Already tested onboarding of the new ARM-based Copilot+ PCs to Intune? In general, this works quite well. But Defender for Endpoint onboarding might become challenging, even with business versions.
Update September 2024: the topic is now mentioned in KB5043950.
Test environment
As is well known, Intune onboarding requires devices with Windows Pro, so I've chosen the HP EliteBook Ultra G1q for testing. It features a Snapdragon processor, Windows 11 Pro, Microsoft Pluton etc. - sounds suitable!
Besides several profiles in Intune, the important one for this test is Defender for Endpoint onboarding via an Endpoint security profile (under "Endpoint detection and response"):
Installation and Compliance
After adding the device to Autopilot, the branded Windows OOBE appears and ESP runs through smoothly. But checking the Company Portal and Intune reveals: compliance is not met. In detail, there is no risk score available ("Require the device to be at or under the machine risk score").
Checking the Defender onboarding policy shows the problem - "Not applicable":
Tests with old profile and OMA-URI
First thought: does the endpoint security profile not support Arm PCs!? Testing the old template profile from Windows > Configuration and the pure OMA-URI (WindowsAdvancedThreatProtection CSP) should at least be worth a try. The first option showed "Success" (but the client is still not visible in Defender), and the second deployment method results in "Error".
The troubleshooting guide points to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Normally, you will find the value "OnboardingInfo" there, which contains all information required for adding a device to Defender (this value can also be obtained from the onboarding package via security.microsoft.com > Settings > Endpoints > Onboarding):
On the Copilot+ PC, the key "Windows Advanced Threat Protection" does not exist. So Intune tries to contact the policy CSP, but setting the policy on the client seems to fail.
Maybe the event viewer helps!? Important for Defender onboarding is the operational log under Applications and Services Logs > Microsoft > Windows > SENSE (SENSE is the sensor behind Defender):
But wait... where is this log!? There is no SENSE folder on the Copilot+ PC. Does Defender not support Arm devices!? It does, already since 2021: Microsoft Defender for Endpoint now supports Windows 10 on Arm devices
Add-WindowsCapability
So the missing piece seems to be the Sense client. The WindowsAdvancedThreatProtection CSP docs state:
Windows 11 Home devices that have been upgraded to one of the below mentioned applicable editions might require you to run the following command before onboarding: DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~
But on a pre-installed Windows 11 Pro device it should be installed already!? Anyway, let's try to add it as a capability:
Add-WindowsCapability -Name "Microsoft.Windows.Sense.Client~~~~" -Online
After this command has been executed, the SENSE folder appears. Some minutes later, "OnboardingInfo" gets filled. Finally, the device becomes visible in the Defender portal and Intune compliance is met. Looking through some threads on reddit shows that this case seems to be common for Copilot+ PCs.
Install Defender sense client via Proactive remediation
To automate this, a simple PowerShell script should do the job. It searches for the Sense service and adds the capability if it is not found:
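The following script is an added example of that approach and is not the script from the original post. It assumes the capability name quoted from the CSP docs above ("Microsoft.Windows.Sense.Client~~~~"), that the script runs as SYSTEM in 64-bit PowerShell (the DISM cmdlets are not available from a 32-bit host), and uses the registry path from the troubleshooting guide above as a post-install diagnostic. The service name "Sense" and the exit-code convention (0 = compliant, 1 = not compliant / remediation failed) are assumptions on my side.

```powershell
# Check for the Defender for Endpoint sensor (Sense) and add the Windows
# capability if it is missing. Added example, not the original post's script.
# Assumed: service name 'Sense'; capability name from the CSP docs; runs
# elevated (SYSTEM) in 64-bit PowerShell, e.g. as an Intune remediation script.

$CapabilityName = 'Microsoft.Windows.Sense.Client~~~~'
$AtpRegPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Test-SenseClient {
    # True when the Sense service exists, i.e. the client is installed.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    return [bool]$svc
}

function Get-OnboardingState {
    # Diagnostic only: reports whether Intune has already written OnboardingInfo.
    # On the affected Copilot+ PCs this key is absent until the client exists.
    if (-not (Test-Path -Path $AtpRegPath)) { return 'registry key missing' }
    $info = Get-ItemProperty -Path $AtpRegPath -Name 'OnboardingInfo' -ErrorAction SilentlyContinue
    if ($info -and $info.OnboardingInfo) { return 'OnboardingInfo present' }
    return 'OnboardingInfo empty'
}

if (Test-SenseClient) {
    Write-Output "Sense service found; onboarding state: $(Get-OnboardingState)"
    exit 0
}

Write-Output "Sense service not found; capability state: $((Get-WindowsCapability -Online -Name $CapabilityName).State)"

try {
    $result = Add-WindowsCapability -Online -Name $CapabilityName -ErrorAction Stop
    # RestartNeeded is reported by the DISM cmdlet; the sensor and the
    # OnboardingInfo value only show up after the reboot and policy re-apply.
    Write-Output "Capability added. RestartNeeded: $($result.RestartNeeded)"
    if (Test-SenseClient) {
        Write-Output 'Sense service is now present.'
        exit 0
    }
    Write-Output 'Capability added; Sense service will appear after reboot.'
    exit 0
}
catch {
    Write-Output "Add-WindowsCapability failed: $($_.Exception.Message)"
    exit 1
}
```

For an Intune remediation package, the same `Test-SenseClient` check (exit 1 when the service is missing) can be pasted as the detection script, with this file as the remediation script; the Add-WindowsCapability call needs a working Windows Update connection, so a failure there is reported through exit code 1 rather than silently ignored.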
Note that a reboot is needed after adding the capability (one is also required for BitLocker compliance evaluation, so we need the reboot anyway).
Good thing: The added capability survives future OS wipes.