
0 Votes
BGTech88 asked LuDaiMSFT-0289 commented

AzureAAD-MDE- Security Management for Microsoft Defender for Endpoint mis-scope

While setting up the process listed here https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/security-config-management?view=o365-worldwide
the scope of devices that the policy should apply to was wider than intended. As such, many devices were AAD Joined or Hybrid Joined that should not have been. The scope has been changed which caused the devices to be removed from Intune, however, reducing the scope of the policy has not changed the device status within AAD.

Is there a recommended method to remove these devices' AAD status/enrollment without affecting them within the production environment?

Thanks in advance.

Tags: mem-intune-enrollment, azure-ad-domain-services

1 Answer

1 Vote
LuDaiMSFT-0289 answered LuDaiMSFT-0289 commented

@BGTech88 Thanks for posting in our Q&A. From the article, it seems there is no setting that will remove Intune devices.

To clarify this issue, we appreciate your help to collect some information:
1. Please make sure that the device is enrolled in Intune before you configure Security Management.
2. Could you please clarify which setting you used to reduce the scope of the policy?
3. Please check if these target devices are listed in the Azure AD portal. If possible, please show a screenshot of the device.
200089-image.png
Note: please hide the private information.

If there is any update, feel free to let us know.


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




Hey @LuDaiMSFT-0289 ,
Thank you for responding.

  1. There have not been any configurations to the Security Management for these devices.

  2. Initially the scope was set for Windows Client Devices and Pilot Mode. This has been changed to just Pilot Mode.

  3. Here is what I am seeing on these devices now in AAD
    200325-image.png


0 Votes
image.png (12.5 KiB)

@BGTech88 Thanks for your update. Generally, when we configure Microsoft Defender for Endpoint configuration settings, the device will show "MDE" under "Managed by" in the Intune portal.
https://www.petervanderwoude.nl/post/getting-started-with-security-management-for-microsoft-defender-for-endpoint/
Note: Non-Microsoft link, just for the reference.

Honestly, I couldn't repeat this issue in my lab with the limited resources available. Given this situation, it is suggested to create an online support ticket to find the root cause. Here is the support link:
https://docs.microsoft.com/en-us/mem/get-support

Thanks for your understanding and hope everything goes well with you.

1 Vote
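The answer above asks the poster to check which of the affected devices are still listed in Azure AD. The following is an added, read-only audit script (not part of the thread, and not Microsoft's guidance) that produces that inventory from the command line so the unintended join scope can be reviewed before any cleanup is decided. It assumes the Microsoft Graph PowerShell SDK is installed and the caller has the `Device.Read.All` permission; the output file name is an arbitrary choice.

```powershell
# Added example, not from the original thread.
# Purpose: inventory Azure AD device objects by join type and Intune management state,
# so an administrator can see which devices were joined by the wider-than-intended
# policy scope but are no longer managed after the scope was reduced.
# Assumes: Microsoft.Graph PowerShell SDK installed; caller holds Device.Read.All.
Connect-MgGraph -Scopes "Device.Read.All"

# Only request the properties the report needs.
$devices = Get-MgDevice -All -Property "id,displayName,trustType,isManaged,managementType,operatingSystem,approximateLastSignInDateTime"

$report = foreach ($d in $devices) {
    # Map the Graph trustType value to the join type shown in the Azure AD portal.
    $joinType = switch ($d.TrustType) {
        'AzureAd'   { 'Azure AD joined' }
        'ServerAd'  { 'Hybrid Azure AD joined' }
        'Workplace' { 'Azure AD registered' }
        default     { $d.TrustType }
    }

    [pscustomobject]@{
        DisplayName    = $d.DisplayName
        JoinType       = $joinType
        IsManaged      = $d.IsManaged            # $false after Intune enrollment is gone
        ManagementType = $d.ManagementType       # e.g. MDM while enrolled
        OS             = $d.OperatingSystem
        LastSignIn     = $d.ApproximateLastSignInDateTime
        ObjectId       = $d.Id
    }
}

# Summary: how many devices sit in each join type / managed combination.
$report | Group-Object JoinType, IsManaged |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Candidates matching the symptom in the thread: joined to Azure AD but no longer managed.
$report | Where-Object { $_.JoinType -ne 'Azure AD registered' -and -not $_.IsManaged } |
    Sort-Object LastSignIn |
    Format-Table DisplayName, JoinType, IsManaged, ManagementType, LastSignIn -AutoSize

# Keep a record for the support ticket (file name is an arbitrary choice).
$report | Export-Csv -Path .\aad-device-scope-audit.csv -NoTypeInformation
```

The script deliberately reads only; deciding whether an unmanaged, still-joined device object should be removed is a production change that the thread leaves to a support ticket, and having the exported list attached to that ticket is what makes the root-cause discussion concrete.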