From 40e44df8e51541d606c7a6cfe8b775c47233d15a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 10 Dec 2018 14:22:54 -0800 Subject: [PATCH 1/8] add steps to go to asc to onboard servers --- ...ts-windows-defender-advanced-threat-protection.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 32cc18106d..5a5b8f85c8 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 11/02/2018 +ms.date: 12/10/2018 --- # Onboard servers to the Windows Defender ATP service 
@@ -41,14 +41,14 @@ For a practical guidance on what needs to be in place for licensing and infrastr ## Windows Server 2012 R2 and Windows Server 2016 -To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to: +To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to take the following steps: - For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. >[!NOTE] >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. -- Turn on server monitoring from Windows Defender Security Center. +- Go to Azure Security Center to onboard servers (recommended) or turn on server monitoring from Windows Defender Security Center. For more information on how to onboard servers in Azure Security Center - If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. >[!TIP] 
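Review bot: the new bullet in the @@ -41,14 +41,14 @@ hunk ends mid-sentence. `+- Go to Azure Security Center to onboard servers (recommended) or turn on server monitoring from Windows Defender Security Center. For more information on how to onboard servers in Azure Security Center` has no link, period or continuation after "Azure Security Center", so it ships as a dangling clause; either finish it with the target link or drop the second sentence. The same hunk rewords the intro to "you'll need to take the following steps:", but the list that follows now folds a choice (Azure Security Center versus the Windows Defender Security Center portal) into what reads as a sequence of required steps; splitting it into two explicit options would make the choice visible.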
@@ -64,6 +64,12 @@ The following steps are required to enable this integration: - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting +### Onboard servers through Azure Security Center (recommended) +1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + +2. Select Windows server 2012, 2012R2 and 2016 as the operating system. + +3. Click **Go to Azure Security Center to onboard servers**. ### Turn on Server monitoring from the Windows Defender Security Center portal From d0558198ac74ca3566bd0f292ffa356a4b915bb8 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 14 Dec 2018 13:26:46 -0800 Subject: [PATCH 2/8] update date --- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 707a5887a8..7780c8b9eb 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 12/11/2018 --- # Onboard Windows 10 machines using System Center Configuration Manager From 55de32ffd23465a4110d0364f98714efe23b4cc6 Mon Sep 17 00:00:00 2001 
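Review bot: the `### Onboard servers through Azure Security Center (recommended)` block added in the @@ -64,6 +64,12 @@ hunk is inserted directly under the SCEP "The following steps are required to enable this integration" bullets, so it reads as a continuation of the SCEP procedure rather than as an alternative to the portal method that follows it. Step 1 says "In the navigation pane" without naming the portal (the heading says Azure Security Center, but the Settings > Machine management > Onboarding path is the Windows Defender Security Center one), and step 2 offers "Windows server 2012" although the section is scoped to 2012 R2 and 2016. Name the portal in step 1, drop 2012 from step 2, and place the block under its own heading ahead of the SCEP subsection.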
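Review bot: patch 2/8 changes only `-ms.date: 04/24/2018` to `+ms.date: 12/11/2018` on the SCCM onboarding page, with no content change in the diff (1 insertion, 1 deletion), and the new value disagrees with the commit date of 14 Dec 2018. Bumping the freshness date of an unchanged page gives readers a wrong signal; drop this patch or fold the date bump into a commit that actually edits that page.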
From: Joey Caparas Date: Mon, 17 Dec 2018 16:07:13 -0800 Subject: [PATCH 3/8] add options in --- ...ows-defender-advanced-threat-protection.md | 24 +++++++++++++------ 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 5a5b8f85c8..14151cc1cc 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -41,7 +41,23 @@ For a practical guidance on what needs to be in place for licensing and infrastr ## Windows Server 2012 R2 and Windows Server 2016 -To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to take the following steps: +There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP: +- **Option 1**: Onboard through Azure Security Center (recommended) +- **Option 2** Onboard through Windows Defender Security Center + + +### Option 1: Onboard servers through Azure Security Center (recommended) +1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + +2. Select Windows server 2012, 2012R2 and 2016 as the operating system. + +3. Click **Go to Azure Security Center to onboard servers**. + +4. Follow the onboarding steps in Azure Security Center. + + +### Option 2: Onboard servers through Windows Defender Security Center +You'll need to take the following steps if you opt to onboard servers through Windows Defender Security Center. - For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. 
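Review bot: `+- **Option 2** Onboard through Windows Defender Security Center` in the @@ -41,7 +41,23 @@ hunk is missing the colon that the Option 1 line has; patch 7/8 in this series fixes that one character and should be squashed here. Step 2 under Option 1 still lists "Windows server 2012" although the section is scoped to 2012 R2 and 2016 (patch 4/8 removes it; same squash). Step 1 again says "In the navigation pane" without naming the Windows Defender Security Center portal, which matters here because the heading says the option is "through Azure Security Center" and step 3 only then sends the reader there.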
@@ -64,12 +80,6 @@ The following steps are required to enable this integration: - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting -### Onboard servers through Azure Security Center (recommended) -1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. - -2. Select Windows server 2012, 2012R2 and 2016 as the operating system. - -3. Click **Go to Azure Security Center to onboard servers**. ### Turn on Server monitoring from the Windows Defender Security Center portal From a7b9ec6f3fd1011f90f0d7f7b7b2f28428b05b35 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 17 Dec 2018 16:19:55 -0800 Subject: [PATCH 4/8] remove 2012 --- ...ver-endpoints-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 54976ad8b9..d0d4e81ca1 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md 
@@ -69,7 +69,7 @@ The following steps are required to enable this integration: 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. -2. Select Windows server 2012, 2012R2 and 2016 as the operating system. +2. Select **Windows server 2012R2 and 2016** as the operating system. 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. From 4c761809ca190af054bdf8d638f7a087129009f9 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 17 Dec 2018 16:21:51 -0800 Subject: [PATCH 5/8] update date --- ...ver-endpoints-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index d0d4e81ca1..006fad4ca9 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 12/14/2018 +ms.date: 12/17/2018 --- # Onboard servers to the Windows Defender ATP service From b0a89df225f8ae70f0ba2b3cbc0d456d06c46310 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 17 Dec 2018 16:38:07 -0800 Subject: [PATCH 6/8] add options back in --- ...ows-defender-advanced-threat-protection.md | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 006fad4ca9..54ba5609cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -41,7 +41,23 @@ For a practical guidance on what needs to be in place for licensing and infrastr ## Windows Server 2012 R2 and Windows Server 2016 -To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to: +There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP: +- **Option 1**: Onboard through Azure Security Center (recommended) +- **Option 2** Onboard through Windows Defender Security Center + + +### Option 1: Onboard servers through Azure Security Center (recommended) +1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. + +2. Select **Windows server 2012R2 and 2016** as the operating system. + +3. Click **Go to Azure Security Center to onboard servers**. + +4. Follow the onboarding steps in Azure Security Center. + + +### Option 2: Onboard servers through Windows Defender Security Center +You'll need to take the following steps if you opt to onboard servers through Windows Defender Security Center. - For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. 
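Review bot: this @@ -41,7 +41,23 @@ hunk removes `-To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to:`, which is the wording patch 1/8 had already replaced and patch 3/8 had already turned into the two-option list; together with the blob index jump (patch 3 ends at 14151cc1cc while patch 4 starts from 54976ad8b9) this shows the earlier edits were lost from the base and are being re-done here. Squash patches 1, 3 and 6 into one commit so the history shows the options block added once rather than added, dropped and re-added.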
@@ -71,7 +87,8 @@ The following steps are required to enable this integration: 2. Select **Windows server 2012R2 and 2016** as the operating system. -3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. +3. Select **Onboard Servers through Windows Defender ATP**. +4. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. ### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP From 3174d25d39077507e2190a0c8f5726aba153ada1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 17 Dec 2018 16:44:51 -0800 Subject: [PATCH 7/8] typo --- ...ints-windows-defender-advanced-threat-protection.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 54ba5609cf..bf5a390ced 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md 
@@ -43,7 +43,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP: - **Option 1**: Onboard through Azure Security Center (recommended) -- **Option 2** Onboard through Windows Defender Security Center +- **Option 2**: Onboard through Windows Defender Security Center ### Option 1: Onboard servers through Azure Security Center (recommended) @@ -70,7 +70,7 @@ You'll need to take the following steps if you opt to onboard servers through Wi >[!TIP] > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). -### Configure and update System Center Endpoint Protection clients +#### Configure and update System Center Endpoint Protection clients >[!IMPORTANT] >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. @@ -81,7 +81,7 @@ The following steps are required to enable this integration: - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting -### Turn on Server monitoring from the Windows Defender Security Center portal +#### Turn on Server monitoring from the Windows Defender Security Center portal 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. 
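Review bot: the colon fix `+- **Option 2**: Onboard through Windows Defender Security Center` corrects text introduced by patch 6/8 of this same series and belongs in that commit rather than in a separate "typo" patch. The demotions from `###` to `####` are right for nesting under "Option 2", but note that after them the Option 1 section has no subsections while Option 2 has four; a one-line pointer under Option 1 to the ASC documentation would keep the two options comparable in depth.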
@@ -91,7 +91,7 @@ The following steps are required to enable this integration: 4. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. -### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP +#### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). @@ -105,7 +105,7 @@ The following steps are required to enable this integration: Once completed, you should see onboarded servers in the portal within an hour. -### Configure server proxy and Internet connectivity settings +#### Configure server proxy and Internet connectivity settings - Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: From c4e694bd82ee3e31cf187f28d2dcbbf2f04cd71c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 14 Jan 2019 16:58:38 -0800 Subject: [PATCH 8/8] add link to step 4 in option 1. move integ with asc up. --- ...ows-defender-advanced-threat-protection.md | 70 ++++++++++--------- 1 file changed, 36 insertions(+), 34 deletions(-) 
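Review bot: demoting `#### Configure server proxy and Internet connectivity settings` files the HTTPS egress, SSL-inspection and URL allow-list requirements under Option 2 only. The winatp-gw-* endpoints in the table below are what the sensor talks to, so if servers onboarded through Azure Security Center (Option 1) need the same outbound access, this hunk hides that requirement from Option 1 readers. Either keep the proxy section at `###` level shared by both options, or add a pointer to it from Option 1.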
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index bf5a390ced..79b21babce 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -10,7 +10,6 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 12/17/2018 --- # Onboard servers to the Windows Defender ATP service @@ -42,18 +41,18 @@ For a practical guidance on what needs to be in place for licensing and infrastr ## Windows Server 2012 R2 and Windows Server 2016 There are two options to onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP: -- **Option 1**: Onboard through Azure Security Center (recommended) +- **Option 1**: Onboard through Azure Security Center - **Option 2**: Onboard through Windows Defender Security Center -### Option 1: Onboard servers through Azure Security Center (recommended) +### Option 1: Onboard servers through Azure Security Center 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. 2. Select **Windows server 2012R2 and 2016** as the operating system. 3. Click **Go to Azure Security Center to onboard servers**. -4. Follow the onboarding steps in Azure Security Center. +4. Follow the onboarding steps in Azure Security Center. For more information, see [Windows Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). ### Option 2: Onboard servers through Windows Defender Security Center 
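Review bot: `-ms.date: 12/17/2018` is deleted outright in the first hunk while patches 2 and 5 of this series only bumped the value, and the commit message ("add link to step 4 in option 1. move integ with asc up.") does not mention removing metadata; confirm the drop is intended. In the second hunk, removing "(recommended)" from Option 1 in both the bullet and the heading reverses the guidance introduced in patch 1/8 and repeated in 3 and 6, leaving the reader with no basis for choosing between the options; either keep the recommendation or state in the text what decides it. The link added to step 4 is the right fix for the earlier dangling "For more information" sentence.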
@@ -70,16 +69,6 @@ You'll need to take the following steps if you opt to onboard servers through Wi >[!TIP] > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). -#### Configure and update System Center Endpoint Protection clients ->[!IMPORTANT] ->This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. - -Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. - -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) -- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting - #### Turn on Server monitoring from the Windows Defender Security Center portal 
@@ -90,6 +79,17 @@ The following steps are required to enable this integration: 3. Select **Onboard Servers through Windows Defender ATP**. 4. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. + +#### Configure and update System Center Endpoint Protection clients +>[!IMPORTANT] +>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. + +Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting + #### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP 
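Review bot: the relocated `#### Configure and update System Center Endpoint Protection clients` block now lands between step 4 of "Turn on Server monitoring" (which produces the Workspace ID and Workspace key) and "Install and configure Microsoft Monitoring Agent", which consumes those values. Inserting a 2012 R2-only, SCEP-only procedure between the two halves of one dependent flow invites readers to lose the workspace values or skip the MMA step. Keep the SCEP block ahead of "Turn on Server monitoring", where the removal hunk took it from, or place it after the MMA section; in either case keep the `>[!IMPORTANT]` scope note attached to it.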
@@ -125,6 +125,28 @@ Agent Resource | Ports | winatp-gw-aus.microsoft.com | 443| | winatp-gw-aue.microsoft.com |443 | + +## Integration with Azure Security Center +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +>[!NOTE] +>You'll need to have the appropriate license to enable this feature. + +The following capabilities are included in this integration: +- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). + + >[!NOTE] + > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. + +- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. +- Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach + +>[!IMPORTANT] +>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. +>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. 
+ + + ## Windows Server, version 1803 and Windows Server 2019 To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. 
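Review bot: the relocated `## Integration with Azure Security Center` is a level-2 heading dropped into the middle of the "Windows Server 2012 R2 and Windows Server 2016" material, after the ports table and before `## Windows Server, version 1803 and Windows Server 2019`, and the hunk adds three blank `+` lines ahead of it. More important for a reader choosing Option 1: the `>[!IMPORTANT]` note that an ASC-created Windows Defender ATP tenant stores data in Europe by default, and that an existing tenant keeps its original location, is a data-residency decision that now sits several screens away from the Option 1 steps where that choice is actually made; surface it, or a one-line pointer, next to Option 1 step 4. The `>[!NOTE]` "You'll need to have the appropriate license" names no license and should either say which one or link to the licensing section referenced at the top of the page.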
@@ -160,26 +182,6 @@ Supported tools include: If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). -## Integration with Azure Security Center -Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. - ->[!NOTE] ->You'll need to have the appropriate license to enable this feature. - -The following capabilities are included in this integration: -- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). - - >[!NOTE] - > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. - -- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. -- Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach - ->[!IMPORTANT] ->- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. 
->- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. - - ## Offboard servers You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines.
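Review bot: the removal hunk is a clean move with nothing left behind, but the trailing context line `You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines.` reads "Windows 2019" for "Windows Server 2019" and "in the same method" for "using the same method"; since this commit already touches the adjacent lines, that sentence could be fixed here or in a follow-up.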