question

No. If the workload is switched for a device but there is no Intune enforced policy for Windows Defender, then the ConfigMgr agent will continue to enforce the assigned Defender policy from ConfigMgr. From memory, you'll be able to see evidence of this in the comanagementhandler.log.

Hi @BojanZivkovic-7448,

Haven't heard from you for some time, is Jason's answer helpful to you? If it is helpful, please accept answer. It will make someone who has the similar issue easily find the answer.

If you have any other issues, please don't hesitate to let us know.

Thanks and have a nice day.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

In case of conflict I guess Intune end will take precedence (if managing workload)? What about settings not conflicting with each other (for instance something defined in MECM but not in Intune - will they merge)?

In case of conflict I guess Intune end will take precedence

If the workload is set to Intune, yes, Intune will win -- that's the point of the workload slider.

will they merge

No, never, As noted, that's the entire point of an admin configurable workload using the sliders.

Since I am mostly concerned here about devices being outside the LAN most of the time, is implementing CMG waste of time and money for companies having Intune too? What I do not really like in Intune is handling 3rd party apps updates (we use Patch My PC Publishing Service internally and it works fine with MECM) but having CMG just for 3rd party apps updates looks like overkill. We have strong emphasis on security so having OS and apps up to date is top priority.