Onboard Windows 10 and Windows 11 devices using Mobile Device Management tools
Note
Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement.
Applies to:
You can use mobile device management (MDM) solutions to configure devices. Microsoft 365 information protection supports MDMs by providing OMA-URIs to create policies to manage devices.
Before you begin
If you're using Microsoft Intune, the device must be MDM enrolled. Otherwise, settings will not be applied successfully.
For more information on enabling MDM with Microsoft Intune, see Device enrollment (Microsoft Intune).
Onboard devices using Microsoft Intune
Follow the instructions from Intune.
Note
- The Health Status for onboarded devices policy uses read-only properties and can't be remediated.
Offboard and monitor devices using Mobile Device Management tools
For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the package's expiry date, and it will also be included in the package name.
Note
Onboarding and offboarding policies must not be deployed on the same device at the same time; otherwise, this will cause unpredictable collisions.
1. Get the offboarding package from the Microsoft Purview compliance portal.
2. In the navigation pane, select Settings > Device onboarding > Offboarding.
3. In the Deployment method field, select Mobile Device Management / Microsoft Intune.
4. Click Download package, and save the .zip file.
5. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named DeviceCompliance_valid_until_YYYY-MM-DD.offboarding.
6. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings.
   - OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
   - Data type: String
   - Value: [Copy and paste the value from the content of the DeviceCompliance_valid_until_YYYY-MM-DD.offboarding file]
Note
If Microsoft Defender for Endpoint is already configured, you can Turn on device onboarding and Step 6 is no longer required.
Note
The Health Status for offboarded devices policy uses read-only properties and can't be remediated.
Important
Offboarding causes the device to stop sending sensor data to the portal, but data from the device, including reference to any alerts it has had, will be retained for up to 6 months.
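Because expired offboarding packages are rejected and the expiry date is carried in the file name, the package can be checked before its content is pasted into the custom policy. The following PowerShell is an added example, not part of the original documentation: the function name `Get-OffboardingPackageInfo`, the sample file, and the rule that the package counts as expired once the date in its name has passed are assumptions.

```powershell
# Added example: pre-deployment check for an offboarding package.
# Assumption: the package is treated as expired once the date in its file name has passed.
function Get-OffboardingPackageInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,
        [datetime]$Today = (Get-Date).Date
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $pattern = '^DeviceCompliance_valid_until_(\d{4}-\d{2}-\d{2})\.offboarding$'
    if ($file.Name -notmatch $pattern) {
        throw "Unexpected file name '$($file.Name)'; expected DeviceCompliance_valid_until_YYYY-MM-DD.offboarding."
    }

    # Parse the expiry date strictly so a malformed date fails instead of being guessed.
    $validUntil = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd',
        [System.Globalization.CultureInfo]::InvariantCulture)
    $daysLeft = ($validUntil - $Today).Days

    [pscustomobject]@{
        OmaUri     = './Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding'
        DataType   = 'String'
        ValidUntil = $validUntil
        DaysLeft   = $daysLeft
        Expired    = $daysLeft -lt 0
        Value      = (Get-Content -LiteralPath $file.FullName -Raw).Trim()
    }
}

# Constructed sample file (placeholder content, not a real offboarding blob).
$stamp  = (Get-Date).AddDays(10).ToString('yyyy-MM-dd',
    [System.Globalization.CultureInfo]::InvariantCulture)
$sample = Join-Path ([System.IO.Path]::GetTempPath()) "DeviceCompliance_valid_until_$stamp.offboarding"
Set-Content -LiteralPath $sample -Value 'CONSTRUCTED-PLACEHOLDER-CONTENT'

$pkg = Get-OffboardingPackageInfo -Path $sample
if ($pkg.Expired) {
    throw "Package expired on $($pkg.ValidUntil.ToString('yyyy-MM-dd')); download a new one."
}
if ($pkg.DaysLeft -le 3) {
    Write-Warning "Package expires in $($pkg.DaysLeft) day(s); deploy soon or download a new one."
}

# Fields to enter in the custom configuration policy.
$pkg | Format-List OmaUri, DataType, ValidUntil, DaysLeft, Value
```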
Related topics
- Onboard Windows 10 devices using Group Policy
- Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager
- Onboard Windows 10 devices using a local script
- Onboard non-persistent virtual desktop infrastructure (VDI) devices
- Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues