Microsoft Defender for Endpoint – Windows Device Onboarding

Windows Device Onboarding Guide

This guide provides a complete step-by-step walkthrough for onboarding Windows devices to Microsoft Defender for Endpoint (MDE) using Microsoft Intune, including all prerequisites, licensing requirements, role configurations, and best practice policies.

Prerequisites

Before beginning the onboarding process, ensure the following requirements are met.

Licensing Requirements

License type and what it is required for:

  • Microsoft Defender for Endpoint Plan 1 or Plan 2: core MDE features and onboarding
  • Microsoft Intune: device management and policy deployment
  • Microsoft Entra ID P1 or P2: Conditional Access and identity features
  • Microsoft Defender for Business: alternative bundle for small and medium businesses

Note: Windows Server onboarding is licensed separately; it needs Microsoft Defender for Servers Plan 1 or Plan 2 (via Defender for Cloud) or a Microsoft Defender for Endpoint Server license.

Supported Windows Client Operating Systems

The following Windows versions are supported for onboarding:

  • Windows 11 Enterprise, Education, Pro, Pro Education, IoT Enterprise
  • Windows 10 Enterprise, Education, Pro, Pro Education, IoT Enterprise
  • Windows 10/11 on ARM
  • Windows 10 LTSC 2016 or later
  • Windows 365 Cloud PCs
  • Azure Virtual Desktop (AVD)

Required Services

Before onboarding, ensure these services are configured and accessible:

Service and its purpose:

  • Microsoft Entra ID (formerly Azure AD): device identity and join state management
  • Microsoft Intune: policy creation and deployment
  • Microsoft Defender for Endpoint: endpoint detection and response (EDR)
  • Microsoft Defender portal (security.microsoft.com, formerly Microsoft 365 Defender): centralized security management

Required Roles and Permissions

In Microsoft Intune:

  • Endpoint Security Manager role (built-in)
  • OR a custom role with:
    • Mobile Threat Defense permissions (Read and Modify) to enable the Defender for Endpoint connector
    • Endpoint Detection and Response permissions (Assign, Create, Delete, Read, Update, View Reports) to create and assign EDR policies

In Microsoft Entra ID:

  • Security Administrator role (needed to turn on the Intune connection in the Defender portal)

In the Microsoft Defender portal:

  • Security Administrator role
  • OR the “Manage security settings in Security Center” permission

Important: Microsoft recommends using roles with the fewest permissions. Global Administrator is a highly privileged role that should be limited to emergency scenarios.

Network Requirements

  • Devices must have stable internet connectivity
  • No SSL/TLS inspection of Defender for Endpoint traffic: Microsoft does not support proxies that intercept and re-sign the sensor's connections, so exclude the service URLs from inspection
  • Outbound HTTPS (TCP 443) access to the Defender for Endpoint service URLs published by Microsoft, either directly or through a proxy that the sensor can reach

Step 1: Connect Microsoft Defender for Endpoint to Intune

This is a one-time setup per tenant that establishes the service-to-service connection between Intune and Defender for Endpoint.

1.1 Check Current Connection Status

  1. Sign in to the Microsoft Intune admin center at https://intune.microsoft.com
  2. Navigate to Endpoint security → Microsoft Defender for Endpoint
  3. Check the Connection status:
    • If Enabled – Already connected, proceed to Step 2
    • If Unavailable – Continue with the following steps

1.2 Enable the Connection in Microsoft Defender Portal

  1. From the Intune admin center, scroll to the bottom of the page and select Open the Microsoft Defender Security Center (or directly go to https://security.microsoft.com)
  2. In the Microsoft Defender portal, navigate to:
    System → Settings → Endpoints → General → Advanced features
  3. Locate Microsoft Intune connection and toggle it to On
  4. Click Save preferences

1.3 Verify the Connection

  1. Return to the Intune admin center (refresh if needed)
  2. Navigate to Endpoint security → Microsoft Defender for Endpoint
  3. Confirm Connection status shows Enabled (may take up to 15 minutes to update) 

Step 2: Configure Integration Settings

After the service connection is established, configure which platforms connect to Defender for Endpoint.

2.1 Configure Compliance Policy Evaluation

In the Intune admin center, go to Endpoint security → Microsoft Defender for Endpoint

Under Compliance policy evaluation, enable:

  • Connect Windows devices to Microsoft Defender for Endpoint – On

(Optional for mobile devices)

  • Connect Android devices – On/Off as needed
  • Connect iOS/iPadOS devices – On/Off as needed

2.2 Configure App Protection Policy Evaluation (Optional)

Under App protection policy evaluation, enable as needed:

  • Android and iOS/iPadOS device connections

2.3 Save Configuration

Click Save to apply all settings.

Step 3: Create an Entra ID Pilot Group (Recommended)

Create a pilot group for testing before broad deployment.

  1. Go to Microsoft Entra admin center (entra.microsoft.com)
  2. Navigate to Groups → All groups → New group
  3. Configure:
    • Group type: Security
    • Membership type: Assigned
    • Group name: GRP-WIN-MDE-Pilot
    • Members: Add test users or devices
  4. Click Create

Step 4: Onboard Windows Devices Using EDR Policy

Choose Your Deployment Approach

Approach and what it is best for:

  • Quick Setup: fast, broad deployment to all Windows devices with no additional configuration
  • Custom Setup: granular control, specific device groups, or custom scope tags

Option 1: Quick Setup (Preconfigured Policy)

Use this option for fast deployment to all Windows devices.

Quick Setup Steps:

  1. In the Intune admin center, go to Endpoint security → Endpoint detection and response
  2. Select the EDR Onboarding Status tab
  3. Click Deploy preconfigured policy
  4. Configure the policy:
    • Platform: Windows (Intune managed) or Windows (ConfigMgr) for Tenant Attach
    • Profile: Endpoint detection and response
    • Name: MDE EDR Onboarding – All Windows Devices
  5. Click Save

The preconfigured policy is assigned to all Windows devices and starts deploying as soon as it is saved, so use it only when that scope is intended.

Option 2: Custom Setup (Manual Policy Creation)

Use this option for granular control over which devices receive the policy.

Step 4.1: Create the EDR Policy

  1. In the Intune admin center, go to Endpoint security → Endpoint detection and response
  2. Click Create Policy (or go to Summary tab → Create Policy)
  3. Basics tab:
    • Platform: Windows
    • Profile: Endpoint detection and response
    • Click Create
  4. Name your policy:
    • Name: WIN - MDE Onboarding - Pilot
    • Description: (Optional) Onboards Windows devices to Defender for Endpoint
    • Click Next

Step 4.2: Configure Settings

In the Configuration settings tab:

  • Microsoft Defender for Endpoint client configuration package type: Auto from connector. Intune pulls the onboarding package from the connector automatically, so you never handle the onboarding blob by hand.
  • Sample sharing for all files: Not Configured (or All). All lets the Defender for Endpoint service collect a file sample from the device when an analyst requests it, which supports deeper investigation.

Note: Telemetry Reporting Frequency is deprecated and has no effect on newly onboarded devices.

Click Next.

Step 4.3: Configure Scope Tags (Optional)

Add scope tags if needed for RBAC segmentation, then click Next.

Step 4.4: Assign the Policy

In the Assignments tab:

  1. Under Included groups, click Add groups
  2. Select your pilot group (e.g., GRP-WIN-MDE-Pilot)
  3. Important:
    • Device groups are recommended: the policy applies at the next device check-in regardless of who is signed in
    • User groups apply only after a member user signs in to the device, so onboarding is delayed on shared or freshly provisioned machines
  4. Click Next

Step 4.5: Review and Create

  1. Review all settings
  2. Click Create

The new EDR policy appears under Endpoint security → Endpoint detection and response.

Step 5: Verify Device Onboarding

5.1 Verify in Intune Admin Center

  1. Navigate to Endpoint security → Endpoint detection and response
  2. Select your policy → Device status
  3. Check that devices show successful onboarding status 

5.2 Verify in Microsoft Defender Portal (Primary Validation)

The most reliable verification is in the Defender portal:

  1. Go to Microsoft Defender portal at https://security.microsoft.com
  2. Navigate to Endpoints → Device inventory
  3. Search for your device by name
  4. Confirm:
    • Device is present in the list
    • Last seen time is recent
    • Sensor status shows healthy/active

5.3 Verify Onboarding Status Dashboard

In the Defender portal:

  • Go to Endpoints → Configuration management → Dashboard
  • Check the Onboarded devices card for onboarding rate

5.4 Verification Commands on Windows Device

Run these commands on the onboarded Windows device:

Command and purpose:

  • Get-MpComputerStatus (PowerShell): check Defender antivirus health (real-time protection, signature age, AMRunningMode). It does not report EDR onboarding.
  • Get-Service Sense (PowerShell): the EDR sensor service must be Running on an onboarded device
  • Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' (PowerShell): OnboardingState 1 means the onboarding package was applied; OrgId should match your tenant
  • dsregcmd /status: verify Entra (Azure AD) join; should show AzureAdJoined: YES
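The checks above combined into one script, as an added example that is not part of the original guide. It assumes an elevated PowerShell session on the onboarded Windows device; the registry path, the Sense service name and the Sense operational log are the real locations the sensor writes to, and event ID 11 in that log is the "onboarding completed" event. The script exits non-zero when the device is not onboarded so it can be run from a remote session or a remediation script.

```powershell
# Added verification script (not from the original guide).
# Run in an elevated PowerShell session on a device that received the EDR onboarding policy.
# Get-MpComputerStatus alone does not prove MDE onboarding; the Sense service,
# the OnboardingState registry value and the Sense event log do.

$results = [ordered]@{}

# 1. The EDR sensor service ("Sense") must exist and be running.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$results['SenseServiceRunning'] = ($null -ne $sense -and $sense.Status -eq 'Running')

# 2. OnboardingState = 1 is written once the onboarding package has been applied.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
$results['OnboardingState'] = $status.OnboardingState
$results['Onboarded']       = ($status.OnboardingState -eq 1)

# 3. OrgId is the tenant the sensor reports to; compare it with the tenant ID
#    shown under Settings > Endpoints in the Defender portal.
$results['OrgId'] = $status.OrgId

# 4. Defender antivirus health.
$mp = Get-MpComputerStatus
$results['AMServiceEnabled']      = $mp.AMServiceEnabled
$results['RealTimeProtection']    = $mp.RealTimeProtectionEnabled
$results['AntivirusSignatureAge'] = $mp.AntivirusSignatureAge   # in days
$results['AMRunningMode']         = $mp.AMRunningMode           # e.g. Normal, Passive Mode, EDR Block Mode

# 5. Entra join and MDM enrollment, parsed from dsregcmd output.
$dsreg = dsregcmd /status
$results['AzureAdJoined'] = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
$results['MdmUrlPresent'] = [bool]($dsreg | Select-String -Pattern 'MdmUrl\s*:\s*https://')

# 6. Sense operational log: ID 11 = onboarding completed; Level 2 = error events.
$senseLog = 'Microsoft-Windows-SENSE/Operational'
$onboardEvent = Get-WinEvent -FilterHashtable @{ LogName = $senseLog; Id = 11 } -MaxEvents 1 -ErrorAction SilentlyContinue
$results['LastOnboardingCompleted'] = if ($onboardEvent) { $onboardEvent.TimeCreated } else { 'not found' }
$errors = Get-WinEvent -FilterHashtable @{ LogName = $senseLog; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
$results['SenseErrorsLast24h'] = @($errors).Count

[pscustomobject]$results | Format-List

if (-not ($results['SenseServiceRunning'] -and $results['Onboarded'])) {
    Write-Warning 'Device is NOT onboarded to Defender for Endpoint. Check EDR policy assignment and the Sense operational log.'
    exit 1
}
if ($results['SenseErrorsLast24h'] -gt 0) {
    Write-Warning 'Sense logged errors in the last 24 hours; review connectivity to the MDE service URLs.'
}
```

If the device shows OnboardingState 1 but never appears in the portal, the usual cause is blocked or inspected TLS traffic; the Sense error events will show the failed connections.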

Step 6: Deploy Defender Best Practice Security Policies

After onboarding, deploy these recommended security policies for maximum protection.

6.1 Antivirus Policy (Recommended Settings)

Create an antivirus policy via Endpoint security → Antivirus in Intune:

Setting category, setting and recommended value:

  • Real-time Protection
    • Real-time monitoring: Allowed
    • Behavior monitoring: Allowed
    • On access protection: Allowed
    • PUA Protection: Block
  • Cloud Protection
    • Cloud-delivered protection: Allowed
    • Cloud block level: High
    • Sample submission consent: Send all samples automatically
  • Scan Settings
    • Email scanning: Allowed
    • Script scanning: Allowed
    • Archive scanning: Allowed
    • Removable drive scanning (full scan): Allowed
  • Scheduled Scans
    • Scan type: Quick scan
    • Schedule day: Every day
  • Remediation
    • All threat severity actions: Quarantine
    • Days to retain cleaned malware: 60
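A way to confirm the antivirus policy actually landed on a device, as an added example that is not part of the original guide. It reads the effective Defender preferences with Get-MpPreference and compares them with the recommended values in the table above; the numeric codes in the expected list are the real enum values Get-MpPreference returns. The script only reads settings: on an Intune-managed device with Tamper Protection on, local Set-MpPreference changes to protected settings are ignored and Intune policy wins anyway, so reading back is the meaningful check.

```powershell
# Added drift check (not from the original guide). Run on an onboarded device after the
# Intune antivirus policy has synced. Intune-delivered settings are visible through
# Get-MpPreference exactly like local ones, so a mismatch means the policy did not apply.

$expected = @(
    @{ Name = 'DisableRealtimeMonitoring';      Value = $false; Note = 'Real-time monitoring allowed' }
    @{ Name = 'DisableBehaviorMonitoring';      Value = $false; Note = 'Behavior monitoring allowed' }
    @{ Name = 'DisableOnAccessProtection';      Value = $false; Note = 'On access protection allowed' }
    @{ Name = 'PUAProtection';                  Value = 1;      Note = 'PUA protection: Block (0=Off, 1=Block, 2=Audit)' }
    @{ Name = 'MAPSReporting';                  Value = 2;      Note = 'Cloud-delivered protection: Advanced (0=Off, 1=Basic, 2=Advanced)' }
    @{ Name = 'CloudBlockLevel';                Value = 2;      Note = 'Cloud block level: High (0=Default, 2=High, 4=High+, 6=ZeroTolerance)' }
    @{ Name = 'SubmitSamplesConsent';           Value = 3;      Note = 'Send all samples (0=Prompt, 1=Safe samples, 2=Never, 3=All)' }
    @{ Name = 'DisableEmailScanning';           Value = $false; Note = 'Email scanning allowed' }
    @{ Name = 'DisableScriptScanning';          Value = $false; Note = 'Script scanning allowed' }
    @{ Name = 'DisableArchiveScanning';         Value = $false; Note = 'Archive scanning allowed' }
    @{ Name = 'DisableRemovableDriveScanning';  Value = $false; Note = 'Removable drive scanning allowed' }
    @{ Name = 'ScanParameters';                 Value = 1;      Note = 'Scheduled scan type: Quick (1=Quick, 2=Full)' }
    @{ Name = 'ScanScheduleDay';                Value = 0;      Note = 'Schedule day: Every day (0=Everyday, 1-7=Sun..Sat, 8=Never)' }
    @{ Name = 'QuarantinePurgeItemsAfterDelay'; Value = 60;     Note = 'Days to retain quarantined items' }
    @{ Name = 'EnableNetworkProtection';        Value = 1;      Note = 'Network protection: Block (0=Off, 1=Block, 2=Audit)' }
)

$pref = Get-MpPreference

# Build one row per setting; dynamic property access reads the value by name.
$report = foreach ($e in $expected) {
    $actual = $pref.($e.Name)
    [pscustomobject]@{
        Setting   = $e.Name
        Expected  = $e.Value
        Actual    = $actual
        Compliant = ($actual -eq $e.Value)
        Note      = $e.Note
    }
}

$report | Format-Table Setting, Expected, Actual, Compliant -AutoSize

$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the recommended values:" -f $drift.Count)
    $drift | ForEach-Object { Write-Warning ("  {0}: expected {1}, actual {2} ({3})" -f $_.Setting, $_.Expected, $_.Actual, $_.Note) }
    exit 1
}
Write-Host 'Antivirus configuration matches the recommended policy.'
```

Run it on a pilot device before and after the policy sync; the first run documents the baseline and the second run should report no drift. The same list is also useful for the Defender for Business and Defender for Servers cases, where the policy path differs but Get-MpPreference reports the same properties.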

6.2 Attack Surface Reduction (ASR) Rules

Create an ASR policy via Endpoint security → Attack surface reduction:

ASR rule and recommended setting:

  • Block executable content from email client and webmail: Block
  • Block Adobe Reader from creating child processes: Block
  • Block execution of potentially obfuscated scripts: Block
  • Block Win32 API calls from Office macros: Block
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe): Block
  • Block untrusted and unsigned processes that run from USB: Block
  • Block Office applications from injecting code into other processes: Block
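An audit-first rollout of the seven rules above, as an added example that is not part of the original guide; it covers both this table and the "deploy ASR rules gradually" best practice later on. The rule GUIDs are the published Microsoft identifiers for those rules. The script stages the rules in audit mode on a lab or pilot device, summarizes the audit events (event ID 1122 in the Windows Defender operational log; 1121 is the block-mode equivalent) over the past week, and provides a function to switch the same rules to block. On an Intune-managed device the ASR policy from Intune overrides these local settings, so use this for validation, not as the production deployment method.

```powershell
# Added example (not from the original guide): stage ASR rules in audit mode,
# review what they would have blocked, then switch to block. Requires an elevated
# session. Intune ASR policy will override local changes on managed devices.

$asrRules = [ordered]@{
    'Block executable content from email client and webmail'             = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block Adobe Reader from creating child processes'                    = '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
    'Block execution of potentially obfuscated scripts'                   = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Win32 API calls from Office macros'                            = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block credential stealing from LSASS'                                = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block untrusted and unsigned processes that run from USB'            = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
    'Block Office applications from injecting code into other processes' = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
}

# Stage 1: enable every rule in audit mode. Add-MpPreference updates the action
# for a rule that is already configured, so this is safe to re-run.
function Set-AsrRulesAudit {
    foreach ($id in $asrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# Read back the effective state. Actions: 0=Off, 1=Block, 2=Audit, 6=Warn.
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        $name = ($asrRules.GetEnumerator() | Where-Object { $_.Value -ieq $id } | Select-Object -First 1).Key
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($name) { $name } else { '(not in this list)' }
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Stage 2: after the audit period, count audit hits per rule. The event message
# carries the rule GUID after "ID:", which the regex below extracts.
function Get-AsrAuditSummary {
    param([int]$Days = 7)
    $guidPattern = '[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}'
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        if ($_.Message -match $guidPattern) { $Matches[0].ToUpperInvariant() }
    } | Group-Object | Sort-Object Count -Descending | ForEach-Object {
        $name = ($asrRules.GetEnumerator() | Where-Object { $_.Value -ieq $_.Name } | Select-Object -First 1).Key
        [pscustomobject]@{ RuleId = $_.Name; Name = $name; AuditHits = $_.Count }
    }
}

# Stage 3: switch the listed rules to block once the audit hits are understood.
function Set-AsrRulesBlock {
    foreach ($id in $asrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Typical flow on a pilot device:
Set-AsrRulesAudit
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrAuditSummary -Days 7 | Format-Table -AutoSize
# Review the summary, add exclusions for legitimate line-of-business hits, then:
# Set-AsrRulesBlock
```

Rules with zero audit hits after a representative week can move to block immediately; rules with hits need either an ASR exclusion for the specific path or a conversation with the application owner before enforcement.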

6.3 Network Protection

Setting and recommended value:

  • Enable Network Protection: Enabled (block mode)

6.4 Windows Firewall Policy

Recommended firewall settings (apply the same values to the Domain, Private and Public profiles):

  • Firewall enabled: Yes, for all three profiles
  • Inbound connections (default inbound action): Block
  • Outbound connections (default outbound action): Allow
  • Unicast responses to multicast or broadcast traffic: Allowed

Step 7: Monitor Deployment and Onboarding Status

7.1 Monitor EDR Onboarding Status

In the Intune admin center:

  • Endpoint security → Endpoint detection and response → EDR Onboarding Status tab
  • Review onboarding status for all Windows devices

7.2 Success Indicators

Onboarding is successful when:

  • Devices appear in Defender portal device inventory
  • EDR Onboarding Status shows “Successfully onboarded”
  • Device risk levels begin appearing in compliance reports
  • Last seen timestamp updates regularly

7.3 Policy Sync Timing

  • Standard policy delivery: up to 90 minutes after the device checks in
  • To expedite: for devices managed through Defender for Endpoint, use the Policy sync action from the device's actions menu in the Defender portal; delivery then takes roughly 10 minutes. For Intune-managed devices, trigger a Sync from the device page in the Intune admin center.

Final Outcome (Success)

After completing all steps:

  • Intune and Defender for Endpoint service-to-service connection established
  • Windows devices onboarded to Defender for Endpoint
  • Security policies configured for antivirus, ASR, and network protection
  • Device risk reporting to compliance policies enabled
  • Security telemetry flowing to Microsoft Defender portal

Common Failure Points and Troubleshooting

Issue and solution:

  • Connection status unavailable: verify the account holds the Security Administrator role in Entra ID; re-enable the Microsoft Intune connection under Advanced features in the Defender portal and wait up to 15 minutes
  • Devices not onboarding: check that the device is licensed, has stable internet access, and that no SSL/TLS inspection is applied to Defender for Endpoint traffic
  • Policy not applying: wait up to 90 minutes; use the Policy sync (or Intune Sync) action; verify the device is a member of the assigned group
  • Devices not appearing in the Defender portal: check sensor health; confirm the Sense service is running and OnboardingState is 1 under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status; review the Microsoft-Windows-SENSE/Operational event log for connection errors
  • Onboarding conflicts: avoid mixing onboarding methods (script, Group Policy, ConfigMgr) on the same device; use a single method such as the Intune EDR policy
  • Sample sharing errors: verify the sample submission consent settings; check network connectivity to the Microsoft cloud

Best Practice Recommendations

  1. Pilot first – Always test with a small group before broad deployment
  2. Use Auto from connector – Simplifies onboarding package management
  3. Enable cloud protection – Set cloud block level to High for maximum protection
  4. Deploy ASR rules gradually – Test in audit mode before enabling block mode
  5. Regular monitoring – Review device inventory and sensor health weekly
  6. Keep policies current – Update as new Defender features become available

Useful Commands Summary

Command and purpose:

  • Get-MpComputerStatus: check Defender antivirus health (real-time protection, signature age, running mode)
  • Get-MpPreference: view the current antivirus configuration, including ASR rule IDs and actions
  • Get-Service Sense: check that the EDR sensor service is running
  • Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status': OnboardingState 1 confirms onboarding; OrgId shows the tenant
  • dsregcmd /status: verify Entra (Azure AD) join status
  • Set-MpPreference -SubmitSamplesConsent 3: send all samples automatically (1 sends only safe samples); on Intune-managed devices the Intune policy value takes precedence

2 thoughts on “Microsoft Defender for Endpoint – Windows Device Onboarding”

    1. Thank you, Ujjwal ji! I truly appreciate your encouragement. 😊
      I’m glad the article was helpful for you. I’ll continue posting more practical and detailed guides. Stay tuned!
