Microsoft Defender for Endpoint (MDE) Deployment and Configuration Steps with Security Policy Details

The following steps is only used for a selected environment to have a simplified deployments which is to target bringing MDE to all devices as fast as we can (in a week for 1k devices including windows, macOS, linux, servers, workstations, etc), also remove existing expired antimalware software, at the same time, has maximum possible security on the end point devices. 

The idea deployment will take 2-3 months with all thorough testing, planning and verifying. 

Background

Third Party Antivirus / Malicious program already deployed into all Workstations and Servers.

Microsoft Defender for Endpoints (P2) and Defender for Servers (P1) has been selected to replace this third party security software on all workstations (Windows and Mac) and all servers (Windows and Linux)

From Microsoft learn, https://learn.microsoft.com/en-us/defender-endpoint/mde-planning-guide,  the steps to deploy Defender for Endpoint are:

1. Step 1 - Set up Microsoft Defender for Endpoint deployment: This step focuses on getting your environment ready for deployment.
2. Step 2 - Assign roles and permissions: Identify and assign roles and permissions to view and manage Defender for Endpoint.
3. Step 3 - Identify your architecture and choose your deployment method: Identify your architecture and the deployment method that best suits your organization.
4. Step 4 - Onboard devices: Assess and onboard your devices to Defender for Endpoint.
5. Step 5 - Configure capabilities: You're now ready to configure Defender for Endpoint security capabilities to protect your devices.

Process related to MDE

High Level Deployment Steps for Workstation

1 Generating onboarding code

Onboard devices to Microsoft Defender for Endpoint using the onboarding configuration package that matches your preferred deployment method. For other device preparation instructions, read Onboard and set up.

Deployment methods:

• Group Policy

You can configure your devices using Group Policy.
For more information on how to configure and monitor Microsoft Defender for Endpoint devices see Configure devices using Group Policy section in the Microsoft Defender for Endpoint guide.

• Local Script (for up to 10 devices)

You can configure a single device by running a script locally.
Note: This script has been optimized for usage with a limited number of devices (1-10). To deploy at scale, please see other deployment options above.
For more information on how to configure and monitor Microsoft Defender for Endpoint devices, see Configure devices using a local script
section in the Microsoft Defender for Endpoint guide.

2 Deploy onboarding package (script) to all workstations 

It can be done phase by phase, starting from pilot machines, then departments by departments, or location by location.

Check MDE portal https://security.microsoft.com/ - Assets - Devices page to get the list of all machines and get the status of machines.

You can use Group Policy or third party deployment tools for your patching and software installation to deploy this script. 

3 If there is third party XDR software already installed on workstations, the MDE will run on passive mode.

Get-MpComputerStatus : Gets the status of antimalware software on the computer

PS C:\Users\User> get-mpcomputerstatus


AMEngineVersion                  : 1.1.25010.7
AMProductVersion                 : 4.18.24090.11
AMRunningMode                    : Normal
AMServiceEnabled                 : True
AMServiceVersion                 : 4.18.24090.11
AntispywareEnabled               : True
AntispywareSignatureAge          : 0
AntispywareSignatureLastUpdated  : 2/21/2025 11:24:41 AM
AntispywareSignatureVersion      : 1.423.36.0
AntivirusEnabled                 : True
AntivirusSignatureAge            : 0
AntivirusSignatureLastUpdated    : 2/21/2025 11:24:41 AM
AntivirusSignatureVersion        : 1.423.36.0
BehaviorMonitorEnabled           : True
ComputerID                       : C223A6B9-EE37-4983-B88D-09CC8C8BFA9F
ComputerState                    : 0
DefenderSignaturesOutOfDate      : False
DeviceControlDefaultEnforcement  :
DeviceControlPoliciesLastUpdated : 3/27/2023 10:12:31 AM
DeviceControlState               : Disabled

https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2025-ps
Get-MpComputerStatus gets the antimalware status of Defender AV. Use the command for validating the running mode. Check the following items:
AMRunningMode: Must be in normal mode for active Defender protection
AMProductVersion: Must be one of the latest released versions
AMServiceEnabled: Must be True
AntiSpywareEnabled: Must be True
BehaviorMonitorEnabled: Must be True
RealTimeProtectionEnabled: Must be True
IoavProtectionEnabled: Must be Tru

If the client is running MDE it will have processes like sensendr running
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status
+ I guess you could check for mssense.exe

4 After uninstalled third party XDR software, MDE will become active mode.

High Level Deployment Steps for Servers

1. MDE standard deployment

Microsoft article: Onboard Windows servers to the Microsoft Defender for Endpoint service

https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints?view=o365-worldwide

You need to complete the following general steps to successfully onboard servers.

Applies to:

• Microsoft Defender for Endpoint Server
• Microsoft Defender for Servers

Check the workflow in next section.

2.  Connect your non-azure machines to Microsoft Defender for Cloud with Defender for Endpoint

https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers

1. Connect AWS / GCP machines

2. Connect on-premises machines

3. Enable Defender for servers (Tenant level or Powershell script for assigned resources)

4. Take advantage of free data ingestion

5. Prepare for OS assessment (Defender for server plan 2)

6. Set up File Integrity monitoring (Defender for server plan 2)

This tenant-level setting allows you to automatically and natively onboard any non-Azure server running Defender for Endpoint to Defender for Cloud, without any extra agent deployments. This onboarding path is ideal for customers with mixed and hybrid server estate who wish to consolidate server protection under Defender for Servers.

Enabling direct onboarding is an opt-in setting at the tenant level. It affects both existing and new servers onboarded to Defender for Endpoint in the same Microsoft Entra tenant. Shortly after you enable this setting, your server devices will show under the designated subscription. 

1. Go to Defender for Cloud > Environment Settings > Direct onboarding.
2. Switch the Direct onboarding toggle to On.
3. Select the subscription you would like to use for servers onboarded directly with Defender for Endpoint.
4. Select Save.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint

Connect your non-azure machines to Microsoft defender for cloud

1. Connect on-premises machines by using Azure Arc
2. Connect on-premises machines by using the Azure portal
3. Microsoft Defender for Endpoint integration or agentless scanning

Pre-requirements

• Servers will not be onboarded if the windows defender AV component is not installed on the machine
• Defender AV is not disabled by GPO
• Make sure your server is having latest security updates
• Required URLs are whitelisted - https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx

To simplify server mgmt, use Azure Update Management Center. watch this playlist: https://www.youtube.com/playlist?list=PLboJ9yx0c_SUn_pQQrKfFUmk5mA0kC9MV

You might also want to configurare Azure Log Analytics and Antomation Account for Azure Arc and Update Management Center: 

https://www.youtube.com/watch?v=pSM1h29O_CQ&t=0s

1 Generate Azure Arc Script

2 Run Special PowerShell Script to Enable MDE 

Running Powershell script to enable defender for servers

https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Powershell%20scripts/Defender%20for%20Servers%20on%20resource%20level

3 Upload ResourceLevelPricingAtScale.ps1 into your cloud shell

Make sure use proper resource group or tag to enable MDE.

4 Put MDE in passive mode if you are using a third-party anti-malware solution.

You need to apply the following Microsoft Defender Antivirus passive mode setting. Verify that it was configured correctly: Set the following registry entry:

• Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
• Name: ForceDefenderPassiveMode
• Type: REG_DWORD
• Value: 1

5 Configure Defender Portal connect to Intune

Defender Settings

6 Configure Intune to Connect Windows Devices to Microsoft Defender for Endpoint

Intune - Endpoint Security - Setup - Microsoft Defender for Endpoints

7 Configure Antivirus and Expose Management Policy / Profiles in Intune

Workflow of Onboarding Servers 

This workflow is an example using onboarding script. If you are using Arc, it will be different in step 4.

1. Verify AV service installed and running on the machines

• sc query windefend
• sc qc windefend
• hostname 

2. Check the registries before onboarding

3. Check the event logs in the sense related folders

• sc qc sense
• sc query sense

the service is not running and no logs are in sense related folders

4. Run onboarding script

5. verify sense service is running

Offboard Windows Servers

You can offboard Windows Server 2012 R2, Windows Server 2016, Windows Server (SAC), Windows Server 2019, Windows Server 2019 Core edition, Windows Server 2022, and Windows Server 2025 (beginning in February 2025 and rolling out over the next several weeks) using the same method available for Windows 10 client devices.

• Offboard devices using Group Policy
• Offboard devices using Configuration Manager
• Offboard devices using Mobile Device Management tools
• Offboard devices using a local script

After offboarding, you can proceed to uninstall the unified solution package on Windows Server 2016 and Windows Server 2012 R2.

For other Windows server versions, you have two options to offboard Windows servers from the service:

• Uninstall the MMA agent
• Remove the Defender for Endpoint workspace configuration

Offboarding devices is a potential solution. This sounds interesting at first, but it won’t work in our case.

Two different ways exist to offboard devices:

• Locally, by running an offboarding script on a device (supported for macOS, Linux, and Windows (Server)).
• Through the offboarding API (supported for Windows 10 and Windows Server 2019).

It is important to understand that offboarding a device does not remove a device from the inventory. Instead, the device switches to an ‘inactive’ state 7 days after offboarding. This means that offboarding is not an efficient way to manage reimaged/repurposed devices.

The main goal of offboarding is to sever the connection between Microsoft Defender and the device. This is useful in several scenarios, including:

• A device encounters compatibility issues because the scanning process impacts performance and the standard operation of the server or legitimate processes are being blocked
• You are moving away from Microsoft Defender to a different EDR solution.
• The device is no longer in scope.

The last scenario is something I regularly encounter with customers: by accident, the customer onboarded personal devices into Microsoft Defender for Endpoint due to a misconfiguration. By using the offboarding API, I could block the device from sending data to Microsoft 365 Defender by moving it out of scope for the company. So offboarding devices do have a use case, but it is not a solution for managing inactive devices

Security Policies for Windows Workstation

 Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn

Intune - Endpoint Security -  Manage - AntiVirus

Security Policies for Windows Servers

 

Configuration Setttings:

Intune - Endpoint Security -  Manage - Attack surface reduction

Security Policies for Mac

 

Security Policies for Linux

 

• Linux servers onboarded through Microsoft Defender for Cloud have their initial configuration set to run Defender Antivirus in passive mode.

Microsoft Defender for Endpoint client analyzer

 

1. The latest stable edition is available for download from following URL: https://aka.ms/MDEAnalyzer
2. The latest preview edition is available for download from following URL: https://aka.ms/MDEClientAnalyzerPreview

3. The latest stable edition will be integrated into the MDE for Endpoint agent. Ensure that you are running the latest edition for either macOS or Linux.

4. The latest preview edition is available for direct download from following URL: https://aka.ms/XMDEClientAnalyzer

MDE VDI Deployments

 https://learn.microsoft.com/en-us/defender-endpoint/configure-endpoints-vdi

Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR

1. Open the VDI configuration package file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard. You can also get the package from the Microsoft Defender portal.

   1. In the navigation pane, select Settings > Endpoints > Device management > Onboarding.

   2. Select the operating system.

   3. In the Deployment method field, select VDI onboarding scripts for non-persistent endpoints.

   4. Select Download package and save the file.

2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the zipped folder into the golden/primary image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup. (The folder will be generated by local group policy from next step, if the folder is not presented in the system)

   • If you're implementing multiple entries for each device - one for each session, copy WindowsDefenderATPOnboardingScript.cmd.

   • If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.

3. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows Settings > Scripts > Startup.

    Note

   Domain Group Policy may also be used for onboarding non-persistent VDI devices.

4. Depending on the method you'd like to implement, follow the appropriate steps:

   Method	Steps
   Single entry for each device	1. Select the PowerShell Scripts tab, then select Add (Windows Explorer opens directly in the path where you copied the onboarding script earlier). 2. Navigate to onboarding PowerShell script Onboard-NonPersistentMachine.ps1. There's no need to specify the other file, as it's triggered automatically.
   Multiple entries for each device	1. Select the Scripts tab, then select Add (Windows Explorer opens directly in the path where you copied the onboarding script earlier). 2. Navigate to the onboarding bash script WindowsDefenderATPOnboardingScript.cmd.

5. Test your solution

For VDI Master image, it will not be onboarded into MDE portal. To avoid it to be onboarded, following scrip will check the hostname of machines before run VDI start up script. 

Write-Host "INFO: Checking hostname against a list of known master images... Please wait..."

# Get the current hostname
$CURRENT_HOSTNAME = (hostname)

# Define the target hostnames
$TARGET_HOSTNAMES = @("example1", "example2", "example3", "example4", "MDLT2")

Write-Host "INFO: Current hostname is $CURRENT_HOSTNAME"
Write-Host "INFO: Target hostnames are $($TARGET_HOSTNAMES -join ', ')"

# Initialize a flag to indicate if a match is found
$MATCH_FOUND = $false

# Check if the current hostname matches any of the target hostnames
foreach ($TARGET_HOSTNAME in $TARGET_HOSTNAMES) {
    if ($CURRENT_HOSTNAME -eq $TARGET_HOSTNAME) {
        $MATCH_FOUND = $true
        Write-Host "INFO: Hostname matches one of the target hostnames"
        Write-Host "WARNING: This machine is a master image... Exiting..."
        exit
    }
}

if (-not $MATCH_FOUND) {
    Write-Host "INFO: Hostname does not match any of the target hostnames"
    $script = $PSScriptRoot+"\Onboard-NonPersistentMachine.ps1"
    & $script
}

For 

For Windows 2012 R2 and Windows 2016, the onboarding script for VDI master image will be modified with :

@echo off
echo INFO: Checking hostname against a list of known master images... Please wait... 
for /f "tokens=*" %%i in ('hostname') do set CURRENT_HOSTNAME=%%i
set TARGET_HOSTNAMES=example1 exampl2 example3 exampel4
echo INFO: Current hostname is %CURRENT_HOSTNAME%
echo INFO: Target hostnames are %TARGET_HOSTNAMES%
set MATCH_FOUND=false
for %%h in (%TARGET_HOSTNAMES%) do (
    if "%CURRENT_HOSTNAME%"=="%%h" (
        set MATCH_FOUND=true
echo INFO: Hostname matches one of the target hostnames
echo WARNING: This machine is a master image... Exiting...
exit        
    )
)

echo This script is for onboarding machines to the Microsoft Defender for Endpoint services, including security and compliance products.

echo Once completed, the machine should light up in the portal within 5-30 minutes, depending on this machine's Internet connectivity availability and machine power state (plugged in vs. battery powered).

echo IMPORTANT: This script is optimized for onboarding a single machine and should not be used for large scale deployment.

echo For more information on large scale deployment, please consult the MDE documentation (links available in the MDE portal under the endpoint onboarding section).

echo.

:USER_CONSENT

...

...(omitted)

RBAC

 4 Steps:

1. Create Azure AD User Groups

2. Configure MDE RBAC

3. Create Device Tags

4. Create Device Groups

Check List Sample:

Device Groups / User Groups

Many users ask when to use user groups and when to use device groups. The answer depends on your goal. Here's some guidance to get you started.

Device groups

If you want to apply settings on a device, regardless of who's signed in, then assign your policies to a devices group. Settings applied to device groups always go with the device, not the user.

For example:

• Device groups are useful for managing devices that don't have a dedicated user. For example, you have devices that print tickets, scan inventory, are shared by shift workers, are assigned to a specific warehouse, and so on. Put these devices in a devices group, and assign your policies to this devices group.

• You create a Device Firmware Configuration Interface (DFCI) Intune profile that updates settings in the BIOS. For example, you configure this policy to disable the device camera, or lock down the boot options to prevent users from booting up another OS. This policy is a good scenario to assign to a devices group.

• On some specific Windows devices, you always want to control some Microsoft Edge settings, regardless of who's using the device. For example, you want to block all downloads, limit all cookies to the current browsing session, and delete the browsing history. For this scenario, put these specific Windows devices in a devices group. Then, create an Administrative Template in Intune, add these device settings, and then assign this policy to the devices group.

To summarize, use device groups when you don't care who's signed in on the device, or if anyone signs in. You want your settings to always be on the device.

User groups

Policy settings applied to user groups always go with the user, and go with the user when signed in to their many devices. It's normal for users to have many devices, such as a Surface Pro for work, and a personal iOS/iPadOS device. And, it's normal for a person to access email and other organization resources from these devices.

If a user has multiple devices on the same platform, then you can use filters on the group assignment. For example, a user has a personal iOS/iPadOS device, and an organization-owned iOS/iPadOS. When you assign a policy for that user, you can use filters to target only the organization-owned device.

Follow this general rule: If a feature belongs to a user, such as email or user certificates, then assign to user groups.

For example:

• You want to put a Help Desk icon for all users on all their devices. In this scenario, put these users in a users group, and assign your Help Desk icon policy to this users group.

• A user receives a new organization-owned device. The user signs in to the device with their domain account. The device is automatically registered in Microsoft Entra ID, and automatically managed by Intune. This policy is a good scenario to assign to a users group.

• Whenever a user signs in to a device, you want to control features in apps, such as OneDrive or Office. In this scenario, assign your OneDrive or Office policy settings to a users group.

  For example, you want to block untrusted ActiveX controls in your Office apps. You can create an Administrative Template in Intune, configure this setting, and then assign this policy to a users group.

To summarize, use user groups when you want your settings and rules to always go with the user, whatever device they use.

Sample Device Groups:

Create Custom Role:

Permissions:

Roles for Endpoints, Defender XDR, and Cloud Apps

Tags

 

https://www.matej.guru/p/microsoft-defender-for-endpoint-script?utm_source=publication-search

Here's an example of how to add a TAG to devices using the onboarding script:

1. Open the onboarding script file in a text editor

2. Locate the :SCRIPT_START section

3. Add a command to assign a TAG to the device. For instance, if we want to assign a TAG "Workgroup", we can use the following command:

REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v Group /t REG_SZ /f /d "Workgroup" >NUL 2>&1

By incorporating a command to assign TAGs within the onboarding script, we can streamline the process and automatically categorize the devices during onboarding.



Device Group and Device Tag Check List Sample:

Tagging through Group Policy

Tagging through Defender Portal - Settings - XDR - Rules - Asset Rule Mgmt

Web Content Filtering

 

References

• Firewall settings: https://aka.ms/MDE-streamlined-urls
• Enforcement Scope Documentation (This is what we will use to facilitate the configuration of MDE using Intune): Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn
• Defender for Servers: Select a Defender for Servers plan in Microsoft Defender for Cloud - Microsoft Defender for Cloud | Microsoft Learn
• Generating an onboarding script: Onboard Windows devices using a local script - Microsoft Defender for Endpoint | Microsoft Learn
• Azure Arc: Quickstart - Connect hybrid machine with Azure Arc-enabled servers - Azure Arc | Microsoft Learn