Setting up Microsoft Defender for Endpoint (MDE) is a critical step in securing your infrastructure. Whether you are using a production environment or an enterprise-level trial (E5 License), the process is streamlined but requires precision.

Prerequisites & Supported Systems

Before you begin, ensure your environment meets the licensing requirements. For this guide, we are utilizing the Microsoft 365 E5 trial.

MDE supports a wide range of operating systems, including:

  • Windows Server 2012 R2
  • Windows Server 2016 and later
  • Azure Stack HCI OS (Version 23H2 and later)

Phase 1: Navigating the Portal

The first hurdle is simply finding where the onboarding tools live.

  1. Log in to the Microsoft Defender Security Portal (security.microsoft.com).
  2. On the left-hand navigation pane, scroll to the bottom.
  3. Click on Settings and then select Endpoints.
  4. Under the "Device Management" section, select Onboarding.

Phase 2: The Onboarding Process

Step 1: Download the Package

In the Onboarding menu, select your operating system from the dropdown.

  • Choose Local Script for a single-machine manual setup.
  • Click Download onboarding package.
  • Important: Extract the .zip file and save its contents to a folder you can easily reach from the command line.

Step 2: Execute the Script

To link the device to your tenant, you need to run the script with elevated privileges.

  1. Open PowerShell as an Administrator.
  2. Navigate to your extracted folder.
  3. Run the script (the .cmd or .ps1 file).
  4. Type Y when prompted to confirm the onboarding.

Step 3: Verification (The Detection Test)

Once the script finishes, you should confirm that the device is actually communicating with the portal. You can trigger a "mock" detection to see whether the alert fires.

Note: This command simulates a download from a local test server (127.0.0.1). It is non-malicious but is designed to trigger Defender's detection engine.

Copy and paste the following into your elevated PowerShell window:

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-MDATP-test\invoice.exe');Start-Process 'C:\test-MDATP-test\invoice.exe'

If successful, within a few minutes, you should see a "Test Alert" appear in the "Incidents & alerts" section of your Microsoft Defender portal.
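Before (or after) firing the detection test, it helps to confirm locally that the sensor is installed, running and onboarded, so that a missing alert can be traced to the endpoint rather than the test command. The following check is an added example, not part of this guide or of Microsoft's onboarding package; it relies on the documented Sense service name, the OnboardingState registry value under the Windows Advanced Threat Protection\Status key, and the Microsoft-Windows-SENSE/Operational event log, and it assumes an elevated PowerShell session as in Step 2.

```powershell
# Added example: collect the local evidence that MDE onboarding succeeded.
# Assumes the documented "Sense" service and the
# HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\OnboardingState value.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # 1. The Sense service (Windows Defender Advanced Threat Protection Service) must be running.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $senseStatus = if ($null -ne $sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    # 2. OnboardingState is set to 1 once the onboarding script has linked the device to a tenant.
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
        -ErrorAction SilentlyContinue).OnboardingState

    # 3. Defender Antivirus should be in active (not passive) mode with real-time protection on.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # 4. Recent SENSE operational events show the sensor is alive; the newest one is reported.
    $senseEvents = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
        -MaxEvents 5 -ErrorAction SilentlyContinue
    $lastEvent = if ($senseEvents) { $senseEvents[0].TimeCreated } else { $null }

    [PSCustomObject]@{
        SenseServiceStatus = $senseStatus
        OnboardingState    = $onboardingState
        AMRunningMode      = $mp.AMRunningMode
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        LastSenseEvent     = $lastEvent
        Onboarded          = ($senseStatus -eq 'Running') -and ($onboardingState -eq 1)
    }
}

# Run the check and explain the outcome before relying on the portal-side detection test.
$check = Test-MdeOnboarding
$check | Format-List

if (-not $check.Onboarded) {
    Write-Warning 'Device is not onboarded: re-run the onboarding script as Administrator before testing.'
}
```

If Onboarded reports True but the Test Alert never appears, the gap is on the portal or network side (for example, outbound connectivity to the Defender cloud service URLs), not the local script run.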

Final Thoughts

Onboarding is just the beginning. Once your devices are "checking in," you can begin looking into automated investigations and advanced hunting.

Happy Securing!