Defender / Endpoint Security · Modern Endpoint Guides

🛡️ Microsoft Defender for Endpoint

MDE + Intune Integration Guide

Complete guide to deploying Microsoft Defender for Endpoint via Intune — NGAV, ASR rules, EDR, Automated Investigation & Response, Threat & Vulnerability Management, and Advanced Hunting KQL.

📅 Updated: May 2026 ⏱️ Implementation: 4–8 hours 🎯 Audience: Security Engineers, SOC Teams 📋 License: MDE P1/P2 + Intune P1

📋 Overview & Licensing

MDE provides comprehensive endpoint protection: NGAV stops malware, ASR prevents attack techniques, EDR detects suspicious behavior, and AIR automates investigation and remediation. All managed and deployed via Intune.

🔑 MDE Plan Comparison

Feature	MDE P1	MDE P2
NGAV / Antivirus	✅	✅
ASR Rules	✅	✅
Device Control (USB)	✅	✅
EDR	❌	✅
Automated Investigation (AIR)	❌	✅
Threat & Vulnerability Mgmt	❌	✅
Advanced Hunting (KQL)	❌	✅

📋 License Bundles

MDE P1 → M365 Business Premium, M365 E3
MDE P2 → M365 E5, Defender 365 P2 add-on
Mobile (iOS/Android): Separate MDE mobile license
macOS/Linux: Included in MDE P1/P2
Servers: MDE for Servers license (separate SKU)

🔌 Onboarding via Intune

💻 Windows Onboarding (MDE Connector)

Enable MDE connector in Intune

Intune admin center → Endpoint security → Microsoft Defender for Endpoint → Connect.

Configure Windows onboarding profile

Endpoint security → Endpoint detection and response → Create policy → Windows 10/11 → Onboard MDE.

Assign to All Devices group

Assign the EDR policy to All Windows devices or staged group.

Verify in MDE portal

security.microsoft.com → Devices → should appear within 24 hours of policy applying.

⚙️ MDE Integration Settings

Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations → Enable
Connect Android devices to MDE → Enable
Connect iOS/iPadOS devices to MDE → Enable
Connect Windows devices to MDE → Enable
MDE security settings management enables bi-directional policy sync

📱 iOS/Android MDE App

Deploy Microsoft Defender app via Intune (VPP / managed)
Requires MDE mobile license
App Configuration policy sets onboarding mode
Provides: Web protection (phishing), network protection, jailbreak detection
Risk signals sent to Intune for Conditional Access

🔗 Mobile Threat Defense (MTD)

MDE acts as MTD partner in Intune
Device risk levels: Clear, Low, Medium, High
Compliance policy: Max allowed threat level = Medium
Conditional Access blocks high-risk mobile devices

🍎 macOS Onboarding

Deploy MDE via Intune PKG (VPP or LOB)
Requires system extension approval profile
PPPC (Privacy Preferences) profile for Full Disk Access
Onboarding package from MDE portal → exported as mobileconfig
Supported: macOS 11 (Big Sur) and later

📋 Required Profiles for macOS

System Extensions: Allow MDE kernel extension
Privacy Preferences (PPPC): Full Disk Access for MDE
Network Filter: MDE web protection
Notifications: Allow MDE alerts to appear
Onboarding blob: Activates MDE for the tenant

🦠 NGAV & Antivirus Policy

🛡️ Antivirus Policy Settings

Cloud protection: Enabled (Block at First Sight)
Behavior monitoring: Enabled
Real-time protection: Enabled
PUA protection: Block (Potentially Unwanted Apps)
Submit samples: Send safe samples automatically
Scan type: Quick scan daily; Full scan weekly

🔒 Tamper Protection

Prevents local users/apps from disabling MDE
Enable via Intune: Endpoint security → Antivirus → Tamper protection
Also available via MDE portal (tenant-wide)
Requires MDE onboarding to be active first
Highly recommended for all production devices

⚔️ Attack Surface Reduction (ASR) Rules

Always deploy ASR rules in Audit mode first for 2–4 weeks. Review events in MDE Advanced Hunting before switching to Block mode to avoid application compatibility issues.

🔒 Key ASR Rules

Rule Name	GUID (short)	Recommended Mode
Block Office apps creating executable content	3b576869...	Block
Block Office apps injecting code into other processes	75668c1f...	Block
Block JS/VBS from launching downloaded executables	d3e037e1...	Block
Block credential stealing from LSASS	9e6c4e1f...	Block
Block persistence via WMI event subscription	e6db77e5...	Block
Block untrusted/unsigned processes from USB	b2b3f03d...	Block
Block Adobe Reader from creating child processes	7674ba52...	Block
Block macro obfuscation in Office files	5beb7efe...	Audit → Block

🔍 EDR – Endpoint Detection & Response

🔍 EDR Capabilities

Continuous behavioral monitoring of processes, network, files
Timeline view of all endpoint activity
Alert queue with severity classification
Incident correlation across devices and users
6 months of raw event data stored (MDE P2)
Live response: remote shell to investigate device

⚡ Alert Severity Levels

Critical → Immediate action: ransomware, credentials theft
High → Action within 1 hour: lateral movement, persistence
Medium → Investigate same day: suspicious activity
Low → Review when possible: informational anomalies
Informational → Review in bulk

🤖 Automated Investigation & Response (AIR)

🤖 AIR Process

Alert triggers automatic investigation
MDE collects artifacts: processes, network connections, registry
AI engine determines verdict: Clean / Malicious / Suspicious
Automatic remediation actions proposed
Actions require approval (Semi-Auto) or auto-apply (Full Auto)

⚙️ Automation Level

Level	Behavior
Full automation	All remediation auto-approved
Semi – core folders	Only auto-approve non-critical folder actions
Semi – non-temp	Exclude temp folders from auto-approval
No auto-remediation	All actions require manual approval

Recommended: Start with Semi-automatic automation. Review the Action Center daily for pending approvals. Move to Full automation for trusted device groups after validating accuracy.

🎯 Threat & Vulnerability Management (TVM)

📊 Exposure Score & Secure Score

Exposure Score: 0–100 (lower = better security posture)
Microsoft Secure Score for Devices: 0–100 (higher = better)
Top security recommendations ranked by risk
Vulnerability severity: Critical, High, Medium, Low
CVSS score + exploitability factor

🛠️ TVM Workflow

Review top recommendations

TVM → Security recommendations → Sort by Exposure score impact.

Submit remediation request

Request remediation → Creates task in Intune or ITSM ticket.

Track remediation

TVM → Remediation → Monitor completion status over time.

🔎 Advanced Hunting (KQL)

// Find devices with high-severity alerts in last 7 days
AlertInfo
| where TimeGenerated > ago(7d)
| where Severity == "High" or Severity == "Critical"
| join kind=inner AlertEvidence on AlertId
| summarize AlertCount=count(), UniqueDevices=dcount(DeviceName) by Category, Title
| order by AlertCount desc

// Detect LSASS memory dump attempts
DeviceProcessEvents
| where FileName =~ "procdump.exe" or ProcessCommandLine has "lsass"
| where ProcessCommandLine has_any ("dump", "-ma", "minidump")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

// Suspicious PowerShell commands (encoded)
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "hidden", "bypass")
| where ProcessCommandLine !contains "Intune"  // exclude known Intune scripts
| summarize count() by DeviceName, ProcessCommandLine
| order by count_ desc

// Devices missing critical security updates (TVM)
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
| where IsExploitAvailable == true
| summarize CriticalVulns=count() by DeviceName
| order by CriticalVulns desc
| take 50

📊 Reports & Alerts

🔔 Alert Queue

security.microsoft.com → Incidents & Alerts
Filter by severity, status, assigned
Correlation into incidents
Email notifications configurable

📱 Device Inventory

All onboarded devices with risk level
OS version, last seen, onboarding status
Health status (active/inactive sensor)
Filter: High risk devices

🎯 TVM Dashboard

Exposure score trend over time
Top vulnerable devices
Software with most vulnerabilities
Zero-day vulnerabilities

🔧 Troubleshooting

❌ Common Issues & Fixes

Issue	Cause	Fix
Device not appearing in MDE portal	Onboarding policy not applied or sensor not started	Verify EDR policy applied; check SENSE service running
Sensor health: No data	SENSE service stopped or network issue	sc start SENSE; check connectivity to MDE endpoints
ASR causing app crash	Legitimate app blocked by ASR rule	Add app path as ASR exclusion in Intune
Tamper protection blocking changes	Expected — tamper protection is working	Disable via Intune (not locally) before making changes
AIR not triggering automatically	Automation set to manual; device group exclusion	Check device group automation setting in MDE portal
macOS MDE not starting	Missing Full Disk Access or system extension not approved	Deploy PPPC and System Extensions profiles via Intune

💻 PowerShell & Graph API

# Get MDE onboarding status for all Intune devices
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
Get-MgDeviceManagementManagedDevice |
  Select-Object DeviceName, IsEncrypted, ComplianceState,
    @{N="MDEStatus"; E={$_.ConfigurationManagerClientEnabledFeatures}} |
  Export-Csv "C:\Reports\MDEStatus.csv" -NoTypeInformation

# Get MDE alerts via Defender API
$token = (Get-MgContext).AccessToken
$headers = @{ Authorization = "Bearer $token" }
$alerts = Invoke-RestMethod `
  -Uri "https://api.securitycenter.microsoft.com/api/alerts?`$filter=severity eq 'High'" `
  -Headers $headers

# Isolate a device via MDE API (incident response)
$deviceId = "device-mde-id"
Invoke-RestMethod `
  -Method POST `
  -Uri "https://api.securitycenter.microsoft.com/api/machines/$deviceId/isolate" `
  -Headers $headers `
  -Body (@{ Comment = "Isolating suspected compromised device"; IsolationType = "Full" } | ConvertTo-Json)

# Run antivirus scan on device
Invoke-RestMethod `
  -Method POST `
  -Uri "https://api.securitycenter.microsoft.com/api/machines/$deviceId/runAntiVirusScan" `
  -Headers $headers `
  -Body (@{ Comment = "Scheduled AV scan"; ScanType = "Full" } | ConvertTo-Json)