mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 14:57:23 +00:00
endpoint sweep
This commit is contained in:
jcaparas
parent
3e1f1d7f84
commit
181d315723
@ -29,7 +29,7 @@ Advanced hunting allows you to proactively hunt for possible threats across your
|
||||
|
||||
- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level.
|
||||
- **Query all stored telemetry** - All telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types.
|
||||
- **Links to portal** - Certain query results, such as endpoint names and file names are actually direct links to the portal, consolidating the advanced hunting query experience and the existing portal investigation experience.
|
||||
- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the advanced hunting query experience and the existing portal investigation experience.
|
||||
- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
|
||||
|
||||
To get you started in querying your data, you can use the basic or advanced query examples that have some preloaded queries for you to understand the basic query syntax.
|
||||
|
||||
@ -27,7 +27,7 @@ ms.date: 04/16/2018
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
|
||||
|
||||
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
|
||||
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
|
||||
|
||||
Alerts are organized in queues by their workflow status or assignment:
|
||||
|
||||
@ -69,7 +69,6 @@ Medium </br>(Orange) | Threats rarely observed in the organization, such as anom
|
||||
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
|
||||
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
|
||||
|
||||
Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
|
||||
|
||||
#### Understanding alert severity
|
||||
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes.
|
||||
@ -92,7 +91,7 @@ So, for example:
|
||||
- Others
|
||||
|
||||
>[!NOTE]
|
||||
>The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender Antivirus as the default real-time protection antimalware product.
|
||||
>The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
|
||||
|
||||
|
||||
### View
|
||||
|
||||
@ -52,4 +52,4 @@ Read the walkthrough document provided with each attack scenario. Each document
|
||||
|
||||
## Related topics
|
||||
- [Onboard and set up Windows Defender ATP](onboard-configure-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
|
||||
- [Onboard machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
|
||||
@ -27,7 +27,7 @@ ms.date: 04/16/2018
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
|
||||
|
||||
The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
|
||||
The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ ms.date: 04/16/2018
|
||||
|
||||
c. Click **Download package** and save the .zip file.
|
||||
|
||||
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
|
||||
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
|
||||
|
||||
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
|
||||
|
||||
@ -61,10 +61,10 @@ ms.date: 04/16/2018
|
||||
9. Click **OK** and close any open GPMC windows.
|
||||
|
||||
>[!TIP]
|
||||
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
|
||||
> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
## Additional Windows Defender ATP configuration settings
|
||||
For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
|
||||
For each machine, you can state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
|
||||
|
||||
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
|
||||
|
||||
@ -84,7 +84,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
|
||||
|
||||
5. Click **Windows components** and then **Windows Defender ATP**.
|
||||
|
||||
6. Choose to enable or disable sample sharing from your endpoints.
|
||||
6. Choose to enable or disable sample sharing from your machines.
|
||||
|
||||
>[!NOTE]
|
||||
> If you don't set a value, the default value is to enable sample collection.
|
||||
@ -97,7 +97,7 @@ In cases where high-value assets or machines are at high risk, you can configure
|
||||
> [!NOTE]
|
||||
> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
|
||||
|
||||
For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
|
||||
For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
|
||||
|
||||
The configuration is set through the following registry key entry:
|
||||
|
||||
@ -109,8 +109,8 @@ Value: Normal or Expedite
|
||||
Where:<br>
|
||||
Key type is a string. <br>
|
||||
Possible values are:
|
||||
- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance
|
||||
- Expedite - sets reporting frequency from the endpoint to Expedite mode
|
||||
- Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance
|
||||
- Expedite - sets reporting frequency from the machine to Expedite mode
|
||||
|
||||
The default value in case the registry key doesn’t exist is Normal.
|
||||
|
||||
@ -118,7 +118,7 @@ The default value in case the registry key doesn’t exist is Normal.
|
||||
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
|
||||
|
||||
> [!NOTE]
|
||||
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
|
||||
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
@ -130,7 +130,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
d. Click **Download package** and save the .zip file.
|
||||
|
||||
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
|
||||
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
|
||||
|
||||
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
|
||||
|
||||
@ -150,16 +150,16 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
|
||||
|
||||
|
||||
## Monitor endpoint configuration
|
||||
With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools.
|
||||
## Monitor machine configuration
|
||||
With Group Policy there isn’t an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
|
||||
|
||||
## Monitor endpoints using the portal
|
||||
## Monitor machines using the portal
|
||||
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
|
||||
2. Click **Machines list**.
|
||||
3. Verify that endpoints are appearing.
|
||||
3. Verify that machines are appearing.
|
||||
|
||||
> [!NOTE]
|
||||
> It can take several days for endpoints to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
|
||||
> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Onboard Windows 10 machines using Mobile Device Management tools
|
||||
description: Use Mobile Device Management tools to deploy the configuration package on machines so that they are onboarded to the service.
|
||||
keywords: onboard machines using mdm, endpoint management, onboard Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, mdm
|
||||
keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, mdm
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
@ -93,7 +93,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
|
||||
|
||||
|
||||
|
||||
When the policy is deployed and is propagated, endpoints will be shown in the **Machines list**.
|
||||
When the policy is deployed and is propagated, machines will be shown in the **Machines list**.
|
||||
|
||||
You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
|
||||
- Onboarding
|
||||
@ -117,15 +117,15 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De
|
||||
|
||||
|
||||
>[!TIP]
|
||||
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
|
||||
> After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
|
||||
|
||||
## Offboard and monitor machines using Mobile Device Management tools
|
||||
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
|
||||
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
|
||||
|
||||
> [!NOTE]
|
||||
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
|
||||
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
@ -141,7 +141,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
|
||||
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
|
||||
|
||||
Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
|
||||
Offboarding - Use the offboarding policies to remove configuration settings on machines. These policies can be sub-categorized to:
|
||||
- Offboarding
|
||||
- Health Status for offboarded machines
|
||||
- Configuration for offboarded machines
|
||||
@ -163,5 +163,5 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W
|
||||
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
|
||||
- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
|
||||
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
|
||||
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
|
||||
- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
|
||||
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -54,7 +54,7 @@ Create an EICAR test file by saving the string displayed on the portal in an emp
|
||||
The file should trigger a detection and a corresponding alert on Windows Defender ATP.
|
||||
|
||||
## Offboard non-Windows machines
|
||||
To effectively offboard the endpoints from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow.
|
||||
To effectively offboard the machine from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow.
|
||||
|
||||
|
||||
1. Follow the third-party documentation to opt-out on the third-party service side.
|
||||
@ -64,10 +64,10 @@ To effectively offboard the endpoints from the service, you'll need to disable t
|
||||
3. Turn off the third-party solution integration.
|
||||
|
||||
>[!WARNING]
|
||||
>If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on endpoints.
|
||||
>If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on machines.
|
||||
|
||||
## Related topics
|
||||
- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
|
||||
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Onboard Windows 10 machines using System Center Configuration Manager
|
||||
description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service.
|
||||
description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
|
||||
keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines, sccm
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
@ -30,14 +30,14 @@ ms.date: 04/16/2018
|
||||
|
||||
<span id="sccm1606"/>
|
||||
## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606
|
||||
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
|
||||
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on machines. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
|
||||
|
||||
>[!NOTE]
|
||||
> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
|
||||
|
||||
<span id="sccm1602"/>
|
||||
## Onboard Windows 10 machines using System Center Configuration Manager earlier versions
|
||||
You can use existing System Center Configuration Manager functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
|
||||
You can use existing System Center Configuration Manager functionality to create a policy to configure your machines. This is supported in the following System Center Configuration Manager versions:
|
||||
|
||||
- System Center 2012 Configuration Manager
|
||||
- System Center 2012 R2 Configuration Manager
|
||||
@ -66,12 +66,12 @@ You can use existing System Center Configuration Manager functionality to create
|
||||
> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
|
||||
|
||||
>[!TIP]
|
||||
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
|
||||
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
### Configure sample collection settings
|
||||
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
|
||||
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
|
||||
|
||||
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint.
|
||||
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine.
|
||||
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint.
|
||||
|
||||
The configuration is set through the following registry key entry:
|
||||
@ -84,8 +84,8 @@ Value: 0 or 1
|
||||
Where:<br>
|
||||
Key type is a D-WORD. <br>
|
||||
Possible values are:
|
||||
- 0 - doesn't allow sample sharing from this endpoint
|
||||
- 1 - allows sharing of all file types from this endpoint
|
||||
- 0 - doesn't allow sample sharing from this machine
|
||||
- 1 - allows sharing of all file types from this machine
|
||||
|
||||
The default value in case the registry key doesn’t exist is 1.
|
||||
|
||||
@ -99,7 +99,7 @@ In cases where high-value assets or machines are at high risk, you can configure
|
||||
> [!NOTE]
|
||||
> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
|
||||
|
||||
For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
|
||||
For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
|
||||
|
||||
The configuration is set through the following registry key entry:
|
||||
|
||||
@ -111,18 +111,18 @@ Value: Normal or Expedite
|
||||
Where:<br>
|
||||
Key type is a string. <br>
|
||||
Possible values are:
|
||||
- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance
|
||||
- Expedite - sets reporting frequency from the endpoint to Expedite mode
|
||||
- Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance
|
||||
- Expedite - sets reporting frequency from the machine to Expedite mode
|
||||
|
||||
The default value in case the registry key doesn’t exist is Normal.
|
||||
|
||||
|
||||
## Offboard machines using System Center Configuration Manager
|
||||
|
||||
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
|
||||
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
|
||||
|
||||
> [!NOTE]
|
||||
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
|
||||
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
|
||||
|
||||
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
|
||||
@ -147,9 +147,9 @@ For security reasons, the package used to Offboard machines will expire 30 days
|
||||
### Monitor endpoint configuration
|
||||
Monitoring with SCCM consists of two parts:
|
||||
|
||||
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
|
||||
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network.
|
||||
|
||||
2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
|
||||
2. Checking that the machines are compliant with the Windows Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service).
|
||||
|
||||
**To confirm the configuration package has been correctly deployed:**
|
||||
|
||||
@ -161,11 +161,11 @@ Monitoring with SCCM consists of two parts:
|
||||
|
||||
4. Review the status indicators under **Completion Statistics** and **Content Status**.
|
||||
|
||||
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
|
||||
If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
|
||||
|
||||
**Check that the endpoints are compliant with the Windows Defender ATP service:**<br>
|
||||
**Check that the machines are compliant with the Windows Defender ATP service:**<br>
|
||||
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment.
|
||||
|
||||
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
|
||||
@ -183,5 +183,5 @@ For more information about System Center Configuration Manager Compliance see [C
|
||||
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
|
||||
- [Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
|
||||
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
|
||||
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
|
||||
- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
|
||||
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -27,10 +27,10 @@ ms.date: 04/16/2018
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
|
||||
|
||||
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
|
||||
You can also manually onboard individual machines to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network.
|
||||
|
||||
> [!NOTE]
|
||||
> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
|
||||
> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
## Onboard machines
|
||||
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
|
||||
@ -44,9 +44,9 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
|
||||
d. Click **Download package** and save the .zip file.
|
||||
|
||||
|
||||
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
|
||||
2. Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
|
||||
|
||||
3. Open an elevated command-line prompt on the endpoint and run the script:
|
||||
3. Open an elevated command-line prompt on the machine and run the script:
|
||||
|
||||
a. Go to **Start** and type **cmd**.
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user