Migrating computers that had GPOs that disabled Defender Firewall and Antivirus.

Hello all,

I'm having trouble getting Windows machines that are joined to the local domain\hybrid joined to Azure and enrolled in Intune\MDE to take policies from Windows Defender for Endpoint. These machines in the past had a domain GPO that applied to them to disable the Defender firewall and antivirus. On the GPO that still applies to them (it has other settings we want to keep), the Defender and firewall settings are now set to "not configured". I then went into the registry on the PC and deleted the policies that disabled the firewall and antivirus from the domain GPO.

I would now expect for Intune\MDM to take control of the firewall and push the policy.
Is there anything else I would need to do?

3 Replies
Sounds about right. So what’s not working?

It doesn't appear that the policies are working even though I can see them applied. For example, Defender for Endpoint says the firewall is enabled on domain\private\public with no exceptions, and I still can ping the machine in question. Things like that.
Is there a command prompt to force a client to check in with Defender endpoint? I already tried to sync the client in the intune interface.

Also, I may be a little confused on where to enroll these devices. I thought the place to manage Windows Defender would be Microsoft Endpoint Manager. However, after reading this:

It appears that maybe I shouldn't be using MDE. "With this capability, devices that aren't managed by a Microsoft Endpoint Manager service can receive security configurations for Microsoft Defender for Endpoint directly from Endpoint Manager."

My devices are enrolled in MEM and can be managed by MEM.

"When a device is managed by Endpoint Manager (enrolled to Intune) the device won't process policies for Security Management for Microsoft Defender for Endpoint. Instead, use Intune to deploy policy for Defender for Endpoint to your devices."

Yes, in your case using Intune to manage the policies looks like the logical option. You can check the MDM diagnostic report and device events to see if the Defender policies are applying correctly or not. Do you have the devices onboarded to Defender for Endpoint as well? If yes, then you can check under vulnerability recommendations in the Defender portal as well.
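As an added example, not from any poster in this thread: a PowerShell check run on one of these hybrid-joined clients that surfaces what the last reply describes, which authority (leftover domain GPO values vs. the MDM PolicyManager cache) is setting Defender and firewall state, the effective state the MDE portal is reporting against, why ping may still answer with the firewall on, and a forced MDM sync plus the MDM diagnostic report. Assumptions: it runs in an elevated session on the client, the registry paths are the standard GPO and PolicyManager locations, and the enrollment's "Schedule #3" task is the on-demand MDM sync task.

```powershell
# Added example (not from the thread). Run elevated on the client.
# Uses the built-in NetSecurity and Defender modules plus MdmDiagnosticsTool.exe.

# 1. Effective firewall state per profile (what the MDE portal claims is enabled).
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 2. Effective antivirus state (passive/normal mode, real-time protection, tamper protection).
Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected

# 3. Leftover domain-GPO values. Anything other than <not set> means the GPO is still winning;
#    GPO-delivered Policies keys take precedence over MDM-delivered ones on the same setting.
$gpoChecks = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'               = 'DisableAntiSpyware'
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'  = 'EnableFirewall'
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' = 'EnableFirewall'
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'  = 'EnableFirewall'
}
foreach ($path in $gpoChecks.Keys) {
    $name = $gpoChecks[$path]
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$name } else { '<not set>' }
    '{0}\{1} = {2}' -f $path, $name, $value
}

# 4. What MDM actually delivered (PolicyManager cache). An absent key means Intune never
#    pushed that CSP to this device, so there is nothing for the client to apply.
foreach ($area in 'Defender', 'Firewall') {
    $p = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$area"
    if (Test-Path $p) { "--- MDM $area policy ---"; Get-ItemProperty -Path $p | Format-List }
    else { "MDM $area policy: not present on this device" }
}

# 5. Why ping still answers with the firewall on: enabled inbound Allow rules for ICMPv4
#    (e.g. the File and Printer Sharing echo-request rule) are exceptions the portal summary hides.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    Select-Object DisplayName, Profile | Format-Table -AutoSize

# 6. Force an MDM sync from the client side (assumption: 'Schedule #3' under the enrollment
#    task path is the on-demand sync task), then collect the MDM diagnostic report to review.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' |
    Where-Object TaskName -like 'Schedule #3*' | Start-ScheduledTask
MdmDiagnosticsTool.exe -out "$env:TEMP\MdmDiag"
"MDM diagnostic report written to $env:TEMP\MdmDiag (open MDMDiagReport.html)"
```

If step 3 still shows values, run `gpupdate /force` and re-check, since a GPO that is merely "not configured" does not delete a value a previous policy wrote.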