Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview

Microsoft 365 Endpoint data loss prevention (Endpoint DLP) and insider risk management require that Windows 10 and Windows 11 devices be onboarded into the service so that they can send monitoring data to the services.

Microsoft 365 Endpoint DLP allows you to monitor Windows 10 or Windows 11 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them. For more information about all of Microsoft’s DLP offerings, see Learn about data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention.

Insider risk management uses the full breadth of service and 3rd-party indicators to help you quickly identify, triage, and act on risky user activity. By using logs from Microsoft 365 and Microsoft Graph, insider risk management allows you to define specific policies to identify risk indicators and to take action to mitigate these risks. For more information, see Learn about insider risk management in Microsoft 365.

Device onboarding is shared across Microsoft 365 and Microsoft Defender for Endpoint (MDE). If you've already onboarded devices to MDE, they appear in the managed devices list and no further steps are necessary to onboard those specific devices. Onboarding devices in the Microsoft 365 compliance center also onboards them into MDE.

Before you begin

SKU/subscriptions licensing

Check the licensing requirements here.

Permissions

To enable device management, the account you use must be a member of any one of these roles:

  • Global admin
  • Security admin
  • Compliance admin

If you want to use a custom account to view the device management settings, it must be in one of these roles:

  • Global admin
  • Compliance admin
  • Compliance data admin
  • Global reader

If you want to use a custom account to access the onboarding/offboarding page, it must be in one of these roles:

  • Global admin
  • Compliance admin

If you want to use a custom account to turn on/off device monitoring, it must be in one of these roles:

  • Global admin
  • Compliance admin

Prepare your Windows devices

Make sure that the Windows devices that you need to onboard meet these requirements.

  1. Must be running Windows 10 x64 build 1809 or later or Windows 11.

  2. Antimalware Client Version is 4.18.2009.7 or newer. To check your current version, open the Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623.

    Note

    None of the other Windows Security components need to be active, but Real-time protection and Behavior monitoring must be enabled.

  3. The following Windows updates are installed on the Windows 10 devices that will be monitored.

    Note

    These updates are not a prerequisite for onboarding a device, but they contain fixes for important issues and must be installed before you use the product.

    • For Windows 10 1809 - KB4559003, KB4577069, KB4580390
    • For Windows 10 1903 or 1909 - KB4559004, KB4577062, KB4580386
    • For Windows 10 2004 - KB4568831, KB4577063
  4. All devices must be one of these:

  5. For devices running Office 2016 (and not any other Office version) - KB4577063

  6. If you are on Monthly Enterprise Channel of Microsoft 365 Apps versions 2004-2008, there is a known issue with classifying Office content and you need to update to version 2009 or later. See Update history for Microsoft 365 Apps (listed by date) for current versions. To learn more about this issue, see the Office Suite section of Release notes for Current Channel releases in 2020.

  7. If you have endpoints that use a device proxy to connect to the internet, follow the procedures in Configure device proxy and internet connection settings for Information Protection.
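As an added example (not part of the Microsoft page), the following PowerShell script, run in an elevated session on the device, checks requirements 1 to 3 above before you deploy the onboarding package. The version threshold and KB numbers are the page's; the mapping of release names to build numbers (1809 = 17763, 1903 = 18362, 1909 = 18363, 2004 = 19041, Windows 11 = 22000 and later) and the choice of Get-MpComputerStatus, Get-HotFix and Win32_OperatingSystem as the way to read those values are my assumptions about how to verify what the page states.

```powershell
# Added example, not from the Microsoft page: pre-flight check of the
# Endpoint DLP onboarding prerequisites. Run as administrator on the device.
# Build-number mapping and cmdlet choices are assumptions (see lead-in).

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$is64  = [Environment]::Is64BitOperatingSystem

# 1. Windows 10 x64 build 1809 (17763) or later; Windows 11 (22000+) also passes.
$osOk = $is64 -and ($build -ge 17763)
Write-Host ("OS build {0}, x64={1}: {2}" -f $build, $is64, $(if ($osOk) { 'OK' } else { 'FAIL' }))

# 2. Antimalware Client Version 4.18.2009.7 or newer, with real-time protection
#    and behavior monitoring enabled. Get-MpComputerStatus exposes all three;
#    AMProductVersion is the value shown as "Antimalware Client Version" in the
#    Windows Security app.
$mp    = Get-MpComputerStatus
$minAm = [version]'4.18.2009.7'
if ($mp.AMProductVersion) {
    $amOk = [version]$mp.AMProductVersion -ge $minAm
    Write-Host ("Antimalware Client Version {0}: {1}" -f $mp.AMProductVersion,
        $(if ($amOk) { 'OK' } else { "FAIL (need >= $minAm, install KB4052623)" }))
} else {
    Write-Host 'Antimalware Client Version not reported: FAIL (is Microsoft Defender Antivirus running?)'
}
Write-Host ("Real-time protection enabled: {0}" -f $mp.RealTimeProtectionEnabled)
Write-Host ("Behavior monitoring enabled:  {0}" -f $mp.BehaviorMonitorEnabled)

# 3. Release-specific updates the page lists. Builds not in the table
#    (including Windows 11) have no entry and are skipped.
$kbByBuild = @{
    17763 = @('KB4559003', 'KB4577069', 'KB4580390')   # Windows 10 1809
    18362 = @('KB4559004', 'KB4577062', 'KB4580386')   # Windows 10 1903
    18363 = @('KB4559004', 'KB4577062', 'KB4580386')   # Windows 10 1909
    19041 = @('KB4568831', 'KB4577063')                # Windows 10 2004
}
if ($kbByBuild.ContainsKey($build)) {
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $kbByBuild[$build]) {
        $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
        Write-Host ("  {0}: {1}" -f $kb, $state)
    }
} else {
    Write-Host "No release-specific KB list on the page for build $build"
}
```

Two caveats when reading the output: the KBs in step 3 are cumulative updates, and once a newer cumulative update is installed the older one is superseded and may no longer appear in Get-HotFix, so a MISSING line on an otherwise up-to-date device is not by itself a failure. KB4052623 is a Defender platform update and is likewise not something Get-HotFix reliably reports; the AMProductVersion comparison is the check that matters for requirement 2.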

Onboarding Windows 10 or Windows 11 devices

You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft 365 compliance center.

When you want to onboard devices that haven't been onboarded yet, you'll download the appropriate script and deploy it to those devices. Follow the device onboarding procedures below.

If you already have devices onboarded into Microsoft Defender for Endpoint, they will already appear in the managed devices list.

In this deployment scenario, you'll onboard Windows 10 or Windows 11 devices that have not been onboarded yet.

  1. Open the Microsoft compliance center. Choose Settings > Enable device monitoring.

    Note

    While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.

  2. Open the Compliance Center settings page and choose Onboard devices.

  3. Choose Device management to open the Devices list.

Note

If you have previously deployed Microsoft Defender for Endpoint, all the devices that were onboarded during that process will be listed in the Devices list. There is no need to onboard them again.

  4. Choose Onboarding to begin the onboarding process.

  5. Choose the way you want to deploy to these additional devices from the Deployment method list, and then choose Download package.

  6. Choose the appropriate procedure to follow from the list below:

  • Onboard Windows 10 or 11 devices using Group Policy: Use Group Policy to deploy the configuration package on devices.
  • Onboard Windows 10 or 11 devices using Microsoft Endpoint Configuration Manager: You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606, or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier, to deploy the configuration package on devices.
  • Onboard Windows 10 or 11 devices using Mobile Device Management tools: Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on devices.
  • Onboard Windows 10 or 11 devices using a local script: Learn how to use the local script to deploy the configuration package on endpoints.
  • Onboard non-persistent virtual desktop infrastructure (VDI) devices: Learn how to use the configuration package to configure VDI devices.

Once a device is onboarded, it should be visible in the Devices list and also start reporting audit activity logs to Activity explorer.
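Because device onboarding is shared with Microsoft Defender for Endpoint, the quickest way to confirm on the device itself that the configuration package took effect, before waiting for it to appear in the Devices list, is to read the MDE sensor's own signals. The following PowerShell, run in an elevated session, is an added example and not part of the Microsoft page; the registry path, the Sense service name and the SENSE operational log are the standard MDE sensor locations, and the interpretation of each result is mine.

```powershell
# Added example, not from the Microsoft page: verify on the endpoint that the
# onboarding package applied and the sensor is running. Run as administrator.

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

# The onboarding package sets OnboardingState = 1 under the Status key.
# A missing value means the package was never run (or failed) on this device.
$state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
Write-Host ("OnboardingState: {0}" -f $(if ($null -eq $state) { 'not set (package not applied?)' } else { $state }))

# The Sense service is the sensor that sends telemetry to the service.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($null -eq $sense) {
    Write-Host 'Sense service not present: re-check the OS build and Antimalware Client Version prerequisites'
} else {
    Write-Host ("Sense service: {0} (StartType {1})" -f $sense.Status, $sense.StartType)
}

# Most recent sensor events. Errors here after onboarding usually point at the
# device proxy / internet connectivity settings referenced in the prerequisites.
Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } } -AutoSize
```

Read the three results together: OnboardingState = 1 with the Sense service running and no error-level events is the state a device should be in before you expect it to show up in the Devices list and in Activity explorer. OnboardingState = 1 with the service stopped or absent means the package ran but the platform prerequisites are not met; a state value that is missing means the deployment method (Group Policy, Configuration Manager, MDM, or the local script) never ran the package on this device.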

Viewing Endpoint DLP alerts in DLP Alerts Management dashboard

  1. Open the Data loss prevention page in the Microsoft 365 compliance center and choose Alerts.

  2. Refer to the procedures in How to configure and view alerts for your DLP policies to view alerts for your Endpoint DLP policies.

Viewing Endpoint DLP data in activity explorer

  1. Open the Data classification page for your domain in the Microsoft 365 Compliance center and choose Activity explorer.

  2. Refer to the procedures in Get started with Activity explorer to access and filter all the data for your Endpoint devices.

