Forum Discussion

madhusinha1
Copper Contributor
Dec 20, 2024

I have a query on whether cloud servers can be best managed by Intune / SCCM?

I have a query: can we onboard cloud servers to MS Defender and manage those servers via Intune? And do we have any limitations to manage via Intune? Also, what are the steps to onboard via Intune for cloud servers?

5 Replies

  • briankurrasch
    Copper Contributor

    I have attempted the security management feature using Intune as suggested by rahuljindal-MVP. I onboarded the server to MDE, tagged the device with the MDE-Management tag and configured the settings between Intune and MDE. The server showed up in Intune as "managed by MDE", but when you assign any type of AV policy to it from Intune, it never gets to the device or shows up in the assignment reports. I've had a ticket going with Microsoft now for several weeks. Have you actually seen this work in a production environment? Microsoft can't seem to confirm, and it still hasn't been proven to work.

    • rahuljindal
      Bronze Contributor

      Are the services reporting onboarded in Defender? If yes, then what is the AV status? Also, what is the OS of the servers and how are you assigning the policies? How have you created the Entra ID group? Another requirement is Defender for Servers licensing; however, this is mostly for compliance purposes. You should still be able to onboard and manage the servers for MDE policies using Intune. I have implemented the solution for a number of customers, so let me know if you have any questions.

      • briankurrasch
        Copper Contributor

        Servers are onboarded to Defender, and then tagged with the 'MDE-Management' tag. After being tagged, they then show up in Intune as 'managed by MDE'. So following the doc, https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration, it all aligns up until the point where you target an AV or ASR policy to an Entra ID group that contains the servers.

        There are no errors in the policy assignment report in Intune; the policy doesn't get listed at all, as if it were never targeted.

        Running the "MDE Client Analyzer" tool locally on the server, it does provide an error describing exactly what I am experiencing. But there is no detail as to why the assignment failed. Below is a snip from the analyzer report.


  • rahuljindal
    Bronze Contributor

    If you are referring to Defender AV alone, then you can manage the servers using Intune through the cloud attach feature in Configuration Manager. This is also true for Defender for Endpoint features. If you don’t have Configuration Manager, then this will not work for you. In that case you can use the security management configuration cloud feature, which will involve enabling the connector between the Defender portal and Intune. This way the devices have a synthetic object created in Entra ID, are onboarded in Defender, are not enrolled in Intune, but are managed by Intune for MDE policies using the MDE channel. All of the above that I have stated have their own licensing requirements, so have a look before deciding on the approach. In my personal opinion, go for the security management feature.
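    As an added example (not from any poster in this thread), the following PowerShell, run elevated on the server itself, gathers the local prerequisites the security management path depends on: the Sense service, the MDE onboarding state, the registry-set device tag, the SenseCM enrollment status, the local Defender AV state and recent SENSE errors. The registry paths are the ones Microsoft documents for MDE; treating `EnrollmentStatus` value 1 as "enrolled" is an assumption taken from Microsoft's security management troubleshooting documentation and should be checked there.

```powershell
# Added diagnostic (not the thread's or Microsoft's code): summarize the local state
# an MDE security-management (Intune-managed via the MDE channel) server needs.
function Get-MdeManagementReadiness {
    $status = [ordered]@{}

    # 1. The Sense (Defender for Endpoint) service must be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status.SenseServiceRunning = [bool]($sense -and $sense.Status -eq 'Running')

    # 2. Onboarding state recorded by the Sense client (1 = onboarded).
    $onb = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                            -Name OnboardingState -ErrorAction SilentlyContinue
    $status.OnboardedToMde = ($onb.OnboardingState -eq 1)

    # 3. Device tag set via registry (the thread scopes the integration on 'MDE-Management').
    $tag = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging' `
                            -Name Group -ErrorAction SilentlyContinue
    $status.RegistryDeviceTag = $tag.Group
    $status.HasManagementTag  = ($tag.Group -eq 'MDE-Management')

    # 4. Security management enrollment status written by the SenseCM component.
    #    Assumption: 1 means enrollment succeeded (per Microsoft's troubleshooting doc);
    #    any other value should be looked up there rather than guessed.
    $cm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' `
                           -Name EnrollmentStatus -ErrorAction SilentlyContinue
    $status.SenseCmEnrollmentStatus    = $cm.EnrollmentStatus
    $status.SecurityManagementEnrolled = ($cm.EnrollmentStatus -eq 1)

    # 5. Local Defender AV state; AMRunningMode reveals passive/EDR-block modes that
    #    change how AV policy applies.
    $mp = Get-MpComputerStatus
    $status.AntivirusEnabled = $mp.AntivirusEnabled
    $status.AMRunningMode    = $mp.AMRunningMode
    $status.TamperProtected  = $mp.IsTamperProtected

    # 6. Recent SENSE errors (Level 2) from the last day; these usually carry the
    #    detail the Intune assignment report does not show.
    $status.RecentSenseErrors = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-SENSE/Operational'
            Level     = 2
            StartTime = (Get-Date).AddDays(-1)
        } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]$status
}

Get-MdeManagementReadiness | Format-List
```

    Tags applied from the Defender portal are not written to the DeviceTagging key, so an empty `RegistryDeviceTag` is only a finding when the tag was meant to be set locally.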
