Onboard Windows devices into Microsoft 365 overview
Endpoint data loss prevention (Endpoint DLP) and insider risk management require that Windows 10 and Windows 11 devices be onboarded into the service so that they can send monitoring data to those services.
Endpoint DLP allows you to monitor Windows 10 or Windows 11 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them. For more information about all of Microsoft’s DLP offerings, see Learn about data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention.
Insider risk management uses the full breadth of service and 3rd-party indicators to help you quickly identify, triage, and act on risky user activity. By using logs from Microsoft 365 and Microsoft Graph, insider risk management allows you to define specific policies to identify risk indicators and to take action to mitigate these risks. For more information, see Learn about insider risk management.
Device onboarding is shared across Microsoft 365 and Microsoft Defender for Endpoint (MDE). If you've already onboarded devices to MDE, they'll appear in the managed devices list and no further steps are necessary to onboard those specific devices. Onboarding devices in the Microsoft Purview compliance portal also onboards them into MDE.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Before you begin
SKU/subscriptions licensing
Check the licensing requirements here.
Permissions
To enable device management, the account you use must be a member of any one of these roles:
- Global admin
- Security admin
- Compliance admin
If you want to use a custom account to view the device management settings, it must be in one of these roles:
- Global admin
- Compliance admin
- Compliance data admin
- Global reader
If you want to use a custom account to access the onboarding/offboarding page, it must be in one of these roles:
- Global admin
- Compliance admin
If you want to use a custom account to turn on/off device monitoring, it must be in one of these roles:
- Global admin
- Compliance admin
Prepare your Windows devices
Make sure that the Windows devices that you need to onboard meet these requirements.
Must be running one of the following builds of Windows or Windows Server:
- Windows (X64):
  - Windows 10 21H2 (See update details)
  - Windows 10 22H2 update (See update details)
- Windows (ARM64):
  - Windows 11 21H2 (See update details)
  - Windows 11 22H2 (See update details)
- Windows Server 2019 OS: 1809 onwards or Windows Server 2022 OS: 21H2 onwards.
Antimalware Client Version is 4.18.2110 or newer. Check your current version by opening the Windows Security app, selecting the Settings icon, and then selecting About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623. For more details, see: Microsoft Defender Antivirus in Windows.
Important
None of the Windows Security components need to be active, but Real-time protection and Behavior monitoring must be enabled.
- Microsoft Defender Core Service (MdCoreSvc, MpDefenderCoreService.exe) must be running on the device.
- Microsoft Data Loss Prevention Service (MDDlpSvc, MpDlpService.exe) must be running on the device.
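The prerequisite checks above (Antimalware Client Version, Real-time protection, Behavior monitoring, and the two Defender services) can be verified in one pass before onboarding. The following readiness script is an added example, not part of this page or a Microsoft-provided tool; it assumes an elevated PowerShell session on a device where the Defender module (Get-MpComputerStatus) is available, which is the case on the supported Windows 10 and Windows 11 builds.

```powershell
# Added example (not from the Microsoft page): pre-onboarding readiness check for
# Endpoint DLP. Assumes an elevated session and the Defender PowerShell module.

$minClientVersion = [version]'4.18.2110'        # minimum stated on the page
$requiredServices = @('MdCoreSvc', 'MDDlpSvc')   # services named on the page

function Test-EndpointDlpReadiness {
    $results = [ordered]@{}

    # Antimalware Client Version is exposed as AMProductVersion by Get-MpComputerStatus
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $results['AntimalwareClientVersion >= 4.18.2110'] = ([version]$mp.AMProductVersion -ge $minClientVersion)

    # Real-time protection and Behavior monitoring must both be enabled
    $results['RealTimeProtectionEnabled'] = [bool]$mp.RealTimeProtectionEnabled
    $results['BehaviorMonitorEnabled']    = [bool]$mp.BehaviorMonitorEnabled

    # MpDefenderCoreService.exe (MdCoreSvc) and MpDlpService.exe (MDDlpSvc) must be running
    foreach ($svc in $requiredServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $results["Service $svc running"] = ($null -ne $s -and $s.Status -eq 'Running')
    }

    # Windows feature-update name (for example 21H2 or 22H2) from the registry,
    # to compare against the supported builds listed on the page
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $results['WindowsDisplayVersion'] = $cv.DisplayVersion

    return $results
}

$r = Test-EndpointDlpReadiness
$r.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }

# Any boolean check that is $false blocks onboarding; list them for remediation
$failed = @($r.GetEnumerator() | Where-Object { $_.Value -is [bool] -and -not $_.Value })
if ($failed.Count -gt 0) {
    Write-Warning ("Device is not ready for onboarding: " + (($failed | ForEach-Object Key) -join ', '))
} else {
    Write-Output 'Defender prerequisites satisfied; proceed with onboarding.'
}
```

Run it on a representative device before deploying the onboarding package at scale; a device that later shows Configuration status "Not updated" in the Devices list will usually fail one of the same checks.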
All devices must be one of these:
A supported version of Microsoft 365 Apps is installed and up to date. For the most robust protection and user experience, ensure Microsoft 365 Apps version 16.0.14701.0 or later is installed.
Note
- If you are running Office 365, KB 4577063 is required.
- If you are on the Monthly Enterprise Channel of Microsoft 365 Apps versions 2004-2008, you need to update to version 2009 or later. See Update history for Microsoft 365 Apps (listed by date) for current versions. To learn more about the known issue, see the Office Suite section of Release notes for Current Channel releases in 2020.
If you have endpoints that use a device proxy to connect to the internet, follow the procedures in Configure device proxy and internet connection settings for Information Protection.
Onboarding Windows 10 or Windows 11 devices
You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft Purview compliance portal.
When you want to onboard devices that haven't been onboarded yet, you download the appropriate script and deploy it to those devices. Follow the device onboarding procedures below.
If you already have devices onboarded into Microsoft Defender for Endpoint, they'll already appear in the managed devices list.
In this deployment scenario, you onboard Windows 10 or Windows 11 devices that haven't been onboarded yet.
Open the Microsoft Purview compliance portal. Choose Settings > Device onboarding > Devices.
Note
If you have previously deployed Microsoft Defender for Endpoint, all the devices that were onboarded during that process will be listed in the Devices list. There is no need to onboard them again. While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.
Choose Turn on device onboarding.
Choose Onboarding to begin the onboarding process.
Choose the way you want to deploy to these other devices from the Deployment method list, and then download the package.
Choose the appropriate procedure to follow from the table below:
| Article | Description |
|---|---|
| Intune | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on devices. |
| Configuration Manager | You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606, or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier, to deploy the configuration package on devices. |
| Group Policy | Use Group Policy to deploy the configuration package on devices. |
| Local script | Learn how to use the local script to deploy the configuration package on endpoints. |
| Virtual desktop infrastructure (VDI) devices | Learn how to use the configuration package to configure VDI devices. |
Device configuration and policy sync status
You can check the Configuration status and the Policy sync status of all your onboarded devices in the Devices list. For more information on the configuration and policy status, select an onboarded device to open the details pane.
Configuration status shows you whether the device is configured correctly, is sending a heartbeat signal to Purview, and the last time the configuration was validated. For Windows devices, configuration includes checking the status of Microsoft Defender Antivirus always-on protection and behavior monitoring.
Policy sync status shows you if the device received the latest policy version, or if the corresponding policies synced successfully to the device.
| Field value | Configuration status | Policy sync status |
|---|---|---|
| Updated | Device health parameters are enabled and correctly set. | Device has been updated with the current versions of policies. |
| Not updated | You need to enable the configuration settings for this device. Follow the procedures in Microsoft Defender Antivirus always-on protection. | This device has not synced the latest policy updates. If the policy update was made within the last 2 hours, wait for the policy to reach your device. |
| Not available | Device properties aren't available in the device list. This could be because the device doesn't meet the minimum OS version or configuration, or because the device was just onboarded. | Device properties aren't available in the device list. This could be because the device doesn't meet the minimum OS version or configuration, or because the device was just onboarded. |
It can take up to 2 hours for the sync status to be reflected on the dashboard. Devices must be online for the policy update to happen. If the status isn't updating, check the last time the device was seen.
See also
- Learn about insider risk management
- Learn about Endpoint data loss prevention
- Using Endpoint data loss prevention
- Learn about data loss prevention
- Create and Deploy data loss prevention policies
- Get started with Activity explorer
- Microsoft Defender for Endpoint
- Onboarding tools and methods for Windows 10 machines
- Microsoft 365 subscription
- Microsoft Entra joined devices
- Download the new Microsoft Edge based on Chromium