Endpoint Manager and Defender for Endpoint Relationship Simplified

I stumbled upon this so many times, tripped and fell, read things over, tested things again and again, and finally thought to write about it. Without understanding the high-level architecture and how these two services talk to each other, using them in day-to-day tech life can be challenging. Especially if you are coming from a different (non-Microsoft) product, the learning curve can be a bit steeper. Today more and more organizations are starting to look at the Endpoint Manager and Defender for Endpoint capabilities, and it is important to understand the mechanics to achieve the best results.

In essence, you can use this as a cheat sheet or a guide when you need to connect MEM and MDE.

Table of Contents

  1. Why do we need to build this relationship?
  2. Device Onboarding Process into MDE Via MEM
  3. How to Enforce Security Policies into MEM Unenrolled Devices
  4. Security Policies for the MEM Enrolled Devices
  5. Switch on Intune in MDE
  6. MDE Device Group Config
  7. Defender for Endpoint Licensing
  8. Final Words

Why do we need to build this relationship?

Simply put, Defender for Endpoint can’t enforce policies on its own. Some policies, yes, but not everything in the stack. It needs an enforcer, and in this case the enforcer is Endpoint Manager. The relevant security policies are created in Endpoint Manager; once a policy is assigned and the device syncs with Endpoint Manager, the sensor on the device collects the relevant data and sends it back to the Defender portal for further analysis, where it can be actioned according to the policies set in MDE itself or in Endpoint Manager.

At a high level, I want to show the relationship between the two services and the instances where they need to work hand in hand.

Obviously, as you can see above, there’s a lot going on, but my intention is to break it down into readable chunks and explain it one process at a time.

Device Onboarding Process into MDE Via MEM

This is not something new, and it is one way of onboarding Windows devices into Microsoft Defender for Endpoint.

  1. As a part of the service-to-service connection, Endpoint Manager’s (explained in the Switch on Intune in MDE section)
  2. Once the connection is set up, MDE sends the onboarding package to the Intune end
  3. Using Endpoint Manager device configuration profiles, you create the onboarding policy
  4. Once a device group is assigned to the policy, those devices are onboarded into MDE

How to Enforce Security Policies into MEM Unenrolled Devices

Now that you have onboarded the devices into MDE via MEM or by some other means (a local script, GPO or Configuration Manager), the next thing on your agenda is probably to plan and deploy security policies.

There can be computers in your fleet that are onboarded in MDE but not yet enrolled in Endpoint Manager, for various reasons. The good news is that you can still manage some aspects of security.

Your device is onboarded in MDE. MDE and MEM have the connection, so

You have configured the service-to-service connection between MEM and MDE, and this allows MDE to enforce Endpoint Security configurations.

How do you turn this on?

Endpoint Manager > Endpoint Security > Setup > Microsoft Defender for Endpoint

Enabling this setting also allows supported agents to report the status of applied profiles to Microsoft Endpoint Manager, and those agents will appear in device views and reports relevant to Endpoint Security profile management.

You can now use Endpoint Manager’s Endpoint Security setup to configure the policies below.

  • Antivirus Policy
    • AV Profile
    • AV Exclusions profile
  • Firewall Policy
    • Firewall profile
    • Firewall Rules profile
  • Endpoint Detection and Response profile

Now that we’ve seen the Endpoint Manager side of things, let’s move on to the Defender for Endpoint side.

The Defender for Endpoint portal must be told to enforce the above policies on devices as they are onboarded to it.

Security.microsoft.com > Settings > Endpoint > Enforcement Scope

Switch ON the setting Use MDE to enforce security configuration settings from MEM.

Choose which OS platforms to apply the settings on – you can select Windows client devices or Windows server devices, so any device of that type that’s not enrolled in MEM will have its security settings enforced through MDE.

Pilot mode – you can use Pilot mode to test on selected devices that are not enrolled in MEM. Tag those devices with the MDE-Management tag. You can also create a Device Group that captures the tagged devices for further tasks if needed.

Manage security settings using Configuration Manager – Configuration Manager can help to enforce the security settings if a server is in place.

Security Policies for the MEM Enrolled Devices

For the Endpoint Manager enrolled devices, it is the standard way of assigning the policies via Azure AD security groups. As you can see below, the full Endpoint Security stack can be implemented when the devices are enrolled in MEM:

  • Antivirus Policy
    • AV Profile
    • AV Exclusions profile
  • Firewall Policy
    • Firewall profile
    • Firewall Rules profile
  • Endpoint Detection and Response profile
  • Disk Encryption Policy – All profile types
  • Attack surface reduction – All profile types
  • Account Protection – All profile types
  • Device Compliance – All profile types
  • Conditional Access – All profile types
  • Security Baseline – All profile types
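Before planning policies, it helps to know which of the two paths above a given device is actually on. The following PowerShell is an added example, not from the original post or from Microsoft: it reads, without changing anything, the local state behind the three sections above (the sensor onboarding state from the Device Onboarding Process section, the MDM enrollment that marks a MEM enrolled device, and the Security Management enrollment that marks a MEM unenrolled device managed through MDE). The registry paths are the ones Microsoft documents for the sensor (`Windows Advanced Threat Protection\Status`), MDM enrollment (`Enrollments\<GUID>` with `ProviderID` of `MS DM Server`) and Security Management (`SenseCM`); the assumption made here is that only `EnrollmentStatus` 1 means successful Security Management enrollment, and any other code is reported raw for you to look up.

```powershell
# Added example: read-only check of where a Windows device stands in the
# MDE <-> MEM relationship. Run on the device itself in an elevated shell.
# Assumption: SenseCM EnrollmentStatus 1 = enrolled; other codes are shown
# unchanged rather than interpreted.

function Get-MdeManagementState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SenseServiceStatus   = $null
        MdeOnboarded         = $false
        MdeOrgId             = $null
        IntuneMdmEnrolled    = $false
        SenseCmEnrollmentRaw = $null
        MdeSecurityMgmt      = $false
        ManagementPath       = 'None'
    }

    # 1. The sensor service ('Sense'). If it is not running, nothing is
    #    reported back to the Defender portal regardless of policy.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseServiceStatus = $svc.Status.ToString() }

    # 2. Onboarding state written by the onboarding package.
    #    OnboardingState = 1 means the device is onboarded to MDE.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($status -and $status.OnboardingState -eq 1) {
        $result.MdeOnboarded = $true
        $result.MdeOrgId     = $status.OrgId
    }

    # 3. Intune (MEM) MDM enrollment: an Enrollments\<GUID> subkey whose
    #    ProviderID is 'MS DM Server'. This is the "MEM enrolled" path.
    $enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -eq 'MS DM Server') { $result.IntuneMdmEnrolled = $true }
    }

    # 4. Security Management for MDE (the "MEM unenrolled" path). The SenseCM
    #    component records its enrollment result here.
    $senseCm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue
    if ($senseCm) {
        $result.SenseCmEnrollmentRaw = $senseCm.EnrollmentStatus
        if ($senseCm.EnrollmentStatus -eq 1) { $result.MdeSecurityMgmt = $true }
    }

    # 5. Map the findings onto the two policy paths described in the post.
    if (-not $result.MdeOnboarded) {
        $result.ManagementPath = 'Not onboarded to MDE - no Endpoint Security policy will apply'
    }
    elseif ($result.IntuneMdmEnrolled) {
        $result.ManagementPath = 'MEM enrolled - full Endpoint Security stack via Intune'
    }
    elseif ($result.MdeSecurityMgmt) {
        $result.ManagementPath = 'MDE-managed (Security Management) - AV, Firewall and EDR profiles'
    }
    else {
        $result.ManagementPath = 'Onboarded only - check Enforcement Scope and the MDE-Management tag'
    }

    [pscustomobject]$result
}

Get-MdeManagementState | Format-List
```

A device that is onboarded but shows neither MDM enrollment nor a SenseCM status of 1 is exactly the case the Enforcement Scope and Pilot mode settings above are meant to cover; that combination is the one to look for when policies appear assigned in the portal but never land on the machine.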

Switch on Intune in MDE

This step is done as a part of the MDE feature configuration. With this, the data collected in MDE is sent to MEM as well, and MEM enforces the security-related policies that are ultimately powered by MDE. The risk information can also be used in Conditional Access policies.

Log in to security.microsoft.com > Settings > Endpoints > Advanced Settings

MDE Device Group Config

Something you may overlook in Device Group settings: as you can see below, the option Manage endpoint security settings in Microsoft Endpoint Manager needs to be checked if you are planning on providing Endpoint Security permissions for your admins.

Image from MS Docs

Defender for Endpoint Licensing

I would like to direct your attention to this valuable URL from Microsoft, which explains the comparison between Microsoft Defender for Endpoint Plan 1, Plan 2 and Business, from which you can easily identify the policies that can be used.

Plans Comparison

Final Words

The above meme is self-explanatory, I guess. Well, on a serious note, as I mentioned earlier, the connection between MDE and MEM is vital to enforce the security policies at full power. I believe I managed to clear the grey areas and cover the why, the what and the how. Please let me know in the comments if you have any questions and I’m more than happy to answer. Until my next post! Take care!
