Managing Windows Server Defender policies with Intune
- Vlad Johansen
- 5 hours ago
- 5 min read
Hello folks,
I haven’t written blog posts for a while, so it’s about time now. Today’s blog post will be about managing Defender policies on Azure hosted Windows Servers using Intune. If you are already using Microsoft Intune as an endpoint management tool and have servers in Azure, then this blog post should be interesting for you.
Actually, this approach has existed for 2+ years now. I have tested it on two of my Windows Servers hosted in Azure, and it works great.
Let’s start with licensing, as always.
You’ll need at least one Defender for Endpoint or Defender for Business license to activate this feature, and of course you’ll need:
- Defender for Business for Servers, or
- Defender for Endpoint for Servers, or
- Defender for Servers P1 or P2 licenses on your server(s).
Only the following Windows OS versions and scenarios are supported:
- Windows 10 Professional/Enterprise (with KB5023773)
- Windows 11 Professional/Enterprise (with KB5023778)
- Windows Server 2012 R2 with Microsoft Defender for Down-Level Devices
- Windows Server 2016 with Microsoft Defender for Down-Level Devices
- Windows Server 2019 (with KB5025229)
- Windows Server 2019 Core (with the Server Core App Compatibility Feature on Demand installed)
- Windows Server 2022, including Server Core (with KB5025230)
- Windows Server 2025
On domain controllers, one more setting must be enabled in the Defender portal, and some limitations apply.
Source: Microsoft Learn: Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn
Unsupported versions and scenarios
- Windows Server Core 2016 and earlier
- Non-persistent desktops, like Virtual Desktop Infrastructure (VDI) clients
- Azure Virtual Desktop (AVD, formerly Windows Virtual Desktop, WVD)
- 32-bit versions of Windows
In today’s demo, I’ll use my Windows Server 2022 with Defender for Servers P2, which is active on my Azure subscription.
First, we need to activate some features in the Defender portal and the Intune portal. Let’s start with the Defender portal:
Go to security.microsoft.com -> Settings -> Endpoints -> Configuration Management -> Enforcement Scope and enable the platforms for security settings management.

Now, we'll need to choose which OS security settings we want to be able to manage from Intune under Enable configuration management. Choose between "On all devices" or "On tagged devices". If you choose the second option, you'll need to tag the devices with the "MDE-Management" tag.

I chose to manage all OS platforms on all devices.
Important message regarding Domain controllers

Source: Microsoft Learn: Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn
Now, turn ON "Security settings management for Microsoft Defender for Cloud onboarded devices" and press Save.

Now, let's go to the Intune portal.
Go to intune.microsoft.com -> Endpoint Security -> Microsoft Defender for Endpoint and set "Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations" to On if it's not already ON.

Now, if you have Windows Server devices onboarded to MDE directly or via Defender for Servers, they should start to appear in the Intune portal under Windows devices. Please allow up to 24 hours for this process. In my case, it took around an hour.
In the meantime, let’s create dynamic groups. I have already created mine for Windows Servers in MDE.

You can also choose to create separate groups for each OS version—for example, one for 2016, one for 2019, one for 2022, and so on. Then, you’ll need to add an expression like DeviceOSVersion equals 10.0.20348, which corresponds to Windows Server 2022.
Here is a table showing the most commonly used versions:

| Windows Server Version | OS Build | device.deviceOSVersion Value |
| --- | --- | --- |
| Windows Server 2016 | 10.0.14393 | 10.0.14393 |
| Windows Server 2019 | 10.0.17763 | 10.0.17763 |
| Windows Server 2022 | 10.0.20348 | 10.0.20348 |
| Windows Server 2025 (preview) | 10.0.26100 | 10.0.26100 |
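As an added example (not the author's own script), here is how the per-version groups described above can be created with the Microsoft Graph PowerShell SDK, using the build numbers from the table. The group naming scheme and the mail nickname prefix are my assumptions; the `device.managementType -eq "MicrosoftSense"` clause is the attribute Microsoft documents for devices whose management authority is Defender for Endpoint (the author's own group rule is not shown in the post), and `-startsWith` is used instead of an exact match so that an OS version reported with a trailing revision number still matches.

```powershell
# Added example, not from the original post: one Entra ID dynamic device group
# per Windows Server build, restricted to devices managed by Defender for Endpoint.
# Requires the Microsoft.Graph PowerShell SDK and consent to Group.ReadWrite.All.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

# Build numbers taken from the table in the post.
$serverBuilds = [ordered]@{
    'Windows Server 2016' = '10.0.14393'
    'Windows Server 2019' = '10.0.17763'
    'Windows Server 2022' = '10.0.20348'
    'Windows Server 2025' = '10.0.26100'
}

function New-ServerVersionRule {
    param([Parameter(Mandatory)][string]$Build)
    # -startsWith rather than -eq: the attribute may carry a revision suffix
    # (e.g. 10.0.20348.2322), which an exact match on 10.0.20348 would miss.
    # managementType "MicrosoftSense" keeps Intune-enrolled clients out of the
    # group; this matters because client and server releases can share a build
    # line (10.0.26100 is both Windows Server 2025 and Windows 11 24H2).
    return "(device.deviceOSType -eq ""Windows"") and " +
           "(device.managementType -eq ""MicrosoftSense"") and " +
           "(device.deviceOSVersion -startsWith ""$Build"")"
}

foreach ($entry in $serverBuilds.GetEnumerator()) {
    $name = "MDE-$($entry.Key -replace ' ', '-')"   # assumed naming scheme, e.g. MDE-Windows-Server-2022
    $rule = New-ServerVersionRule -Build $entry.Value

    # Idempotent: skip groups that already exist so the script can be re-run safely.
    if (Get-MgGroup -Filter "displayName eq '$name'") {
        Write-Host "Group '$name' already exists, skipping."
        continue
    }

    $group = New-MgGroup -DisplayName $name `
        -Description "$($entry.Key) devices managed by Defender for Endpoint (build $($entry.Value))" `
        -MailEnabled:$false -MailNickname ($name -replace '[^A-Za-z0-9]', '') -SecurityEnabled `
        -GroupTypes 'DynamicMembership' -MembershipRule $rule -MembershipRuleProcessingState 'On'

    Write-Host "Created $($group.DisplayName) ($($group.Id))"
    Write-Host "  rule: $rule"
}
```

Dynamic membership is evaluated asynchronously, so the groups will be empty for a while after creation; check the membership before scoping any policy to them, and keep in mind that a Windows 11 24H2 device managed only by Defender would also satisfy the Server 2025 rule, since the OS type attribute does not distinguish client from server.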
Now, let's check intune.microsoft.com -> Devices -> Windows
As you can see, here are my two Windows Server 2022 devices from Azure, and they show Managed by: MDE instead of Intune. This means the devices are not enrolled in Intune the way Windows 10 or 11 devices can be. They are only onboarded to Defender and synchronized to Intune. In other words, they are managed by Defender. But since we can push Defender policies from Intune as well and the integration is set up, we are now able to manage those settings from here.

You can also see that I can't do anything with this device in the Intune portal; only the Delete button is available.

Now that our devices are successfully synced from Defender to Intune, we can create our test policies and scope them to our new group(s). Remember: be very careful which policies you push to your Windows Servers, especially domain controllers. If you use GPOs, double-check them before you apply policies from Intune.
For this test, I’ll use some simple policies to show you how things work.
After scoping and deploying your policies, please allow up to 90 minutes for them to sync to your devices. You can also trigger a manual sync by going to the Defender portal -> Assets -> Devices -> Find your device -> Open it -> Click the three dots in the upper right corner and choose Policy sync. The speed depends on many factors, but usually it does not take that long.

Wait a few minutes, then go back to the Intune portal, find your device -> Device configuration, and check the status.

Status can also be checked in the Defender portal -> Assets -> Devices -> Find your device -> Open it -> Security policies.

Fun fact: You can create a policy in the Defender portal, and it will be synced to Intune, and the same goes if the policy is created in Intune. BUT, this only applies to policies that are available to create from the Defender portal.
So only those policies, with some limitations:

If you have other policies in Intune that are not among the policy types mentioned above, they will not appear in the policy list in Defender.
More information can be found here: Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn
Now, let's take a look at our server and see if the policies have been applied as Intune states.
AV settings


Let's check the ASR rules with a slightly customized PowerShell script.

Here is a table from Microsoft Learn that translates rule GUIDs to rule names.


Here we have a mismatch: PowerShell shows 19 rules in audit mode, but the Defender portal reports that we have 20, where only 16 are applicable to this server. Good to know!
By the way, I found a helpful table that shows which ASR rules are applicable for each operating system

Source: https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?utm_source=chatgpt.com#asr-rules-supported-operating-systems
Another great fact: you can manage these settings on servers that aren’t even in Azure, as long as they’re onboarded to Defender using a local script, GPO, or MCM. We’ll take a closer look at this in another blog post.
Wrapping up
This is a great way to have a unified portal for managing Defender policies and overseeing the status of all your devices in Defender portal. Best of all, you can combine this method with your existing GPOs, which makes the approach even better!
For the latest information, please check the Microsoft Learn pages!
All the best