Jörgen Nilsson 09 Aug 2022

Logging the Co-management and Defender onboarding process during OSD

When starting to move workloads to Intune, one of the first workloads to move is Compliance and Endpoint Protection. When moving the Endpoint Protection workload, the following configurations are managed from Intune instead of MEMCM:

  • Windows Defender Antimalware
  • Windows Defender Application Guard
  • Windows Defender Firewall
  • Windows Defender SmartScreen
  • Windows Encryption
  • Windows Defender Exploit Guard
  • Windows Defender Application Control
  • Windows Defender Security Center
  • Windows Defender for Endpoint (now known as Microsoft Defender for Endpoint)

Moving these makes sense in many ways, as we have better options to manage almost all of the settings above from Intune, and newer settings are missing from MEMCM. It also helps for the future: if you are using Hybrid Join today, a lot of configuration is already in place when it is time to move to AAD Joined instead.
One question I get many times is how long it takes for a client to Hybrid Join, enroll in MDM, and for the Defender enrollment policy to come down to the device. I wrote a simple little script to log this during OSD of a new client, and I was thinking that I could maybe improve the time it takes…
The output of the script looks like this and ends with “Onboarded to Defender for Endpoint” as shown below:

Sample output of the script

This can be used in many different ways: show a dialog when a newly deployed device in a prestage center is ready to ship, display a message, post to Teams and much more.
The times in the sample above are pretty great, but it took me a while to get there, as many things affect the time it takes for all steps to complete. When I added a step to install Software Updates during OSD, the Hybrid Join completes during the Task Sequence, which is why the script logs the same time. I did the following to improve enrollment times:

  • Set the Co-Management policy to target all devices (no waiting for a collection update).
  • Set the Endpoint Protection workload to “All Systems”, again to avoid waiting for collection updates.
  • Configured the Defender for Endpoint onboarding to “All devices” instead of a Dynamic Group (use filters instead if you need to; much faster).
  • Used an up-to-date Windows 10 / Windows 11 image, which solved a lot of delays compared to using one-year-old media.
  • Make sure to use the latest MEMCM client in the Boot Image and install the latest one in the Task Sequence; that solved some issues with the Enrollment URL not being configured.
  • Of course, make sure the device has Internet access without having to wait for proxy configurations, as that will also delay things.
  • Another thing that can have an effect in large environments is the AAD Connect sync of the computer object, as that affects Hybrid Join. After adding some more steps in my lab, like installing Software Updates, so the Task Sequence takes more time (which, to be fair, is also closer to production), that timeout is not an issue anymore, but it could still be with multiple DCs and replication.

The script

There are two scripts. One logs that OSD is complete and adds a Scheduled Task to trigger the other script, which logs how long the different steps take to the C:\Windows\Temp\DefenderOnboarding.log file.
When the process completes, the script deletes the Scheduled Task so it will not run again. The scripts can be downloaded from GitHub here: https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/Wait%20for%20Onboarding

Task Sequence step.

It runs from a package, as the script imports the Scheduled Task from an .XML file.

The script:

# Script to write OSD Complete and register the Scheduled Task that will monitor Hybrid Join, MDM enrollment, Defender for Endpoint onboarding.
# Jorgen@ccmexec.com

$logfilepath = "C:\Windows\Temp\DefenderOnboarding.log"

# Append a message and the current timestamp to the log file
function WriteToLogFile ($message)
{
    $message + " - " + (Get-Date).ToString() >> $logfilepath
}

WriteToLogFile "OSD Complete"
# Copy the monitoring script to a local path the Scheduled Task can run it from
Copy-Item -Path (Join-Path $PSScriptRoot 'WaitforOnboard.ps1') -Destination (Join-Path $env:windir 'Temp')
# Import the task definition from the XML file shipped in the same package
Register-ScheduledTask -Xml (Get-Content (Join-Path $PSScriptRoot 'WaitforOnboarding.xml') | Out-String) -TaskName "WaitforOnboarding"

The script triggered by the Scheduled Task.

# Script to track the process: Hybrid Join, MDM enrollment, Defender for Endpoint onboarding.
# Jorgen@ccmexec.com

$logfilepath = "C:\Windows\Temp\DefenderOnboarding.log"

# Append a message and the current timestamp to the log file
function WriteToLogFile ($message)
{
    $message + " - " + (Get-Date).ToString() >> $logfilepath
}

WriteToLogFile "Script started"

# Wait for Hybrid Join: a GUID subkey under JoinInfo that holds a DeviceDisplayName value
do {
    $DeviceDisplayName = $false
    # The key does not exist before the join, so suppress the error and keep polling
    $AADInfo = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo" -ErrorAction SilentlyContinue
    if ($AADInfo) {
        foreach ($guid in $AADInfo.GetSubKeyNames()) {
            $guidSubKey = $AADInfo.OpenSubKey($guid)
            if ($null -ne $guidSubKey.GetValue("DeviceDisplayName")) { $DeviceDisplayName = $true }
        }
    }
    Start-Sleep -Seconds 1
} while (-not $DeviceDisplayName)
WriteToLogFile "Hybrid Joined"

# Wait for MDM enrollment: DeviceClientID is populated once the device is enrolled
do {
    $MDMEnrollment = $null -ne (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceID" -ErrorAction SilentlyContinue).DeviceClientID
    Start-Sleep -Seconds 1
} while (-not $MDMEnrollment)
WriteToLogFile "Enrolled in MDM"

# Wait for Defender for Endpoint onboarding: OnboardingState is 1 when onboarded
do {
    $MDEState = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue).OnboardingState -eq 1
    Start-Sleep -Seconds 1
} while (-not $MDEState)
WriteToLogFile "Onboarded to Defender for endpoint"

# Remove the Scheduled Task so the script does not run again
Unregister-ScheduledTask -TaskName waitforonboarding -Confirm:$false

I hope this can be useful, and I will post more examples of how to use it going forward.
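An added example (not part of the original post or the author's repository) that reads the "message - timestamp" lines written by WriteToLogFile, shows the time elapsed since "OSD Complete" for each step, and flags a device that has no Defender onboarding entry. The function name Get-OnboardingTimeline, the 60-minute target and the sample log lines are assumptions constructed for illustration.

```powershell
# Added example: summarise DefenderOnboarding.log and flag a device that never onboarded.
# Get-OnboardingTimeline and the 60-minute default are hypothetical, not from the post.
function Get-OnboardingTimeline {
    param(
        [string[]]$Lines,
        [int]$MaxMinutes = 60
    )
    $events = @(foreach ($line in $Lines) {
        # The message itself may contain " - ", so split on the last occurrence
        $idx = $line.LastIndexOf(' - ')
        if ($idx -lt 0) { continue }
        $stamp = [datetime]::MinValue
        # (Get-Date).ToString() is culture dependent; TryParse uses the current culture
        if ([datetime]::TryParse($line.Substring($idx + 3), [ref]$stamp)) {
            [pscustomobject]@{ Step = $line.Substring(0, $idx).Trim(); Time = $stamp }
        }
    })
    # Measure from "OSD Complete"; fall back to the first entry if it is missing
    $start = $events | Where-Object Step -eq 'OSD Complete' | Select-Object -First 1
    if (-not $start) { $start = $events | Select-Object -First 1 }
    $done = $events | Where-Object Step -like 'Onboarded to Defender*' | Select-Object -First 1
    [pscustomobject]@{
        Timeline = @(foreach ($e in $events) {
            [pscustomobject]@{ Step = $e.Step; Time = $e.Time; SinceOSD = $e.Time - $start.Time }
        })
        Onboarded    = [bool]$done
        WithinTarget = [bool]($done -and (($done.Time - $start.Time).TotalMinutes -le $MaxMinutes))
    }
}

# Constructed sample lines in the format the scripts above write (not real measurements)
$sample = @(
    'OSD Complete - 2022-08-09 10:15:02'
    'Script started - 2022-08-09 10:21:40'
    'Hybrid Joined - 2022-08-09 10:21:41'
    'Enrolled in MDM - 2022-08-09 10:29:13'
    'Onboarded to Defender for endpoint - 2022-08-09 10:36:55'
)

# On a deployed device: -Lines (Get-Content C:\Windows\Temp\DefenderOnboarding.log)
$result = Get-OnboardingTimeline -Lines $sample
$result.Timeline | Format-Table Step, Time, SinceOSD
if (-not $result.Onboarded) {
    Write-Warning 'No Defender for Endpoint onboarding entry in the log'
} elseif (-not $result.WithinTarget) {
    Write-Warning 'Defender for Endpoint onboarding took longer than the target'
}
```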