Endpoint Security configure it with Intune
Security you already own, applied properly. This article explains what each Intune Endpoint security blade does and what Endpoint Security settings you can configure with Intune, which licence unlocks it, and where it pays off. Turn windows security you already own into a consistent, centrally enforced baseline. Switch on the Defender for Endpoint connector, and you add device risk, deep telemetry and response tooling without changing agents on the device.
Never miss an article and subscribe
Licencing
Most Endpoint security settings only need Intune Plan 1.
That’s included with Microsoft 365 E3/E5 and Business Premium for business, and A3/A5 for education. *Business Premium includes Defender for Business (MDE P1), but is capped at 300 users* Intune Plan 1 covers the majority of endpoint security settings, with EPM and advanced analytics requiring add‑ons
Where extra licences apply:
- Conditional Access > Microsoft Entra ID P1 (Business Premium already includes P1).
lets you make access to Microsoft 365 conditional on device compliance. - Endpoint Privilege Management (EPM) > Intune EPM add-on or Intune Suite.
remove local admin while allowing approved elevation with audit and justification. - Microsoft Defender for Endpoint (MDE)
- Plan 1 (P1): pre-breach hardening and visibility; manage Defender AV, Firewall, web and network protection, Attack Surface Reduction, device control, and see basic security posture in the Defender portal.
- Plan 2 (P2): everything in P1 plus Endpoint Detection and Response (EDR) device timeline, incidents, automated investigation and remediation, advanced hunting, live response, device isolation and EDR in block mode (stops threats even when a third-party AV is primary).
- Microsoft 365 E5 (business) and A5 (education) include MDE P2.
Connector note: enabling the Intune ↔ Defender connector costs nothing. It lets Intune onboard devices to MDE and consume device risk in compliance. The depth of investigation you get after onboarding depends on whether you hold P1 or P2.
I have a video covering some of the config in the article.
What each Intune Endpoint security blade covers
Antivirus
What you standardise, cloud-delivered protection, real-time protection, download/IOAV scanning, quick/full scan cadence, security-intelligence update frequency and exclusions. If another AV is present, enable Limited Periodic Scanning so Defender still runs scheduled scans.
When to invest, always, up-to-date protection with no extra agent.
Mill Town High School
The school wants quiet protection on staff and student laptops on and off-site. Enable cloud protection and automatic sample submission, schedule a daily quick scan at 18:00, set intelligence updates every two hours, and avoid broad exclusions. Turn on Limited Periodic Scanning so Defender still does a daily pass even if a STEM image ships with another AV.
Disk encryption
What you enforce: BitLocker for OS, fixed and removable drives; escrow recovery keys to Microsoft Entra ID. You can deny write to an unencrypted USB or require encryption before write.
When to invest, always, data-at-rest and removable-media control are table stakes.
Liver Shipping
Field laptops travel between ports and warehouses. Silent BitLocker protects drives and stores keys in Entra ID. USB policy denies write to unencrypted sticks, allowing write only after BitLocker encrypts the device, reducing accidental data leakage without banning USB outright.
Firewall
What you control: Microsoft Defender Firewall across Domain, Private and Public profiles and any inbound/outbound rules you need. Start with all profiles On, then add only the rules your apps require.
When to invest, always, limits lateral movement and helps contain break-outs.
Mill Town High School
Public profile On for student laptops when they leave the campus network; a small set of outbound rules allow learning platforms, blocking risky peer-to-peer ports.
Endpoint Privilege Management (EPM) (EPM add-on / Intune Suite)
What you control: standard users can request or receive policy-driven elevation for specific installers or tools; every elevation is logged with justification. No need to grant permanent local admin.
When to invest: when removing local admin, but legacy apps still need elevation.
Liver Shipping
Warehouse PCs run a label printer driver that needs elevation during updates. An EPM rule allows the signed installer to elevate silently, while everything else remains standard user.
Endpoint detection and response (MDE onboarding and EDR) (MDE P2 for EDR features)
What it adds: the MDE sensor streams telemetry to the Defender portal. With P2 you gain device timeline, incidents, automated investigation, hunting and EDR in block mode.
When to invest: you want to detect, investigate and respond, not just configure.
Liver Shipping
Security analysts monitor incidents for roaming laptops, run live response on suspicious hosts and isolate compromised devices from the network while investigations run.
App Control for Business (WDAC)
What you control: an allow-list for executables, scripts and drivers. Run in Audit to learn what would be blocked, then Enforce. Ideal for labs and kiosks.
When to invest: shared devices and high-risk roles where you want only approved software to run.
Mill Town High School
ICT suites start in Audit for a term, then switch to Enforce so only approved teaching apps and drivers run during exams.
Attack Surface Reduction (ASR)
What you control: rule-based mitigations that cut common attack paths. Good starters:
Block Office applications from creating child processes
Block executable content from email and webmail clients
Block JavaScript/VBScript from launching downloaded executables
Use advanced protection against ransomware
When to invest: early, set rules to Audit first to find clashes, then Block.
Liver Shipping
Finance and operations are frequent phishing targets. ASR blocks launch of payloads straight from email and webmail, while audit data helps refine exclusions for scanning software.
Account protection
What you control: the Windows Security app experience (hide the tray icon, hide panes, show IT contact), and Windows LAPS and local group membership policies under the same blade.
When to invest: shared devices, labs and any place you want fewer prompts and stronger recovery options.
Mill Town High School
Windows LAPS rotates the built-in Administrator password on lab PCs and stores it in Entra ID. Helpdesk can retrieve a time-limited password for an exam machine, and it resets after use. The tray icon and Family options are hidden on student builds.
Device compliance
What you measure: BitLocker on, Defender real-time protection on, minimum OS, custom settings, and—if the connector is enabled—MDE device risk. Output is Compliant or not compliant per device.
When to invest: always, it turns settings into an access signal.
Liver Shipping
Compliance requires BitLocker, OS at the current baseline and MDE risk ≤ “Medium”. Non-compliant devices are flagged and can be remediated before they reach company data.
Conditional Access (Entra ID P1)
What you enforce: access to Microsoft 365 (and other apps) is conditional on device state, user risk, sign-in risk and location. The most common control requires the device to be marked as compliant.
When to invest: as soon as your compliance policy is stable.
Mill Town High School
Students and staff must use compliant devices to access Teams and OneDrive. The break-glass admin is excluded so the school never locks itself out during a misconfiguration.
Microsoft Defender for Endpoint connector, how it fits the picture
It’s a one-time tenant switch that links Intune and Defender.
Once on, Intune can onboard Windows to MDE without scripts.
Device risk from Defender becomes available to Device compliance, which Conditional Access can then enforce.
The Defender for Endpoint page in Intune shows connection status and last synchronised and lets you set partner-health behaviour (for example, how long Intune will trust risk data if the partner stops responding).
In the Defender portal, you can see Intune as the configuration manager for security settings, keeping policy ownership clear.
Intune does configuration. Defender for Endpoint adds detection and response. Conditional Access turns both into access decisions. Mix and match the licences above to meet your risk and budget.
Use Intune to configure the controls you already own (Defender AV, BitLocker, Firewall, ASR), measure them with Device compliance, and let Conditional Access decide who gets in. If you need detection and response, add Defender for Endpoint P2; if you’re removing local admin, add Endpoint Privilege Management. That’s the entire loop: configure > verify > enforce > respond
Feel free to buy me a coffee to keep this website up and running
Also checkout this article Avoid Microsoft 365 Lockouts with Break Glass Accounts
Tags: Intune, Intune Endpoint security, Security