ATP onboarding - only possible after interactive login?

Hello everybody,

We are currently deploying MDATP through SCCM and found out something that is, at least for me, quite shocking:

The onboarding is only processed correctly after a user has signed in on the device.
If you have a couple of machines that are turned on but not frequently used, this could become a problem. For example, we have a lot of virtual machines which are mostly used for testing purposes, so it can happen that they are not used for some time.

If no one has signed in after onboarding, there is Event ID 19 in the SENSE event log stating 'OOBE has not yet completed', and the onboarding does not continue (e.g. Defender ATP is not running and the device is not onboarded in the cloud portal).
In our case, OOBE is processed via the SCCM task sequence and Unattended.xml during the build of the machine; our users don't see the OOBE at any point.

The affected devices were not freshly built, but had been in use for some time and had countless user logons, just not after Defender ATP was deployed.

The ATP onboarding is not performed until an "interactive logon" has been performed (either physically or via RDP). It is not enough to establish a WinRM session.

After a successful logon, the SENSE event log shows Event ID 18 'OOBE is completed' and the onboarding process begins.

We opened a ticket with Microsoft Support and were told that this is the expected behaviour.

If a dev or product manager is reading: could someone please tell me what the design decision behind this behaviour was? This could lead to severe security problems, because the devices are not onboarded to ATP, and a possible attacker could execute his attack on such devices and no one would see it, because they are not protected by ATP.

Best regards

Stefan

6 Replies

@SteBeSec I recently requested that they update the docs to reflect this missing step.

In a troubleshooting article (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/troublesh...) there is a section that hints that you need to log on, with the following heading:

"Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed"

There is a section below that has a very interesting way of dealing with that: creating a package that will force a service to start and update the registry to get past this limitation. This might be worth it for you, but from an Intune\MEM point of view it doesn't help.

Hi Jlouden,

I know this article, but unfortunately that is not the case in our situation.
The Sense service is running and onboarding information is present on the affected machines, but the onboarding is still not performed.

You have to log in to a machine to start the onboarding process.

@SteBeSec Hi, do you have any update on this?

Yes, last week an escalation engineer told me that the fix is part of the current Cumulative Update preview (April C release) and will be part of the next "normal" Cumulative Update (May B release).

I can confirm that the fix works as expected.

Hi, thanks for this information. Very useful to know a hotfix is available!
Do you have a hotfix KB number?
I've had a look through the patch release notes for the April Preview / May Release but can't see any reference to this fix being included.
Hi,
Sorry for the late reply (I was moving). The changes are available in:
Windows 10 1809 / Windows Server 2019 - KB5001384
Windows 10 1909 - KB5001396
Windows 10 2004 / 20H2 - KB5001391
+ any future OS edition
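The check a practitioner would want after reading this thread, as an added example that is not code from the original posts, from Microsoft or from the linked troubleshooting article: a PowerShell function that reports, for one or many hosts, whether Sense is still parked on Event ID 19 ("OOBE has not yet completed", as described in the first post) and whether the KB named in the last reply is present for that host's build. Assumptions of mine, not stated in the thread: the event log name Microsoft-Windows-SENSE/Operational, the service name Sense, the registry value OnboardingState under HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status (1 = onboarded), and the build-number-to-KB mapping in the table. The host names TESTVM01 and TESTVM02 are placeholders.

```powershell
# Added example, not from the thread. Triage Sense/MDATP onboarding state on one or more hosts.
# Assumptions (mine, not from the thread): log name 'Microsoft-Windows-SENSE/Operational',
# service name 'Sense', registry value OnboardingState under the ATP Status key (1 = onboarded),
# and the OS-build-to-KB mapping below. Event IDs 18 (OOBE completed) and 19 (OOBE not yet
# completed) and the KB numbers are taken from the thread itself.

# KB that removed the interactive-logon requirement, keyed by OS build number (string keys so the
# table survives WinRM serialisation unchanged). Mapping of build to KB is my assumption.
$FixByBuild = @{
    '17763' = 'KB5001384'   # Windows 10 1809 / Windows Server 2019
    '18363' = 'KB5001396'   # Windows 10 1909
    '19041' = 'KB5001391'   # Windows 10 2004
    '19042' = 'KB5001391'   # Windows 10 20H2
}

function Get-SenseOnboardingStatus {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [hashtable]$KbByBuild = $FixByBuild
    )

    $probe = {
        param([hashtable]$KbByBuild)

        $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
        $onboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
                                -ErrorAction SilentlyContinue).OnboardingState
        $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

        # Newest OOBE-related Sense event: 18 = OOBE completed, 19 = OOBE not yet completed.
        # Get-WinEvent returns newest first, so -MaxEvents 1 is the latest of the two IDs.
        $oobeEvent = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-SENSE/Operational'; Id = 18, 19
        } -MaxEvents 1 -ErrorAction SilentlyContinue

        $build = [string][Environment]::OSVersion.Version.Build
        $fixKb = $KbByBuild[$build]
        # Get-HotFix only lists an update that is still installed as itself; a later cumulative
        # update supersedes it, so $false here does not by itself mean the fix is missing.
        $fixInstalled = if ($fixKb) { [bool](Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue) } else { $null }

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Build           = $build
            SenseService    = if ($sense) { [string]$sense.Status } else { 'Missing' }
            OnboardingState = $onboardingState
            LastOobeEvent   = if ($oobeEvent) { $oobeEvent.Id } else { $null }
            LastOobeTime    = if ($oobeEvent) { $oobeEvent.TimeCreated } else { $null }
            FixKb           = $fixKb
            FixInstalled    = $fixInstalled
            # The symptom from the first post: service up, onboarding info present, but the
            # sensor is waiting on OOBE (last event is 19) and the device is not onboarded.
            StuckOnOobe     = [bool]($onboardingState -ne 1 -and $oobeEvent -and $oobeEvent.Id -eq 19)
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $probe $KbByBuild
        } else {
            # WinRM is enough to read the state; per the thread it is not enough to change it.
            Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $KbByBuild
        }
    }
}

# Usage: list the hosts that are still waiting for an interactive logon (host names are placeholders)
Get-SenseOnboardingStatus -ComputerName 'TESTVM01', 'TESTVM02' |
    Where-Object StuckOnOobe |
    Format-Table Computer, Build, SenseService, OnboardingState, LastOobeTime, FixKb, FixInstalled
```

Because the first post reports that a WinRM session does not trigger onboarding, running this probe over Invoke-Command is a read-only check and will not alter the state it measures. It only finds the stuck machines; the remediation is still what the thread describes, an interactive (console or RDP) logon on each host, or installing the listed cumulative update, after which Event ID 18 should appear and OnboardingState should change to 1.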