Forum Discussion
When onboarding a device using the DFE (Device Functionality Enhancement) onboarding script, it is expected that the device will be properly enrolled in Microsoft Defender for Endpoint (MDE) and reflect its status as "Managed" in the Defender portal. However, if the device is showing as "Managed by Unknown" and the "MDE Enrollment status" is displayed as "N/A," it indicates that the device has not successfully registered or communicated with the MDE service.
This issue can occur for several reasons, including incorrect configuration of the DFE onboarding script, connectivity issues between the device and Defender for Endpoint services, or issues with permissions or policies applied during the enrollment process. It may also be a result of the device not receiving the required Defender for Endpoint agent or its enrollment being interrupted during the onboarding process.
To resolve this issue, try the following steps:
- Verify the device is connected to the network and has internet access to communicate with MDE.
- Ensure that the onboarding script is correctly executed with the appropriate permissions and settings.
- Confirm that the correct version of the Defender for Endpoint agent is installed on the device.
- Review the Defender for Endpoint portal for any alerts or errors related to the device enrollment.
- Restart the device and check the enrollment status again.
If the issue persists, re-running the onboarding script or re-enrolling the device may be necessary.
Mks_1973 (Iron Contributor):

1. Test internet connectivity:
   ping www.microsoft.com

2. Ensure HTTPS communication is allowed:
   Test-NetConnection -ComputerName wdatp.microsoft.com -Port 443
   Verify that required URLs and ports for MDE are allowed through your firewall/proxy.

3. Execute the onboarding script as an administrator:
   powershell -ExecutionPolicy Bypass -File OnboardingScript.ps1
   (Download the latest onboarding script from the Defender portal under Settings > Device Management > Onboarding.)

4. Get-WindowsFeature -Name "Windows-Defender-Features"
   If not installed:
   Install-WindowsFeature -Name "Windows-Defender-Features"

5. Use PowerShell to check MDE status:
   Get-MpPreference
   MpCmdRun.exe -SignatureUpdate   (to ensure Defender definitions are up to date)

6. Reboot and run:
   sc qc sense

7. Offboard the device if necessary by running the offboarding script:
   powershell -ExecutionPolicy Bypass -File OffboardingScript.ps1

8. Trigger a sync:
   sc control sense paramchange
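The checks suggested in both posts above (network reachability, onboarding script result, agent state, Sense service state) can be gathered in one read-only pass before deciding whether to re-run or re-enrol. The script below is an added example written for this thread; it is not code from either poster or from Microsoft. It assumes a Windows device where the Sense (MDE EDR) service is installed, reads the standard MDE status registry key (`HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`, where `OnboardingState` is 1 on an onboarded device), and reuses `wdatp.microsoft.com` from the thread as the egress endpoint; the function name `Test-MdeOnboardingHealth` and the `$result` field names are my own choices.

```powershell
# Added example (not from the thread): read-only MDE onboarding health check.
# Run in an elevated PowerShell session on the device that shows "MDE Enrollment status: N/A".
# Assumptions: Windows client or server with the Sense service present; the registry
# path below is the standard MDE status key; endpoint list taken from the thread.

function Test-MdeOnboardingHealth {
    [CmdletBinding()]
    param(
        # Endpoint the thread uses to prove HTTPS egress; add your region's MDE URLs as needed.
        [string[]]$Endpoints = @('wdatp.microsoft.com'),
        [int]$EventCount = 10
    )

    $result = [ordered]@{}

    # 1. Sense service: must exist and be running for the device to report in.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $result.SenseServiceState = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # 2. Onboarding state from the registry (1 = onboarded; anything else explains "N/A").
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $result.OnboardingState = if ($status) { $status.OnboardingState } else { $null }
    $result.OrgId           = if ($status) { $status.OrgId } else { $null }

    # 3. Defender AV engine state; Get-MpComputerStatus is absent where Defender AV is not installed.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.AMServiceEnabled = if ($mp) { $mp.AMServiceEnabled } else { $null }
    $result.SignatureAgeDays = if ($mp) { $mp.AntivirusSignatureAge } else { $null }

    # 4. HTTPS egress to the MDE endpoint(s), the same test the thread runs by hand.
    $result.Egress = @(foreach ($ep in $Endpoints) {
        $tnc = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $ep; TcpOk = $tnc.TcpTestSucceeded }
    })

    # 5. Recent SENSE operational events; onboarding and cloud-communication failures land here.
    $result.RecentSenseEvents = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
        -MaxEvents $EventCount -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    # Verdict used to decide between "wait for sync" and "re-run the onboarding script".
    $result.LooksOnboarded = ($result.SenseServiceState -eq 'Running') -and ($result.OnboardingState -eq 1)

    [pscustomobject]$result
}

# Usage: summary first, then egress and event details as separate tables for readability.
$health = Test-MdeOnboardingHealth
$health | Select-Object -Property * -ExcludeProperty RecentSenseEvents, Egress | Format-List
$health.Egress | Format-Table -AutoSize
$health.RecentSenseEvents | Format-Table -AutoSize -Wrap
```

Read the output in the order the thread suggests: if `Egress` shows `TcpOk = False`, fix the firewall/proxy before touching the script; if egress is fine but `SenseServiceState` is not `Running` or `OnboardingState` is not 1, the onboarding script did not complete and should be re-run as administrator; if everything reports healthy and the portal still says "N/A", trigger the sync (`sc control sense paramchange`) and allow time for the device to report in.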