Oct 27 2021 12:56 AM - edited Oct 27 2021 12:56 AM
So I have been talking with MDE support regarding the prerequisites for deploying MDE with Intune, and I have not been able to get a clear answer on the support for Azure AD registered devices.
https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection
The documentation above says that only AADJ and HAADJ devices are supported, but does this really apply to any and all use cases for MDE in Intune?
I would say there are 4 possible use cases with MDE and Intune.
1. Deployment with EDR policies (or custom policies with OMA-URI)
2. Settings management (AV policies, ASR policies etc)
3. Using MDE device risk in compliance policies and Azure AD conditional access
4. The sharing of TVM remediation tasks
Now, to be honest, the official documents are not really clear about how much of this can be done with Azure AD Registered, and how much requires AADJ/HAADJ.
The documentation really feels like it is mainly geared at the integration with Azure AD conditional access, and support has told me that this requires AADJ/HAADJ as listed. TVM remediation also explicitly lists this requirement in the MDE console.
However, is this also true for onboarding and the various settings management policies?
Since OMA-URI enrollment is supported in 3rd party MDMs, I see no reason why only Intune would have requirements on the AAD registration form.
EDR policies, AV policies etc. work with AAD registered devices from what I can see in my tests, but MDE support says they can't give me a straight answer on whether it is supported or not, because the documentation has no mention of it.
Would really appreciate some feedback from a Microsoft employee on this matter, and/or some official clarification in the documents.
Oct 27 2021 11:39 PM
Nov 18 2021 02:05 AM
Nov 18 2021 07:44 PM
Apr 12 2022 01:08 PM
I have the same question.
Device enrolled in Intune with Company Portal and Azure AD registered.
Company Portal shows me this warning, but I can see the device in the MDE dashboard in an onboarded state.
Apr 12 2022 03:28 PM
Unfortunately, the use of MDE risk state in compliance policies is explicitly mentioned as being supported only with Azure AD joined and Hybrid Azure AD joined devices.
Therefore, if you have set up compliance policies to check for MDE, then my understanding is that Azure AD registered devices are not supported.
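Since the support boundary discussed in this thread turns on the device's join state, here is an added example (not from any poster, and not Microsoft's own tooling) that classifies a Windows device as Azure AD joined, hybrid joined or Azure AD registered from `dsregcmd /status` output and flags whether MDE risk-based compliance policies apply to it under the documented AADJ/HAADJ requirement. The `Get-AadJoinState` function name and the sample output are constructed for this example.

```powershell
# Added example: classify a device's Azure AD join state from `dsregcmd /status`.
# The join state decides whether MDE device-risk compliance policies are supported
# (documented as Azure AD joined / Hybrid Azure AD joined only).
function Get-AadJoinState {
    param(
        # Lines of `dsregcmd /status` output; defaults to running the tool locally.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    # Collect the three YES/NO flags that define the join type. WorkplaceJoined in the
    # "User State" section is what the portal calls "Azure AD registered".
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $joinType = if ($state['AzureAdJoined'] -and $state['DomainJoined']) { 'HybridAzureADJoined' }
                elseif ($state['AzureAdJoined'])   { 'AzureADJoined' }
                elseif ($state['WorkplaceJoined']) { 'AzureADRegistered' }
                else                               { 'NotRegistered' }
    [pscustomobject]@{
        JoinType                   = $joinType
        MdeRiskComplianceSupported = ($joinType -in 'AzureADJoined', 'HybridAzureADJoined')
    }
}

# Constructed sample: dsregcmd output for an Azure AD registered (workplace joined) device,
# i.e. the situation described in the post above. Expected: AzureADRegistered, not supported.
$sample = @(
    '| Device State |',
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '| User State |',
    '           WorkplaceJoined : YES'
)
Get-AadJoinState -StatusText $sample
```

Run `Get-AadJoinState` with no arguments on the device itself to check the live state before assuming a compliance policy will evaluate MDE risk for it.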
Apr 12 2022 04:07 PM