We recommend using Microsoft Endpoint Manager, which includes Microsoft Intune (Intune) to manage your organization’s threat protection features for devices (also referred to as endpoints). Learn more about Endpoint Manager.
This article describes how to find your Microsoft Defender for Endpoint settings in Intune, and lists various tasks you can perform.
Find your Microsoft Defender for Endpoint settings in Intune
Important
You must have either the global administrator or service administrator role assigned in Intune to configure the settings described in this article. To learn more, see Types of administrators (Intune).
- Go to the Azure portal (https://portal.azure.com) and sign in.
- Under Azure Services, choose Intune.
- In the navigation pane on the left, choose Device configuration, and then, under Manage, choose Profiles.
- Select an existing profile, or create a new one.
Tip
Need help? See Using Microsoft Defender for Endpoint with Intune.
Configure Microsoft Defender for Endpoint with Intune
The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don’t have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
| Task | Resources to learn more |
|---|---|
| Manage your organization's devices using Intune to protect those devices and the data stored on them | Protect devices with Microsoft Intune |
| Integrate Microsoft Defender for Endpoint with Intune as a Mobile Threat Defense solution (for Android devices and devices running Windows 10 or Windows 11) | Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune |
| Use Conditional Access to control the devices and apps that can connect to your email and company resources | Configure Conditional Access in Microsoft Defender for Endpoint |
| Configure Microsoft Defender Antivirus settings using the Policy configuration service provider (Policy CSP) | Device restrictions: Microsoft Defender Antivirus |
| If necessary, specify exclusions for Microsoft Defender Antivirus<br>Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios. Every exclusion you add is a gap in coverage: malware dropped into an excluded path, or launched under an excluded process name, is not scanned. Keep exclusions as narrow as possible (a specific file or process rather than a whole drive or file extension) and review them periodically. | Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows<br>Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 and Windows 11 devices<br>Configure Microsoft Defender Antivirus exclusions on Windows Server 2016, 2019, or 2022 |
| Configure your attack surface reduction rules to target software behaviors that are often abused by attackers<br>Configure your attack surface reduction rules in audit mode at first (for at least one week and up to two months). Audit mode records what each rule would have blocked without actually blocking it, so you can identify line-of-business applications that trip a rule before users are affected. You can monitor status using Power BI (get our template), and then set those rules to block mode when you're ready. | Audit mode in Microsoft Defender for Endpoint<br>Endpoint protection: Attack Surface Reduction<br>Learn more about attack surface reduction rules<br>Tech Community blog post: Demystifying attack surface reduction rules – Part 1 |
| Configure your network filtering to block outbound connections from any app to IP addresses or domains with low reputations<br>Network filtering is also referred to as network protection. Make sure that Windows 10 and Windows 11 devices have the latest antimalware platform updates installed. | Endpoint protection: Network filtering |
| Configure controlled folder access to protect against ransomware<br>Controlled folder access is also referred to as antiransomware protection. | Endpoint protection: Controlled folder access |
| Configure exploit protection to protect your organization's devices from malware that uses exploits to spread and infect other devices<br>Exploit protection is one component of Microsoft Defender Exploit Guard, alongside attack surface reduction rules, network protection, and controlled folder access. | Endpoint protection: Microsoft Defender Exploit Guard |
| Configure Microsoft Defender SmartScreen to protect against malicious sites and files on the internet<br>SmartScreen protects Microsoft Edge, which should be installed on your organization's devices. For equivalent web protection in Google Chrome, Firefox, and other browsers, configure network protection, which applies the same reputation checks to outbound connections regardless of the browser or app that makes them. | Microsoft Defender SmartScreen |
| Configure Microsoft Defender Firewall to block unauthorized network traffic flowing into or out of your organization's devices | Endpoint protection: Microsoft Defender Firewall |
| Configure encryption and BitLocker to protect information on your organization's devices running Windows | Endpoint protection: Windows Encryption |
| Configure Microsoft Defender Credential Guard to protect against credential theft attacks | For Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022, see Endpoint protection: Microsoft Defender Credential Guard<br>For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, which don't support Credential Guard, see Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2 |
| Configure Microsoft Defender Application Control to choose whether to audit or trust apps on your organization's devices<br>Microsoft Defender Application Control (also known as Windows Defender Application Control, WDAC) is a separate feature from AppLocker, the older application allow-listing feature. The two are often confused, but they use different policy formats and are configured through different Intune settings. | Deploy Microsoft Defender Application Control policies by using Microsoft Intune |
| Configure device control and USB peripherals access to help prevent threats in unauthorized peripherals from compromising your devices | Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune |
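The table above describes what to configure in Intune; it doesn't show how to confirm that a profile actually took effect on a device. The following script is an added example, not part of the original article or of any Microsoft tooling. Run it in an elevated PowerShell session on a Windows 10 or Windows 11 endpoint after the Intune profile has synced. It uses only the built-in Defender cmdlets (`Get-MpPreference`, `Get-MpComputerStatus`) and the Defender operational event log to report platform health, the attack surface reduction rules and their modes, network protection and controlled folder access state, every configured exclusion, and a summary of ASR audit (event 1122) and block (event 1121) events from the last seven days, which is the data you review before moving rules from audit to block mode. The rule names in the `$AsrRuleNames` map are a hand-picked subset taken from Microsoft's published ASR rule reference, and the event data field names (`ID`, `Path`, `Process Name`) are assumptions based on that log's current schema; verify both against the documentation for your platform version.

```powershell
# Added example (not from the original article): report the effective Defender
# state on an endpoint so you can compare it with the Intune profile you pushed.
# Requires an elevated session. Rule GUIDs are a subset of Microsoft's published
# ASR rule list (assumed current; verify against the ASR rule reference).
$AsrRuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
}
# Values of AttackSurfaceReductionRules_Actions as exposed by Get-MpPreference
$AsrModes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# 1. Platform health: the "latest antimalware platform updates" advice in the table
Write-Host '== Defender platform ==' -ForegroundColor Cyan
[pscustomobject]@{
    AMServiceEnabled   = $status.AMServiceEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtection   = $status.IsTamperProtected
    PlatformVersion    = $status.AMProductVersion
    EngineVersion      = $status.AMEngineVersion
    SignatureAgeDays   = $status.AntivirusSignatureAge
} | Format-List

# 2. ASR rules: which rules are configured and whether each is Audit or Block
Write-Host '== Attack surface reduction rules ==' -ForegroundColor Cyan
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$asr = for ($i = 0; $i -lt $ids.Count; $i++) {
    $key = $ids[$i].ToLower()
    [pscustomobject]@{
        RuleId = $key
        Name   = if ($AsrRuleNames.ContainsKey($key)) { $AsrRuleNames[$key] } else { '(see ASR rule reference)' }
        Mode   = $AsrModes[[int]$acts[$i]]
    }
}
if ($asr) { $asr | Format-Table -AutoSize } else { Write-Host 'No ASR rules configured on this device.' }

# 3. The other Exploit Guard components the table covers (0 Disabled, 1 Block, 2 Audit)
Write-Host '== Network protection / controlled folder access ==' -ForegroundColor Cyan
[pscustomobject]@{
    NetworkProtection      = $pref.EnableNetworkProtection
    ControlledFolderAccess = $pref.EnableControlledFolderAccess
    CfaProtectedFolders    = (@($pref.ControlledFolderAccessProtectedFolders) -join '; ')
} | Format-List

# 4. Exclusions: each one is a coverage gap, so list them explicitly for review
Write-Host '== Antivirus exclusions ==' -ForegroundColor Cyan
$exclusions = foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    foreach ($e in @($pref.$kind)) { [pscustomobject]@{ Type = $kind; Value = $e } }
}
if ($exclusions) { $exclusions | Format-Table -AutoSize } else { Write-Host 'No custom exclusions configured.' }

# 5. ASR activity in the last 7 days: event 1122 = audited, 1121 = blocked.
#    Grouped by outcome, rule and process so that a noisy rule stands out
#    before you flip it from audit to block mode.
Write-Host '== ASR audit/block events (last 7 days) ==' -ForegroundColor Cyan
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$events | ForEach-Object {
    # Field names below are assumed from the event's EventData schema; check with
    # ($events[0].ToXml()) if your platform version names them differently.
    $x = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Outcome = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
        RuleId  = $data['ID']
        Process = $data['Process Name']
        Target  = $data['Path']
    }
} | Group-Object Outcome, RuleId, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Compare the ASR table with the rules and modes defined in the Intune profile; a rule that is absent or still reported as Audit after the intended switch to block mode usually means the profile hasn't applied to that device or has been overridden by a conflicting policy. Audit events that repeatedly name the same legitimate process and rule are the candidates for a targeted ASR exclusion, which is narrower than an antivirus exclusion and should be preferred over simply leaving the rule in audit mode.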
Configure your Microsoft 365 Defender portal
If you haven’t already done so, configure your Microsoft 365 Defender portal to view alerts, configure threat protection features, and view detailed information about your organization’s overall security posture. See Microsoft 365 Defender. You can also configure whether and what features end users can see in the Microsoft 365 Defender portal.