Hello everyone! In this blog I will explain how to onboard devices to Microsoft Defender for Endpoint (MDE) using a local script.
Deploying MDE is a two-step process:
1. Onboard devices to the service
2. Configure the capabilities of the service
There are different options to onboard devices to MDE; below are some of them:
Endpoint | Tool Options
--- | ---
Windows | Local Script (up to 10 devices), Group Policy, Microsoft Endpoint Manager / Mobile Device Management, Microsoft Endpoint Configuration Manager, VDI Scripts, Integration with Azure Defender
macOS | Local Script, Microsoft Endpoint Manager, JAMF Pro, Mobile Device Management
Linux Server | Local Script, Puppet, Ansible
iOS | Microsoft Endpoint Manager
Android | Microsoft Endpoint Manager
Please watch this short video for a quick overview.
Onboarding a Windows device using a local script
Microsoft recommends onboarding no more than 10 devices using the local script, so this is not the best method for larger deployments; that is why there are other onboarding methods, which we will cover in this blog and upcoming ones. Whichever onboarding method you use, you first need to download the configuration package from the MDE portal, so let's go back to the security center portal: Link
Step 1: Download the onboarding package from the MDE portal: navigate to Settings in the MDE portal and select Endpoints.
Step 2: On the Endpoints page, navigate to Device management and select Onboarding, then select the operating system and deployment method. For this walkthrough I have selected Windows Server 2022 and Local Script.
Step 3: Copy the downloaded onboarding package to the device you need to onboard and extract it.
Before we run the script, I will show you how to verify whether the device is already onboarded to MDE. You can check this from the registry values under the following path:
Registry path:
HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status
For now, you can see there are no values under the Status key. Once we complete onboarding the device, the registry values, including the onboarding state value, will be added.
Step 4: Run the script with administrator privileges.
Step 5: Type Y and press Enter to onboard the device to MDE.
Once the script has finished running, it will show the status as successfully onboarded.
Step 6: Verify the registry key as explained earlier: you can now see the onboarding state as 1, and the other fields have been added.
You can also see the onboarded device in the MDE portal.
Step 7: If you are onboarding the first device to MDE, you can run the detection test to confirm the device is reporting to MDE.
Run the detection test from an administrator command prompt.
You will see a new alert created under Incidents & alerts within 5 to 10 minutes.
You can also validate the onboarding status in Event Viewer and by checking that the respective services are in the running state.
To check in Event Viewer, open Event Viewer and search the Application log for WDATPOnboarding events, and check the Operational events under SENSE (you can find SENSE under Applications and Services Logs -> Microsoft -> Windows -> SENSE).
If the WDATPOnboarding event ID is 20, the device has onboarded successfully.
You can confirm by checking the status of the service in Task Manager or Services, from the command prompt, or with PowerShell.
In Task Manager, search for the service called MsSense; if the service is in the running state, the device is sending cyber data to MDE.
In Services, check whether the Windows Advanced Threat Protection service is running.
You can use CMD to check the service status; this will return the current state of the service:
sc query sense
You can use the following PowerShell command as well:
Get-Service -Name Sense
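To put the checks together, here is an added PowerShell example (not part of the original post) that performs the registry check from earlier in the post and the service and Event Viewer checks from this section in one run. It assumes the registry path, service name (Sense), event source (WDATPOnboarding, event ID 20) and SENSE log location quoted in the post, and assumes the value under the Status key is named OnboardingState; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: verify MDE onboarding on a Windows device.
# Assumptions: the Status registry key and Sense service named in the post, the value
# name OnboardingState under that key, the Application-log source WDATPOnboarding with
# event ID 20, and the log name Microsoft-Windows-SENSE/Operational for the SENSE channel.

function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        RegistryKeyPresent = $false
        OnboardingState    = $null      # expected 1 after a successful onboarding
        SenseService       = 'NotFound' # expected 'Running'
        OnboardingEvent20  = $false     # WDATPOnboarding event ID 20 seen in Application log
        SenseLogEvents     = 0          # number of recent events in the SENSE Operational log
    }

    # 1. Registry: before onboarding the Status key has no values; afterwards
    #    OnboardingState (assumed value name) is set to 1.
    if (Test-Path -Path $statusKey) {
        $result.RegistryKeyPresent = $true
        $props = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
        $result.OnboardingState = $props.OnboardingState
    }

    # 2. Service: the same check as "Get-Service -Name Sense", captured as a string.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseService = $svc.Status.ToString() }

    # 3. Application log: event ID 20 from the WDATPOnboarding source means the
    #    onboarding script completed successfully.
    $onboardEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'WDATPOnboarding'
        Id           = 20
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.OnboardingEvent20 = [bool]$onboardEvents

    # 4. SENSE Operational log: recent events show the sensor is active.
    $senseEvents = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
        -MaxEvents 50 -ErrorAction SilentlyContinue
    $result.SenseLogEvents = @($senseEvents).Count

    [pscustomobject]$result
}

function Test-MdeOnboarded {
    # A device counts as onboarded only when the registry says so AND the sensor is running.
    $s = Get-MdeOnboardingStatus
    return (($s.OnboardingState -eq 1) -and ($s.SenseService -eq 'Running'))
}

# Usage (elevated prompt): print all four checks, then a one-line verdict.
$status = Get-MdeOnboardingStatus
$status | Format-List
if (Test-MdeOnboarded) {
    Write-Host 'Device is onboarded to MDE and the Sense service is running.'
} else {
    Write-Warning 'Device is not onboarded, or the Sense service is not running. Re-check the steps above.'
}
```

Running this before Step 4 should show RegistryKeyPresent false (or OnboardingState empty) and SenseService not Running; after Step 6 the four fields should read 1, Running, True and a non-zero event count. Requiring both the registry value and the running service before reporting success avoids the false positive of a device whose onboarding script ran but whose sensor service has since stopped.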