Forum Discussion
mattmcb
Jun 26, 2025, Copper Contributor
Can onboard to MDE with stand-alone script, but gpo option does not work.
I'm sure this question has been asked before, but I have not been able to find anything. I can use the stand-alone script to get a workstation onboarded, but using the GPO option is not working. If anyone ha...
Kidd_Ip
Jun 27, 2025, MVP
Please check the below:
- GPO Scope & Linkage
  - Ensure the GPO is linked to the correct OU where the target machines reside.
  - Confirm the security filtering includes the intended computers or groups.
- Script Execution Policy
  - The onboarding script deployed via GPO must be allowed to run. Make sure the PowerShell execution policy isn't blocking it (RemoteSigned or Unrestricted is usually safe).
- Startup Script Timing
  - GPO onboarding uses a startup script, not a logon script. If the machine boots too quickly or the network isn't ready, the script might silently fail.
- Network Connectivity
  - The device must be able to reach the required MDE endpoints. You can test this using the MDE Client Analyzer tool.
- Script Placement
  - The onboarding script should be placed in the SYSVOL share or a location accessible to all target machines.
- Registry Clues
  - Check `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status` for onboarding status.
  - Also look at `HKLM\SOFTWARE\Microsoft\SenseCM\EnrollmentStatus` for any enrollment errors.

Reference: Troubleshooting MDE On-Boarding issues | Microsoft Community Hub
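An added diagnostic script, not part of the thread or of Microsoft's tooling, that gathers the clues listed above on one workstation in a single elevated PowerShell run. The `OnboardingState` value (1 = onboarded) and the `Sense` service name come from Microsoft's MDE onboarding documentation; the layout and the event count are assumptions.

```powershell
# Added diagnostic (not from the thread): collect MDE onboarding clues on the local machine.
# Run as Administrator on the workstation that the GPO should have onboarded.
$atpStatus = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$senseCm   = 'HKLM:\SOFTWARE\Microsoft\SenseCM'

# 1. Registry state written by the onboarding script. A missing key means the
#    script never ran here at all; OnboardingState = 1 means onboarded.
$status = Get-ItemProperty -Path $atpStatus -ErrorAction SilentlyContinue
if ($null -eq $status) {
    Write-Host 'Status key missing: the onboarding script has never run on this machine.'
} else {
    Write-Host ('OnboardingState = {0}' -f $status.OnboardingState)
}

# 2. SenseCM enrollment status, printed raw (non-success codes are not decoded here).
$enroll = Get-ItemProperty -Path $senseCm -Name EnrollmentStatus -ErrorAction SilentlyContinue
if ($enroll) { Write-Host ('EnrollmentStatus = {0}' -f $enroll.EnrollmentStatus) }

# 3. The Sense service exists and runs once onboarding has succeeded.
$svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status } else { 'not installed' }
Write-Host ('Sense service: {0}' -f $svcState)

# 4. Execution policy per scope. The startup script runs as SYSTEM under the
#    MachinePolicy/LocalMachine scopes, not under the logged-on user's scope.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 5. Confirm the onboarding GPO is actually applied to the computer object
#    (startup scripts are computer policy, so use the computer scope).
gpresult /r /scope:computer

# 6. Recent SENSE operational events show connectivity and enrollment failures.
Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

If step 1 reports the key as missing while step 5 lists the GPO as applied, the script was delivered but did not execute, which points at execution policy, script placement or startup timing rather than at network reachability.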
mattmcb
Jun 27, 2025, Copper Contributor
I have tried the following things to resolve it:
- Turned off UAC just in case
- Set the execution policy to Unrestricted
- Moved the script to SYSVOL; confirmed replication of the script and updated the GPO
- Set optional settings for MDE and confirmed they apply to the test system

No registry errors that I can tell; the value for Status is 2, which apparently is "never onboarded".

Concerning startup timing: it is a VM, so I'm not sure how fast it boots. Is there a way to determine if that or something else is the issue?