Onboard devices to Microsoft Defender for Business

Onboard your business devices to protect them right away. You can choose from several options to onboard your company's devices. This article walks you through your options and describes how onboarding works.

What to do

  1. Select a tab:
    • Windows 10 and 11
    • Mac
    • Servers (NEW! Windows Server or Linux Server)
    • Mobile (for iOS/iPadOS or Android devices)
  2. View your onboarding options, and follow the guidance on the selected tab.
  3. Proceed to your next steps.

Windows 10 and 11

Choose one of the following options to onboard Windows client devices to Defender for Business:

  • Local script (for onboarding devices manually in the Microsoft 365 Defender portal)
  • Group Policy (if you're already using Group Policy in your organization)
  • Microsoft Intune (if you're already using Intune)

Local script for Windows 10 and 11

You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory, if that trust doesn't already exist; enrolls the device in Microsoft Intune, if it isn't already enrolled; and then onboards the device to Defender for Business. If you're not currently using Intune, the local script method is the recommended onboarding method for Defender for Business customers.


We recommend that you onboard up to 10 devices at a time when you use the local script method.

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com), and sign in.

  2. In the navigation pane, choose Settings > Endpoints, and then under Device management, choose Onboarding.

  3. Select Windows 10 and 11, and then, in the Deployment method section, choose Local script.

  4. Select Download onboarding package. We recommend that you save the onboarding package to a removable drive.

  5. On a Windows device, extract the contents of the configuration package to a location, such as the Desktop folder. You should have a file named WindowsDefenderATPLocalOnboardingScript.cmd.

  6. Open a command prompt as an administrator.

  7. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type %userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd, and then press the Enter key (or select OK).

  8. After the script runs, Run a detection test.

Group Policy for Windows 10 and 11

If you prefer to use Group Policy to onboard Windows clients, follow the guidance in Onboard Windows devices using Group Policy. This article describes the steps for onboarding to Microsoft Defender for Endpoint. The steps for onboarding to Defender for Business are similar.

Intune for Windows 10 and 11

You can onboard Windows clients and other devices in Intune by using the Intune admin center (https://intune.microsoft.com). There are several methods available for enrolling devices in Intune. We recommend using one of the following methods:

Enable automatic enrollment for Windows 10 and 11

When you set up automatic enrollment, users add their work account to the device. In the background, the device registers and joins Azure Active Directory (Azure AD) and is enrolled in Intune.

  1. Go to the Azure portal (https://portal.azure.com/) and sign in.

  2. Select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

  3. Configure the MDM User scope and the MAM user scope.

    Screenshot of setting MDM user scope and MAM user scope in Intune.

    • For MDM User scope, we recommend that you select All so that all users can automatically enroll their Windows devices.

    • In the MAM user scope section, we recommend the following default values for the URLs:

      • MDM Terms of use URL
      • MDM Discovery URL
      • MDM Compliance URL
  4. Select Save.

  5. After a device is enrolled in Intune, you can add it to a device group in Defender for Business. Learn more about device groups in Defender for Business.


To learn more, see Enable Windows automatic enrollment.

Ask users to enroll their Windows 10 and 11 devices

  1. Watch the following video to see how enrollment works:

  2. Share this article with users in your organization: Enroll Windows 10/11 devices in Intune.

  3. After a device is enrolled in Intune, you can add it to a device group in Defender for Business. Learn more about device groups in Defender for Business.

Run a detection test on a Windows 10 or 11 device

After you've onboarded Windows devices to Defender for Business, you can run a detection test on the device to make sure that everything is working correctly.

  1. On the Windows device, create a folder: C:\test-MDATP-test.

  2. Open Command Prompt as an administrator.

  3. In the Command Prompt window, run the following PowerShell command:

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

After the command runs, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal (https://security.microsoft.com) for the newly onboarded device in about 10 minutes.

View a list of onboarded devices

To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal (https://security.microsoft.com). In the navigation pane, go to Assets > Devices.

Next steps