deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 13:23:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

move topic up

Browse Source
This commit is contained in:
Joey Caparas
2018-02-15 17:17:36 -08:00
parent 6e71c85ea7
commit 7688db31a3
3 changed files with 31 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -30,7 +30,7 @@ Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
## Onboard server endpoints
## Onboard server endpoints [MICHAL - SHOULD THIS BE JUST FOR 2012R2?]
To onboard your servers to Windows Defender ATP, youll need to:
@ -40,6 +40,31 @@ To onboard your servers to Windows Defender ATP, youll need to:
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Onboard Windows Server 2016
Youll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server 2016 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well.
1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).
2. Configure Windows Defender ATP onboarding settings on the Server endpoint. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md).
3. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Value: 1
b. Run the following PowerSHell command to verify that the passive mode was configured:
```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
c. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
4. Run the following command to check if Windows Defender AV is installed:
```sc query Windefend```
If the result is The specified service does not exist as an installed service, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
### Turn on Server monitoring from the Windows Defender Security Center portal
@ -79,30 +104,6 @@ Once completed, you should see onboarded servers in the portal within an hour.
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
## Onboard Windows Server 2016
Youll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server 2016 provides deeper insight into activities happening on the server, coverage for kernel and memory attack, and enables response actions on Windows Server endpoint as well.
1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).
2. Configure Windows Defender ATP onboarding settings on the Server endpoint. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md).
3. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Value: 1
b. Run the following PowerSHell command to verify that the passive mode was configured:
```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
c. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
4. Run the following command to check if Windows Defender AV is installed:
```sc query Windefend```
If the result is The specified service does not exist as an installed service, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
### Offboard server endpoints

2
windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -128,6 +128,8 @@ You must configure the signature updates on the Windows Defender ATP endpoints w
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled

3
windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -47,6 +47,9 @@ You must configure the signature updates on the Windows Defender ATP endpoints w
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).