Onboarding devices to Microsoft Defender for Endpoint via Intune

Microsoft Defender for Endpoint (MDE) is the right EDR choice for most Microsoft-heavy environments, and Intune is the right deployment method for it when your devices are Entra-joined or hybrid-joined. The catch is that the onboarding package has to be deployed exactly right — wrong profile type, wrong assignment, or a stale onboarding blob all silently fail without a clear error message. This runbook walks through the correct process end to end.

ⓘ License requirement

Microsoft Defender for Endpoint Plan 2 is included in Microsoft 365 E5, in Microsoft 365 E3 plus the Microsoft 365 E5 Security add-on, or as a standalone MDE P2 license. Defender for Endpoint Plan 1 is included in Microsoft 365 E3. Licenses are assigned per user, not per device, and Windows Server is licensed separately (Defender for Servers or a standalone server license). Confirm licensing before starting: onboarded devices without entitlement run in a limited state and won't show full telemetry.

Prerequisites

  • Intune enrolled devices (Entra-joined, hybrid-joined, or co-managed)
  • Microsoft Defender for Endpoint license assigned to users
  • Security Administrator role to access the Microsoft Defender portal (Global Administrator also works, but is far more privilege than onboarding needs)
  • Intune Administrator role to create and assign profiles

⚠ Don't use the SCCM onboarding script via Intune

The onboarding page in the Defender portal (Settings > Endpoints > Onboarding) offers one package per deployment method: Group Policy, Microsoft Configuration Manager, Mobile Device Management / Microsoft Intune, Local Script, and VDI. If you are not using the Intune connector, download the Intune package. Wrapping the Local Script or Configuration Manager package in an Intune Win32 app works inconsistently and leaves Intune's EDR policy reporting empty, and the Local Script package is intended for testing on a handful of devices, not fleet rollout.

Create the onboarding configuration profile

In the Microsoft Intune admin center (intune.microsoft.com):

  1. Go to Endpoint security > Endpoint detection and response
  2. Click Create Policy
  3. Platform: Windows 10, Windows 11, and Windows Server
  4. Profile: Endpoint detection and response
  5. Name the policy (e.g., MDE Onboarding — All Devices)
  6. Under Microsoft Defender for Endpoint client configuration package type, select Auto from connector — this pulls the onboarding blob directly from the MDE tenant connector rather than requiring a manual file upload

ⓘ Auto from connector vs manual package

Auto from connector is the correct option once the Intune-to-MDE service-to-service connector is set up (recommended). The connector has two halves: in the Defender portal, Settings > Endpoints > Advanced features > Microsoft Intune connection must be turned on, and in Intune it is configured under Endpoint security > Microsoft Defender for Endpoint, where the connection status should read Available. If the connector isn't set up, choose Onboard and upload the onboarding blob from the downloaded Intune package manually. The connector is worth setting up anyway, because it keeps the package current and removes the stale-blob failure mode entirely.

Assign the profile

Assign the profile to a device group, not a user group. MDE onboarding is device-level, and a user-targeted policy only reaches a device once a targeted user has enrolled or signed in on it, so shared devices, kiosks, Autopilot pre-provisioned devices, and anything enrolled by an account outside the group are missed. Create an Entra ID dynamic device group that targets all Windows devices, or assign to Intune's built-in All devices group. For a staged rollout, start with a narrower dynamic group and widen its rule once the verification steps below pass.
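As an added example (not part of the original runbook), here is how to create that dynamic device group with Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Groups module is installed and the signed-in account holds Group.ReadWrite.All; the group name, mail nickname and the commented ownership filter are illustrative choices, not names from this page.

```powershell
# Added example, not from the original runbook. Assumes Microsoft.Graph.Groups is installed
# and the account has Group.ReadWrite.All. Group name and nickname are illustrative.

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Dynamic membership rule: every Windows device in the tenant.
# For a staged rollout, narrow it, e.g.:
#   '(device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company")'
$rule = '(device.deviceOSType -eq "Windows")'

$group = New-MgGroup -DisplayName 'MDE-Onboarding-Windows-Devices' `
    -Description 'Dynamic device group targeted by the MDE EDR onboarding profile' `
    -MailEnabled:$false -MailNickname 'mde-onboarding-windows' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Dynamic membership is evaluated asynchronously. Poll until devices appear
# before assigning the EDR profile, otherwise the first status report is empty.
$count = (Get-MgGroupMember -GroupId $group.Id -All | Measure-Object).Count
"Group $($group.DisplayName) ($($group.Id)) currently has $count members"
```

The rule keys on device.deviceOSType rather than on a name pattern because device names are user-editable and drift; ownership and enrollment profile filters are the usual ways to cut a pilot ring out of the same rule.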

Verify devices are onboarded

After the profile deploys (allow 30–60 minutes), verify onboarding status:

Method 1: Microsoft Defender portal

Go to security.microsoft.com > Assets > Devices (the device inventory; it is not under Settings). Devices that onboarded successfully appear there within 1–2 hours. Filter on Onboarding status to separate onboarded devices from ones that are merely discovered (Can be onboarded) or unsupported, and sort by Last device update to spot sensors that have stopped reporting.

Method 2: On the device

# Run from an elevated PowerShell prompt (sc.exe, reg.exe and wevtutil.exe work the same
# from cmd; drop the # comment lines there)

# Check that the MDE sensor service is present and running
sc query sense
# Should show: STATE : 4 RUNNING
# Service name "Sense" is the MDE sensor (display name "Windows Defender Advanced Threat Protection Service")

# Check onboarding state via registry
reg query "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" /v OnboardingState
# Value 0x1 = onboarded, 0x0 or missing = not onboarded

# Confirm the device onboarded to the right tenant: OrgId must match the orgId in your onboarding package
reg query "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" /v OrgId

# Onboarding and connectivity errors are logged here, not in Intune
wevtutil qe Microsoft-Windows-SENSE/Operational /c:10 /rd:true /f:text
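The on-device checks above fold naturally into one function, shown here as an added example that is not part of the original runbook. It assumes the documented status registry key and the Microsoft-Windows-SENSE/Operational event log, and it adds the Defender Antivirus running mode so a device in passive mode next to a third-party AV (normal, EDR still works) is not mistaken for a broken one. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original runbook. Assumes the documented MDE status key
# and the Microsoft-Windows-SENSE/Operational event log. Run elevated.

function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # 1. Sensor service present and running? (service name Sense, process MsSense.exe)
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # 2. Onboarding blob applied, and to which tenant?
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $onboardingState = if ($status) { $status.OnboardingState } else { $null }   # 1 = onboarded
    $orgId           = if ($status) { $status.OrgId } else { $null }             # must match your tenant

    # 3. Defender AV mode: Normal, Passive Mode (expected beside a third-party AV; EDR still
    #    works) or EDR Block Mode. Get-MpComputerStatus comes from the built-in Defender module.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $avMode = if ($mp) { $mp.AMRunningMode } else { 'unknown' }

    # 4. Last SENSE events: connection and onboarding failures are logged here, not in Intune
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

    $senseRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SenseInstalled    = ($null -ne $svc)
        SenseRunning      = $senseRunning
        OnboardingState   = $onboardingState
        OrgId             = $orgId
        AvRunningMode     = $avMode
        Healthy           = $senseRunning -and ($onboardingState -eq 1) -and -not [string]::IsNullOrEmpty($orgId)
        RecentSenseEvents = @($events)
    }
}

# Local check
$r = Get-MdeOnboardingStatus
$r | Format-List ComputerName, SenseInstalled, SenseRunning, OnboardingState, OrgId, AvRunningMode, Healthy
$r.RecentSenseEvents | Format-Table -AutoSize

# Same check against a remote device with WinRM enabled (hostname is a placeholder):
# Invoke-Command -ComputerName PC-001 -ScriptBlock ${function:Get-MdeOnboardingStatus}
```

Healthy is deliberately strict: a running Sense service with OnboardingState 1 but an empty OrgId means the blob never persisted, which is exactly the silent failure the connector is meant to prevent.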

Method 3: Intune profile status

In Intune admin center, navigate to the EDR profile > Device status. Any device showing Error or Conflict needs investigation. Click the device name to see the specific error code.

Common failure modes

Symptom | Cause | Fix
Sense service missing entirely | The OS does not ship the sensor: Windows 10 earlier than 1607, or Windows Server 2012 R2 / 2016 without the modern unified agent installed | Update clients to a supported Windows 10/11 build. On Server 2012 R2 / 2016 install the unified agent (md4ws.msi) first, then onboard.
Profile shows Error in Intune, no onboarding | Intune-MDE connector not configured, not enabled on the Defender side, or expired | Re-authorize the connector at Intune > Endpoint security > Microsoft Defender for Endpoint and confirm the Microsoft Intune connection toggle in the Defender portal (Settings > Endpoints > Advanced features) is on.
Device appears in Defender portal but shows Inactive | Sensor stopped, or the device hasn't sent telemetry for 7+ days (often a proxy or firewall now blocking the Defender cloud URLs) | Restart the Sense service (net stop sense && net start sense) or reboot. If it stays Inactive, run the MDE Client Analyzer on the device to check sensor health and cloud connectivity.
Onboarded but no alerts generating | Usually nothing is wrong: a healthy device produces no alerts. A non-Microsoft AV puts Defender Antivirus into passive mode, which is expected and does not stop EDR. | Run the detection test from the Defender portal onboarding page and confirm an alert appears. With a third-party AV present, check that Get-MpComputerStatus reports AMRunningMode as Passive Mode rather than a disabled engine, or remove the third-party AV so Defender AV is active.
Server 2012 R2 / 2016 not onboarding | These releases need the modern unified agent (md4ws.msi) installed before the onboarding package runs; the old MMA-based path is deprecated. Server 2019 and later have the sensor built in. Servers also don't enroll in Intune MDM, so the Intune-enrolled device path above doesn't apply to them. | Install the unified agent, then onboard with the Group Policy, Configuration Manager or Local Script package, or manage them through Defender for Endpoint security settings management.

Configuring exclusions via Intune

Application-specific exclusions (for LOB apps, backup agents, monitoring tools that generate false positives) should be deployed via Intune, not configured locally on endpoints. Local exclusions don't survive a device wipe or re-enrollment.

In Intune: Endpoint security > Antivirus > Create Policy > platform Windows 10, Windows 11, and Windows Server > profile Microsoft Defender Antivirus. The profile carries the Excluded Paths, Excluded Extensions and Excluded Processes settings, plus Disable Local Admin Merge, which stops locally added exclusions from being merged into the centrally managed list. Scope these policies to the device groups that actually run the application in question; don't apply broad exclusions to all devices.

⚠ Exclusions reduce protection

Every exclusion is a blind spot. Document the business justification for each exclusion, limit scope to the devices that need it, and review exclusions quarterly. Attackers specifically target known exclusion paths.
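To make the quarterly review concrete, the following is an added example (my own script, not from the runbook or from Microsoft) that reads the effective Defender Antivirus exclusions on a device with Get-MpPreference and flags the patterns attackers look for: whole drives, user-writable folders, executable file types, and excluded interpreters. The risk rules are my own heuristics, so treat a hit as something that needs a written justification, not as something to delete on sight.

```powershell
# Added example, not from the original runbook. The risk heuristics are my own choices.
# Run elevated; Get-MpPreference returns the merged (local + Intune) exclusion lists.

function Get-RiskyDefenderExclusions {
    [CmdletBinding()]
    param()

    $pref = Get-MpPreference

    # Locations any standard user can write to: excluding them hands unprivileged malware a blind spot
    $userWritable = @('C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\', 'C:\Temp\')
    # Extension exclusions apply everywhere on disk, so executable/script types are never acceptable
    $execExt = @('exe','dll','sys','ps1','psm1','bat','cmd','js','vbs','wsf','hta','scr','msi','lnk','iso')
    # Process exclusions skip every file the process opens; interpreters and LOLBins make that global
    $lolbins = @('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe',
                 'rundll32.exe','regsvr32.exe','msbuild.exe','certutil.exe','python.exe','explorer.exe')

    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($type, $value, $reason)
        $findings.Add([pscustomobject]@{ Type = $type; Value = $value; Reason = $reason }) }

    foreach ($p in (@($pref.ExclusionPath) | Where-Object { $_ })) {
        if     ($p -match '^[A-Za-z]:\\?$') { & $add 'Path' $p 'Entire drive excluded' }
        elseif ($p -match '^\\\\')           { & $add 'Path' $p 'UNC path excluded: applies to every file fetched from that share' }
        elseif ($p -match '\*')              { & $add 'Path' $p 'Wildcard path: scope is wider than one application' }
        elseif ($userWritable | Where-Object { $p -like "$_*" }) {
                                               & $add 'Path' $p 'User-writable location excluded' }
    }
    foreach ($e in (@($pref.ExclusionExtension) | Where-Object { $_ })) {
        if ($execExt -contains $e.TrimStart('.').ToLower()) {
            & $add 'Extension' $e 'Executable or script type excluded everywhere on disk' }
    }
    foreach ($proc in (@($pref.ExclusionProcess) | Where-Object { $_ })) {
        $leaf = [System.IO.Path]::GetFileName($proc).ToLower()
        if     ($lolbins -contains $leaf) { & $add 'Process' $proc 'Interpreter/LOLBin excluded: everything it opens is skipped' }
        elseif ($proc -notmatch '\\')     { & $add 'Process' $proc 'Bare file name: matches any file with this name in any folder' }
    }
    return $findings
}

Get-RiskyDefenderExclusions | Format-Table -AutoSize
```

Run it on a sample of devices from each exclusion-scoped group and diff the output against the Intune profile: anything present on the device but absent from the profile is a local exclusion that Disable Local Admin Merge should have blocked.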

Summary

MDE onboarding via Intune works reliably when the EDR profile pulls its package from the Intune connector, is assigned to a device group, and the Sense service is able to run and reach the Defender cloud. The most common failures are a misconfigured or expired connector, a device whose OS lacks the built-in sensor (Windows Server 2012 R2 and 2016 need the modern unified agent installed first and are onboarded outside the Intune-enrolled path), and mistaking Defender AV passive mode next to a third-party AV for a broken EDR. Verify onboarding with the OnboardingState and OrgId registry values or the Defender portal device inventory before calling the deployment done.