3.0 Defender for Endpoint(MDE): Onboard Unmanaged Windows 10/11

This is the continuation post of the MDE series. How you onboard a device to Microsoft Defender for Endpoint (MDE) depends on your infrastructure and on how the endpoints (laptops, mobile devices, and even servers) are managed. We will start with laptops running Windows 10 and Windows 11, and cover other device types and operating systems in later posts.

If you are an enterprise, your devices are probably managed by a device management solution such as Microsoft Intune. If you are a small organization, there is a good chance your devices are unmanaged. An unmanaged device is one where patch management, application management, and similar tasks are not centralized and are done by hand on each machine.

Let's start by onboarding unmanaged Windows devices to Microsoft Defender for Endpoint. For this case MDE provides an onboarding script that must be run locally, with administrator rights, on each unmanaged device.

Photo source: MS Docs

Unmanaged Device

Log in to security.microsoft.com, go to the Assets section, and click Devices. No devices are onboarded yet. Let's onboard the first unmanaged device.

Defender for Endpoint portal

We need to run the onboarding script locally on the device. To get the script, log in to security.microsoft.com and open Settings -> Endpoints.

Click Onboarding, select Windows 10 and 11 as the operating system, choose Local Script as the deployment method, and click Download onboarding package. Two caveats: the local script is intended for evaluation and small numbers of devices (the portal labels it as suitable for up to 10), so larger fleets should use Intune, Group Policy, or Configuration Manager instead; and the package embeds onboarding information specific to your tenant, so keep it within your organization rather than posting it anywhere public.

Log in to the target (unmanaged) device and follow the steps below. The machine used in this lab is named Win10-Unmanaged.

  1. Copy the downloaded onboarding package (a .zip file) to the device.
  2. Extract the zip file.
  3. Open Command Prompt as administrator (the script writes machine-wide settings under HKLM and will fail without elevation) and change into the extracted folder.
  4. Run WindowsDefenderATPLocalOnboardingScript.cmd and press Y when prompted.
  5. Confirm that the script prints "Successfully onboarded machine to Microsoft Defender for Endpoint".
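The same five steps as one PowerShell script, so the procedure can be repeated on several unmanaged machines without typing it each time. This is an added example, not part of the original post or of Microsoft's onboarding package. The package path, the working directory, and the exact zip file name are assumptions; the confirmation answer is fed on standard input, which assumes the script reads its Y/N prompt from stdin as a `set /p` prompt does. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: run the MDE local onboarding package unattended and clean up afterwards.
# Assumptions (adjust to your environment):
$Package    = "$env:USERPROFILE\Downloads\WindowsDefenderATPOnboardingPackage.zip"  # assumed download location/name
$WorkDir    = Join-Path $env:ProgramData 'MdeOnboarding'                             # assumed scratch folder
$ScriptName = 'WindowsDefenderATPLocalOnboardingScript.cmd'

if (-not (Test-Path -Path $Package)) {
    throw "Onboarding package not found: $Package"
}

# Steps 1-2: stage and extract the package.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Expand-Archive -Path $Package -DestinationPath $WorkDir -Force

$OnboardScript = Join-Path $WorkDir $ScriptName
if (-not (Test-Path -Path $OnboardScript)) {
    throw "$ScriptName was not found inside the package"
}

try {
    # Steps 3-4: run the script from an elevated shell and answer Y to its prompt.
    # Assumption: the prompt reads from standard input, so piping 'Y' satisfies it.
    $Output = & cmd.exe /c "echo Y| `"$OnboardScript`"" 2>&1
    $Output | ForEach-Object { Write-Host $_ }

    # Step 5: check for the success message rather than trusting the exit code alone.
    if (($Output -join "`n") -match 'Successfully onboarded machine') {
        Write-Host 'Onboarding script reported success.' -ForegroundColor Green
    } else {
        Write-Error 'Onboarding script did not report success; review the output above.'
    }
}
finally {
    # The extracted script contains tenant-specific onboarding data; do not leave it lying around.
    Remove-Item -Path $WorkDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

The cleanup in the `finally` block is the part worth keeping even if you run the steps by hand: the extracted folder carries your organization's onboarding information, and there is no reason for it to stay on an end-user machine after the registry settings have been written.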

After a few minutes, log in to security.microsoft.com, go to the Assets section, and click Devices. The device now appears in the MDE portal. If it does not show up, verify onboarding on the device itself before assuming a portal delay: the Sense service (the MDE sensor) should be running and the onboarding state recorded in the registry should be set.
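A local check that can be run on the device while waiting for it to appear in the portal. This is an added example, not code from the original post or from Microsoft. It reads the MDE status registry key (`OnboardingState` is 1 once onboarding has succeeded), confirms the Sense and DiagTrack services are up, and pulls the most recent entries from the SENSE operational event log; the `Test-MdeOnboarding` function name and the shape of its output are my own.

```powershell
# Added example: local verification of MDE onboarding on a Windows 10/11 device.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $Result    = [ordered]@{}

    # OnboardingState = 1 means the sensor has accepted the onboarding parameters.
    $Status = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
    $Result.OnboardingState = if ($null -ne $Status) { $Status.OnboardingState } else { $null }
    $Result.OrgId           = if ($null -ne $Status) { $Status.OrgId }           else { $null }

    # Sense is the MDE sensor; DiagTrack (Connected User Experiences and Telemetry)
    # must also be running for the sensor to report.
    foreach ($Name in 'Sense', 'DiagTrack') {
        $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        $Result[$Name] = if ($null -ne $Svc) { "$($Svc.Status) / $($Svc.StartType)" } else { 'not installed' }
    }

    # Latest sensor events help explain a device that never appears in the portal.
    $Result.RecentSenseEvents = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    $Result.Onboarded = ($Result.OnboardingState -eq 1) -and
                        ($null -ne (Get-Service -Name Sense -ErrorAction SilentlyContinue)) -and
                        ((Get-Service -Name Sense -ErrorAction SilentlyContinue).Status -eq 'Running')

    [pscustomobject]$Result
}

$Check = Test-MdeOnboarding
$Check | Format-List
if (-not $Check.Onboarded) {
    Write-Warning 'Device is not fully onboarded; check the registry state, services and SENSE events above.'
}
```

If the registry state is 1 and Sense is running but the device still never appears, the problem is usually outbound connectivity to the MDE service URLs; Microsoft's MDE Client Analyzer tool is the supported way to test that path from the device.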

The device is now onboarded to Microsoft Defender for Endpoint. In future posts we will cover what to do once devices are onboarded.