From bea2377880df8bc689e9b1d7ef5c30e444eb587c Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Thu, 30 Jan 2020 17:57:50 +0200 Subject: [PATCH] Update configure-endpoints-sccm.md The suggested changes will help customers who are onboarding via SCCM and struggle with onboarding issues --- .../microsoft-defender-atp/configure-endpoints-sccm.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 60b3f33af2..0fa8689019 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md 
@@ -72,6 +72,13 @@ You can use existing System Center Configuration Manager functionality to create >[!TIP] > After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). +> +> Note that it is possible to create a detection rule within SCCM to continuously check if a machine has been onboarded. +> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), SCCM will retry to onboard the machine until the rule detects the status change. +This can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1. +> The above registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". +Refer to the following SCCM article for more information: https://docs.microsoft.com/en-us/configmgr/apps/deploy-use/create-applications#bkmk_detect-rule + ### Configure sample collection settings For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
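Review bot: Two of the added lines inside the `[!TIP]` block, the ones beginning "This can be accomplished by creating a detection rule" and "Refer to the following SCCM article", lack the leading `>` that the other added lines carry. They stay inside the tip only if the renderer treats them as lazy continuation lines; prefix both with `> ` so the whole note is unambiguously part of the tip. The reference is also a bare URL with a hard-coded `en-us` locale, while the existing tip text uses a Markdown link (`[Run a detection test ...](run-detection-test.md)`); make it a titled link without the locale segment. Finally, set the registry path `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status` and the value name `OnboardingState` in code formatting rather than in double quotes, and spell out the condition as "equals 1" instead of "= 1", so readers can copy the exact key and value into the detection rule.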