Onboard devices to Microsoft Defender for Business

Alextheonlyone 196 Reputation points
2022-04-19T14:49:11.993+00:00

Hi All!

We would like to try Microsoft Defender for Business (we have a Microsoft 365 Business Premium subscription). We have approx. 100 Windows 10/11 machines.

I follow this guide: https://learn.microsoft.com/en-us/microsoft-365/security/defender-business/mdb-onboard-devices?view=o365-worldwide&tabs=WindowsClientDevices#endpoint-manager-for-windows-clients

I have some problems:

1) The guide above says: "When you run the onboarding script on a device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Endpoint Manager (if it isn't already enrolled), and then onboards the device to Defender for Business."

I onboarded two PCs via "Local script" and they have appeared fine in Defender for Business (security.microsoft.com/machines subpage). However, they haven't appeared in Endpoint Manager (endpoint.microsoft.com). Why?

2) There is a video in the guide, under "To have users enroll their own Windows devices". I have tried to enroll another PC with the downloaded "Company Portal" app, but the app has just been in waiting status for two hours. See the attached picture.

(attached image: 194279-companyportlenroll.png)

This PC appeared in neither Defender for Business nor Endpoint Manager, but it has appeared in the portal.azure.com portal.

I'm a little bit frustrated and I don't understand the whole procedure. Is there anybody who can help me? Many thanks in advance!

Alex


3 answers

  1. Crystal-MSFT 43,721 Reputation points Microsoft Vendor
    2022-04-20T01:10:21.903+00:00

    @Alextheonlyone, for the script, it is used to onboard the device to Defender for Business. To enroll devices in Intune, the steps are separate. Firstly, we need to make sure the Microsoft Intune and Azure AD Premium (this is for auto-enroll) licenses are assigned to the user who enrolls the device. To enroll the devices into Intune, there are many methods. Here is a link with the information for reference:
    https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment#windows-enrollment-methods

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Alextheonlyone 196 Reputation points
    2022-04-20T12:07:15.35+00:00

    Hi Crystal,

    "enrolls the device in Microsoft Endpoint Manager (if it isn't already enrolled)" - so this is not true?

    Your suggested link mentions the Company Portal method, which I tried, and it was unsuccessful, as I wrote. However, I don't understand the following sentences: "These types of devices are good for point-of-sale or utility apps, for example, but not for users who need to access email or company resources." The "Learn more about DEM." says nothing about it, or I just don't understand.

    "Firstly, we need to make sure the Microsoft Intune and Azure AD Premium (This is for auto-enroll) licenses are assigned to the user who enroll the device." My O365 user has a Business Premium licence which contains an Intune licence, am I right? By the way, I could set the auto-enrollment in Azure, so probably my settings are good.

    Maybe I should open a ticket (where can I do it?), where a Microsoft specialist can check our tenant and licences?

    Best regards,
    Alex


  3. Crystal-MSFT 43,721 Reputation points Microsoft Vendor
    2022-04-21T01:56:32.093+00:00

    @Alextheonlyone, to check if the device is enrolled into Intune, we can see if the device exists in "All devices" on the Intune portal.

    For Microsoft 365 Business Premium, I find the Intune license is included.
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses

    Please also ensure it is selected as well. To check it, we can find the user, choose Licenses, click Microsoft 365 Business Premium and see if the "Microsoft Intune" is on.
    Note: As I don't have a Microsoft 365 Business Premium license, I use Enterprise Mobility + Security E5 as an example instead.
    (attached image: 194828-image.png)
    In addition, for Windows BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will not be MDM enrolled. Here, please make sure the MAM user scope is set to None.
    (attached image: 194878-image.png)
    https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#configure-automatic-mdm-enrollment

    Meanwhile, for the sentence you mentioned, this means the DEM enrollment method is suitable for devices which are used for point-of-sale or utility apps; it has the limitation that on a device enrolled with this method, the user can't access mail or company resources.

    In addition, I notice you prefer to open a ticket to check the issue. You can refer to the steps in the following link to open a case.
    https://learn.microsoft.com/en-us/mem/get-support

    Hope it can help.



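A local check of the two states discussed in this thread (Defender onboarding versus Intune enrollment), as an added example that is not part of the thread or of Microsoft's own tooling. It assumes the documented Defender onboarding status key and the MDM enrollment key under HKLM, and that it is run in an elevated PowerShell session on the endpoint.

```powershell
# Added example: report Defender for Business onboarding and Intune (MDM) enrollment
# state on one Windows device. Run elevated. Registry paths are the documented
# locations; assumption: they are unchanged on your Windows build.

function Get-DefenderOnboardingState {
    # Defender writes OnboardingState = 1 once the local onboarding script has completed,
    # and the Sense service carries the sensor.
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OnboardingState = if ($status) { $status.OnboardingState } else { $null }
        SenseService    = if ($sense) { $sense.Status.ToString() } else { 'missing' }
        Onboarded       = ($status.OnboardingState -eq 1 -and $sense.Status -eq 'Running')
    }
}

function Get-MdmEnrollmentState {
    # Each MDM enrollment gets its own GUID subkey; Intune enrollments use ProviderID 'MS DM Server'.
    $enrollments = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }
    # dsregcmd shows the Azure AD join the onboarding script is supposed to create; MdmUrl is
    # empty when the device is joined but not MDM enrolled (the situation in the question).
    $dsreg = (dsregcmd /status) -join "`n"
    [pscustomobject]@{
        AzureAdJoined  = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
        MdmUrlPresent  = [bool]($dsreg -match 'MdmUrl\s*:\s*https://')
        IntuneEnrolled = [bool]$enrollments
        EnrolledUpn    = (($enrollments | ForEach-Object { $_.UPN }) -join ',')
    }
}

$defender = Get-DefenderOnboardingState
$mdm      = Get-MdmEnrollmentState
$defender | Format-List
$mdm      | Format-List

# The case from this thread: onboarded to Defender, never enrolled in Intune.
if ($defender.Onboarded -and -not $mdm.IntuneEnrolled) {
    Write-Warning 'Onboarded to Defender but no Intune enrollment found: check the MDM/MAM user scope and the user''s Intune license assignment.'
}
```

Run it on one of the two locally onboarded PCs to confirm the split the question describes before adjusting tenant settings.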