
Configure MDE + Intune Compliance and App Protection Policy Evaluation (Windows, Android, iOS)

Guide: Enable Compliance and App Protection Policy Evaluation (MDE + Intune), Then Enforce with Conditional Access

This guide continues after you've already enabled the service-to-service connection between Microsoft Defender for Endpoint (MDE) and Microsoft Intune. The goal here is to ensure Intune can consume Defender signals for:

  • Compliance decisions (device risk/health)
  • App protection evaluation (mobile scenarios)
  • Conditional Access enforcement (block or restrict access)

1) Enable Compliance Policy Evaluation (Intune uses Defender signals)

What this does

When you enable these toggles, Intune can evaluate device risk/threat signals from MDE and use them during compliance assessment. This is the bridge between "Defender detected risk" and "Intune marks device noncompliant."

Steps

  1. Go to Intune admin center
    • https://intune.microsoft.com (the older https://endpoint.microsoft.com address redirects there)
  2. Select Endpoint security
  3. Scroll to Setup and select Microsoft Defender for Endpoint
  4. In the details pane, locate Compliance policy evaluation
  5. Enable the platform toggles that apply to your environment, for example:
    • Connect Android devices (v6.0.0 and above) to Microsoft Defender for Endpoint
    • Connect iOS/iPadOS devices (v13.0 and above) to Microsoft Defender for Endpoint
    • Connect Windows devices (10.0.15063 and above) to Microsoft Defender for Endpoint
  6. Select Save

Practical guidance

  • Start with a pilot group first (IT or security test users) before broad rollout.
  • If you do not manage a platform, do not enable its toggle just because it is available.

2) Enable App Protection Policy Evaluation (MAM integration)

What this does

This allows Defender signals to be used with Intune App Protection Policies (MAM) on supported platforms. This is most relevant for Android and iOS/iPadOS.

Steps

  1. Go to Intune admin center
  2. Select Endpoint security
  3. Under Setup, select Microsoft Defender for Endpoint
  4. Scroll to App protection policy evaluation
  5. Enable the platform toggles you use, such as:
    • Connect Android devices to Microsoft Defender for Endpoint
    • Connect iOS/iPadOS devices to Microsoft Defender for Endpoint
  6. Select Save

Practical guidance

  • Not every tenant shows all toggles. That is normal.
  • The toggle only lets the signal flow. The App Protection Policy itself must set Conditional launch > Device conditions > "Max allowed device threat level", and the Microsoft Defender app must be installed and signed in on the device for a threat level to be reported.
  • This is especially useful in BYOD + MAM scenarios where full device enrollment is not required.

3) Create an Intune Compliance Policy (so you can enforce access)

Enabling evaluation toggles is not enough. You still need an actual Compliance Policy that includes Defender risk settings, plus assignments.

Steps

  1. Go to Intune admin center
  2. Select Devices > Compliance policies
  3. Select Create policy
  4. Choose a Platform:
    • Windows 10 and later
    • Android Enterprise
    • iOS/iPadOS
  5. Choose a Profile (varies by platform), then select Create
  6. Basics: name and description, then Next
  7. Compliance settings: configure your organization's requirements

Device Health and Risk: The two settings people confuse

In many policies you may see both:

A) Microsoft Defender for Endpoint: Require the device to be at or under the machine risk score

  • Uses the MDE device risk level, which Defender derives from the number and severity of active alerts on the device. It is not the vulnerability exposure score, so a fully patched device with an active high-severity alert is still high risk.
  • You pick a threshold (Clear, Low, Medium or High); devices whose risk level is above it become noncompliant.

B) Device health: Require the device to be at or under the Device Threat Level

  • Uses the threat level reported through the Mobile Threat Defense (MTD) connector. MDE can be that provider on Android and iOS/iPadOS, alongside third-party MTD partners.
  • Reflects the current threat state the MTD app reports, on a Secured/Low/Medium/High scale.

How to choose in practice

  • If your goal is "Defender risk score drives compliance," start with machine risk score.
  • If your goal is "block devices with active threats," use Device Threat Level.
  • Many orgs test both in pilot, then standardize.

4) Configure Actions for Noncompliance

This is how you operationalize compliance:

  1. In the compliance policy wizard, go to Actions for noncompliance
  2. Add actions such as:
    • Mark device noncompliant (present by default; its schedule in days is the grace period before the device actually becomes noncompliant)
    • Send email to end user (requires a notification message template)
    • Send push notification to end user
    • Remotely lock the noncompliant device (Android, iOS/iPadOS and macOS only; not available for Windows)
    • Add device to retire list
  3. Set the timing per action (immediate vs delayed, in days) based on your support model

Recommendation

  • In pilot: notify first, delay punitive actions.
  • In production: phase enforcement (notify > block access via CA > retire for unmanaged).

5) Assign the Compliance Policy

  1. Go to Assignments
  2. Select the user/device groups in scope
  3. Save the policy

Assignment is where most "it doesn't work" issues come from. If the correct devices are not targeted, compliance will never evaluate.
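Sections 3 to 5 are one procedure, and the same policy can be created, given noncompliance actions and assigned from Microsoft Graph. The following is an added example using the Microsoft.Graph PowerShell module; it is not code from the original guide or from Microsoft. It assumes the module is installed, that $pilotGroupId and $notifyTemplateId are placeholders for your pilot group and an existing Intune notification message template, and that the deviceThreatProtectionEnabled / deviceThreatProtectionRequiredSecurityLevel properties are the Graph counterpart of the portal's "machine risk score" setting (verify in the portal after creation).

```powershell
# Added example, not from the original guide.
# Assumptions: Microsoft.Graph module installed (Install-Module Microsoft.Graph -Scope CurrentUser),
# $pilotGroupId and $notifyTemplateId are placeholders you replace with real object IDs.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$graph            = "https://graph.microsoft.com/beta"
$pilotGroupId     = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot Entra group object ID
$notifyTemplateId = "00000000-0000-0000-0000-000000000000"   # placeholder: Intune notification template ID

# Windows 10 and later compliance policy using the MDE machine risk score.
# Assumed mapping: deviceThreatProtectionRequiredSecurityLevel = "medium" corresponds to
# "Require the device to be at or under the machine risk score: Medium" in the portal.
# Allowed values: secured (Clear), low, medium, high.
$policy = @{
    "@odata.type"                               = "#microsoft.graph.windows10CompliancePolicy"
    displayName                                 = "Pilot - Windows - MDE machine risk"
    description                                 = "Noncompliant when the MDE machine risk score is above Medium"
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"
    scheduledActionsForRule = @(
        @{
            # Intune expects the noncompliance-actions rule to be named PasswordRequired (assumed convention)
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                # Pilot posture from section 4: notify immediately, mark noncompliant only after 3 days
                @{ actionType = "notification"; gracePeriodHours = 0;  notificationTemplateId = $notifyTemplateId; notificationMessageCCList = @() },
                @{ actionType = "block";        gracePeriodHours = 72; notificationTemplateId = "";                notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created compliance policy $($created.id)"

# Section 5: assignment. Without this call the policy exists but never evaluates on any device.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read back the policy with its assignments so you can confirm the threshold and the target group
Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)?`$expand=assignments" |
    Select-Object displayName, deviceThreatProtectionRequiredSecurityLevel,
                  @{ n = "assignedGroups"; e = { $_.assignments.target.groupId } }
```

The final GET is the check that catches the failure mode described above: if assignedGroups is empty, nothing is being evaluated, however correct the threshold looks.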


6) Enforce with Conditional Access (the final control)

Once compliance is working, enforce it:

  1. Go to Microsoft Entra admin center
  2. Navigate to Protection > Conditional Access
  3. Create a policy (typical baseline):
    • Users: target the pilot group (exclude break-glass accounts)
    • Cloud apps: Microsoft 365 or specific apps
    • Grant: Require device to be marked as compliant
  4. Start the policy in Report-only mode and review the sign-in logs (the Report-only tab shows what would have been blocked); switch it to On only after the pilot shows clean results, then keep monitoring sign-ins

This is the full chain:
MDE signals > Intune compliance > Conditional Access enforcement
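The same baseline policy, created in report-only mode first and enforced later, as an added example in the Microsoft.Graph PowerShell module (not code from the original guide or from Microsoft). $pilotGroupId and $breakGlassGroupId are placeholders for your pilot and emergency-access groups; the function name Enable-CaPolicy is this example's own.

```powershell
# Added example, not from the original guide.
# Assumptions: Microsoft.Graph module installed; the two group IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$caBase            = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$pilotGroupId      = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot group
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"   # placeholder: break-glass accounts, always excluded

$policy = @{
    displayName = "Pilot - Require compliant device for Microsoft 365"
    # Report-only: Entra evaluates and logs the decision but blocks nobody. Enforce only after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("Office365") }   # the built-in Office 365 app group
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # "Require device to be marked as compliant"
    }
}

$ca = Invoke-MgGraphRequest -Method POST -Uri $caBase `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created CA policy $($ca.id) in report-only mode"

# Step 2, days later: after the Report-only results in the sign-in logs look right, turn the policy on.
function Enable-CaPolicy {
    param([Parameter(Mandatory)][string]$PolicyId)
    Invoke-MgGraphRequest -Method PATCH -Uri "$caBase/$PolicyId" `
        -Body (@{ state = "enabled" } | ConvertTo-Json) -ContentType "application/json"
}
# Enable-CaPolicy -PolicyId $ca.id
```

Keeping the break-glass exclusion in the same object as the grant control means the two are never created apart; a compliant-device requirement with no exclusion can lock every administrator out if the Intune or Defender connection fails.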


7) Validation checklist (quick)

In Intune

  • Endpoint security โ†’ Microsoft Defender for Endpoint
    • Connection is Available
    • Evaluation toggles are enabled for your platforms

On a test device

  • Device appears in Defender portal
  • Device appears in Intune with expected compliance state
  • Conditional Access sign-in is blocked or allowed based on compliance
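The checklist can be scripted so that each link of the chain is inspected from one place. The block below is an added example (not from the original guide): the tenant-side queries use the Microsoft.Graph PowerShell module, and the last function runs on the Windows test device itself. It assumes the beta mobileThreatDefenseConnectors resource lists the Defender connector with the toggle fields shown, that $testUpn is a placeholder for a pilot user, and that Test-MdeOnboarded is this example's own helper name.

```powershell
# Added example, not from the original guide.
# Assumptions: Microsoft.Graph module installed; $testUpn is a placeholder pilot user;
# the connector fields come from the beta mobileThreatDefenseConnectors resource.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "DeviceManagementManagedDevices.Read.All", `
                        "AuditLog.Read.All", "Directory.Read.All"
$beta = "https://graph.microsoft.com/beta"
$v1   = "https://graph.microsoft.com/v1.0"

# 1) Intune side: connector state and the evaluation toggles from sections 1 and 2.
#    partnerState should be "available" or "enabled"; a stale lastHeartbeatDateTime means the connection is not really live.
(Invoke-MgGraphRequest -Method GET -Uri "$beta/deviceManagement/mobileThreatDefenseConnectors" -OutputType PSObject).value |
    Select-Object id, partnerState, lastHeartbeatDateTime, windowsEnabled, androidEnabled, iosEnabled,
                  androidMobileApplicationManagementEnabled, iosMobileApplicationManagementEnabled |
    Format-List

# 2) Devices currently noncompliant, with last check-in. A lastSyncDateTime days old points at
#    enrollment or targeting, not at Defender. Follows @odata.nextLink so large tenants are paged.
$uri = "$v1/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'" +
       "&`$select=deviceName,operatingSystem,complianceState,lastSyncDateTime"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $page.value | Select-Object deviceName, operatingSystem, complianceState, lastSyncDateTime
    $uri = $page.'@odata.nextLink'
} while ($uri)

# 3) What Conditional Access decided for the pilot user, per policy. result is one of
#    success / failure / notApplied / reportOnlySuccess / reportOnlyFailure / ... so report-only
#    policies are visible here before they are enforced.
$testUpn = "pilot.user@contoso.com"   # placeholder: a pilot user
$signIns = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$v1/auditLogs/signIns?`$top=20&`$filter=userPrincipalName eq '$testUpn'").value
foreach ($s in $signIns) {
    foreach ($p in $s.appliedConditionalAccessPolicies) {
        [pscustomobject]@{
            time      = $s.createdDateTime
            app       = $s.appDisplayName
            device    = $s.deviceDetail.displayName
            compliant = $s.deviceDetail.isCompliant   # what CA saw, which is what matters for the grant
            policy    = $p.displayName
            result    = $p.result
        }
    }
}

# 4) On the Windows test device: is the MDE sensor (Sense) onboarded and running?
#    OnboardingState 1 means the device has completed onboarding; anything else and Intune has no risk signal to use.
function Test-MdeOnboarded {
    $status = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OnboardingState = $status.OnboardingState
        SenseRunning    = ($sense.Status -eq 'Running')
    }
}
Test-MdeOnboarded
```

Run step 4 on the device and steps 1 to 3 from an admin workstation; when step 3 shows isCompliant false but step 2 does not list the device, the compliance policy is not assigned to it and the Defender side is not the problem.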
