Using Intune and MDE with Azure AD Registered Windows 10/11


So I have been talking with MDE support regarding the prerequisites for deploying MDE with Intune, and I have not been able to get a clear answer on the support for Azure AD registered devices.

https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection


The documentation above says that only AADJ and HAADJ devices are supported, but does this really apply to any and all use cases for MDE in Intune?

I would say there are 4 possible use cases with MDE and Intune.

1. Deployment with EDR policies (or custom policies with OMA-URI)

2. Settings management (AV policies, ASR policies, etc.)

3. Using MDE device risk in compliance policies and Azure AD conditional access

4. The sharing of TVM remediation tasks


Now, to be honest, the official documents are not really clear about how much of this can be done with Azure AD Registered, and how much requires AADJ/HAADJ.

The documentation really feels like it is mainly geared at the integration with Azure AD conditional access, and support has told me that this requires AADJ/HAADJ as listed. TVM remediation also explicitly lists this requirement in the MDE console.


However, is this true also for onboarding and the various settings management policies?

Since OMA-URI enrollment is supported in third-party MDMs, I see no reason why only Intune would have requirements on the AAD registration form.

EDR policies, AV policies, etc. work with AAD registered devices from what I can see in my tests, but MDE support says they can't give me a straight answer on whether it is supported or not, because the documentation has no mention of it.


Would really appreciate some feedback from a Microsoft employee on this matter,

and/or some official clarification in the documents.

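The check the posters describe doing by hand (is the test device Azure AD registered, and does MDE show it as onboarded?) can be scripted. This is an added example, not code from anyone in the thread; it assumes `dsregcmd /status` output in its usual `Name : VALUE` form and the documented MDE status key `HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status` with `OnboardingState` = 1 meaning onboarded.

```powershell
# Added example (not from the thread): classify the device's Azure AD join type
# from dsregcmd /status and read the MDE onboarding state, so the combination the
# thread debates (Azure AD registered + onboarded through Intune policy) can be
# confirmed on a test device. Run in an elevated PowerShell on Windows 10/11.

function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    # dsregcmd prints lines such as "             AzureAdJoined : YES"
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    }
    return 'UNKNOWN'
}

function Get-DeviceJoinType {
    $out = dsregcmd /status
    $aad = Get-DsregField -Lines $out -Name 'AzureAdJoined'
    $dom = Get-DsregField -Lines $out -Name 'DomainJoined'
    $wpj = Get-DsregField -Lines $out -Name 'WorkplaceJoined'
    if ($aad -eq 'YES' -and $dom -eq 'YES') { return 'Hybrid Azure AD joined (HAADJ)' }
    if ($aad -eq 'YES')                     { return 'Azure AD joined (AADJ)' }
    if ($wpj -eq 'YES')                     { return 'Azure AD registered (WorkplaceJoined)' }
    return 'Not joined or registered'
}

function Get-MdeOnboardingState {
    # Status key written by the MDE sensor; OnboardingState 1 = onboarded
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $key -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue   # MDE sensor service
    [pscustomobject]@{
        OnboardingState = if ($null -eq $state) { 'not set' } elseif ($state -eq 1) { 'onboarded' } else { "value $state" }
        SenseService    = if ($sense) { $sense.Status } else { 'not installed' }
    }
}

$join = Get-DeviceJoinType
$mde  = Get-MdeOnboardingState
"Join type      : $join"
"MDE onboarding : $($mde.OnboardingState)"
"Sense service  : $($mde.SenseService)"
# 'Azure AD registered' together with 'onboarded' is the case the thread asks
# about: the sensor is onboarded, but the documented compliance / conditional
# access integration still lists only AADJ and HAADJ as supported.
```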
6 Replies
Nothing at this time unfortunately.

@Jonhed 


I have the same question,

Device enrolled in Intune with Company Portal and Azure AD registered.

[screenshot attachment: denisdm91_0-1649793998516.png]


Company Portal shows me this warning, but I can see the device in the MDE dashboard in onboarded state.


@denisdm91 

Unfortunately, the use of MDE risk state in compliance policies is explicitly mentioned as being supported only with Azure AD joined and Hybrid Azure AD joined devices.

Therefore, if you have set up compliance policies to check for MDE, then my understanding is that Azure AD registered devices are not supported.

thanks,
OK, so the limitation is only on the Intune side (in the compliance policies),
because the antivirus seems to have taken the configuration policies.