Onboard Windows Devices to MDE using Local Script

Updated: Jul 8

Hello everyone! In this blog I will explain how to onboard devices to Microsoft Defender for Endpoint (MDE) using the local script.


Deploying MDE is a two-step process:

1. Onboard devices to the service
2. Configure the capabilities of the service

There are different options to onboard devices to MDE; below are some of them, grouped by endpoint type.

Windows:
    Local Script (up to 10 devices)
    Group Policy
    Microsoft Endpoint Manager / Mobile Device Management
    Microsoft Endpoint Configuration Manager
    VDI scripts
    Integration with Azure Defender

Mac OS:
    Local Script
    Microsoft Endpoint Manager
    JAMF Pro
    Mobile Device Management

Linux Server:
    Local Script
    Puppet
    Ansible

iOS:
    Microsoft Endpoint Manager

Android:
    Microsoft Endpoint Manager

Please watch this short video to have a quick look


Onboarding Windows devices using Local Script


Microsoft recommends the local script for onboarding no more than 10 devices, so it is not the best method for a larger estate; that is why there are other onboarding methods, which we will cover in this and upcoming posts. Whichever onboarding method you use, you first need to download the onboarding package from the MDE portal, so let's go back to the security center portal.


Step 1: Download the onboarding package from the MDE portal: navigate to Settings in the portal and select Endpoints.





Step 2: From the Endpoints page navigate to Device management and select Onboarding, then select the operating system and deployment method. For now, I have selected Windows Server 2022 and Local Script.

Step 3: Copy the downloaded onboarding package to the device you need to onboard and extract it. Treat the package as sensitive: it contains your tenant's onboarding information, and anyone who has it can onboard devices into your tenant.


Before running the script, you can verify whether the device is already onboarded to MDE by checking the following registry key:

Registry path
HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status

For now there are no values under the Status key. Once onboarding completes, the values are created here, including the OnboardingState value.


Step 4: Run the script with administrative privileges.

Step 5: Type Y and press Enter to onboard the device to MDE.

Once the script finishes running, it reports that the device was successfully onboarded.

Step 6: Verify the registry key as explained earlier: OnboardingState is now 1 and the other values have been added.

You can also see the device in the MDE portal.

Step 7: If this is the first device you are onboarding to MDE, run the detection test to confirm the device is reporting to MDE.

Run the detection test from an admin command prompt.

A new alert appears under Incidents & alerts within 5 to 10 minutes.

You can also validate the onboarding status in Event Viewer and by confirming that the relevant service is running.


In Event Viewer, open the Application log and search for events from the WDATPOnboarding source; the sensor's Operational events are under SENSE (Applications and Services Logs -> Microsoft -> Windows -> SENSE).


Event ID 20 from WDATPOnboarding means the device onboarded successfully; other WDATPOnboarding event IDs correspond to the error conditions listed in the troubleshooting reference below.

You can confirm the service status in Task Manager or the Services console, from the command prompt, or from PowerShell.

In Task Manager, look for the Sense service (its process is MsSense.exe); if it is running, the device is sending sensor data to MDE.


In the Services console, check whether the Windows Defender Advanced Threat Protection Service is running.

From CMD, this returns the current state of the service:

sc query sense

The PowerShell equivalent is:

Get-Service -Name Sense
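As an added example (not part of the original post), the following PowerShell script performs the whole procedure above from one elevated prompt: it records the registry, service and event-log state before onboarding, launches the local script (which still prompts you for Y), re-checks afterwards, and exposes Microsoft's documented detection test for the first device. It assumes the package was extracted to C:\MDE and that the script file is named WindowsDefenderATPLocalOnboardingScript.cmd, which is the name used in the local-script package at the time of writing (check your extracted package). The detection-test command line is the one documented in the troubleshoot-onboarding reference below, launched unchanged.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell prompt
# on the device being onboarded. Assumed: package extracted to C:\MDE, script file name
# WindowsDefenderATPLocalOnboardingScript.cmd (verify against your extracted package).

$StatusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$ScriptPath = 'C:\MDE\WindowsDefenderATPLocalOnboardingScript.cmd'   # assumed path and name

function Get-MdeOnboardingStatus {
    # Collects the three signals the post checks by hand: registry, service and event log.
    $status = [ordered]@{
        OnboardingState = $null            # 1 = onboarded, 0 = offboarded, $null = value/key absent
        SenseService    = 'NotInstalled'   # service name 'Sense', display name 'Windows Defender Advanced Threat Protection Service'
        OnboardEvent20  = $false           # WDATPOnboarding event ID 20 in the Application log = script succeeded
        LastSenseEvent  = $null            # newest entry in Microsoft-Windows-SENSE/Operational
    }

    # The Status key is only created once the onboarding script has run.
    if (Test-Path -Path $StatusKey) {
        $status.OnboardingState = (Get-ItemProperty -Path $StatusKey).OnboardingState
    }

    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $status.SenseService = $svc.Status.ToString() }

    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding'; Id = 20 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    $status.OnboardEvent20 = [bool]$ev

    $sense = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($sense) { $status.LastSenseEvent = $sense.TimeCreated }

    return [pscustomobject]$status
}

function Test-MdeOnboarded {
    # "Onboarded" for our purposes means the registry says so AND the sensor service is running.
    $s = Get-MdeOnboardingStatus
    return ($s.OnboardingState -eq 1 -and $s.SenseService -eq 'Running')
}

function Invoke-MdeLocalOnboarding {
    # Steps 4 and 5: run the package script elevated; it prompts for Y before onboarding.
    if (-not (Test-Path -Path $ScriptPath)) { throw "Onboarding script not found at $ScriptPath" }
    Start-Process -FilePath cmd.exe -ArgumentList '/c', "`"$ScriptPath`"" -Verb RunAs -Wait
}

function Invoke-MdeDetectionTest {
    # Step 7: Microsoft's documented detection test, launched as the documented command line
    # rather than rewritten. It needs no network access: the download from 127.0.0.1 is expected
    # to fail silently; the alert in the portal is raised by the behaviour, not by a real payload.
    $test = 'powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden ' +
            '$ErrorActionPreference= ''silentlycontinue'';' +
            '(New-Object System.Net.WebClient).DownloadFile(''http://127.0.0.1/1.exe'', ''C:\\test-WDATP-test\\invoice.exe'');' +
            'Start-Process ''C:\\test-WDATP-test\\invoice.exe'''
    Start-Process -FilePath cmd.exe -ArgumentList "/c $test"
}

# Pre-check: same as inspecting the Status key in regedit before running the script.
'--- Before onboarding ---'
Get-MdeOnboardingStatus | Format-List

if (-not (Test-MdeOnboarded)) {
    Invoke-MdeLocalOnboarding
    Start-Sleep -Seconds 15      # give the Sense service a moment to start before re-checking
}

'--- After onboarding ---'
Get-MdeOnboardingStatus | Format-List

if (Test-MdeOnboarded) {
    Write-Host 'Onboarded: OnboardingState=1 and Sense is running. For the first device, run Invoke-MdeDetectionTest and watch Incidents & alerts for 5 to 10 minutes.'
} else {
    Write-Warning 'Not onboarded yet: check the WDATPOnboarding events in the Application log for an error event ID.'
}
```

Get-MdeOnboardingStatus is the function to keep for later fleet checks: run it on its own and it reports whether the Status key, the Sense service and the event ID 20 entry are all present, which is the same evidence the manual steps above collect one at a time. The detection test is deliberately kept as a separate call so that it is only fired once on the first device and does not create a test alert for every device you onboard.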

References

Onboard devices and configure Microsoft Defender for Endpoint capabilities
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide

Troubleshoot Microsoft Defender for Endpoint onboarding issues
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide

Onboard Windows devices using a local script
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-worldwide

