MS Defender – Fix Sensor Onboarding Issue
Sometimes you will notice that a few machines fail to complete the Defender for Endpoint onboarding process.
This can happen for several reasons; one of the common ones is that the machine restarted unexpectedly while onboarding was in progress.
There is no article or documentation from Microsoft explaining this behavior. However, on further troubleshooting with Process Monitor, it was found that on the second attempt the machine keeps checking for a specific registry key (the Windows Advanced Threat Protection key created by the script below) before it will continue, and every subsequent attempt fails because that key does not exist.
I prepared the PowerShell script below to be executed on such machines so they get onboarded quickly. Note that creating the key on its own does not onboard the machine: the script also restarts the sensor service and re-triggers the ConfigMgr compliance baseline that delivers the onboarding package.
# Script to fix the MDATP (Defender for Endpoint) sensor onboarding issue
# Run elevated in Windows PowerShell 5.1 (the ConfigMgr client exposes its WMI classes there).
# Creates the registry keys the onboarding process looks for, if they are missing
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" -Force -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection" -Force -ErrorAction SilentlyContinue
# Restarts the Windows Defender Advanced Threat Protection Service (service name: Sense)
Restart-Service -Name Sense -Force -ErrorAction SilentlyContinue
# Triggers the ConfigMgr compliance baseline that performs the ATP onboarding
$Name = 'Defender Machines Onboarding'   # display name of the baseline in ConfigMgr; change it to match your environment
$Baseline = Get-WmiObject -Namespace root\ccm\dcm -Class SMS_DesiredConfiguration | Where-Object { $_.DisplayName -eq $Name }
if ($Baseline) {
    ([wmiclass]"root\ccm\dcm:SMS_DesiredConfiguration").TriggerEvaluation($Baseline.Name, $Baseline.Version)
} else {
    Write-Warning "Compliance baseline '$Name' was not found on this client; check the baseline deployment."
}
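Before running the fix, and again afterwards, it is worth confirming where onboarding actually stands on the machine rather than relying on the portal. The following is an added example and not part of the original post or Microsoft's onboarding package: it reads the Sense service state, the policy key the fix script creates, the OnboardingState value Microsoft documents under the Status key (1 means the sensor is onboarded), and the most recent entries from the Microsoft-Windows-SENSE/Operational event log. The function name Test-MdeOnboarding is my own, and the check for an OnboardingInfo value assumes the onboarding package writes it to the policy key as Microsoft's onboarding script does.

```powershell
# Added example (not from the original post): report the onboarding state of the local machine.
# Assumptions: OnboardingState under the Status key is 1 once onboarding completes (Microsoft
# documents this), and the onboarding package writes an OnboardingInfo value to the policy key.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # Sensor service (Sense) must exist and be running for the machine to report in
    $Sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # OnboardingInfo is the payload the onboarding package (GPO/ConfigMgr baseline) drops in the policy key
    $OnboardingInfoPresent = $null -ne (Get-ItemProperty -Path $PolicyKey -Name OnboardingInfo -ErrorAction SilentlyContinue)

    # OnboardingState is written by the sensor itself once onboarding has completed
    $OnboardingState = (Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # Recent sensor events help explain a stuck onboarding (the log may not exist if the sensor never started)
    $RecentEvents = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SenseServiceStatus    = if ($Sense) { $Sense.Status.ToString() } else { 'NotInstalled' }
        PolicyKeyExists       = Test-Path -Path $PolicyKey
        OnboardingInfoPresent = $OnboardingInfoPresent
        OnboardingState       = $OnboardingState
        Onboarded             = ($OnboardingState -eq 1) -and ($null -ne $Sense) -and ($Sense.Status -eq 'Running')
        RecentSenseEvents     = $RecentEvents
    }
}

$Status = Test-MdeOnboarding
$Status | Select-Object -Property * -ExcludeProperty RecentSenseEvents | Format-List

if (-not $Status.Onboarded) {
    Write-Warning "Onboarding is incomplete on $($Status.ComputerName); run the fix script."
    if ($Status.PolicyKeyExists -and -not $Status.OnboardingInfoPresent) {
        # The key alone is not enough: without OnboardingInfo the sensor has nothing to onboard with,
        # so the baseline (or GPO) carrying the onboarding package still has to apply.
        Write-Warning 'Policy key exists but OnboardingInfo is missing; the onboarding baseline has not applied yet.'
    }
    $Status.RecentSenseEvents | Format-Table -AutoSize
}
```

Run it elevated; the Status key and the SENSE event log are only readable by administrators. A machine that shows PolicyKeyExists as true but OnboardingInfoPresent as false is exactly the case the fix script addresses: the key is now there, but the ConfigMgr baseline still has to re-deliver the onboarding payload before OnboardingState flips to 1.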