From 3e1f1d7f843ed5b7475afc25aeafd95e5a5fe867 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 15 Mar 2018 00:45:57 -0700 Subject: [PATCH] onboard and offboard --- windows/security/threat-protection/TOC.md | 14 +++++++------- ...-windows-defender-advanced-threat-protection.md | 6 +++--- ...-windows-defender-advanced-threat-protection.md | 5 ++--- ...-windows-defender-advanced-threat-protection.md | 7 +++---- ...-windows-defender-advanced-threat-protection.md | 9 +++++---- ...-windows-defender-advanced-threat-protection.md | 6 +++--- ...-windows-defender-advanced-threat-protection.md | 4 ++-- ...-windows-defender-advanced-threat-protection.md | 12 ++++++------ ...-windows-defender-advanced-threat-protection.md | 13 +++++++++++++ ...-windows-defender-advanced-threat-protection.md | 2 +- ...-windows-defender-advanced-threat-protection.md | 2 +- .../windows-defender-advanced-threat-protection.md | 2 +- 12 files changed, 47 insertions(+), 35 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 0e87db3f82..5988e6476c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -25,11 +25,11 @@ #### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md) ### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) #### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) -##### [Onboard Windows 10 using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -##### [Onboard Windows 10 using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -##### [Onboard Windows 10 using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -###### [Onboard Windows 10 using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) -##### [Onboard Windows 10 using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) +##### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +##### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +##### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +###### [Onboard machines using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-windows-10-machines-using-microsoft-intune) +##### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) #### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) #### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) @@ -205,9 +205,9 @@ ####Machine management ### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) -### [Offboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) +### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md) -#### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) +### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) ### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 6caff99acd..d7e610f982 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -33,7 +33,7 @@ ms.date: 04/16/2018 > [!NOTE] > To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. -## Onboard endpoints +## Onboard machines using Group Policy 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -114,8 +114,8 @@ Possible values are: The default value in case the registry key doesn’t exist is Normal. -### Offboard endpoints -For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +## Offboard machines using Group Policy +For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 41116eff3f..fbbd3d0809 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -121,9 +121,8 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De -### Offboard and monitor endpoints - -For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +## Offboard and monitor machines using Mobile Device Management tools +For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 6622a7e6aa..3fadce3af0 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Onboard non-Windows machines in Windows Defender ATP +title: Onboard non-Windows machines to the Windows Defender ATP service description: Configure non-Winodws machines so that they can send sensor data to the Windows Defender ATP service. keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines search.product: eADQiWindows 10XVcnh @@ -28,8 +28,7 @@ Windows Defender ATP provides a centralized security operations experience for W You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. -## Onboard non-Windows endpoints -You'll need to take the following steps to onboard non-Windows endpoints: +You'll need to take the following steps to onboard non-Windows machines: 1. Turn on third-party integration 2. Run a detection test @@ -54,7 +53,7 @@ Create an EICAR test file by saving the string displayed on the portal in an emp The file should trigger a detection and a corresponding alert on Windows Defender ATP. -### Offboard non-Windows endpoints +## Offboard non-Windows machines To effectively offboard the endpoints from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index e2221c2beb..f7f66eec34 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 04/16/2018 --- -# Onboards Windows 10 machines using System Center Configuration Manager +# Onboard Windows 10 machines using System Center Configuration Manager **Applies to:** @@ -44,7 +44,8 @@ You can use existing System Center Configuration Manager functionality to create - System Center Configuration Manager (current branch), version 1511 - System Center Configuration Manager (current branch), version 1602 -### Onboard Windows 10 machines +### Onboard machines using System Center Configuration Manager + 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): @@ -116,9 +117,9 @@ Possible values are: The default value in case the registry key doesn’t exist is Normal. -### Offboard endpoints +## Offboard machines using System Center Configuration Manager -For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index e1ac9234f0..98c148cb39 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -32,7 +32,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You > [!NOTE] > The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). -## Onboard endpoints +## Onboard machines 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -85,8 +85,8 @@ Possible values are: The default value in case the registry key doesn’t exist is 1. -## Offboard endpoints -For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +## Offboard machines using a local script +For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md index c28c44813e..a0b50d219e 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Configure non-persistent virtual desktop infrastructure (VDI) machines +title: Onboard non-persistent virtual desktop infrastructure (VDI) machines description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service. keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 04/16/2018 --- -# Configure non-persistent virtual desktop infrastructure (VDI) machines +# Onboard non-persistent virtual desktop infrastructure (VDI) machines **Applies to:** - Virtual desktop infrastructure (VDI) machines diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 3a6509d8c8..e7bcb17e71 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: Configure Windows Defender ATP server endpoints -description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor. -keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints +title: Onboard servers to the Windows Defender ATP service +description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor. +keywords: onboard server, server, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ localizationpriority: high ms.date: 04/16/2018 --- -# Configure Windows Defender ATP server endpoints +# Onboard servers **Applies to:** @@ -105,7 +105,7 @@ You’ll be able to onboard in the same method available for Windows 10 client e If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). -### Offboard server endpoints +## Offboard servers To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). @@ -114,7 +114,7 @@ For more information, see [To disable an agent](https://docs.microsoft.com/en-us ## Related topics - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) +- [Configure non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) - [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md) - [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md index fff49b28f9..aa883fa645 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md @@ -31,3 +31,16 @@ ms.date: 04/16/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink) +Follow the corresponding instructions depending on your preferred deployment method. + +## Offboard Windows 10 machines + - [Offboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md#offboard-machines-using-group-policy) + - [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#offboard-machines-using-system-center-configuration-manager) + - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#offboard-and-monitor-machines-using-mobile-device-management-tools) + +## Offboard Servers + - [Offboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md#offboard-servers) + +## Offboard non-Windows machines + - [Offboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md#offboard-non-windows-machines) + diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index ede26bb2d4..cfee92cf05 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -54,7 +54,7 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you - [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. -- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+- [Configure non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data. - [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md index 67e7ed903c..e31caf0232 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md @@ -53,7 +53,7 @@ If while accessing the Windows Defender ATP portal you get a **Your subscription You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the endpoint offboarding package, should you choose to not renew the license. > [!NOTE] -> For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. ![Image of subscription expired](images\atp-subscription-expired.png) diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index f4ef07730e..80dfe3f9a8 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -88,7 +88,7 @@ detect sophisticated cyber-attacks, providing: Topic | Description :---|:--- Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal. -[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about configuring client, server, and non-Windows endpoints. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. +[Onboard endpoints](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about configuring client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. [Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations and Secure score dashboard, and how to navigate the portal. Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats. API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from the Windows Defender ATP portal.