Deploying Microsoft Defender for Endpoint to Your First Machine
If you're rolling out Microsoft Defender for Endpoint (MDE) for the first time, the jump from theory to practice can feel overwhelming. You've got your tenant provisioned, you're staring at the Microsoft 365 Defender portal, and now you need to actually get an agent on a workstation and confirm it's phoning home. This guide walks through onboarding your first Windows 10 or 11 endpoint from start to finish—no fluff, just the steps that matter.
I'm assuming you've already got MDE licensing sorted and access to the portal. If you're testing this in a lab, even better. We'll use the local script method since it's the fastest way to validate your first device before you scale to Group Policy or Intune. Keep in mind that Microsoft positions the local script as a proof-of-concept method and optimises it for no more than 10 devices; it is not the way to onboard a fleet.
Prerequisites
Active Microsoft Defender for Endpoint (Plan 1 or Plan 2) license
Global Administrator or Security Administrator role in Microsoft 365 Defender portal
Windows 10 (1607+) or Windows 11 workstation with local admin access
Internet connectivity on the workstation (outbound HTTPS to Microsoft endpoints)
Microsoft Defender Antivirus present and active (it ships with Windows). The EDR sensor itself is the separate Sense service (MsSense.exe) that the onboarding script enables; Defender Antivirus supplies the AV detections, and it has to be the primary AV (not in passive mode behind a third-party product) for the detection test in Step 5 to produce a Defender alert.
Step 1 – Access the Microsoft 365 Defender Portal
Log into the Microsoft 365 Defender portal at https://security.microsoft.com. Navigate to Settings > Endpoints > Onboarding.
If this is your first time here, you may be prompted to complete initial setup steps like choosing your data storage location. Go ahead and complete those—it only takes a minute.
Step 2 – Download the Onboarding Package
In the Onboarding section, ensure Windows 10 and 11 is selected as the operating system. Under Deployment method, choose Local Script.
Click Download onboarding package. You'll get a ZIP file named WindowsDefenderATPOnboardingPackage.zip. Extract it and you'll find a single file, WindowsDefenderATPLocalOnboardingScript.cmd.
This script embeds your tenant's onboarding blob (the organisation ID and service endpoints the sensor uses to enrol). Anyone who has it can onboard arbitrary machines into your tenant and pollute your device inventory, so treat it like a credential: don't commit it to a repo, paste it into a ticket, or share it publicly.
Step 3 – Run the Onboarding Script on the Workstation
Copy the .cmd file to your target workstation. Right-click it and select Run as administrator.
A Command Prompt window opens, prints a warning that the script must not be shared, and asks you to press Y to confirm onboarding. If everything is configured correctly, you'll get a success message ending with:
Press any key to continue . . .
That's it. Under the hood the script writes the onboarding blob to the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection and starts the Sense service (the MDE sensor, MsSense.exe), which then enrols with your tenant.
Step 4 – Verify the Device Appears in the Portal
Back in the Microsoft 365 Defender portal, navigate to Assets > Devices. It can take 5–10 minutes for the device to show up initially. Refresh the page.
Once it appears, you should see:
Device name
Risk level (likely "No known risks" initially, since no alerts have fired yet)
Onboarding status: Onboarded
Last seen timestamp
Click into the device to view its detailed timeline and sensor health.
Step 5 – Run a Detection Test
The quickest end-to-end check is the EICAR test file: a harmless 68-byte string that every antivirus engine, Defender Antivirus included, is built to detect. Because Defender Antivirus is active on the device, the detection is reported through the Sense channel and shows up in the portal. Open PowerShell as administrator and run:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://www.eicar.org/download/eicar.com.txt" -OutFile "$env:TEMP\eicar.com"
Real-time protection quarantines the file as soon as it is written, so don't be surprised if Invoke-WebRequest reports an access error on the output file; that is the detection. If your network blocks the download, write the EICAR string into a local file instead; the trigger is the content, not the URL.
Within a few minutes you'll see an alert in the Microsoft 365 Defender portal under Incidents & alerts > Alerts naming the EICAR_Test_File threat (Defender's detection name is Virus:DOS/EICAR_Test_File). This confirms AV detection, reporting through the sensor, and alerting in the portal all work end to end. If you'd rather exercise the EDR sensor's behavioural detections than the AV engine, the "Run a detection test" one-liner in Microsoft's onboarding documentation simulates a suspicious PowerShell download-and-execute without using EICAR.
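Steps 4 and 5 and the troubleshooting checks that follow can be run from the workstation itself. The script below is an added example (not from the original post or from Microsoft) that reads the onboarding state from the registry, checks the Sense and Defender AV services and the AV settings the test depends on, then drops an EICAR file built at run time and looks for the local detection. The registry paths are the ones the onboarding script populates; the file name and wait time are assumptions.

```powershell
# Verify-MdeOnboarding.ps1 (added example; not the page's or Microsoft's code)
# Run in an elevated PowerShell on the onboarded workstation.
#Requires -RunAsAdministrator

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

# 1. Onboarding state: the local script writes OnboardingInfo under the policy
#    key; the sensor sets OnboardingState=1 once it has accepted the blob.
$onboarded = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
$hasBlob   = [bool](Get-ItemProperty -Path $policyKey -Name OnboardingInfo -ErrorAction SilentlyContinue)
"OnboardingInfo present : $hasBlob"
"OnboardingState        : $onboarded  (1 = onboarded)"

# 2. The EDR sensor (Sense) and the AV engine (WinDefend) must both be running.
foreach ($svc in 'Sense', 'WinDefend') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    '{0,-10}: {1}' -f $svc, $(if ($s) { $s.Status } else { 'not installed' })
}

# 3. AV settings the detection test depends on. AMRunningMode 'Normal' means
#    Defender AV is the primary AV; 'Passive Mode' means a third-party AV is.
$mp = Get-MpComputerStatus
"AMRunningMode          : $($mp.AMRunningMode)"
"RealTimeProtection     : $($mp.RealTimeProtectionEnabled)"
"Cloud (MAPS) reporting : $((Get-MpPreference).MAPSReporting)   (0 = off, 2 = Advanced)"
"Signature age (days)   : $($mp.AntivirusSignatureAge)"

# 4. Drop an EICAR test file. The string is assembled from two fragments at run
#    time so that this script file is not itself flagged when saved to disk.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP ('mde-eicar-{0}.com' -f (Get-Date -Format 'yyyyMMddHHmmss'))
$since = (Get-Date).AddMinutes(-1)
try {
    # Raw ASCII bytes: EICAR must be exactly 68 bytes, no BOM or CRLF added.
    [System.IO.File]::WriteAllBytes($path, [System.Text.Encoding]::ASCII.GetBytes($eicar))
} catch {
    "Write blocked immediately (expected when real-time protection is on): $($_.Exception.Message)"
}
Start-Sleep -Seconds 10   # assumed wait; quarantine is usually near-instant

# 5. Get-MpThreatDetection only carries the numeric ThreatID; Get-MpThreat maps it to a name.
$hits = Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $since }
if ($hits) {
    foreach ($h in $hits) {
        $name = (Get-MpThreat | Where-Object ThreatID -eq $h.ThreatID).ThreatName
        '{0}  {1}  remediated={2}  {3}' -f $h.InitialDetectionTime, $name, $h.ActionSuccess, ($h.Resources -join ' ')
    }
    'Local AV detection recorded. Now check Incidents & alerts > Alerts in the portal for the matching alert.'
} else {
    'No local detection yet. If RealTimeProtection is True, re-run Get-MpThreatDetection in a minute.'
}
```

If the file is quarantined locally but no alert ever reaches the portal, the problem is on the reporting side (Sense service, OnboardingState, or outbound connectivity), not the AV engine, which narrows the troubleshooting below considerably.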
Troubleshooting
Device doesn't appear in the portal after 15 minutes
Check that Microsoft Defender Antivirus is actually running. Open Windows Security and confirm Virus & threat protection is on. If a third-party AV is installed, Defender Antivirus drops into passive mode: the EDR sensor still reports to the portal, but AV detections come from the other product, so the EICAR test in Step 5 will not produce a Defender alert.
Verify the sensor is running:
Get-Service -Name Sense
Status should be Running. If it's stopped, start it:
Start-Service -Name Sense
If the service won't start, or it runs but the device never appears, check the Microsoft-Windows-SENSE/Operational event log for the enrolment error it is logging.
Onboarding script fails with "Access Denied"
You didn't run it as administrator. Right-click, Run as administrator. The script writes to HKLM and starts a service, both of which need elevation.
Test detection doesn't fire
Make sure Real-time protection is enabled in Windows Security > Virus & threat protection settings. If it's off, MDE won't catch anything.
Also confirm Cloud-delivered protection is turned on. MDE relies on cloud lookups for detection logic.
Device shows "Inactive" status
The workstation hasn't communicated with the service in a while. Check internet connectivity and confirm these URLs are reachable:
*.blob.core.windows.net
crl.microsoft.com
events.data.microsoft.com
*.security.microsoft.com
If you're behind a proxy, remember that the Sense service runs as SYSTEM and uses the machine-level WinHTTP proxy, not the proxy configured in the user's browser settings. Set it with netsh winhttp set proxy, or give the sensor its own static proxy via the TelemetryProxyServer value (server:port) under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection (the same setting exists as a Group Policy). The proxy must allow the URLs above without TLS inspection; the sensor pins Microsoft certificates and will refuse a proxy-issued certificate.
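Connectivity is the usual reason a device sits at "Inactive". The following is an added example (not from the original post or from Microsoft) that prints the machine-level proxy settings the sensor will use, then checks DNS, a direct TCP connect and an HTTPS request through the configured static proxy for a handful of hostnames. The wildcard entries above (*.blob.core.windows.net, *.security.microsoft.com) can't be tested as written, so the concrete hostnames in the list are assumptions standing in for the region-specific ones your tenant uses.

```powershell
# Test-MdeConnectivity.ps1 (added example; not the page's or Microsoft's code)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Assumed hostnames; substitute the concrete ones from your tenant's URL list.
$hosts = @(
    'crl.microsoft.com',
    'events.data.microsoft.com',
    'security.microsoft.com'
)

# Machine-wide WinHTTP proxy (what SYSTEM services use) and the optional
# Sense-specific static proxy written by policy or by hand.
netsh winhttp show proxy
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$static = (Get-ItemProperty -Path $policyKey -Name TelemetryProxyServer -ErrorAction SilentlyContinue).TelemetryProxyServer
"Sense static proxy (TelemetryProxyServer): $(if ($static) { $static } else { '<not set>' })"

# DNS and a direct TCP connect. Test-NetConnection bypasses any proxy, so on a
# proxy-only network Tcp443=False is expected and the HTTPS test below is what counts.
$results = foreach ($h in $hosts) {
    $dns = Resolve-DnsName -Name $h -ErrorAction SilentlyContinue
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $h; Resolves = [bool]$dns; Tcp443 = $tcp.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# HTTPS through the static proxy if one is set. Any HTTP status code (even 4xx)
# means TLS completed against a Microsoft certificate; a TLS or proxy error means
# the path is blocked or being inspected.
$proxyUri = if ($static) { "http://$static" } else { $null }
foreach ($h in $hosts) {
    $req = @{ Uri = "https://$h/"; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($proxyUri) { $req.Proxy = $proxyUri }
    try {
        $r = Invoke-WebRequest @req
        "$h : HTTP $($r.StatusCode)"
    } catch {
        $code = $_.Exception.Response.StatusCode.value__
        "$h : $(if ($code) { "HTTP $code" } else { $_.Exception.Message })"
    }
}

# Clock skew of more than a few minutes breaks sensor authentication and shows up as 'Inactive' too.
w32tm /query /status
```

For anything beyond a quick look, Microsoft's MDE Client Analyzer (MDEClientAnalyzer.cmd) runs the full URL list for your region and collects sensor logs; the script above is the five-minute version.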
Hardening Considerations
Once you've got your first device onboarded, here's how to tighten things up:
Enable Tamper Protection in Settings > Endpoints > Advanced features. This prevents attackers (or users) from disabling Defender Antivirus components locally, including changes made through Set-MpPreference, the registry or Group Policy to real-time protection, cloud-delivered protection and behaviour monitoring. Set your AV baseline first, then turn it on; afterwards those settings can only be changed from the portal or Intune.
Turn on Attack Surface Reduction (ASR) rules. Start with audit mode to baseline impact, then enforce the rules that make sense for your environment. Common starters:
Block executable content from email and webmail
Block Office applications from creating child processes
Block credential stealing from lsass.exe
Review the automation level under Settings > Endpoints > Device groups (it is set per device group, and a new tenant defaults to full automatic remediation). MDE will quarantine files and kill processes on its own at that level, so make sure your team is comfortable with the actions it'll take before widening the rollout.
Enable EDR in block mode (Settings > Endpoints > Advanced features) if you're on Plan 2. It lets the EDR sensor remediate post-breach detections even when Defender Antivirus is in passive mode because a third-party AV is primary; if Defender Antivirus is already your active AV it adds little, but it costs nothing to turn on.
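The ASR and cloud-protection settings above can be applied locally on the first device before you move them into Intune or Group Policy. The script below is an added example (not from the original post or from Microsoft): it turns on real-time and cloud-delivered protection, puts the three starter ASR rules into audit mode using Microsoft's published rule GUIDs, reads back what is applied, and lists recent audit events so you can see what the rules would have blocked. The one-day window for the event query is an assumption.

```powershell
# Set-MdeBaseline.ps1 (added example; not the page's or Microsoft's code)
# Run elevated, and BEFORE enabling Tamper Protection in the portal, which then
# refuses local changes to the real-time and cloud-protection settings below.
#Requires -RunAsAdministrator

# Microsoft's published ASR rule GUIDs for the three starter rules in the text.
$asrRules = [ordered]@{
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS (lsass.exe)'             = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

# AuditMode logs what a rule WOULD block without blocking it. Switch individual
# rules to 'Enabled' once the audit events look clean for your environment.
$mode = 'AuditMode'

# AV settings the detection pipeline relies on.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced            # cloud-delivered protection
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50           # seconds to hold a file for a cloud verdict

# Add-MpPreference merges into the existing rule list; Set-MpPreference would replace it.
foreach ($rule in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value -AttackSurfaceReductionRules_Actions $mode
    '{0,-9} {1}  {2}' -f $mode, $rule.Value, $rule.Key
}

# Read back what is actually applied. Actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
'Applied ASR rules:'
for ($i = 0; $i -lt $ids.Count; $i++) { '  {0}  action={1}' -f $ids[$i], $acts[$i] }

# Audit hits: Event ID 1122 in the Defender operational log (1121 is a real block).
# Run this again after a day of normal user activity to baseline impact.
$audit = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
"ASR audit events in the last day: $(@($audit).Count)"
$audit | Select-Object -First 10 TimeCreated, Message | Format-List
```

Leave the rules in audit for at least a week of real usage before enforcing; the Office child-process rule in particular tends to surface legitimate add-ins and line-of-business macros that you'll need exclusions for.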