

Onboard Windows devices into Microsoft 365 overview

Applies to:

Endpoint data loss prevention (Endpoint DLP) and insider risk management require that Windows 10 and Windows 11 devices be onboarded into the service so that they can send monitoring data to those services.

Endpoint DLP allows you to monitor Windows 10 or Windows 11 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they're used and protected properly, and to help prevent risky behavior that might compromise them. For more information about all of Microsoft’s DLP offerings, see Learn about data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention.

Endpoint DLP also allows you to onboard devices running the following versions of Windows Server: Windows Server 2019 (version 1809 and later) and Windows Server 2022 (version 21H2 and later).

Note

Installing the supported Windows Server KBs disables the Classification feature on the server. This means that Endpoint DLP won't classify files on the server. However, Endpoint DLP will still protect those files on the server that were classified before those KBs were installed. To ensure this protection, install Microsoft Defender version 4.18.23100 (October 2023) or later.

By default, Endpoint DLP isn't enabled for Windows servers when they're initially onboarded. Before you can see Endpoint DLP events for your servers in Activity Explorer, you must first turn on Endpoint DLP support for onboarded servers.

Once properly configured, the same data loss prevention (DLP) policies can be automatically applied to both Windows PCs and Windows servers.

Insider risk management uses the full breadth of service and third-party indicators to help you quickly identify, triage, and act on risky user activity. By using logs from Microsoft 365 and Microsoft Graph, insider risk management allows you to define specific policies to identify risk indicators and to take action to mitigate these risks. For more information, see Learn about insider risk management.

Device onboarding is shared across Microsoft 365 and Microsoft Defender for Endpoint (MDE). If you've already onboarded devices to MDE, they appear in the managed devices list and no further steps are necessary to onboard those specific devices. Onboarding devices in the Microsoft Purview portal also onboards them into MDE.

Before you begin

SKU/subscriptions licensing

For information on licensing, see

Permissions

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should only be used in scenarios where a lesser privileged role can't be used.

To enable device management, the account you use must be a member of any one of these roles:

  • Security admin
  • Compliance admin
  • Global admin

If you want to use a custom account to view the device management settings, it must be in one of these roles:

  • Compliance admin
  • Compliance data admin
  • Global reader
  • Security admin
  • Global admin

If you want to use a custom account to access the onboarding/offboarding page, it must be in one of these roles:

  • Compliance admin
  • Security admin
  • Global admin

If you want to use a custom account to turn on/off device monitoring, it must be in one of these roles:

  • Compliance admin
  • Security admin
  • Global admin

Prepare your Windows devices

Make sure that the Windows devices that you need to onboard meet these requirements.

  1. Must be running one of the following builds of Windows or Windows Server:

    1. Windows (X64):

      1. Windows 11 24H2 (See update details)
      2. Windows 11 23H2 (See update details)
      3. Windows 11 22H2 update (See update details)
      4. Windows 11 21H2 (See update details)
      5. Windows 10 22H2 update (See update details)
    2. Windows (ARM64):

      1. Windows 11 24H2 (See update details)
      2. Windows 11 23H2 (See update details)
      3. Windows 11 22H2 update (See update details)
      4. Windows 11 21H2 (See update details)
    3. Windows Server 2019 OS: 1809 onwards or Windows Server 2022 OS: 21H2 onwards.

    4. Anti-malware Client Version is 4.18.2110 or newer. To check your current version, open the Windows Security app, select the Settings icon, and then select About. The version number is listed under Anti-malware Client Version. Update to the latest anti-malware Client Version by installing Windows Update KB4052623. For more information, see: Microsoft Defender Antivirus in Windows. After a new anti-malware Client version or a new anti-malware Engine version is released, versions older than N-2 are no longer supported.

    Important

    No other Windows Security components need to be active, but Microsoft Defender Antivirus Real-time protection and Behavior monitoring must be enabled.

  2. All devices must be one of these:

  3. A supported version of Microsoft 365 Apps is installed and up to date. For the most robust protection and user experience, ensure Microsoft 365 Apps version 16.0.14701.0 or later is installed.


  4. If you have endpoints that use a device proxy to connect to the internet, follow the procedures in Configure device proxy and internet connection settings for Information Protection.

    Important

    Make sure you allow MpDlpService.exe through your firewall, third-party antivirus software, or application control.

  5. Here are the prerequisites for each feature.

    • Add hyperlink support in warn and block toast messages (Roadmap ID 480733): Anti-malware Client Version 4.18.25010 or newer.
    • IP or IP address ranges support within Sensitive service domain groups (Roadmap ID 479759): Anti-malware Client Version 4.18.25010 or newer.
    • Allow and Off modes in the policy (Roadmap ID 481356): Anti-malware Client Version 4.18.25010 or newer.
    • Device and Device group-based policy scoping support for Endpoint DLP (Roadmap ID 480732): Windows 10, Windows 11 22H2, Windows 11 23H2, or Windows 11 24H2 with the required update (see update details for each version).
    • Full file evidence support for restricted apps (Roadmap ID 479757): Anti-malware Client Version 4.18.25020 or newer.
    • Pause and Resume support for printer (Roadmap ID 486369): Anti-malware Client Version 4.18.25030 or newer.
    • Increase file type coverage to 100+ (Roadmap ID 416481): Windows 10, Windows 11 22H2, Windows 11 23H2, or Windows 11 24H2 with the required update (see update details for each version).
    • Endpoint DLP support for Teams: Anti-malware Client Version 4.18.25050 or newer.
    • Advanced label-based protection for all files on devices (Roadmap ID 487859): Information protection client version 3.1.309 or newer; Anti-malware Client Version 4.18.25050 or newer; Windows 10, Windows 11 22H2, Windows 11 23H2, or Windows 11 24H2 with the required update (see update details for each version).
    • Network share/Removable media/Printer group support on Edge (Roadmap ID 486370): Microsoft Edge 137 or newer; Anti-malware Client Version 4.18.25050 or newer.
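The prerequisites above are all checkable locally before you push an onboarding package. The following script is an added example and is not code from this page or from Microsoft; it audits one device against the page's stated thresholds (anti-malware client 4.18.2110, Microsoft 365 Apps 16.0.14701.0, Real-time protection and Behavior monitoring on, MpDlpService.exe not blocked by Windows Firewall). The OS build-number mapping, the Get-MpComputerStatus property names, and the Click-to-Run registry path come from general Windows knowledge rather than from the page and should be treated as assumptions to confirm in your environment. Run it in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft Learn page): audit a Windows device against the
# Endpoint DLP onboarding prerequisites. Thresholds are the page's; build numbers,
# cmdlet property names and registry paths are assumptions from general Windows knowledge.

$MinAmClient    = [version]'4.18.2110'     # page: anti-malware Client Version 4.18.2110 or newer
$MinOfficeBuild = [version]'16.0.14701.0'  # page: Microsoft 365 Apps 16.0.14701.0 or later

# Build numbers for the OS versions the page lists (assumed mapping, not stated on the page).
$SupportedBuilds = @{
    19045 = 'Windows 10 22H2'
    22000 = 'Windows 11 21H2'
    22621 = 'Windows 11 22H2'
    22631 = 'Windows 11 23H2'
    26100 = 'Windows 11 24H2'
    17763 = 'Windows Server 2019 (1809)'
    20348 = 'Windows Server 2022 (21H2)'
}

$checks = [ordered]@{}

# 1. OS version and architecture. The page lists Windows 10 22H2 for x64 only, so an
#    ARM64 Windows 10 device does not qualify even though its build number matches.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$arch  = $env:PROCESSOR_ARCHITECTURE
$osOk  = $SupportedBuilds.ContainsKey($build) -and -not ($arch -eq 'ARM64' -and $build -eq 19045)
$checks["OS supported ($($os.Caption.Trim()) build $build, $arch)"] = $osOk

# 2. Microsoft Defender Antivirus: platform ("anti-malware client") version and the two
#    features the page says must stay enabled. AMProductVersion is the platform version
#    shown as "Antimalware Client Version" in the Windows Security About page.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $checks["Anti-malware client $($mp.AMProductVersion) >= $MinAmClient"] =
        [version]$mp.AMProductVersion -ge $MinAmClient
    $checks['Real-time protection enabled'] = [bool]$mp.RealTimeProtectionEnabled
    $checks['Behavior monitoring enabled']  = [bool]$mp.BehaviorMonitorEnabled
} catch {
    $checks['Microsoft Defender Antivirus queryable'] = $false
}

# 3. MpDlpService.exe must not be blocked by Windows Firewall: look for an enabled Block
#    rule whose application filter points at that executable.
$dlpBlockRules = Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like '*MpDlpService.exe' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }
$checks['No firewall Block rule for MpDlpService.exe'] = ($dlpBlockRules | Measure-Object).Count -eq 0

# 4. Microsoft 365 Apps (Click-to-Run) build, read from the registry value the installer writes.
$c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r -and $c2r.VersionToReport) {
    $checks["Microsoft 365 Apps $($c2r.VersionToReport) >= $MinOfficeBuild"] =
        [version]$c2r.VersionToReport -ge $MinOfficeBuild
} else {
    $checks['Microsoft 365 Apps installed'] = $false
}

# 5. Report. The exit code is the number of failed checks, so the script can gate a deployment.
$failed = 0
foreach ($entry in $checks.GetEnumerator()) {
    $state = if ($entry.Value) { 'PASS' } else { $failed++; 'FAIL' }
    '{0,-4} {1}' -f $state, $entry.Key
}
exit $failed
```

Third-party antivirus and application-control exclusions for MpDlpService.exe, which the page also calls for, depend on the product in use and are not covered by the firewall check above.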

Onboarding Windows 10 or Windows 11 devices

You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft Purview portal.

When you want to onboard devices that haven't been onboarded yet, you download the appropriate script and deploy it to those devices. Follow the device onboarding procedures below.

If you already have devices onboarded into Microsoft Defender for Endpoint, they'll already appear in the managed devices list.

In this deployment scenario, you onboard Windows 10 or Windows 11 devices that haven't been onboarded yet.

  1. Open the Microsoft Purview portal. Choose Settings > Device onboarding > Devices.

    Note

    If you have previously deployed Microsoft Defender for Endpoint, all the devices that were onboarded during that process will be listed in the Devices list. There's no need to onboard them again. While it usually takes about 60 seconds for device onboarding to be enabled, allow up to 30 minutes before engaging with Microsoft support.

  2. Choose Turn on device onboarding.

  3. Choose Onboarding to begin the onboarding process.

  4. Choose the way you want to deploy to these other devices from the Deployment method list, and then choose Download package.

  5. Choose the appropriate procedure to follow from the table below:

    Article Description
    Intune Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on devices.
    Configuration Manager You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
    Group Policy Use Group Policy to deploy the configuration package on devices.
    Local script Learn how to use the local script to deploy the configuration package on endpoints.
    Virtual desktop infrastructure (VDI) devices Learn how to use the configuration package to configure VDI devices.
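Whichever deployment method you pick, the result on the device is the same, and because onboarding is shared with Microsoft Defender for Endpoint it can be confirmed locally before the portal catches up. The script below is an added example, not code from this page or from Microsoft: run it in an elevated session on a device after the package has been deployed (or on a device that was already onboarded to MDE, where the same checks should already pass). The Sense service name, the Microsoft-Windows-SENSE/Operational event log, and the OnboardingState registry value are Defender for Endpoint internals known from general experience, not stated on the page, so treat them as assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft Learn page): confirm on the device itself that the
# shared MDE/Purview onboarding took effect. Service, log and registry names are assumptions
# from general Defender for Endpoint knowledge.

$atpStatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$checks = [ordered]@{}

# 1. Onboarding flag written by the onboarding package: 1 means the device is onboarded.
$status = Get-ItemProperty -Path $atpStatusKey -ErrorAction SilentlyContinue
$checks['OnboardingState = 1'] = [bool]($status -and $status.OnboardingState -eq 1)

# 2. The sensor service whose heartbeat the Devices list in the portal relies on.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$checks['Sense service running'] = [bool]($sense -and $sense.Status -eq 'Running')

# 3. The DLP agent process the page says must be allowed through firewall, AV and app control.
$dlp = Get-Process -Name MpDlpService -ErrorAction SilentlyContinue
$checks['MpDlpService.exe running'] = [bool]$dlp

# 4. Report, with a non-zero exit code when anything failed.
$failed = 0
foreach ($entry in $checks.GetEnumerator()) {
    $state = if ($entry.Value) { 'PASS' } else { $failed++; 'FAIL' }
    '{0,-4} {1}' -f $state, $entry.Key
}

# 5. Recent sensor events, useful when the device appears in the portal but shows no heartbeat.
Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

exit $failed
```

If the local checks pass but the device is still missing from the Devices list, keep in mind the page's guidance: onboarding is usually enabled within about 60 seconds, but allow up to 30 minutes before involving Microsoft support.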

Check device status

After you've onboarded your devices, you can check the status of the devices in the Devices list. Check the Configuration status first. Configuration status shows you whether the device is configured correctly, is sending a heartbeat signal to Purview, and the last time the configuration was validated. For Windows devices, configuration includes checking the status of Microsoft Defender Antivirus always-on protection and behavior monitoring.

If there aren't any DLP policies scoped to the Devices location, you won't see valid information in the Policy sync status field.

Note

Onboarded devices will continue to appear for 180 days after the device is offline.

For information on how to troubleshoot device Configuration status and Policy sync status issues, see: Troubleshooting endpoint data loss prevention configuration and policy sync

See also