Defender for Endpoint

Configure Microsoft Defender for Endpoint (MDE) integration with Intune. Onboard devices for advanced threat protection, endpoint detection and response, and threat vulnerability management.

Onboarding

Enable connection in Microsoft 365 Defender portal
Configure Intune to use MDE risk signals
Deploy onboarding profiles to devices
Verify devices appear in Defender portal

Platform Support

Platform	Onboarding Method
Windows 10/11	Intune configuration profile
macOS	Intune configuration profile
Linux	Script-based onboarding
iOS	Microsoft Defender app
Android	Microsoft Defender app

Threat and Vulnerability Management

Software vulnerabilities with known CVEs
Security recommendations for remediation
Exposed devices with critical vulnerabilities
Security score metric

Device Risk Levels

Level	Description
Clear	No active threats
Low	Low-severity threats
Medium	Medium-severity threats
High	High-severity or active threats

Compliance Integration

Use MDE risk signals in Intune compliance policies:

Set maximum allowed device risk level
Non-compliant devices blocked via Conditional Access
Risk level updated in real time

Sample Submission

Send all samples — Maximum detection coverage
Send safe samples — Non-personal files only
Always prompt — User approval required
Never send — Not recommended

Web Protection

Block malicious websites
Phishing protection with SmartScreen
Custom URL block lists

Best Practices

Onboard all managed devices
Integrate MDE risk signals with compliance
Enable automated investigation and remediation
Review vulnerability management recommendations
Configure web protection for phishing prevention

API Reference

GET /api/devices/security/defender-atp/status — Get onboarding status
GET /api/devices/security/defender-atp/alerts — Get alerts
GET /api/devices/security/defender-atp/vulnerabilities — Get vulnerabilities
POST /api/devices/security/defender-atp/onboard — Deploy onboarding

Last updated on February 13, 2026

BitLocker Keys Disk Encryption