search

Deploy via Microsoft Defender Endpoint

hashtag
Overview

Microsoft Defender for Endpoint provides centralized visibility and remote management for enterprise devices. Microsoft Defender Live Response allows you to run scripts remotely on managed devices.

You can use Microsoft Defender Live Response to deploy the Akto MCP Endpoint Shield hook on developer machines. Hook installation enables Akto to monitor agent interactions from tools such as Cursor, Claude, or Gemini.

hashtag
Prerequisites

Microsoft Defender integration requires the following environment configuration.

  • Administrator access to the Microsoft Defender portal

  • Microsoft Defender for Endpoint license

  • Devices onboarded to Microsoft Defender for Endpoint

  • Supported operating systems: macOS, Windows, Linux

Devices must be onboarded using one of the supported onboarding methods:

  • Microsoft Intune onboarding

  • Local onboarding script or installation package

Verify device enrolment before running queries or deploying hooks.

  1. Open the Microsoft Defender portal.

  2. Navigate to Assets → Devices.

  3. Confirm that device status shows Active.

Active device status confirms that Microsoft Defender receives endpoint telemetry.

hashtag
Steps to Deploy

The deployment workflow consists of two stages:

  1. Optional visibility queries to identify AI agents and MCP usage across devices.

  2. Installation of the Akto MCP Endpoint Shield hook on developer machines.

1

hashtag
(Optional) Identify AI Agent Software Installed on Devices

Software inventory queries help you identify which AI development tools exist across enterprise devices.

  1. Open the Microsoft Defender portal.

  2. Navigate to Investigation & response → Hunting → Advanced hunting.

  3. Paste the following query into the query editor.

  4. Replace <your-device-name> with a hostname from the Devices inventory.

  5. Click Run query.

Query results show devices where AI tools such as Cursor, Windsurf, Claude, VS Code, or Codex are installed.

Remove the DeviceName filter to scan the entire device fleet.

2

hashtag
(Optional) Identify AI CLI Activity on Devices

Process telemetry queries help you determine which devices actively run AI CLI agents.

  1. Open Advanced hunting in the Microsoft Defender portal.

  2. Paste the following query into the query editor.

  3. Replace <your-device-name> with the target device hostname.

  4. Click Run query.

Query results show which CLI tools run on enterprise devices, including Claude CLI, GitHub Copilot CLI, Gemini CLI, Codex CLI, and Cursor CLI.

3

hashtag
(Optional) Detect MCP Configuration File Usage

MCP configuration files often define agent integrations and tool execution paths. Process telemetry queries help you detect devices referencing MCP configuration files.

  1. Open Advanced hunting in the Microsoft Defender portal.

  2. Paste the following query into the editor.

  3. Replace <your-device-name> with the device hostname.

  4. Click Run query.

Query results show devices referencing MCP configuration files such as:

  • mcp.json

  • mcp_config.json

  • claude_desktop_config.json

You can modify the query to add or remove file names depending on the MCP configurations used in your environment.

4

hashtag
Request the MCP Endpoint Shield Hook Script from Akto

MCP Endpoint Shield deployment requires a hook installation script provided by Akto.

circle-info

Contact the Akto support team at [email protected]envelope to obtain the required hook script.

5

hashtag
Upload the Hook Script to the Microsoft Defender Live Response Library

Microsoft Defender Live Response allows you to run scripts remotely on enterprise devices.

  1. Open the Microsoft Defender portal.

  2. Navigate to Settings.

  3. Select Endpoints → General → Live response library.

  4. Click Upload file.

  5. Upload the hook script received from the Akto support team.

Example script files include:

  • install_cursor_hooks.sh

  • install_claude_hooks.sh

  1. Add a description such as Akto – Install MCP Endpoint Shield hooks.

  2. Click Save.

The script must exist in the Live Response library before execution. Upload the script again whenever the script version changes.

6

hashtag
Run the Hook Script on a Device Using Live Response

Microsoft Defender Live Response allows script execution on individual devices.

  1. Open the Microsoft Defender portal.

  2. Navigate to Assets → Devices.

  3. Select the target device.

  4. Open the device details page.

  5. Click Initiate live response session.

  6. Wait until the Live Response session connects. Session initialization may take up to two minutes.

  7. After the Live Response console opens, run the hook installation command.

    Here we have taken the cursor hook script example:

The script name must match the file uploaded to the Live Response library.

The console displays execution output as the script runs.

  • Successful execution ends with:

  • Devices without the required IDE installed exit safely with the following output:

hashtag
Operational Notes

  • Microsoft Defender Live Response requires Microsoft Defender for Endpoint Plan 2.

  • Microsoft Defender Advanced Hunting queries support a maximum time range of 30 days.

  • Queries scope to a single device by default using DeviceName contains.

  • Removing the device filter runs queries across the entire device fleet and may return larger result sets.

hashtag
Get Support for your Akto setup

There are multiple ways to request support from Akto. We are 24X7 available on the following:

  1. In-app intercom support. Message us with your query on intercom in Akto dashboard and someone will reply.

  2. Join our discord channelarrow-up-right for community support.

  3. Contact [email protected] for email support.

PreviousGemini CLI HooksNextAI Agent Activity

Last updated