GPO Onboarding for MDE (Windows)

A step-by-step guide to onboarding Windows devices to MDE with Group Policy: retrieving the MDE onboarding package from the Defender portal and using a Domain Controller to deploy the agent to domain-joined Windows devices.

Gather Windows MDE Group Policy Package

  1. Navigate to the Endpoint Onboarding page in the Microsoft Defender portal. There, set the Operating System to Windows 10 and 11, the Connectivity Type to Streamlined, and the Deployment Method to Group Policy.
  2. Once those selections are made, locate and select Download onboarding package. A file named GatewayWindowsDefenderATPOnboardingPackage.zip will be saved to the user's Downloads folder.
  3. Extract the contents of the package; the extracted folder should contain a file named WindowsDefenderATPOnboardingScript.cmd.
  4. Once extracted, move the .cmd file to a share on the File Server that will distribute the onboarding script to the Windows devices that have access to that share.

Deploying Windows Group Policy MDE Package

  1. On the Domain Controller for the domain containing the Windows devices you want to onboard to MDE, open the Group Policy Management Console (GPMC). Locate the Group Policy Objects container under the desired domain, right-click it and select New.
  2. In the window that appears, supply a Name for the new GPO in the text field and select OK to continue.
  3. The new entry appears in the Group Policy Objects list. Locate and right-click the new GPO, then select Edit to define the policy settings.
  4. This opens the Group Policy Management Editor. In the new window, navigate to Computer Configuration --> Preferences --> Control Panel Settings --> Scheduled Tasks. Once there, right-click Scheduled Tasks and select New --> Immediate Task (At least Windows 7).
  5. In the Task window that opens, go to the General tab. Under Security options select Change User or Group, type SYSTEM in the User or Group window, then select Check Names followed by OK; NT AUTHORITY\SYSTEM now appears as the account the task will run as. In the Name field, type a descriptive name for the scheduled task such as Defender for Endpoint Deployment. Select Run whether user is logged on or not and check the Run with highest privileges check box. In the Configure for drop-down, select the Windows Server OS version that your File Server is running.
  6. After the General tab has been configured, open the Actions tab and select New… When the New Action window opens, verify that Start a program is selected in the Action drop-down. As the program to start, supply the UNC path, using the file server’s fully qualified domain name, to the shared WindowsDefenderATPOnboardingScript.cmd file. Select OK to confirm the action; it appears in the action list. Select Apply to save the configured settings and then OK to complete the scheduled task. Close any open Group Policy Management windows.
  7. To link the GPO to an Organizational Unit (OU), right-click the OU and select Link an Existing GPO. In the dialog box that appears, select the Group Policy Object you wish to link and click OK.
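The following PowerShell script is an added example for verifying the result of the procedure above on a target device; it is not part of the original guide. Because the Immediate Task runs as NT AUTHORITY\SYSTEM, it is the device's computer account that reads the share, so the script is meant to be run from an elevated prompt after Group Policy has applied. The UNC path is a placeholder; the Sense service name and the OnboardingState registry value are the documented indicators that the onboarding script completed.

```powershell
# Added verification script (not from the original guide).
# Run elevated on a Windows device after the GPO has applied (e.g. after gpupdate /force).

# Placeholder UNC path: replace with the FQDN-based path configured in the task action.
$ScriptPath = '\\fileserver.example.local\MDEOnboarding\WindowsDefenderATPOnboardingScript.cmd'
# Documented location where the onboarding script records success.
$StatusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Test-MdeOnboarding {
    param(
        [string]$Path,
        [string]$Key
    )

    $result = [ordered]@{}

    # 1. Can this device reach the shared .cmd file? The task runs as SYSTEM, so the
    #    computer account (e.g. Domain Computers) needs Read on the share and the NTFS ACL.
    $result.ScriptReachable = Test-Path -LiteralPath $Path

    # 2. Is the Defender for Endpoint sensor service present and running?
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseInstalled = [bool]$svc
    $result.SenseRunning   = [bool]($svc -and $svc.Status -eq 'Running')

    # 3. The onboarding script sets OnboardingState = 1 when it has completed successfully.
    $state = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = $state
    $result.Onboarded       = ($state -eq 1)

    # Summarise: all three conditions must hold for the device to be considered onboarded.
    $result.AllChecksPassed = $result.ScriptReachable -and $result.SenseRunning -and $result.Onboarded

    [pscustomobject]$result
}

Test-MdeOnboarding -Path $ScriptPath -Key $StatusKey | Format-List
```

If ScriptReachable is false while the path works for a logged-on user, the share or NTFS permissions are granting access to users but not to computer accounts, which is the most common reason the SYSTEM task never runs the script.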

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.