Part 10 – Configure Microsoft Intune – Windows Defender Advanced Threat Protection

Microsoft has announced ago a new feature in MS Intune few months. You can now use Windows Defender ATP as a compliance for your environment. This means you can give the device access to your corporate resource by the status of Windows Defender ATP, based on risk scores. If the device is not healthy or has to high-risk score in ATP then the access to the resources will be blocked by MS Intune. Windows Defender ATP help prevents security breaches and helps limit the impact within in your organization.

For more information:

Alrighty then, let’s begin!

You need Windows Defender ATP subscription. This subscription has to be connected with MS Intune. These are the steps how to connect with Windows Defender ATP. If you don’t have a Windows Defender ATP subscription, you can create a trial subscription and use this one to connect with your MS Intune environment.


Go to MS Intune portal -> Device compliance -> Windows Defender ATP

Click on the link Connect Windows Defender AP to Microsoft Intune in the Windows Defender Security Center.

Turn on Microsoft Intune connection and click on the Save preference button.

You get this message.

Go back to the MS Intune portal and click on the refresh button. The connection has been made and the status is available. The status will change to Connected later.

Turn on the options Connect Windows devices version… and Block unsupported OS versions. Click on the save button.

The next step is to onboard your test device into Windows Defender ATP. Go to the Windows ATP dashboard/portal:

Click Settings in the menu.

Click Onboarding

You have to change Deployment method to Mobile Device Management/Microsoft Intune. Click on the Download Package button. Save the Zip in Downloads.

Open the ZIP file and extract/copy the XML file and paste it Documents or somewhere else.

Now go to the MS Intune portal. We need to create a new device configuration profile. MS Intune portal -> Device Configuration -> Profiles

Click on the button Create profile.

Name the profile. The platform is Windows 10 and later. Profile type is Windows Defender ATP (Windows 10 Desktop). You get more settings on the right side.

Click on the folder upload a signed configuration… and browse to the XML file.

Enable the other options. Click on the OK button and then on the create button.

Click Assignments, search for the group and click on the select button. Click the save button. The profile is ready and will deploy to your device in a few minutes.

Then we have to make a new compliance policy based on device health. Go back and go to Device compliance -> Policies. Click on the Create Policy button.

You have to give the policy a name. The platform is Windows 10 and later. Click on Device health.

You got few options to choose from:

  • Secured: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
  • Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
  • Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
  • High: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant.

Choose a level and click on the Ok button (twice). Click create to create the policy.

Click Assignments and search for the group. Select the group and click on the save button. The policy will over few minutes applied on the devices.

Go back to the Windows Defender ATP portal. Click Machines list in the menu. Here you have to see your device. If not, then you have to wait longer. The devices must be on this list. The device is now also managed by Windows Defender ATP.

It’s time to test Windows ATP. You can go to this site for testing Windows ATP. Go to Help in Windows ATP dashboard and click on Simulations & tutorials.

Click on the button Copy Simulation script of Scenario 2.

Go back to your device and open Windows PowerShell with administrative privileges.

Copy the script into the PowerShell window on your device. If you are using Hyper-V. Click in the menu on Clipboard -> Type clipboard text.

Hit enter to run the script. You see in few seconds starting Notepad and automatically closed.

The attack is done, injected and running.

Go back to the Windows Defender ATP dashboard and go to Alerts. You see new alerts, these alerts are because of your action. Now, you see how Windows Defender ATP works.

Click on the computer name to get an overview of the machine.

From here you can do some actions to cure the machine of viruses. You can do some action, investigate and review the activity. To go to depth in the details, I will save this for a new blog post later. It’s too much for this blog post right now.

To see more information about the device health state in the All devices view, you can add a column.

Go the Devices -> All Devices. Click on the button Column to add a new column to the view.

Select Device Health State and click on the apply button.

Scroll to the right and you see the new column based on the health level from Windows Defender ATP. Check your compliance if the machine is compliant or not. This is it. The machine gets a state from Windows Defender ATP based on risk level.


This blog was about the integration with MS Intune and Windows Defender ATP. Now you can use a compliance policy based on risk score or level. A machine with a high-risk score is not allowed to use corporate resources. And so, your organization is prevented from spreading out the viruses to your others clients by isolating and blocking the infected ones based on compliance policy and conditional access.

What we did is:
– integrate Windows Defender ATP with MS Intune;
– test Windows Defender ATP and check the alerts;
– made a compliance policy based on Device health state.

The last one, the compliance policy, will be used for Conditional Access to block the device based on the status of the compliance. For that, you can better read this blog post: Configure Microsoft Intune – Windows Defender ATP and Conditional Access

This is it. Thanks for reading my blog post about Windows Defender ATP. If you have any questions or comments about Windows Defender ATP or maybe Microsoft Intune related, don’t hesitate to contact me by email or by posting a comment here below. I am also active on social media and some community forums, like Technet forum, Yammer, and Techcommunity.

Good luck! Take care now, bye bye then…


1 thought on “Part 10 – Configure Microsoft Intune – Windows Defender Advanced Threat Protection

  1. […] I assume you have already integrate Windows Defender ATP with Microsoft Intune and you have tested the integration? The computer gets a risk level state from ATP, right? If not, then you must fix this first. Read this blogpost: Part 10 – Configure Microsoft Intune – Windows Defender Advanced Threat Protection […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: