Forum Discussion
Can onboard to MDE with stand-alone script, but the GPO option does not work.
Please check the below:
- GPO Scope & Linkage
  - Ensure the GPO is linked to the correct OU where the target machines reside.
  - Confirm the security filtering includes the intended computers or groups.
- Script Execution Policy
  - The onboarding script deployed via GPO must be allowed to run. Make sure the PowerShell execution policy isn't blocking it (RemoteSigned or Unrestricted is usually safe).
- Startup Script Timing
  - GPO onboarding uses a startup script, not a logon script. If the machine boots too quickly or the network isn't ready, the script might silently fail.
- Network Connectivity
  - The device must be able to reach the required MDE endpoints. You can test this using the MDE Client Analyzer tool.
- Script Placement
  - The onboarding script should be placed in the SYSVOL share or a location accessible to all target machines.
- Registry Clues
  - Check HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status for onboarding status.
  - Also look at HKLM\SOFTWARE\Microsoft\SenseCM\EnrollmentStatus for any enrollment errors.
Reference: Troubleshooting MDE On-Boarding issues | Microsoft Community Hub
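As an added example (my own, not code from the thread or from Microsoft), a PowerShell script that collects on one target machine the evidence the checklist above asks for: the two registry locations, the execution policy per scope, which startup scripts Group Policy actually delivered, and the Sense service state with its latest events. It assumes the Group Policy\State key below is the machine's local cache of received startup scripts, and that OnboardingState = 1 is the onboarded value.

```powershell
# Added diagnostic example, not part of the forum thread. Run in an elevated session
# on the device that should have onboarded via the GPO startup script.

$atpStatus = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$senseCm   = 'HKLM:\SOFTWARE\Microsoft\SenseCM'
# Assumed: local cache of the startup scripts this machine received from Group Policy.
$gpScripts = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Onboarding state written by the Sense agent; 1 means onboarded. Anything else,
#    or a missing key, means the onboarding script never completed on this host.
$state = Get-RegValueOrNull -Path $atpStatus -Name 'OnboardingState'
$orgId = Get-RegValueOrNull -Path $atpStatus -Name 'OrgId'
$enrol = Get-RegValueOrNull -Path $senseCm   -Name 'EnrollmentStatus'

# 2. Execution policy per scope. A GPO startup script runs as SYSTEM, so MachinePolicy
#    and LocalMachine are the scopes that matter; CurrentUser does not apply to it.
$policy = Get-ExecutionPolicy -List

# 3. Which startup scripts did Group Policy hand to this machine, and does the path
#    resolve from here? Reachable is only meaningful for a full or UNC path, and a
#    True from your admin account does not prove SYSTEM has rights on that share.
$scripts = Get-ChildItem -Path $gpScripts -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.Script } |
    Select-Object Script, Parameters, @{ n = 'Reachable'; e = { Test-Path -LiteralPath $_.Script } }

# 4. Sense service state and its most recent operational events; connection and
#    onboarding failures surface here when the script ran but could not finish.
$sense  = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
$events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }

[pscustomobject]@{
    OnboardingState  = $state
    OrgId            = $orgId
    EnrollmentStatus = $enrol
    SenseService     = if ($sense) { "$($sense.Status)" } else { 'not installed' }
} | Format-List
'Execution policy by scope:';         $policy  | Format-Table -AutoSize
'Startup scripts from Group Policy:'; $scripts | Format-Table -AutoSize
'Latest SENSE operational events:';   $events  | Format-Table -AutoSize -Wrap
```

Compare the Startup scripts section against what RSOP reports for the GPO: if the script is listed but OnboardingState is still not 1, the problem is execution or connectivity on the host rather than GPO linkage.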
Thank you for the information. The script is in a location accessible from the machine. But I will try moving it to SYSVOL in case there is an issue with perms on the share due to being run by the system account or whichever was specified in the onboarding instructions. PowerShell execution policy was restricted and that is now unrestricted. I also turned off UAC just in case that was it. GPO is linked properly -- added optional settings to it and they show up when running RSOP. Concerning timing at startup: possible, but I have been logged on and run gpupdate /force. There are no onboarding errors and the status is a 2 which is apparently never onboarded.
I copied the script to the SYSVOL folder on the AD server and confirmed both that and the change to the GPO replicated. Waiting to see if that is the issue. Note that this is different from the onboarding directions, as they only state to put it into a folder that the system has access to.