Event details
Have questions about using Microsoft Intune to enforce device compliance? Curious how to configure devices to help prevent security breaches and limit the impact of threats? Ask Microsoft Anything (AMA) about integrating Microsoft Defender for Endpoint with Microsoft Intune at Tech Community Live!
Product teams will be answering your questions live and in chat. Get tips using policy to onboard devices, define risk level, block non-compliant devices from accessing corporate resources, and more.
Speakers: Laura Arrizza & Mike Danoski
Moderator: Matt Call
This event is part of Tech Community Live: Intune edition.
I'm in! How do I sign up?
Select “Add to calendar” to save the date and “Attend” to save your spot, receive event reminders, and participate in the Q&A. If you can’t make the live event, don’t worry. You can post your questions in advance and catch up on the answers and insights later in the week. All sessions for this Intune edition of Tech Community Live will be recorded and available on demand immediately after airing.
This event will feature AI-generated captions during the live broadcast. Human-generated captions will be available by the end of the week.
Where can I post my questions?
Scroll to the bottom of this page and select “Comment.”
16 Comments
- Pearl-Angeles
Community Manager
Thank you everyone, for your participation in today's session! Q&A is open through this Friday at 12p PT!
Below are the questions the panelists answered live, along with associated timestamps:
Question – You’re spending a lot of time on copilot/AI integrations into the product. It’s been helpful to see how this shows up in the product. Can you share more about how you’re infusing the Settings process with AI? – answered at 1:36.
Question – I have started applying security policies for Defender for Endpoint using MDE to manage them, adding the MDE tag to my Windows 11 machines. If I am migrating to Intune management, is it necessary to offboard the devices first, before applying the auto-enroll GPO and onboarding device configuration to the machines? – answered at 6:26.
Question – If we are pre-provisioning devices using Autopilot, how long will it take for them to report in as compliant in Defender? – answered at 12:27.
Question – Apologies if this was mentioned earlier, but which licensing model is this applicable to? E5? – answered at 16:46.
Question – Can you provide greater clarity regarding the distinctions between Medium, High, and other risk levels? Concerned that overly stringent Defender requirements may adversely affect the overall Intune MDM user experience. – answered at 17:11.
Question – Do you have anything currently available or in development that will act similar to GPresult/RSOP (Resultant Set of Policy) to see what settings are applied via Intune on a device and what policy applies the setting? – answered at 22:54.
Question – In a mixed environment (Entra ID joined + hybrid joined + a few BYOD), what’s your recommended baseline policy stack in Intune + Defender so we avoid overlapping controls and false positives? And how do you decide what belongs in Intune vs Defender? – answered at 32:03.
Question – Can we apply a compliance policy for risk level if the computer has Defender but is not in Intune and is managed from a different MDM? – answered at 40:00.
Question – Can we only use MS Defender for Intune managed devices? What are the prerequisites? – answered at 44:37.
Question – So, with Intune, Defender for Cloud/M365, where is the overlap with Purview? As long as your environment is stood up using CAF/WAF with proper management groups that are top down? -- Note for audience -- CAF = Cloud Adoption Framework and WAF = Well-Architected Framework – answered at 46:05.
Question – Do you recommend the security baselines in Intune? – answered at 50:57.
- JochenB007
Brass Contributor
Hey there,
On iOS, we can use Web Protection, but not Web Content Filtering with categories, is this right? If so, why not? On Windows (at least) we can use that.
And, if a user receives an SMS or iMessage with a link, is there any protection for that if this is a phishing link? Or even worse, if it’s a link with an exploit in iMessage? We had this issue a few months ago, I think with iMessage 😞
And, last but most important: I know that we can onboard supervised devices mostly silently with Intune into Defender.
And as far as I know, non-supervised devices are onboarded when the user signs in, right? Are there any differences in Defender features? So, are supervised and non-supervised devices protected at the same level?
thanks a lot!!
jochen
- Pearl-Angeles
Community Manager
Thanks for all the thoughtful questions and great discussion today. A recap of the questions answered during the live session (including timestamps) will be added here shortly. If you have additional questions, drop them here in the comments— Q&A is open until this Friday at 12p PT.
- Nandhakumar_Ravisankar
Occasional Reader
We are facing delays when triggering manual sync from the Intune device page, often taking more than an hour, and policy deployment status is not always reported correctly. How can this be mitigated?
Additionally, Defender AV scans are not running as per the defined schedule and sometimes show as “Cancelled by NT AUTHORITY\SYSTEM”, even though the device is online. How can we identify the root cause?
Finally, for Defender Application Control for Business, we do not receive centralized alerts when apps are blocked and currently rely on local Event Viewer logs. Is there a centralized way to monitor and report these events?
- cheddarchad12
Copper Contributor
Do you recommend the security baselines in Intune?
- Pearl-Angeles
Community Manager
Great question! It was addressed at 50:57 during the live panel.
- Georgi_Hadzhiev
Occasional Reader
Can we apply a compliance policy for risk level if the computer has Defender but is not in Intune and is managed from a different MDM?
- Pearl-Angeles
Community Manager
Thanks for your question! It was addressed at around 40:00 during the live panel.
- Pearl-Angeles
Community Manager
Welcome to the first AMA in today’s Tech Community Live: Intune edition. Let’s get started! Drop your questions in the comments below—feel free to post them early and often.
- SchmatzS
Copper Contributor
Looking forward to the session, because we have big issues with the Defender <> Intune sync, which is very unreliable for us. We face many “false positives” due to the fact that the Defender risk score is not synced in a timely manner with Intune, or not synced at all. In general, 50% of our devices have the status “not applicable”, even with a current check-in time of the device with both Defender and Intune itself. Pre-provisioning devices via Intune Autopilot is also causing “non-compliant” devices due to the risk score, which causes completing the account setup phase at a later time (e.g. the next day) to fail. We have already had quite a few support tickets in regard to our problems, but so far our experience is, frankly speaking, not the best. Therefore, I hope to get more insights and/or find someone at Microsoft to tackle our issues.
- Pearl-Angeles
Community Manager
This topic was covered at around 12:27 during the live AMA.
- madman123
Copper Contributor
My customer has same issues. Their iOS devices frequently fall noncompliant b/c the machine risk score is spiked due to pulse not being sent from MDE even though the device was successfully onboarded to Defender and the device is performing MDM check-ins with Intune regularly. The compliance policy also flaps in and out of Not Applicable state. We had multiple Microsoft FastTrack resources confirm we have everything configured correctly and we have had a support ticket open for months.
- mdmworkprofile
Copper Contributor
We have implemented the Intune compliance policy for iOS, Android devices, “Microsoft Defender for Endpoint: Require the device to be at or under the machine risk score: medium,” with the primary goal of identifying and addressing devices where Microsoft Defender is not activated on Intune-managed endpoints. However, we have observed that this policy frequently results in false positives, particularly when users are inactive for extended periods (such as one week or more), which leads to unnecessary notifications.
To optimize our approach, we now seek greater clarity regarding the distinctions between Medium, High, and other risk levels, as overly stringent Defender requirements may adversely affect the overall Intune MDM user experience. Additionally, we have encountered challenges communicating with end users, as they find that granting permissions to Microsoft Defender is less seamless compared to their experience with Intune. Furthermore, the current Non-Compliance in-app notification is not user-friendly, as it is difficult to understand and often requires repeated authentication to access the non-compliance message. We recommend simplifying the process and improving the Non-Compliance notification process to enhance clarity and reduce friction for end users.
- mdmworkprofile
Copper Contributor
Thank you for the session, @Laura Arrizza & Mike Danoski @Matt Call. I couldn't join the live session. However, the discussion above did not really discuss or offer solutions for iOS/Android scenarios, BYOD, or COD mobile device situations. It's unfortunate because end users are struggling due to Defender's false positives. We often have to instruct users to open Defender just to avoid these issues. Please let me know how to connect to share our views.
- JonathanPe111
Copper Contributor
When you create an iOS compliance policy, we have an issue where devices are marked as not compliant when the user hasn't signed in on that device for a month. The custom policy says "Mark Device NonCompliant" 300 days. Is this primarily caused by the tenant compliance setting "Compliance status validity period days" being set to 30 days? How would you address the issue of devices being marked as not compliant after 30 days when one user can have multiple test devices that are not used every month?