Microsoft Defender for Endpoint provides enterprise-grade endpoint detection and response (EDR) capabilities across Windows, macOS, Linux, iOS, and Android devices. This guide walks you through onboarding devices to Defender for Endpoint using various methods appropriate for different deployment scenarios.
Prerequisites
Before onboarding devices, ensure you have:
- Microsoft 365 Defender portal access with Security Administrator or Global Administrator role
- Appropriate licenses (Microsoft 365 E5, E5 Security, Defender for Endpoint P1/P2, or standalone)
- Supported operating systems (Windows 10/11, Windows Server 2012 R2+, macOS 11+, supported Linux distributions)
- Network connectivity to Microsoft Defender cloud services
- Local administrator access on devices to be onboarded
Understanding Onboarding Methods
Choose the appropriate onboarding method based on your environment:
| Method | Best For | Platforms |
|---|---|---|
| Microsoft Intune | Cloud-managed devices | Windows, macOS, iOS, Android |
| Group Policy | Domain-joined Windows | Windows 10/11, Windows Server |
| SCCM/MECM | Hybrid enterprise environments | Windows |
| Local Script | Testing, small deployments | Windows, macOS, Linux |
| VDI Scripts | Virtual desktop infrastructure | Windows |
Step 1: Access the Onboarding Packages
- Sign in to the Microsoft Defender portal
- Navigate to Settings > Endpoints > Device management > Onboarding
- Select your operating system from the dropdown
- Choose your deployment method
- Click Download package to get the onboarding package
Important: Onboarding packages are tenant-specific and contain your unique workspace ID. Never share these packages publicly.
Step 2: Onboard Windows Devices
Method A: Local Script (Testing/Small Deployments)
- Download the Local Script package from the Defender portal
- Extract the ZIP file to get WindowsDefenderATPLocalOnboardingScript.cmd
- On the target device, open Command Prompt as Administrator
- Navigate to the script location and run:
WindowsDefenderATPLocalOnboardingScript.cmd
- Press Y when prompted to confirm
- Wait for the script to complete (typically 1-2 minutes)
Method B: Group Policy (Domain Environments)
- Download the Group Policy package from the Defender portal
- Extract the ZIP file containing:
  - WindowsDefenderATPOnboardingScript.cmd
  - WindowsDefenderATPOnboardingPackage.zip
- Copy files to a network share accessible by target devices:
  \\domain.local\SYSVOL\domain.local\scripts\DefenderATP\
- Open Group Policy Management Console
- Create a new GPO or edit an existing one linked to target OUs
- Navigate to Computer Configuration > Policies > Windows Settings > Scripts > Startup
- Click Add and browse to the onboarding script
- Configure the script parameters:
  - Script Name: WindowsDefenderATPOnboardingScript.cmd
  - Script Parameters: (leave blank)
- Link the GPO to appropriate OUs
- Run gpupdate /force on target devices or wait for policy refresh
Method C: Microsoft Intune (Cloud-Managed)
- In the Microsoft Intune admin center, go to Endpoint security > Endpoint detection and response
- Click Create Policy
- Select:
  - Platform: Windows 10 and later
  - Profile: Endpoint detection and response
- Configure settings:
  - Microsoft Defender for Endpoint client configuration package type: Auto from connector
  - Sample sharing: All (or as per policy)
  - Telemetry reporting frequency: Normal
- Assign to device groups
- Click Create
Method D: Microsoft Endpoint Configuration Manager
- In the SCCM console, go to Assets and Compliance > Endpoint Protection > Microsoft Defender ATP Policies
- Right-click and select Create Microsoft Defender ATP Policy
- Configure:
  - Name: Defender ATP Onboarding
  - Client configuration file: Browse to downloaded onboarding package
- Deploy the policy to target device collections
Step 3: Onboard macOS Devices
Method A: Local Script
- Download the macOS onboarding package from the Defender portal
- Transfer WindowsDefenderATPOnboardingPackage.zip to the Mac
- Extract and locate the .pkg file
- Open Terminal and run:
sudo installer -pkg /path/to/wdav.pkg -target /
- After installation, onboard using the script:
sudo /usr/local/bin/mdatp onboard
Method B: Microsoft Intune
- In Intune admin center, go to Devices > macOS > Configuration profiles
- Create a profile using Settings catalog
- Add Microsoft Defender for Endpoint settings:
  - Enable real-time protection
  - Enable cloud-delivered protection
  - Configure onboarding blob (from portal)
- Assign to macOS device groups
Method C: JAMF Pro
- Download the macOS onboarding package
- In JAMF Pro, create a new Configuration Profile
- Add the Microsoft Defender payload
- Upload the onboarding configuration
- Scope to target devices
Step 4: Onboard Linux Devices
Supported Distributions
- RHEL 7.2+, CentOS 7.2+
- Ubuntu 16.04 LTS+
- Debian 9+
- SLES 12+
- Oracle Linux 7.2+
- Amazon Linux 2
- Fedora 33+
Installation Steps
- Add the Microsoft repository:
For RHEL/CentOS:
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/8/prod.repo
For Ubuntu/Debian:
curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/22.04/prod.list
sudo mv microsoft.list /etc/apt/sources.list.d/microsoft-prod.list
sudo apt-get update
- Install the Defender package:
RHEL/CentOS:
sudo yum install mdatp
Ubuntu/Debian:
sudo apt-get install mdatp
- Download the Linux onboarding package from the Defender portal
- Extract and run the onboarding script:
unzip WindowsDefenderATPOnboardingPackage.zip
sudo python MicrosoftDefenderATPOnboardingLinuxServer.py
- Verify onboarding status:
mdatp health --field org_id
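The Linux steps above collected into one script, as an added example rather than the guide's or Microsoft's own tooling: it reads ID and VERSION_ID from /etc/os-release, selects the repository configuration using the same packages.microsoft.com/config/<distro>/<version>/prod.* path that the two URLs above follow, installs mdatp, runs the onboarding script and confirms that org_id is populated. The apt branch also imports Microsoft's package-signing key from https://packages.microsoft.com/keys/microsoft.asc, a step the numbered list omits and without which apt-get update rejects the repository. The function names, the --run guard, the use of python3, and the assumption that the onboarding zip sits in the working directory are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: automate the Linux onboarding steps end to end.
# Assumptions: the onboarding zip is in the working directory; repo config URLs follow the
# packages.microsoft.com/config/<distro>/<version>/prod.* path used by the two URLs in the guide.
set -eu

# Map /etc/os-release ID and VERSION_ID to "<package manager> <repo config URL>".
# Major version only for the RHEL family and Debian; Ubuntu uses the full release (e.g. 22.04).
# Returns 1 for distributions this helper does not cover.
mde_repo_config() {
  local id="$1" ver="$2"
  case "$id" in
    rhel|centos|ol) echo "yum https://packages.microsoft.com/config/rhel/${ver%%.*}/prod.repo" ;;
    ubuntu)         echo "apt https://packages.microsoft.com/config/ubuntu/${ver}/prod.list" ;;
    debian)         echo "apt https://packages.microsoft.com/config/debian/${ver%%.*}/prod.list" ;;
    *)              return 1 ;;
  esac
}

# Register the Microsoft repository and install mdatp with the selected package manager.
mde_install() {
  local mgr="$1" url="$2"
  case "$mgr" in
    yum)
      # yum-config-manager ships in yum-utils; the prod.repo file carries the gpgkey setting.
      sudo yum install -y yum-utils
      sudo yum-config-manager --add-repo="$url"
      sudo yum install -y mdatp
      ;;
    apt)
      # The guide's steps omit the signing key; without it apt-get update rejects the repo
      # (NO_PUBKEY) and 'apt-get install mdatp' cannot find the package.
      sudo apt-get install -y curl gnupg
      curl -fsSL https://packages.microsoft.com/keys/microsoft.asc \
        | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg >/dev/null
      curl -fsSL -o /tmp/microsoft-prod.list "$url"
      sudo mv /tmp/microsoft-prod.list /etc/apt/sources.list.d/microsoft-prod.list
      sudo apt-get update
      sudo apt-get install -y mdatp
      ;;
  esac
}

# Run the tenant-specific onboarding script from the downloaded package, then confirm the
# sensor reports an org_id (empty, or an empty quoted string, means not onboarded).
mde_onboard() {
  local zip="$1" org
  unzip -o "$zip"
  sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py
  org=$(mdatp health --field org_id)
  org=${org#\"}; org=${org%\"}          # mdatp prints string fields with surrounding quotes
  if [ -z "$org" ]; then
    echo "onboarding failed: org_id is empty; check 'mdatp health' and connectivity" >&2
    return 1
  fi
  echo "onboarded: org_id=$org"
}

main() {
  . /etc/os-release                     # defines ID and VERSION_ID
  local cfg mgr url
  cfg=$(mde_repo_config "$ID" "$VERSION_ID") || { echo "unsupported distribution: $ID $VERSION_ID" >&2; exit 1; }
  mgr=${cfg%% *}; url=${cfg#* }
  mde_install "$mgr" "$url"
  mde_onboard "${1:-WindowsDefenderATPOnboardingPackage.zip}"
}

# Only act when invoked as './mde-onboard.sh --run [package.zip]', so the functions can be
# sourced and tested without touching the system.
if [ "${1:-}" = "--run" ]; then main "${2:-}"; fi
```

Run it as ./mde-onboard.sh --run on the target host after copying the tenant-specific onboarding zip next to it; because the script exits non-zero when org_id stays empty, a configuration-management tool can treat that exit status as a failed onboarding.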
Step 5: Onboard Mobile Devices
iOS Devices (via Intune)
- Ensure Microsoft Defender app is deployed via Intune
- Create an App configuration policy for iOS
- Configure:
  - VPN profile for web protection
  - Supervised mode settings (if applicable)
- Assign to user groups
Android Devices (via Intune)
- Deploy Microsoft Defender app from Managed Google Play
- Create an App configuration policy for Android
- Configure permissions and settings
- Assign to user groups
Step 6: Verify Onboarding Status
Check in Microsoft Defender Portal
- Go to Assets > Devices
- Search for the onboarded device by name
- Verify:
  - Onboarding status: Onboarded
  - Health state: Active
  - Sensor health: No issues
Run Detection Test
Validate Defender is working by running a detection test:
Windows:
# Run from elevated PowerShell
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference='silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
macOS/Linux:
curl -o /tmp/safe_eicar.txt https://www.eicar.org/download/eicar.com.txt
After running the test, an alert should appear in the Defender portal within 10-30 minutes.
Check Local Health (Windows)
# Check Defender service status
Get-Service -Name Sense
# Check onboarding status via registry
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
# Run connectivity test
& "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" -test
Check Local Health (macOS/Linux)
# Check health status
mdatp health
# Check specific fields
mdatp health --field healthy
mdatp health --field org_id
mdatp health --field real_time_protection_enabled
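As an added example (not the guide's or Microsoft's own tooling), the three field checks above folded into one pass/fail assessment that a cron job or a configuration-management compliance check can run. It assumes mdatp prints boolean fields as true/false and string fields inside double quotes; the function names and the --run guard are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: one pass/fail assessment built from the three
# 'mdatp health --field' checks above. Assumes mdatp prints booleans as true/false and
# strings inside double quotes.
set -eu

# Evaluate the three values as 'mdatp health --field <name>' prints them:
#   $1 healthy, $2 org_id, $3 real_time_protection_enabled
# Prints one line per failing check with a remediation hint, or a single PASS line,
# and returns 1 if anything failed.
mde_assess() {
  local healthy="$1" org_id="$2" rtp="$3" rc=0
  org_id=${org_id#\"}; org_id=${org_id%\"}     # strip the quotes around string fields
  if [ "$healthy" != "true" ]; then
    echo "FAIL healthy=$healthy: sensor reports a problem, run 'mdatp health' for the failing field"
    rc=1
  fi
  if [ -z "$org_id" ]; then
    echo "FAIL org_id is empty: device is not onboarded, re-run the onboarding script"
    rc=1
  fi
  if [ "$rtp" != "true" ]; then
    echo "FAIL real_time_protection_enabled=$rtp: enable it or check the managed configuration"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "PASS onboarded to org $org_id with real-time protection on"
  fi
  return "$rc"
}

# Query the local sensor (macOS or Linux) and assess it; the exit status is the assessment
# result, so this can be wired into cron, a monitoring agent or a compliance check.
mde_check_local() {
  mde_assess "$(mdatp health --field healthy)" \
             "$(mdatp health --field org_id)" \
             "$(mdatp health --field real_time_protection_enabled)"
}

if [ "${1:-}" = "--run" ]; then mde_check_local; fi
```

Invoke it as ./mde-health.sh --run; a non-zero exit with the printed FAIL lines points directly at the troubleshooting section below (not onboarded, sensor unhealthy, or real-time protection off).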
Troubleshooting Common Issues
Device Not Appearing in Portal
Symptoms: Device shows successful onboarding locally but doesn't appear in Defender portal.
Solutions:
- Verify network connectivity to *.securitycenter.windows.com
- Check proxy/firewall allows required URLs
- Ensure system clock is accurate
- Run the connectivity test tool: MDATPClientAnalyzer.cmd
- Review C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber\logs
Onboarding Script Fails
Symptoms: Script returns error or doesn't complete.
Solutions:
- Run as Administrator
- Temporarily disable other security software
- Verify package is for correct OS version
- Check Windows Event logs for errors
- Ensure .NET Framework 4.5+ is installed
Sensor Health Issues
Symptoms: Device shows "Inactive" or health warnings in portal.
Solutions:
- Restart the Sense service:
  net stop sense
  net start sense
- Verify network connectivity
- Check for conflicting security software
- Update to latest OS version
- Re-run onboarding script
Best Practices
- Test first: Onboard a few devices manually before large-scale deployment
- Use automation: Leverage Intune or GPO for consistent, scalable onboarding
- Monitor health: Regularly check device health status in the portal
- Document process: Create runbooks for onboarding new devices
- Plan offboarding: Know how to offboard devices when decommissioned
- Network preparation: Pre-configure firewall rules for Defender URLs
Network Requirements
Ensure the following URLs are accessible:
| URL Pattern | Purpose |
|---|---|
| *.securitycenter.windows.com | Primary service |
| *.security.microsoft.com | Portal access |
| *.microsoft.com | Updates and telemetry |
| *.blob.core.windows.net | Cloud storage |
For complete URL list, refer to Microsoft documentation.
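An added example (not from the guide or from Microsoft's own tooling) for the network preparation this section describes: it decides whether a host name seen in a proxy or firewall log falls under one of the wildcard patterns in the table above, and probes TCP/443 reachability to concrete hosts through whatever proxy the environment configures (curl honours the https_proxy variable). The pattern list, the matching rule (a leading *. covers any subdomain depth, and the bare domain is not covered), and the two probe hosts borrowed from elsewhere in this guide are this example's choices; the complete host list comes from Microsoft's documentation.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: allow-list pattern check plus TCP/443 probe for the
# Defender for Endpoint URL patterns listed above.
set -eu

# Patterns from the table above; extend with the Microsoft URL list for your region.
MDE_PATTERNS="*.securitycenter.windows.com *.security.microsoft.com *.microsoft.com *.blob.core.windows.net"

# Return 0 if the host falls under one of the wildcard patterns. A leading '*.' is treated as
# matching any subdomain depth; the bare domain (e.g. microsoft.com) does not match '*.microsoft.com'.
mde_host_allowed() {
  local host pat suffix
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  for pat in $MDE_PATTERNS; do
    suffix=${pat#\*}                 # "*.microsoft.com" -> ".microsoft.com"
    case "$host" in
      *"$suffix") return 0 ;;
    esac
  done
  return 1
}

# Probe reachability of https://<host>/ and print the HTTP status. Any real status (even 4xx/5xx)
# proves the TLS connection was made; 000 means DNS, firewall or proxy blocked the connection.
mde_probe() {
  local host="$1" code
  code=$(curl -sS -o /dev/null --connect-timeout 5 -w '%{http_code}' "https://${host}/" || true)
  printf '%-40s %s\n' "$host" "$code"
}

if [ "${1:-}" = "--run" ]; then
  # Concrete hosts named elsewhere in this guide; replace or extend with hosts from the
  # Microsoft URL list (the table above only gives wildcard patterns).
  for h in security.microsoft.com packages.microsoft.com; do
    if mde_host_allowed "$h"; then
      mde_probe "$h"
    else
      echo "$h is not covered by the allow-list patterns"
    fi
  done
fi
```

Run it as ./mde-netcheck.sh --run from a device that sits behind the production proxy or firewall; a 000 result for a host the pattern check accepts means the allow-list is right on paper but the path is still blocked somewhere (DNS, egress filtering, or TLS inspection that the sensor does not trust).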
Next Steps
After successful onboarding:
- Configure alert notifications for security events
- Run remote antivirus scans on devices
- Configure Attack Surface Reduction rules for enhanced protection
- Review Security recommendations in the portal for device hardening
Need help with your Defender for Endpoint deployment? Inventive HQ provides comprehensive endpoint security services, from initial deployment to ongoing management and incident response. Contact us for a free consultation.