MS-102 | Chapter 58 of 104 | Objective 3.2

Defender for Endpoint Deployment via Intune

This chapter covers deploying Microsoft Defender for Endpoint (MDE) via Microsoft Intune, a critical skill for securing endpoints in a Microsoft 365 environment. The MS-102 exam tests your ability to configure MDE integration with Intune, deploy policies, and manage sensor onboarding. Approximately 10-15% of exam questions touch on security threat management, with a significant portion focused on endpoint deployment. Mastering this topic ensures you can answer scenario-based questions about policy conflicts, onboarding failures, and reporting.

25 min read
Intermediate
Updated May 31, 2026

Defender for Endpoint as a Bodyguard Service

Imagine a large corporate office building (your network) where employees (devices) come and go. The building has a security team (Defender for Endpoint) that needs to be deployed to every floor. The building manager (Intune) is responsible for onboarding new employees and issuing them badges (policies). When a new employee arrives, the manager assigns a badge with specific access permissions (device compliance policies) and installs a security app (Microsoft Defender for Endpoint sensor) on the employee's phone. The security team then monitors the employee's behavior—where they go, what they do, and who they talk to—looking for suspicious activity (malware, ransomware). If an employee starts acting strangely (e.g., trying to enter a restricted area without permission), the security team immediately alerts the manager and takes action (e.g., escorting the employee out, blocking access). The manager can also update the badge permissions remotely (change policies) or even revoke access entirely (wipe the device) if the employee is compromised. The key is that the security team cannot protect a floor unless the building manager has issued a badge and installed the app—deployment via Intune is the prerequisite for protection.

How It Actually Works

What is Defender for Endpoint Deployment via Intune?

Microsoft Defender for Endpoint (MDE) is an enterprise-grade endpoint security platform that provides preventative protection, post-breach detection, automated investigation, and response. To protect devices, MDE requires a sensor (the Defender for Endpoint agent) to be installed and configured on each endpoint. Intune serves as the mobile device management (MDM) and mobile application management (MAM) provider that can deploy the MDE sensor, configure its settings, and enforce compliance policies.

Why Deploy MDE via Intune?

Deploying MDE via Intune is the preferred method for organizations already using Microsoft Endpoint Manager (MEM) for device management. It offers a unified console for policy management, eliminates the need for separate deployment tools, and enables integration with Conditional Access policies. The exam focuses on this integration because it represents the modern, cloud-native approach to endpoint security.

How It Works Internally

The deployment process involves several layers:

1. Intune Enrollment: Devices must be enrolled in Intune (either as MDM-managed or co-managed with Configuration Manager). Enrollment creates a device identity in Azure AD and establishes a management channel.

2. MDE Integration: The Intune tenant must be connected to the MDE service. This is done in the Microsoft 365 Defender portal under Settings > Endpoints > Advanced Features > Microsoft Intune connection. This connection allows Intune to receive device risk scores from MDE and apply Conditional Access policies.

3. Policy Creation: In Intune, you create device configuration profiles for MDE. The profile type depends on the platform:
   - Windows: Use the 'Microsoft Defender for Endpoint (Windows 10/11)' template. This configures the sensor via a configuration service provider (CSP) called ./Device/Vendor/MSFT/Defender.
   - macOS: Use the 'Microsoft Defender for Endpoint (macOS)' template, which deploys a .plist configuration file.
   - Linux: Use a custom configuration profile with a JSON file.
   - iOS/iPadOS: MDE is deployed as a managed app via Intune App Protection Policies (MAM), not as a device configuration profile.

4. Agent Deployment: Intune pushes the MDE sensor to devices. For Windows, the sensor is part of the OS (Windows 10/11) and is activated via the configuration profile. For macOS, Linux, and mobile devices, Intune deploys the MDE app package.

5. Onboarding: The sensor connects to the MDE cloud service using an onboarding policy that contains a workspace ID and a shared access signature (SAS) token. The onboarding policy is a configuration profile that includes the Onboarding settings (e.g., workspace ID, connection type).

6. Reporting: Once onboarded, devices appear in the Microsoft 365 Defender portal. Intune can pull device risk levels (low, medium, high) from MDE and use them in Conditional Access policies.

Key Components, Values, and Defaults

Onboarding Policy: Contains the WorkspaceID (a GUID) and ConnectionType (e.g., AzureADDevice for Azure AD joined devices). The policy is signed with a certificate to prevent tampering.

MDE Sensor Version: Windows 10/11 includes the sensor built-in. For macOS, the latest version is 101.xx.xx. For Linux, version 101.xx.xx.

Default Settings: By default, MDE runs in passive mode if the device is managed by another antivirus solution (e.g., third-party). Active mode requires real-time protection to be enabled.

Timers: The sensor checks in with the cloud every 5 minutes. If a device does not check in for 30 days, it is considered inactive.

Reporting Interval: Risk level updates are sent to Intune every 5 minutes (configurable).

Configuration and Verification Commands

To verify MDE sensor status on a Windows device, use PowerShell:

Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceEnabled, AntispywareEnabled, AntivirusEnabled

To check onboarding status, read the sensor's status key in the registry (Get-MpComputerStatus reports antivirus state only and does not expose the onboarding properties):

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' | Select-Object OnboardingState, OrgId

The OnboardingState value of 1 means onboarded, 0 means not onboarded. OrgId should match the workspace ID.

On macOS, use terminal:

mdatp health
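As an added example (not part of the chapter, and not a Microsoft-provided script), the following PowerShell function combines the Windows checks above into one report for a single device: the sensor's OnboardingState and OrgId from its status registry key, the state of the Sense service (the Windows Defender Advanced Threat Protection Service), and the antivirus running mode from Get-MpComputerStatus, which distinguishes active from passive mode as described under Default Settings. $ExpectedOrgId is a placeholder; supply your tenant's workspace ID. Run it in an elevated session on the device.

```powershell
# Added example: one-shot health check for the MDE sensor on a Windows device.
# Requires an elevated PowerShell session on the device being checked.

function Test-MdeSensorHealth {
    [CmdletBinding()]
    param(
        # Placeholder: the org/workspace ID from your onboarding package.
        # Left as '<...>' the OrgId comparison is skipped.
        [string]$ExpectedOrgId = '<your-workspace-id-GUID>'
    )

    # The sensor records its onboarding result under this status key.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # The EDR sensor runs as the 'Sense' service.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Antivirus side of the platform (engine version, running mode, real-time protection).
    $mp = Get-MpComputerStatus

    $onboarded = [bool]($status -and $status.OnboardingState -eq 1)

    # Only compare OrgId when a real expected value was supplied.
    $orgMatches = $null
    if ($ExpectedOrgId -notlike '<*>') { $orgMatches = ($status.OrgId -eq $ExpectedOrgId) }

    $onboardingState = 'missing'
    if ($status) { $onboardingState = $status.OnboardingState }

    $senseStatus = 'not found'
    if ($sense) { $senseStatus = $sense.Status.ToString() }

    # Collect the conditions a practitioner would act on.
    $problems = @()
    if (-not $onboarded) {
        $problems += 'Not onboarded: check Intune policy assignment, the onboarding blob, and network reachability to the MDE cloud.'
    }
    if ($onboarded -and $orgMatches -eq $false) {
        $problems += 'OrgId does not match the expected workspace: the onboarding blob belongs to another tenant.'
    }
    if ($sense -and $sense.Status -ne 'Running') {
        $problems += "Sense service is '$senseStatus', expected 'Running'."
    }
    # 'Normal' is active mode; 'Passive Mode' / 'SxS Passive Mode' mean another AV owns real-time protection.
    if ($mp.AMRunningMode -ne 'Normal') {
        $problems += "Defender AV is in '$($mp.AMRunningMode)'; real-time protection is handled by another product."
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OnboardingState    = $onboardingState
        OrgId              = $status.OrgId
        OrgIdMatchesTenant = $orgMatches
        SenseService       = $senseStatus
        AMRunningMode      = $mp.AMRunningMode
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        AMProductVersion   = $mp.AMProductVersion
        Problems           = $problems
    }
}

Test-MdeSensorHealth | Format-List
```

An empty Problems list with OnboardingState 1 and AMRunningMode 'Normal' is the healthy case; a device that Intune reports as "succeeded" but that shows OnboardingState 0 here is the blob-or-network scenario the chapter describes under Common Pitfalls.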

Interaction with Related Technologies

Conditional Access: Intune can use MDE risk level as a condition. For example, block access to Exchange Online if device risk is medium or high.

Microsoft Defender for Cloud Apps: MDE signals can be used for app control and session policies.

Microsoft 365 Defender: MDE feeds alerts into the unified incident queue.

Configuration Manager: Co-managed devices can have MDE policies managed by Intune (workload slider for Endpoint Protection).

Common Pitfalls

Policy Conflicts: If both Intune and Configuration Manager deploy MDE policies, conflicts can occur. The exam tests that you know to use the workload slider to move the Endpoint Protection workload to Intune.

Onboarding Failure: Incorrect workspace ID or expired SAS token causes onboarding failure. The token is valid for 1 year by default.

Troubleshooting: Use DeviceHealthStatus in Microsoft 365 Defender portal to see onboarded vs. non-onboarded devices. Use Intune reports to see policy assignment failures.

Walk-Through

1. Connect Intune to MDE

In the Microsoft 365 Defender portal, navigate to Settings > Endpoints > Advanced Features > Microsoft Intune connection. Toggle the connection to On. This establishes a service-to-service trust between Intune and MDE. Without this step, Intune cannot receive device risk scores or deploy MDE policies. The connection uses OAuth 2.0 for authentication. You must have Global Administrator or Security Administrator role to enable this.

2. Create MDE Onboarding Policy

In Intune, go to Endpoint security > Endpoint detection and response > Create policy. Select platform (Windows 10/11, macOS, Linux). For Windows, use the 'Microsoft Defender for Endpoint (Windows 10/11)' template. Configure the onboarding blob (workspace ID and connection type). The blob is a base64-encoded string that contains the workspace ID and a signature. You can download the onboarding package from the MDE portal and extract the blob.

3. Assign Policy to Device Groups

Assign the onboarding policy to Azure AD device groups or user groups. The policy applies to devices that are enrolled in Intune. For Windows, the policy triggers the sensor to activate. For macOS, it deploys the MDE app and configuration. Use dynamic groups based on device OS, enrollment type, or compliance status to target the policy.

4. Verify Onboarding in MDE Portal

In the Microsoft 365 Defender portal, go to Devices list. Filter by onboarding status. Newly onboarded devices should appear within 5 minutes (the sensor check-in interval). If devices do not appear, check the Intune policy assignment status and the sensor health on the device. Common issues include incorrect blob or network connectivity to the MDE cloud (endpoint: `*.endpoint.microsoft.com`).

5. Configure MDE Settings (Optional)

Create additional configuration profiles for MDE settings like real-time protection, cloud-delivered protection, and sample submission. In Intune, go to Endpoint security > Antivirus > Create policy. Configure settings such as 'Turn on real-time protection' (enabled by default), 'Cloud-delivered protection level' (default: Not configured, but exam expects 'High' for maximum protection), and 'Sample submission consent' (default: 'Send safe samples automatically').

6. Enable Risk-Based Conditional Access

In Azure AD, create a Conditional Access policy that uses 'Device risk' as a condition. Select 'Low, Medium, High' risk levels. For example, block access to corporate resources if device risk is Medium or High. This requires the MDE-Intune connection to be active. The risk level is updated every 5 minutes. Test the policy by intentionally triggering a malware detection on a test device.

What This Looks Like on the Job

In a large enterprise with 10,000 Windows 10 devices, deploying MDE via Intune is streamlined because Windows 10 already includes the sensor. The onboarding policy is assigned to a dynamic group containing all Windows 10 devices. However, macOS devices require the MDE app to be deployed as a line-of-business (LOB) app via Intune. The app is about 150 MB, so bandwidth considerations matter for remote workers. One common problem is that macOS devices may not receive the policy if they are not enrolled in Intune (e.g., user-enrolled vs. device-enrolled). The solution is to use user-driven enrollment with Apple Business Manager.

Another scenario is a hybrid environment with Configuration Manager. Co-managed devices need the Endpoint Protection workload slider moved to Intune to avoid policy conflicts. If the slider is set to Configuration Manager, Intune MDE policies are ignored. The exam tests this scenario heavily. In production, you would set the slider to 'Intune' for the Endpoint Protection workload and then deploy MDE policies via Intune.

A third scenario is a zero-trust deployment where all devices must meet a minimum risk score before accessing apps. The admin creates a Conditional Access policy that requires device compliance (which includes MDE risk level). If a device's risk level is 'High', it is blocked. This requires MDE to be onboarded and reporting risk. A common mistake is forgetting to enable the Intune connection in MDE, which causes the risk level to always be 'Not available' in Conditional Access, resulting in access being granted even to compromised devices.
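The timers given earlier (5-minute check-in, 30-day inactivity), the onboarded-versus-not-onboarded view used for troubleshooting, and the 'Not available' risk trap just described are easier to reason about with a device list in hand. The following PowerShell triage is an added example, not from the chapter or from Microsoft: it runs over a constructed sample of device rows (the field names DeviceName, OnboardingStatus, LastSeen and RiskLevel are assumptions for this example, not the Defender portal's export schema) and classifies each device by sensor health and by the access decision a risk threshold would produce, reporting a missing risk signal as its own outcome instead of letting it fall through as allowed.

```powershell
# Added example: triage a device export against the chapter's timers and a risk threshold.
# Sample rows are constructed; replace $Devices with your own export in practice.

$AsOf = [DateTimeOffset]::Parse('2026-05-31T12:00:00Z')   # fixed "now" for a reproducible run

$Devices = @(
    [pscustomobject]@{ DeviceName = 'WKS-001'; OnboardingStatus = 'Onboarded';        LastSeen = '2026-05-31T11:58:00Z'; RiskLevel = 'Low' }
    [pscustomobject]@{ DeviceName = 'WKS-002'; OnboardingStatus = 'Onboarded';        LastSeen = '2026-05-31T11:40:00Z'; RiskLevel = 'High' }
    [pscustomobject]@{ DeviceName = 'WKS-003'; OnboardingStatus = 'Onboarded';        LastSeen = '2026-04-20T09:15:00Z'; RiskLevel = 'Medium' }
    [pscustomobject]@{ DeviceName = 'WKS-004'; OnboardingStatus = 'Can be onboarded'; LastSeen = '2026-05-31T11:59:00Z'; RiskLevel = 'Not available' }
    [pscustomobject]@{ DeviceName = 'MAC-010'; OnboardingStatus = 'Onboarded';        LastSeen = '2026-05-31T11:30:00Z'; RiskLevel = 'Not available' }
)

function Get-MdeDeviceTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Device,
        [Parameter(Mandatory)] [DateTimeOffset] $AsOf,
        # Block when device risk is at or above this level (Low < Medium < High).
        [ValidateSet('Low', 'Medium', 'High')] [string] $BlockAtOrAbove = 'Medium'
    )
    $rank = @{ Low = 1; Medium = 2; High = 3 }

    foreach ($d in $Device) {
        $age = $AsOf - [DateTimeOffset]::Parse($d.LastSeen)

        # Sensor health according to the chapter's timers. 'MissedCheckIn' only means the
        # device is past the 5-minute interval; it may simply be powered off.
        $health = if ($d.OnboardingStatus -ne 'Onboarded') { 'NotOnboarded' }
        elseif ($age.TotalDays -gt 30) { 'Inactive' }
        elseif ($age.TotalMinutes -gt 5) { 'MissedCheckIn' }
        else { 'Active' }

        # Decision a risk-based policy would reach. A risk level outside Low/Medium/High
        # (for example 'Not available' when the Intune connection is off) is reported
        # explicitly so it is never mistaken for a clean device.
        $decision = if (-not $rank.ContainsKey($d.RiskLevel)) { 'NoRiskSignal' }
        elseif ($rank[$d.RiskLevel] -ge $rank[$BlockAtOrAbove]) { 'Block' }
        else { 'Allow' }

        [pscustomobject]@{
            DeviceName       = $d.DeviceName
            SensorHealth     = $health
            LastSeenAgeHours = [math]::Round($age.TotalHours, 1)
            RiskLevel        = $d.RiskLevel
            AccessDecision   = $decision
        }
    }
}

$triage = Get-MdeDeviceTriage -Device $Devices -AsOf $AsOf -BlockAtOrAbove 'Medium'
$triage | Sort-Object SensorHealth, DeviceName | Format-Table -AutoSize

# Summary: the rows to act on are NotOnboarded, Inactive and NoRiskSignal.
$triage | Group-Object SensorHealth, AccessDecision | Select-Object Name, Count
```

With the sample rows, WKS-004 surfaces as NotOnboarded, WKS-003 as Inactive (no check-in for over 30 days), and MAC-010 as an onboarded device with NoRiskSignal, which is exactly the state a missing Intune connection produces across the whole fleet.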

Performance considerations: The MDE sensor uses minimal CPU (typically <5% on idle) and network bandwidth (approximately 10 MB per day for telemetry). However, during a full scan, CPU usage can spike to 30-50%. For low-powered devices (e.g., VDI), consider excluding certain processes from scanning to avoid performance degradation.

How MS-102 Actually Tests This

The MS-102 exam tests MDE deployment via Intune under objective 3.2 'Implement and manage threat protection by using Microsoft 365 Defender'. You need to know:

1. How to enable the Intune-MDE connection: The exact path is Microsoft 365 Defender portal > Settings > Endpoints > Advanced Features > Microsoft Intune connection. The most common wrong answer is 'Intune admin center > Tenant administration > Connectors and tokens' – that's for other connectors, not MDE.

2. Onboarding policy types: For Windows, use the 'Microsoft Defender for Endpoint (Windows 10/11)' template. For macOS, use the 'Microsoft Defender for Endpoint (macOS)' template. Candidates often confuse this with 'Antivirus' policy. The onboarding policy is under 'Endpoint detection and response', not 'Antivirus'.

3. Policy conflict resolution: If a device is co-managed, the Endpoint Protection workload slider must be set to 'Intune' for Intune MDE policies to apply. The exam loves to present a scenario where a device is co-managed and MDE policy is not applying, and the answer is to move the slider.

4. Risk level integration: Conditional Access can use 'Device risk' from MDE. The risk levels are Low, Medium, High. The default check-in interval for risk updates is 5 minutes. A common trap is that the risk level is updated in real-time – it is not; there is a 5-minute delay.

5. Troubleshooting: If a device is not onboarding, check the onboarding blob (workspace ID and signature). The blob expires after 1 year. The exam might present a scenario where onboarding worked initially but stopped after 11 months – the answer is to regenerate the onboarding package.

6. Edge cases: For unmanaged devices (not enrolled in Intune), MDE can still be deployed via Microsoft Defender for Business or via local script, but the exam focuses on Intune-managed devices. Also, for iOS/iPadOS, MDE is deployed as a managed app via App Protection Policies, not as a device configuration profile.

To eliminate wrong answers, focus on the mechanism: MDE sensor activation requires an onboarding policy with the correct workspace ID. If the policy is assigned but not applied, check if the device is receiving the policy (Intune reports) and if the sensor is active (PowerShell command). The exam will often give symptoms like 'Device shows as Not onboarded in MDE portal but policy shows as succeeded in Intune' – the cause is usually an incorrect blob or network issue.

Key Takeaways

Enable Intune-MDE connection in Microsoft 365 Defender portal (Settings > Endpoints > Advanced Features).

Create onboarding policies under Endpoint security > Endpoint detection and response, not Antivirus.

Onboarding blob contains workspace ID and signature; valid for 1 year.

Risk level updates to Intune every 5 minutes, not real-time.

Co-managed devices: set Endpoint Protection workload slider to Intune for Intune policies to apply.

For iOS/iPadOS, MDE is deployed as a managed app via App Protection Policies, not device config.

Troubleshoot onboarding with 'Get-MpComputerStatus' PowerShell command (Windows) or 'mdatp health' (macOS).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Intune Deployment

Cloud-native, no on-premises infrastructure required.

Policies are assigned to Azure AD groups; no collections.

Onboarding is done via CSP (Windows) or .plist (macOS).

Risk level integration with Conditional Access is seamless.

Best for modern managed devices (Azure AD joined, co-managed).

Configuration Manager Deployment

Requires on-premises servers and client agents.

Uses device collections for targeting.

Onboarding is done via client settings or scripts.

Risk integration requires additional connectors.

Best for on-premises domain-joined devices with no Intune enrollment.

Watch Out for These

Mistake

MDE deployment via Intune requires the MDE agent to be downloaded and installed separately.

Correct

For Windows 10/11, the sensor is built into the OS. The onboarding policy activates it. For macOS and Linux, Intune can deploy the app as a line-of-business app, but the sensor is part of the app package.

Mistake

The Intune-MDE connection is enabled in the Intune admin center.

Correct

It is enabled in the Microsoft 365 Defender portal under Settings > Endpoints > Advanced Features. The Intune admin center only shows the connection status, not the enable toggle.

Mistake

MDE onboarding policies are created under 'Antivirus' in Endpoint security.

Correct

Onboarding policies are created under 'Endpoint detection and response' (EDR). Antivirus policies configure real-time protection settings, not onboarding.

Mistake

Conditional Access with device risk updates instantly.

Correct

The risk level is updated every 5 minutes. There is a delay. The exam may test this by asking about the maximum delay for risk-based access decisions.

Mistake

Co-managed devices can receive MDE policies from both Intune and Configuration Manager simultaneously.

Correct

Only one management authority can apply MDE policies. The Endpoint Protection workload slider determines which tool is authoritative. If set to Configuration Manager, Intune policies are ignored.


Frequently Asked Questions

How do I deploy Microsoft Defender for Endpoint to Windows 10 devices using Intune?

Create an onboarding policy under Endpoint security > Endpoint detection and response. Select platform Windows 10/11, use the template 'Microsoft Defender for Endpoint (Windows 10/11)'. Configure the onboarding blob (download from MDE portal). Assign the policy to a device group. The sensor is built into Windows 10; the policy activates it.

What is the difference between MDE onboarding policy and antivirus policy in Intune?

Onboarding policy activates the MDE sensor and connects it to the cloud service. Antivirus policy configures real-time protection, cloud-delivered protection, and scan settings. Both are needed for full protection, but onboarding must come first.

Why are my devices not showing as onboarded in MDE after assigning the Intune policy?

Possible causes: incorrect onboarding blob (workspace ID or signature), network connectivity to MDE endpoints (check *.endpoint.microsoft.com), or policy not applied (check Intune device status). Use PowerShell 'Get-MpComputerStatus' to verify OnboardingState.

Can I deploy MDE to macOS devices via Intune?

Yes. Create an onboarding policy for macOS using the 'Microsoft Defender for Endpoint (macOS)' template. Also deploy the MDE app as a line-of-business app from the macOS store. The policy configures the sensor.

How does Conditional Access use MDE risk level?

After enabling the Intune-MDE connection, you can create a Conditional Access policy in Azure AD that uses 'Device risk' condition. Choose risk levels (Low, Medium, High). Intune receives risk updates every 5 minutes. For example, block access if risk is High.

What happens if I have both Intune and Configuration Manager managing MDE policies?

Policy conflicts occur. Use the co-management workload slider to set Endpoint Protection to 'Intune' or 'Configuration Manager'. Only the chosen tool's policies apply. The slider is in the Configuration Manager console or Intune admin center.

How do I renew the MDE onboarding blob after it expires?

In the Microsoft 365 Defender portal, go to Settings > Endpoints > Onboarding. Download a new onboarding package for your platform. Extract the onboarding blob (base64 string) and update the Intune policy with the new blob.

