Introduction

This post is a summary for Defender for Endpoint security settings management, also known as Unified Settings Management. It will walk through all necessary steps to understand, plan, setup and use the features. Furthermore I will give recommendations for field deployments, tips and more. There are already some good posts on this topic, but I wanted to make my own summary, also as part of a learning process.

 

What is Unified Settings Management?

Defender for Endpoint (MDE) is a cloud-based extended detection and response (XDR) product that lives in the Microsoft cloud ecosystem. Security settings management is a feature part of it.

Intune plays an important role for this feature, since device management is originally reserved to Intune. Device management i.a. means configuration management, which is the process of applying policies that contain settings to configure a system.

Security settings management leverages concepts of Intune to deploy security settings to endpoints/devices, without the need of Intune 😉 That means, settings management from Defender can be used to deploy policies to devices which are only known to Defender for Endpoint. In a nutshell:

  1. Device is only onboarded to Microsoft Defender for Endpoint
  2. In Defender for Endpoint you can configure security configuration policies
  3. Defender for Endpoint can apply those client-side security policies on those systems

 

Management comparison 🧭

It might be helpful to understand the scope of different management scenarios.

Option MDE Settings Management "Classic" Intune onboarding

Configuration management scope

Minimal -> only security policies

Full configuration of every system aspect

Onboarding

With package and installation script

User- / device onboarding

Remote actions

Defender for Endpoint supported ones > security related

Intune > more system and general

Client deployment mechanism

New DM / MMP-C (read more)

Classic MDM + IME

Prerequisites

URL availability (dm.microsoft.com) and MDE configuration

URL endpoints, MDM scope, enrollment settings, policies in Intune

Licensing

Defender for Endpoint license

Intune license (at least plan 1)


Use cases

There are a few scenarios to choose Defender security settings management, such as:

  • ☁️ Secure with cloud-only: Apply policies and manage with fully cloud-based Defender for Endpoint. Onboarded devices have no dependencies.
  • 🪶 Secure non-enrolled endpoints: No full enrollment into Intune or other MDM is needed. Any endpoint can be equipped with this feature, ranging from BYOD up to corporate endpoints that are not (yet) in Intune.
  • 🛂 Securing non-domain endpoints: Devices, particularly servers may be outside of the corporate domain, in a DMZ or similar. Since no other management system is in that zone, you can use security settings management and configure from the cloud.

 

Advantages

The advantages of this feature include:

  • Only Defender for Endpoint onboarding needed, no Intune enrollment
  • Fully cloud-based, no dependency to network or on-premises resources
  • Easy configuration and management
  • Central settings monitoring
  • Cross-platform support

 

Prerequisites

  • Licenses: Defender for Endpoint
  • Roles and RBAC: Security administrator
  • Supported platforms: Windows 10/11, Windows Server, macOS, Linux
  • Connectivity: new network endpoint: *.dm.microsoft.com and ideally also to Intune + Defender network endpoints
  • Join state: No need to join via Entra or hybrid -> synthetic registration read more - Devices that are already joined will be satisfied.

 


Concept

Intune and Defender for Endpoint work together to apply endpoint security policies on MDE onboarded devices. A specialty is in step 2./3.: Devices will get a record in Intune in order to target them with policies. In case it is not yet in Intune or not fully registered in Entra ID, it will automatically generate a so-called synthetic object. This is nothing more than just a representation of that MDE only device in Entra ID.

Synthethic endpoint in Entra

  • See the OS identification of 'Windows Server', which is new
  • See the security settings management value which states it is Defender for Endpoint

MDE managed endpoint in Intune

  • See the managed by value 'MDE'
  • Remote tasks are not possible, however monitoring of policy assignment is possible

 

Supported profiles by platform

⚠️
Intune endpoint security configuration and Defender security settings management don't have feature parity, which means that Defender doesn't support all profile types of security areas (yet). Please check these links for supported profiles: Linux, macOS, Windows 10, Windows 11, and Windows Server

Setup

Enable tenant settings

First, we need to enable the tenant feature of unified security settings management in both Intune and Defender for Endpoint. At this point the fundamental connection should already be established, as I describe in this post:

The bridge from Intune to Defender for Endpoint
Introduction This post is a straightforward tutorial to enable Defender for Endpoint with Intune. These two products live in the Microsoft ecosystem and can be natively integrated. It is a major advantage to connect your endpoint management product (Intune) with your XDR and security product (Defender for Endpoint). To establish

 

Intune

Go to Tenant administration > Connectors and tokens > Microsoft Defender for Endpoint and enable 'Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations'

⚠️
While in Intune, check if you have policies that are assigned to 'All Devices'. Be aware, that those policies will also target MDE settings management onboarded endpoints.

 

Defender for Endpoint

Go to Settings > Endpoints > Enforcement scope > enable 'Use MDE to enforce security configuration settings from Intune' and also enable the platforms you want. Either choose all devices or only tagged devices.

🗒️
To try out the features, I suggest beginning with tagged devices. The endpoints won't get any policies until you create and assign them.

 

Tagging endpoint

If you choose to manually tag endpoints in MDE, you need to add the tag:

MDE-Management

To endpoints, that should be onboarding with settings management into Entra and Intune (showed above).

 

Create policies

In Microsoft Defender, navigate to Configuration management > Endpoint security policies and create a new policy.

Depending on the platform and template you can now configure:

  • Policy name (recommendation: MDE-EndpointSecurity-Type-Policyname)
  • Settings configuration - configure the available settings according to the platform and template
  • Assignments - include/exclude to Entra security groups > create a new one and include the endpoints you want to target

 

💡
Note, that policies displayed in both Intune and Defender with the target 'microsoftSense' are applicable to MDE settings management.

 

Settings configuration

Equipping endpoints with endpoint security policies is the goal. Although not all templates/policy types are supported, you should strive to the best possible protection. Orientate with frameworks and best practices to apply security configuration based upon the platform. To dive more into it, read my blog post on security baselines

For cross-platform security I can recommend the following frameworks:

 

Targeting endpoints

Targeting the endpoints you want to protect with policies works conventionally with including Entra group assignments on policies.

If you want to identify the MDE settings management onboarded devices dynamically check out this rule:

The dynamic membership rule syntax:

(device.managementType -eq "MicrosoftSense")

 

Monitoring

The policy sync interval from the endpoint to the MDE service is 90 minutes. It is also possible to trigger the sync manually as a remote action on the endpoint inventory. Monitor the deployment status and settings application of the policy to the endpoint from both the Intune and Defender portal:

 

💡
Check out the FAQ from Microsoft for more details.

Oceanleaf
Technology blog on Microsoft Cloud. Learn about cutting edge tech, explained simply & straightforward in quality focused blog posts.
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.