CCMEXEC.COM – Enterprise Mobility

Logging the Co-management and Defender onboarding process during OSD

Posted on August 9, 2022 by Jörgen Nilsson

When starting to move workloads to Intune, one of the first workloads to move is Compliance and Endpoint Protection. When the Endpoint Protection workload is moved, the following configurations are managed from Intune instead of MEMCM:

  • Windows Defender Antimalware
  • Windows Defender Application Guard
  • Windows Defender Firewall
  • Windows Defender SmartScreen
  • Windows Encryption
  • Windows Defender Exploit Guard
  • Windows Defender Application Control
  • Windows Defender Security Center
  • Windows Defender for Endpoint (now known as Microsoft Defender for Endpoint)

Moving this workload makes sense in many ways: Intune gives us better options to manage almost all of the settings above, and newer settings are missing from MEMCM. It also helps for the future: if you are Hybrid Joined today, a lot of the configuration is already in Intune when it is time to move to AAD Joined instead.
One question I get many times is how long it takes for a client to Hybrid Join, enroll in MDM, and for the Defender enrollment policy to come down to the device. I wrote a simple script to log this during OSD of a new client, thinking that I could maybe improve the time it takes.
The output of the script looks like this and ends with “Onboarded to Defender for Endpoint”, as shown below:

Sample output of the script

This can be used in many different ways: show a dialog when a newly deployed device in a prestage center is ready to ship, display a message, post to Teams, and much more.
The times in the sample above are pretty great, but it took me a while to get there, as many things affect the time it takes for all steps to complete. When I added a step to install Software Updates during OSD, the Hybrid Join completed during the Task Sequence, which is why the script logs the same time. I did the following to improve enrollment times:

  • Set the Co-Management policy to target all devices (no need to wait for a collection update).
  • Set the Endpoint Protection workload to “All Systems”, again so there is no need to wait for collection updates.
  • Configured the Defender for Endpoint onboarding to target “All devices” instead of a Dynamic Group (use filters instead if you need them; much faster).
  • Used an up-to-date Windows 10 / Windows 11 image, which solved a lot of delays compared to using one-year-old media.
  • Made sure to use the latest MEMCM client in the Boot Image and installed the latest one in the Task Sequence; that solved some issues with the Enrollment URL not being configured.
  • Of course, made sure the device has Internet access, so that there is no waiting for proxy configuration, which will also delay things.
  • Another thing that can affect timing in large environments is the AAD Connect sync of the computer object, as that affects Hybrid Join. After adding more steps in my lab, like installing Software Updates, the Task Sequence takes more time. To be fair, that is also closer to production, and the timeout is not an issue anymore, but it could still be with multiple DCs and replication.
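The question above is really about durations, not timestamps. As an added example (my code, not the post's or the GitHub repository's), here is how the DefenderOnboarding.log the two scripts below produce can be turned into per-step durations and a simple "is this device done" check. It assumes the `<message> - <timestamp>` line format that WriteToLogFile writes and a timestamp the local culture can parse; the sample lines are constructed, not a real log.

```powershell
# Added example (not from the original post): compute how long each phase took from
# the DefenderOnboarding.log written by the two scripts in the post.
# Assumes the "<message> - <timestamp>" line format produced by WriteToLogFile and that
# the timestamp was written with the same culture as the machine parsing it.

function Get-OnboardingTimeline {
    param([string[]]$Lines)

    # Parse each line into a step name and a timestamp, splitting on the last " - "
    # so a message that itself contains a dash still parses
    $events = @(foreach ($line in $Lines) {
        $idx = $line.LastIndexOf(" - ")
        if ($idx -lt 0) { continue }
        [pscustomobject]@{
            Step = $line.Substring(0, $idx).Trim()
            Time = [datetime]::Parse($line.Substring($idx + 3).Trim())
        }
    })
    if ($events.Count -eq 0) { return }

    # Emit one row per step with the time since the previous step and since OSD completed
    $previous = $null
    foreach ($event in $events) {
        $sincePrevious = if ($null -ne $previous) { $event.Time - $previous.Time } else { [timespan]::Zero }
        [pscustomobject]@{
            Step             = $event.Step
            Time             = $event.Time
            SincePrevious    = $sincePrevious
            SinceOsdComplete = $event.Time - $events[0].Time
        }
        $previous = $event
    }
}

# Constructed sample in the scripts' own format (not a real log); a real run reads the file
$LogPath = "C:\Windows\Temp\DefenderOnboarding.log"
$sample = @(
    "OSD Complete - 2022-08-09 10:00:00",
    "Script started - 2022-08-09 10:00:05",
    "Hybrid Joined - 2022-08-09 10:03:40",
    "Enrolled in MDM - 2022-08-09 10:09:12",
    "Onboarded to Defender for endpoint - 2022-08-09 10:14:55"
)
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }

$timeline = @(Get-OnboardingTimeline -Lines $lines)
$timeline | Format-Table Step, Time, SincePrevious, SinceOsdComplete -AutoSize

# A device whose last logged step is not the Defender onboarding has not finished;
# this is the condition to hold it back in the prestage center, show a dialog or post to Teams
$final = "Onboarded to Defender for endpoint"
if ($timeline.Count -eq 0 -or $timeline[-1].Step -ne $final) {
    Write-Warning "Onboarding not complete (last logged step: $($timeline[-1].Step))"
}
```

With the constructed sample the table shows the Hybrid Join taking 3 minutes 35 seconds after the monitoring script started, MDM enrollment a further 5 minutes 32 seconds, and Defender onboarding 5 minutes 43 seconds after that; the SinceOsdComplete column is the end-to-end number worth tracking across image or policy changes.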

The script

There are two scripts. The first logs that OSD is complete and adds a Scheduled Task to trigger the second script, which logs how long the different steps take to the C:\Windows\Temp\DefenderOnboarding.log file.
When the process completes, the script deletes the Scheduled Task so it will not run again. The scripts can be downloaded from GitHub here: https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/Wait%20for%20Onboarding

Task Sequence step

The script is run from a package, as it imports the Scheduled Task using an .XML file.

The script:

# Script to write "OSD Complete" to the log and register the Scheduled Task that will
# monitor Hybrid Join, MDM enrollment and Defender for Endpoint onboarding.
# Jorgen@ccmexec.com

$logfilepath = "C:\Windows\Temp\DefenderOnboarding.log"

# Appends "<message> - <timestamp>" to the log file
function WriteToLogFile ($message)
{
    $message + " - " + (Get-Date).ToString() >> $logfilepath
}

WriteToLogFile "OSD Complete"

# Copy the monitoring script to a location that survives the Task Sequence, then
# register the Scheduled Task from the XML definition shipped in the package
Copy-Item -Path (Join-Path $PSScriptRoot 'WaitforOnboard.ps1') -Destination (Join-Path $env:Windir 'Temp')
Register-ScheduledTask -Xml (Get-Content (Join-Path $PSScriptRoot 'WaitforOnboarding.xml') | Out-String) -TaskName "WaitforOnboarding"
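The task definition itself lives in WaitforOnboarding.xml, which is not shown in the post. As an added example (not the post's or the repository's own code), this registers an equivalent task with the ScheduledTasks cmdlets instead of importing XML. The trigger (at startup), the principal (SYSTEM, highest run level) and the settings are assumptions about what the XML contains, chosen because the monitoring script reads HKLM, removes its own task and has to keep running after the reboot that ends the Task Sequence.

```powershell
# Added example (not the post's XML): register the "WaitforOnboarding" task with the
# ScheduledTasks cmdlets. Trigger, principal and settings are assumptions about what the
# post's XML definition contains.

$taskName   = "WaitforOnboarding"
$scriptPath = Join-Path $env:windir "Temp\WaitforOnboard.ps1"   # where the first script copies it

# Run the monitoring script hidden under Windows PowerShell
$action = New-ScheduledTaskAction -Execute "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`""

# Start after boot; the script itself polls until onboarding completes
$trigger = New-ScheduledTaskTrigger -AtStartup

# SYSTEM is needed to read the HKLM keys and to unregister the task at the end
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest

# Keep polling on battery and give up after a few hours rather than looping forever
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 4)

# Re-registering an existing task fails, so remove a leftover from an earlier run first
if (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue) {
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
}
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings | Out-Null

# Start it right away as well, so logging begins without waiting for the next boot
Start-ScheduledTask -TaskName $taskName
```

The execution time limit is the one setting worth thinking about: without it, a device that never enrolls keeps a hidden SYSTEM process polling the registry every second until someone notices, and with it the log simply stops at the last completed step, which the log itself then makes obvious.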

The script triggered by the Scheduled Task:

# Script to track the process: Hybrid Join, MDM enrollment, Defender for Endpoint onboarding.
# Jorgen@ccmexec.com

$logfilepath = "C:\Windows\Temp\DefenderOnboarding.log"

# Appends "<message> - <timestamp>" to the log file
function WriteToLogFile ($message)
{
    $message + " - " + (Get-Date).ToString() >> $logfilepath
}

WriteToLogFile "Script started"

# 1. Hybrid Azure AD Join: the JoinInfo key gets a GUID-named subkey with a DeviceDisplayName
#    value once the join has completed. The key may not exist at all yet, so errors are
#    suppressed and the loop simply polls again after a second.
do {
    $DeviceDisplayName = $false
    $AADInfo = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo" -ErrorAction SilentlyContinue
    if ($null -ne $AADInfo) {
        foreach ($guid in $AADInfo.GetSubKeyNames()) {
            $guidSubKey = $AADInfo.OpenSubKey($guid)
            if ($null -ne $guidSubKey.GetValue("DeviceDisplayName")) {
                $DeviceDisplayName = $true
            }
        }
    }
    Start-Sleep -Seconds 1
} while (-not $DeviceDisplayName)
WriteToLogFile "Hybrid Joined"

# 2. MDM enrollment: DeviceClientID is written under OMADM\MDMDeviceID once enrolled
do {
    $MDMEnrollment = $null -ne (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceID" -ErrorAction SilentlyContinue).DeviceClientID
    Start-Sleep -Seconds 1
} while (-not $MDMEnrollment)
WriteToLogFile "Enrolled in MDM"

# 3. Defender for Endpoint onboarding: OnboardingState becomes 1 once the sensor is onboarded
do {
    $MDEState = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue).OnboardingState -eq 1
    Start-Sleep -Seconds 1
} while (-not $MDEState)
WriteToLogFile "Onboarded to Defender for endpoint"

# All three steps are logged; remove the task so it does not run again after the next reboot
Unregister-ScheduledTask -TaskName WaitforOnboarding -Confirm:$false

I hope this can be useful; I will post more examples of how to use it going forward.

  • Co-Management
  • Configuration Manager
  • Defender Onboarding
  • Hybrid Join
  • OSD

2 thoughts on “Logging the Co-management and Defender onboarding process during OSD”

mark says:
March 16, 2023 at 10:54 am

Jörgen,
Thank you for taking the time to write and post this article. Your overall timings are way faster than we currently achieve 😉
May I ask what your AAD sync frequency time is set to?

Mark
