KB5043950: Microsoft Defender for Endpoint known issue

Symptom

New Windows 11, version 24H2 devices that are intended to be onboarded to Microsoft Defender for Endpoint might require customers to enable the prerequisite feature. This affects all supported architectures. 

IT admins might observe devices not being able to be onboarded to the Defender for Endpoint cloud service, and not receiving the expected protection as a result, even if Intune is expected to execute the onboarding sequence by applying an endpoint detection and response (EDR) policy. Intune will also display an error as it is unable to successfully apply the policy. Users may also not be able to connect to corporate resources if a Conditional Access policy is configured to require Defender for Endpoint being enabled and actively reporting in. Compliance status is visible in the Microsoft Intune device compliance dashboard. This might happen in one of the following scenarios.

• A user buys a new device that has the Home SKU. This SKU does not support Defender for Endpoint. Then the user upgrades to Pro using a Pro product key. This process, called “transmog,” does not install Defender for Endpoint, which is by design. The Defender for Endpoint agent is not correctly enrolled in the Defender for Endpoint service, and the device is not protected.

• A user buys a new device that has the Pro SKU, and the OEM did not install the required feature. 

Important Defender for Endpoint has been removed from the base image for Windows 11, version 24H2 and needs to be manually installed whenever a device goes from Home to Pro.