How to get Windows 10 onboarded with Windows Defender ATP – Intune (MDM) – Mobile-First Cloud-First

With the release of windows 10 anniversary update the client site of Windows Defender Advanced Threat Protection (WDATP) will be integrated.

To read more about Windows Defender Advanced Threat Protection (WDATP) take a look here: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

This blog post is not how the WDATP is working but how to get a Windows 10 onboarded with the help of Intune MDM policy.

First of all it requires some basic understanding about how the CSP is working.

Here is a the layout of the configuration service provider  (CSP) settings for WDATP – more info at https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx

Intune and Windows 10 both native supports CSP.

To setup the Onboarding first download the configuration file from WDATP.

In the menu go to Endpoint Management

Choose Mobile Device Management and download the packages

The file will be downloaded as a .zip file – extract the file and you get

The content of this file is what connects your Windows 10 devices to the WDATP tenant.

Now for the Intune part of the onboarding process.

In the Intune Console

Go to Policy -> Configuration Policy -> Add…

Create a Custom Configuration (Windows 10 Desktop and Mobile and later) policy

  1. Enter a name for the policy
  2. Enter a description
  3. Click Add.. to create the CSP setting

Now you need to enter all the setting for the Onboarding CSP

  1. Settings name: Onboarding (I always use the setting name)
  2. Settings description (I always use the OMA-URL)
  3. Data type : String (It is very important to use the correct data type otherwise the policy will fail)
  4. OMA-URI :  ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
  5. Value : use the content from the previous downloaded WindowsDefenderATP.onboarding file
  6. Click : ok

Click Save Policy

Click yes to deploy the policy

Find a device group to deploy the policy to (when dealing with CSP policy that starts with ./Device/ always deploy it to devices, and if it starts with ./User/ deploy it to a group of users)

Now you can manual sync the Windows with Intune to onboard the device to WDATP – or just wait to the next sync cycle.

The you can see in the WDATP console that the devices is coming into the Machine View

Related Posts