Forum Discussion

RajKumarPurview's avatar
RajKumarPurview
Occasional Reader
Jun 24, 2026

Onboarding Devices to Purview

I am not clear on how can I onboard devices to MDE so that I can enforce EDLP policies.

We have CrowdStrike as Primary AV and other policies. Devices are managed through Intune for Bitlocker encryption and all the other settings except they don't have Defender. These devices are not showing up in Purview nor under "Endpoint detection and response" location under Endpoint Security. If we create an EDR onboarding policy and deploy to devices, then it shows the devices and says that AMRUnningMode is Passive, but Antivirus is true. Which I feel like Defender is taking over CrowdStrike? or am I wrong. My goal is to make sure CrowdStrike still primary AV and devices should be onboarded to MDE and then to Purview so that we can scope EDLP policies properly. Can anyone help me to understand or provide right steps? 

data loss prevention
endpoint dlp
Information Protection
microsoft purview
purview

1 Reply

  • cder's avatar
    cder
    MCT
    Jun 25, 2026

    Endpoint DLP requires that Windows 10,Windows 11, Windows Server 2019 and later versions devices be onboarded into the service so that they can send monitoring data to the services. This is independent of whether Microsoft Defender Antivirus is your primary AV.

    Device onboarding is shared across Microsoft 365 and Microsoft Defender for Endpoint (MDE). If you've already onboarded devices to MDE, they appear in the managed devices list and no further steps are necessary to onboard those specific devices. Onboarding devices in Microsoft Purview portal also onboards them into MDE. https://learn.microsoft.com/en-us/purview/device-onboarding-overview

    In your case, you've already onboarded the devices using the Intune EDR onboarding policy, so there's nothing else you need to do from an onboarding perspective. You could have achieved the same result by using the onboarding package from the Purview portal. https://learn.microsoft.com/en-us/purview/device-onboarding-script 

    When you onboard the device to MDE, Microsoft Defender Antivirus can remain in Passive mode while CrowdStrike continues to provide primary antivirus protection. Seeing AMRunningMode = Passive is expected in that scenario and doesn't mean Defender AV has taken over. https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-passive-mode