Workgroup Joined Device Enrollment to MDE Defender for Endpoint

Let’s look at workgroup-joined device enrollment to Microsoft Defender for Endpoint (MDE), a new capability Microsoft developed for the many business situations in which some devices do not meet the prerequisites for Intune enrollment.

Microsoft is developing a new architecture in which workgroup-joined Windows devices are also eligible for MDE onboarding. Previously, Microsoft required a hybrid Azure AD join or an Azure AD join before a device could be enrolled. With the new architecture, the onboarding prerequisites have been simplified. This is also known as MDE attach.

We have an article highlighting how to Enable New MDE Security Settings Management Experience. A security policy is the backbone of an organization’s protection strategy, embodying clear, comprehensive plans, rules, and practices. Another article highlights the Latest MDE Architecture Changes to Enhance the Onboarding Experience and explores two interesting Microsoft Defender for Endpoint (MDE) aspects.

In this article, we will walk you through onboarding a workgroup-joined Windows device. We’ll also explore how the device record is displayed across the various portals, highlighting the differences in each interface. With this recent advancement, you can manage workgroup-joined Windows devices, Linux servers, and macOS devices directly through MDE.


How to Onboard Workgroup Joint Devices to MDE?


These scenarios exclude hybrid Azure AD join and Azure AD join and do not require Intune enrollment. The focus is on workgroup-joined devices. We’ll explore the onboarding process for Windows devices using a local script and examine how long it takes for the outcome to be visible in the MDE portal.

Workgroup Joined Device Enrollment to MDE Defender for Endpoint

The video gives a comprehensive overview of the process for onboarding workgroup-joined devices to MDE. It also includes a demo showing how to onboard a device using the script, the challenges of using the script, the detection method for confirming whether the device was onboarded, and a check of all four portals where the device record becomes available. We also discuss the new architecture, the communication flow, and related topics.

Workgroup Joined Device Enrollment to MDE Defender for Endpoint – Video 1

Unified Endpoint Security Management Experience

This is the new enhancement Microsoft introduced for Defender for Endpoint that helps you efficiently manage Linux servers and Windows 10, Windows 11, and macOS devices without enrolling them in Intune or Configuration Manager.

  • A previous video covered the enhancements in MDE onboarding, highlighting how enabling MDE security settings management offers a seamless activation process within your MDE portal.
  • This lets you effectively oversee a range of devices, including Windows servers, Linux servers, and Windows 10 and Windows 11 devices, regardless of whether they are workgroup joined, domain joined, or Azure AD joined.
Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.1 - Creds to MS

Latest MDE Architecture Flow and Schema Diagram

This is the high-level architecture diagram shared by Microsoft. Once a device is onboarded to MDE, it seamlessly reports to Microsoft Endpoint Manager (MEM). Previously known as Intune, MEM is the central hub for managing devices and their security settings. If the device is not registered in Azure AD conventionally, it undergoes synthetic registration.

Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.2 - Creds to MS

MDE Only Enrollment – Additional Prerequisites

When a domain-joined device creates trust with Azure Active Directory, this scenario is called a Hybrid Azure Active Directory join scenario. Security settings management fully supports this scenario with the following requirements.

Active Directory Requirements

  • Azure Active Directory Connect (Azure AD Connect) must be synchronized to the tenant used by Microsoft Defender for Endpoint.
  • Hybrid Azure Active Directory Join must be configured in your environment (either through Federation or Azure AD Connect Sync).
  • Azure AD Connect Sync must include the device objects in scope for synchronization with Azure Active Directory (when needed for join).
  • Azure AD Connect rules for sync must be modified for Server 2012 R2 (when support for Server 2012 R2 is needed).
  • All devices must register in the Azure Active Directory of the tenant that hosts Microsoft Defender for Endpoint; cross-tenant scenarios aren’t supported.
Workgroup Joined Device Enrollment to MDE Defender for Endpoint – Table 1
Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.3

How to Download the Onboarding Package

Open the Microsoft 365 Defender portal at security.microsoft.com and sign in with your admin account. Select the Settings tab on the left side of Microsoft 365 Defender. Within the “Settings” section, select “Endpoints”.

  • Select the Onboarding option under Device Management in Endpoints.
  • In the Onboarding tab, select Local Script. The Local Script option is intended for a single device. If you have more than one device, it is better to use Group Policy or another deployment method to onboard those devices to MDE.
  • With Local Script selected in the Onboarding tab, click the “Download onboarding package” button shown in the window below.
Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.4

Once you have clicked the “Download onboarding package” button, a CMD file is downloaded. You can inspect its contents by right-clicking the file and selecting “Edit” from the context menu.

Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.5

If you open the CMD file for editing, you’ll find that all the details are readily visible in the Notepad window below, and the file can be edited directly from Notepad.

Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.6

WindowsDefenderATPLocalOnboardingScript

Open an administrator Command Prompt and run the script. We run it on the Windows device to onboard it to MDE without enrolling it in Intune. After the script starts, we get the message, “This script is for onboarding machines to the Microsoft Defender for Endpoint services, including security and compliance products. Once completed, the machine should light up in the portal within 5-30 minutes, depending on this machine’s internet connectivity availability and machine power state (plugged in vs. battery powered).”

WindowsDefenderATPLocalOnboardingScript.cmd

IMPORTANT: This script is optimized for onboarding a single machine and should not be used for large-scale deployment. For more information on large-scale deployment, please consult the MDE documentation (links available in the MDE portal under the endpoint onboarding section).

  • Press (Y) to confirm and continue or (N) to cancel and exit: Y
  • Starting Microsoft Defender for the Endpoint Onboarding process
  • Testing administrator privileges
  • The script is running with sufficient privileges
  • Performing onboarding operations
  • Starting the service, if not already running
  • Finished performing onboarding operations
  • waiting for the service to start
  • Successfully onboarded machine to Microsoft Defender for Endpoint
Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.7

Run a Detection Test

Let’s try the second step, “Run a detection test”. It helps you verify that the device is properly onboarded and reporting to the service: run the detection script on the newly onboarded device.

  • Open a Command Prompt window.
  • At the prompt, copy and run the command below. The Command Prompt window will close automatically.

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'

Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.8

Copy the command from the window above, open a Command Prompt window, and run it. This PowerShell command checks whether the MDE onboarding has completed. If the prompt simply disappears, the onboarding completed successfully.
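
As an added example (not part of the original article or of Microsoft’s onboarding package), the following PowerShell function performs a local onboarding check you can run alongside the detection test above while waiting for the device to light up in the portal. It assumes the standard MDE Sense service name and the Status registry key on a Windows 10/11 device, and an elevated PowerShell session.

```powershell
# Added example: local check of MDE onboarding state on a Windows device.
# Assumes the standard Sense service and the Status registry key; run elevated.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        SenseServiceStatus = 'NotInstalled'
        OnboardingState    = $null
        OrgId              = $null
        JoinState          = ''
        Onboarded          = $false
    }

    # The Sense service (Windows Defender Advanced Threat Protection Service)
    # is the component that reports to MDE; the onboarding script starts it.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseServiceStatus = $svc.Status.ToString() }

    # OnboardingState is set to 1 once onboarding has completed; OrgId (if
    # present) identifies the tenant the device was onboarded to.
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($status) {
        $result.OnboardingState = $status.OnboardingState
        $result.OrgId           = $status.OrgId
    }

    # Join state, to confirm the workgroup scenario described in the article
    # (AzureAdJoined : NO and DomainJoined : NO means workgroup joined).
    $join = dsregcmd /status 2>$null | Select-String 'AzureAdJoined|DomainJoined'
    $result.JoinState = ($join | ForEach-Object { $_.Line.Trim() }) -join '; '

    $result.Onboarded = ($result.SenseServiceStatus -eq 'Running') -and ($result.OnboardingState -eq 1)
    [pscustomobject]$result
}

$state = Test-MdeOnboarding
$state | Format-List

if (-not $state.Onboarded) {
    Write-Warning 'Device does not look onboarded yet: check the Sense service and re-run the onboarding script from an administrator prompt.'
}
```

A device that passes this local check can still take the 5-30 minutes mentioned by the script to appear in the portal, so use it to rule out a failed script run rather than as proof the portal record exists.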

Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.9

Let’s return to the Defender portal and check whether the device exists. Select the Devices option under Assets. In the Device inventory, you can see the total number of devices is 2, and mdetestvm is now one of the onboarded devices. The table below shows all the details recorded for mdetestvm.

  • Name: mdetestvm
  • Domain: Workgroup
  • Risk level: Medium
  • OS platform: Windows 11
  • Windows Version: 22H2
  • Onboarding Status: Onboarded
  • Sensor health state: Active
  • Last device update: July 21, 2023 12:26 AM
  • Managed by: MDE
Workgroup Joined Device Enrollment to MDE Defender for Endpoint – Table 2
Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.10

Let’s go to the Microsoft 365 Defender portal. Select the All Devices tab under Assets on the right side of Microsoft 365 Defender. Search for the mdetestvm device; its page shows a menu with Overview, Incidents and Alerts, Timeline, Security recommendations, Security policies, Software inventory, and so on.

Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.11

In the mdetestvm window, you can see the three dots (more options) on the right. Click them to show a set of options. The Policy sync option is enabled for this particular device because the device is managed by MDE.

Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.12

Microsoft Entra Admin Center

Now, navigate to the Entra portal and look at the complete device list. Access the Entra portal by visiting Entra.microsoft.com, which is the Azure AD portal. Once there, on the right side of the Entra admin center, click the “All Devices” tab under the “Identity” section. This lets us explore the comprehensive device inventory within the Entra platform.

Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.13

Microsoft Intune Admin Center

Let’s go to the Intune admin center portal and check the available devices. The MDETestVM device is listed, and it is managed by MDE. The table below shows the details recorded for the device in the Intune portal.

  • Device Name: MDETestVM
  • Managed by: MDE
  • OS: Windows
  • OS Version: 10.0.22621.1992
Workgroup Joined Device Enrollment to MDE Defender for Endpoint – Table 3
Workgroup Joined Device Enrollment to MDE Defender for Endpoint - fig.14

Author

About the author: Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing on Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.

1 thought on “Workgroup Joined Device Enrollment to MDE Defender for Endpoint”

  1. Great article. However, Microsoft announced last year that they were going to keep it as Intune instead of MEM.
