Manage Microsoft Defender for Endpoint with Intune

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

We recommend using Microsoft Endpoint Manager, which includes Microsoft Intune (Intune) to manage your organization's threat protection features for devices (also referred to as endpoints). Learn more about Endpoint Manager.

This article describes how to find your Microsoft Defender for Endpoint settings in Intune, and lists various tasks you can perform.

Find your Microsoft Defender for Endpoint settings in Intune

Important

You must be a global administrator or service administrator in Intune to configure the settings described in this article. To learn more, see Types of administrators (Intune).

  1. Go to the Azure portal (https://portal.azure.com) and sign in.

  2. Under Azure Services, choose Intune.

  3. In the navigation pane on the left, choose Device configuration, and then, under Manage, choose Profiles.

  4. Select an existing profile, or create a new one.

Configure Microsoft Defender for Endpoint with Intune

The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.

Task Resources to learn more
Manage your organization's devices using Intune to protect those devices and data stored on them Protect devices with Microsoft Intune
Integrate Microsoft Defender for Endpoint with Intune as a Mobile Threat Defense solution
(for Android devices and devices running Windows 10 or later)
Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune
Use Conditional Access to control the devices and apps that can connect to your email and company resources Configure Conditional Access in Microsoft Defender for Endpoint
Configure Microsoft Defender Antivirus settings using the Policy configuration service provider (Policy CSP) Device restrictions: Microsoft Defender Antivirus

Policy CSP - Microsoft Defender for Endpoint
If necessary, specify exclusions for Microsoft Defender Antivirus

Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.
Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows

Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices

Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019
Configure your attack surface reduction rules to target software behaviors that are often abused by attackers

Configure your attack surface reduction rules in audit mode at first (for at least one week and up to two months). You can monitor status using Power BI (get our template), and then set those rules to active mode when you're ready.
Audit mode in Microsoft Defender for Endpoint

Endpoint protection: Attack Surface Reduction

Learn more about attack surface reduction rules

Tech Community blog post: Demystifying attack surface reduction rules - Part 1
Configure your network filtering to block outbound connections from any app to IP addresses or domains with low reputations

Network filtering is also referred to as network protection.

Make sure that Windows 10 devices have the latest antimalware platform updates installed.
Endpoint protection: Network filtering

Review network protection events in Windows Event Viewer
Configure controlled folder access to protect against ransomware

Controlled folder access is also referred to as antiransomware protection.
Endpoint protection: Controlled folder access

Enable controlled folder access in Intune
Configure exploit protection to protect your organization's devices from malware that uses exploits to spread and infect other devices

Exploit protection is also referred to as Exploit Guard.
Endpoint protection: Microsoft Defender Exploit Guard

Enable exploit protection in Intune
Configure Microsoft Defender SmartScreen to protect against malicious sites and files on the internet.

Microsoft Edge should be installed on your organization's devices. For protection on Google Chrome and FireFox browsers, configure exploit protection.
Microsoft Defender SmartScreen

Device restrictions: Microsoft Defender SmartScreen

Policy settings for managing SmartScreen in Intune
Configure Microsoft Defender Firewall to block unauthorized network traffic flowing into or out of your organization's devices Endpoint protection: Microsoft Defender Firewall

Microsoft Defender Firewall with Advanced Security
Configure encryption and BitLocker to protect information on your organization's devices running Windows Endpoint protection: Windows Encryption

BitLocker for Windows 10 devices
Configure Microsoft Defender Credential Guard to protect against credential theft attacks For Windows 10, Windows Server 2016, and Windows Server 2019, see Endpoint protection: Microsoft Defender Credential Guard

For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2
Configure Microsoft Defender Application Control to choose whether to audit or trust apps on your organization's devices

Microsoft Defender Application Control is also referred to as AppLocker.
Deploy Microsoft Defender Application Control policies by using Microsoft Intune

Endpoint protection: Microsoft Defender Application Control

AppLocker CSP
Configure device control and USB peripherals access to help prevent threats in unauthorized peripherals from compromising your devices Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune

Configure your Microsoft Defender Security Center

If you haven't already done so, configure your Microsoft Defender Security Center (https://securitycenter.windows.com) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.

You can also configure whether and what features end users can see in the Microsoft Defender Security Center.

Next steps