Onboard Windows 10 and Windows 11 devices using Microsoft Configuration Manager

Applies to:

Onboard devices using Configuration Manager

  1. Get the configuration package .zip file (DeviceComplianceOnboardingPackage.zip) from the Microsoft Purview compliance portal.

  2. In the navigation pane, select Settings > Device Onboarding > Onboarding.

  3. In the Deployment method field, select Microsoft Configuration Manager.

  4. Select Download package, and save the .zip file.

  5. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named DeviceCompliance.onboarding.

  6. Deploy the package by following the steps in the Packages and programs - Configuration Manager article.

  7. Choose a predefined device collection to deploy the package to.

Note

Microsoft 365 information protection doesn't support onboarding during the Out-Of-Box Experience (OOBE) phase. Make sure users complete OOBE after running Windows installation or upgrading.

Tip

It is possible to create a detection rule on a Configuration Manager application to continuously check whether a device has been onboarded. An application is a different type of object than a package and program. If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will keep retrying the onboarding until the rule detects the status change.

This behavior can be accomplished by creating a detection rule that checks whether the OnboardingState registry value (of type REG_DWORD) equals 1. This registry value is located under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.

For more information, see Deployment type Detection Method options.

Configure sample collection settings

For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.

Note

These configuration settings are typically done through Configuration Manager.

You can set a compliance rule for a configuration item in Configuration Manager to change the sample sharing setting on a device.

This rule should be a remediating compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they're compliant.

The configuration is set through the following registry key entry:

Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
Name: "AllowSampleCollection"
Value: 0 or 1

Where:

Key type is a DWORD.

Possible values are:

  • 0 - doesn't allow sample sharing from this device
  • 1 - allows sharing of all file types from this device

The default value, in case the registry key doesn't exist, is 1. For more information on creating the configuration item in Configuration Manager, see Create custom configuration items for Windows desktop and server computers managed with the Configuration Manager client.
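As an added example (not from the Microsoft article), the discovery and remediation logic of the remediating configuration item described above, written as PowerShell so the 1-when-absent default is explicit; the function names are the editor's own, and the discovery and remediation scripts in Configuration Manager would each end with the corresponding call shown at the bottom.

```powershell
# Added example, not part of the Microsoft article. Requires elevation: the
# Policies hive is writable only by administrators (and SYSTEM, which is the
# account the Configuration Manager client runs scripts under).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$ValueName  = 'AllowSampleCollection'

function Get-SampleCollectionState {
    # Effective value of AllowSampleCollection. The article states that a
    # missing key or value means 1 (sharing allowed), so report that explicitly
    # rather than returning $null and leaving the compliance rule to guess.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.$ValueName
}

function Set-SampleCollectionState {
    # Remediation: write the desired value as REG_DWORD (the documented type),
    # creating the key when it does not exist yet.
    param([ValidateSet(0, 1)][int]$Desired)
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -Value $Desired `
        -PropertyType DWord -Force | Out-Null
}

# Discovery script body: emit the current state for the compliance rule
# ("value returned by the script equals 0" to require sharing to be off).
Get-SampleCollectionState

# Remediation script body (runs only when the rule reports non-compliance).
# Choose 0 to block sample sharing from the device, 1 to allow it.
Set-SampleCollectionState -Desired 0
```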

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.

After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.

Next generation protection configuration

The following configuration settings are recommended:

Scan

  • Scan removable storage devices such as USB drives: Yes

Real-time Protection

  • Enable Behavioral Monitoring: Yes
  • Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes

Cloud Protection Service

  • Cloud Protection Service membership type: Advanced membership

Attack surface reduction

Configure all available rules to Audit.

Note

Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.

Network protection

Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the support page.

Controlled folder access

Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories.

For more information, see Evaluate controlled folder access.

Offboard devices using Configuration Manager

For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the package's expiry date, and it will also be included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.

Offboard devices using Microsoft Configuration Manager current branch

If you use Microsoft Configuration Manager current branch, see Create an offboarding configuration file.

Monitor device configuration

With Microsoft Configuration Manager current branch, use the built-in Microsoft Defender for Endpoint dashboard in the Configuration Manager console. For more information, see Microsoft Defender Advanced Threat Protection - Monitor.

Check that the devices are compliant with the Endpoint data loss prevention service

You can set a compliance rule for a configuration item in Configuration Manager to monitor your deployment.

Note

This procedure and registry entry applies to Endpoint DLP as well as Defender for Endpoint.

This rule should be a non-remediating compliance rule configuration item that monitors the value of a registry key on targeted devices.

Monitor the following registry key entry:

Path: "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
Name: "OnboardingState"
Value: "1"
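As an added example (not from the Microsoft article), a PowerShell script that reads the OnboardingState value above and serves both uses the article describes: the non-remediating compliance check here and the application detection rule from the earlier Tip. It follows Configuration Manager's documented contract for script-based detection (exit code 0 plus any STDOUT output means "detected"; exit code 0 with no output means "not detected"); the function names are the editor's own.

```powershell
# Added example, not part of the Microsoft article.
$StatusPath = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$ValueName  = 'OnboardingState'

function Get-OnboardingState {
    # Raw REG_DWORD value, or $null when the Status key or the value is absent
    # (the device has not reported any onboarding state yet).
    $item = Get-ItemProperty -Path $StatusPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-Onboarded {
    # The article's condition: OnboardingState equals 1.
    return ((Get-OnboardingState) -eq 1)
}

# Compliance-item discovery script body: return the raw value so the
# non-remediating rule can compare it against "1" and report drift.
# Get-OnboardingState

# Application detection script body: write to STDOUT only when onboarded, so
# Configuration Manager keeps retrying the deployment until the value flips.
if (Test-Onboarded) {
    Write-Output 'Onboarded'
}
exit 0
```

Use only one of the two bodies per script: a detection script that always prints something would mark every device as detected and stop the retries the Tip relies on.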

For more information, see Plan for and configure compliance settings.