Manage security settings for Windows, macOS, and Linux natively in Defender for Endpoint

As advanced threats such as ransomware continue to increase in velocity, and sophistication, organizations are evolving their endpoint security strategies away from point solutions to a more holistic security approach focused on vendor consolidation. At the same time, we continue to see a gap between security and IT teams to achieve a seamless and effective operating model for effective endpoint security.

While many endpoint security solutions now provide some level of endpoint management experience that include capabilities such as device inventory and policy authoring, they are often disconnected from the tools IT teams use to do many of the same things. This combination leads to a lack of visibility and coordination among these two groups, leaving too much room for security gaps to grow.

Microsoft believes organizations can protect their endpoints more effectively by bringing their security and IT teams closer together. Today we are excited to announce the public preview of a unified security settings management experience that offers a consistent, single source of truth for managing endpoint security settings across Windows, macOS, and .  It is built into the Microsoft 365 portal, and therefore easily accessible for security teams, but built on the powerful capabilities of Microsoft Intune.

Starting today, customers will benefit from a host of new capabilities:

  • Native security settings management capabilities in for Endpoint that support Windows, macOS, and
  • Existing endpoint security policies are automatically ingested in the Microsoft 365 portal
  • Create and edit AV policies directly from the Microsoft 365 Defender portal
  • Policies are automatically synced with Microsoft Intune to ensure coordination between IT and Security teams for organizations who use Intune as a full management suite.
  • A new list on the device page, that shows all security policies and their settings
  • Simplified device onboarding: Removal of Azure Active Directory hybrid join as a management prerequisite

Cross-platform support

Security administrators can now use the security settings management capabilities in Defender for Endpoint to manage their security configuration settings across Windows, macOS and Linux devices without the need for separate management tools, or updates to IT resources.

Managing security policies in the Microsoft 365 Defender portal

Up until today, security administrators were required to use additional tools to manage their endpoint security settings, which can slow down response. The new integration of Microsoft Intune's endpoint security experience into the Microsoft Defender for Endpoint bridges this gap to help organizations better protect themselves by operating from a single portal.

While Microsoft Intune is not a requirement, the seamless sync offers additional benefits for organizations using both products. All data is shared, always in sync and therefore ensures that IT and security teams share single source of truth for both IT administrators using Microsoft Intune and Security administrators – thanks to this integration, both administrators will see the same data between their portals, preventing confusion, misconfigurations and potential security gaps.

Simplified device onboarding

For organizations that wanted to use security settings management capabilities in the past, Defender for Endpoint required all devices to fully register with . This required fixing of pre-existing misconfigurations that prevented devices from successfully joining their identity inventory. Starting today, devices no longer need to be joined to the organizations and can instantly be managed with Defender for Endpoint. This significantly simplifies the onboarding process and security settings can be deployed to all in-scope devices immediately.

Let's take a look at the new, integrated experience.

Manage your security policies

View all your Intune security policies directly in the Microsoft 365 Defender portal by going to > Endpoint Security Policies. You can filter the list as well as search for specific policies using the built-in ‘filter' and ‘search' capabilities.

Image 1: Security policy interface in the Microsoft 365 Defender portalImage 1: Security policy interface in the Microsoft 365 Defender portal

AV policies for Windows, Linux and MacOS can be created from the portal.

Image 2: Create a new policyImage 2: Create a new policy

The device page includes a list of received policies, as well as their respective settings and status:

Image 3: New device pageImage 3: New device page

With this update we want to make sure that the transition is seamless for all existing customers. Here is how the transition will work:

  • All Windows devices that previously used this management feature, will seamlessly transition to use the new, lightweight mechanism.
  • Devices that were previously managed by Defender for Endpoint but had enrollment errors will now seamlessly be enrolled.
  • Devices that are already fully registered with and are receiving policies, will remain registered to Azure AD and continue to receive policies.

Get started today!

While this change doesn't require any immediate administrative action, you can take the following actions to prepare for this upgrade:

Step 1: Turn on preview features

Make sure you have preview features enabled in order to use Native Security Settings Management for Microsoft Defender for Endpoint

  1. In the Microsoft 365 Defender portal navigation pane, select Settings > Endpoints > Advanced features > Preview features.
  2. Toggle the setting On and select Save preferences.

Step 2: Review how Settings Management for Microsoft Defender for Endpoint is configured 

We recommend navigating to the Microsoft 365 Defender portal and reviewing which devices you intend to manage using by Defender for Endpoint at Settings > Endpoints > > Enforcement scope. Make sure the feature is turned on, and that for each Operating System, your management preferences have been configured accurately. Advanced configuration options which were available until today remain effective and are outlined in our main documentation.

Image 4: Security settings management configurationImage 4: Security settings management configuration

Step 3: Create a dynamic AAD group to automatically target devices with policies

To ensure that all endpoints enrolled with security settings management capabilities for Defender for Endpoint receive policies, we recommend creating a dynamic Azure AD group based on the devices' OS Type. Note that you can now also dynamically group servers in Azure AD.

By targeting security policies to these dynamic Azure AD groups, all devices managed by Defender for Endpoint will automatically be protected – without requiring admins to perform any additional tasks like creating a new policy or fine tuning existing ones.

Important :
If until today you've been creating dynamic Azure AD groups based on the “MDEManaged” or “MDEJoined” system labels, these are currently not supported for new devices that enroll using Defender for Endpoint settings management. If you still intend to dynamically group devices in Azure AD based on this criterion, we recommend using the “Management Type = microsoftSense” attribute instead.

More information:


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.