Comprehensive guide for Windows MDE Single-Run RMM Script Creation: retrieving the MDE onboarding package from the Defender portal and creating the detection/remediation combo script for future RMM deployment.
Gather Windows MDE Local Package
- Navigate to the Endpoint Onboarding page of the Microsoft Defender portal. On that page, select the Operating System as Windows 10 and 11, the Connectivity Type as Streamlined, and the Deployment Method as Group Policy. The Group Policy package is used rather than the Local Script package because its script runs without the interactive confirmation prompt, which is what an unattended RMM deployment needs.
- Once the proper selections have been made, locate and select Download onboarding package. The GatewayWindowsDefenderATPOnboardingPackage.zip file will be saved to the Downloads folder of the user account.
- Extract the contents of the package; the extracted folder should contain a file named WindowsDefenderATPOnboardingScript.cmd. Treat this file as sensitive: it embeds your tenant's onboarding information, and anyone who can run it can onboard a device into your tenant.
Creating the Windows MDE Single-Run Script
- Open a text editor. This example uses Notepad++, but any editor that can create and save a file with an arbitrary extension will work.
- From the editor window, perform a Save As, since this script will be deployed through the RMM Single-Run Script feature covered in a separate article. For the file location, pick somewhere easily accessible such as the Downloads or Desktop folder, set the Save as type to All Types (*.*), and enter MDEOnboarding.cmd as the File name. Select Save to create the .cmd file in the chosen directory.
- After saving, copy the script in the table below and paste it into the text field of the editor window.
Onboarding Script
@echo off
setlocal
REM Detection: the MDE onboarding script writes OnboardingInfo under this policy key.
set "registryPath=HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
set "registryValueName=OnboardingInfo"
set "registryCheck=0"
set "processCheck=0"

:CheckRegistryValue
reg query "%registryPath%" /v "%registryValueName%" >nul 2>&1
if %ERRORLEVEL% equ 0 (
    echo The registry value exists.
    set "registryCheck=1"
) else (
    REM "if exist" only tests file system paths, so the key itself is probed with reg query.
    reg query "%registryPath%" >nul 2>&1
    if errorlevel 1 (
        echo The path to this value does not exist.
    ) else (
        echo The registry value name does not exist.
    )
)

:CheckATPProcess
REM MsSense.exe is the Defender for Endpoint sensor process hosted by the Sense service.
tasklist /fi "imagename eq MsSense.exe" 2>nul | find /I "MsSense.exe" >nul
if %ERRORLEVEL% equ 0 (
    echo Process is running.
    set "processCheck=1"
) else (
    echo Process is not running.
)

REM Exit 0 only when both checks pass; otherwise fall through to remediation.
if %registryCheck% equ 1 if %processCheck% equ 1 (
    echo Both checks passed.
    exit /b 0
)
echo One or both checks failed, starting remediation.

:Remediation
REM Replace this line with the full contents of the extracted WindowsDefenderATPOnboardingScript.cmd. Keep the endlocal line below so the setlocal scope is closed.
endlocal
- After pasting the contents from the table into the editor window, locate the placeholder comment line directly after the :Remediation label near the end of the script.
- From the text editor, perform an Open action to view the contents of the previously extracted WindowsDefenderATPOnboardingScript.cmd file.
- Copy the entire contents of the WindowsDefenderATPOnboardingScript.cmd window and paste them in place of that placeholder line in the MDEOnboarding.cmd window, leaving the endlocal line at the end intact.
- Once the placeholder has been replaced, the configured onboarding script is ready to be uploaded for the RMM Single-Run Script deployment. The onboarding script writes to HKLM and starts the Sense service, so the RMM must run it as SYSTEM or another administrator; running it under a standard user account will fail the onboarding step.
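The batch detection above only confirms that the policy value was written and that MsSense.exe is running; it does not confirm that the sensor actually completed onboarding. The following PowerShell check is an added example, not part of the original article or of the Microsoft onboarding package. It reproduces the two batch checks and adds the OnboardingState value that the Sense client writes under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status once onboarding succeeds (1 = onboarded). The function name Test-MdeOnboarded and the exit-code convention (0 = onboarded, 1 = remediation needed) are assumptions chosen here to match the batch script; the registry paths, the Sense service name and the MsSense process name are the documented MDE locations.

```powershell
# Added example: PowerShell onboarding check for MDE (not the article's or Microsoft's code).
# Registry paths and service/process names are the documented MDE locations.
# Function name and exit-code convention are assumptions made for this example.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Test-MdeOnboarded {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        OnboardingInfoPresent = $false   # policy value written by the onboarding script
        OnboardingState       = $null    # status value written by the Sense client (1 = onboarded)
        SenseService          = 'Missing'
        MsSenseRunning        = $false
    }

    # 1. Same value the batch script queries with reg query.
    $info = Get-ItemProperty -Path $policyKey -Name OnboardingInfo -ErrorAction SilentlyContinue
    $result.OnboardingInfoPresent = [bool]$info

    # 2. Written only after the sensor has successfully registered with the tenant.
    $state = Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue
    if ($state) { $result.OnboardingState = [int]$state.OnboardingState }

    # 3. The Sense service hosts MsSense.exe; report both the service state and the process.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseService = $svc.Status.ToString() }
    $result.MsSenseRunning = [bool](Get-Process -Name MsSense -ErrorAction SilentlyContinue)

    # All three signals must agree before the device is treated as onboarded.
    $result.Onboarded = $result.OnboardingInfoPresent -and
                        ($result.OnboardingState -eq 1) -and
                        $result.MsSenseRunning
    [pscustomobject]$result
}

$status = Test-MdeOnboarded
$status | Format-List

if ($status.Onboarded) {
    Write-Output 'Device is onboarded to MDE; no remediation required.'
    exit 0
}
Write-Output 'Device is not fully onboarded; run the onboarding package.'
exit 1
```

Run it elevated after the RMM deployment to confirm the result: a device where OnboardingInfo is present and MsSense.exe is running but OnboardingState is missing or 0 has received the package but has not yet registered with the tenant, which usually points at the sensor being unable to reach the Defender for Endpoint service URLs rather than at the script itself.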
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.