🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided MD-102 Domain 4
Domain 4 — Module 3 of 5 60%
25 of 27 overall

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization
Domain 4: Protect Devices Premium ⏱ ~11 min read

Defender for Endpoint: Integrate & Onboard

Microsoft Defender for Endpoint is the enterprise threat protection platform. Learn how to integrate it with Intune and onboard devices for advanced detection, investigation, and response.

What is Defender for Endpoint?

☕ Simple explanation

If antivirus is a security camera, Defender for Endpoint is an entire security operations centre.

A security camera records what happens. A security operations centre (SOC) watches the cameras, spots suspicious behaviour, investigates incidents, and sends the response team. Defender for Endpoint does the same for your devices: it detects threats, investigates what happened, and helps you respond — all from a single dashboard.

When integrated with Intune, they share information: Intune tells Defender which devices are managed, and Defender tells Intune which devices have threats — enabling automatic compliance enforcement.

Microsoft Defender for Endpoint (MDE) is an enterprise endpoint security platform that provides preventative protection, post-breach detection, automated investigation, and response. When integrated with Intune, the two services share device risk information: MDE reports a device’s risk level, and Intune compliance policies can require devices to be at or below a specific risk level — enabling conditional access to block risky devices from corporate resources.

Integrating Intune with Defender for Endpoint

Step 1: Enable the connection

  1. Microsoft Defender portal (security.microsoft.com) → Settings → Endpoints → Advanced features
  2. Enable Microsoft Intune connection → Save
  3. Intune admin center → Endpoint security → Microsoft Defender for Endpoint
  4. Enable Connect to Microsoft Defender for Endpoint → Save

What integration enables

FeatureHow It Works
Device risk score in complianceIntune compliance policies can check MDE’s machine risk level (Clear, Low, Medium, High)
Conditional access enforcementHigh-risk devices automatically blocked from M365 resources
Configuration deliveryMDE security settings can be delivered via Intune
Unified device viewSee MDE alerts alongside Intune management data
Onboarding via IntuneDeploy MDE onboarding package through Intune configuration profiles

Step 2: Create compliance policies using device risk

Once connected, add device risk to compliance policies:

SettingValueEffect
Require the device to be at or under the machine risk scoreMediumDevices with “High” risk are marked non-compliant
Combined with CA policyRequire compliant deviceHigh-risk devices are blocked from Exchange, SharePoint, Teams

Chen Wei at Meridian Bank sets the threshold to “Low” — even medium-risk devices are blocked from banking applications. The bank’s zero-tolerance security stance means any device flagged by Defender loses access instantly.

Onboarding devices

Windows onboarding via Intune

  1. Intune admin center → Endpoint security → Endpoint detection and response → Create policy
  2. Select platform: Windows 10, Windows 11, and Windows Server
  3. Profile: Endpoint detection and response
  4. The onboarding configuration package is delivered via Intune’s config profile mechanism
  5. Assign to device groups

Multi-platform onboarding

PlatformOnboarding Method
WindowsIntune EDR policy (recommended), GPO, ConfigMgr, script
macOSIntune config profile, manual package (.pkg), JAMF
iOS/iPadOSDefender for Endpoint app from App Store + app config
AndroidDefender for Endpoint app from Managed Google Play + app config
LinuxScript-based onboarding, Ansible/Puppet
💡 Exam tip: Defender for Endpoint licences

MDE comes in two plans:

  • Plan 1 — included in Microsoft 365 E3. Core protection: ASR, next-gen AV, device control. No EDR.
  • Plan 2 — included in Microsoft 365 E5. Full protection: everything in P1 + EDR, automated investigation, threat analytics, advanced hunting.

The exam may test: “What licence is needed for endpoint detection and response (EDR)?” → MDE Plan 2 or M365 E5.

For Intune integration (risk-based compliance), you need MDE Plan 2 — Plan 1 doesn’t provide the device risk score used in compliance policies.

ℹ️ Deep dive: onboarding status verification

After onboarding, verify devices are reporting to MDE:

  1. Microsoft Defender portal → Device inventory → check the device appears
  2. Intune admin center → Devices → select device → check “Defender for Endpoint status”
  3. On the device itself: run Get-MpComputerStatus in PowerShell → check AMRunningMode is “Normal”

Common onboarding issues:

  • Device doesn’t appear in Defender portal — wait 24 hours (initial sync can be slow)
  • Onboarding fails — check prerequisites: .NET 4.5+, Windows telemetry enabled, proxy/firewall allows MDE URLs
  • Risk score not showing in Intune — verify the Intune-MDE connection is enabled in both portals

🎬 Video walkthrough

🎬 Video coming soon

Defender for Endpoint: Integrate & Onboard — MD-102 Module 25

Defender for Endpoint: Integrate & Onboard — MD-102 Module 25

~11 min

Flashcards

Question

What does integrating Intune with Defender for Endpoint enable?

Click or press Enter to reveal answer

Answer

Device risk scores in Intune compliance policies, conditional access enforcement based on threat level, onboarding delivery via Intune, and a unified device view combining management + security data.

Click to flip back
Question

How do you onboard Windows devices to Defender for Endpoint via Intune?

Click or press Enter to reveal answer

Answer

Create an Endpoint Detection and Response (EDR) policy in Intune (Endpoint security → EDR), configure the onboarding package, and assign to device groups. The onboarding config is delivered via Intune's management channel.

Click to flip back
Question

What MDE licence is needed for risk-based compliance in Intune?

Click or press Enter to reveal answer

Answer

MDE Plan 2 (included in M365 E5). Plan 1 (included in M365 E3) provides core protection but doesn't include EDR or the device risk score that Intune compliance policies use.

Click to flip back

Knowledge Check

Knowledge Check

Chen Wei integrates Intune with Defender for Endpoint at Meridian Bank. He creates a compliance policy requiring devices to have a risk score of 'Low' or below. A banker's laptop is flagged as 'High' risk by Defender after suspicious PowerShell activity. What happens?
Knowledge Check

Sam needs to onboard macOS devices to Defender for Endpoint. What's the recommended approach?

Next up: Plan and Manage Windows Updates — update rings, feature update policies, and staged rollout strategies.

← Previous

Attack Surface Reduction & Security Baselines

Next →

Plan and Manage Windows Updates

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.