Mobile threat defense capabilities in Microsoft Defender for Business

Microsoft Defender for Business provides advanced threat protection capabilities for devices, such as Windows and Mac clients. Defender for Business capabilities now include mobile threat defense! Mobile threat defense capabilities help protect Android and iOS devices, without requiring you to use Microsoft Intune to onboard mobile devices.

In addition, mobile threat defense capabilities integrate with Microsoft 365 Lighthouse, where Cloud Solution Providers (CSPs) can view information about vulnerable devices and help mitigate detected threats.

What's included in mobile threat defense?

The following table summarizes the capabilities that are included in mobile threat defense in Defender for Business:

| Capability | Android | iOS |
|---|---|---|
| Web Protection: Anti-phishing, blocking unsafe network connections, and support for custom indicators. Web protection is turned on by default with web content filtering. | Included | Included |
| Malware protection (Android-only): Scanning for malicious apps. | Included | No |
| Jailbreak detection (iOS-only): Detection of jailbroken devices. | No | Included |
| Microsoft Defender Vulnerability Management: Vulnerability assessment of onboarded mobile devices. Includes vulnerability assessments for operating systems and apps for Android and iOS. See Use your vulnerability management dashboard in Microsoft Defender for Business. | Included | See note 1 (below) |
| Network Protection: Protection against rogue Wi-Fi related threats and rogue certificates. Network protection is turned on by default with next-generation protection. As part of mobile threat defense, network protection also includes the ability to allow root certification authority and private root certification authority certificates in Intune. It also establishes trust with endpoints. | See note 2 (below) | See note 2 (below) |
| Unified alerting: Alerts from all platforms are listed in the unified Microsoft 365 Defender portal (in the navigation pane, choose Incidents). See View and manage incidents in Microsoft Defender for Business. | Included | Included |
| Conditional Access and conditional launch: Conditional Access and conditional launch block risky devices from accessing corporate resources. Conditional Access policies require certain criteria to be met before a user can access company data on their mobile device. Conditional launch policies enable your security team to block access or wipe devices that don't meet certain criteria. Defender for Business risk signals can also be added to app protection policies. | Requires Intune (see note 3 below) | Requires Intune (see note 3 below) |
| Privacy controls: Configure privacy in threat reports by controlling the data sent by Defender for Business. Privacy controls are available for admin and end users, and for both enrolled and unenrolled devices. | Requires Intune (see note 3 below) | Requires Intune (see note 3 below) |
| Integration with Microsoft Tunnel: Integration with Microsoft Tunnel, a VPN gateway solution for Intune. | Requires Intune VPN Tunnel (see note 4 below) | Requires Intune VPN Tunnel (see note 4 below) |


  1. Intune is required for software/app vulnerabilities to be reported. Operating system vulnerabilities are included by default.

  2. Intune is required to configure or manage an allow list of root certification authority and private root certification authority certificates.

  3. Intune is included in Microsoft 365 Business Premium. Intune can be added on to Defender for Business.

  4. See Prerequisites for the Microsoft Tunnel in Intune.

How to get mobile threat defense capabilities

Mobile threat defense capabilities are now generally available to Defender for Business customers. Here's how to get these capabilities for your organization:

  1. Make sure that Defender for Business has finished provisioning. In the Microsoft 365 Defender portal, go to Assets > Devices.

    • If you see a message that says, "Hang on! We're preparing new spaces for your data and connecting them," it means that Defender for Business hasn't finished provisioning. This process is happening now, and can take up to 24 hours to complete.
    • If you see a list of devices, or you're prompted to onboard devices, it means Defender for Business provisioning has completed.
  2. Review, and if necessary, edit your next-generation protection policies.

  3. Review, and if necessary, edit your firewall policies and custom rules.

  4. Review, and if necessary, edit your web content filtering policy.

  5. To onboard mobile devices, see the "Use the Microsoft Defender app" procedures in Onboard devices to Microsoft Defender for Business.
