KACE - Installing Microsoft Defender for Endpoint
Hello, has anyone successfully deployed / enabled Microsoft Defender for Endpoint through KACE? If so, I was wondering how you did it. I haven't been given the details yet, but I don't think MDE is a regular software package. If I can figure it out, I will post how it was done in detail.
Answers (2)
We don't use Defender, so I can't download the script, but it looks like Microsoft has a script on their site. Download the zip file from the Defender Portal (WindowsDefenderATPOnboardingPackage.zip).
You should be able to tweak the script (WindowsDefenderATPLocalOnboardingScript.cmd) and use it with Kace. It sounds like there may be a "pause" at the end of the cmd script, so I would definitely remove that if so.
Local Script:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-worldwide
Comments:
-
Hello, yes, I see the onboarding script. I have not tested deployment yet through KACE but we did go through a manual install on a test server. MS wants you to install KB5005292 which is a "Definition Update". (exe file) This exe is not in the KACE software catalog and is not listed as an installed patch. So how would I be able to deploy / install the exe?
This doesn't work in the case of installing KB5005292:
https://support.quest.com/kb/4334727/how-to-deploy-32bit-and-64bit-software-installers-using-the-sma - lama01 8 months ago-
It seems to run silently when I install it. I would try downloading the update from the MS Catalog:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005292
Then add that to the deployment script and bundle the update in.
START "" /WAIT "PathToUpdateFile\updatesenseclient_e09f95a5dbf249bd030455c06f91cd80e68d198d.exe" - AmberSDNB 8 months ago-
Thanks, so what I have found is that there are two parts. (For 2012 and 2016 servers only) One, installing the EXE, which does not show up in KACE as an update or software. Two, the MDE install, which is an MSI and does show up. This is just to get MDE installed, but it looks like I might need to use GPO for "onboarding". How could I use KACE to first install the EXE, then install the MSI after the EXE is done installing? Can that be done through KACE? I have already installed the MSI, inventoried the server and built the MSI package. But how can I tie installing the EXE first and the MSI together? It's a little confusing. The KACE documents don't make sense to me. - lama01 8 months ago
-
Do you need it to be completely silent or just automated?
Either way, you can do it via script. Something like this...
@ECHO OFF
@ECHO Installing MS KB5005292, please wait...
START "" /WAIT "PathToUpdateFile\updatesenseclient_e09f95a5dbf249bd030455c06f91cd80e68d198d.exe"
@ECHO Installing x, please wait...
START "" /WAIT MSIEXEC /I "PathToMSIFile.msi" /qb
(qb is progress bars, if you need silent do /qn)
The msi will wait for the EXE to install before moving on to part two (the msi). Save the script as a batch file.
Then just zip all the items together (msi, exe, and batch) and upload it to Kace scripting and call the batch file. - AmberSDNB 8 months ago -
Thanks! Let me give this a try on Monday - lama01 8 months ago
-
I am getting confused on the "path". If the EXE and MSI are in the zip file with the batch file, what would be the path? Would it be $(KACE_DEPENDENCY_DIR)? Or am I putting the files somewhere on the network? If thats the case, why am I zipping the EXE and MSI with the batch file? - lama01 8 months ago
-
$(KACE_DEPENDENCY_DIR) will only work if you are calling everything from within Kace. I would do the following...
Zip up the 3 files. Let's say it's called MicrosoftDefender.zip
Task 1:
1. Verify
Verify a file exists...
Directory: $(KACE_DEPENDENCY_DIR)
File: MicrosoftDefender.zip
On Success
1. Unzip a file...
Directory: $(KACE_DEPENDENCY_DIR)
File: MicrosoftDefender.zip
Target: C:\Temp (make sure this folder exists on your target machines)
Remediation
1. Log message...
Type: Status
Message: Failed - Could not locate zip file
2. Always Fail
This task should unzip your files into C:\Temp and log / fail if for some reason it can't find your zip file.
Then task 2 just call the batch file. In the batch file, point the path to C:\Temp
@ECHO Installing MS KB5005292, please wait...
START "" /WAIT "C:\Temp\updatesenseclient_e09f95a5dbf249bd030455c06f91cd80e68d198d.exe"
@ECHO Installing x, please wait...
START "" /WAIT MSIEXEC /I "C:\Temp\MicrosoftDefender.msi" /qb
Another way to do it would be to add the 2 items as dependencies (the msi, and exe) and call them from $(KACE_DEPENDENCY_DIR) within the script itself.
Task 1: Launch a program:
$(KACE_DEPENDENCY_DIR)\updatesenseclient_e09f95a5dbf249bd030455c06f91cd80e68d198d.exe
Task 2 Launch a program:
$(KACE_SYS_DIR)\msiexec.exe
Parameters: /i $(KACE_DEPENDENCY_DIR)\MicrosoftDefender.msi /qb
I haven't used the built in Kace stuff in forever but this stuff should work if you mess around with it a bit. Personally I try to avoid the Kace stuff and do everything in batch or powershell, then package that into an exe (zip archive) using SFX Package Maker that launches the script on run. - AmberSDNB 8 months ago -
Hello, to update, KACE reports success but the MSI and EXE aren't getting installed. The files get copied and unzipped to C:\temp and that is where it stops apparently. I am trying to figure out why. Do the commands need to run with elevated privileges? - lama01 7 months ago
-
Thanks this is more than amazing from you. Let me see if I can get it to work. - lama01 8 months ago
-
You're welcome. Good luck. :) - AmberSDNB 7 months ago
Top Answer
Thanks to AmberSDNB for the help. As promised, here is how the MDE install works for me:
For 2012/2016 you need to install the prereqs:
1. You need to download: KB4052623 - (.EXE name changes with time) & md4ws.msi
2. Create a bat file:
@ECHO Installing MS KB4052623, please wait...
START "" /WAIT "C:\YourFileLocation\updateplatform.amd64fre_xxxxx.exe"
@ECHO Installing md4ws, please wait...
START "" /WAIT MSIEXEC /I "C:\YourFileLocation\md4ws.msi" /quiet FORCEPASSIVEMODE=1
3. Zip updateplatform.amd64fre_xxxxx.exe, md4ws.msi & the Install.bat together
4. Create a new Offline Script
5. Upload the Zip file as a dependency
6. Verify:
Directory: $(KACE_DEPENDENCY_DIR)
File: YourZipFile.zip
7. On Success:
Task1
Unzip a file: $(KACE_DEPENDENCY_DIR)
File: YourZipFile.zip
Target: YourFileLocation
Task2
Launch a Program: YourFileLocation\Install.bat
From this point, you need to use GPO for onboarding. Microsoft recommends GPO, provides a script, and most of the controls seem to be through GPO. There is an onboarding via script option, but Microsoft notes this is only for testing purposes. It doesn't appear that KACE can do the entire install unless you are testing MDE and add the onboarding script. Hopefully this helps anyone else suddenly facing this topic.
Onboard Windows servers to the Microsoft Defender for Endpoint service | Microsoft Learn
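The following is an added example, not code posted by anyone in this thread. It is a PowerShell version of the Install.bat in the Top Answer (and of AmberSDNB's earlier batch snippets) that a KACE "Launch a Program" task would call after the Unzip task. Where the batch files just run the EXE and the MSI back to back, this script checks each exit code (0, 3010 and 1641 are the success codes; anything else aborts and exits non-zero so KACE does not report success on a failed install, which is the symptom reported above), verifies that both payload files still carry a valid Microsoft Authenticode signature before executing them from the staging folder, and finally reports whether the Sense service exists and whether the OnboardingState registry value is set. The folder and file names (C:\Temp\MicrosoftDefender, updateplatform.amd64fre_xxxxx.exe, md4ws.msi) are placeholders taken from the thread; the real EXE name changes with each KB revision. FORCEPASSIVEMODE=1 is the MSI property used in the Top Answer; /norestart and /l*v are standard msiexec options added here.

```powershell
# Added example (not from the thread): chained MDE prerequisite + md4ws.msi install
# with exit-code checking, signature verification and a post-install state report.
# Paths and file names are placeholders; the platform-update EXE name changes per KB.
[CmdletBinding()]
param(
    [string]$Payload   = 'C:\Temp\MicrosoftDefender',          # folder the KACE Unzip task extracted to
    [string]$UpdateExe = 'updateplatform.amd64fre_xxxxx.exe',  # KB4052623 / KB5005292 platform update
    [string]$Msi       = 'md4ws.msi',                          # MDE for Windows Server 2012 R2 / 2016
    [string]$Log       = "$env:ProgramData\MDE-Install.log"
)

$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $Log -Value $line
    Write-Host $line
}

# The staging folder can be written to by anyone with access to the endpoint, so only
# execute binaries that still carry a valid Authenticode signature from Microsoft.
function Assert-MicrosoftSigned([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to run ${Path}: signature status $($sig.Status), signer $subject"
    }
}

# Run an installer synchronously. Returns $true when a reboot is pending and throws on
# any exit code other than the documented success codes. The batch files in the thread
# never inspect these codes, so a failed install still looked like success to KACE.
function Invoke-Installer([string]$FilePath, [string[]]$ArgumentList = @()) {
    Write-Log "Running: $FilePath $($ArgumentList -join ' ')"
    $splat = @{ FilePath = $FilePath; Wait = $true; PassThru = $true }
    if ($ArgumentList.Count -gt 0) { $splat.ArgumentList = $ArgumentList }
    $p = Start-Process @splat
    Write-Log "Exit code: $($p.ExitCode)"
    switch ($p.ExitCode) {
        0       { return $false }
        3010    { return $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { return $true }   # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "$FilePath failed with exit code $($p.ExitCode)" }
    }
}

# Post-install state: Sense is the MDE service that md4ws.msi installs; OnboardingState
# becomes 1 only after the GPO (or onboarding script) step the Top Answer describes.
function Get-MdeState {
    $status = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    [pscustomobject]@{
        SenseInstalled  = [bool](Get-Service -Name Sense -ErrorAction SilentlyContinue)
        OnboardingState = (Get-ItemProperty -Path $status -ErrorAction SilentlyContinue).OnboardingState
    }
}

$exe = Join-Path $Payload $UpdateExe
$msi = Join-Path $Payload $Msi
foreach ($f in $exe, $msi) {
    if (-not (Test-Path $f)) { Write-Log "Missing payload file: $f"; exit 2 }
    Assert-MicrosoftSigned $f
}

try {
    $reboot = Invoke-Installer $exe
    $reboot = (Invoke-Installer 'msiexec.exe' @('/i', "`"$msi`"", '/quiet', '/norestart',
               'FORCEPASSIVEMODE=1', '/l*v', "`"$Payload\md4ws-msi.log`"")) -or $reboot
} catch {
    Write-Log "FAILED: $_"
    exit 1   # non-zero so the KACE task is not marked as a success
}

$state = Get-MdeState
Write-Log ('Sense installed: {0}; OnboardingState: {1} (1 = onboarded; expect 0 until GPO onboarding runs)' -f
           $state.SenseInstalled, $state.OnboardingState)
if ($reboot) { Write-Log 'Install complete, reboot required'; exit 3010 }
exit 0
```

Point the KACE "Launch a Program" task at powershell.exe with parameters such as `-ExecutionPolicy Bypass -File YourFileLocation\Install-Mde.ps1`, and keep the task's wait-for-completion option on so the exit code reaches KACE. The log at %ProgramData%\MDE-Install.log, plus the verbose msiexec log, is what to read first when the portal shows success but the server is not showing up in Defender.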