Deploy MDE Toolkit across your fleet with centralized telemetry collection, Azure Function App ingestion, and Power BI-ready dashboards.
The MDE Toolkit enterprise collector runs silently on each endpoint, collecting security telemetry and uploading it to a central Azure Function App for storage in Azure Table Storage.
┌──────────────────────────────────────┐ │ Endpoint (Windows PC) │ │ │ │ ┌────────────────────────────────┐ │ │ │ Scheduled Task: Collect │ │ HTTPS/Bearer ┌──────────────────────┐ Table API ┌─────────────────────┐ │ │ Runs as: SYSTEM │ │ │ Azure Function App │ │ Azure Table │ │ │ Every 8 hours │ │ │ (PowerShell, MI) │ │ Storage │ │ │ --collect --no-upload │──┼── writes to cache ──┐ │ │ │ │ │ └────────────────────────────────┘ │ │ │ • Validates JSON │ │ • HealthReports │ │ │ │ │ • Flattens fields │ │ • One row/device │ │ ┌────────────────────────────────┐ │ │ │ • Writes to Table │ │ • Power BI ready │ │ │ Scheduled Task: Upload │ │ reads cache ───────┘ │ │ │ │ │ │ Runs as: Interactive User │ │ ────────────────────► │ │ ──────────────────► │ │ │ │ (BUILTIN\Users group) │ │ POST /api/ingest │ │ Upsert entity │ │ │ │ Every 8 hours │ │ + Entra bearer token │ │ │ │ │ │ --upload │ │ │ │ │ │ │ └────────────────────────────────┘ │ └──────────────────────┘ └─────────────────────┘ │ │ │ │ │ Registry config │ │ Managed Identity │ Power BI │ HKLM\SOFTWARE\ │ │ (Storage Table │ or custom │ Policies\MDE-Toolkit │ │ Data Contributor) │ dashboard └──────────────────────────────────────┘
DefaultAzureCredential uses to authenticate. Splitting gives you the best of both worlds.
Follow these guides in order to deploy MDE Toolkit across your fleet.
Create Storage Account, Function App, Entra ID app. Deploy the ingestion script and lock down with Identity Provider + Conditional Access.
2Configure enterprise registry settings, deploy the MSI via Intune/SCCM/GPO, verify scheduled tasks and end-to-end upload.
3Connect Power BI to Table Storage with ready-to-use Power Query and DAX measures for fleet security dashboards.