12.0 Defender for Endpoint(MDE): Security Settings Management

12.0 Defender for Endpoint(MDE): Security Settings Management

For the Intune-managed device, we deploy the policy from Intune but what if we have a device that is not Intune-managed and also not domain-joined then how to push security policies centrally?  The answer is to use Defender for Endpoint's new feature 'Security Settings Management'. Below is the official word about these features.

With Microsoft Defender for Endpoint (MDE), you can now deploy security configurations from Microsoft Intune directly to your onboarded devices without requiring a full Microsoft Intune device enrollment. This capability is known as Security Management for Microsoft Defender for Endpoint. With this capability, devices that aren’t managed by a Microsoft Intune service can receive security configurations for Microsoft Defender for Endpoint directly from Endpoint Manager.

We need to make communication between Intune and MDE.

Enable Security Settings Management

On the MDE portal(security.microsoft.com), navigate to Settings->Endpoints->Enforcement scope and turn the switch.

Once it is turned on then we can choose the device type and scope. Here, we have enabled both windows client and server for all devices. It means, if any windows client or server will be onboarded to the MDE then we can push the policy from Intune. These are the only tasks we need to do on the MDE portal.

We also have to turn the settings on Intune portal. Navigate to Endpoint security->Microsoft Defender for Endpoint->Allow Microsoft Defender for Endpoint to enforce Endpoint Security COnfigurations(switch on).

Microsoft Intune can enforce Endpoint Security profiles and configuration via supported agents independently of the device being managed by MDM or ConfigMgr.Enabling this setting allows supported agents to report the status of applied profiles to Microsoft Intune, and agents will appear in device views and reports relevant to Endpoint Security profile management.

Onboard workgroup windows server to MDE

Now Security Management for Microsoft Defender for Endpoint has been enabled on both sides. For this lab, we have a workgroup windows server. Let's onboard it manually. Refer to this on how to onboard unmanaged devices to MDE.

The onboarding has been completed and the windows server has appeared in the MDE portal. We can see the server is being managed by MDE.

Create AAD Group

In the background, the server automatically got registered to Azure Active Directory. We don't have to do a registered server for AAD. We can see the server in Intune portal as well. Once the device appears in Intune then we can push whatever policy we want to.

To deploy the policy for such devices, create a group and put the device there. We have created a group named MDE_Managed.

Create AV policy

For example, we are creating an AV policy. In the platform we can see, it also supports the windows servers so this policy will be deployed to the windows server without any issues.

Assigned the policy to the newly created group and policy will be applied to the server.

We can see the policy has been deployed successfully.


Security Management for Microsoft Defender for Endpoint is a great feature to deploy policies for unmanaged devices.

Hope this was helpful, contact me on Twitter @sakaldeep for any queries.