How to onboard Defender via userdata scripts?

Byron Liu 0 Reputation points
2024-06-27T05:15:24.6066667+00:00

I am trying to onboard defender to windows servers.

By following onboarding steps 1 to 4 in this doco, I was able to onboard defender to windows servers manually. However, we are using userdata powershell scripts for our windows server. I need to put all the steps into the scripts so when a new server is launched, defender will be onboarded automatically. I couldn't find the proper commands in any doco.

Could you please if it's possible to put those steps into powershell commands? If so, could you please advise the commands?

Thanks.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,573 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,262 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,289 questions
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint Training
Microsoft Defender for Endpoint: A Microsoft unified security platform for preventative protection, postbreach detection, and automated investigation and response. Previously known as Microsoft Defender Advanced Threat Protection.Training: Instruction to develop new skills.
28 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andrew Blumhardt 9,841 Reputation points Microsoft Employee
    2024-06-28T12:45:03.19+00:00

    Those instructions are as for non-persistent virtual desktops, meaning virtual desktops that are reimaged on a regular basis. This is a special process that allows a device to be reimaged repeatedly while retaining the same device ID. Ordinarily, all devices get a new ID when onboarding, even if they have the same name. Without this control, these devices all get loaded with the device ID of the host which is extremely problematic.

    There are several onboarding options for servers that should be considered instead. https://learn.microsoft.com/en-us/defender-endpoint/onboard-windows-server

    1. Most common is Defender for Servers, which onboards servers to MDE automatically.
    2. GPO for domain joined servers.
    3. I am seeing more and more using Settings Management (formerly MDE Attach) https://learn.microsoft.com/en-us/defender-endpoint/mde-security-settings-management
    4. You also have MECM and local script which are less common. The later only used in testing.

    Point being that there are many well tested methods for deploying MDE automatically without resorting to some form of custom script. You should try to use one of these options instead. This will also reduce confusion as other employees and consultants take responsibility for onboarding in the future. They are more likely to recognize one of these standard methods.