Onboard Windows 10 devices and Windows 11 using Group Policy

Applies to:

• Endpoint data loss prevention (DLP)
• Insider risk management
• Group Policy

Note

To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.

For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Onboard devices using Group Policy

1. Open the Compliance center.

2. In the navigation pane, select Settings > Device Onboarding.

3. In the Deployment method field, select Group policy.

4. Click Download package and save the .zip file.

5. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called OptionalParamsPolicy and the file DeviceComplianceLocalOnboardingScript.cmd.

6. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.

7. In the Group Policy Management Editor, go to Computer configuration, then Preferences, and then Control panel settings.

8. Right-click Scheduled tasks, point to New, and then click Immediate Task (At least Windows 7).

9. In the Task window that opens, go to the General tab. Under Security options click Change User or Group and type SYSTEM and then click Check Names then OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.

10. Select Run whether user is logged on or not and check the Run with highest privileges check box.

11. Go to the Actions tab and click New... Ensure that Start a program is selected in the Action field. Enter the file name and location of the shared WindowsDefenderATPOnboardingScript.cmd file.

12. Click OK and close any open GPMC windows.

Offboard devices using Group Policy

For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.

1. Get the offboarding package from Microsoft Purview compliance portal.

2. In the navigation pane, select Settings > //Device onboarding > Offboarding.

3. In the Deployment method field, select Group policy.

4. Click Download package and save the .zip file.

5. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a file named DeviceComplianceOffboardingScript_valid_until_YYYY-MM-DD.cmd.

6. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.

7. In the Group Policy Management Editor, go to Computer configuration, then Preferences, and then Control panel settings.

8. Right-click Scheduled tasks, point to New, and then click Immediate task.

9. In the Task window that opens, go to the General tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under Security options.

10. Select Run whether user is logged on or not and check the Run with highest privileges check-box.

11. Go to the Actions tab and click New.... Ensure that Start a program is selected in the Action field. Enter the file name and location of the shared DeviceComplianceOffboardingScript_valid_until_YYYY-MM-DD.cmd file.

12. Click OK and close any open GPMC windows.

Important

Offboarding causes the device to stop sending sensor data to the portal but data from the device.

Monitor device configuration

With Group Policy there isn’t an option to monitor deployment of policies on the devices. Monitoring can be done directly on the portal, or by using the different deployment tools.

Monitor devices using the portal

1. Go to the Microsoft Purview compliance portal.
2. Click Devices list.
3. Verify that devices are appearing.

Note

It can take several days for devices to start showing on the Devices list. This includes the time it takes for the policies to be distributed to the device, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.

Related topics

• Onboard Windows 10 and Windows 11 devices using Microsoft Endpoint Configuration Manager
• Onboard Windows 10 and Windows 11 devices using Mobile Device Management tools
• Onboard Windows 10 and Windows 11 devices using a local script
• Onboard non-persistent virtual desktop infrastructure (VDI) devices
• Run a detection test on a newly onboarded Microsoft Defender for Endpoint devices
• Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues