Onboard Hosts to Defender
Obtain the list of assets that do not require onboarding to Defender for Endpoint.
In this guide, you'll gather a list of devices that are already onboarded to Microsoft Defender for Endpoint, as well as those currently managed by your organization through Azure Entra ID, Intune, or Active Directory. Comparing the two lists helps you confirm full coverage and identify any unmanaged or unmonitored endpoints.
Access the www.security.microsoft.com portal.
On the left menu, click Devices.
On the Computers & Mobiles tab, you will see a list of the devices already onboarded to Defender for Endpoint.
Click the Export button to export the current view in order to compare with the list of managed devices in the organization.
List devices registered in the organization
If the devices are registered on Azure Entra ID (Azure AD), then complete the following steps:
Log in to the Microsoft Azure Portal.
On the left menu, click on Microsoft Entra ID.
Click Devices, then click All Devices.
This page provides the list of devices registered on the domain.

Click Download Devices to export the current view in order to compare with the list of devices onboarded to Defender for Endpoint.

Devices managed by Intune
If the devices are managed by Intune, then complete the following steps:
Access the www.security.microsoft.com portal.
On the left menu, click Devices, then click All devices.
This page provides the list of devices managed by Intune.
Click the Export button to export the current view in order to compare with the list of devices onboarded to Defender for Endpoint.
If your organization also has an on-premises Active Directory, get the list of registered computers by running the following command in PowerShell on a domain-joined host that has the Active Directory module installed (for example, a domain controller). Name and DistinguishedName are returned by default, so no extra properties need to be requested; the result is saved to a CSV so it can be compared with the other exports:
Get-ADComputer -Filter * | Select-Object Name, DistinguishedName | Export-Csv -Path .\ad-computers.csv -NoTypeInformation
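The comparison the steps above lead to, as an added example that is not part of the original guide: a PowerShell script that diffs the Defender export against the Entra ID, Intune and Active Directory exports and writes the managed devices that are not onboarded to a CSV. The file paths and the column names in $NameColumn are assumptions; check the header row of each export and adjust them to match your tenant.

```powershell
# Added example, not part of the original guide: find managed devices that are
# missing from Defender for Endpoint by diffing the exported CSV files.
# ASSUMPTIONS: the file paths and the header names in $NameColumn are placeholders;
# check the first row of each export and adjust them to match your tenant.
param(
    [string]$DefenderCsv = '.\defender-devices.csv',  # security.microsoft.com > Devices > Export
    [string]$EntraCsv    = '.\entra-devices.csv',     # Entra ID > Devices > Download devices
    [string]$IntuneCsv   = '.\intune-devices.csv',    # Intune > All devices > Export
    [string]$AdCsv       = '.\ad-computers.csv',      # Get-ADComputer ... | Export-Csv
    [string]$OutCsv      = '.\not-onboarded.csv'
)

# Column holding the device name in each export (assumed; verify against the CSV headers)
$NameColumn = @{ Defender = 'Device name'; Entra = 'displayName'; Intune = 'Device name'; AD = 'Name' }

function Get-DeviceNames {
    param([string]$Path, [string]$Column, [string]$Source)
    if (-not (Test-Path -Path $Path)) { Write-Warning "$Source export not found, skipping: $Path"; return }
    Import-Csv -Path $Path | ForEach-Object {
        $raw = $_.$Column
        if ($raw) {
            # Keep only the short host name, lower-cased, so HOST1 and host1.corp.local match
            [pscustomobject]@{ Name = $raw.Split('.')[0].ToLowerInvariant(); Source = $Source }
        }
    }
}

# Set of names already onboarded (case-insensitive)
$onboarded = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Get-DeviceNames $DefenderCsv $NameColumn.Defender 'Defender' | ForEach-Object { [void]$onboarded.Add($_.Name) }

# Union of every directory/MDM the organization manages devices with
$sources = @(
    @{ Path = $EntraCsv;  Column = $NameColumn.Entra;  Source = 'EntraID' },
    @{ Path = $IntuneCsv; Column = $NameColumn.Intune; Source = 'Intune' },
    @{ Path = $AdCsv;     Column = $NameColumn.AD;     Source = 'AD' }
)
$managed = foreach ($s in $sources) { Get-DeviceNames @s }

# One row per managed device not seen in the Defender export, with where it was seen
$gaps = $managed | Group-Object -Property Name |
    Where-Object { -not $onboarded.Contains($_.Name) } |
    ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; SeenIn = ($_.Group.Source | Sort-Object -Unique) -join ';' }
    }

$gaps | Sort-Object -Property Name | Export-Csv -Path $OutCsv -NoTypeInformation
'Managed (unique): {0}  Onboarded: {1}  Not onboarded: {2}  -> {3}' -f `
    @($managed.Name | Sort-Object -Unique).Count, $onboarded.Count, @($gaps).Count, $OutCsv
```

Devices that appear only in the Defender export (onboarded but not in any directory) are a separate finding; swap the roles of the two sets to list them.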
Requirements for onboarding devices to Defender for Endpoint
There are some requirements for onboarding devices to the Defender for Endpoint service:
For Windows devices we have the following onboarding methods available:
Since some methods are heavily dependent on an organization's architecture and configuration, we'll only cover the first two onboarding methods: local script and group policy. For more detailed information on the other methods, please refer to the Microsoft documentation.
Local script
This is usually used to test the onboarding process and to onboard test devices.
Access the www.security.microsoft.com portal.
On the left menu, select Settings > Endpoints > Device management > Onboarding.


In the Select the operating system drop-down, select the operating system.
In the Deployment Method drop-down, select Local Script and then click Download onboarding package.

Save the file and extract its contents on the device you want to onboard. You should have a file named WindowsDefenderATPLocalOnboardingScript.cmd.
Press the Windows key, type CMD, and then click Run as administrator.
Type the path to the extracted file, ending in WindowsDefenderATPLocalOnboardingScript.cmd, to run the script.
Wait until the script finishes the onboarding process, then open the security portal and check whether the device is listed under Assets > Devices.
Group policy
This method uses a group policy to deploy and run the onboarding script on the selected devices.
Access the www.security.microsoft.com portal.
On the left menu, select Settings > Endpoints > Device management > Onboarding.
In the Select the operating system drop-down, select the operating system.
In the Deployment Method drop-down, select Group Policy.

Click Download onboarding package and save the .zip file.
Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices being onboarded. You should have a folder named OptionalParamsPolicy and the file WindowsDefenderATPOnboardingScript.cmd.
To create a new GPO, access your Active Directory and open the Group Policy Management Console (GPMC), right-click Group Policy Objects and click New. Enter the name of the new GPO in the dialog box and click OK.
Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.
In the Group Policy Management Editor, go to Computer configuration, then Preferences, and then Control panel settings.
Right-click Scheduled tasks, point to New, and then click Immediate Task.
In the Task window, go to the General tab.
Under Security options click Change User or Group and type SYSTEM.
Click Check Names then click OK. NT AUTHORITY\SYSTEM appears as the user account that the task will run as.
Select Run whether user is logged on or not and select the Run with highest privileges checkbox.
In the Name field, enter an appropriate name for the scheduled task (for example, Defender for Endpoint Deployment).
Go to the Actions tab and select New.
Ensure that Start a program is selected in the Action field.
Enter the UNC path using the file server's fully qualified domain name (FQDN), along with the full path to the WindowsDefenderATPOnboardingScript.cmd file. Example:
\\Server2.mydomain\Share\Test\WindowsDefenderATPOnboardingScript.cmd
Select OK and close any open GPMC windows.
To link the GPO to an Organizational Unit (OU), right-click the OU and select Link an Existing GPO.
In the dialogue box that is displayed, select the Group Policy Object that you wish to link. Click OK.
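Whether the device was onboarded with the local script or through the GPO above, the portal listing can lag behind the device itself. The following added example, not part of the original guide, checks onboarding state on the device: it reads the Sense service, the OnboardingState value under the Windows Advanced Threat Protection Status registry key (1 means onboarded) and the newest error in the Microsoft-Windows-SENSE/Operational log. The function name and the OU path in the comment are assumptions, and remote checks assume WinRM is enabled and you have local administrator rights on the targets.

```powershell
# Added example, not part of the original guide: verify Defender for Endpoint onboarding
# on the local device or on remote devices (remote use assumes WinRM + local admin rights).
function Test-MdeOnboarding {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $check = {
        $svc    = Get-Service -Name Sense -ErrorAction SilentlyContinue
        $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                                   -ErrorAction SilentlyContinue
        # Level 1 = Critical, 2 = Error; Get-WinEvent returns newest events first
        $err = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
               Where-Object { $_.Level -le 2 } | Select-Object -First 1

        $serviceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        $state        = if ($status) { $status.OnboardingState } else { $null }
        $lastError    = if ($err) { '{0}: {1}' -f $err.Id, ($err.Message -split "`r?`n")[0] } else { $null }

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            SenseService    = $serviceState
            OnboardingState = $state                                  # 1 = onboarded
            Onboarded       = ($serviceState -eq 'Running' -and $state -eq 1)
            LastSenseError  = $lastError
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) { & $check }
        else { Invoke-Command -ComputerName $c -ScriptBlock $check -ErrorAction Continue }  # keep going on unreachable hosts
    }
}

# Check the local device
Test-MdeOnboarding | Format-List

# After the GPO has applied, check every computer in the linked OU (placeholder OU path; needs the AD module):
# $targets = (Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=mydomain,DC=local').Name
# Test-MdeOnboarding -ComputerName $targets | Where-Object { -not $_.Onboarded } | Format-Table
```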