Policy assignment question

Hi. I have a question about the most efficient way to assign intune security policies for Defender for endpoint. This customer has intune joined Windows 10 devices and also Azure VMs with a combination of Windows Server OSs and Windows 10 workstations they use as SERVERS that are Intune MDE joined.


My question is what's the best way to handle the assignments for policies. I created two antivirus policies, one for workstations and another one for servers. For the servers, I can't do dynamic assignment to target server OS only because they also use workstations with Windows 10 as servers. And for the workstations policy I can't do All Devices or Windows 10 only because of their Windows 10 "servers".


I was thinking of going with manual assignment for the servers policy. And for the workstations policy use All Devices but create an exclude group that contains the servers and Windows 10 "servers", but I'm not sure this is the best option. I was also thinking I should leave the Azure VMs alone, not turn on the MDE tenant option, and manage policies with GPO for those.


Any feedback would be much appreciated. TIA

How are servers enrolled in Defender? If you are using the security configuration feature and applying policies to the servers from Intune based on the synthetic object, then you can tag the servers in Defender and use that to create dynamic groups for assignment.

@rahuljindal-MVP Thanks. Servers are enrolled using security configuration and Intune. So I create a tag in the Defender portal and use it for creating a group with dynamic assignment in Intune?

That is correct. Use the management type attribute to create the dynamic group. More on this in the official doc - https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration#what-to-expect-in-the-...
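As an added example (not code from the thread), this Microsoft Graph PowerShell snippet builds the dynamic device group for the MDE-managed servers using the management-type attribute the reply refers to, plus a workstation group that leaves the Windows 10 "servers" out by construction; the group names and the use of the Microsoft.Graph.Groups module are my assumptions, and the rule values are the ones Microsoft's dynamic-group and MDE security-settings-management docs describe, so confirm them against the linked doc in your tenant.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph.Groups
# module is installed and the signed-in account can create groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Devices that Defender creates in Entra ID for security settings management
# (the synthetic objects) carry managementType "MicrosoftSense". This catches the
# Windows Server VMs AND the Windows 10 VMs used as servers, because both are
# enrolled through Defender rather than through Intune MDM.
$serverRule = '(device.managementType -eq "MicrosoftSense")'

$serverGroup = New-MgGroup -DisplayName "MDE-Managed-Servers" `
    -MailEnabled:$false -MailNickname "mde-managed-servers" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $serverRule `
    -MembershipRuleProcessingState "On"

# Intune-MDM-enrolled Windows workstations only. The Windows 10 "servers" do not
# match because their managementType is MicrosoftSense, not MDM, so this group
# can take the workstation AV policy without an explicit exclusion.
$workstationRule = '(device.managementType -eq "MDM") and (device.deviceOSType -eq "Windows")'

$workstationGroup = New-MgGroup -DisplayName "Intune-Windows-Workstations" `
    -MailEnabled:$false -MailNickname "intune-windows-workstations" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $workstationRule `
    -MembershipRuleProcessingState "On"

# Dynamic membership is evaluated asynchronously; wait a few minutes, then verify
# that every server (including the Windows 10 ones) landed in the server group
# and none of them appear in the workstation group before assigning policies.
foreach ($g in @($serverGroup, $workstationGroup)) {
    Write-Host "Members of $($g.DisplayName):"
    Get-MgGroupMember -GroupId $g.Id -All |
        ForEach-Object { "  " + $_.AdditionalProperties["displayName"] }
}
```

If you prefer the All Devices plus exclude-group approach from the original question, the server group above is the one to put in the exclusion.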