Microsoft Defender Recipe (Win)

Description

Example recipe for ~~deploying~~onboarding Windows devices to Microsoft ~~Defender.~~Defender for Endpoint by running Microsoft's local onboarding script through a FileWave Fileset.

Scope check: Microsoft documents the local script method for testing and small deployments, currently up to 10 devices. Before using this recipe for a broader production rollout, confirm Microsoft's current recommended deployment method for your tenant.

Ingredients

On Windows ~~devices~~devices, ~~this~~the isrecipe ~~relatively~~needs ~~straight~~two ~~forward. Just a couple of items required:~~pieces:

~~Deployment~~Microsoft ~~Script:~~Defender ~~WindowsDefenderATPLocalOnboardingScript.bat~~for Endpoint onboarding package for Windows, downloaded from the Microsoft Defender portal.
~~Below~~The ~~provided~~example FileWave Fileset attached below.

Downloads:

Microsoft Defender Installer/Uninstaller Filesets

~~See~~Import ~~below~~the ~~directions~~example ~~for~~Fileset ~~deployment~~first, ~~before~~but ~~associating~~do not associate it with ~~devices.~~production devices until you have replaced the placeholder script with the tenant-specific Microsoft script and tested the result.

~~Microsoft Defender deployment script is available through the M365 Defender portal;~~ ~~details in~~In the Microsoft ~~Deployment~~Defender KBportal, go to System > Settings > Endpoints > Device management > Onboarding. Select Windows 10 and 11 and the local script deployment method, then download the onboarding package. Microsoft documents the current Windows onboarding flow here: Onboard Windows client devices to Microsoft Defender for Endpoint:. Microsoft also documents the local script method here: Onboard devices using a local script.

The ~~'WindowsDefenderATPLocalOnboardingScript.bat'~~Microsoft-generated isonboarding ~~built~~script bycontains ~~Microsoft~~tenant-specific ~~with~~onboarding ~~the~~data. ~~appropriate~~Treat ~~licence~~it ~~code~~as ~~embedded~~tenant-specific ~~into~~configuration; ~~the~~do ~~script,~~not ~~such~~reuse ~~that~~it ~~the~~across ~~download~~tenants isor ~~personal~~paste toa ~~the~~script ~~logged~~generated infrom ~~account,~~another ~~when~~customer ~~downloading.~~account.

ItThe tenant-specific data can be seen in the script ~~from~~near the ~~line~~OnboardingInfo ~~commencing~~registry asvalue, ~~below:~~for example:

REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v OnboardingInfo /t REG_SZ /f /d "{\"body\":\"{\\\"previousOrgIds\\\":[],\\\"orgId\\\":\\\"

Directions

Download the example Fileset and import it into ~~FileWave~~FileWave.

Script: WindowsDefenderATPLocalOnboardingScript.bat

~~Edit~~

In the ~~text~~imported ofFileset, edit the ~~provided~~placeholder 'script file. Microsoft currently provides the local onboarding script in the downloaded ZIP package as WindowsDefenderATPLocalOnboardingScript.bat'cmd. ~~file~~If ~~within~~the example Fileset uses a .bat placeholder, paste the Microsoft-generated script contents into that placeholder and keep the Fileset ~~and~~execution ~~paste~~settings inpointed ~~a copy of~~at the ~~script~~same ~~contents~~file. ~~downloaded from Microsoft:~~

Assign to Devicesdevices

~~By way of either a 'Deployment' or 'Association' within FileWave, assign~~Assign the Fileset to ~~one~~a orsmall ~~more~~test group first, preferably by using a Deployment for new workflows. Associations can still be used where appropriate. Update the Model, let the test devices check in, and ~~once~~confirm ~~happy~~the ~~expand~~devices appear correctly in the Microsoft Defender portal before expanding the scope.

If you adapt this torecipe ~~more~~for ~~devices.~~offboarding, download a fresh offboarding package from Microsoft when needed. Microsoft states that local offboarding packages expire seven days after download.