diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index be790b83a9..22f8170962 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -34,6 +34,7 @@ Windows Defender ATP supports the following deployment tools and methods: System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information see, the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx) section. ## Configure endpoints with System Center 2012 Configuration Manager or later versions +You can use System Center Configuration Manager’s existing functionality to create a policy to configure you endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier. 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 
@@ -41,7 +42,7 @@ System Center Configuration Manager (current branch) version 1606, currently in b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.onboarding*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. @@ -50,9 +51,9 @@ System Center Configuration Manager (current branch) version 1606, currently in a. Choose a predefined device collection to deploy the package to. ## Configure endpoints with Group Policy -Using the GP configuration package ensures your endpoints will be correctly configured to report to the Windows Defender ATP service. -> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. The endpoints must be running Windows 10 Insider Preview Build 14332 or later. + +> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): 
@@ -60,7 +61,7 @@ Using the GP configuration package ensures your endpoints will be correctly conf b. Select **Group Policy**, click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.onboarding*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. 3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. @@ -72,7 +73,7 @@ Using the GP configuration package ensures your endpoints will be correctly conf 7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box. -8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.onboarding* file. +8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file. 9. Click **OK** and close any open GPMC windows. 
@@ -88,7 +89,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre b. Select **Microsoft Intune**, click **Download package** and save the .zip file. -2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.onboarding*. +2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingInformation.mdm*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). @@ -126,7 +127,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You b. Select **Local Script**, click **Download package** and save the .zip file. -2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.onboarding*. +2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. 3. Open an elevated command-line prompt on the endpoint and run the script: 
@@ -136,7 +137,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.onboarding`* +4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* 5. Press the **Enter** key or click **OK**. diff --git a/windows/keep-secure/images/oma-uri.png b/windows/keep-secure/images/oma-uri.png index 24ce13c337..00cfe55d01 100644 Binary files a/windows/keep-secure/images/oma-uri.png and b/windows/keep-secure/images/oma-uri.png differ
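Review bot: the added introduction under "Configure endpoints with System Center 2012 Configuration Manager or later versions" (hunk -34,6 +34,7) has a typo: "configure you endpoints" should be "configure your endpoints". The list after "including:" ends with "version 1602 or earlier", which reads oddly beside the heading's "or later versions" and the preceding paragraph about version 1606. Consider rewording so it is clear which versions use this package-based method and which use the integrated UI support.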
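Review bot: the Group Policy hunk (-50,9 +51,9) drops the endpoint requirement "The endpoints must be running Windows 10 Insider Preview Build 14332 or later" from the note and does not restate it anywhere in the visible text. If a minimum build still applies, keep it in the note or link to where it is documented. The removed intro sentence is replaced by an empty line, so the heading now runs straight into the note; a one-line introduction like the one added to the Configuration Manager section would keep the two sections consistent.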
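Review bot: step 8 (hunk -72,7 +73,7) now points the scheduled task at a .cmd script on a share, and step 7 has that task run with highest privileges whether or not a user is logged on, so the integrity of the share matters more than the text conveys. Step 2 already says "shared, read-only location"; consider restating in step 8 that the path entered must be that read-only share, and that write access to it should be limited to the administrators who publish the package.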
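Review bot: in the Intune hunk (-88,7 +89,7), step 2 still tells the reader to extract the package "to a location on the endpoint you want to onboard (for example, the Desktop)", the same wording as the local-script section, while step 3 deploys through an Intune custom configuration policy. Say where the extracted *WindowsDefenderATPOnboardingInformation.mdm* file is used in step 3, and drop the endpoint and Desktop wording if it does not apply to this method.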
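Review bot: step 4 (hunk -136,7 +137,7) gives the path as `%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`, but the prompt opened in step 3 is elevated; if elevation used a different administrator account, `%userprofile%` resolves to that account's profile and the script will not be found. Consider noting this or telling the reader to type the full path to where the file was extracted. Since the patch renames the file from .onboarding to .cmd in every section, also check the rest of the topic for any remaining .onboarding references.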