When you integrate Microsoft Intune with Microsoft Defender for Endpoint, you can use Intune endpoint security policies to manage the Defender security settings on devices that aren't enrolled with Intune. This capability is known asDefender for Endpoint security settings management.

When you manage devices through security settings management:

• You can use theMicrosoft Intune admin center or theMicrosoft 365 Defender portal to manage Intune endpoint security policies for Defender for Endpoint and assign those policies to Microsoft Entra ID groups. The Defender portal includes the user interface for device views, policy management, and reports for security settings management.

  To manage policies from within the Defender portal, seeManage endpoint security policies in Microsoft Defender for Endpoint in the Defender content.

• Devices get their assigned policies based on their Microsoft Entra ID device object. A device that isn't already registered in Microsoft Entra is joined as part of this solution.

• When a device receives a policy, the Defender for Endpoint components on the device enforce the policy and report on the device's status. The device's status is available in the Microsoft Intune admin center and the Microsoft Defender portal.

This scenario extends the Microsoft Intune Endpoint Security surface to devices that aren't capable of enrolling in Intune. When a device is managed by Intune (enrolled to Intune) the device doesn't process policies for Defender for Endpoint security settings management. Instead, use Intune to deploy policy for Defender for Endpoint to your devices.

Applies to:

• Windows
• Windows Server 2012 R2 and later
• Linux
• macOS

Prerequisites

Review the following sections for requirements for the Defender for Endpoint security settings management Scenario.

Environment

When a supported device onboards to Microsoft Defender for Endpoint:

• The device is surveyed for an existing Microsoft Intune presence, which is a mobile device management (MDM) enrollment to Intune.
• Devices without an Intune presence enable the security settings management feature.
• For devices that aren't fully Microsoft Entra registered, a synthetic device identity is created in Microsoft Entra ID that allows the device to retrieve policies. Fully registered devices use their current registration.
• On the device, Microsoft Defender for Endpoint enforces policies that are retrieved from Microsoft Intune.

Government cloud support

The Defender for Endpoint security settings management scenario is supported in the following government tenants:

• US Government Community Cloud (GCC)
• US Government Community High (GCC High)
• Department of Defense (DoD)

For more information, see:

• Intune US Government service description
• Microsoft Defender for Endpoint for US Government customers
• Feature parity with commercial inMicrosoft Defender for Endpoint for US Government customers.

Connectivity requirements

Devices must have access to the following endpoint:

• *.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.

Supported platforms

Policies for Microsoft Defender for Endpoint security management are supported for the following device platforms:

Linux:

WithMicrosoft Defender for Endpoint for Linux agent version101.23052.0009 or later, security settings management is supported across all Linux distributions listed atSupported Linux distributions.

You can find the version of your Defender agents using these methods from within theMicrosoft Defender portal:

• You can investigate a single device by browsing toAssets > Devices > Overview and reviewing theDefender engine version field.

• You can view a summary report and export a full inventory list showing platform versions atReports > Endpoints > Device health > Microsoft Defender Antivirus health.

• You can use the following query inHunting > Advanced hunting and review theSoftwareVersion data:

  DeviceTvmSoftwareInventory| where SoftwareName == "defender_for_linux"

For guidance on updating the agent version, seeDeploy updates for Microsoft Defender for Endpoint on Linux.

Known issues

• With Defender agent version101.23052.0009, Linux devices fail to enroll if the following file path is absent:/sys/class/dmi/id/board_vendor.

• When a Linux device performs synthetic registration, the Device Entra ID (formerly known as Device AAD ID) isn't visible in the Defender portal. This information can be viewed from the Intune or Microsoft Entra portals. Administrators can still manage devices with policies in this manner.

macOS:

WithMicrosoft Defender for Endpoint for macOS agent version101.23052.0004 or later, security settings management is supported on the macOS versions listed in theSystem requirements

You can find the versions of your Defender agents using these methods from within theMicrosoft Defender portal:

• You can investigate a single device by browsing toAssets > Devices > Overview and reviewing theDefender engine version field.

• You can view a summary report and export a full inventory list showing platform versions atReports > Endpoints > Device health > Microsoft Defender Antivirus health.

• You can use the following query inHunting > Advanced hunting and review theSoftwareVersion data:

  DeviceTvmSoftwareInventory| where SoftwareName == "defender_for_mac"

For guidance on updating the agent version, seeDeploy updates for Microsoft Defender for Endpoint on macOS.

Known issues

• When a macOS device performs synthetic registration, the Device Entra ID (formerly known as Device AAD ID) isn't visible in the Defender portal. This information can be viewed from the Intune or Microsoft Entra portals. Administrators can still manage devices with policies in this manner.

Windows:

• Windows 10 Professional/Enterprise (withKB5023773)

  Important

  On October 14, 2025,Windows 10 reached end of support and won't receive quality and feature updates. Windows 10 is anallowed version in Intune. Devices running this version can still enroll in Intune and use eligible features, but functionality won't be guaranteed and can vary.

• Windows 11 Professional/Enterprise (withKB5023778)

• Windows Server 2012 R2 withMicrosoft Defender for Down-Level Devices

• Windows Server 2016 withMicrosoft Defender for Down-Level Devices

• Windows Server 2019 (withKB5025229)

• Windows Server 2019 Core (with theServer Core App Compatibility Feature on Demand installed)

• Windows Server 2022, including Server Core (withKB5025230)

• Windows Server 2025

• Domain controllers. See important information inUse of security settings management on domain controllers (in this article).

Security settings management doesn't work on and isn't supported with the following devices:

• Windows Server Core 2016 and earlier
• Non-persistent desktops, like Virtual Desktop Infrastructure (VDI) clients
• Azure Virtual Desktop (AVD and formerly Windows Virtual Desktop, WVD)
• 32-bit versions of Windows

Licensing and subscriptions

To use security settings management, you need:

• A subscription that grants licenses for Microsoft Defender for Endpoint, like Microsoft 365, or a standalone license for only Microsoft Defender for Endpoint. A subscription that grants Microsoft Defender for Endpoint licenses also grants your tenant access to the Endpoint security node of the Microsoft Intune admin center.

  Note

  Exception: If you have access to Microsoft Defender for Endpointonly through Microsoft Defender for servers (part of Microsoft Defender for Cloud, formerly Azure Security Center), the security settings management functionality isn't available. You must have at least one Microsoft Defender for Endpoint (user) subscription license active.

  The Endpoint security node is where you configure and deploy policies to manage Microsoft Defender for Endpoint for your devices and monitor device status.

  For current information about options, seeMinimum requirements for Microsoft Defender for Endpoint.

Role-based access controls (RBAC)

For guidance on assigning the right level of permissions and rights to administrators who manage Intune endpoint security policies from within the Intune admin center, seeAssign role-based access controls for endpoint security policy.

Architecture

The following diagram is a conceptual representation of the Microsoft Defender for Endpoint security configuration management solution.

1. Devices onboard to Microsoft Defender for Endpoint.
2. Devices communicate with Intune. This communication enables Microsoft Intune to distribute policies that are targeted to the devices when they check in.
3. A registration is established for each device in Microsoft Entra ID:
   • If a device previously was fully registered, like a Hybrid Join device, the existing registration is used.
   • For devices that aren't registered, a synthetic device identity is created in Microsoft Entra ID to enable the device to retrieve policies. When a device with a synthetic registration has a full Microsoft Entra registration created for it, the synthetic registration is removed and the devices management continues on uninterrupted by using the full registration.
4. Defender for Endpoint reports the status of the policy back to Microsoft Intune.

What to expect in the Microsoft Defender portal

You can use the Microsoft Defender for EndpointDevice inventory to confirm a device is using the security settings management capability in Defender for Endpoint, by reviewing the devices status in theManaged by column. TheManaged by information is also available on the devices side-panel or device page.Managed by should consistently indicate that its managed byMDE. 

You can also confirm a device is enrolled insecurity settings management successfully by confirming that the device-side panel or device page displayMDE Enrollment status asSuccess.

If theMDE Enrollment status doesn't displaySuccess, make sure you're looking at a device that was updated and is in scope for security settings management. (You configure the scope on the Enforcement scope page while configuring security settings management.)

What to expect in the Microsoft Intune admin center

In the Microsoft Intune admin center, go to the All Devices page. Devices enrolled with security settings management appear here as in the Defender portal. In the admin center, the devices Managed by field should display MDE.

What to expect in the Microsoft Azure portal

On theAll devices page In the Microsoft Azure portal, you can view device details.

To ensure that all devices enrolled in Defender for Endpoint security settings management receive policies, we recommend creating adynamic Microsoft Entra group based on the devices' OS Type. With a dynamic group, devices that are managed by Defender for Endpoint are automatically added to the group without requiring admins to perform other tasks, like creating a new policy.

Use the following guidance for your Dynamic groups:

• (Recommended) When targeting policy, use dynamic groups based on the device platform by using thedeviceOSType attribute (Windows, Windows Server, macOS, Linux) to ensure policy continues to be delivered for devices that change management types, for example during MDM enrollment.

• If necessary, dynamic groups containing exclusively devices that are managed by Defender for Endpoint can be targeted by defining a dynamic group using themanagementType attributeMicrosoftSense. Use of this attribute targets all devices that are managed by Defender for Endpoint via the security settings management functionality, and devices remain in this group only while managed by Defender for Endpoint.

Also, when configuring security settings management, if you intend to manage entire OS platform fleets using Microsoft Defender for Endpoint, by selectingall devices instead oftagged devices in the Microsoft Defender for Endpoint Enforcement Scope page, understand that any synthetic registrations are counted against Microsoft Entra ID quotas the same as full registrations.

Which solution should I use?

Microsoft Intune includes several methods and policy types to manage the configuration of Defender for Endpoint on devices. The following table identifies the Intune policies and profiles that support deployment to devices managed by Defender for Endpoint security settings management and can help you identify if this solution is right for your needs.

When you deploy an endpoint security policy that's supported for bothDefender for Endpoint security settings management andMicrosoft Intune, a single instance of that policy is processed by:

• Devices supported through security settings management (Microsoft Defender)
• Devices that are managed by either Intune or Configuration Manager.

Profiles for theWindows 10 and later platform aren't supported for devices managed by security settings management.

Following profiles are supported for each device type:

Linux

The following policy types support theLinux platform.

Endpoint security policy	Profile	Defender for Endpoint security settings management	Microsoft Intune
Antivirus	Microsoft Defender Antivirus
Antivirus	Microsoft Defender Antivirus exclusions
Endpoint detection and response	Endpoint detection and response
Endpoint detection and response	Microsoft Defender Global Exclusions (AV+EDR)

macOS

The following policy types support themacOS platform.

Endpoint security policy	Profile	Defender for Endpoint security settings management	Microsoft Intune
Antivirus	Microsoft Defender Antivirus
Antivirus	Microsoft Defender Antivirus exclusions
Endpoint detection and response	Endpoint detection and response

Windows

To support use with Microsoft Defender security settings management, your policies for Windows devices must use theWindows platform. Each profile for theWindows platform can apply to devices that are managed by Intune and to devices that are managed by security settings management.

Endpoint security policy	Profile	Defender for Endpoint security settings management	Microsoft Intune
Antivirus	Defender Update controls
Antivirus	Microsoft Defender Antivirus
Antivirus	Microsoft Defender Antivirus exclusions
Antivirus	Windows Security Experience
Attack Surface Reduction	Attack Surface Reduction Rules
Attack Surface Reduction	Device Control	Note1
Endpoint detection and response	Endpoint detection and response
Firewall	Firewall
Firewall	Firewall Rules

1 - This profile is visible in the Defender portal but isn't supported for devices managed only by Microsoft Defender through the Microsoft Defender security settings management scenario. This profile is supported only for devices managed by Intune.

Each Intune endpoint security profile is a discrete group of settings intended for use by security admins who focus on protecting devices in your organization. The following are descriptions of the profiles that are supported by the security settings management scenario:

• Antivirus policies manage the security configurations found in Microsoft Defender for Endpoint.

  Note

  While endpoints don't require a restart in order to apply modified settings or new policies, there's an issue where theAllowOnAccessProtection andDisableLocalAdminMerge settings might at times require end users to restart their devices for these settings to update. This issue is under investigation in order to provide a resolution.

• Attack surface reduction (ASR) policies focus on minimizing the places where your organization is vulnerable to cyberthreats and attacks. With security settings management, ASR rules apply to devices that runWindows 10,Windows 11, andWindows Server.

  Important

  On October 14, 2025,Windows 10 reached end of support and won't receive quality and feature updates. Windows 10 is anallowed version in Intune. Devices running this version can still enroll in Intune and use eligible features, but functionality won't be guaranteed and can vary.

  For current guidance about which settings apply to the different platforms and versions, seeASR rules supported operating systems in the Windows Threat protection documentation.

  Tip

  To help keep supported endpoints up to date, consider using themodern unified solution for Windows Server 2012 R2 and 2016.

  Also see:

  • Overview of attack surface reduction in the Windows Threat protection documentation.

• Endpoint detection and response (EDR) policies manage the Defender for Endpoint capabilities that provide advanced attack detections that are near real-time and actionable. Based on EDR configurations, security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

• Firewall policies focus on the Defender firewall on your devices.

• Firewall Rules are a type of profile forFirewall policy that is comprised of granular rules for Firewalls, including specific ports, protocols, applications, and networks.

Configure your tenant to support Defender for Endpoint security settings management

To support security settings management through the Microsoft Intune admin center, you must enable communication between them from within each console.

The following sections guide you through that process.

Configure Microsoft Defender for Endpoint

In the Microsoft Defender portal, as a security administrator:

1. Sign in to theMicrosoft Defender portal and go toSettings >Endpoints >Configuration Management >Enforcement Scope and enable the platforms for security settings management.

   

   Note

   If you have theManage security settings in Security Center permission in the Microsoft Defender portal, and are simultaneously enabled to view devices from all Device Groups (norole-based access control limits on your user permissions), you can also perform this action.

2. Initially, we recommend testing the feature for each platform by selecting the platforms option forOn tagged devices, and then tagging the devices with theMDE-Management tag.

   Tip

   Use the proper device tags to test and validate your rollout on a small number of devices.

   When you deploy to theAll devices group, any device that falls into the scope configured will automatically be enrolled.

   While most devices complete enrollment and apply assigned policy within a few minutes, a device can sometimes take up to 24 hours to complete enrollment.

   Important

   As of July 3rd, 2025, dynamic asset rules are supported for defining the devices in the MDE-Management tag in public preview.

3. Configure the feature for Microsoft Defender for Cloud onboarded devices and Configuration Manager authority settings to fit your organization's needs:

   

   Tip

   To ensure your Microsoft Defender portal users have consistent permissions across portals, if not already provided, request that your IT administrator grants them the Microsoft IntuneEndpoint Security Managerbuilt-in RBAC role.

Configure Intune

In the Microsoft Intune admin center, your account needs permissions equal to Endpoint Security Manager built-in Role based access control (RBAC) role.

1. Sign in to theMicrosoft Intune admin center.

2. SelectEndpoint security >Microsoft Defender for Endpoint, and setAllow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations toOn.

   

   When you set this option toOn, all devices in the platform scope for Microsoft Defender for Endpoint that aren't managed by Microsoft Intune qualify to onboard to Microsoft Defender for Endpoint.

Onboard devices to Microsoft Defender for Endpoint

Microsoft Defender for Endpoint supports several options to onboard devices. For current guidance, seeOnboard to Microsoft Defender for Endpoint in the Defender for Endpoint documentation.

Coexistence with Microsoft Configuration Manager

In some environments, it might be desired to use security settings management with devices managed by Configuration Manager. If you use both, you need to control policy through a single channel. Use of more than one channel creates the opportunity for conflicts and undesired results.

To support this, configure theManage Security settings using Configuration Manager toggle toOff. Sign in to theMicrosoft Defender portal and go toSettings >Endpoints >Configuration Management >Enforcement Scope:

Create Microsoft Entra Groups

After devices onboard to Defender for Endpoint, you'll need to create device groups to support deployment of policy for Microsoft Defender for Endpoint. To identify devices that have enrolled with Microsoft Defender for Endpoint but aren't managed by Intune or Configuration Manager:

1. Sign in toMicrosoft Intune admin center.

2. Go toDevices >All devices, and then select the columnManaged by to sort the view of devices.

   Devices that onboard to Microsoft Defender for Endpoint and are registered but aren't managed by Intune displayMicrosoft Defender for Endpoint in theManaged by column. These are the devices that can receive policy for security management for Microsoft Defender for Endpoint.

   Starting on September 25, 2023, devices that use security management for Microsoft Defender for Endpoint can no longer be identified by using the following system labels:

   • MDEJoined - A now deprecated tag that was previously added to devices that were joined to the directory as part of this scenario.
   • MDEManaged - A now deprecated tag that was previously added to devices that actively used the security management scenario. This tag is removed from the device if Defender for Endpoint stops managing the security configuration.

   Instead of using system labels, you can use the management type attribute, and configure it toMicrosoftSense.

You can create groups for these devicesin Microsoft Entra orfrom within the Microsoft Intune admin center. When creating groups, you can use theOS value for a device if you're deploying policies to devices running Windows Server vs devices that run a client version of Windows:

• Windows 10 andWindows 11 - The deviceOSType or OS displays asWindows
• Windows Server - The deviceOSType or OS displays asWindows Server
• Linux Device - The deviceOSType or OS displays asLinux

Sample Intune Dynamic Groups with Rule Syntax

Windows Workstations:

Windows Servers:

Linux Devices:

Deploy policy

After creating one or more Microsoft Entra groups that contain devices managed by Microsoft Defender for Endpoint, you can create and deploy the following policies for security settings management to those groups. The policies and profiles available vary by platform.

For the list of policy and profile combinations supported for security settings management, see the chart inWhich solution should I use, found in this article.

1. Sign in to theMicrosoft Intune admin center.

2. Go toEndpoint security, select the type of policy you want to configure, and then selectCreate Policy.

3. For the policy, select the Platform and the Profile that you want to deploy. For a list of the Platforms and Profiles that support security settings management, see the chart inWhich solution should I use? earlier in this article.

   Note

   The supported profiles apply to devices that communicate through Mobile Device Management (MDM) with Microsoft Intune and devices that communicate using the Microsoft Defender for Endpoint client.

   Ensure you review your targeting and groups as necessary.

4. SelectCreate.

5. On theBasics page, enter a name and description for the profile, then chooseNext.

6. On theConfiguration settings page, select the settings you want to manage with this profile.

   To learn more about a setting, expand itsinformation dialog and select theLearn more link to view the on-line Configuration Service Provider (CSP) documentation or related details, for that setting.

   When you're done configuring settings, selectNext.

7. On theAssignments page, select the Microsoft Entra groups that receive this profile. For more information on assigning profiles, seeAssign user and device profiles.

   SelectNext to continue.

   Tip

   • Assignment filters aren't supported for devices managed by security settings management.
   • OnlyDevice Objects are applicable for Microsoft Defender for Endpoint management. Targeting users is not supported.
   • Policies apply to both Microsoft Intune and Microsoft Defender for Endpoint clients.

8. Complete the policy creation process and then on theReview + create page, selectCreate. The new profile is displayed in the list when you select the policy type for the profile you created.

9. Wait for the policy to be assigned and view a success indication that policy was applied.

10. You can validate that settings were applied locally on the client by using theGet-MpPreference command utility.

Monitor status

Intune:

Status and reports for policies that target devices in this channel are available from the policy node under Endpoint security in the Microsoft Intune admin center.

Drill in to the policy type and then select the policy to view its status. You can view the list of platforms, policy types, and profiles that support security settings management in the table inWhich solution should I use, earlier in this article.

When you select a policy, you can view information about the device check-in status, and can select:

• View report - View a list of devices that received the policy. You can select a device to drill in and see its per-setting status. You can then select a setting to view more information about it, including other policies that manage that same setting, which could be a source of conflict.
• Per setting status - View the settings that are managed by the policy, and a count of success, errors, or conflicts for each setting.

Defender Portal:

You can also monitor the Intune policies that are applied from within theMicrosoft Defender portal. Within the portal, go toEndpoints, expandconfiguration management and selectEndpoint security policies. Select a policy to view its status, and then select:

• Overview - View an overview of the groups the policy is applied to, the policy settings that are applied, and device check-in status.
• Policy Settings Values - View the settings that are configured by the policy.
• Policy settings status - View the settings that are managed by the policy, and a count of success, errors, or conflicts for each setting.
• Applied devices - View the devices to which the policy is applied.
• Assigned Groups - View the groups to which the policy is assigned.

For more information, seeManage endpoint security policies in Microsoft Defender for Endpoint in the Defender content.

Frequently asked questions and considerations

Device check-in frequency

Devices managed by this capability check-in with Microsoft Intune every 90 minutes to update policy.

You can manually sync a device on-demand from theMicrosoft Defender portal. Sign-in to the portal and go toDevices. Select a device that is managed by Microsoft Defender for Endpoint, and then select thePolicy sync button:

The Policy sync button only appears for devices that are successfully managed by Microsoft Defender for Endpoint.

Devices protected by tamper protection

If a device has tamper protection turned on, it isn't possible to edit the values ofTamper-protected settings without disabling Tamper Protection first.

Assignment Filters and security settings management

Assignment filters aren't supported for devices communicating through the Microsoft Defender for Endpoint channel. While assignment filters can be added to a policy that could target these devices, the devices ignore assignment filters. For assignment filter support, the device must be enrolled in to Microsoft Intune.

Deleting and removing devices

You can delete devices that use this flow using one of two methods:

• From within theMicrosoft Intune admin center go toDevices >All devices, select a device that displays eitherMDEJoined orMDEManaged in theManaged by column, and then selectDelete.
• You can also remove devices from the scope of Configuration Management in the Security Center.

Once a device is removed from either location, that change propagates to the other service.

Unable to enable the Security Management for Microsoft Defender for Endpoint workload in Endpoint Security

While an Administrator with permissions in both services can complete initial provisioning flows, the following roles are sufficient to complete configurations in each separate service:

• For Microsoft Defender, use the Security Administrator role.
• For Microsoft Intune, use the Endpoint Security Manager role.

Microsoft Entra joined devices

Devices that are joined to Active Directory use theirexisting infrastructure to complete the Microsoft Entra hybrid join process.

Unsupported security settings

The following security settings are pending deprecation. The Defender for Endpoint security settings management flow doesn't support these settings:

• Expedite telemetry reporting frequency (underEndpoint Detection and Response)

• AllowIntrusionPreventionSystem (underAntivirus)

• AllowLocalPolicyMerge

Use of security settings management on domain controllers

Security settings management is supported on domain controllers. To manage security settings on domain controllers, you must enable it in the enforcement scope page (go toSettings >EndpointsEnforcement scope). Windows Server devices must be enabled before you can enable configuration of domain controllers. Additionally, if theon tagged devices option is selected for Windows Servers, configuration of domain controllers is limited to tagged devices, too.

Microsoft Defender for Endpoint and PowerShell

Some Microsoft Defender for Endpoint client functions use PowerShell. For example, Live Response can execute custom scripts from an approved library. These functions run in an instance of PowerShell executed by the Defender for Endpoint client.  

Troubleshooting device issues is more difficult if administrators are blocked from executing PowerShell. Performance and communications problems can be diagnosed more easily with PowerShell scripts. 

Microsoft Defender for Endpoint security settings management will not work for a device that has PowerShell configured to run inConstrained Language Mode. For more information, seeabout_Language_Modes in the PowerShell documentation.

Managing security through Defender for Endpoint if you were previously using a third-party security tool

If you previously had a third-party security tool on the machine and are now managing it with Defender for Endpoint, you might see some impact on Defender for Endpoint's capability to manage Security settings in rare cases. In such cases, as a troubleshooting measure, uninstall and reinstall the latest version of Defender for Endpoint on your machine.

Related content

• Monitor Defender for Endpoint in Intune

• Manage endpoint security policies in Microsoft Defender for Endpoint in the Defender documentation.