diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 3107054c50..e3329ddf3c 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -29,7 +29,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
 
 For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
 
-### Onboard and monitor endpoints
+### Onboard and monitor endpoints using the classic Intune console
 
 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
 
@@ -98,6 +98,24 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V
 > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
 > - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703.
 
+### Onboard and monitor endpoints using the Microsoft Intune in the Azure portal
+
+1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+    a.  Select **Endpoint Management** on the **Navigation pane**.
+
+    b.  Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
+
+      ![Endpoint onboarding](images/atp-mdm-onboarding-package.png)
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named  *WindowsDefenderATP.onboarding*.
+
+3. Login to the (Microsoft Azure portal)[https://portal.azure.com]
+
+
+
+
+
 ### Offboard and monitor endpoints
 
 For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
diff --git a/windows/keep-secure/images/atp-azure-intune.png b/windows/keep-secure/images/atp-azure-intune.png
new file mode 100644
index 0000000000..63cf2d1ddf
Binary files /dev/null and b/windows/keep-secure/images/atp-azure-intune.png differ