Onboard devices to Microsoft Defender using Intune
Onboarding devices is the first step in using Microsoft Defender as your endpoint protection platform. Microsoft Intune provides a centralized way to onboard managed devices to Defender.
Prepare Intune and Defender onboarding
Before you start onboarding, confirm that your environment is ready. Devices must be enrolled in Microsoft Intune, and your tenant must have Microsoft Defender for Endpoint licensing and tenant onboarding configured.
Supported device types for Intune-based onboarding include Windows 10 and Windows 11 devices. macOS devices can also be onboarded through Intune when they're managed by Intune and meet Defender requirements. Intune is the deployment mechanism; Defender then collects telemetry from the onboarded devices.
Important prerequisites include:
- A valid Microsoft Intune license and Microsoft Defender for Endpoint license.
- Devices enrolled in Microsoft Intune and joined to Entra ID or hybrid Entra ID.
- Service connection between Microsoft Intune and Microsoft Defender for Endpoint.
- Permissions to create and assign Intune policies and access Defender device inventory.
- Supported operating system versions and hardware for the target devices.
Connect Microsoft Defender for Endpoint to Intune
The service connection is a one-time tenant configuration. It enables Intune to communicate with Defender and retrieve the onboarding configuration automatically.
- In the Microsoft Intune admin center, go to Endpoint security > Microsoft Defender for Endpoint.
- Check the connection status. If the connection isn't enabled, open the Microsoft Defender portal from the Intune page or go directly to the Defender portal.
- In the Microsoft Defender portal, go to System > Settings > Endpoints > General > Advanced features.
- Turn on Microsoft Intune connection and select Save preferences.
Onboard Windows devices
For Windows devices, the recommended onboarding method is to use an Intune Endpoint detection and response policy. This policy deploys the Defender onboarding configuration to managed devices.
You can use a preconfigured Windows EDR policy for a fast deployment:
- In the Microsoft Intune admin center, go to Endpoint security > Endpoint detection and response.
- Select the EDR Onboarding Status tab.
- Choose the Windows platform and the Endpoint detection and response profile.
- Enter a descriptive policy name, review the settings and create the policy.
You can also create a custom Endpoint detection and response policy in Intune when you want more control over assignments, scope tags, sample sharing, or other EDR policy settings, and then assign it to the appropriate device groups for deployment.
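As an added check that is not part of the original article, the following PowerShell script, run in an elevated session on a Windows device after the EDR policy has applied, confirms that the Defender for Endpoint sensor service (Sense) is running and that the onboarding state recorded in the registry reports success. It reports the antivirus running mode separately, because onboarding by itself does not configure Microsoft Defender Antivirus.

```powershell
# Added example: verify that an Intune-delivered EDR onboarding policy took effect
# on a Windows endpoint. Run in an elevated PowerShell session on the device.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Test-DefenderOnboarding {
    $result = [ordered]@{}

    # The Sense service is the Defender for Endpoint sensor; it must exist and be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # OnboardingState = 1 means the onboarding package was applied successfully.
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = if ($null -eq $state) { 'Missing' } else { $state }

    # Recent SENSE operational events show the sensor is active after onboarding.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue
    $result.RecentSenseEvents = if ($events) { $events.Count } else { 0 }

    # Onboarding does not configure antivirus, so the AV posture is reported on its own
    # and must not be read as an onboarding result.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $result.AMRunningMode      = $mp.AMRunningMode
        $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
    } else {
        $result.AMRunningMode      = 'Unavailable'
        $result.RealTimeProtection = 'Unavailable'
    }

    # Overall verdict: the sensor runs and the onboarding state is recorded as success.
    $result.Onboarded = ($result.SenseServiceStatus -eq 'Running' -and $state -eq 1)
    [pscustomobject]$result
}

Test-DefenderOnboarding | Format-List
```

A device that shows Onboarded = True but an unexpected AMRunningMode still needs its antivirus, attack surface reduction and firewall policies deployed through the separate Intune endpoint security policies.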
Onboard other supported devices
Other supported platforms, such as macOS, Android, and iOS/iPadOS, can also be integrated with Defender, but the onboarding experience differs by platform.
Defender on macOS
For macOS, the Microsoft Defender app must be deployed to devices, and the onboarding package is downloaded from the Microsoft Defender portal. In the Defender portal, administrators select Settings > Endpoints > Device management > Onboarding, choose macOS, and select Mobile Device Management / Microsoft Intune as the deployment method. The onboarding package is then deployed through Intune as a configuration profile.
You also need to deploy Intune configuration profiles for required macOS permissions and services, including system extensions, network filtering, Full Disk Access, background services, notifications, Microsoft AutoUpdate, and Microsoft Defender preferences. Additional profiles may be needed depending on the Defender capabilities your organization plans to use, such as network protection, device control, or data loss prevention.
For more information, follow the guidelines here: Deploy Microsoft Defender for Endpoint on macOS with Microsoft Intune
Defender on Android and iOS/iPadOS
For Android and iOS/iPadOS devices, Microsoft Defender is onboarded as a mobile threat defense solution. Instead of using the same Endpoint detection and response onboarding policy as Windows, mobile onboarding typically involves deploying the Microsoft Defender app through Intune and applying the required app configuration or device configuration policies.
After the Defender app is installed and configured, the device can send mobile threat signals to Defender. These signals support capabilities such as web protection, network protection, unified alerting, privacy controls, and mobile vulnerability assessment. Android devices can also use malware protection for malicious apps and APK files, while iOS/iPadOS devices can report risks such as jailbreak detection.
Important onboarding considerations
Onboarding is a required first step, but it isn't the complete endpoint security configuration. An EDR onboarding policy enables the device to communicate with Defender and send security telemetry. It doesn't automatically configure all Microsoft Defender Antivirus settings, attack surface reduction rules, firewall settings, web protection, or custom detection logic. Those settings should be deployed separately by using Intune endpoint security policies or other supported management methods.
Avoid deploying multiple policies that configure the same onboarding settings. Using multiple policy types, such as device configuration policies and Endpoint detection and response policies, to manage the same Defender onboarding settings can create policy conflicts.
For most Intune-managed Windows environments, use the Auto from connector option in the EDR policy, because it retrieves the onboarding package from the active Intune-to-Defender service connection.