Onboard Windows 10 and Windows 11 devices using Mobile Device Management tools
Applies to:
You can use mobile device management (MDM) solutions to configure devices. Microsoft 365 information protection supports MDM solutions by providing OMA-URIs to create policies to manage devices.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Before you begin
If you're using Microsoft Intune, the device must be enrolled in MDM.
For more information on enabling MDM with Microsoft Intune, see Device enrollment (Microsoft Intune).
Onboard devices using Microsoft Intune
Follow the instructions from Intune.
Note
The Health Status for onboarded devices policy uses read-only properties and can't be remediated.
Offboard and monitor devices using Mobile Device Management tools
For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When you download an offboarding package, you are notified of the package's expiry date. The expiry date is also included in the package name.
Note
Onboarding and offboarding policies must not be deployed on the same device at the same time. If they are, unpredictable collisions will result.
Get the offboarding package from the Microsoft Purview compliance portal.
In the navigation pane, select Settings > Device onboarding > Offboarding.
In the Deployment method field, select Mobile Device Management / Microsoft Intune.
Select Download package, and save the .zip file.
Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named DeviceCompliance_valid_until_YYYY-MM-DD.offboarding.
Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings.
OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding Date type: String Value: [Copy and paste the value from the content of the DeviceCompliance_valid_until_YYYY-MM-DD.offboarding file]Note
If Microsoft Defender for Endpoint is already configured, you can Turn on device onboarding. If you do this, step 6 is not required.
Note
The Health Status for offboarded devices policy uses read-only properties and can't be remediated.
Important
Offboarding causes the device to stop sending sensor data to the portal. However, data from the device, including reference to any alerts it has received, will be retained for up to 6 months.
Related topics
- Onboard Windows 10 devices using Group Policy
- Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager
- Onboard Windows 10 devices using a local script
- Onboard non-persistent virtual desktop infrastructure (VDI) devices
- Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for