Enterprise Setup Guide

Deploy MDE Toolkit across your fleet with centralized telemetry collection, Azure Function App ingestion, and Power BI-ready dashboards.

Architecture Overview

The MDE Toolkit enterprise collector runs silently on each endpoint, collecting security telemetry and uploading it to a central Azure Function App for storage in Azure Table Storage.

┌──────────────────────────────────────┐
│         Endpoint (Windows PC)        │
│                                      │
│  ┌────────────────────────────────┐  │
│  │  Scheduled Task: Collect       │  │      HTTPS/Bearer       ┌──────────────────────┐      Table API       ┌─────────────────────┐
│  │  Runs as: SYSTEM               │  │                         │  Azure Function App  │                      │  Azure Table        │
│  │  Every 8 hours                 │  │                         │  (PowerShell, MI)    │                      │  Storage            │
│  │  --collect --no-upload         │──┼── writes to cache ──┐   │                      │                      │                     │
│  └────────────────────────────────┘  │                     │   │  • Validates JSON    │                      │  • HealthReports    │
│                                      │                     │   │  • Flattens fields   │                      │  • One row/device   │
│  ┌────────────────────────────────┐  │                     │   │  • Writes to Table   │                      │  • Power BI ready   │
│  │  Scheduled Task: Upload        │  │  reads cache ───────┘   │                      │                      │                     │
│  │  Runs as: Interactive User     │  │ ────────────────────►   │                      │ ──────────────────►  │                     │
│  │  (BUILTIN\Users group)         │  │    POST /api/ingest     │                      │    Upsert entity     │                     │
│  │  Every 8 hours                 │  │   + Entra bearer token  │                      │                      │                     │
│  │  --upload                      │  │                         │                      │                      │                     │
│  └────────────────────────────────┘  │                         └──────────────────────┘                      └─────────────────────┘
│                                      │                                 │                                            │
│  Registry config                     │                                 │  Managed Identity                          │  Power BI
│  HKLM\SOFTWARE\                      │                                 │  (Storage Table                            │  or custom
│  Policies\MDE-Toolkit                │                                 │   Data Contributor)                        │  dashboard
└──────────────────────────────────────┘
No secrets on endpoints. Collection runs as SYSTEM while upload runs as the interactive user (Entra ID PRT). The Function App uses Managed Identity to write to Table Storage. No keys, connection strings, or certificates on endpoints.
Why two tasks? SYSTEM reads all local Defender configuration but cannot acquire an Entra ID user token. The logged-on user has a PRT that DefaultAzureCredential uses to authenticate. Splitting gives you the best of both worlds.

Setup Steps

Follow these guides in order to deploy MDE Toolkit across your fleet.

Prerequisites

Azure Resources

  • Azure Subscription (Commercial or Government)
  • Azure Function App (PowerShell runtime)
  • Azure Storage Account with Table Storage
  • Entra ID App Registration

Endpoints

  • Windows 10 1809+ or Windows 11
  • .NET 8 Desktop Runtime
  • Entra ID joined or Hybrid joined
  • Network access to Function App URL

Start Setup →