This article describes how to migrate (reonboard) devices that had been previously onboarded to Defender for Endpoint to use the streamlined device connectivity method. For more information on streamlined connectivity, see Onboarding devices using streamlined connectivity. Devices must meet the prerequisites listed in Streamlined connectivity.
In most cases, full device offboarding isn't required when reonboarding. You can run the updated onboarding package and reboot your device to switch connectivity over. See the following information for details on individual operating systems.
Important
Limitations and known issues:
- For device migrations (reonboarding): Offboarding isn't required to switch over to the streamlined connectivity method. Once the updated onboarding package is run, a full device reboot is required for Windows devices and a service restart for macOS and Linux. For more information, see the details included in this article.
- Windows 10 versions 1607, 1703, 1709, and 1803 don't support reonboarding. Offboard first and then onboard using the updated package. These versions also require a longer URL list.
- Devices running the MMA agent aren't supported and must continue using the MMA onboarding method.
Migrating devices using the streamlined method
Migration recommendation
- Start small. It's recommended to start with a small set of devices first. Apply the onboarding blob using any of the supported deployment tools, then monitor for connectivity. If you're using a new onboarding policy, exclude the devices from any other existing onboarding policies to prevent conflicts.
- Validate and monitor. After onboarding the small set of devices, validate that the devices are onboarded successfully and are communicating with the service.
- Complete migration. At this stage, you can gradually roll out the migration to a larger set of devices. To complete the migration, replace the previous onboarding policies and remove the old URLs from your network devices.
Validate device prerequisites before proceeding with any migrations. This information builds upon the previous article by focusing on migrating existing devices.
To reonboard devices, you need to use the streamlined onboarding package. For more information on how to access the package, see Streamlined connectivity.
Depending on the OS, migrations might require a device reboot or service restart once the onboarding package is applied:
- Windows: Reboot the device.
- macOS: Reboot the device or restart the Defender for Endpoint service by running:
  sudo launchctl unload /Library/LaunchDaemons/com.microsoft.fresno.plist
  sudo launchctl load /Library/LaunchDaemons/com.microsoft.fresno.plist
- Linux: Restart the Defender for Endpoint service by running:
  sudo systemctl restart mdatp
The following sections list migration instructions for the available onboarding tools, grouped by the device's operating system.
Windows 10 and 11
Important
Windows 10 versions 1607, 1703, 1709, and 1803 don't support reonboarding. To migrate existing devices, you need to fully offboard and onboard using the streamlined onboarding package.
For general information on onboarding Windows client devices, see Onboarding Windows Client.
Confirm prerequisites are met: Prerequisites for using streamlined method.
Local script
Follow the guidance in Local script (up to 10 devices) using the streamlined onboarding package. After completing the steps, you must restart the device for device connectivity to switch over.
Group policy
Follow the guidance in Group policy using the streamlined onboarding package. After completing the steps, you must restart the device for device connectivity to switch over.
Microsoft Intune
Follow the guidance in Intune using the streamlined onboarding package. You can use the "auto from connector" option; however, this option doesn't automatically reapply the onboarding package. Create a new onboarding policy and target a test group first. After completing the steps, you must restart the device for device connectivity to switch over.
Microsoft Configuration Manager
Follow the guidance in Configuration Manager.
VDI
Use the guidance in Onboard non-persistent virtual desktop infrastructure (VDI) devices. After completing the steps, you must restart the device for device connectivity to switch over.
Verifying device connectivity with streamlined method for migrated devices
You can use the following methods to check that you have successfully connected Windows devices:
- Client analyzer
- Tracking with advanced hunting in Microsoft Defender XDR
- Track locally using Event Viewer (for Windows)
- Run tests to confirm connectivity with Defender for Endpoint services
- Checking the registry editor
- PowerShell detection test
For macOS and Linux, you can use the following methods:
- MDATP connectivity tests
- Tracking with advanced hunting in Microsoft Defender XDR
- Run tests to confirm connectivity with Defender for Endpoint services
Use Defender for Endpoint Client Analyzer (Windows) to validate connectivity after onboarding for migrated endpoints
Once onboarded, run the MDE Client Analyzer to confirm your device is connecting to the appropriate updated URLs.
Download the Microsoft Defender for Endpoint Client Analyzer tool onto the device where the Defender for Endpoint sensor is running.
You can follow the same instructions as in Verify client connectivity to Microsoft Defender for Endpoint service. The script automatically uses the onboarding package configured on the device (should be streamlined version) to test connectivity.
Ensure connectivity is established with the appropriate URLs.
Tracking with advanced hunting in Microsoft Defender XDR
You can use advanced hunting in Microsoft Defender portal to view the connectivity type status.
This information is found in the DeviceInfo table under the "ConnectivityType" column:
- Column Name: ConnectivityType
- Possible Values: <blank>, Streamlined, Standard
- Data type: String
- Description: Type of connectivity from the device to the cloud
Once a device is migrated to use the streamlined method and the device establishes successful communication with the EDR command & control channel, the value is represented as "Streamlined".
If you move the device back to the regular method, the value is "Standard".
For devices that have not attempted to reonboard, the value remains empty.
Tracking locally on a device through Windows Event Viewer
You can use Windows Event Viewer's SENSE operational log to locally validate connections with the new streamlined approach. SENSE Event ID 4 tracks successful EDR connections.
Open the Defender for Endpoint service event log using the following steps:
- On the Windows menu, select Start, then type Event Viewer. Then select Event Viewer.
- In the log list, under Log Summary, scroll down until you see Microsoft-Windows-SENSE/Operational. Double-click the item to open the log.
  - You can also access the log by expanding Applications and Services Logs > Microsoft > Windows > SENSE and selecting Operational.
- Event ID 4 tracks successful connections with the Defender for Endpoint Command & Control channel. Verify successful connections with the updated URL. For example:
  Contacted server 6 times, all succeeded, URI: <region>.<geo>.endpoint.security.microsoft.com.
  <EventData>
    <Data Name="UInt1">6</Data>
    <Data Name="Message1">https://<region>.<geo>.endpoint.security.microsoft.com</Data>
  </EventData>
- Message1 contains the contacted URL. Confirm the event includes the streamlined URL (endpoint.security.microsoft.com).
- Event ID 5 tracks errors, if applicable.
Note
SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint. 
Events recorded by the service appear in the log. 
For more information, see Review events and error using Event Viewer.
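The Event ID 4 and Event ID 5 check above can be scripted. The following PowerShell is an added example, not code from the Microsoft article: it reads the SENSE operational log, pulls the contacted URI out of each event's Message1 field, and reports whether successful connections are reaching the streamlined endpoint.security.microsoft.com suffix. The 24-hour look-back window and the parameter names are assumptions.

```powershell
# Added example (not from the article): summarize SENSE Event ID 4 (success) and 5 (error)
# entries to confirm the EDR channel reaches the streamlined URL after reonboarding.
# Assumptions: run in an elevated PowerShell session on the migrated Windows device;
# the log name, event IDs and Message1 field are as the article describes.
param(
    [int]$Hours = 24,                                          # look-back window (assumed default)
    [string]$StreamlinedSuffix = 'endpoint.security.microsoft.com'
)

$filter = @{
    LogName   = 'Microsoft-Windows-SENSE/Operational'
    Id        = 4, 5
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No SENSE Event ID 4/5 entries in the last $Hours hours. Has the device rebooted since the package was applied?"
    return
}

# Read the EventData fields from each event's XML so the contacted URI (Message1) can be inspected.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        Uri         = $data['Message1']
        Streamlined = [bool]($data['Message1'] -like "*$StreamlinedSuffix*")
    }
}

$okStreamlined = @($rows | Where-Object { $_.Id -eq 4 -and $_.Streamlined })
$okOther       = @($rows | Where-Object { $_.Id -eq 4 -and -not $_.Streamlined })
$errors        = @($rows | Where-Object { $_.Id -eq 5 })

"Successful connections to the streamlined URL : $($okStreamlined.Count)"
"Successful connections to other URLs          : $($okOther.Count)"
"Error events (Event ID 5)                     : $($errors.Count)"

# Show the latest successful connections so the URL itself can be checked by eye.
$rows | Where-Object { $_.Id -eq 4 } | Sort-Object Time -Descending |
    Select-Object -First 5 Time, Uri | Format-Table -AutoSize

if ($okStreamlined.Count -eq 0) {
    Write-Warning 'No successful connection to the streamlined URL yet; confirm the streamlined package was applied and the device rebooted.'
}
```

A device that shows only connections to other URLs after a reboot is still on the previous connectivity method and should be revisited before the rollout is widened.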
Run tests to confirm connectivity with Defender for Endpoint services
Once the device is onboarded to Defender for Endpoint, validate that it's continuing to appear in Device Inventory. The DeviceID should remain the same.
Check the Device Page Timeline tab to confirm events are flowing from the device.
Live Response
Ensure Live Response is working on your test device. Follow instructions in Investigate entities on devices using live response.
Make sure to run a couple of basic commands post-connection to confirm connectivity (such as cd, jobs, connect).
Automated investigation and response
Ensure that Automated investigation and response is working on your test device: Configure automated investigation and response capabilities.
For Auto-IR testing labs, navigate to Microsoft Defender XDR > Evaluations & Tutorials > Tutorials & Simulations > Tutorials > Automated Investigation tutorials.
Cloud-delivered protection
- Open a Command Prompt as an administrator.
  - Right-click the item in the Start menu, select Run as administrator, then select Yes at the permissions prompt.
- Use the following argument with the Microsoft Defender Antivirus command-line utility (mpcmdrun.exe) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
  "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
Note
This command only works on Windows 10, version 1703 or higher, or Windows 11. For more information, see Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool.
Test Block at First Sight
Follow instructions in Microsoft Defender for Endpoint Block at First Sight (BAFS) demonstration.
Test SmartScreen
Follow instructions in Microsoft Defender SmartScreen Demo (msft.net).
PowerShell detection test
- On the Windows device, create a folder: C:\test-MDATP-test.
- Open Command Prompt as an administrator.
- In the Command Prompt window, run the following PowerShell command:
  powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
After the command runs, the Command Prompt window closes automatically. If successful, the detection test is marked as completed.
For macOS and Linux, you can use the following methods:
- MDATP connectivity tests
- Tracking with advanced hunting in Microsoft Defender XDR
- Run tests to confirm connectivity with Defender for Endpoint services
MDATP connectivity test (macOS and Linux)
Run mdatp health --details edr to confirm edr_partner_geo_location is available. The value should be GW_<geo> where 'geo' is your tenant's geo-location.
Run mdatp connectivity test. Ensure the streamlined URL pattern is present. You should expect two entries for '/storage', one for '/mdav', one for '/xplat', and one for '/packages'.
For example: https://mdav.us.endpoint.security.microsoft.com/storage
Tracking with advanced hunting in Microsoft Defender XDR
To view all devices (limit 30k) and their most recently reported connectivity type:
DeviceInfo
| where OnboardingStatus == "Onboarded"
// arg_max keeps, per device, the row with the latest Timestamp and returns its ConnectivityType
| summarize arg_max(Timestamp, ConnectivityType) by DeviceName
To view a count of Devices by OSPlatform and their connectivity type in a bar chart:
DeviceInfo
| where OnboardingStatus == "Onboarded"
// latest report per device, carrying ConnectivityType and OSPlatform along
| summarize arg_max(Timestamp, ConnectivityType, OSPlatform) by DeviceName
| summarize count() by OSPlatform, ConnectivityType
| render columnchart
Use Defender for Endpoint Client Analyzer (cross-platform) to validate connectivity for newly migrated endpoints
Download and run the client analyzer for macOS or Linux. For more information, see Download and run the client analyzer.
- Run mdeclientanalyzer.cmd -o <path to cmd file> from within the MDEClientAnalyzer folder. The command uses parameters from the onboarding package to test connectivity.
- Run mdeclientanalyzer.cmd -g <GW_US, GW_UK, GW_EU> (where the parameter is one of GW_US, GW_EU, GW_UK). GW refers to the streamlined option. Run with the applicable tenant geo.