This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 87%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello,
I am currently investigating the deployment of Microsoft Defender for Endpoint on fully-managed corporate Android devices, deploying with Microsoft Intune. This is just a proof of concept for the business at this stage.
I am discovering various issues which would make this deployment a rubbish end-user experience, and also finding security flaws with the app itself. I 'm struggling to find any solutions to these issues and flaws, this is where I need some help here please.
Here are my rough notes on what steps need manual input on the Android devices when launching the Microsoft Defender app for the first time, obviously we would want this deployment to be completely zero-touch/silent...
I can't imagine any users bothering with all these steps if we were to roll out the app to the business.
If there is no way of getting this app deployment fully zero-touch/silent, then my other idea was an Intune compliance policy that doesn't let you access any company resources at all unless the Defender app is fully running. But I can only find policies that just detect that the app is installed or not.
The security flaws with the app are the following...
Any ideas or opinions please? As it stands Microsoft Defender for Endpoint is no good for us on Android.
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@AmazingPhone6248, Thanks for posting in Q&A.
Based as I know, we can deploy the app via Intune for Android devices. For Android Enterprise enrolled devices, we can configure app configuration policy and device configuration policy. You can configure them and see if we can get a better sign in experience. Here is a link with the detailed steps you can try:
Meanwhile, for compliance policy setting of Android, I find a setting "Require the device to be at or under the machine risk score". it will check the score evaluated by Microsoft Defender for Endpoint. when exceed the score, it will get marked noncompliant. Maybe you can try this setting to see if the setting can work for these devices which are not running Defender.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@AmazingPhone6248, Hope things are going well. I am writing to see if we have the opportunity to try the above suggestion. If there' s anything unclear, feel free to post back to discuss together.
Hi, thanks for the reply, but we've already read Microsoft's documentation about this subject. The links you have provided do not cover the specifics in my post.
@AmazingPhone6248, Thanks for the reply. Maybe you can open case with Microsoft Intune and Microsoft Defender for Endpoint support to get more help.
Unfortunately I cannot open a case directly with Microsoft, as we have a CSP agreement in place. We have to go through them for all support. They have said these issues are outside of scope. Which is why I've had to ask for help on this forum.
@AmazingPhone6248, Thanks for the reply. We can wait to see if anyone has any experience on this can share here to help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 51%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Hi @Crystal-MSFT , I'm having the same issue as reported above. Even when configuring the app configuration policy the app will still prompt the end user to approve and apply the permissions on the phone for the app to function properly.
Please see below the permissions and config applied from Intune.
@AmazingPhone6248 did you manage to find a solution?
Hi, I'm having the same issue as reported above. Even when configuring the app configuration policy the app will still prompt the end user to approve and apply the permissions on the phone for the app to function properly.
Please see below the permissions and config applied from Intune.
@AmazingPhone6248 did you manage to find a solution?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 98%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
I had the same issue last year while first rolloing out our COPE Devices. I also had a MS Ticket open about that Issue and the answer was: "There is no way of silent onboarding a Android Device for MS Defender as you can do on iOS. This is a Android restriction that the User has to do on their own even though it's a managed phone, the User has to give out the permission for it to work by themself. It's not a bug it's intended to do so because you are establishing a always-on VPN and Android needs the End-User permission. The permission from the Admin is invalid at that time."
If there is a proper solution to bypass all the setup steps for MS Defender, please let me know as we also have this in our documentation for the End-User and that's where most of the problems occure.