It is time for part 3 of the ultimate Microsoft Defender for Endpoint (MDE) series. After part 2 (configuration MDE) we are now going to deep-dive more into the initial onboarding of Defender for Endpoint. In part 2 the question; how to configure Defender for Endpoint service settings is answered – view the previous part here.

Important: Defender AV/ Next Generation Protection onboarding is critical and part of the complete protection platform. All AV/ Next Generation Protection information will be explained more in-depth including migration from other AV/ Passive mode/ EDR block and more.

Introduction blog series

This ultimate blog series will contain as much information as possible based on my Defender experience in the past years. Other platforms like iOS, Android, Linux, and macOS will follow when it’s a success.

NOTE: Blog series is focussing on features in Microsoft Defender for Endpoint P2 all Microsoft Defender for Endpoint P1 features are available in P2.

Specific question or content idea part of Defender for Endpoint? Use the contact submission form and share the post ideas.


Prerequisites

Defender for Endpoint needs some prerequisites for correctly using the services. To avoid onboarding problems start with configuring the prerequisites and validate the configuration based on some machines.

View all prerequisites here: Minimum requirements for Microsoft Defender for Endpoint

Network

Internet connectivity on devices is required directly or through a system proxy. The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) for communication with the Defender for Endpoint service. Defender for Endpoint sensors runs in system context based on the LocalSystem account.

It is recommended to validate the service domains and confirm access to Defender for Endpoint service URL’s

The following downloadable spreadsheet lists the services and their associated URL that must be available for each endpoint. Confirm there are no firewalls or created network filtering rules blocking the URLs. Download the commercial spreadsheet here

The spreadsheet contains multiple geography URLs, open all URLs where the geography column is WW and the specific location where Defender data is located (data storage location) – View part 2 for more information.

Important: HTTPS scanning / SSL inspection is common in larger environments. When using HTTPS scanning make sure all URLs are excluded from the SSL inspection technique.

For devices with no direct internet connection, the use of a proxy solution is recommended. Previous it was possible to use MMA-based solutions and the OMS gateway. With the new modern Defender solution proxy is advised.

For Windows devices, see Configure device proxy and Internet connectivity settings

Diagtrack

Windows diagnostic data service must be enabled and configured in start_type: AUTO_START. Validating is possible using:

sc qc diagtrack

When not configured correctly use the following command to set the service to automatically start:

sc config diagtrack start=auto

Validating pre-requisites using Client Analyzer

The Client Analyzer can be used for validating the prerequisites. The Client Analyzer can run with or without Defender for Endpoint actively installed.

Download the client analyzer directly: https://aka.ms/mdeanalyzer

  • Unzip the download
  • Run MDEClientAnalyzer.cmd as admin
  • Open folder MDEClientAnalyzerResult

View the MDEClientAnalyzer.HTM file. When onboarded the results page shows more in-depth information including Organization ID/ Device ID/ SENSE ID and EDR information.

During the pre-onboarding, it is more interesting to view the MDEClientAnalyzer.txt file in the SysteminfoLogs folder for the details of the analyzer script execution. MDEClientAnalyzer.txt contains more in-depth information and the network test

More information: Run the client analyzer on Windows


Onboarding methods Defender for Endpoint

Microsoft Defender for Endpoint can be onboarded using multiple methods, which will be explained in this part of the series. For customers evaluating Defender for Endpoint the evaluation lab can be used for onboarding some machines and testing Defender for Endpoint.

The following tools can be used for Windows:

Onboard methods Windows
Local script (PowerShell)
Group Policy
Microsoft Endpoint Manager
Microsoft Endpoint Configuration Manager
VDI scripts
Onboarded using Defender for Cloud integration

Of course – sometimes customers use different platforms; most of the time the Group Policy script can be used easily via other deployment toolings like for example; Altiris, DesktopCentral, and Ansible for Windows.

Important; Announced August 3, 2022; Microsoft announced the following: Announcement Microsoft Defender for Endpoint for Servers removal from price list. There are upcoming changes to our server protection offering. Source. Based on the announcement it sounds Defender for Endpoint for Servers will be removed in the future – and the only way is to use Defender for Cloud for server onboardings.

Based on my own opinion, the advice is the following:

OSPlatformRecommended onboarding
Windows 10/11On-premisesMicrosoft Endpoint Manager
Windows 10/11 CloudMicrosoft Endpoint Manager
Windows Cloud PCCloudMicrosoft Endpoint Manager
Windows Server 2012R2/ 2016On-premisesDefender for Cloud integration using Azure Arc
Windows Server 2012R2/ 2016CloudDefender for Cloud integration
Windows Server 2019 and higherOn-premisesDefender for Cloud integration using Azure Arc
Windows Server 2019 and higherCloudDefender for Cloud integration

Personally; Microsoft Endpoint Manager and Defender for Cloud enable multiple modern features which enable directly modern management. When using still “legacy” methods like Group Policy it can be advised to use more modern solutions. Of course; sometimes there is no option to use Azure Arc/ Defender for Cloud / Microsoft Endpoint Manager where methods like Microsoft Endpoint Configuration Manager or Group Policy can be used. Common situations are based on Retail/ POS which are more strict for cloud-based solutions.

I often get the question; Defender for Cloud is more expensive in comparison with the Defender for Endpoint Server licensing? – It was more expensive some months ago and of course, enables more features (FIM, Adaptive network hardening, Qualys vulnerability assessment, Just-in-time VM access, and more. Currently there are two plans (Defender for Servers P1 and P2). Defender for Endpoint P1 is currently $5/Server/Month. The P1 $5 pricing makes it way more interesting for onboarding only Defender for Endpoint.

P2 plan:

P1 plan:

Note: Most of the available onboarding methods will be explained in the next parts more in-depth.


Difference in platform

Previously onboarding for Server 2012R2/ Server 2016 was only possible using the Microsoft Monitoring Agent. Currently, the new unified agent is available for Server 2012R2 and 2016. In comparison with Server 2019, the onboarding process was quite complex with the Microsoft Monitoring Agent. The MMA agent was required as the EDR sensor wasn’t built-in, for Server 2016 en Server 2012R2.

Tip: Always go for the new installer, do not use the Microsoft Monitoring Agent for Server 2012R2 and Server 2016.

Server 2016 is by default installed with Microsoft Defender Antivirus. For Server 2012R2 there was no installed AV by default, and you had to install System Center Endpoint Protection (SCEP). With the Microsoft Monitoring Agent and Defender AV/SCEP, there were still some missing protection features – like Attack Surface Reduction, Automated Investigation, Network Protection, and many more protection features. 

Currently in general availability is the new unified solution for Server 2012R2 and Server 2016. More information can be founded here: Install the new unified Microsoft Defender for Endpoint agent on Server 2012R2 and 2016  | Jeffreyappel.nl

The new agent makes the onboarding different for multiple OS versions:

OSEDR sensorPre-requisites
Windows 10/11 1607+Build-inNone
Windows Server 2012R2Part of installationUnified agent installed
Windows Server 2016Part of installationUnified agent installed
Windows Server 2019Build-inNone
Windows Server 2022Build-inNone

For Windows Server 2019+ and Windows 10 1607+, the EDR sensor is built-in and required only the Defender for Endpoint onboarding script deployed.


Where to download onboarding files?

From the Microsoft 365 Defender portal, it is possible to download the installation and onboarding files that are needed.

For downloading onboarding files go to Security.Microsoft.com -> Settings -> Endpoints -> Onboarding

The following deployment methods can be used:

  • Local
  • Group Policy
  • Microsoft Endpoint Configuration Manager current branch and later
  • Mobile Device Management / Microsoft Intune

Only when not using Defender for Cloud or Microsoft Endpoint Manager integrations it is required to download the onboarding files. Tip: When PowerShell is the only available options use always the Group Policy file (Local Script is not silent, and requires user input).

Note: Most of the available onboarding methods will be explained in the next parts more in-depth.


Onboard simulation machines using evaluation lab

Defender for Endpoint evaluation lab is a great feature that allows evaluating Defender for Endpoint without configuration or any manual additional onboarding. With the Evaluation lab, it is possible to onboard pre-created machines or onboard domain joined machines.

You can access the lab from the menu. In the navigation menu, select Evaluation and tutorials > Evaluation lab.

When accessing the evaluation lab for the first time within the Microsoft Defender ATP portal, you will see a welcome message. Click on Setup Lab to start setting up the lab environment. It can take some time before the environment is ready.

The test devices provided with the evaluation lab are only available for a limited duration, during the setup you have the option to configure devices for a specific set of devices/ available hours:

The setup is completed after some time and shows the option to add new devices using the button Add device

The following devices are currently available:

  • Windows 10
  • Windows 11
  • Windows Server 2019
  • Windows Server 2016
  • Linux Ubuntu Server

Pro-tip: When choosing Server 2019 it is possible to onboard the machine as a Domain Controller. When the domain controller has been provisioned – it is possible to join Windows 10/Windows 11 machines to the domain.

The following tools can be automatically included during the provisioning:

  • Java Runtime
  • Python
  • Office
  • Sysinternals

The following security components are pre-configured in the test devices:

  • Attack surface reduction
  • Block at first sight
  • Controlled folder access
  • Exploit protection
  • Network protection
  • Potentially unwanted application detection
  • Cloud-delivered protection
  • Microsoft Defender SmartScreen

During the provisioning of a device, the machine is provisioned within Azure in a dedicated network. You can run any attack or use the pre-created simulations. Part of the provisioning is the onboarding of Defender for Endpoint with some basic pre-configured settings. Name convention of the test machines: Testmachine(number).

Important; The password is only displayed once. Copy the password. Reset of the password is possible, it takes some time.

Defender shows the status: Setting up, it can take some time before the machine is correctly onboarded and provisioned (+- 15-30 minutes).

View the overview page for tracking the device allocation status.

After some time it is possible to connect using the RDP file and pre-created credentials.

Defender for Endpoint Device Inventory shows the device and all information. The experience is the same in comparison with normal onboarded devices. All MDE device actions can be used. Run Get-MpPreference on the machine for viewing the actual configuration. By default Cloud Protection is configured in High+ mode and ASR in audit mode.

When the machine is ready and the simulation agent is installed – it is time for running some simulations via the simulation gallery. Multiple simulations from AttackIQ and SafeBreach are available.


Troubleshooting during onboarding

When devices are not visible in the portal more in-depth troubleshooting is possibly needed. When encountering issues it is always recommended to validate the MDE requirements.

Onboarding information is visible in the registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

Two recommended steps:

  • Use MDEClientAnalyzer after onboarding to view connectivity/ sensor health/ service issues
  • View the SENSE event log: Applications and Services Logs > Microsoft > Windows > SENSE

View all event ID part of the SENSE service. View agent onboarding errors in the device event | Microsoft Doc


Devices in Defender for Endpoint

After the initial onboarding the device is visible in Defender for Endpoint with the status “onboarded”.

The device status can be used for validating the correct health state. The following device states are available in Defender for Endpoint.

StatusActionDescription
InactiveDevice isn’t in use for 7 daysDevice is going to inactive after 7 days no activity
InactiveDevice was reinstalled or renamedA new device entity is generated in Microsoft 365 Defender for reinstalled or renamed devices. Previous device entity remains in Defender for Endpoint.
InactiveDevice was offboardedAfter offboarding the health state should change to inactive. The device will still appear in the device overview.
InactiveDevice isn’t sending signalsIf the device isn’t sending any signals to any Microsoft Defender for Endpoint channels for more than seven days for any reason, a device can be considered inactive
Misconfigured Impaired communicationsLimit communication between device and Defender for Endpoint.
Misconfigured devicesNo sensor dataDevice with status ‘No sensor data’ has communication with the service but can only report partial sensor data.

Conclusion

Part3 of the Microsoft Defender for Endpoint series is completed – focussed on the initial Defender for Endpoint onboard. Stay tuned for the next parts; where more in-depth knowledge and experience will be shared around Defender for Endpoint focussing on all the components and additional settings.

Next time some smaller sub-parts focussing on the initial deployment for:

  • Onboarded using Defender for Cloud integration
  • Microsoft Endpoint Configuration Manager
  • Microsoft Endpoint Manager
  • Group Policy
  • Local script (PowerShell)

Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas or contact using Linkedin or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.

View previous part – Microsoft Defender for Endpoint series – Configure Defender for Endpoint – Part2


Sources

Microsoft: Defender for Endpoint documentation

Microsoft: Defender for Endpoint deployment guide

Microsoft: Configure device proxy and Internet connectivity settings