Onboard Windows 10 devices using Mobile Device Management tools

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

Want to experience Microsoft Defender ATP? Sign up for a free trial.

You can use mobile device management (MDM) solutions to configure devices. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage devices.

For more information on using Microsoft Defender ATP CSP see, WindowsAdvancedThreatProtection CSP and WindowsAdvancedThreatProtection DDF file.

Before you begin

If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.

For more information on enabling MDM with Microsoft Intune, see Device enrollment (Microsoft Intune).

Onboard devices using Microsoft Intune

Follow the instructions from Intune.

For more information on using Microsoft Defender ATP CSP see, WindowsAdvancedThreatProtection CSP and WindowsAdvancedThreatProtection DDF file.

Note

  • The Health Status for onboarded devices policy uses read-only properties and can't be remediated.
  • Configuration of diagnostic data reporting frequency is only available for devices on Windows 10, version 1703.

Tip

After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP device.

Offboard and monitor devices using Mobile Device Management tools

For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.

  1. Get the offboarding package from Microsoft Defender Security Center:

    a. In the navigation pane, select Settings > Offboarding.

    b. Select Windows 10 as the operating system.

    c. In the Deployment method field, select Mobile Device Management / Microsoft Intune.

    d. Click Download package, and save the .zip file.

  2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding.

  3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings.

    OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
    Date type: String
    Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]

For more information on Microsoft Intune policy settings see, Windows 10 policy settings in Microsoft Intune.

Note

The Health Status for offboarded devices policy uses read-only properties and can't be remediated.

Important

Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.