This comprehensive guide walks you through deploying ShieldChecker, a security testing platform that validates Microsoft Defender XDR detections through real-world test execution.
Before beginning the deployment, ensure you have the following requirements:
- Azure PowerShell Module (latest version)
- PowerShell Core 7+
- Azure CLI (latest version)
- Bicep CLI (latest version)
- Dedicated Test Tenant (strongly recommended for production isolation)
- Microsoft 365 E5/A5 License (provides Microsoft Defender XDR capabilities)
- Azure Subscription with sufficient permissions
- Global Administrator or equivalent permissions for initial setup
- Estimated monthly cost: ~$200 USD (Azure pay-as-you-go pricing)
- CPU core availability for parallel worker VMs
- Storage requirements for test artifacts and logs
- Navigate to Entra ID in the Azure portal
- Create a new security group:
- Name:
sg-ShieldChecker-DB-Admins(or your preferred naming convention) - Type: Security
- Membership type: Assigned
- Name:
- Add members to the group:
- Add your user account for manual deployments
- For CI/CD pipelines, add the Service Principal instead
- Document the following for deployment:
- Group name
Confirm all required tools are properly installed:
# Verify PowerShell version (should be 7.0+)
$PSVersionTable.PSVersion
- Download the latest version from the GitHub Releases page
- Extract the archive to your preferred deployment directory
- Open PowerShell Core and navigate to the extracted folder:
cd "C:\Path\To\Extracted\ShieldChecker"Authenticate to Azure and select the target subscription:
# Connect to Azure (will open browser for authentication)
Connect-AzAccount
# List available subscriptions
Get-AzSubscription
# Select the target subscription
Select-AzSubscription -SubscriptionId "<YourSubscriptionId>"
# Verify current context
Get-AzContextRun the deployment script with your environment-specific parameters:
./Invoke-Deploy.ps1 -SQLAdminGroupName "<SQLAdminGroupName>" `
-ApplicationName "<ApplicationName>" `
-ResourceGroupName "<ResourceGroupName>" `
-adminPw (Read-Host -Prompt "Enter Admin Password" -AsSecureString) `
-CreateRessourceGroupIfNotExistsLocation "<AzureRegion>"| Parameter | Description | Example |
|---|---|---|
SQLAdminGroupName |
Entra ID group name for database administration | sg-ShieldChecker-DB-Admins |
ApplicationName |
Unique name for the application (used in resource naming) | sc-prod |
ResourceGroupName |
Azure resource group name (created if doesn't exist) | rg-shieldchecker-prod |
adminPw |
Secure password for administrative accounts | Prompted securely |
CreateRessourceGroupIfNotExistsLocation |
Azure region for deployment | East US, West Europe, ... |
./Invoke-Deploy.ps1 -SQLAdminGroupName "sg-ShieldChecker-DB-Admins" `
-ApplicationName "sc-prod" `
-ResourceGroupName "rg-shieldchecker-prod" `
-adminPw (Read-Host -Prompt "Enter Admin Password" -AsSecureString) `
-CreateRessourceGroupIfNotExistsLocation "westeurope"- Expected Duration: 15-30 minutes
- Progress Monitoring: Watch PowerShell output for deployment status
- Completion Indicator: "Deployment script completed successfully" message
Important: Document all deployment parameters for future updates and maintenance.
After successful deployment, access your ShieldChecker instance:
- Locate the Web App URL in the deployment output
- Navigate to the application in your browser
- Start the First Run Wizard to complete the setup
The First Run Wizard guides you through the essential configuration steps required for ShieldChecker operation.
- Review the setup overview and system requirements
- Verify deployment status of core components
- Click "Start Wizard" to begin configuration
Critical Configuration Step: To enable automatic MDE onboarding for worker devices, you must provide onboarding scripts from your Microsoft 365 Defender portal.
How to obtain MDE onboarding scripts:
- Navigate to Microsoft 365 Defender portal (security.microsoft.com)
- Go to Settings > Endpoints > Device management > Onboarding
- Select Windows as the operating system
- Choose VDI Onboarding Script as the deployment method
- Download the onboarding package
- Extract and copy the script content into the ShieldChecker configuration
- Repeat step 3-6 for Linux and Local Script.
Script Format Verification: Ensure your scripts match the format shown in the screenshots above.
Automatic Permission Verification: This step validates that all required Azure permissions were granted correctly during deployment. If missing then a script is provided for fixing the problem.
Common Permission Requirements:
- Microsoft Graph API permissions for Entra ID integration
- Azure Resource Manager permissions for VM management
- Microsoft Defender for Endpoint API access
Test Framework Integration: Import pre-built security tests to quickly start validation.
Available Test Sources:
- Atomic Red Team: Comprehensive collection of security tests mapped to MITRE ATT&CK
- Other Test Libraries: Other libraries will be integrated in the future.
Domain Controller Status Monitoring:
- Initializing: Domain controller deployment in progress
- Initialized: Ready for test execution
- Error: Review logs and troubleshoot deployment issues
Next Steps: Once the Domain Controller status shows "Initialized" and you have imported or created tests, you can begin executing security validations.
After the First Run Wizard completes:
- Verify all components are operational on the homepage/dashboard
- Create or import your first security tests
- Execute a test run to validate the platform
- Review the generated reports and detections
For detailed guidance on test creation and execution, refer to:
For version updates that only affect the web application and database components:
./Invoke-UpdateWebAppAndSql.ps1 -ResourceGroupName "<ResourceGroupName>" `
-sqlServerName "<SQLServerName>" `
-sqlServerDatabaseName "<SQLServerDatabaseName>" `
-webAppName "<WebAppName>" `
-TestDomainFQDN "<TestDomainFQDN>"When to use update vs. full deployment:
- Use Update Script: Minor version updates, web app changes only
- Use Full Deployment: Major version updates, infrastructure changes, new features
Parameter Reference for Web Update Only:
| Parameter | How to Find | Example |
|---|---|---|
ResourceGroupName |
Azure portal or original deployment parameters | rg-shieldchecker-prod |
sqlServerName |
Azure portal > SQL servers | sql-shieldchecker-prod |
sqlServerDatabaseName |
Azure portal > SQL databases | sqldb-shieldchecker |
webAppName |
Azure portal > App Services | app-shieldchecker-prod |
Automated Backups:
- SQL Database: Backups can be enabled
- Test Definitions: Backed up with database
Health Monitoring:
- Azure Application Insights integration
- Built-in health checks in the web application
- Domain Controller status monitoring ind dashboard
Common Issues and Solutions:
| Issue | Symptoms | Resolution |
|---|---|---|
| Domain Controller not initializing | Status remains "Initializing" | Check Azure VM deployment logs, and logs provided in the ShieldChecker UI |
| MDE onboarding failures | Worker VMs not appearing in Defender portal | Verify onboarding script configuration, check network connectivity |
- Contents - Documentation Index
- GitHub Issues - Report bugs and request features
- Project Homepage - Latest news and updates
Note: ShieldChecker is a community-driven project maintained as a hobby. While we strive to help, there are no guaranteed response times or support SLAs.