Microsoft Endpoint Manager: manage Windows Server via MDE

Microsoft Endpoint Manager Windows Server

Questo articolo è disponibile anche in lingua italiana al seguente link: Microsoft Endpoint Manager: gestire i server tramite MDE –

In Microsoft Endpoint Manager one of the missing points considered critical has always been the lack of server management, both for configurations and for all the security part. In late 2021, Microsoft had begun to show some weird settings that hinted that this gap would soon be bridging.

With Windows 10 and 11, onboarding takes place through integration with Azure AD but since the servers do not have this function, the answer is to use Microsoft Defender for Endpoint.

The new solution is called Unified Endpoint Security and brings your devices present in MDE into Endpoint Manager directly, so that the integration of clients and servers can be managed more easily. The agent who orchestrates everything behind the scenes is called Sense.


In the MDE security settings, select the Enforcement Scope section and enable the Windows Server devices option.

Since this is a preview, you need to tag the computers you want to bring into MEM and to do this you need to add the MDE-Management value.

Since not all settings still support filters, even to have a logical division that I still prefer, it is useful to create a dynamic group of devices based on the server version in order to have a target to which to assign the created rules.

Using the query: (device.deviceOSVersion -contains “10.0.17763”) – in the case of Windows Server 2019.

Azure AD and MEM

After a maximum of one hour, the onboarding situation should be completed and you should be able to see the resource in Azure AD and MEM.

Result in Azure AD
Result in MEM


All the policies to manage the servers are not yet available but certainly the security component has everything already operational. Microsoft Defender, Attack Surface Reduction and the Windows Firewall, have the ability to create rules to be applied also for servers.

In addition, a set of settings that is inherited from MDE will be automatically imported into the antivirus rules to ensure basic Defender security, which can be customized according to business needs.

The reporting also offers the ability to view whether the servers are configured correctly, so that you can easily troubleshoot.


This new feature is certainly essential to increase security, by standardizing management directly from a cloud platform, which allows you to put together hybrid environments quickly and easily.

With the evolution of Microsoft Endpoint Manager, it will probably also be possible to manage the configuration in the future, replacing the classic GPOs.