What’s New
Later this month, Microsoft will be making architectural updates to the security settings management capabilities in Microsoft Defender for Endpoint that simplify the device enrollment process. These updates include removing Azure Active Directory (AD) join or Hybrid Azure AD join as a pre-requisite for onboarding Windows devices that use security settings management in Defender for Endpoint.
What’s Important to Know
Customers already using this functionality will transition seamlessly to the updated infrastructure, with no impact on existing Windows devices that Defender for Endpoint manages through it. There will be no changes to the device, its identity, or its registration type.
Ensure your Windows devices are up to date to take advantage of these enhancements. Customers who don't use public preview features will continue with the existing settings management experience. To opt in, go to the Microsoft Defender for Endpoint portal and select Settings > Endpoints > Advanced features > Preview features.
In the Microsoft 365 Defender device inventory, you can confirm that a device is using security settings management in Defender for Endpoint by checking the Managed by column. The same value is shown on the device side panel and device page, and it should consistently read MDE.
In the Intune admin center, search for the device name on the All Devices page. The device should appear here as well, with the Managed by field set to MDE.
To ensure that all devices enrolled in security settings management for Microsoft Defender for Endpoint receive policies, create a dynamic Azure AD group whose membership rule matches devices with the "MDEManaged" value in their systemLabels property. Devices managed by Defender for Endpoint are then added to the group automatically, without requiring admins to perform any additional tasks.
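The following PowerShell is an added example, not code from the Microsoft post, showing how to create that dynamic group with the Microsoft Graph PowerShell SDK and confirm that the rule is active. The group display name and mail nickname are illustrative, and the script assumes the Microsoft.Graph.Groups module is installed and the signed-in account can create groups.

```powershell
# Added example (not from the Microsoft post): create the dynamic Azure AD device group
# described above with Microsoft Graph PowerShell. Group name and nickname are assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Membership rule: match any device whose multi-valued systemLabels property contains
# "MDEManaged". Devices enrolled in security settings management carry this label, so
# membership is maintained by Azure AD with no per-device admin action.
$rule = '(device.systemLabels -any (_ -eq "MDEManaged"))'

$group = New-MgGroup -DisplayName "MDE Security Settings Management Devices" `
    -MailNickname "mde-ssm-devices" `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Confirm the rule is attached and processing is switched on. Dynamic membership is
# evaluated asynchronously, so devices can take a while to show up as members.
Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Once processing has completed, list the device objects that matched the rule.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties.displayName }
```

Target this group with your endpoint security policies in the Intune admin center; because membership is rule-driven, newly enrolled devices pick up the policies without anyone editing the group by hand. If a device shows Managed by MDE in the inventory but is missing from the group, check that its systemLabels value is present and that MembershipRuleProcessingState is still "On".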
Key points from the article:
- Microsoft will be making architectural updates to the security settings management capabilities in Microsoft Defender for Endpoint
- These updates will simplify the device enrollment process and remove Azure Active Directory (AD) join or Hybrid Azure AD join as a pre-requisite for onboarding Windows devices
- Ensure Windows devices are up to date to take advantage of these enhancements
- Existing Windows devices managed by Defender for Endpoint will seamlessly transition to the updated infrastructure with no impact
- Create a dynamic Azure AD group based on the systemLabels property containing the “MDEManaged” value to ensure all enrolled devices receive policies
From the Microsoft 365 Blog