SOLVED

Intune remote action compatibility with Defender EDR isolation

New Contributor

We're leveraging Intune alongside Defender for Endpoint. One challenge we're running into is that with Defender EDR, when our security team isolates a device, all connectivity to the Intune service is blocked (including for remote device actions like wipe device).

 

Is there something we're missing in our Defender / endpoint security configuration in MEM that would still allow Intune communication to occur in this EDR scenario? (or if not full Intune communication - at least MDM remote action push notifications?). Defender is clearly capable of allowing some traffic through (there's a built-in option in Defender isolation to allow Outlook/Teams traffic only when isolating a device, for instance) - I'm just not seeing any options to not block Intune traffic.

 

There are situations where it's important to maintain the ability for our security team to remote wipe a device - and other EDR solutions that aren't Defender have mechanisms for excluding Intune service IP ranges to still allow remote management functionality.

1 Reply
best response confirmed by kramer314 (New Contributor)
Solution

There is no such option.

 

You could use Live Response (isolated devices can still access the Defender service) to access such devices. That's probably also why the option isn't available, as you can run scripts in Live Response sessions (and, as such, don't need to have a connection to MDM).

 

If you allowed communications you could also instruct the user to reset their device.