# Onboard Hosts to Microsoft Defender for Endpoint

In this guide, you'll gather a list of devices that are already onboarded to Microsoft Defender for Endpoint, as well as those currently managed by your organization through Microsoft Entra ID, Intune, or Active Directory. Comparing the two lists helps ensure full coverage and identifies any unmanaged or unmonitored endpoints.

{% hint style="info" %}
**Note**: Skip this step if this is your first time onboarding devices to Defender.
{% endhint %}

1. Access the [Microsoft Security](https://www.security.microsoft.com) portal.
2. On the left menu, click **Devices**.
3. On the **Computers & Mobiles** tab, you will see a list of the devices already registered on Defender for Endpoint.
4. Click the **Export** button to export the current view in order to compare with the list of managed devices in the organization.

### List devices registered on the organization

If the devices are registered in Microsoft Entra ID (formerly Azure AD), then complete the following steps:

1. Log in to the [Microsoft Azure Portal](https://portal.azure.com/#home).
2. On the left menu, click on **Microsoft Entra ID**.
3. Click **Devices**, then click **All Devices**.
4. This page provides the list of devices registered on the domain.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FfpY1ZyhJUvKFdLVMjhbe%2FOnboarding_Hosts_To_Defender_02.webp?alt=media&#x26;token=f8e2b575-2311-46a5-8af9-ba871924b8c1" alt=""><figcaption></figcaption></figure></div>

5. Click **Download Devices** to export the current view in order to compare with the list of devices onboarded to Defender for Endpoint.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FJoJVHUZqa3uU6asKF5vT%2FOnboarding_Hosts_To_Defender_03.webp?alt=media&#x26;token=fc3c974f-ecc3-4fca-83a1-9fdd11f37685" alt=""><figcaption></figcaption></figure></div>

### Devices managed by Intune

If the devices are managed by Intune, then complete the following steps:

1. Access the [www.security.microsoft.com](http://security.microsoft.com/) portal.
2. On the left menu, click **Devices**, then click **All devices**.
3. This page provides the list of devices managed by Intune.
4. Click the **Export** button to export the current view in order to compare with the list of devices onboarded into Defender for Endpoint.

If your organization has an on-premises Active Directory, get the list of registered computers by running the following command in PowerShell on a domain controller (or on any domain-joined host that has the ActiveDirectory PowerShell module installed):

```powershell
# Lists every computer object in the domain. Name and DistinguishedName are part of
# Get-ADComputer's default output, so -Properties * (which fetches every attribute) is not needed.
Get-ADComputer -Filter * | Select-Object Name, DistinguishedName
```
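The guide asks you to compare the Defender for Endpoint export with the directory's own device list. The following PowerShell script is an added example, not part of the original guide, that does that comparison and reports the coverage gaps. The sample rows are constructed inline so it runs offline; the column name `Device name` for the portal export is an assumption, so check the header of your own export and adjust `$DefenderNameColumn` accordingly. The same function works for an Entra ID or Intune export once you pass its device-name column.

```powershell
# Added example: compare the Defender for Endpoint device export with the AD computer list
# and report which AD computers are not yet onboarded. Not from the original guide.

# Constructed sample of the portal export. The column name is an ASSUMPTION; verify it
# against the header of your real export.
$DefenderNameColumn = 'Device name'
$defenderCsv = @'
Device name,OS platform,Onboarding status
ws-001.mydomain.local,Windows 11,Onboarded
ws-002.mydomain.local,Windows 10,Onboarded
srv-file01.mydomain.local,Windows Server 2022,Onboarded
'@

# Constructed sample of the Get-ADComputer output (Name, DistinguishedName).
$adCsv = @'
Name,DistinguishedName
WS-001,"CN=WS-001,OU=Workstations,DC=mydomain,DC=local"
WS-002,"CN=WS-002,OU=Workstations,DC=mydomain,DC=local"
WS-003,"CN=WS-003,OU=Workstations,DC=mydomain,DC=local"
SRV-FILE01,"CN=SRV-FILE01,OU=Servers,DC=mydomain,DC=local"
LAB-PC7,"CN=LAB-PC7,OU=Lab,DC=mydomain,DC=local"
'@

function Get-ShortHostName {
    param([string]$Name)
    # The portal usually shows FQDNs while AD shows short names; compare on the first
    # DNS label, case-insensitively, so ws-001.mydomain.local matches WS-001.
    ($Name -split '\.')[0].Trim().ToLowerInvariant()
}

function Compare-OnboardingCoverage {
    param(
        [object[]]$DefenderDevices,
        [object[]]$AdComputers,
        [string]$DefenderNameColumn = 'Device name'
    )
    # Index the onboarded devices by normalised host name for O(1) lookups.
    $onboarded = @{}
    foreach ($d in $DefenderDevices) {
        $onboarded[(Get-ShortHostName $d.$DefenderNameColumn)] = $true
    }
    # Emit one row per AD computer with an Onboarded flag.
    foreach ($c in $AdComputers) {
        [pscustomobject]@{
            Name              = $c.Name
            DistinguishedName = $c.DistinguishedName
            Onboarded         = [bool]$onboarded[(Get-ShortHostName $c.Name)]
        }
    }
}

# Offline run on the constructed samples. In production replace these two lines with
#   $defender = Import-Csv .\DefenderExport.csv
#   $ad       = Get-ADComputer -Filter * | Select-Object Name, DistinguishedName
$defender = $defenderCsv | ConvertFrom-Csv
$ad       = $adCsv       | ConvertFrom-Csv

$coverage = Compare-OnboardingCoverage -DefenderDevices $defender -AdComputers $ad -DefenderNameColumn $DefenderNameColumn
$gaps     = $coverage | Where-Object { -not $_.Onboarded }

"{0} of {1} AD computers are onboarded; {2} gap(s) to onboard:" -f ($coverage.Count - $gaps.Count), $coverage.Count, $gaps.Count
$gaps | Format-Table Name, DistinguishedName -AutoSize

# The reverse check: devices the portal knows about that are not in AD at all. These are
# worth a look too (stale objects, rogue or unmanaged hosts, or a naming mismatch).
$adNames = $ad | ForEach-Object { Get-ShortHostName $_.Name }
$unknown = $defender | Where-Object { $adNames -notcontains (Get-ShortHostName $_.$DefenderNameColumn) }
if ($unknown) {
    'Onboarded devices not found in AD:'
    $unknown | Format-Table $DefenderNameColumn -AutoSize
}
```

On the constructed data the gaps are `WS-003` and `LAB-PC7`. In a real run, consider filtering the AD side to enabled accounts (`Where-Object { $_.Enabled }`) so that decommissioned computer objects are not reported as coverage gaps.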

### Requirements for onboarding devices to Defender for Endpoint

There are some requirements for onboarding devices to the Defender for Endpoint service:

* [ ] For information on software requirements, check out [Microsoft documentation.](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide#supported-windows-versions)
* [ ] Access to a global admin or security administrator account
* [ ] List of devices to onboard from previous step

For Windows devices we have the following onboarding methods available:

* [ ] Local script (up to 10 devices)
* [ ] Group Policy
* [ ] Microsoft Intune
* [ ] Mobile Device Manager
* [ ] Microsoft Configuration Manager
* [ ] VDI Scripts

Since some methods are heavily dependent on an organization's architecture and configuration, we'll only cover the first two onboarding methods: **local script** and **group policy**. For more detailed information on the other methods, please refer to the [Microsoft documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deployment-strategy?view=o365-worldwide#step-2-select-deployment-method).

### Local script

This method is usually used to test the onboarding process and to onboard a small number of test devices.

1. Access the [www.security.microsoft.com](http://security.microsoft.com/) portal.
2. On the left menu, select **Settings** > **Endpoints** > **Device** **management** > **Onboarding**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F5HIdCeI23HIjL1YDJPOa%2FOnboarding_Hosts_To_Defender_04.webp?alt=media&#x26;token=ee1807c7-74b6-4cca-b415-2e6efc2f6805" alt=""><figcaption></figcaption></figure> <figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fr0WkTBSe0c3sXDdw92fT%2FOnboarding_Hosts_To_Defender_05.webp?alt=media&#x26;token=3e7320a9-379b-4881-ab24-e64833b5f4b3" alt=""><figcaption></figcaption></figure></div>

3. In the **Select the operating system** drop-down, select the operating system.
4. In the **Deployment** **Method** drop-down, select **Local** **Script** and then click **Download onboarding package**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FGykzNreLRwbtRkvoWdRe%2FOnboarding_Hosts_To_Defender_06.webp?alt=media&#x26;token=6cd182c6-fe38-4ed7-9a7d-c3417bb16828" alt=""><figcaption></figcaption></figure></div>

5. Save the file and extract its contents on the device you want to onboard. You should have a file named `WindowsDefenderATPLocalOnboardingScript.cmd`.
6. Hit the **Windows Key** and type **CMD**, then click on **Run as administrator**.
7. Type the full path to the extracted `WindowsDefenderATPLocalOnboardingScript.cmd` file and press Enter to run the script.
8. Wait until the script finishes the onboarding process and then access the security portal and check if the device is listed under **Assets** > **Devices**.

### Group policy

This method uses a group policy to deploy and run the onboarding script on the selected devices.

1. Access the [www.security.microsoft.com](http://security.microsoft.com/) portal.
2. On the left menu, select **Settings** > **Endpoints** > **Device** **management** > **Onboarding**.

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F5HIdCeI23HIjL1YDJPOa%2FOnboarding_Hosts_To_Defender_04.webp?alt=media&#x26;token=ee1807c7-74b6-4cca-b415-2e6efc2f6805" alt=""><figcaption></figcaption></figure> <figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fr0WkTBSe0c3sXDdw92fT%2FOnboarding_Hosts_To_Defender_05.webp?alt=media&#x26;token=3e7320a9-379b-4881-ab24-e64833b5f4b3" alt=""><figcaption></figcaption></figure></div>
3. In the **Select** **the operating system** drop-down, select the operating system.
4. In the **Deployment** **Method** drop-down, select **Group Policy** and then click **Download onboarding package**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FZ7TlKwAJijWU8czDB77t%2FOnboarding_Hosts_To_Defender_07.webp?alt=media&#x26;token=181f822b-55bd-44f7-bc38-dde44f05a016" alt=""><figcaption></figcaption></figure></div>

5. Click **Download onboarding package** and save the .zip file.
6. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices being onboarded. You should have a folder named `OptionalParamsPolicy` and the file `WindowsDefenderATPOnboardingScript.cmd`.
7. To create a new GPO, open the **Group Policy Management Console (GPMC)** on your Active Directory, right-click **Group Policy Objects** and click **New**. Enter the name of the new GPO in the dialogue box and click **OK**.
8. Back in the **GPMC**, right-click the **Group Policy Object (GPO)** you just created and click **Edit**.
9. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings.**
10. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task.**
11. In the Task window, go to the **General** tab.
    1. Under **Security** **options** click **Change User or Group** and type **SYSTEM**.
    2. Click **Check Names** then click **OK**. **NT AUTHORITY\SYSTEM** appears as the user account that the task will run as.
12. Select **Run** **whether user is logged on or not** and select the **Run with highest privileges** checkbox.
13. In the **Name** field, enter an appropriate name for the scheduled task (for example, Defender for Endpoint Deployment).
14. Go to the **Actions** tab and select **New.**
    1. Ensure that **Start a program** is selected in the **Action** field.
    2. Enter the **UNC path** using the file server's fully qualified domain name (FQDN), along with the full path to the **WindowsDefenderATPOnboardingScript.cmd** file.\
       Example: `\\Server2.mydomain\Share\Test\WindowsDefenderATPOnboardingScript.cmd`
15. Select **OK** and close any open GPMC windows.
16. To link the GPO to an Organizational Unit (OU), right-click the OU and select **Link an existing GPO**.
    1. In the dialogue box that is displayed, select the **Group Policy Object** that you wish to link. Click **OK**.
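Both the local script method (step 8 above, checking that the device appears in the portal) and the group policy method end with the question of whether the sensor actually came up on each device. The following PowerShell script is an added example, not part of the original guide, that answers it from the endpoint side: it checks the `Sense` service and the `OnboardingState` value under the Defender for Endpoint `Status` registry key, the two artifacts Microsoft documents for onboarding troubleshooting. The OU distinguished name is a placeholder, and remote execution assumes WinRM is enabled on the targets.

```powershell
# Added example, not from the original guide: confirm the onboarded state on one device
# (local script method) or across an OU after the GPO scheduled task has run.

function Test-MdeOnboarding {
    # Registry key written by the onboarding script; OnboardingState = 1 means it completed.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState

    # The Sense service is the Defender for Endpoint sensor; it must exist and be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OnboardingState = $state
        SenseStatus     = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        Onboarded       = [bool]($state -eq 1 -and $sense -and $sense.Status -eq 'Running')
    }
}

# Local script method: run this on the freshly onboarded device from an elevated PowerShell.
Test-MdeOnboarding | Format-List

# Group policy method: query every enabled computer in the OU the GPO was linked to.
# PLACEHOLDER OU; replace with the distinguished name of your own OU.
$targetOu = 'OU=Workstations,DC=mydomain,DC=local'
$targets  = Get-ADComputer -Filter * -SearchBase $targetOu |
            Where-Object { $_.Enabled } |
            Select-Object -ExpandProperty DNSHostName

# ${function:Name} hands the function body to Invoke-Command as a script block, so the
# check runs remotely without copying any script to the targets.
$results = Invoke-Command -ComputerName $targets `
                          -ScriptBlock ${function:Test-MdeOnboarding} `
                          -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

$results | Sort-Object Onboarded, ComputerName |
    Format-Table ComputerName, OnboardingState, SenseStatus, Onboarded -AutoSize

if ($remoteErrors) {
    # A host that cannot be reached is not known to be onboarded; do not count it as covered.
    Write-Warning ("{0} host(s) could not be queried over WinRM; treat them as unverified." -f $remoteErrors.Count)
}
```

A device that shows `OnboardingState` 1 but `SenseStatus` other than `Running` has run the script but the sensor is not reporting; a device with no `Status` key at all never executed the script, which with the GPO method usually points at the scheduled task not firing or the UNC share not being readable by the computer account.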
