
Flipping Intune Switches – The Secret Sauce to Smarter Endpoint Security
Simplify device compliance with MDE.
Earlier last week, I was chatting with a user who had already rolled out their Windows devices but felt they weren’t quite squeezing all the juice from their E5 subscription. We were right in the middle of configuring Microsoft Purview and realized we needed Endpoint Data Loss Prevention (DLP) set up. Easy enough, right? Well, not quite.
Turns out, we hit a little snag. Their devices hadn’t been onboarded to Microsoft Defender for Endpoint (MDE) yet. Why? They were using another endpoint security tool. No worries, though; this gave us the perfect chance to explore Passive Mode, connectors, and a couple of sneaky Intune switches that can save your sanity.
Misleading Labels: Why These Settings Deserve a Second Look
Now, one of those toggles, “Connect Windows devices to Microsoft Defender for Endpoint,” sounds like it ropes in every single device across the board, no exceptions. The wording alone had the user understandably concerned. It read like flipping the switch would immediately onboard every device, with no room for piloting or gradual rollout.
One of my favorite parts of my job is getting to hear the customer’s side of the story: why this was a concern for them. Once I had an opportunity to unpack the settings with the user and dig into the actual behavior, we discovered that both toggles are far more flexible than their labels make them seem. Let’s break them down.

Setting One: Let MDE Take the Security Wheel
Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations
This setting lets Microsoft Defender for Endpoint take charge of security settings even on devices that aren’t managed by Intune. That’s right: a device doesn’t need to be enrolled in Intune at all to receive and enforce Security Settings. This opens the door for security teams to manage protection directly through the Defender portal, which keeps your Intune admins out of the weeds and your endpoints properly secured.
Getting Started:
- First, head to Intune > Endpoint Security > Microsoft Defender for Endpoint and flip the switch.
- Then, go to the Microsoft Defender portal > Settings > Endpoints > Enforcement Scope and pick the devices you want to include.
- Want to play it safe? Tag a few test devices with MDE-Management and then scope it to just those tagged machines.
This way, you’re not committing all at once; you’re testing smart.

What does this get us? Well, I’m glad you asked! We can now configure Security Settings in Defender under Configuration Management > Endpoint Security Policies.

Setting Two: Risk Scores Meet Compliance
Here’s the spicy one: “Connect Windows devices to Microsoft Defender for Endpoint for Compliance Policy Evaluation.”
Sure, the name’s a mouthful, but basically, this toggle syncs the device’s Risk Score from Defender right back into Intune. Why is this awesome? Now your compliance policies can react based on actual device risk levels.
Creating a Risk-Aware Compliance Policy
Here’s the recipe:
- Flip on the compliance evaluation setting.
- Create a Compliance Policy in Intune.
- In the policy, set the acceptable risk level. In my example, I’m using Medium.
- Save it and boom! Intune and MDE start syncing like best friends.
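The same recipe done through Microsoft Graph instead of the portal, as an added example that is not from the original post. It assumes the Microsoft.Graph PowerShell module is installed, that you can consent to the listed scopes, and that the policy name and the pilot group id placeholder are yours to replace.

```powershell
# Added example (not from the original post): build the risk-aware compliance
# policy from the recipe above with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the scopes can be consented.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementManagedDevices.Read.All"

# Windows 10/11 compliance policy: require the MDE machine risk score to be
# at or under Medium. A device whose score rises to High becomes non-compliant.
$policy = @{
    "@odata.type"                               = "#microsoft.graph.windows10CompliancePolicy"
    displayName                                 = "MDE Risk Score - Medium or lower"   # constructed name
    description                                 = "Non-compliant when the Defender risk score exceeds Medium"
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"   # unavailable|secured|low|medium|high|notSet
    # Graph requires at least one action for non-compliance; mark the device immediately.
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created compliance policy $($created.id)"

# Assign it to the pilot group only (placeholder id: replace with your own group).
$assign = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = "<PILOT-GROUP-ID>" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Verify the loop: once MDE syncs a High risk score, the pilot device is listed here.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$filter=complianceState eq 'noncompliant'&`$select=deviceName,complianceState,lastSyncDateTime"
(Invoke-MgGraphRequest -Method GET -Uri $uri).value |
    ForEach-Object { [pscustomobject]$_ } |
    Format-Table deviceName, complianceState, lastSyncDateTime
```

The final query is the quick check for the feedback loop described later in the post: a pilot device that just moved to High should appear as noncompliant after its next Intune sync.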
Now, when a device suddenly becomes riskier (say, Medium bumps up to High), Intune flags it instantly as non-compliant, triggering your Conditional Access without anyone lifting a finger.
Risk Score vs. Exposure: What’s the Difference?
It’s easy to mix these up, so let’s clear the air:
- Machine Risk Score: Think of this like your device’s current threat level, based on active alerts and how severe they are.
- Exposure Level: This shows you how well the device is doing overall. Are updates missing, patches ignored, vulnerabilities left wide open? Don’t judge my Exposure Level… it’s a test lab.
If risk goes up, compliance goes down: automatic, easy, and effective.

We can see below that my test device has a few issues, with one incident flagged as high.

What does this now mean? We have a Compliance Policy that checks the machine risk score, and my policy requires a risk score at or under Medium. Now that my device has a risk score of High, it is no longer considered Compliant.

The Beautiful Feedback Loop
Once both settings are enabled, the real magic happens:
- MDE can manage and enforce security settings, even outside Intune.
- Intune reads the risk data and uses it to determine compliance.
- Conditional Access enforces policies based on that compliance.
It’s like having a well-oiled machine keeping things in check without constant babysitting.
Wrapping It Up (With Fewer Headaches)
Admittedly, once this user explained how they read them, it’s clear the toggle names in Intune could use a little help. Once you know what they actually do, though, they open the door to smarter testing, tighter security, and fewer fire drills.
So, go ahead: tag a few pilot devices, flip those switches, and let MDE and Intune handle the heavy lifting. Meanwhile, you can sit back and enjoy a well-deserved cup of coffee.

