Run a detection test on a newly onboarded Microsoft Defender for Endpoint device

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

When you add a device to the Microsoft Defender for Endpoint service for management, this is also called onboarding devices. Onboarding allows devices to report signals about their health status to the service.

Making sure, or verifying, that a device has been added to the service successfully is a critical step in the entire deployment process. It assures that all the devices expected are being managed.

Verify Microsoft Defender for Endpoint onboarding of a device using a PowerShell detection test

Run the following PowerShell script on a newly onboarded device to verify that it's properly reporting to the Defender for Endpoint service.

  1. Open an elevated command-line prompt on the device and run the script:

    1. Go to Start and type cmd.

    2. Right-click Command Prompt and select Run as administrator.

      The Start menu pointing to Run as administrator

  2. At the prompt, copy and run the following command:

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

The Command Prompt window closes automatically. If successful, a new alert appears in the portal for the onboarded device in about 10 minutes.


You can also use the EICAR test string to perform this test. Create a text file, paste the EICAR line, and save the file as an executable file to your endpoint's local drive. You will receive a test endpoint notification and an alert in the Microsoft 365 Defender portal.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.