With the release of windows 10 anniversary update the client site of Windows Defender Advanced Threat Protection (WDATP) will be integrated.

To read more about Windows Defender Advanced Threat Protection (WDATP) take a look here: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

This blog post is not how the WDATP is working but how to get a Windows 10 onboarded with the help of Intune MDM policy.

First of all it requires some basic understanding about how the CSP is working.

Here is a the layout of the configuration service provider  (CSP) settings for WDATP – more info at https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx


Intune and Windows 10 both native supports CSP.

To setup the Onboarding first download the configuration file from WDATP.

In the menu go to Endpoint Management

Choose Mobile Device Management and download the packages


The file will be downloaded as a .zip file – extract the file and you get


The content of this file is what connects your Windows 10 devices to the WDATP tenant.

Now for the Intune part of the onboarding process.

In the Intune Console

Go to Policy -> Configuration Policy -> Add…

WATP - Intune 01

Create a Custom Configuration (Windows 10 Desktop and Mobile and later) policy

WATP - Intune 02

  1. Enter a name for the policy
  2. Enter a description
  3. Click Add.. to create the CSP setting

WATP - Intune 03

Now you need to enter all the setting for the Onboarding CSP

  1. Settings name: Onboarding (I always use the setting name)
  2. Settings description (I always use the OMA-URL)
  3. Data type : String (It is very important to use the correct data type otherwise the policy will fail)
  4. OMA-URI :  ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
  5. Value : use the content from the previous downloaded WindowsDefenderATP.onboarding file
  6. Click : ok

WATP - Intune 04

Click Save Policy

WATP - Intune 05

Click yes to deploy the policy

WATP - Intune 06

Find a device group to deploy the policy to (when dealing with CSP policy that starts with ./Device/ always deploy it to devices, and if it starts with ./User/ deploy it to a group of users)

WATP - Intune 07

Now you can manual sync the Windows with Intune to onboard the device to WDATP – or just wait to the next sync cycle.

The you can see in the WDATP console that the devices is coming into the Machine View