
Windows - Security - Windows Defender for Endpoint Onboarding

Onboards Windows endpoints to Microsoft Defender for Endpoint using a local onboarding package

Worklet Details

What the Defender for Endpoint onboarding Worklet does

This Automox Worklet™ performs automated enrollment of Windows endpoints into Microsoft Defender for Endpoint (MDE). The Worklet extracts onboarding configuration from the Microsoft-provided local script package and applies the necessary registry settings to complete endpoint registration.

The onboarding process configures several security components. The Worklet installs the Early Launch Anti-Malware (ELAM) certificate to protect the Windows Defender boot driver. It sets telemetry reporting preferences and disables enterprise authentication proxy settings that could interfere with Defender communications.

After configuring registry entries, the Worklet starts the Microsoft Defender ATP service (Sense) and monitors for successful onboarding completion. The script waits up to 50 seconds for the OnboardingState registry value to confirm enrollment before reloading the Defender engine.

Why deploy Defender for Endpoint through Automox

Microsoft Defender for Endpoint provides advanced threat protection, endpoint detection and response, and security analytics. Onboarding endpoints manually through Group Policy or configuration tools requires significant administrative effort, especially in environments with diverse network configurations.

Using Automox for MDE deployment enables consistent onboarding across remote, hybrid, and on-premises endpoints. The Worklet handles architecture detection automatically, executing in 64-bit context even when triggered from 32-bit processes. This resolves common deployment failures caused by registry virtualization.

Organizations pursuing Cyber Essentials certification or similar compliance frameworks benefit from documented, repeatable MDE deployment. The Automox Activity Log provides audit evidence of successful onboarding across your endpoint fleet.

How Defender for Endpoint onboarding works

  1. Evaluation phase: The Worklet checks the registry key HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status for the OnboardingState property. If the value is not 1, the endpoint requires onboarding and triggers remediation. Already-onboarded endpoints exit without changes.

  2. Remediation phase: The Worklet extracts the WindowsDefenderATPOnboardingPackage.zip payload, reads the onboarding configuration from the embedded CMD script, and writes it to the OnboardingInfo registry property. It installs the WdBoot.sys ELAM certificate, removes any prior offboarding artifacts, starts the Sense service, and monitors for successful onboarding before reloading the Defender engine.
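As an added example (not the Worklet's own code), the following PowerShell evaluation script implements the step 1 check together with the 64-bit relaunch mentioned above. It assumes the Automox evaluation convention that exit code 0 means compliant and exit code 1 means non-compliant (triggering remediation), and that the script is executed from a file so that $PSCommandPath is populated; the Sense service check is additional to the page's evaluation logic and is reported for information only.

```powershell
# Evaluation script: exit 0 = compliant (already onboarded), exit 1 = remediation needed.
# Assumption: these exit-code semantics follow the Automox evaluation convention.

# Relaunch under 64-bit PowerShell when running as a 32-bit process on 64-bit Windows,
# so that the HKLM key below is read from the native registry view (no WOW64 redirection).
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $sysnative = Join-Path $env:windir 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    & $sysnative -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

# Returns $true only when OnboardingState exists and equals 1.
function Test-MdeOnboarded {
    if (-not (Test-Path -Path $statusKey)) { return $false }   # key absent: never onboarded
    try {
        $state = Get-ItemPropertyValue -Path $statusKey -Name 'OnboardingState' -ErrorAction Stop
    } catch {
        return $false   # property missing (never onboarded, or offboarded)
    }
    return ([int]$state -eq 1)
}

# Informational: reports whether the Sense service is present and running.
function Get-SenseServiceState {
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return [string]$svc.Status
}

$senseState = Get-SenseServiceState
if (Test-MdeOnboarded) {
    Write-Output "Compliant: OnboardingState = 1 (Sense service: $senseState). No changes required."
    exit 0
}
Write-Output "Non-compliant: endpoint is not onboarded to Defender for Endpoint (Sense service: $senseState)."
exit 1
```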

Defender for Endpoint onboarding requirements

  • Windows 10 or Windows 11 workstations, Windows Server 2016 or later

  • Microsoft 365 Defender license (E5 Security, Microsoft Defender for Endpoint P1/P2)

  • Local Script onboarding package downloaded from Microsoft 365 Defender portal

  • WindowsDefenderATPOnboardingPackage.zip attached as Worklet payload

  • Network connectivity to Microsoft Defender cloud services

  • Administrative privileges on target endpoints

Expected Defender for Endpoint enrollment state

After successful onboarding, the endpoint appears in the Microsoft 365 Defender portal within 5 to 30 minutes. The OnboardingState value under the registry key HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status is 1, indicating active enrollment. You can verify this change through the Automox Activity Log or by checking the endpoint configuration directly.

The Sense service runs continuously, providing endpoint telemetry to the Microsoft security platform. Subsequent Worklet executions skip onboarding for already-enrolled endpoints. The Worklet cleans up the extracted payload files after successful completion to minimize disk footprint.

How to validate Microsoft Defender for Endpoint onboarding changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for Microsoft Defender for Endpoint onboarding.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify the endpoint state with checks that mirror the evaluation script logic, for example reading the OnboardingState value with Get-ItemPropertyValue and reporting it with Write-Output.

  4. Validate the effects of the remediation script's operations (such as Add-Prop, Test-Path and New-Item), then rerun the evaluation to confirm compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.