Ok so there are two parts to the onboarding process.
1) Run Install.ps1 - This will install the Unified Agent, which is used to report back to MDE. This is where the install is failing, as one of the prerequisites is that Defender is installed and running. In this environment it will run in passive mode alongside Trend. The issue I'm having is that whoever built these servers completely removed Defender from them and installed Trend, which was the wrong way to set things up.
Before UA, Microsoft had something called MMA for the agent, but this is now being retired and UA is being used in its place.
2) Once UA is installed I then run WindowsDefenderATPOnboardingScript.cmd. This will then onboard to MDE, but only if the UA agent has been installed.
I've attached both files for your viewing.
How is the Defender for Endpoint agent installed? With this command or in another way?
Code:
Msiexec /i md4ws.msi /quiet FORCEPASSIVEMODE=1
The above command is for the install of the UA agent, not Defender. However, as explained above, I use a PS script provided by MS to install UA, as the command above never works. This is the error that comes up on the problem server when I use the command above.
This is because the REG_DWORD value "ForceDefenderPassiveMode" is not present in the ATP.hiv. Since Trend Micro is the primary AV solution, it is recommended to use the above command! What you can try is to add this value manually to see if it makes any difference in adding this server to the MDE config manager.
I will add the below to the reg and let you know.
Code:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /t REG_DWORD /d 0x1 /f
This is what my onboarding folder looks like; Install.ps1 will call md4ws.msi and install it.
Update - Attachments too large, will upload via WeTransfer and post a link in the next post.
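A pre-onboarding check for the two prerequisites this thread turns on, the Defender install state and the ForceDefenderPassiveMode policy value; this is an added example, not code from the thread or from Microsoft's install scripts, and it assumes the WinDefend service name, the Windows-Defender server feature name, and the policy key used in the reg add command above.

```powershell
# Added example (not from the thread): report whether the Unified Agent
# prerequisites discussed above are met before running Install.ps1 and
# the onboarding .cmd. Run from an elevated PowerShell session.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$valueName = 'ForceDefenderPassiveMode'

function Test-OnboardingPrereqs {
    $result = [ordered]@{}

    # 1. Is the Defender service present? Servers where the Windows-Defender
    #    feature was removed (as described in the thread) have no WinDefend service.
    $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $result.DefenderServicePresent = [bool]$svc
    $result.DefenderServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'missing' }

    # 2. On Windows Server, is the Defender feature installed? (Get-WindowsFeature
    #    only exists on Server SKUs, so guard the call.)
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name 'Windows-Defender'
        $result.DefenderFeatureInstalled = [bool]$feature.Installed
    } else {
        $result.DefenderFeatureInstalled = 'n/a (not a Server SKU)'
    }

    # 3. Is the passive-mode policy value present, and what is it set to?
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    $result.ForceDefenderPassiveMode = if ($item) { $item.$valueName } else { 'not set' }

    [pscustomobject]$result
}

$check = Test-OnboardingPrereqs
$check | Format-List

if (-not $check.DefenderServicePresent) {
    Write-Warning 'Defender is not installed; the Unified Agent prerequisite check will fail until the Windows-Defender feature is restored.'
}
if ($check.ForceDefenderPassiveMode -ne 1) {
    Write-Warning "$valueName is not 1; with a third-party AV as primary, set it (see the reg add command above) before onboarding."
}
```

Re-run it after restoring the Defender feature and adding the registry value; both warnings should disappear before the onboarding script is attempted.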