How to fix devices in Intune not onboarding to Defender

Question

How to fix devices in Intune not onboarding to Defender

Shaun Slater 66

I have a problem and would like to know if there is a way to fix this.

The business has recently bought 790 defender P1 licenses to help protect endpoints so we have enough licenses to cover the number of devices that we have.

We have a total of 704 devices in Intune and 663 in Defender and we want these numbers to match. These 41 devices that are missing are active devices (made contact with Intune in the last 60 days) and the users have defender P1 license assigned but for some reason the Intune defender onboard policy says that the device is stuck in pending when I go to generate a report.

Intune Profile

The profile has been active for over 2 months and not changed at all. If it helps this is the configuration:

Microsoft Defender for Endpoint client configuration package type:

Onboard

Sample sharing for all files

Not configured

Expedite telemetry reporting frequency

Not configured

User's image

Errors:

Of those 37 errors it seems to be only 2 devices that are getting the error but 37 users. I can't show these as that will be too much information and names need to be hidden for privacy reasons.

User's image

These devices for whatever reason are still stuck in pending and if I go to look them up in Defender they aren't there which means they have not onboarded.

User's image

Things I have done to troubleshoot the issue:

Re-applied the Intune policy
Ran a bulk sync task using PowerShell
Checked that the user is assigned a Defender P1
The affected devices have made contact with Intune service in the last 7 days

Is there a solution for this and how do we get all the devices to onboard properly into Defender?

Kind Regards

Shaun Slater

Nick Eckermann 606 Reputation points

2023-10-27T20:16:59.6333333+00:00

What happens when you run Get-MpComputerStatus on one of the devices?
Shaun Slater 66 Reputation points

2023-11-14T14:27:14.8+00:00

Hi Nick,

Thanks for your response.

When I run Get-MpComputerStatus this is what I get as the output:

AMEngineVersion : 1.1.23100.2009

AMProductVersion : 4.18.23100.2009

AMRunningMode : Normal

AMServiceEnabled : True

AMServiceVersion : 4.18.23100.2009

AntispywareEnabled : True

AntispywareSignatureAge : 0

AntispywareSignatureLastUpdated : 13/11/2023 14:54:48

AntispywareSignatureVersion : 1.401.566.0

AntivirusEnabled : True

AntivirusSignatureAge : 0

AntivirusSignatureLastUpdated : 13/11/2023 14:54:47

AntivirusSignatureVersion : 1.401.566.0

BehaviorMonitorEnabled : True

ComputerID : DCD2C171-AAEA-4E3C-A2EC-65AAEC75EA99

ComputerState : 0

DefenderSignaturesOutOfDate : False

DeviceControlDefaultEnforcement : Unknown

DeviceControlPoliciesLastUpdated : 24/05/2023 17:00:11

DeviceControlState : Disabled

FullScanAge : 3

FullScanEndTime : 11/11/2023 03:02:50

FullScanOverdue : False

FullScanRequired : False

FullScanSignatureVersion : 1.401.369.0

FullScanStartTime : 11/11/2023 02:00:35

IoavProtectionEnabled : True

IsTamperProtected : False

IsVirtualMachine : False

LastFullScanSource : 2

LastQuickScanSource : 2

NISEnabled : True

NISEngineVersion : 1.1.23100.2009

NISSignatureAge : 0

NISSignatureLastUpdated : 13/11/2023 14:54:47

NISSignatureVersion : 1.401.566.0

OnAccessProtectionEnabled : True

ProductStatus : 524288

QuickScanAge : 0

QuickScanEndTime : 14/11/2023 02:11:37

QuickScanOverdue : False

QuickScanSignatureVersion : 1.401.566.0

QuickScanStartTime : 14/11/2023 02:00:35

RealTimeProtectionEnabled : True

RealTimeScanDirection : 0

RebootRequired : False

SmartAppControlExpiration :

SmartAppControlState : Off

TamperProtectionSource : Signatures

TDTMode : N/A

TDTSiloType : N/A

TDTStatus : N/A

TDTTelemetry : N/A

TroubleShootingDailyMaxQuota :

TroubleShootingDailyQuotaLeft :

TroubleShootingEndTime :

TroubleShootingExpirationLeft :

TroubleShootingMode :

TroubleShootingModeSource :

TroubleShootingQuotaResetTime :

TroubleShootingStartTime :

PSComputerName :

1 answer

Your answer

Nick Eckermann 606 Reputation points

2023-10-27T20:16:59.6333333+00:00

What happens when you run Get-MpComputerStatus on one of the devices?

Answer 1

@Shaun Slater, Thanks for posting in Q&A. From your description, I know there are some devices not onboard to Defender.

To troubleshoot the issue, please follow the steps in the following link to check the logs to see which phase we are failed and if we can find any related error message:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide#troubleshoot-onboarding-issues-using-microsoft-intune

If there's any update, feel free to let us know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2023-11-01T01:35:44.3366667+00:00

@Shaun Slater, Hope things are going well. If there's any update, feel free to let us know.

Share via

How to fix devices in Intune not onboarding to Defender

1 answer

Your answer