary to review your selection, then click Next.
When the wizard is complete, click Close.
Tenant attach is now configured, and selected devices sync to Microsoft Intune admin center.
Enable tenant attach when you already use co-management
In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.
Right-click your co-management settings and select Properties.
In the Configure upload tab, select Upload to Microsoft Intune admin center. Click Apply.
The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. You can also choose to limit your configuration to one or few device collections.
Sign in with your Global Administrator account when prompted.
Click Yes to accept the Create AAD Application notification. This action provisions a service principal and creates an Azure AD application registration to facilitate the sync.
Click OK to exit the co-management properties if you're done making changes. Otherwise move to Task 3 to selectively enable device upload to the Microsoft Intune admin center.
Tenant attach is now configured, and selected devices sync to Microsoft Intune admin center.
Task 3: Select devices to synchronize
When tenant attach is configured, you can select devices to sync. If you haven't already synchronized devices or need to reconfigure which ones you do sync, you can edit the properties of co-management in the Configuration Manager console to do so.
Select devices to upload
In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Co-management.
Right-click your co-management settings and select Properties.
In the Configure upload tab, select Upload to Microsoft Intune admin center. Click Apply.
The default setting for device upload is All my devices managed by Microsoft Endpoint Configuration Manager. You can also choose to limit your configuration to one or few device collections.
Task 4: Enable collections for endpoint security policies
After you configure devices to sync to Microsoft Intune admin center, you must enable collections to work with endpoint security policies. When you enable collections of devices to work with endpoint security policies from Intune, you're making the configured collections available to be targeted with endpoint security policies.
Enable collections for use with endpoint security policies
From a Configuration Manager console connected to your top-level site, right-click on a device collection that you synchronize to Microsoft Intune admin center and select Properties.
On the Cloud Sync tab, enable the option to Make this collection available to assign Endpoint security policies from Microsoft Intune admin center.
- You can't select this option if your Configuration Manager hierarchy isn't tenant attached.
- The collections available for this option are limited by the collection scope selected for tenant attach upload.
Select Add, then select the Azure Active Directory group that you want to synchronize the collection membership results to.
Select OK to save the configuration.
Devices in this collection can now onboard with Microsoft Defender for Endpoint, and support use of Intune endpoint security policies.
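The same Cloud Sync setting can be applied from PowerShell when you have many collections to enable. The following script is an added example, not part of the Intune or Configuration Manager documentation. It assumes the site is already tenant attached, that the named collections fall inside the upload scope you chose in Task 3, and that the ConfigurationManager module on your console exposes Set-CMCollectionCloudSync with the -EnableAssignEndpointSecurityPolicy parameter (check with Get-Help Set-CMCollectionCloudSync; the parameter was added in a later console version than the cmdlet itself). The collection names are placeholders for your own.

```powershell
# Added example, not part of the Intune documentation: enable the Cloud Sync
# option that makes collections available for Intune endpoint security
# policies, skipping anything that isn't a device collection.
# Assumptions: the site is tenant attached, the collections are inside the
# tenant attach upload scope, and Set-CMCollectionCloudSync supports
# -EnableAssignEndpointSecurityPolicy on this console version.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
$siteDrive = Get-PSDrive -PSProvider CMSite | Select-Object -First 1
if (-not $siteDrive) { throw 'No CMSite drive found; run this where the console is installed and you have site access.' }
Set-Location "$($siteDrive.Name):"

function Enable-CMCollectionForEndpointSecurity {
    param([Parameter(Mandatory)][string[]]$CollectionName)

    foreach ($name in $CollectionName) {
        $coll = Get-CMCollection -Name $name
        if (-not $coll) {
            Write-Warning "Collection '$name' not found; skipping."
            continue
        }
        # CollectionType 2 = device collection. Endpoint security policies target devices,
        # so a user collection (type 1) is rejected rather than silently enabled.
        if ($coll.CollectionType -ne 2) {
            Write-Warning "'$name' is not a device collection; skipping."
            continue
        }

        # Equivalent of ticking "Make this collection available to assign Endpoint
        # security policies from Microsoft Intune admin center" on the Cloud Sync tab.
        Set-CMCollectionCloudSync -InputObject $coll -EnableAssignEndpointSecurityPolicy $true

        [pscustomobject]@{
            Collection              = $coll.Name
            CollectionId            = $coll.CollectionID
            MemberCount             = $coll.MemberCount
            EndpointSecurityEnabled = $true
        }
    }
}

# Placeholder collection names; replace with the collections you upload to Intune.
Enable-CMCollectionForEndpointSecurity -CollectionName 'MDE - Servers', 'MDE - Workstations' |
    Format-Table -AutoSize
```

If the cmdlet errors with a message about the hierarchy not being tenant attached or the collection being outside the upload scope, that is the same guard the console applies: fix the upload configuration in Task 3 first, then rerun.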
Next steps
Configure Endpoint security policies for Antivirus, Firewall, and Endpoint detection and response.
Learn more about Microsoft Defender for Endpoint.
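After an Endpoint detection and response and an Antivirus policy have deployed to an enabled collection, it's worth confirming on a client that the policy actually took effect rather than trusting the admin center's status alone. The following script is an added example, not part of the Intune or Defender documentation. It runs locally on a Windows 10/11 or Windows Server 2016+ client, reads the Defender for Endpoint onboarding state from the Sense client's documented status registry key, and queries Defender Antivirus with Get-MpComputerStatus and Get-MpPreference. The thresholds in Get-EndpointSecurityFindings (signature age, cloud protection on, tamper protection on) are assumptions to adjust to what your own policy enforces.

```powershell
# Added example, not part of the Intune documentation: run on a tenant-attached
# client after Endpoint detection and response and Antivirus policies have
# deployed, to confirm the device onboarded to Defender for Endpoint and that
# Defender Antivirus is in the state the policy is supposed to enforce.
# Assumptions: Windows 10/11 or Windows Server 2016+ (the Defender module is
# not present on Windows 8.1 / Server 2012 R2), and the thresholds below
# reflect the policy you deployed.

function Test-MdeOnboardingState {
    # The Sense client records its state here; OnboardingState 1 means onboarding completed.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OnboardingState = $status.OnboardingState
        Onboarded       = ($status.OnboardingState -eq 1)
        OrgId           = $status.OrgId        # tenant the device reports to; compare with your MDE tenant
        SenseService    = if ($sense) { [string]$sense.Status } else { 'not installed' }
    }
}

function Test-DefenderAvState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AMServiceEnabled   = $status.AMServiceEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        AMRunningMode      = $status.AMRunningMode   # 'Normal', 'Passive Mode', 'EDR Block Mode', ...
        TamperProtected    = $status.IsTamperProtected
        SignatureAgeDays   = $status.AntivirusSignatureAge
        MAPSReporting      = $pref.MAPSReporting      # 0 = off, 1 = basic, 2 = advanced
        CloudBlockLevel    = $pref.CloudBlockLevel
    }
}

function Get-EndpointSecurityFindings {
    # Returns one line per deviation from the expected state; an empty result means the device looks healthy.
    $findings = @()
    $mde = Test-MdeOnboardingState
    $av  = Test-DefenderAvState

    if (-not $mde.Onboarded)             { $findings += "Not onboarded to Defender for Endpoint (OnboardingState = '$($mde.OnboardingState)')." }
    if ($mde.SenseService -ne 'Running') { $findings += "Sense service is $($mde.SenseService)." }
    if (-not $av.AMServiceEnabled)       { $findings += 'Defender Antivirus service is not enabled.' }
    if (-not $av.RealTimeProtection -and $av.AMRunningMode -eq 'Normal') {
        $findings += 'Real-time protection is off while Defender is the active antivirus.'
    }
    if (-not $av.TamperProtected)        { $findings += 'Tamper protection is off.' }
    if ($av.SignatureAgeDays -gt 3)      { $findings += "Signatures are $($av.SignatureAgeDays) days old." }
    if ($av.MAPSReporting -eq 0)         { $findings += 'Cloud-delivered protection (MAPS) is disabled.' }
    $findings
}

$findings = Get-EndpointSecurityFindings
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'No findings: device is onboarded and Defender Antivirus is in the expected state.'
}
```

An AMRunningMode of "Passive Mode" on a device where you expected Defender to be the active antivirus usually means a third-party product is still registered; the Antivirus policy can't take over until it's removed. A device that shows OnboardingState 1 but a different OrgId from your tenant was onboarded somewhere else first and should be offboarded and re-onboarded.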