RMM Tool "Detection and Remediation" Script Creation for MDE (Windows)

Comprehensive guide for Windows MDE Detection and Remediation RMM Script Creation: retrieving the MDE onboarding package from the Defender portal and creating the detection script for future RMM deployment.

Gather Windows MDE Local Package

  1. Navigate to Endpoint Onboarding in the Microsoft Defender portal. On that page, select the Operating System as Windows 10 and 11, the Connectivity Type as Streamlined, and the Deployment Method as Group Policy.
  2. Once those selections have been made, locate and select Download onboarding package. The GatewayWindowsDefenderATPOnboardingPackage.zip file will be saved to the Downloads folder of the signed-in user account.
  3. Extract the contents of the package. The extracted folder should contain a file named WindowsDefenderATPOnboardingScript.cmd. Keep this file: the detection script below only checks whether a device is already onboarded, and the onboarding script is what the remediation step will run.

Creating the Windows MDE Detection Script

  1. Open a preferred text editor. This example uses Notepad++, but any editor that can save a file with an arbitrary extension will work.
  2. In the editor, start with a Save As action, since this script will be uploaded to the RMM Detection and Remediation Script deployment covered in a separate article. Choose an easily accessible location such as the Downloads or Desktop folder, set Save as type to All Types (*.*), and supply MDEDetection.cmd as the File name. Select Save to create the empty .cmd file.
  3. After saving, copy and paste the contents of the table below into the editor window and save again.

    Detection Script

    @echo off
    setlocal

    rem OnboardingInfo is written by WindowsDefenderATPOnboardingScript.cmd when a device is onboarded
    set "registryPath=HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
    set "registryValueName=OnboardingInfo"

    set "registryCheck=0"
    set "processCheck=0"

    :CheckRegistryValue
    reg query "%registryPath%" /v "%registryValueName%" >nul 2>&1
    if %ERRORLEVEL% equ 0 (
        echo The registry value exists.
        set "registryCheck=1"
    ) else (
        rem "if exist" only tests file system paths, so test for the key with a second reg query.
        rem "if errorlevel" is used because %ERRORLEVEL% is expanded once for the whole block.
        reg query "%registryPath%" >nul 2>&1
        if errorlevel 1 (
            echo The path to this value does not exist.
        ) else (
            echo The registry value name does not exist.
        )
    )

    :CheckATPProcess
    rem MsSense.exe is the process hosted by the Sense service
    tasklist /fi "imagename eq MsSense.exe" 2>nul | find /i "MsSense.exe" >nul
    if %ERRORLEVEL% equ 0 (
        echo Process is running
        set "processCheck=1"
    ) else (
        echo Process is not running
    )

    rem Exit code 0 = onboarded and running, 1 = remediation needed
    if %registryCheck% equ 1 if %processCheck% equ 1 (
        echo Both checks passed.
        exit /b 0
    )
    echo One or both checks failed.
    exit /b 1


  4. After pasting the contents and saving, the detection script is ready to be uploaded for the RMM Detection and Remediation Script deployment. Before uploading, run MDEDetection.cmd from an elevated Command Prompt on an onboarded device and on a device that has not been onboarded, then run echo %ERRORLEVEL% after each run: an exit code of 0 means both checks passed and no remediation is needed, and 1 means the RMM should trigger remediation. The script treats the presence of the OnboardingInfo policy value and a running MsSense.exe process as proof of onboarding; it does not confirm that the device has actually completed onboarding with the service.
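As an added example that is not part of the original article, the same detection expressed in PowerShell, which is also what most RMM platforms accept for Windows detection scripts. It performs the two checks from the .cmd script above and adds two that the .cmd script does not: the state of the Sense service and the OnboardingState status value, which the Sense service sets to 1 once the device has completed onboarding. The Status key and the service name come from Microsoft's onboarding troubleshooting guidance rather than from the article; the exit-code convention (0 = compliant, 1 = remediation needed) mirrors the .cmd script and is an assumption about how the RMM interprets results.

```powershell
# Added example, not from the original article: PowerShell equivalent of MDEDetection.cmd,
# extended with the Sense service state and the OnboardingState status value.
# Exit code 0 = MDE onboarded and running, 1 = remediation required (assumed RMM convention).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

$results = [ordered]@{}

# 1. OnboardingInfo blob written by WindowsDefenderATPOnboardingScript.cmd (same check as the .cmd script)
$onboardingInfo = $null
if (Test-Path -LiteralPath $policyKey) {
    $onboardingInfo = (Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue).OnboardingInfo
}
$results['OnboardingInfo present'] = -not [string]::IsNullOrEmpty($onboardingInfo)

# 2. OnboardingState = 1 is set by the Sense service after onboarding completes;
#    the policy value alone only proves the onboarding script ran, not that it succeeded
$onboardingState = $null
if (Test-Path -LiteralPath $statusKey) {
    $onboardingState = (Get-ItemProperty -LiteralPath $statusKey -ErrorAction SilentlyContinue).OnboardingState
}
$results['OnboardingState = 1'] = ($onboardingState -eq 1)

# 3. Sense service (Windows Defender Advanced Threat Protection Service) must be running
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
$results['Sense service running'] = ($null -ne $sense -and $sense.Status -eq 'Running')

# 4. MsSense.exe process, the process check from the .cmd script
$results['MsSense.exe running'] = ($null -ne (Get-Process -Name 'MsSense' -ErrorAction SilentlyContinue))

# Report every check so the RMM log shows which one failed, not just the overall result
foreach ($check in $results.GetEnumerator()) {
    $state = if ($check.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-24} {1}' -f $check.Key, $state)
}

if ($results.Values -contains $false) {
    Write-Output 'MDE detection failed; remediation required.'
    exit 1
}
Write-Output 'MDE detection passed.'
exit 0
```

Run it as the same account the RMM agent uses (normally SYSTEM) so that the HKLM reads and Get-Service behave as they will in deployment, and keep the per-check output: when a device reports OnboardingInfo present but OnboardingState = 0, the onboarding script ran but the Sense service never finished registering with the tenant, which is a connectivity problem rather than something re-running the onboarding package will fix.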

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.