Hands-On Onboarding for MDE (Windows Server)

Comprehensive guide for local MDE onboarding of Windows Server: retrieving the MDE onboarding package from the Microsoft Defender portal, installing the agent using the scripts in that package, and validating connectivity and security functionality after deployment.

Gather Windows Server MDE Local Package

  1. Navigate to Endpoint Onboarding in the Microsoft Defender portal. On that page, set Operating System to Windows Server 2019 and 2022, Connectivity Type to Streamlined, and Deployment Method to Group Policy.
  2. Once these selections have been made, locate and select Download Onboarding Package. A file named GatewayWindowsDefenderATPOnboardingPackage.zip will be saved to the Downloads folder of the signed-in user account.
  3. Extract the contents of the package; the extracted folder should contain a file named WindowsDefenderATPOnboardingScript.cmd.
  4. After extraction, copy the .cmd file to a location that the Windows Servers you want to join to MDE can reach, for example a trusted SharePoint site, an Outlook email, or a USB drive. Because the script carries your tenant's onboarding information, use a location restricted to administrators.

Deploy Windows Server MDE Local Package

  1. On the target Windows Server, verify that the WindowsDefenderATPOnboardingScript.cmd file is present in the intended directory on the server.
  2. Once the .cmd file is confirmed present, open an elevated command prompt: use Windows Search, type Command Prompt, right-click the returned result, and select Run as administrator.
  3. In the elevated session, run the following command to install the MDE agent on the server. The command assumes md4ws.msi is in the current working directory; otherwise supply its full path.

    Command

    Msiexec /i md4ws.msi /quiet


  4. After the command has run, open the directory holding the .cmd file in File Explorer, right-click the file, and select Run as administrator. This starts an elevated command prompt that applies the configuration needed for the MDE agent to communicate with Microsoft services.
  5. The script runs in that elevated session and the window closes automatically after a few seconds. Next, use the detection commands in the following section to verify that the required services are now present on the server.
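The deployment steps above can be run unattended from one elevated PowerShell session, with an exit-code check after each step instead of relying on the window closing. The script below is an added example written for this guide, not Microsoft's or Sittadel's own tooling. It assumes md4ws.msi and WindowsDefenderATPOnboardingScript.cmd have been copied to a staging folder (C:\MDE-Onboarding here, chosen for the example); the /norestart and logging switches are additions to the guide's msiexec command.

```powershell
# Added example (not part of the original guide): install the MDE agent MSI and run the
# onboarding script from one elevated PowerShell session, checking each step's exit code.
# Assumption: both files from the guide sit in $PackageDir (staging folder chosen for this example).
param(
    [string]$PackageDir = 'C:\MDE-Onboarding'
)

$ErrorActionPreference = 'Stop'

# Both the installer and the onboarding script need an elevated session; fail early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) session.'
}

$msi = Join-Path $PackageDir 'md4ws.msi'
$cmd = Join-Path $PackageDir 'WindowsDefenderATPOnboardingScript.cmd'
foreach ($f in @($msi, $cmd)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Required file not found: $f" }
}

# Step 3 of the guide: quiet MSI install. 0 = success, 3010 = success but a reboot is required.
# /norestart and the verbose log (/l*v) are added here so a failure leaves evidence on disk.
$log = Join-Path $PackageDir 'md4ws-install.log'
$install = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList @('/i', "`"$msi`"", '/quiet', '/norestart', '/l*v', "`"$log`"") `
    -Wait -PassThru
switch ($install.ExitCode) {
    0       { Write-Host 'MDE agent MSI installed.' }
    3010    { Write-Warning 'MDE agent MSI installed; reboot the server before onboarding.' }
    default { throw "msiexec returned exit code $($install.ExitCode); see $log." }
}

# Step 4 of the guide: run the onboarding .cmd, which writes the tenant onboarding
# configuration and starts the Sense service. The session is already elevated.
$onboard = Start-Process -FilePath 'cmd.exe' -ArgumentList @('/c', "`"$cmd`"") -Wait -PassThru
if ($onboard.ExitCode -ne 0) {
    throw "Onboarding script returned exit code $($onboard.ExitCode)."
}
Write-Host 'Onboarding script completed. Verify the WinDefend and Sense services as described in the next section.'
```

Keep the msiexec log with your change record: if the Sense service never appears, the log shows whether the MSI actually completed, which separates an installer problem from an onboarding-script problem.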

Assess Windows Server MDE Deployment

  1. Open an elevated command prompt: use Windows Search, type Command Prompt, right-click the returned result, and select Run as administrator.
  2. In the elevated session, run the following command to verify that the services installed with the MDE agent are actively running. It should report both services with a STATE of RUNNING.

    Command

    sc.exe query Windefend && sc.exe query sense


  3. Once the service query shows both services running, move on to a detection test that confirms the server is communicating with the Microsoft Defender portal and that data is reaching Microsoft services.
  4. In the elevated session, run the following command to verify that the device has been onboarded and is reporting to the Defender for Endpoint service in the Microsoft Defender portal. This is Microsoft's standard detection test: the download targets 127.0.0.1 and errors are suppressed, so nothing is actually fetched; the alert is raised on the command line pattern itself.

    Command

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'


  5. The session closes automatically once the command runs. If successful, a [Test Alert] Suspicious PowerShell commandline alert appears in the Microsoft Defender portal within about 10-20 minutes.
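The two checks in this section (services running, then a portal alert) can be complemented by reading the onboarding state the Sense service records locally, which tells you within seconds whether the onboarding script actually took effect, before waiting on the portal. The script below is an added example for this guide, not Microsoft's or Sittadel's own code. The service names, the MsSense process, the Status registry key with its OnboardingState value, and the Microsoft-Windows-SENSE/Operational event log are Microsoft's documented locations; the output shape and the Test-MdeOnboarding function name are this example's own.

```powershell
# Added example (not part of the original guide): local verification of an MDE onboarding.
# Combines the guide's service check with the onboarding-state value written by the Sense service.
function Test-MdeOnboarding {
    $result = [ordered]@{}

    # Step 2 of the guide: both services should be Running (equivalent of sc.exe query).
    foreach ($svc in 'WinDefend', 'Sense') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result[$svc] = if ($null -eq $s) { 'Missing' } else { $s.Status.ToString() }
    }

    # OnboardingState is set by the Sense service: 1 = onboarded, 0 or absent = not onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result['OnboardingState'] = if ($null -eq $state) { 'Absent' } else { $state }

    # The sensor process should be resident once the Sense service is running.
    $result['MsSenseProcess'] = if (Get-Process -Name MsSense -ErrorAction SilentlyContinue) { 'Running' } else { 'Not running' }

    $result['Onboarded'] = ($result['WinDefend'] -eq 'Running') -and
                           ($result['Sense']     -eq 'Running') -and
                           ($state -eq 1)
    [pscustomobject]$result
}

$check = Test-MdeOnboarding
$check | Format-List

if (-not $check.Onboarded) {
    Write-Warning 'Device does not look onboarded yet. Re-run the onboarding .cmd as administrator and check again; if OnboardingState stays 0, review the Microsoft-Windows-SENSE/Operational event log for the failure reason.'
    exit 1
}
Write-Host 'Local onboarding checks passed. Run the detection test in step 4 to confirm the portal receives alerts.'
```

A non-zero exit code makes the script usable from a remote session or a deployment tool, so a fleet of servers can be checked without opening the portal for each one; the portal alert in step 4 remains the end-to-end confirmation.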

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.