Forum Discussion

mattmcb
Copper Contributor
Jun 26, 2025

Can onboard to MDE with stand-alone script, but GPO option does not work.

I'm sure this question has been asked before, but I have not been able to find anything. I can use the stand-alone script to get a workstation onboarded, but using the GPO option does not work. If anyone has experience with this, please let me know if there are any nuances regarding getting the GPO option to work. I have followed the basic instructions for onboarding that way.

Thanks

3 Replies

  • Please check the below:


    • GPO Scope & Linkage
      • Ensure the GPO is linked to the correct OU where the target machines reside.
      • Confirm the security filtering includes the intended computers or groups.
    • Script Execution Policy
      • The onboarding script deployed via GPO must be allowed to run. Make sure the PowerShell execution policy isn’t blocking it (RemoteSigned or Unrestricted is usually safe).
    • Startup Script Timing
      • GPO onboarding uses a startup script, not a logon script. If the machine boots too quickly or the network isn’t ready, the script might silently fail.
    • Network Connectivity
      • The device must be able to reach the required MDE endpoints. You can test this using the MDE Client Analyzer tool.
    • Script Placement
      • The onboarding script should be placed in the SYSVOL share or a location accessible to all target machines.
    • Registry Clues
      • Check HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status for onboarding status.
      • Also look at HKLM\SOFTWARE\Microsoft\SenseCM\EnrollmentStatus for any enrollment errors.


    Reference: Troubleshooting MDE On-Boarding issues | Microsoft Community Hub
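
    The following is an added diagnostic script, not part of the thread above and not Microsoft's own tooling, that walks the checklist in this reply on the client itself. Run it in an elevated PowerShell session on a machine that should have been onboarded by the GPO. The Status and Policies registry paths and the SENSE operational event channel are the standard MDE locations; the two hostnames in Test-MdeConnectivity are an assumed sample rather than the full endpoint list (the authoritative list for your tenant region is what the MDE Client Analyzer checks), and the scheduled-task match assumes the GPO task invokes the onboarding .cmd from the downloaded GPO package.

```powershell
# Added MDE onboarding diagnostic (not from the thread). Read-only apart from the
# TCP probes; run elevated so the HKLM keys and the SENSE log are readable.

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Get-MdeOnboardingState {
    # Written by the Sense service after it consumes the onboarding blob.
    # OnboardingState = 1 means onboarded; OrgId/SenseId are populated on success.
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OnboardingState = $status.OnboardingState
        OrgId           = $status.OrgId
        SenseId         = $status.SenseId
    }
}

function Test-MdeOnboardingBlob {
    # The onboarding .cmd writes the tenant blob to OnboardingInfo under the
    # Policies key. If this value is missing, the script never ran as SYSTEM on
    # this machine, so the problem is script delivery/execution, not Sense itself.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    -not [string]::IsNullOrEmpty($policy.OnboardingInfo)
}

function Get-MdeSenseEvents([int]$Count = 15) {
    # Sense records why it did not onboard (no blob found, cloud unreachable, ...)
    # in its own operational channel; the event ID meanings are in Microsoft's
    # MDE troubleshooting docs. Only the first line of each message is kept.
    Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-MdeConnectivity {
    # Assumed sample of MDE endpoints, not the full list. TCP 443 reachability
    # only; a proxy or SSL-inspection issue will still need the Client Analyzer.
    param([string[]]$Hosts = @('winatp-gw-cus.microsoft.com', 'events.data.microsoft.com'))
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Tcp443 = $r.TcpTestSucceeded }
    }
}

function Get-MdeOnboardingTask {
    # Assumption: the GPO registers a task whose program or arguments reference
    # the onboarding .cmd (e.g. WindowsDefenderATPOnboardingScript.cmd).
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Actions.Execute) $($_.Actions.Arguments)" -match 'Onboarding' } |
        Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
}

'== Onboarding state (Status key) =='
Get-MdeOnboardingState | Format-List

'== Onboarding blob present under Policies key (did the script run as SYSTEM?) =='
Test-MdeOnboardingBlob

'== Sense service =='
Get-Service -Name Sense -ErrorAction SilentlyContinue | Select-Object Status, StartType

'== Scheduled task that runs the onboarding script, if the GPO created one =='
Get-MdeOnboardingTask | Format-Table -AutoSize

'== Last SENSE events =='
Get-MdeSenseEvents | Format-Table -AutoSize

'== Connectivity (TCP 443) =='
Test-MdeConnectivity | Format-Table -AutoSize
```

    The useful split is between the two registry keys: RSOP only proves the GPO applied to the computer, while a populated OnboardingInfo under the Policies key proves the onboarding script actually executed with SYSTEM rights. If that value is absent after a reboot, look at script delivery (share permissions for the computer account, task or startup-script registration); if it is present but OnboardingState never becomes 1, the SENSE events and the connectivity probes point at the Sense service or the network instead.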

    •
      mattmcb
      Copper Contributor

      I have tried the following things to resolve.

      Turned off UAC just in case

      setting execution policy to unrestricted

      moving script to sysvol -- confirmed replication of script and updated GPO

      set optional settings for MDE and confirmed they apply to the test system

      No registry errors that I can tell; the value for status is 2, which apparently is never onboarded.

      Concerning startup timing.  It is a VM.  Not sure how fast it boots.  Is there a way to determine if that or something else is the issue?

    •
      mattmcb
      Copper Contributor

      Thank you for the information. The script is in a location accessible from the machine, but I will try moving it to SYSVOL in case there is an issue with perms on the share due to being run by the system account or whichever was specified in the onboarding instructions. PowerShell execution policy was Restricted and that is now Unrestricted. I also turned off UAC just in case that was it. GPO is linked properly -- added optional settings to it and they show up when running RSOP. Concerning timing at startup: possible, but I have been logged on and ran gpupdate /force. There are no onboarding errors and the status is a 2, which is apparently never onboarded.


      I copied the script to the sysvol folder on the AD server and confirmed both that and the change to GPO replicated.  Waiting to see if that is the issue.  Note that this is different from the onboarding directions as they only state to put into a folder that the system has access to.
