Event details
We have implemented the Intune compliance policy for iOS and Android devices, “Microsoft Defender for Endpoint: Require the device to be at or under the machine risk score: medium,” with the primary goal of identifying and addressing devices where Microsoft Defender is not activated on Intune-managed endpoints. However, we have observed that this policy frequently results in false positives, particularly when users are inactive for extended periods (such as one week or more), which leads to unnecessary notifications.
To optimize our approach, we now seek greater clarity regarding the distinctions between the Medium, High, and other risk levels, as overly stringent Defender requirements may adversely affect the overall Intune MDM user experience. Additionally, we have encountered challenges communicating with end users, as they find that granting permissions to Microsoft Defender is less seamless than their experience with Intune. Furthermore, the current Non-Compliance in-app notification is not user-friendly: it is difficult to understand and often requires repeated authentication to access the non-compliance message.
We recommend simplifying the process and improving the Non-Compliance notification process to enhance clarity and reduce friction for end-users.