Onboarding devices to Microsoft Defender for Endpoint via Intune
Microsoft Defender for Endpoint (MDE) is the right EDR choice for most Microsoft-heavy environments, and Intune is the right deployment method for it when your devices are Entra-joined or hybrid-joined. The catch is that the onboarding package has to be deployed exactly right — wrong profile type, wrong assignment, or a stale onboarding blob all silently fail without a clear error message. This runbook walks through the correct process end to end.
Microsoft Defender for Endpoint Plan 2 is included in Microsoft 365 E5, Microsoft 365 E3 + the M365 E5 Security add-on, or as a standalone MDE P2 license. Defender for Endpoint Plan 1 is included in Microsoft 365 E3. Confirm licensing before starting — onboarded devices with no license enter a limited state and won't show full telemetry.
Prerequisites
- Intune enrolled devices (Entra-joined, hybrid-joined, or co-managed)
- Microsoft Defender for Endpoint license assigned to users
- Global Admin or Security Admin role to access the Microsoft Defender portal
- Intune Administrator role to create and assign profiles
The onboarding package you download from the Defender portal has format options: Intune, SCCM, Local Script, and others. Always download the Intune version. Using the Local Script or SCCM package via an Intune Win32 app works inconsistently and bypasses the proper enrollment path.
Create the onboarding configuration profile
In the Microsoft Intune admin center (intune.microsoft.com):
- Go to Endpoint security > Endpoint detection and response
- Click Create Policy
- Platform: Windows 10, Windows 11, and Windows Server
- Profile: Endpoint detection and response
- Name the policy (e.g., MDE Onboarding — All Devices)
- Under Microsoft Defender for Endpoint client configuration package type, select Auto from connector — this pulls the onboarding blob directly from the MDE tenant connector rather than requiring a manual file upload
Auto from connector is the correct option if you've set up the Intune-to-MDE service-to-service connector (recommended). The connector is configured under Intune > Endpoint security > Microsoft Defender for Endpoint. If the connector isn't set up, use Onboard and upload the onboarding package blob manually — but the connector is worth setting up because it auto-refreshes the package.
Assign the profile
Assign to a device group, not a user group. MDE onboarding is device-level. Create an Entra ID dynamic device group that targets all Windows devices, or assign to All Devices in Intune. Avoid targeting a user group — if the user is signed out or a device is shared, the policy won't apply.
Verify devices are onboarded
After the profile deploys (allow 30–60 minutes), verify onboarding status:
Method 1: Microsoft Defender portal
Go to security.microsoft.com > Settings > Endpoints > Device inventory. Devices that successfully onboarded will appear here within 1–2 hours of onboarding. Filter by onboarding status to see devices that haven't reported in.
Method 2: On the device
Run the following in an elevated PowerShell session on the endpoint (the `#` lines are PowerShell comments, so this block will not run as-is in cmd.exe):

```powershell
# Check whether the MDE sensor service is running.
# Use sc.exe explicitly: in Windows PowerShell, bare "sc" resolves to the Set-Content alias.
sc.exe query sense
# Should show: STATE : 4 RUNNING
# Service name "sense" is the MDE sensor

# Check onboarding state via the registry
reg query "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" /v OnboardingState
# Value 1 = onboarded, Value 0 = not onboarded
```
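The same on-device checks combined into a single report, as an added example that is not part of the runbook: it reads the Sense service state and the OnboardingState value described above, and additionally reports the Defender AV running mode (for the third-party AV conflict in the failure table) and the OS build. `Test-MdeOnboarding` is a name chosen here; `Get-MpComputerStatus` and its `AMRunningMode` property come from the built-in Defender PowerShell module.

```powershell
# Added example: consolidated MDE onboarding check for one endpoint.
# Run in an elevated PowerShell session on the device being verified.
function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{}

    # 1. Sense service (the MDE sensor). Missing entirely usually means an unsupported OS.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseService = if ($null -eq $sense) { 'Missing' } else { $sense.Status.ToString() }

    # 2. OnboardingState: 1 = onboarded, 0 = not onboarded, key absent = never onboarded.
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $result.OnboardingState = if ($status -and $null -ne $status.OnboardingState) {
        [int]$status.OnboardingState
    } else { 'NotSet' }

    # 3. AV running mode. 'Normal' or 'Passive Mode' are fine; 'Not running' or 'EDR Block'
    #    point to another AV product being active (see the failure-mode table).
    try {
        $result.AMRunningMode = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode
    } catch {
        $result.AMRunningMode = 'Unavailable'
    }

    # 4. OS build for the Windows version check (Windows 10 1709 is build 16299).
    $result.OSBuild = [System.Environment]::OSVersion.Version.Build

    # Overall verdict: sensor running AND registry says onboarded.
    $result.Onboarded = ($result.SenseService -eq 'Running' -and $result.OnboardingState -eq 1)
    [pscustomobject]$result
}

Test-MdeOnboarding | Format-List
```

A device that reports Onboarded = True here but is still missing from the Defender portal after two hours is worth checking for network egress problems to the MDE service URLs rather than re-deploying the profile.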
Method 3: Intune profile status
In Intune admin center, navigate to the EDR profile > Device status. Any device showing Error or Conflict needs investigation. Click the device name to see the specific error code.
Common failure modes
| Symptom | Cause | Fix |
|---|---|---|
| Sense service missing entirely | Device is running Windows 10 1709 or earlier — MDE sensor not included | Update Windows to a supported version. MDE requires Windows 10 1709+ minimum. |
| Profile shows Error in Intune, no onboarding | Intune-MDE connector not configured or expired | Re-authorize the connector at Intune > Endpoint security > Microsoft Defender for Endpoint |
| Device appears in Defender portal but shows Inactive | Sensor stopped or device hasn't checked in for 7+ days | Restart the Sense service: net stop sense && net start sense |
| Onboarded but no alerts generating | Policy conflict — another AV solution is still active and blocking MDE | Ensure Windows Defender is the active AV. Remove third-party AV or configure MDE in passive mode. |
| Server 2016 not onboarding | Server 2016 requires the MMA-based sensor, not the unified agent | Use the legacy onboarding package for Server 2016. Unified agent requires Server 2019+. |
Configuring exclusions via Intune
Application-specific exclusions (for LOB apps, backup agents, monitoring tools that generate false positives) should be deployed via Intune, not configured locally on endpoints. Local exclusions don't survive a device wipe or re-enrollment.
In Intune: Endpoint security > Antivirus > Create Policy > Windows > Microsoft Defender Antivirus. The Defender AV profile includes exclusion path, extension, and process settings. Scope these policies to specific device groups — don't apply broad exclusions to all devices.
Every exclusion is a blind spot. Document the business justification for each exclusion, limit scope to the devices that need it, and review exclusions quarterly. Attackers specifically target known exclusion paths.
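To support the quarterly review, here is an added example (not from the runbook) that dumps the Defender AV exclusions currently effective on an endpoint and flags the ones that deserve the closest look: wildcard paths, paths under user-writable directories, and excluded extensions that are executable. `Get-RiskyDefenderExclusions` is a name chosen here, and the user-writable directory list and executable extension list are constructed for the example; `Get-MpPreference` is the built-in Defender cmdlet.

```powershell
# Added example: audit local Defender AV exclusions and flag risky ones.
# Run elevated; non-admin sessions may see empty exclusion lists.
function Get-RiskyDefenderExclusions {
    # Constructed list of locations a standard user can write to (extend for your environment).
    $userWritable = @('C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\', 'C:\Temp\')
    # Constructed list of extensions that should almost never be excluded from scanning.
    $executableExt = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'js', 'vbs', 'scr')

    $pref = Get-MpPreference

    foreach ($path in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $reasons = @()
        if ($path -match '\*') { $reasons += 'wildcard' }
        foreach ($prefix in $userWritable) {
            if ($path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "user-writable ($prefix)"
            }
        }
        $risk = if ($reasons.Count -gt 0) { $reasons -join ', ' } else { 'review' }
        [pscustomobject]@{ Type = 'Path'; Value = $path; Risk = $risk }
    }

    foreach ($ext in @($pref.ExclusionExtension)) {
        if ([string]::IsNullOrWhiteSpace($ext)) { continue }
        $risk = if ($ext.TrimStart('.').ToLower() -in $executableExt) { 'executable type' } else { 'review' }
        [pscustomobject]@{ Type = 'Extension'; Value = $ext; Risk = $risk }
    }

    foreach ($proc in @($pref.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($proc)) { continue }
        # A process exclusion skips everything that process touches, so a wildcard here is broad.
        $risk = if ($proc -match '\*') { 'wildcard process' } else { 'review' }
        [pscustomobject]@{ Type = 'Process'; Value = $proc; Risk = $risk }
    }
}

Get-RiskyDefenderExclusions | Sort-Object Type, Value | Format-Table -AutoSize
```

Compare the output against the exclusions defined in the Intune Antivirus profile: anything present locally but absent from Intune was set on the endpoint and will not survive a wipe or re-enrollment.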
Summary
MDE onboarding via Intune works reliably when the EDR profile uses the Intune connector, is assigned to a device group, and the Sense service is able to run. The most common failures are a misconfigured or expired connector, a conflicting third-party AV product, and Server 2016 being treated like a modern Windows release when it needs the legacy onboarding path. Verify onboarding with reg query or the Defender portal device inventory before calling the deployment done.