Comprehensive guide for Windows MDE Detection and Remediation RMM Script Deployment: utilizing the retrieved MDE onboarding package, previously created detection script, and a preferred RMM tool for bulk deployment to desired Windows machines.
Required Windows Versions: Windows 10 1803+, Windows 11 (All)
Deploying MDE Detection and Response Script through RMM
- This deployment example leverages the Ninja RMM tool; the RMM tool can vary, but the process should remain much the same.
- From the console of your RMM tool, access the area that allows the creation of scripts. Here we will create a detection script and a remediation script: the detection script determines whether the MDE agent is already present on the device, and if it is not, the remediation script executes the onboarding script gathered from the organization's Microsoft Defender portal. Let's start with the detection script.
- Within Ninja RMM, you can either copy and paste the code into the console or leverage drag and drop functionality to upload the necessary code for script execution. We will be leveraging traditional copy and paste methodology for our example.
- Leveraging the previously created MDEDetection.cmd script from the MDE Detection and Remediation Script steps, we will want to open the file directly from a preferred text editor.
- Once opened, we will want to copy all the contents of the file and paste the contents from the text editor window into the RMM console.
- Once the script has been successfully ported over, provide a Name and Description that is relevant to the detection of the agent. We will want to specify that this is a Batch file (*.bat,*.cmd,*.nt), the OS is Windows, the Architecture can be either 32-bit or 64-bit, and we want to leverage administrative privileges during execution so specify Run As System. Once the script and additional configuration items have been configured, select Save to confirm the script creation.
- After the detection script creation, we will move to creating the remediation script.
- Leveraging the previously extracted WindowsDefenderATPOnboardingScript.cmd script from the MDE Detection and Remediation Script steps, we will want to open the file directly from a preferred text editor.
- Once opened, we will want to copy all the contents of the file and paste the contents from the text editor window into the RMM console.
- Once the script has been successfully ported over, provide a Name and Description that is relevant to the remediation of MDE detection failure. We will want to specify that this is a Batch file (*.bat,*.cmd,*.nt), the OS is Windows, the Architecture can be either 32-bit or 64-bit, and we want to leverage administrative privileges during execution so specify Run As System. Once the script and additional configuration items have been configured, select Save to confirm the script creation.
- After both scripts have been generated, we will want to access the area of the RMM tool that allows conditional remediation for devices.
- Provide a Name and Description that is relevant to the detection/remediation behavior of the scripts for the MDE agent. Specify that this policy enforcement applies to Windows devices, and make sure the policy is active once creation is completed. Select Create to confirm the policy creation.
- After creation, we need to specify what this policy achieves during execution. For this example, we will use a condition-based policy. Verify that the proper sections are selected to achieve this functionality within your RMM tool.
- To specify the Condition that triggers the remediation script, set the launch criteria to be based on the Result Returned from the MDE Detection script created earlier. The Run Time can be any desired span; the Timeout should be set higher because of the client-server architecture being used. For the error detection metric, we leverage the logic in the MDE detection script: in the code, detection failure is caught when either the registry key or the process is not found, which returns an exit value of 1 and displays 'One or both checks failed.' Once all the designated fields have been filled, select Apply to continue.
- After the condition has been specified, select the MDE Remediation script created earlier as the script to run on condition failures. Provide a Name that is relevant to the detection/remediation of the MDE agent. If your tool allows it, you can designate any system flagging you desire for execution failures. If the policy allows a re-execution state, make it fire when compliance has failed. You can also specify whether individuals should receive notifications, if your tool allows it. Select Add to continue to policy finalization.
- If done correctly, the condition should be listed within the section; select Save to finalize the creation of the condition-based policy for the MDE Detection and Remediation Script RMM Deployment.
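The condition above keys off the detection script's exit code and message. The following batch script is an added example of detection logic matching that contract (exit 0 when both checks pass, exit 1 with 'One or both checks failed.' otherwise); it is not the guide's own MDEDetection.cmd, and it assumes the two checks are the documented MDE OnboardingState registry value and the MsSense.exe agent process.

```batch
@echo off
REM Added example of an MDE detection script for an RMM condition.
REM Assumption: onboarding state lives at the documented Status key and
REM the Defender for Endpoint agent runs as MsSense.exe.
setlocal

set "STATUS_KEY=HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
set "REG_OK=0"
set "PROC_OK=0"

REM Check 1: OnboardingState must exist and equal 1 (reg shows 0x1).
REM Redirects and pipes inside for /f must be caret-escaped.
for /f "tokens=3" %%A in ('reg query "%STATUS_KEY%" /v OnboardingState 2^>nul ^| find /i "OnboardingState"') do (
    if /i "%%A"=="0x1" set "REG_OK=1"
)

REM Check 2: the agent process must be running right now.
tasklist /fi "IMAGENAME eq MsSense.exe" 2>nul | find /i "MsSense.exe" >nul && set "PROC_OK=1"

REM Success path: both checks passed, nothing for the RMM policy to remediate.
if "%REG_OK%"=="1" if "%PROC_OK%"=="1" (
    echo Both checks passed. MDE agent is onboarded and running.
    endlocal
    exit /b 0
)

REM Failure path: this exact message and exit code are what the RMM
REM condition in the steps above matches on.
echo One or both checks failed.
if "%REG_OK%"=="0" echo   - OnboardingState registry value is missing or not 1.
if "%PROC_OK%"=="0" echo   - MsSense.exe process is not running.
endlocal
exit /b 1
```

Run it as System from the native (64-bit) interpreter on 64-bit hosts so the HKLM\SOFTWARE query is not redirected to WOW6432Node; the per-check lines after the failure message help an analyst tell an onboarding gap from a stopped agent in the RMM output.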
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.