You need to enroll a Windows 11 PC in Microsoft Defender for Endpoint, but the setup process is not immediately obvious. Microsoft Defender for Endpoint is a security service that detects, investigates, and responds to advanced threats across your network. This article explains the prerequisites, the exact steps to enroll a single device using the local script method, and what to do if enrollment fails.
Key Takeaways: Enrolling a Windows 11 PC in Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint onboarding script: Downloads and runs a PowerShell script that registers the device with your tenant and applies the correct policies.
- Settings > Privacy & Security > Windows Security > Virus & threat protection: Shows the Defender for Endpoint status after enrollment; verify the device appears as “Active” in the Microsoft 365 Defender portal.
- Microsoft 365 Defender portal (security.microsoft.com): The central console where you can see enrolled devices, view alerts, and manage security configurations.
What Is Microsoft Defender for Endpoint Enrollment?
Microsoft Defender for Endpoint is an enterprise-grade endpoint security platform built into Windows 11 and Windows 10. Enrollment registers a device with your organization’s Defender for Endpoint tenant, enabling real-time threat detection, automated investigation, and remediation. The enrollment process applies a set of security policies and connects the device to the cloud-based Defender for Endpoint service.
Before you begin, confirm the following prerequisites:
- The Windows 11 PC must be running Windows 11 Pro, Enterprise, or Education edition. Home edition does not support Defender for Endpoint.
- You need a Microsoft 365 E5, E5 Security, or standalone Defender for Endpoint license assigned to the user.
- The device must have internet access to reach the Defender for Endpoint cloud service.
- You must have local administrator privileges on the Windows 11 PC.
- You need access to the Microsoft 365 Defender portal at security.microsoft.com with the Global Administrator or Security Administrator role.
There are multiple enrollment methods: Group Policy, Microsoft Configuration Manager, Intune, and a local script. This article covers the local script method, which is best for testing a single device or enrolling a device not managed by a centralized management system.
Steps to Enroll a Windows 11 PC Using the Local Script
The enrollment process uses a PowerShell script that you download from the Microsoft 365 Defender portal. Follow these steps exactly. If you skip a step, the enrollment will fail silently.
1. Sign in to the Microsoft 365 Defender portal. Open a web browser and go to security.microsoft.com. Sign in with an account that has the Security Administrator or Global Administrator role. If you see a prompt to accept permissions, click Accept.
2. Navigate to Device management. In the left navigation pane, expand Endpoints if needed, then select Device management. Under the Onboarding tab, you will see a list of supported operating systems. Click Windows 10 and 11.
3. Select the onboarding package. In the Deployment method dropdown, choose Local script (for up to 10 devices). Click Download onboarding package. A .zip file named WindowsDefenderATPOnboardingPackage.zip downloads to your computer.
4. Extract the onboarding script. Right-click the downloaded .zip file and select Extract All. Choose a destination folder, such as Desktop. Inside the extracted folder, you will see a file named WindowsDefenderATPOnboardingScript.cmd.
5. Run the onboarding script as Administrator. Right-click the WindowsDefenderATPOnboardingScript.cmd file and select Run as administrator. If Windows prompts you with a User Account Control dialog, click Yes. A command prompt window opens and runs the script. The script completes in about 10 to 30 seconds. You will see a message stating Onboarding successful.
6. Verify enrollment in the portal. Return to the Microsoft 365 Defender portal. In the left navigation, go to Endpoints > Device inventory. Refresh the page. Your Windows 11 PC should appear in the list with a status of Active. It may take up to 5 minutes for the device to appear.
7. Verify enrollment on the local device. On the Windows 11 PC, open Settings > Privacy & Security > Windows Security > Virus & threat protection. Under the Microsoft Defender for Endpoint section, you should see a message that says Your device is managed by your organization and shows the tenant name.
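The following PowerShell wrapper is an added example, not code from the original article or from Microsoft. It checks the prerequisites listed above (supported edition, the Defender for Endpoint client service present, outbound HTTPS reachability, script present), runs the extracted onboarding script from an already elevated session, and then waits for the local onboarding marker instead of relying only on the console message. The extraction folder name under Desktop is an assumption; adjust `$PackageDir` to wherever you extracted the package. The onboarding .cmd asks you to confirm with Y before it onboards, so answer that prompt in the same window.

```powershell
# Added example (not from the article or from Microsoft): prerequisite checks,
# onboarding script launch, and a local verification loop.
# Assumption: the package was extracted to Desktop\WindowsDefenderATPOnboardingPackage.
#Requires -RunAsAdministrator

$PackageDir = Join-Path $env:USERPROFILE 'Desktop\WindowsDefenderATPOnboardingPackage'
$ScriptPath = Join-Path $PackageDir 'WindowsDefenderATPOnboardingScript.cmd'
# The onboarding script records its result under this key; OnboardingState = 1 means onboarded.
$StatusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Test-MdePrerequisites {
    # Home edition reports as "Core" / "CoreSingleLanguage" and is not supported.
    $edition = (Get-WindowsEdition -Online).Edition
    if ($edition -like 'Core*') {
        throw "Edition '$edition' (Home) does not support Defender for Endpoint."
    }
    # "Sense" is the Windows Defender Advanced Threat Protection Service, the Defender for Endpoint client.
    if (-not (Get-Service -Name Sense -ErrorAction SilentlyContinue)) {
        throw 'The Sense service is not present on this device.'
    }
    # Cloud reachability check against the portal host named in the article.
    if (-not (Test-NetConnection -ComputerName 'security.microsoft.com' -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
        throw 'No outbound HTTPS connectivity; check proxy and firewall settings first.'
    }
    if (-not (Test-Path $ScriptPath)) {
        throw "Onboarding script not found at $ScriptPath; extract the package first."
    }
}

function Get-MdeOnboardingState {
    # Returns 1 when onboarded, 0 when not, and $null if the script has never run here.
    (Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
}

function Invoke-MdeOnboarding {
    Test-MdePrerequisites
    # -NoNewWindow keeps the script's Y/N confirmation prompt in this console.
    $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$ScriptPath`"" -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "Onboarding script exited with code $($proc.ExitCode)."
    }
    # The script can return before the Sense service finishes registering, so poll for up to 60 seconds.
    $deadline = (Get-Date).AddSeconds(60)
    do {
        if ((Get-MdeOnboardingState) -eq 1) {
            return [pscustomobject]@{
                OnboardingState = 1
                SenseStatus     = (Get-Service -Name Sense).Status
                CheckedAt       = Get-Date
            }
        }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw 'OnboardingState is still not 1 after 60 seconds; see the troubleshooting section.'
}

Invoke-MdeOnboarding | Format-List
```

Run it from an elevated PowerShell window on the Windows 11 PC. A returned object with OnboardingState 1 and SenseStatus Running corresponds to step 7 above; the portal (step 6) can still lag by a few minutes behind the local state.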
Alternative: Enroll Using Group Policy
If you manage multiple devices in an Active Directory domain, you can use Group Policy to deploy the onboarding script. Download the onboarding package as described above, but choose Group Policy as the deployment method. Copy the script to a network share and configure a Group Policy Object to run the script at computer startup. This method requires Active Directory and Group Policy Management Console knowledge.
Alternative: Enroll Using Microsoft Intune
For devices managed by Microsoft Intune, you can create a configuration profile that enrolls devices automatically. In the Intune admin center, go to Endpoint security > Microsoft Defender for Endpoint and create a profile for Windows 10 and later. Set the Microsoft Defender for Endpoint client configuration package to the onboarding blob from the portal. This method pushes enrollment to all targeted devices without user intervention.
Common Enrollment Problems and Solutions
Onboarding script fails with error code 0x80070643
This error indicates a Windows Update or installation failure. Open Settings > Windows Update > Advanced options > Recovery. Click Reset this PC and choose Keep my files. After the reset, reinstall the latest quality update, then run the onboarding script again.
Device shows as “Inactive” or “Pending” in the portal
An inactive status means the device has not communicated with the Defender for Endpoint cloud service. Check the following:
- Ensure the device has internet access. Open a browser and go to https://security.microsoft.com. If the page loads, the connection is working.
- Verify that Windows Defender Firewall is not blocking outbound connections to Defender for Endpoint endpoints. The required URLs are listed in Microsoft documentation under Microsoft Defender for Endpoint network connectivity.
- Restart the Microsoft Defender Antivirus Network Inspection Service and Microsoft Defender Antivirus Service. Open Services.msc, find both services, right-click and select Restart.
Script runs but no success message appears
Open an elevated PowerShell window and run the following command to check the enrollment state: Get-MpComputerStatus | Select-Object -Property AMRunningMode, AMProductVersion, OnboardingState. If OnboardingState shows a value other than 1, the device is not enrolled. Re-download the onboarding package from the portal and run the script again. Make sure you use the same tenant that the device should be enrolled in.
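As an added example, not part of the original article or any Microsoft tooling, the script below gathers the checks from the "Inactive or Pending" section and from this one into a single diagnostic report: the local OnboardingState value written by the onboarding script, the state of the Sense, WinDefend and WdNisSvc services, outbound TCP 443 reachability, enabled outbound block rules in Windows Defender Firewall, and the latest warnings and errors from the Sense operational event log. Only security.microsoft.com comes from the article; the second host name is a placeholder to be replaced with the service URLs from Microsoft's Defender for Endpoint network connectivity documentation. The optional switch restarts the two antivirus services the article names.

```powershell
# Added example (not from the article or from Microsoft): one-shot onboarding diagnostics.
# Assumption: the placeholder host below is replaced with the documented service URLs.
#Requires -RunAsAdministrator

$StatusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$CloudHosts = @(
    'security.microsoft.com',          # portal host named in the article
    'REPLACE-WITH-MDE-SERVICE-HOST'    # placeholder: regional service URL from Microsoft docs
)

function Get-MdeDiagnostics {
    param([switch]$RestartServices)

    # 1. Local onboarding marker set by the onboarding script (1 = onboarded).
    $state = (Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # 2. Service health: Sense is the Defender for Endpoint client; WinDefend and WdNisSvc
    #    are the Microsoft Defender Antivirus and Network Inspection services.
    $services = 'Sense', 'WinDefend', 'WdNisSvc' |
        ForEach-Object { Get-Service -Name $_ -ErrorAction SilentlyContinue } |
        Select-Object Name, Status, StartType

    if ($RestartServices) {
        # Tamper protection may refuse to stop WinDefend; the error is reported, not fatal.
        foreach ($svc in 'WdNisSvc', 'WinDefend') {
            Restart-Service -Name $svc -ErrorAction Continue
        }
    }

    # 3. Outbound HTTPS reachability for each cloud host.
    $connectivity = foreach ($h in $CloudHosts) {
        [pscustomobject]@{
            Host   = $h
            Tcp443 = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }

    # 4. Enabled outbound block rules that could stop the Sense service from reaching the cloud.
    $blockRules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Profile

    # 5. Recent warnings (level 3) and errors (level 2) from the Sense operational log.
    $senseEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2, 3 } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        OnboardingState    = $state
        Onboarded          = ($state -eq 1)
        Services           = $services
        Connectivity       = $connectivity
        OutboundBlockRules = $blockRules
        RecentSenseEvents  = $senseEvents
    }
}

$report = Get-MdeDiagnostics
$report | Format-List
if (-not $report.Onboarded) {
    Write-Warning 'OnboardingState is not 1: re-download the onboarding package for the correct tenant and run the script again.'
}
```

Read the report top down: an OnboardingState other than 1 means the script never completed on this device, a stopped Sense service or a failed Tcp443 result explains an Inactive status in the portal, and the Sense event messages usually name the specific URL or proxy the client could not reach.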
Local Script vs Group Policy vs Intune Enrollment
| Item | Local Script | Group Policy | Microsoft Intune |
|---|---|---|---|
| Best for | Testing or single devices | Domain-joined devices with Active Directory | Cloud-managed or hybrid devices |
| Administrator effort | Low | Medium | Medium |
| Scalability | Up to 10 devices | Hundreds of devices | Thousands of devices |
| Requires infrastructure | None | Active Directory and Group Policy | Intune subscription and MDM enrollment |
| Enrollment speed | Immediate | Within Group Policy refresh cycle | Within Intune sync cycle |
| Automatic re-enrollment | No | Yes, on every Group Policy refresh | Yes, on every Intune sync |
You can now enroll a Windows 11 PC in Microsoft Defender for Endpoint using the local script method. Start by downloading the onboarding package from the Microsoft 365 Defender portal and running the script as Administrator. After enrollment, verify the device appears as Active in the Device inventory. For ongoing management, consider using Group Policy or Intune to automatically re-enroll devices if they are reset or replaced.