What I learned while implementing Microsoft EDR

Nadav Svirsky
2 min read, May 31, 2023

In this article I'm not going to cover how EDR works; instead, it elaborates on the tiresome troubleshooting I've experienced in the past few months.

Working on an MDE-attached tenant, I had issues with several stations. A few didn't register properly, others weren't visible at all in Microsoft 365 Defender. Some were registered in the 365 Defender portal but not in the Intune portal.

This is what I learned:

  1. Assuming you're using Windows 10, you must upgrade to the latest (and last) version of Windows 10: 22H2 (build 19045).
  2. Besides being on the latest build, it helps if the endpoint also has the latest Windows updates installed.
  3. In Microsoft 365 Defender, the device object must carry the proper tags. Verify this by comparing it with a device that is registered correctly; each organization uses its own tags.
  4. Upgrade to Windows 11.
  5. Run the magic command: dsregcmd /leave. This removes the device's Azure AD join state so it can register again; run it from an elevated prompt (for hybrid-joined devices Microsoft's guidance is to run it in the SYSTEM context) and reboot afterwards. Use dsregcmd /status to check the join state before and after.
  6. If you choose to manage the machine solely via Intune, without SCCM interference, it is wise to uninstall the SCCM client you had installed. From an elevated prompt this is simply:
cd "c:\Windows\ccmsetup"
ccmsetup.exe /uninstall

  7. I mentioned an MDE-attached tenant. If you don't want the device to operate in Intune at all, go to the Intune portal, find the device object and click Retire. This disconnects it from Intune and reverts it to MDE-only management.
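To take the guesswork out of the checklist above, here is a read-only triage script that collects the state each step depends on (OS build, update recency, MDE sensor onboarding, local device tag, Azure AD join, SCCM client, MDM enrollment) and prints which of the steps apply. This is an added example, not code from the original article; it does not execute any of the remediations (dsregcmd /leave, ccmsetup.exe /uninstall, Retire) itself. Assumptions: the 60-day threshold for "updates are stale" is arbitrary, and the Intune enrollment check relies on the ProviderID value under HKLM\SOFTWARE\Microsoft\Enrollments being "MS DM Server". Run from an elevated PowerShell prompt.

```powershell
#Requires -Version 5.1
# MDE endpoint registration triage (example, not the article's own tooling).
# Read-only: reports state and maps it to the steps in the list above.

function Get-MdeEndpointStatus {
    [CmdletBinding()]
    param()

    # Step 1/4: Windows 10 22H2 is build 19045; Windows 11 starts at 22000.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Step 2: most recently installed update as a rough freshness indicator.
    $lastHotfix = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # MDE sensor service and the documented onboarding flag.
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
                  -ErrorAction SilentlyContinue).OnboardingState -eq 1

    # Step 3: locally configured device tag (REG_SZ "Group" under DeviceTagging).
    $tagKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
    $tag    = (Get-ItemProperty -Path $tagKey -Name Group -ErrorAction SilentlyContinue).Group

    # Step 5: join state straight from dsregcmd /status output lines.
    $dsreg        = & dsregcmd /status 2>$null
    $aadJoined    = @($dsreg -match '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0
    $domainJoined = @($dsreg -match '^\s*DomainJoined\s*:\s*YES').Count  -gt 0

    # Step 6: ConfigMgr client service or leftover installer.
    $ccmExec  = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $ccmSetup = Test-Path (Join-Path $env:SystemRoot 'ccmsetup\ccmsetup.exe')

    # Step 7: MDM enrollment. ASSUMPTION: provider ID string for Intune/MDM.
    $enrollKey   = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $mdmEnrolled = $false
    if (Test-Path $enrollKey) {
        $providers   = Get-ChildItem $enrollKey | ForEach-Object {
            (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID
        }
        $mdmEnrolled = @($providers | Where-Object { $_ -eq 'MS DM Server' }).Count -gt 0
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Build          = $build
        BuildOk        = ($build -ge 19045)
        IsWindows11    = ($build -ge 22000)
        LastUpdate     = if ($lastHotfix) { $lastHotfix.InstalledOn } else { $null }
        SenseRunning   = ($sense -and $sense.Status -eq 'Running')
        Onboarded      = [bool]$onboarded
        LocalTag       = $tag
        AzureAdJoined  = $aadJoined
        DomainJoined   = $domainJoined
        SccmPresent    = [bool]($ccmExec -or $ccmSetup)
        MdmEnrolled    = $mdmEnrolled
    }
}

function Show-MdeRemediationHints {
    param([Parameter(Mandatory)]$Status, [int]$StaleDays = 60)  # ASSUMPTION: 60 days
    $hints = @()
    if (-not $Status.BuildOk)  { $hints += 'Step 1/4: upgrade to Windows 10 22H2 (19045) or Windows 11.' }
    if (-not $Status.LastUpdate -or $Status.LastUpdate -lt (Get-Date).AddDays(-$StaleDays)) {
        $hints += "Step 2: last update older than $StaleDays days; install pending Windows updates."
    }
    if (-not $Status.Onboarded -or -not $Status.SenseRunning) {
        $hints += 'Sensor not onboarded or not running; the device will not appear in the portal.'
    }
    if (-not $Status.LocalTag)   { $hints += 'Step 3: no local device tag; compare with a correctly registered device.' }
    if (-not $Status.AzureAdJoined) {
        $hints += 'Step 5: not Azure AD joined; dsregcmd /leave then reboot lets it re-register.'
    }
    if ($Status.SccmPresent)     { $hints += 'Step 6: ConfigMgr client present; ccmsetup.exe /uninstall if Intune/MDE-only is intended.' }
    if ($Status.MdmEnrolled)     { $hints += 'Step 7: MDM enrolled; Retire in Intune if you want MDE-only management.' }
    if ($hints.Count -eq 0)      { $hints += 'Nothing to do from this checklist.' }
    $hints
}

$status = Get-MdeEndpointStatus
$status | Format-List
Show-MdeRemediationHints -Status $status
```

The script only reads service state, registry values and dsregcmd output, so it is safe to run on a device you are still diagnosing; compare its output from a healthy endpoint against one that is missing from the portal to see which step actually differs.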

The list above summarizes my experience in getting all Windows endpoints into an MDE-only configuration. Not every step is needed, but some are very helpful for getting the station listed and governed properly.
