
CyberSystem

Intune Microsoft Defender for Endpoint Integration: Complete Guide

Learn how to integrate Microsoft Defender for Endpoint with Intune to monitor device risk, enforce compliance, and remediate vulnerabilities using security tasks.

By Ali Alame
Tags: intune, microsoft-defender, defender-for-endpoint, security, threat-protection, compliance, device-risk

Microsoft Defender for Endpoint integration with Intune lets you use device risk signals in compliance policies, monitor device security, and remediate vulnerabilities through security tasks. This guide covers the prerequisites, the connection setup on both sides, risk-based compliance and Conditional Access, security tasks, and the security baselines that keep Defender for Endpoint configured the way it expects.

Understanding Defender for Endpoint Integration

Microsoft Defender for Endpoint integration with Intune feeds Defender's view of each device (its risk score and its vulnerability and configuration findings) into Intune's management workflows. Intune uses the risk score as a condition in compliance policies and app protection policies, and turns Defender's remediation requests into security tasks that Intune admins act on with app deployments and policy changes. Each product stays authoritative for its own domain: Defender for Endpoint detects and scores, Intune enforces and remediates.

Key Benefits

  • Device Risk Monitoring: Use the Defender for Endpoint risk score as a condition in compliance policies
  • Threat Protection: Gate access to corporate resources on device health, not only on enrollment
  • Security Tasks: Remediate vulnerabilities Defender for Endpoint finds, from within Intune
  • Compliance Integration: Enforce the Windows and Defender for Endpoint security baselines and see their status on both sides
  • Automated Remediation: Blocked devices regain access on their own once their risk score drops after remediation

For an overview, see Manage endpoint security in Microsoft Intune.

Prerequisites

Requirements

  1. Licenses: Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Enterprise E5), which together cover Intune and Defender for Endpoint
  2. Intune Environment: An active Intune tenant in the same Microsoft Entra tenant as Defender for Endpoint
  3. Device Requirements:

    • Windows devices that are Microsoft Entra joined (hybrid joined also works) and managed by Intune; Android and iOS/iPadOS devices are covered through app protection policies
    • Devices onboarded to Defender for Endpoint, for example with an Intune endpoint detection and response (EDR) policy or an onboarding package, so a sensor on the device reports to the same Defender tenant
  4. Defender for Endpoint: An active Defender for Endpoint deployment, since risk scores and security tasks originate there

Setting Up Integration

Step 1: Configure Defender for Endpoint

  1. In the Microsoft Defender portal, go to Settings > Endpoints > Advanced features
  2. Turn on Microsoft Intune connection (older documentation describes this as enabling Conditional Access integration) and save your preferences; this creates the service-to-service connection between the two clouds
  3. Reload the page and verify the setting persisted; until it does, the Intune admin center shows no connector

Step 2: Configure Intune

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Endpoint security > Microsoft Defender for Endpoint
  3. Turn on the platform toggles you need: Connect Windows devices to Microsoft Defender for Endpoint for compliance policies, and Connect Android devices / Connect iOS devices for app protection policies; optionally Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations if Defender-managed devices should receive Intune security settings
  4. Save, then confirm Connection status reports a healthy connection with a recent Last synchronized time; if it stays empty, return to the Defender portal setting in Step 1

For details, see Configure Microsoft Defender for Endpoint in Intune.
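The connection status the admin center shows can also be read programmatically, which is useful for a scheduled health check (Best Practice 1 below). This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can read Intune service configuration, and that the Defender for Endpoint connector is exposed by the beta mobileThreatDefenseConnectors resource with the property names used here (the Windows-specific properties are only in beta).

```powershell
# Added example (not from the original post). Reads the Defender for Endpoint
# connector that Intune shows under Endpoint security > Microsoft Defender for
# Endpoint > Connection status. Assumptions: Microsoft.Graph SDK installed, the
# beta endpoint exposes the connector with the properties referenced below.

Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All" -NoWelcome

$uri = "https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors"
$connectors = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

if (-not $connectors) {
    Write-Warning "No threat-defense connector found. Turn on Microsoft Intune connection in the Defender portal (Settings > Endpoints > Advanced features) first."
    return
}

foreach ($c in $connectors) {
    # Heartbeat may be null when the connection has never synchronized.
    $hb = $c.lastHeartbeatDateTime
    $ageHours = if ($hb) {
        [math]::Round(((Get-Date).ToUniversalTime() - ([datetime]$hb).ToUniversalTime()).TotalHours, 1)
    } else { $null }

    [pscustomobject]@{
        ConnectorId        = $c.id
        PartnerState       = $c.partnerState      # healthy values are 'available' or 'enabled' (assumption)
        WindowsEnabled     = $c.windowsEnabled    # 'Connect Windows devices' toggle
        AndroidEnabled     = $c.androidEnabled
        iOSEnabled         = $c.iosEnabled
        LastHeartbeatUtc   = $hb
        HeartbeatAgeHours  = $ageHours
        # Windows devices are marked noncompliant when Defender sends no data for them
        BlockOnMissingData = $c.windowsDeviceBlockedOnMissingPartnerData
    }

    # An unhealthy state or a stale heartbeat means compliance policies are not
    # receiving risk scores; fix the connection before touching policies.
    if ($c.partnerState -notin @('available', 'enabled') -or $null -eq $ageHours -or $ageHours -gt 24) {
        Write-Warning "Connector $($c.id) is not healthy (state=$($c.partnerState), last heartbeat=$hb)."
    }
}
```

Run it from an admin workstation after completing Step 1 and Step 2; a missing connector points at the Defender-side toggle, a present connector with WindowsEnabled false points at the Intune-side toggle, and a stale heartbeat points at the service-to-service link itself.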

Device Risk Monitoring

Using Risk Signals in Compliance

Configure compliance policies to use Defender for Endpoint risk signals:

  1. Create or edit a Windows compliance policy (Endpoint security > Device compliance, platform Windows 10 and later)

  2. Under Microsoft Defender for Endpoint, configure Require the device to be at or under the machine risk score (the setting the Intune documentation also calls Device threat level)

  3. Set the maximum allowed risk level; Defender for Endpoint assigns each device one of:

    • Clear (shown as Secured for mobile platforms): the most secure option; any active threat makes the device noncompliant
    • Low: the device stays compliant only if the threats found on it are low level
    • Medium: the device stays compliant if the threats found are low or medium level
    • High: the least secure option; devices at any risk level remain compliant, which disables the control in practice
  4. Assign the policy to groups

Recommendation: Start with Medium as the maximum. Devices Defender for Endpoint rates High are blocked from corporate resources until the threat is remediated, while Low and Medium scores do not lock users out. Tighten to Low or Clear for high-value groups once you have measured how many devices would be affected, since every device above the threshold loses access the moment the policy is evaluated.

For details, see Monitor device risk as a condition for access.

App Protection Policies

For Android and iOS/iPadOS:

  • Deploy the Microsoft Defender for Endpoint app to the devices; users must sign in to it so the device is onboarded and reports a threat level
  • In the app protection policy, set Conditional launch > Device conditions > Max allowed device threat level
  • Choose the action (Block access or Wipe data) that applies when the device exceeds that level; the app data is protected even on unenrolled devices, since the check runs inside the managed app

For guidance, see Create and assign app protection policy to set device risk level.

Security Tasks

Understanding Security Tasks

Security tasks work as a handoff between the two admin teams:

  1. Defender for Endpoint's vulnerability management identifies a vulnerable app or a weak configuration and the devices it affects
  2. A Defender for Endpoint admin creates a remediation request and chooses to open a ticket in Intune, which creates the security task
  3. Intune admins accept the task, remediate it with an app deployment or a policy change, and update its status
  4. The status is synchronized back to Defender for Endpoint, so the security team sees the request close without leaving their portal

Reviewing Security Tasks

  1. Navigate to Endpoint security > Security tasks
  2. Review the list; each task shows its type (Application or Configuration change), priority, status, and the number of affected devices
  3. Select a task to view details, including the Defender for Endpoint recommendation and remediation guidance
  4. Accept the task, or Reject it with a reason if it will not be actioned; the decision is reported back to Defender for Endpoint
  5. Take action in Intune, for example deploy an updated app version or change the relevant endpoint security policy
  6. Mark the task as complete once the affected devices report the fix

For details, see Review Security tasks from Microsoft Defender for Endpoint.

Remediating Vulnerabilities

  1. Review the security task details, including the affected device count and the remediation Defender for Endpoint recommends (update, uninstall, or a configuration change)
  2. For an Application task, deploy the fixed version or uninstall the app through Intune app management; for a Configuration change task, create or edit the endpoint security or settings catalog policy that enforces the recommended setting
  3. Assign the fix to the affected devices and allow them to sync
  4. Verify the affected device count in the task drops and that Defender for Endpoint's security recommendation no longer lists those devices
  5. Mark the task as complete so the status propagates back to Defender for Endpoint

For guidance, see Use Intune to remediate vulnerabilities identified by Microsoft Defender for Endpoint.
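Teams with more than a handful of open tasks usually want the list in a ticketing queue rather than the admin center blade. This is an added example, not code from the original post: it assumes the Microsoft.Graph PowerShell SDK, a caller with DeviceManagementApps.ReadWrite.All, and that security tasks are exposed by the beta deviceAppManagementTasks resource with the subtype and property names used below (an assumption about the beta API, not something the post states).

```powershell
# Added example (not from the original post). Lists open security tasks handed
# from Defender for Endpoint to Intune, and offers a helper to close one.
# Assumptions: beta resource deviceAppManagement/deviceAppManagementTasks with
# subtypes appVulnerabilityTask / securityConfigurationTask and an updateStatus
# action; permission DeviceManagementApps.ReadWrite.All.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome
$base = "https://graph.microsoft.com/beta/deviceAppManagement/deviceAppManagementTasks"

function Get-OpenSecurityTask {
    $tasks = (Invoke-MgGraphRequest -Method GET -Uri $base).value
    # 'pending' = not yet accepted by an Intune admin; 'active' = accepted, not remediated.
    foreach ($t in ($tasks | Where-Object { $_.status -in @('pending', 'active') } | Sort-Object { $_.priority })) {
        $kind = $t.'@odata.type' -replace '^#microsoft\.graph\.', ''
        $detail = if ($kind -eq 'appVulnerabilityTask') {
            # Application tasks carry the app, version, affected count and the fix Defender asks for.
            "$($t.appName) $($t.appVersion) on $($t.vulnerableDeviceCount) device(s): $($t.remediation)"
        } else {
            # Configuration tasks describe the setting to change.
            $t.description
        }
        [pscustomobject]@{
            Id       = $t.id
            Type     = $kind
            Title    = $t.displayName
            Priority = $t.priority
            Status   = $t.status
            Due      = $t.dueDateTime
            Detail   = $detail
        }
    }
}

function Complete-SecurityTask {
    param([Parameter(Mandatory)][string]$TaskId, [string]$Note = "Remediated via Intune")
    # 'Mark task as complete' from the article; the status flows back to Defender for Endpoint.
    $body = @{ status = "completed"; note = $Note }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$TaskId/updateStatus" -Body $body
}

# Usage: review, then close a task only after verifying the device count dropped.
Get-OpenSecurityTask | Format-Table Id, Type, Priority, Status, Title -AutoSize
# Complete-SecurityTask -TaskId '<id from the list>' -Note 'App updated to fixed version'
```

Keep the completion call manual or behind a verification step: closing a task before the affected device count falls to zero tells the Defender for Endpoint team the vulnerability is gone when it is not.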

Security Baselines

Deploying Security Baselines

  1. Windows Security Baseline: Deploy the Security Baseline for Windows 10 and later, the general OS hardening settings
  2. Defender for Endpoint Baseline: Deploy the Microsoft Defender for Endpoint security baseline, which sets the antivirus, attack surface reduction and sensor settings Defender for Endpoint expects
  3. Monitor Compliance: Track per-setting status in the Intune baseline reports, and on the Defender side in its security recommendations and secure score

Best Practice

Deploy both baselines:

  • Windows baseline first, for the general security posture
  • Defender baseline layered on top, so Defender for Endpoint is configured the way its detections and risk scoring assume

Caveat: the two baselines overlap. Where both configure the same setting, keep the values identical; otherwise Intune reports a conflict for that setting on every device that receives both.

For details, see Deploy security baselines and monitor compliance for these settings.

Compliance Policies

Configuring Compliance

  1. Create a compliance policy for the platform (Windows 10 and later, Android, or iOS/iPadOS)
  2. Add the Device threat level rule (on Windows, Require the device to be at or under the machine risk score)
  3. Set the maximum allowed threat level
  4. Configure actions for noncompliance, for example mark the device noncompliant immediately and send the user a notification
  5. Assign to groups

Conditional Access Integration

  • Create a Conditional Access policy in Microsoft Entra ID that grants access to the targeted apps only when Require device to be marked as compliant is satisfied
  • Devices whose risk score exceeds the compliance policy's threshold become noncompliant and are blocked from those apps
  • When Defender for Endpoint lowers the risk score after remediation, the device returns to compliant on its next evaluation and access resumes without admin action
  • Scope the Conditional Access policy to the same users and platforms as the compliance policy, and exclude a break-glass account so a bad threshold cannot lock out every admin

For details, see Use device compliance policy.
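Both the Using Risk Signals in Compliance section above and the Configuring Compliance steps here describe the same policy; creating it through Microsoft Graph makes the threshold reviewable and reproducible across tenants. This is an added example, not code from the original post. It assumes the Microsoft.Graph PowerShell SDK, a caller with DeviceManagementConfiguration.ReadWrite.All, and a placeholder $GroupId for the Entra group to target; the Graph enum value secured corresponds to Clear in the admin center.

```powershell
# Added example (not from the original post). Creates a Windows compliance
# policy whose only rule is the Defender for Endpoint risk score, sets the
# noncompliance action, and assigns it to a group. Assumptions: Microsoft.Graph
# SDK installed; $GroupId is a placeholder the reader replaces.
param(
    [string]$GroupId = "00000000-0000-0000-0000-000000000000",   # placeholder group object ID
    [ValidateSet("secured", "low", "medium", "high")]
    [string]$MaxRisk = "medium"                                   # the level recommended in the article
)

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome
$base = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"

$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "Windows - Defender risk at or under $MaxRisk"
    description   = "Device threat level from Defender for Endpoint must be $MaxRisk or lower"
    # These two properties are the 'Require the device to be at or under the
    # machine risk score' setting in the admin center.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = $MaxRisk
    # Actions for noncompliance: mark noncompliant immediately (grace period 0),
    # which is the state Conditional Access then acts on.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $policy
Write-Host "Created policy $($created.id)"

# 'Assign to groups' step.
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" -Body $assignment

# Read the policy back to confirm the threshold stuck.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)"
"{0}: threat protection enabled={1}, max level={2}" -f $check.displayName,
    $check.deviceThreatProtectionEnabled, $check.deviceThreatProtectionRequiredSecurityLevel
```

Pilot the policy on a small group before widening the assignment: a device that already sits above the threshold becomes noncompliant on its first evaluation, and if a Conditional Access policy requires compliance, that user is locked out at that moment.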

Best Practices

1. Enable Integration

  • Configure integration on both sides
  • Verify connection status
  • Test integration functionality
  • Monitor integration health

2. Configure Risk Levels

  • Set appropriate risk thresholds
  • Allow medium or lower risk
  • Block high risk devices
  • Review and adjust as needed

3. Use Security Tasks

  • Review tasks regularly
  • Remediate promptly
  • Mark tasks complete
  • Track remediation status

4. Deploy Baselines

  • Deploy Windows baseline first
  • Layer Defender baseline
  • Monitor compliance
  • Update baselines regularly

5. Monitor and Respond

  • Review device risk regularly
  • Address high-risk devices
  • Track remediation progress
  • Adjust policies as needed
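Reviewing device risk regularly is easier when you can see both sides at once: what Defender for Endpoint scores High, and whether Intune has actually marked that device noncompliant. A High-risk device that Intune still reports as compliant is the gap this integration is meant to close. This is an added example, not code from the original post; it assumes an app registration with the Defender for Endpoint API application permission Machine.Read.All and the Graph permission DeviceManagementManagedDevices.Read.All, both admin-consented, with placeholder tenant and client values and the secret read from an environment variable.

```powershell
# Added example (not from the original post). Cross-checks Defender for Endpoint
# High-risk machines against their Intune compliance state using the Entra
# device ID both services record. Assumptions: app registration with
# Machine.Read.All (Defender API) and DeviceManagementManagedDevices.Read.All
# (Graph); $TenantId/$ClientId are placeholders.
param(
    [string]$TenantId     = "contoso.onmicrosoft.com",              # placeholder
    [string]$ClientId     = "00000000-0000-0000-0000-000000000000", # placeholder
    [string]$ClientSecret = $env:MDE_CLIENT_SECRET                  # never hard-code the secret
)

function Get-AppToken([string]$Scope) {
    # Client-credentials flow; one token per resource.
    $body = @{
        client_id = $ClientId; client_secret = $ClientSecret
        scope = $Scope; grant_type = 'client_credentials'
    }
    (Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

$mdeToken   = Get-AppToken 'https://api.securitycenter.microsoft.com/.default'
$graphToken = Get-AppToken 'https://graph.microsoft.com/.default'

# Defender for Endpoint machine inventory, filtered server-side to High risk.
$mdeUri   = "https://api.securitycenter.microsoft.com/api/machines?`$filter=riskScore eq 'High'"
$highRisk = (Invoke-RestMethod -Uri $mdeUri -Headers @{ Authorization = "Bearer $mdeToken" }).value

$report = foreach ($m in $highRisk) {
    $state = 'not in Intune'
    if ($m.aadDeviceId) {
        # Join on the Entra device ID; Intune stores it as azureADDeviceId.
        $gUri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?" +
                "`$filter=azureADDeviceId eq '$($m.aadDeviceId)'&`$select=deviceName,complianceState,lastSyncDateTime"
        $md = (Invoke-RestMethod -Uri $gUri -Headers @{ Authorization = "Bearer $graphToken" }).value | Select-Object -First 1
        if ($md) { $state = $md.complianceState }
    }
    [pscustomobject]@{
        Device      = $m.computerDnsName
        RiskScore   = $m.riskScore
        Exposure    = $m.exposureLevel
        LastSeen    = $m.lastSeen
        IntuneState = $state
        # True when the risk signal is not producing the expected noncompliance.
        Gap         = ($state -eq 'compliant')
    }
}

$report | Sort-Object Gap -Descending | Format-Table -AutoSize
$report | Where-Object Gap | ForEach-Object {
    Write-Warning "$($_.Device) is High risk in Defender but compliant in Intune: check onboarding, the connector, and policy assignment."
}
```

Devices that show as not in Intune are a separate finding: they are onboarded to Defender for Endpoint (a sensor reports for them) but not managed, so no compliance policy can act on them at all.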

Troubleshooting

Common Issues

  1. Integration Not Working

    • Verify licenses are assigned and that Defender for Endpoint and Intune live in the same Microsoft Entra tenant
    • In the Defender portal, confirm Settings > Endpoints > Advanced features > Microsoft Intune connection is on
    • In the Intune admin center, check Endpoint security > Microsoft Defender for Endpoint for the connection status and last-synchronized time, and that the per-platform connect toggles are on
    • Test from both directions: Intune must list the connector, and Defender must offer Open a ticket in Intune when creating a remediation request
  2. Risk Signals Not Available

    • Verify the device is onboarded: the Sense service is running and the device appears in the Defender portal device inventory
    • Confirm the device is Microsoft Entra joined and Intune-managed, and that the Entra device ID shown in Defender matches the Intune record; a mismatch means the score is attributed to a different device object
    • Review the compliance policy: the Defender for Endpoint risk setting is configured and the policy is assigned to a group the device belongs to
    • Check that Connect Windows devices (or the Android/iOS toggle) is on in Intune; without it Intune ignores the score even though the connector exists
  3. Security Tasks Not Appearing

    • Verify the Intune connection is healthy; the Defender portal only offers Open a ticket in Intune when it is
    • Check that the remediation request was created with that option selected, and whether the task was already rejected or completed by another admin
    • Review Intune RBAC: the admin needs a role that includes Security tasks permissions, such as the built-in Endpoint Security Manager role
    • Create a test remediation request for a single known-vulnerable app and confirm it surfaces under Endpoint security > Security tasks
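The Risk Signals Not Available case usually comes down to one question: is the problem on the endpoint (not onboarded, not joined) or in the cloud (connector, policy)? The following added script, not part of the original post, answers the endpoint half from the device itself. It assumes it runs elevated on a Windows device, that the Sense service and the Windows Advanced Threat Protection\Status registry key are the standard Defender for Endpoint onboarding locations, and that dsregcmd is available.

```powershell
# Added example (not from the original post). Run elevated on a Windows device
# that is not receiving a risk score. Assumptions: standard Defender for
# Endpoint onboarding locations (Sense service, the Status registry key),
# Defender Antivirus cmdlets present, dsregcmd available.

function Get-DsRegValue([string[]]$Lines, [string]$Name) {
    # Pull "Name : value" out of dsregcmd /status output; $null when absent.
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

$result = [ordered]@{}

# 1. Sense service: the Defender for Endpoint sensor. Missing or stopped = not onboarded.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$result.SenseService = if ($sense) { "$($sense.Status)" } else { 'NotInstalled' }

# 2. Onboarding state written by the onboarding package; 1 means onboarded.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$result.OnboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState

# 3. Defender Antivirus health; scoring depends on a working engine and fresh signatures.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$result.AMServiceEnabled   = $mp.AMServiceEnabled
$result.RealTimeProtection = $mp.RealTimeProtectionEnabled
$result.SignatureAgeDays   = $mp.AntivirusSignatureAge

# 4. Identity and management binding: Intune only evaluates a device that is
#    Entra joined and MDM enrolled, and it matches Defender's record on DeviceId.
$ds = dsregcmd /status
$result.AzureAdJoined = Get-DsRegValue $ds 'AzureAdJoined'
$result.MdmUrl        = Get-DsRegValue $ds 'MdmUrl'
$result.DeviceId      = Get-DsRegValue $ds 'DeviceId'

[pscustomobject]$result | Format-List

# Diagnosis: point at whichever side is broken.
if ($result.SenseService -ne 'Running' -or $result.OnboardingState -ne 1) {
    Write-Warning 'Not onboarded to Defender for Endpoint: no risk score can exist. Deploy an EDR (onboarding) policy or run the onboarding package.'
} elseif ($result.AzureAdJoined -ne 'YES' -or -not $result.MdmUrl) {
    Write-Warning 'Onboarded, but not Entra joined / MDM enrolled: Intune cannot match the Defender record to a managed device.'
} else {
    Write-Host 'Endpoint side looks healthy. Next, check the Intune connector and the compliance policy assignment, and compare DeviceId above with the Entra device ID the Defender portal shows for this machine.'
}
```

Compare the DeviceId the script prints with the device page in the Defender portal: when a machine was re-imaged or re-joined, Defender can hold a stale record under an old device ID, and the score then lands on an object Intune no longer manages.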


Conclusion

Microsoft Defender for Endpoint integration with Intune provides comprehensive threat protection and device security management. By following these best practices:

✅ Enable integration on both sides
✅ Configure appropriate risk levels
✅ Use security tasks for remediation
✅ Deploy security baselines
✅ Monitor and respond to threats

You can enhance your organization's security posture while maintaining seamless device management and threat response capabilities.

Remember: Defender for Endpoint integration requires proper licensing and configuration on both Intune and Defender for Endpoint. Always verify the integration status and test functionality before relying on it for production security enforcement.