Hands-On Onboarding for MDE (Windows)

Comprehensive guide to Windows Local MDE onboarding: retrieving the MDE onboarding package from the Defender portal, installing the Agent utilizing the embedded scripts, and validating connectivity and security functionality post-implementation.

Gather Windows MDE Local Onboarding Package

  1. Before carrying out this procedure, verify that the device is running the Pro edition of Windows by following these steps here.
  2. Once the Windows edition has been verified, navigate to the Endpoint Onboarding page of the Microsoft Defender portal. On this page, set the Operating System to Windows 10 and 11, the Connectivity Type to Streamlined, and the Deployment Method to Group Policy.
  3. Once the selections have been made, locate and select Download Onboarding Package. A file named GatewayWindowsDefenderATPOnboardingPackage.zip will be saved to the Downloads folder of the signed-in user account.
  4. Extract the contents of the package; the extracted folder should contain a file named WindowsDefenderATPOnboardingScript.cmd.
  5. After extraction, move the .cmd file to a location that the Windows machines being onboarded to MDE can reach, such as a trusted SharePoint site, an Outlook email, or a USB drive.

Deploy Windows MDE Local Onboarding Package

  1. On the target Windows device, first verify that the WindowsDefenderATPOnboardingScript.cmd file is present in a known directory on the machine.
  2. Once the .cmd file is confirmed to be present, open an elevated command line session: use Windows Search, type Command Prompt into the search field, and select Run as Administrator to open an elevated CMD window.
  3. In File Explorer, browse to the directory where the .cmd file is stored, right-click the file, and select Copy as Path.
  4. Return to the elevated CMD session, paste the copied file path, and press Enter to run the script.

Assessing a Windows MDE Local Onboarding Deployment

  1. Using Windows Search, type Windows PowerShell ISE into the search field and select Run as Administrator to open an elevated ISE session.
  2. Once the session has opened, use the following script to evaluate whether the MDE agent is configured and running so that it can communicate with your organization's Microsoft Defender portal.

    PowerShell Script

    # Policy key and value written by WindowsDefenderATPOnboardingScript.cmd
    $registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
    $registryValueName = "OnboardingInfo"

    # Confirms that the onboarding policy value exists and is not empty.
    # Returns $false on every failure path (the original nested form returned
    # nothing when the value existed but was empty).
    function Check-RegistryValue {
        if (-not (Test-Path $registryPath)) {
            Write-Warning "The path to this value does not exist."
            return $false
        }
        $value = Get-ItemPropertyValue -Path $registryPath -Name $registryValueName -ErrorAction Ignore
        if ([string]::IsNullOrEmpty($value)) {
            Write-Warning "The registry value name does not exist or is empty."
            return $false
        }
        Write-Host "The registry value exists."
        return $true
    }

    # Confirms that the MDE sensor process (MsSense.exe) is running.
    function Check-ATPProcess {
        $WindowsDefenderATPExecutable = Get-Process -Name MsSense -ErrorAction SilentlyContinue
        if ($null -eq $WindowsDefenderATPExecutable) {
            Write-Warning "Process is not running"
            return $false
        }
        Write-Host "Process is running"
        return $true
    }

    $registryCheck = Check-RegistryValue
    $processCheck = Check-ATPProcess

    if ($registryCheck -and $processCheck) {
        Write-Host "Both checks passed."
        exit 0
    }
    else {
        Write-Warning "One or both checks failed."
        exit 1
    }

  3. In the elevated ISE session, copy and paste the script above into the editor pane of the Untitled1.ps1 file.
  4. Once the script has been pasted in, save the .ps1 file locally on the machine; the ISE requires that the file is saved before it can be executed.
  5. After the file has been saved, locate and select the green play button to run the saved script.
  6. When the script runs, its output appears in the console pane below the editor.
  7. Depending on the results, there are two paths forward:
    1. If both checks pass, the agent is on the device and the MDE onboarding was successful.
    2. If one or more warnings are displayed, the MDE agent has not been successfully deployed and the deployment process above will need to be repeated.
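As an added example that is not part of this guide's own script, the check below goes further than the two checks above: besides the OnboardingInfo policy value and the MsSense process, it reads the Sense service state and the OnboardingState status value (1 once the sensor has finished onboarding) and returns one object for all of them. The Status key path is taken from Microsoft's MDE documentation, not from this guide; run it from an elevated PowerShell session.

```powershell
# Added example: extended post-onboarding check for the local MDE agent.
# Assumption: the Status key below is the documented MDE status location
# (not taken from the guide). Run from an elevated PowerShell session.
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
$statusPath = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"

# Reads a registry value, returning $null if the key or value is missing.
function Get-RegValue([string]$Path, [string]$Name) {
    if (Test-Path $Path) {
        Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Ignore
    }
}

function Get-MdeOnboardingStatus {
    # Policy value written by WindowsDefenderATPOnboardingScript.cmd
    $onboardingInfo  = Get-RegValue -Path $policyPath -Name OnboardingInfo
    # 1 = the Sense agent has completed onboarding with the cloud service
    $onboardingState = Get-RegValue -Path $statusPath -Name OnboardingState
    $senseService    = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseProcess    = Get-Process -Name MsSense -ErrorAction SilentlyContinue

    $serviceStatus = if ($senseService) { $senseService.Status.ToString() } else { "NotInstalled" }
    $infoPresent   = -not [string]::IsNullOrEmpty($onboardingInfo)
    $healthy = $infoPresent -and ($onboardingState -eq 1) -and
               ($serviceStatus -eq "Running") -and ($null -ne $senseProcess)

    [pscustomobject]@{
        OnboardingInfoPresent = $infoPresent
        OnboardingState       = $onboardingState
        SenseServiceStatus    = $serviceStatus
        MsSenseRunning        = ($null -ne $senseProcess)
        Healthy               = $healthy
    }
}

$status = Get-MdeOnboardingStatus
$status | Format-List
if (-not $status.Healthy) {
    Write-Warning "MDE onboarding is incomplete; re-run WindowsDefenderATPOnboardingScript.cmd from an elevated prompt."
    exit 1
}
Write-Host "MDE agent is onboarded and running."
exit 0
```

A device that has just run the onboarding script may show OnboardingInfoPresent as true while OnboardingState is still empty; give the Sense service a few minutes to contact the service before treating that as a failure.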

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.