Update to enrollment pre-requisites for Windows devices managed by Defender for Endpoint with Intune
Published Jun 14 2023 08:00 AM

By: Laura Arrizza - Program Manager 2 | Microsoft Intune


Later this month, we'll be making architectural updates to the security settings management capabilities in Microsoft Defender for Endpoint that simplify the device enrollment process. The updates include removing Azure Active Directory (Azure AD) join or Hybrid Azure AD join as a pre-requisite for onboarding Windows devices that use security settings management in Defender for Endpoint. To learn more about this capability, see Manage Microsoft Defender for Endpoint on devices with Microsoft Intune.


This update applies to customers opted into public preview functionality for Defender for Endpoint. Customers that don’t use public preview features will continue with the existing settings management experience. To opt in, go to the Microsoft Defender for Endpoint portal, and select Settings > Endpoints > Advanced features > Preview features. Make sure your Windows device is up to date to take advantage of these enhancements.


How this works

Customers already using this functionality will seamlessly transition to the updated infrastructure with no impact for their existing Windows devices managed by Defender for Endpoint that are using this functionality. Endpoint security policies will continue to apply as expected. Additionally, there will be no changes to the device, its identity, or registration type. Any new devices enrolled into security settings management for Defender for Endpoint will use the updated infrastructure.


Important: If a Windows device is managed by security settings management for Defender for Endpoint but has been unable to enroll because it was not Azure AD joined or Hybrid Azure AD joined, it will now be able to enroll, and policies targeted to the device can be applied. Once enrolled, the device will appear in the device lists for Microsoft 365 Defender, Microsoft Intune, and Azure AD. Note that while the device won’t be fully registered with Azure AD, it'll still count as one device object.


To filter for devices that were previously unable to enroll in Defender for Endpoint due to not meeting the Azure AD join or Hybrid Azure AD join pre-requisite, navigate to the Microsoft 365 Defender portal > Devices list and filter by enrollment status. Since these devices are still not fully registered, they’ll show the device attributes where MDM = Intune and Join Type = Blank. With the new release, these will begin to successfully enroll.


What to expect in the Microsoft 365 Defender portal

In the Microsoft 365 Defender device inventory, confirm that the device is using the security settings management capability in Defender for Endpoint by checking its status in the Managed by column. This is also available on the device side panel or device page and should consistently indicate Managed by MDE.


On the device side panel or device page, you can also confirm that the device is successfully enrolled by checking that the MDE Enrollment status is Success.


A screenshot of a device’s MDE Enrollment status on the device page in the Microsoft 365 Defender portal.


If the MDE Enrollment status is not Success, make sure you’re looking at a device that was updated and that it’s in scope for settings management (based on how you configured the feature in the Enforcement scope page).


What to expect in the Microsoft Intune admin center

In the Intune admin center, search for the device name on the All Devices page. The device should appear here, with the Managed by field set to MDE.


A screenshot of the device page in the Intune admin center with the Managed by status of the device highlighted.


If policies were assigned to devices that had previous enrollment errors, then policies will apply as these devices start to onboard via the updated infrastructure.


What to expect in the Microsoft Azure portal

A screenshot of the All devices page in the Microsoft Azure portal with an example device highlighted.


To ensure that all devices enrolled in security settings management for Microsoft Defender for Endpoint receive policies, we recommend creating a dynamic Azure AD group based on the systemLabels property containing the “MDEManaged” value. This will automatically add devices managed by Defender for Endpoint to the group, without requiring admins to perform any additional tasks, such as creating a new policy.

Changes to system label attributes for grouping and targeting

Today, customers using the security settings management capability for Microsoft Defender for Endpoint can leverage the system labels, MDEManaged or MDEJoined, for Azure Active Directory (Azure AD) groups as one of the methods to target policy.


With the upcoming enrollment improvements for this capability, the MDEManaged and MDEJoined system labels won’t be applicable for new device enrollments. Note: This only applies to customers that are opted into the public preview features in Defender for Endpoint.


How does this affect you or your users?

Existing Windows devices managed by Defender for Endpoint that are using the security settings management functionality can continue to target policy with the MDEManaged or MDEJoined system labels. Important: For new enrollments, including those that begin to enroll due to the removal of the hybrid Azure AD join requirement, these system labels will not be applicable to target policies. Leverage one of the other available methods for new enrollments.


How can you prepare?

Review your group policy and targeting for Windows devices managed by Defender for Endpoint that are using the security settings management functionality. If you’re currently using MDEManaged or MDEJoined system labels for Azure AD groups to target policy, we recommend updating to one of the following methods:

  • (Recommended) Target policy based on the platform by using the deviceType attribute (Windows, WindowsServer, macOS, Linux).
  • Target policy by using the managementType attribute MicrosoftSense. This will target all devices managed by Defender for Endpoint that are using the security settings management functionality.
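Before changing targeting, it helps to know which of your dynamic Azure AD groups still depend on the MDEManaged or MDEJoined system labels mentioned above. The following audit script is an added example (not Microsoft's code): it scans group records shaped like Microsoft Graph group objects (displayName, membershipRule), flags rules that reference the deprecated labels, and proposes the managementType rule from this post. The group records are constructed sample data; in a real tenant you would retrieve them from Microsoft Graph.

```python
"""Audit Azure AD dynamic device group rules for the MDEManaged / MDEJoined
system labels and propose a managementType-based rule instead (added example)."""
import re

# System labels the post says will not apply to new enrollments.
DEPRECATED_LABELS = {"mdemanaged", "mdejoined"}

# Rule recommended in the post for all devices managed by Defender for Endpoint
# that use security settings management (Azure AD dynamic membership rule syntax).
REPLACEMENT_RULE = '(device.managementType -eq "MicrosoftSense")'

# Matches clauses such as  device.systemLabels -contains "MDEManaged"
# or  device.systemLabels -any (_ -eq "MDEJoined"), any casing or spacing.
_LABEL_RULE = re.compile(
    r'device\.systemLabels\s+-(?:contains|any)\b[^"\']*["\'](?P<label>[^"\']+)["\']',
    re.IGNORECASE,
)


def labels_used(rule):
    """Return the deprecated system labels a membership rule depends on, in order."""
    found = []
    for m in _LABEL_RULE.finditer(rule or ""):
        label = m.group("label")
        if label.lower() in DEPRECATED_LABELS and label not in found:
            found.append(label)
    return found


def audit_groups(groups):
    """Return one finding per group whose rule relies on a deprecated label."""
    findings = []
    for g in groups:
        labels = labels_used(g.get("membershipRule"))
        if labels:
            findings.append({"group": g["displayName"], "labels": labels,
                             "proposedRule": REPLACEMENT_RULE})
    return findings


# Constructed sample input (not from a real tenant).
SAMPLE_GROUPS = [
    {"displayName": "MDE-All-Devices",
     "membershipRule": '(device.systemLabels -contains "MDEManaged")'},
    {"displayName": "MDE-Joined-Legacy",
     "membershipRule": '(device.systemLabels -any (_ -eq "MDEJoined")) or '
                       '(device.systemLabels -contains "MDEManaged")'},
    {"displayName": "Windows-Sense", "membershipRule": REPLACEMENT_RULE},
    {"displayName": "Assigned-Group", "membershipRule": None},  # not dynamic
]

if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: uses {', '.join(f['labels'])} -> consider {f['proposedRule']}")
```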


Stay tuned to What’s new in Intune for the release and for further additions to this functionality! If you have any questions, let us know in the comments or reach out to us on Twitter @IntuneSuppTeam.


Post Updates:

06/26/2023: Timeline updated to early July, previously expected end of June.

07/05/2023: Added clarity to changes to system label attributes for grouping and targeting.

07/17/2023: Updated to include blog author.

Last update: Jul 17 2023 02:32 PM