Onboard devices to Microsoft Defender for Business

This article describes how to onboard devices to Defender for Business.

Visual depicting step 5 - onboarding devices to Defender for Business.

Onboard your business devices to protect them right away. You can choose from several options to onboard your company's devices. This article walks you through your options and describes how onboarding works.

What to do

  1. Select a tab:
    • Windows 10 and 11
    • Mac
    • Mobile (new capabilities are available for iOS and Android devices!)
    • Servers (Windows Server or Linux Server)
  2. View your onboarding options, and follow the guidance on the selected tab.
  3. View a list of onboarded devices.
  4. Run a phishing test on a device.
  5. Proceed to your next steps.

Windows 10 and 11

Note

Windows devices must be running one of the following operating systems:

  • Windows 10 or 11 Business
  • Windows 10 or 11 Professional
  • Windows 10 or 11 Enterprise

For more information, see Microsoft Defender for Business requirements.

Choose one of the following options to onboard Windows client devices to Defender for Business:

  • Local script (for onboarding devices manually in the Microsoft Defender portal)
  • Group Policy (if you're already using Group Policy in your organization)
  • Microsoft Intune (if you're already using Intune)

Local script for Windows 10 and 11

You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Microsoft Entra ID (if that trust doesn't already exist), enrolls the device in Microsoft Intune (if it isn't already enrolled), and then onboards the device to Defender for Business. If you're not currently using Intune, the local script method is the recommended onboarding method for Defender for Business customers.

Tip

We recommend that you onboard up to 10 devices at a time when you use the local script method.

  1. Go to the Microsoft Defender portal (https://security.microsoft.com), and sign in.

  2. In the navigation pane, choose Settings > Endpoints, and then under Device management, choose Onboarding.

  3. Select Windows 10 and 11.

  4. Under Connectivity type, select Streamlined.

  5. In the Deployment method section, choose Local script, and then select Download onboarding package. We recommend that you save the onboarding package to a removable drive.

  6. On a Windows device, extract the contents of the configuration package to a location, such as the Desktop folder. You should have a file named WindowsDefenderATPLocalOnboardingScript.cmd.

  7. Open a command prompt as an administrator.

  8. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type %userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd, and then press the Enter key (or select OK).

  9. After the script runs, Run a detection test.

Group Policy for Windows 10 and 11

If you prefer to use Group Policy to onboard Windows clients, follow the guidance in Onboard Windows devices using Group Policy. This article describes the steps for onboarding to Microsoft Defender for Endpoint. The steps for onboarding to Defender for Business are similar.

Intune for Windows 10 and 11

You can onboard Windows clients and other devices in Intune by using the Intune admin center (https://intune.microsoft.com). There are several methods available for enrolling devices in Intune. We recommend using one of the following methods:

Enable automatic enrollment for Windows 10 and 11

When you set up automatic enrollment, users add their work account to the device. In the background, the device registers and joins Microsoft Entra ID and is enrolled in Intune.

  1. Go to the Azure portal (https://portal.azure.com/) and sign in.

  2. Select Microsoft Entra ID > Mobility (MDM and MAM) > Microsoft Intune.

  3. Configure the MDM User scope and the MAM user scope.

    Screenshot of setting MDM user scope and MAM user scope in Intune.

    • For MDM User scope, we recommend that you select All so that all users can automatically enroll their Windows devices.

    • In the MAM user scope section, we recommend the following default values for the URLs:

      • MDM Terms of use URL
      • MDM Discovery URL
      • MDM Compliance URL
  4. Select Save.

  5. After a device is enrolled in Intune, you can add it to a device group in Defender for Business. Learn more about device groups in Defender for Business.

Tip

To learn more, see Enable Windows automatic enrollment.

Ask users to enroll their Windows 10 and 11 devices

  1. Watch the following video to see how enrollment works:

  2. Share this article with users in your organization: Enroll Windows 10/11 devices in Intune.

  3. After a device is enrolled in Intune, you can add it to a device group in Defender for Business. Learn more about device groups in Defender for Business.

Run a detection test on a Windows 10 or 11 device

After you've onboarded Windows devices to Defender for Business, you can run a detection test on the device to make sure that everything is working correctly.

  1. On the Windows device, create a folder: C:\test-MDATP-test.

  2. Open Command Prompt as an administrator, and then run the following command:

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
    

After the command runs, the Command Prompt window closes automatically. If successful, the detection test is marked as completed, and a new alert appears in the Microsoft Defender portal (https://security.microsoft.com) for the newly onboarded device within about 10 minutes.

View a list of onboarded devices

  1. Go to the Microsoft Defender portal (https://security.microsoft.com), and sign in.

  2. In the navigation pane, go to Assets > Devices. The Device inventory view opens.

Run a phishing test on a device

After you've onboarded a device, you can run a quick phishing test to make sure the device is connected and that alerts are generated as expected.

  1. On a device, go to https://smartscreentestratings2.net. Defender for Business should block that URL on the user's device.

  2. As a member of your organization's security team, go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.

  3. In the navigation pane, go to Incidents. You should see an informational alert that indicates a device tried to access a phishing site.

Next steps