Windows Device Onboarding Guide
This guide provides a complete step-by-step walkthrough for onboarding Windows devices to Microsoft Defender for Endpoint (MDE) using Microsoft Intune, including all prerequisites, licensing requirements, role configurations, and best practice policies.
Prerequisites
Before beginning the onboarding process, ensure the following requirements are met.
Licensing Requirements
Note: For server onboarding, you need Microsoft Defender for Servers Plan 1 or Plan 2, or a Microsoft Defender for Endpoint Server license.
Supported Windows Client Operating Systems
The following Windows versions are supported for onboarding:
- Windows 11 Enterprise, Education, Pro, Pro Education, IoT Enterprise
- Windows 10 Enterprise, Education, Pro, Pro Education, IoT Enterprise
- Windows 10/11 on ARM
- Windows 10 LTSC 2016 or later
- Windows 365 Cloud PCs
- Azure Virtual Desktop (AVD)
Required Services
Before onboarding, ensure these services are configured and accessible:
| Service | Purpose |
|---|---|
| Microsoft Entra ID (Azure AD) | Device identity and join state management |
| Microsoft Intune | Policy creation and deployment |
| Microsoft Defender for Endpoint | Endpoint detection and response (EDR) |
| Microsoft 365 Defender portal | Centralized security management (security.microsoft.com) |
Required Roles and Permissions
In Microsoft Intune:
- Endpoint Security Manager role (built-in)
- OR a custom role with:
  - Mobile Threat Defense permissions (Read and Modify)
  - Endpoint Detection and Response permissions (Assign, Create, Delete, Read, Update, View Reports)
- Security Administrator role
In Microsoft Defender portal:
- Security Administrator role
- OR “Manage security settings in Security Center” permission
Important: Microsoft recommends using roles with the fewest permissions. Global Administrator is a highly privileged role that should be limited to emergency scenarios.
Network Requirements
- Devices must have stable internet connectivity
- No SSL inspection blocking Microsoft security endpoints
- Access to Microsoft Defender for Endpoint service endpoints
Step 1: Connect Microsoft Defender for Endpoint to Intune
This is a one-time setup per tenant that establishes the service-to-service connection.
1.1 Check Current Connection Status
- Sign in to the Microsoft Intune admin center at https://intune.microsoft.com
- Navigate to Endpoint security → Microsoft Defender for Endpoint
- Check the Connection status:
  - If Enabled – already connected; proceed to Step 2
  - If Unavailable – continue with the following steps
1.2 Enable the Connection in Microsoft Defender Portal
- From the Intune admin center, scroll to the bottom of the page and select Open the Microsoft Defender Security Center (or directly go to https://security.microsoft.com)
- In the Microsoft Defender portal, navigate to System → Settings → Endpoints → General → Advanced features
- Locate Microsoft Intune connection and toggle it to On
- Click Save preferences
1.3 Verify the Connection
- Return to the Intune admin center (refresh if needed)
- Navigate to Endpoint security → Microsoft Defender for Endpoint
- Confirm Connection status shows Enabled (may take up to 15 minutes to update)
Step 2: Configure Integration Settings
After the service connection is established, configure which platforms connect to Defender for Endpoint.
2.1 Configure Compliance Policy Evaluation
In the Intune admin center, go to Endpoint security → Microsoft Defender for Endpoint
Under Compliance policy evaluation, enable:
- Connect Windows devices to Microsoft Defender for Endpoint – On
(Optional for mobile devices)
- Connect Android devices – On/Off as needed
- Connect iOS/iPadOS devices – On/Off as needed
2.2 Configure App Protection Policy Evaluation (Optional)
Under App protection policy evaluation, enable as needed:
- Android and iOS/iPadOS device connections
2.3 Save Configuration
Click Save to apply all settings.
Step 3: Create an Entra ID Pilot Group (Recommended)
Create a pilot group for testing before broad deployment.
- Go to Microsoft Entra admin center (entra.microsoft.com)
- Navigate to Groups → All groups → New group
- Configure:
  - Group type: Security
  - Membership type: Assigned
  - Group name: GRP-WIN-MDE-Pilot
  - Members: Add test users or devices
- Click Create
Step 4: Onboard Windows Devices Using EDR Policy
Choose Your Deployment Approach
| Approach | Best For |
|---|---|
| Quick Setup | Fast, broad deployment to all Windows devices with no additional configuration |
| Custom Setup | Granular control, specific device groups, or custom scope tags |
Option 1: Quick Setup (Preconfigured Policy)
Use this option for fast deployment to all Windows devices.
Quick Setup Steps:
- In the Intune admin center, go to Endpoint security → Endpoint detection and response
- Select the EDR Onboarding Status tab
- Click Deploy preconfigured policy
- Configure the policy:
  - Platform: Windows (Intune managed) or Windows (ConfigMgr) for Tenant Attach
  - Profile: Endpoint detection and response
  - Name: MDE EDR Onboarding – All Windows Devices
- Click Save
The policy immediately starts deploying to all Windows devices.
Option 2: Custom Setup (Manual Policy Creation)
Use this option for granular control over which devices receive the policy.
Step 4.1: Create the EDR Policy
- In the Intune admin center, go to Endpoint security → Endpoint detection and response
- Click Create Policy (or go to Summary tab → Create Policy)
- Basics tab:
  - Platform: Windows
  - Profile: Endpoint detection and response
- Click Create
- Name your policy:
  - Name: WIN - MDE Onboarding - Pilot
  - Description: (Optional) Onboards Windows devices to Defender for Endpoint
- Click Next
Step 4.2: Configure Settings
In the Configuration settings tab:
| Setting | Recommended Value | Description |
|---|---|---|
| Microsoft Defender for Endpoint client configuration package type | Auto from connector | Uses automatic onboarding package from MDE |
| Sample sharing for all files | Not Configured (or All) | Enables sample sharing for enhanced threat detection |
Note: Telemetry Reporting Frequency is deprecated and doesn’t affect new devices.
Click Next.
Step 4.3: Configure Scope Tags (Optional)
Add scope tags if needed for RBAC segmentation, then click Next.
Step 4.4: Assign the Policy
- Under Included groups, click Add groups
- Select your pilot group (e.g., GRP-WIN-MDE-Pilot)
- Important:
  - Device groups are recommended for immediate deployment
  - User groups require user sign-in before the policy applies
- Click Next
Step 4.5: Review and Create
- Review all settings
- Click Create
The new EDR policy appears under Endpoint security → Endpoint detection and response.
Step 5: Verify Device Onboarding
5.1 Verify in Intune Admin Center
- Navigate to Endpoint security → Endpoint detection and response
- Select your policy → Device status
- Check that devices show successful onboarding status
5.2 Verify in Microsoft Defender Portal (Primary Validation)
The most reliable verification is in the Defender portal:
- Go to Microsoft Defender portal at https://security.microsoft.com
- Navigate to Endpoints → Device inventory
- Search for your device by name
- Confirm:
  - Device is present in the list
  - Last seen time is recent
  - Sensor status shows healthy/active
5.3 Verify Onboarding Status Dashboard
- Go to Endpoints → Configuration management → Dashboard
- Check the Onboarded devices card for onboarding rate
5.4 Verification Commands on Windows Device
Run these commands on the onboarded Windows device:
| Command | Purpose |
|---|---|
| `Get-MpComputerStatus` | Check Defender antivirus status and onboard status |
| `dsregcmd /status` | Verify Azure AD join (should show AzureAdJoined: YES) |
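As an added example (not part of the original guide), the following PowerShell function combines the two checks above into one pass/fail report for a device. The `Sense` service name and the `OnboardingState` value under the Windows Advanced Threat Protection registry key are Microsoft's documented MDE sensor indicators, not values taken from this page; the `Get-MpComputerStatus` fields used are assumed to exist on current Defender builds.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell session on
# the device. Combines the guide's Get-MpComputerStatus and dsregcmd checks with the MDE
# sensor indicators Microsoft documents (Sense service, OnboardingState registry value);
# those indicators are assumed here, not taken from the page.
function Test-MdeOnboarding {
    function Mark($ok) { if ($ok) { 'PASS' } else { 'FAIL' } }

    # Sensor: the Sense service must be running and OnboardingState must be 1.
    # OrgId identifies the MDE tenant the device reports to.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Antivirus engine state, as in the guide's Get-MpComputerStatus check.
    $mp     = Get-MpComputerStatus
    $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays

    # dsregcmd /status prints "AzureAdJoined : YES" for Entra joined devices and an
    # MdmUrl line when the device is enrolled in Intune.
    $dsreg  = dsregcmd /status
    $joined = ($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*(\w+)').Matches.Groups[1].Value
    $mdmUrl = ($dsreg | Select-String '^\s*MdmUrl\s*:\s*(\S+)').Matches.Groups[1].Value

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SenseService       = Mark ($sense -and $sense.Status -eq 'Running')
        OnboardingState    = Mark ($status.OnboardingState -eq 1)
        OrgId              = $status.OrgId
        AMRunningMode      = $mp.AMRunningMode   # Normal, Passive Mode or EDR Block Mode
        RealTimeProtection = Mark $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = [math]::Round($sigAge, 1)
        AzureAdJoined      = Mark ($joined -eq 'YES')
        IntuneEnrolled     = Mark ([bool]$mdmUrl)
    }
}

Test-MdeOnboarding | Format-List
```

A FAIL on SenseService or OnboardingState with PASS on the join checks points at the EDR policy not having applied yet (see the sync timing in Step 7), while a FAIL on AzureAdJoined means the device will not receive the policy at all.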
Step 6: Deploy Defender Best Practice Security Policies
After onboarding, deploy these recommended security policies for maximum protection.
6.1 Antivirus Policy (Recommended Settings)
Create an antivirus policy via Endpoint security → Antivirus in Intune:
| Setting Category | Recommended Value |
|---|---|
| Real-time Protection | |
| Real-time monitoring | Allowed |
| Behavior monitoring | Allowed |
| On access protection | Allowed |
| PUA Protection | Block |
| Cloud Protection | |
| Cloud-delivered protection | Allowed |
| Cloud block level | High |
| Sample submission consent | Send all samples automatically |
| Scan Settings | |
| Email scanning | Allowed |
| Script scanning | Allowed |
| Archive scanning | Allowed |
| Removable drive scanning (full scan) | Allowed |
| Scheduled Scans | |
| Scan type | Quick scan |
| Schedule day | Every day |
| Remediation | |
| All threat severity actions | Quarantine |
| Days to retain cleaned malware | 60 |
6.2 Attack Surface Reduction (ASR) Rules
Create an ASR policy via Endpoint security → Attack surface reduction:
| ASR Rule | Recommended Setting |
|---|---|
| Block executable content from email and webmail clients | Block |
| Block Adobe Reader from creating child processes | Block |
| Block execution of potentially obfuscated scripts | Block |
| Block Win32 API calls from Office macros | Block |
| Block credential stealing from lsass.exe | Enable |
| Block untrusted USB processes | Block |
| Block Office apps from injecting code | Block |
6.3 Network Protection
| Setting | Recommended Value |
|---|---|
| Enable Network Protection | Enabled (block mode) |
6.4 Windows Firewall Policy
Recommended firewall settings:
| Setting | Domain Profile | Private Profile | Public Profile |
|---|---|---|---|
| Firewall enabled | Allowed | Allowed | Allowed |
| Inbound connections | Blocked | Blocked | Blocked |
| Outbound connections | Required | Required | Required |
| Unicast responses | Required | Required | Required |
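Once these policies are assigned, a device-side audit shows whether the effective configuration actually matches the tables in 6.1 to 6.4. The following PowerShell is an added example, not the guide's or Microsoft's code: it assumes PowerShell 5.1 or later on a supported Windows client with the Defender and NetSecurity modules, and the numeric `Set-MpPreference` encodings and ASR rule GUIDs it uses are Microsoft's documented values rather than values taken from this page.

```powershell
# Added example, not from the original guide: compare the device's effective Defender and
# firewall settings with the recommended values in sections 6.1 to 6.4 and emit one object
# per drifted setting. Numeric codes are Set-MpPreference encodings (assumed, not on the page):
# PUAProtection 1 = Block, MAPSReporting 2 = Advanced, CloudBlockLevel 2 = High, SubmitSamplesConsent
# 3 = Send all samples, ScanParameters 1 = Quick, EnableNetworkProtection 1 = Block, ASR action 1 = Block.
function Get-DefenderBaselineDrift {
    $pref = Get-MpPreference
    # 6.1 Antivirus and 6.3 Network Protection, keyed by Get-MpPreference property name.
    $av = [ordered]@{
        DisableRealtimeMonitoring = $false;  DisableBehaviorMonitoring = $false
        DisableIOAVProtection     = $false;  PUAProtection             = 1
        MAPSReporting             = 2;       CloudBlockLevel           = 2
        SubmitSamplesConsent      = 3;       DisableEmailScanning      = $false
        DisableScriptScanning     = $false;  DisableArchiveScanning    = $false
        DisableRemovableDriveScanning = $false; ScanParameters         = 1
        QuarantinePurgeItemsAfterDelay = 60; EnableNetworkProtection   = 1
    }
    foreach ($name in $av.Keys) {
        if ("$($pref.$name)" -ne "$($av[$name])") {
            [pscustomobject]@{ Area = 'Defender'; Setting = $name; Expected = $av[$name]; Actual = $pref.$name }
        }
    }
    # 6.2 ASR rules: GUIDs are Microsoft's published rule IDs (assumed, not taken from the page).
    $asr = @{
        'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email and webmail clients'
        '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
        '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
        '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
        'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted USB processes'
        '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting code'
    }
    $ids = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ }); $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $state = @{}; for ($i = 0; $i -lt $ids.Count; $i++) { $state[$ids[$i].ToLower()] = $acts[$i] }
    foreach ($id in $asr.Keys) {
        if ("$($state[$id])" -ne '1') {   # absent, Audit (2) or Warn (6) all count as drift
            [pscustomobject]@{ Area = 'ASR'; Setting = $asr[$id]; Expected = 1; Actual = $state[$id] }
        }
    }
    # 6.4 Firewall: every profile enabled, inbound blocked, outbound and unicast responses allowed.
    $fw = @{ Enabled = 'True'; DefaultInboundAction = 'Block'; DefaultOutboundAction = 'Allow'; AllowUnicastResponseToMulticast = 'True' }
    foreach ($p in Get-NetFirewallProfile) {
        foreach ($s in $fw.Keys) {
            if ("$($p.$s)" -ne $fw[$s]) { [pscustomobject]@{ Area = "Firewall/$($p.Name)"; Setting = $s; Expected = $fw[$s]; Actual = $p.$s } }
        }
    }
}
Get-DefenderBaselineDrift | Format-Table -AutoSize
```

An empty result means the device matches the recommended baseline; an ASR row with an empty Actual column means the rule is not configured at all, which is what you expect to see during the audit-mode pilot recommended later in this guide.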
Step 7: Monitor Deployment and Onboarding Status
7.1 Monitor EDR Onboarding Status
- Endpoint security → Endpoint detection and response → EDR Onboarding Status tab
- Review onboarding status for all Windows devices
7.2 Success Indicators
Onboarding is successful when:
- Devices appear in Defender portal device inventory
- EDR Onboarding Status shows “Successfully onboarded”
- Device risk levels begin appearing in compliance reports
- Last seen timestamp updates regularly
7.3 Policy Sync Timing
- Standard policy delivery: Up to 90 minutes
- To expedite: for MDE-managed devices, use the Policy sync action from the device's actions menu for delivery in roughly 10 minutes
Final Outcome (Success)
After completing all steps:
- Intune and Defender for Endpoint service-to-service connection established
- Windows devices onboarded to Defender for Endpoint
- Security policies configured for antivirus, ASR, and network protection
- Device risk reporting to compliance policies enabled
- Security telemetry flowing to Microsoft Defender portal
Common Failure Points and Troubleshooting
| Issue | Solution |
|---|---|
| Connection status unavailable | Verify Security Administrator role in Entra ID; re-enable Intune connection in Defender Advanced Features |
| Devices not onboarding | Check device has required license, stable internet, and no SSL inspection blocking |
| Policy not applying | Wait up to 90 minutes; use Policy sync action; verify device is in assigned group |
| Devices not appearing in Defender portal | Check sensor health; run Get-MpComputerStatus; verify onboarding package applied |
| Onboarding conflicts | Avoid multiple onboarding methods on same device; use single method (Intune EDR policy) |
| Sample sharing errors | Verify sample submission consent settings; check network connectivity to Microsoft cloud |
Best Practice Recommendations
- Pilot first – Always test with a small group before broad deployment
- Use Auto from connector – Simplifies onboarding package management
- Enable cloud protection – Set cloud block level to High for maximum protection
- Deploy ASR rules gradually – Test in audit mode before enabling block mode
- Regular monitoring – Review device inventory and sensor health weekly
- Keep policies current – Update as new Defender features become available
Useful Commands Summary
| Command | Purpose |
|---|---|
| `Get-MpComputerStatus` | Check Defender status and onboard state |
| `Get-MpPreference` | View current antivirus configuration |
| `dsregcmd /status` | Verify Azure AD join status |
| `Set-MpPreference -SubmitSamplesConsent 1` | Enable automatic sample submission |
Useful Resources
- Microsoft Defender Portal: https://security.microsoft.com
- Intune Admin Center: https://intune.microsoft.com
- Microsoft Entra Admin Center: https://entra.microsoft.com
Very useful article with full details. Keep posting! All the best.
Thank you, Ujjwal ji! I truly appreciate your encouragement. 😊
I’m glad the article was helpful for you. I’ll continue posting more practical and detailed guides. Stay tuned!