Azure Arc-Enabled Windows Servers managed by MDE - AV Policies Stuck "Pending" for 5 days

SysTek 51 Reputation points
2025-03-25T14:49:10.61+00:00

We have about 45 Windows servers ranging from Server 2012 to Server 2025 added into Azure Arc. These servers are enrolled in MDE management, which is confirmed working. Our initial test deployment of 6 Windows VMs received all AV policies successfully.

On Thursday morning last week, we added the remaining 39 Windows server Intune objects to the Entra group assigned to the MDE AV policy and Attack Surface Reduction policy. All 39 of those VMs are still not receiving the policies, show no conflicts, and have the policy status as "pending" in Intune. I have run the client analyzer tool on a selection of working and not working VMs and found the results to be identical. There were no errors shown in either test. Running Get-MpComputerStatus on working and non-working VMs also shows the same results. The VMs have all checked in with Intune within the last 24 hours.

The VMs are also receiving the AV Exclusion policies and Security Experience policies without issue. This is only a problem with the AV policy and Attack Surface Reduction policies.

Any ideas as to what is happening or tests I can run?


1 answer

  1. Crystal-MSFT 53,821 Reputation points Microsoft External Staff
    2025-03-26T02:05:01.8366667+00:00

    @SysTek, Thanks for posting in Q&A. From your description, I know the 39 Windows servers show pending status on the AV policy and Attack Surface Reduction policy.

    Based on my checking, this applies to Windows Server 2012 R2 and later. Windows Server 2012 will be affected. Please upgrade to a supported version.

    https://learn.microsoft.com/en-us/intune/intune-service/protect/mde-security-integration

    When a device receives a policy, the Defender for Endpoint components on the device enforce the policy and report on the device's status. For Pending status, it seems the device status isn't reported back from the device.

    Please ensure access to the following endpoint is allowed:

    • *.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.

    In addition, I find there's an issue where the AllowOnAccessProtection and DisableLocalAdminMerge settings might at times require end users to restart their devices for these settings to update. Please restart your affected device to see if the status will be changed.

    Please try the above suggestion to see if it can work.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
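The question says Get-MpComputerStatus looks identical on working and pending servers, and the answer points at endpoint reachability, local admin merge and whether status is being reported back. The helper below is an added example for collecting those items into one object per server so a working and a pending server can be diffed side by side; it is not code from the thread or from Microsoft. It uses only documented cmdlets (Get-MpComputerStatus, Get-MpPreference, Get-Service, Test-NetConnection, Get-CimInstance). The HKLM:\SOFTWARE\Microsoft\SenseCM registry key is an assumed location for the security settings management enrollment marker and its raw value is reported without interpretation, and the host name under the *.dm.microsoft.com wildcard is a placeholder that must be replaced with the concrete name seen in your proxy or firewall logs.

```powershell
# Added diagnostic helper (not from the thread or from Microsoft). Run on each server
# with an elevated PowerShell; the Defender cmdlets are available on Server 2012 R2+.
function Get-MdeArcPolicyDiagnostics {
    [CmdletBinding()]
    param(
        # PLACEHOLDER host under the *.dm.microsoft.com wildcard named in the answer;
        # substitute the concrete name your proxy/firewall logs show.
        [string[]]$CheckInHosts = @('EXAMPLE-HOST.dm.microsoft.com')
    )

    # Services that must be running for MDE to enforce policy and report status.
    $svcState = foreach ($name in 'Sense', 'WinDefend') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state = if ($svc) { $svc.Status } else { 'NotFound' }
        "${name}:$state"
    }

    # Local AV state. Identical output on good and pending hosts is itself a finding:
    # it suggests a reporting gap rather than a delivery gap.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # ASR rules present locally show whether the ASR policy reached the device even
    # though Intune still reports "Pending".
    $asr = @()
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $asr += ('{0}={1}' -f $ids[$i], $actions[$i])
    }

    # ASSUMED enrollment marker for security settings management; report raw value only.
    $senseCm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SenseCM' -ErrorAction SilentlyContinue

    # Outbound TCP/443 reachability to the check-in/reporting endpoint(s).
    $net = foreach ($h in $CheckInHosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        "${h}:$($r.TcpTestSucceeded)"
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        OSVersion               = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        Services                = ($svcState -join ';')
        AMRunningMode           = $status.AMRunningMode
        RealTimeProtection      = $status.RealTimeProtectionEnabled
        TamperProtected         = $status.IsTamperProtected
        DisableLocalAdminMerge  = $pref.DisableLocalAdminMerge
        AsrRulesLocal           = ($asr -join ';')
        SenseCMEnrollmentStatus = $senseCm.EnrollmentStatus
        CheckInHostsReachable   = ($net -join ';')
    }
}

# Usage: export from one working and one pending server, copy both files to one
# place, then diff the properties that matter for policy delivery and reporting.
# Get-MdeArcPolicyDiagnostics | Export-Clixml "$env:COMPUTERNAME-mde.xml"
# Compare-Object (Import-Clixml .\GOOD-mde.xml) (Import-Clixml .\BAD-mde.xml) `
#     -Property AsrRulesLocal, SenseCMEnrollmentStatus, CheckInHostsReachable, DisableLocalAdminMerge
```

If AsrRulesLocal is populated on a server Intune still shows as pending, the policy has been delivered and enforced and only the status report is missing, which points at the check-in endpoint or the restart the answer mentions rather than at assignment; if it is empty while a working server shows rules, the policy never arrived and the Entra group membership and Intune sync are the place to look.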