Onboarding devices to Microsoft Defender for Endpoint individually through the Security Center is time-consuming and difficult to track at scale. Using PowerShell and the Microsoft Graph Security API, you can automate onboarding, verify sensor health, and generate compliance reports across your entire device fleet.
Prerequisites
You need an Entra ID app registration with Machine.ReadWrite.All and SecurityEvents.ReadWrite.All Microsoft Graph permissions, and Defender for Endpoint Plan 2 or Microsoft 365 Defender.
# Note: Machine.ReadWrite.All is a Defender for Endpoint (WindowsDefenderATP) API permission rather than a
# Microsoft Graph one, and the api.securitycenter.microsoft.com calls below expect a token issued for that
# resource; a Graph token is rejected there, so acquire one for https://api.securitycenter.microsoft.com/.default.
Connect-MgGraph -Scopes "Machine.ReadWrite.All","SecurityEvents.ReadWrite.All"
$tenantId = (Get-MgContext).TenantId

Checking Onboarding Status
Before deploying the onboarding package, verify which devices are already reporting to Defender.
$machines = Invoke-MgGraphRequest -Method GET `
    -Uri "https://api.securitycenter.microsoft.com/api/machines"
# healthStatus (values include Active, Inactive, ImpairedCommunication, NoSensorData, Misconfigured) and
# onboardingStatus (Onboarded, CanBeOnboarded, Unsupported, InsufficientInfo) are the fields to report on
$machines.value | Select-Object computerDnsName, osPlatform, healthStatus, onboardingStatus |
    Export-Csv "MDE-Status-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Total machines: $($machines.value.Count)"

Deploying the Onboarding Script via Intune
Use PowerShell to upload and assign the Defender onboarding script to an Intune device configuration profile targeting un-onboarded endpoints.
# Creating an Intune script object requires the DeviceManagementConfiguration.ReadWrite.All Graph scope
$scriptContent = Get-Content "WindowsDefenderATPOnboardingScript.cmd" -Raw
$base64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($scriptContent))
$body = @{
    "@odata.type"         = "#microsoft.graph.deviceManagementScript"
    displayName           = "MDE Onboarding"
    description           = "Onboards device to Microsoft Defender for Endpoint"
    scriptContent         = $base64          # script body, base64-encoded
    runAsAccount          = "system"         # onboarding must run as SYSTEM
    enforceSignatureCheck = $false
    runAs32Bit            = $false
}
New-MgDeviceManagementDeviceManagementScript -BodyParameter $body

Isolating a Compromised Machine
When an alert fires, use the Security API to immediately isolate the affected machine while your team investigates.
$machineId = "abc123-machine-id"   # placeholder: use the id field from the /api/machines response
# IsolationType "Full" cuts all connectivity except to the Defender service; "Selective" keeps Outlook/Teams/Skype working.
# Record the ticket in Comment so the action is traceable in the device's action center.
$body = @{ Comment = "Isolating due to active incident INC-4521"; IsolationType = "Full" }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" `
    -Body ($body | ConvertTo-Json)
Write-Host "Machine $machineId isolated"
# To release the device after investigation, POST to .../machines/$machineId/unisolate with a Comment.

Summary
Scripting Defender for Endpoint management through the Graph Security API gives you a consistent, auditable way to onboard devices, monitor sensor health, and respond to incidents at scale. Combine this with a Logic App triggered by Defender alerts and you have an automated incident-response pipeline that acts in seconds rather than minutes.
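As an added example (not code from the original article), the following function turns the /api/machines response used in the Checking Onboarding Status section into an action list instead of a flat export. The sample records, the contoso.local names and the 7-day staleness threshold are assumptions; the field names and status values are those the Defender for Endpoint API returns.

```powershell
# Added example (not from the article): classify machines from the /api/machines response
# by onboarding state and sensor health, so the CSV export becomes an action list.
# Assumptions: field names as returned by the Defender for Endpoint API; a device silent
# for more than $StaleDays is treated as stale (the threshold is an assumption, tune it).
function Get-MdeHealthReport {
    param(
        [Parameter(Mandatory)] $Machines,   # the objects in $machines.value
        [int] $StaleDays = 7
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
    foreach ($m in $Machines) {
        # lastSeen may arrive as a string or a DateTime depending on PowerShell version; the cast handles both
        $lastSeen = ([datetime]$m.lastSeen).ToUniversalTime()
        $action = switch ($true) {
            ($m.onboardingStatus -ne 'Onboarded') { 'Deploy onboarding package'; break }
            ($m.healthStatus -in 'NoSensorData', 'ImpairedCommunication', 'Misconfigured') { 'Investigate sensor'; break }
            ($lastSeen -lt $cutoff) { 'Stale: confirm device still in use'; break }
            default { 'OK' }
        }
        [pscustomobject]@{
            Name             = $m.computerDnsName
            OS               = $m.osPlatform
            HealthStatus     = $m.healthStatus
            OnboardingStatus = $m.onboardingStatus
            LastSeenUtc      = $lastSeen
            Action           = $action
        }
    }
}

# Constructed sample in the shape of the API response (timestamps relative to now)
$now = (Get-Date).ToUniversalTime()
$sample = @(
    @{ computerDnsName = 'ws01.contoso.local';  osPlatform = 'Windows11';         healthStatus = 'Active'
       onboardingStatus = 'Onboarded';      lastSeen = $now.AddHours(-2).ToString('o') }
    @{ computerDnsName = 'ws02.contoso.local';  osPlatform = 'Windows10';         healthStatus = 'NoSensorData'
       onboardingStatus = 'Onboarded';      lastSeen = $now.AddDays(-3).ToString('o') }
    @{ computerDnsName = 'srv01.contoso.local'; osPlatform = 'WindowsServer2019'; healthStatus = 'Inactive'
       onboardingStatus = 'CanBeOnboarded'; lastSeen = $now.AddDays(-30).ToString('o') }
) | ForEach-Object { [pscustomobject]$_ }

$report = Get-MdeHealthReport -Machines $sample          # live run: -Machines $machines.value
$report | Format-Table -AutoSize
$report | Where-Object Action -ne 'OK' |
    Export-Csv "MDE-Actions-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```

With the constructed sample, ws01 reports OK, ws02 is flagged for sensor investigation, and srv01 is queued for onboarding; on a live run, pass `$machines.value` from the earlier query instead.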