Microsoft Intune Extends Defender Security Policies to Unenrolled Devices
Intune can now push Defender for Endpoint security policies to unenrolled Windows, macOS, and Linux devices via Entra ID.
INTUNE
7/8/20262 min read
Microsoft Intune took a meaningful step toward closing a long-standing gap in endpoint security coverage on July 7, 2026, when it extended Defender for Endpoint security policy management to devices that were never enrolled in Intune at all. The capability, detailed in updated Microsoft Learn documentation, lets IT admins push antivirus, firewall, and attack surface reduction (ASR) rule configurations to Windows, Windows Server, macOS, and Linux devices that previously sat entirely outside Intune's management reach.
The mechanism relies on Microsoft Entra ID rather than traditional MDM enrollment. Devices receive their security configurations through their Entra ID identity, and Defender for Endpoint enforces those settings locally on the machine. "This scenario extends the Microsoft Intune Endpoint Security surface to devices that aren't capable of enrolling in Intune," Microsoft explained in its documentation. Importantly, the two paths don't overlap: a device that's already enrolled in Intune keeps receiving Defender for Endpoint settings through standard Intune policy, and this new unenrolled path only kicks in for machines that were never enrolled in the first place.
For admins, the practical upside is centralized visibility without centralized enrollment. Policy deployment, compliance status, and device posture can all be tracked from either the Intune admin center or the Defender portal, instead of requiring a separate tool for machines that can't run the Intune agent. That covers a lot of real-world territory: Linux servers, specialty or headless devices, and legacy macOS fleets that IT teams previously managed by hand or simply left on baseline Defender protection because full MDM enrollment wasn't practical or supported.
Turning this on isn't a single toggle. Organizations need to enable the enforcement scope in the Microsoft Defender portal and separately configure Intune to enforce endpoint security settings before policies will actually flow to unenrolled devices. Microsoft also requires Defender for Endpoint licensing, either bundled through Microsoft 365 or as a standalone MDE license, along with supported Defender agent versions and standard connectivity to Microsoft cloud endpoints. Role-based access control still applies throughout, so admins can delegate management of these unenrolled-device policies without handing out broader Intune permissions than a given team actually needs.
For IT teams sitting on a pile of devices that never made it into Intune, whether by design or because they simply couldn't enroll, this closes a real and fairly common gap. It's worth auditing your current Defender-managed-but-unenrolled device inventory this week to see how many machines actually qualify, then piloting the enforcement scope change on a small group before flipping it on tenant-wide. This update also lands right alongside Microsoft's broader July 1 rollout of Intune Suite capabilities into Microsoft 365 E3 and E5, so admins reviewing endpoint security posture this month have more than one reason to revisit their Defender and Intune configuration side by side.
Connect
Stay updated with latest Microsoft blog news
© 2025. All rights reserved.