Onboard devices to Microsoft Defender for Business

With Microsoft Defender for Business, you have several options to choose from for onboarding your company's devices. This article walks you through your options and includes an overview of how onboarding works.

Got a minute? Please take our short survey about security. We'd love to hear from you!

What to do

  1. Select the tab for your operating system: Windows clients, macOS computers, or mobile devices.
  2. View your onboarding options and follow the guidance on the selected tab.
  3. Proceed to your next steps.

Windows clients

Choose one of the following options to onboard Windows client devices to Defender for Business:

Local script for Windows clients

You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Intune (if it isn't already enrolled), and then onboards the device to Defender for Business. The local script method works even if you don't currently have Intune. We recommend onboarding up to 10 devices at a time using this method.


We recommend onboarding up to 10 devices at a time when you use the local script method.

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com), and sign in.

  2. In the navigation pane, choose Settings > Endpoints, and then under Device management, choose Onboarding.

  3. Select an operating system, such as Windows 10 and 11, and then, in the Deployment method section, choose Local script.

  4. Select Download onboarding package. We recommend saving the onboarding package to a removable drive.

  5. On a Windows device, extract the contents of the configuration package to a location, such as the Desktop folder. You should have a file named WindowsDefenderATPLocalOnboardingScript.cmd.

  6. Open Command Prompt as an administrator.

  7. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type %userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd, and then press the Enter key (or select OK).

  8. After the script runs, proceed to Run a detection test.

Group Policy for Windows clients

If you prefer to use Group Policy to onboard Windows clients, follow the guidance in Onboard Windows devices using Group Policy. This article describes the steps for onboarding to Microsoft Defender for Endpoint; however, the steps for onboarding to Defender for Business are similar.

Microsoft Intune for Windows clients

If your subscription includes Intune, you can onboard Windows clients and other devices in the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com). For example, if you have Microsoft 365 Business Premium, you've Intune as part of your subscription.

There are several methods available for enrolling devices in Intune. We recommend starting with one of the following methods:

To enable automatic enrollment for Windows devices

When you set up automatic enrollment, users add their work account to the device. In the background, the device registers and joins Azure Active Directory (Azure AD), and is enrolled in Intune.

  1. Go to the Azure portal (https://portal.azure.com/) and sign in.

  2. Select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

  3. Configure the MDM User scope and the MAM user scope.

    Screenshot of setting MDM user scope and MAM user scope in Intune.

    • For MDM User scope, we recommend selecting All so that all users can automatically enroll their Windows devices.

    • In the MAM user scope section, we recommend using the following default values for the URLs:

      • MDM Terms of use URL
      • MDM Discovery URL
      • MDM Compliance URL
  4. Choose Save.

  5. After a device has been enrolled in Intune, you can add it to a device group. Learn more about device groups in Microsoft Defender for Business.


To learn more about automatic enrollment, see Enable Windows automatic enrollment.

To have users enroll their own Windows devices

  1. Watch the following video to see how enrollment works:

  2. Share this article with users in your organization: Enroll Windows 10/11 devices in Intune.

  3. After a device has been enrolled in Intune, you can add it to a device group. Learn more about device groups in Microsoft Defender for Business.

Running a detection test on a Windows client

After you've onboarded Windows devices to Defender for Business, you can run a detection test on a Windows device to make sure that everything is working correctly.

  1. On the Windows device, create a folder: C:\test-MDATP-test.

  2. Open Command Prompt as an administrator.

  3. In the Command Prompt window, run the following PowerShell command:

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

After the command has run, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal (https://security.microsoft.com) for the newly onboarded device in about 10 minutes.

View a list of onboarded devices

To view the list of devices that are onboarded to Defender for Business, in the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, under Endpoints, choose Device inventory.

Next steps