Summary
With the continued expansion of Microsoft's cloud-native Microsoft 365 offerings, combined with the turbulence of the modern cybersecurity landscape, visibility, vulnerability management and security control at the endpoint have become paramount.
Of the tools created for or adapted to this purpose, Microsoft Defender for Endpoint has quickly grown into a widely cited "gold standard" solution, regularly placed among the Leaders in the Gartner Magic Quadrant.
A pain point that surfaces during adoption is having an accessible, reportable way to confirm that every device is actually covered. Below, we'll walk through using the Automox Worklets module to ensure all Windows devices are onboarded to the Defender for Endpoint platform.
Prerequisites
Before beginning this process, please ensure the following conditions are satisfied:
- You have a live or development Microsoft 365 tenant with the requisite licensing for Defender for Endpoint
- See M365 Maps for a detailed comparison of the licenses that satisfy this requirement
- You can validate your Defender for Endpoint services are live by heading to the Microsoft 365 Defender portal and checking for the existence of an "Endpoints" option within the "Settings" menu
- You have a Microsoft 365 account with the permissions required to view the Onboarding and Offboarding settings sections and download the respective packages
- The Security Operator role is sufficient for this purpose
- All devices you wish to target for Defender onboarding have an Automox agent installed
- At this time, only Windows 10, Windows 11 and Windows Server operating systems are supported; Linux and macOS support is in development
Deploying the Worklet
Obtaining the Payload
To onboard devices to Defender for Endpoint, Microsoft provides a "local onboarding" script package. This package contains an organization ID unique to your Microsoft 365 tenant, along with certificate material used to validate communications with the Microsoft 365 cloud during onboarding. Treat the package as sensitive: anyone holding it can onboard a device into your tenant. To get this data to our Worklet, we'll deliver it as a "payload".
- Head to the Microsoft 365 Defender admin portal
- From the left-hand menu, select Settings
- From the Settings menu, select the Endpoints link
- Scroll down in the left-hand Settings menu and select Onboarding under the Device management header
- Ensure the Select operating system... dropdown is set to Windows 10 and 11 and the Deployment method dropdown is set to Local Script (for up to 10 devices), then select Download onboarding package
- NOTE: this method is labelled "for up to 10 devices", but that limit can safely be disregarded here.
- Microsoft steers customers toward the SCCM or Group Policy deployment options for larger deployments because those offer more robust mechanisms to validate and monitor the rollout; Automox's Worklet capability satisfies that need.
- For our Worklet, we only need this package to obtain your unique tenant information; the script inside it will not be run.
- The zip file required for device onboarding will begin downloading. Be sure not to rename it, as the Worklet references the default download name (WindowsDefenderATPOnboardingPackage.zip).
Creating the Policy
To apply this Worklet to our organization, we'll create a policy where we can add the payload we downloaded in the previous section.
- Head to the Automox console and log in with an account holding either the Zone Operator role (if targeting a single zone) or the Global Administrator role (if applying to the entire organization).
- From the navigation bar, select Manage > Worklet Catalog
- In the Search bar, enter Defender and hit Enter. From the results, find the Windows - Security - Windows Defender for Endpoint Onboarding Worklet, select the ellipsis (...) button to its right, then Create Policy
- On the right-hand side of the Create worklet wizard, select + Associate Groups and tick any groups this policy should apply to.
- Scroll down to the Payload section, just below the Remediation Code panel, and select Upload File
- Navigate to and select the zip file downloaded in the previous section. When the upload completes, a grey tile indicates your payload has been uploaded.
- Configure the remaining schedule settings to your preference and select Create Policy when finished.
- NOTE: after a device successfully completes a run of this Worklet, it can take 5 to 30 minutes for the device to become visible in the Microsoft 365 Defender portal.
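Rather than waiting up to half an hour for the portal to catch up, you can confirm onboarding on the device itself. The PowerShell below is an added example, not the Automox Worklet's own code and not anything shipped in Microsoft's package. It checks the Sense service and the OnboardingState registry value Microsoft documents, and it also reads the orgId out of the downloaded package so that a device already onboarded to a different tenant (for instance from a golden image built elsewhere) is flagged instead of silently passing. Everything it relies on beyond this page is an assumption: that the payload sits in the script's working directory under its default download name, that the package's .cmd script carries the OnboardingInfo blob with an orgId GUID, that the Status key also exposes an OrgId value, and that Automox treats exit code 0 as compliant and non-zero as "remediation needed".

```powershell
<#
  Added verification example (not the Automox Worklet's code, not Microsoft's script).
  Assumptions not stated on the page:
   - $PayloadName is the default download name and the file sits in the working directory.
   - The zip contains a .cmd onboarding script whose "reg add ... OnboardingInfo" line
     carries a JSON blob with an "orgId" GUID (true of packages at the time of writing).
   - HKLM\...\Advanced Threat Protection\Status exposes OnboardingState (documented)
     and OrgId (observed; treated as an assumption here).
   - Worklet convention: exit 0 = compliant, exit 1 = non-compliant / remediate.
#>
$ErrorActionPreference = 'Stop'

$PayloadName = 'WindowsDefenderATPOnboardingPackage.zip'
$StatusKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-DefenderOnboardingStatus {
    # Return an object instead of a bare bool so the Worklet log shows *why* a device
    # failed: service stopped, never onboarded, or onboarded to the wrong tenant.
    $svc    = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SenseRunning    = ($null -ne $svc -and $svc.Status -eq 'Running')
        OnboardingState = [int]($status.OnboardingState)   # 1 = onboarded; 0 or missing = not
        OrgId           = [string]$status.OrgId            # assumption: tenant GUID after onboarding
    }
}

function Get-OrgIdFromOnboardingPackage {
    param([Parameter(Mandatory)][string]$ZipPath)
    if (-not (Test-Path -LiteralPath $ZipPath)) {
        throw "Payload '$ZipPath' not found; the Worklet expects the default download name."
    }
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        # Do not depend on the inner filename; take the first .cmd in the package.
        $entry = $zip.Entries | Where-Object { $_.Name -like '*.cmd' } | Select-Object -First 1
        if (-not $entry) { throw "No onboarding .cmd script found inside '$ZipPath'." }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
    }
    finally { $zip.Dispose() }

    # The blob is passed to reg.exe as a quoted /d argument, so the quotes inside it are
    # backslash-escaped (sometimes doubly). Matching "orgId" loosely around the escaping
    # avoids unescaping the whole blob just to read one GUID. The script is never executed.
    $pattern = 'orgId\\*"\s*:\s*\\*"(?<id>[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})'
    $m = [regex]::Match($text, $pattern)
    if (-not $m.Success) { throw 'Could not find an orgId in the onboarding script.' }
    return $m.Groups['id'].Value
}

# --- Evaluation -------------------------------------------------------------------
$expectedOrgId = Get-OrgIdFromOnboardingPackage -ZipPath (Join-Path -Path $PWD.Path -ChildPath $PayloadName)
$state         = Get-DefenderOnboardingStatus

if (-not $state.SenseRunning) {
    Write-Output 'Non-compliant: Sense service is not running.'
    exit 1
}
if ($state.OnboardingState -ne 1) {
    Write-Output "Non-compliant: OnboardingState=$($state.OnboardingState)."
    exit 1
}
if ($state.OrgId -and ($state.OrgId -ne $expectedOrgId)) {
    # Onboarded, but to a tenant other than the one whose package was uploaded.
    Write-Output "Non-compliant: device reports OrgId $($state.OrgId); payload is for $expectedOrgId."
    exit 1
}
Write-Output "Compliant: onboarded to tenant $expectedOrgId."
exit 0
```

Run it elevated on a device after the policy has executed, from the directory holding the payload zip; a non-zero exit with the printed reason tells you whether the fix is a service restart, a rerun of the Worklet, or an offboard-and-reonboard for a device pointed at the wrong tenant. If your Status key does not show an OrgId value, drop the third check rather than guessing at the tenant.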