mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-24 23:03:42 +00:00
Merge branch 'master' into 3705688
This commit is contained in:
Denise Vangel-MSFT
@ -129,11 +129,12 @@ Once completed, you should see onboarded servers in the portal within an hour.
|
||||
To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
|
||||
|
||||
> [!NOTE]
|
||||
> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Microsoft Endpoint Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
|
||||
> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
|
||||
|
||||
Supported tools include:
|
||||
- Local script
|
||||
- Group Policy
|
||||
- Microsoft Endpoint Configuration Manager
|
||||
- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
|
||||
- VDI onboarding scripts for non-persistent machines
|
||||
|
||||
|
||||
@ -58,7 +58,7 @@ The following is in scope for this project:
|
||||
capabilities including automatic investigation and remediation
|
||||
|
||||
- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
|
||||
- Use of System Center Configuration Manager to onboard endpoints into the service.
|
||||
- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service.
|
||||
|
||||
### Out of scope
|
||||
|
||||
|
||||
@ -25,13 +25,13 @@ ms.topic: article
|
||||
Proper planning is the foundation of a successful deployment. In this deployment scenario, you'll be guided through the steps on:
|
||||
- Tenant configuration
|
||||
- Network configuration
|
||||
- Onboarding using System Center Configuration Manager
|
||||
- Onboarding using Microsoft Endpoint Configuration Manager
|
||||
- Endpoint detection and response
|
||||
- Next generation protection
|
||||
- Attack surface reduction
|
||||
|
||||
>[!NOTE]
|
||||
>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of System Center Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
|
||||
>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
|
||||
|
||||
## Tenant Configuration
|
||||
|
||||
@ -111,7 +111,7 @@ under:
|
||||
Preview Builds \> Configure Authenticated Proxy usage for the Connected User
|
||||
Experience and Telemetry Service
|
||||
|
||||
- Set it to **Enabled** and select<63>**Disable Authenticated Proxy usage**
|
||||
- Set it to **Enabled** and select<63>**Disable Authenticated Proxy usage**
|
||||
|
||||
1. Open the Group Policy Management Console.
|
||||
2. Create a policy or edit an existing policy based off the organizational practices.
|
||||
@ -205,9 +205,9 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
|
||||
> [!NOTE]
|
||||
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
|
||||
|
||||
## Onboarding using System Center Configuration Manager
|
||||
## Onboarding using Microsoft Endpoint Configuration Manager
|
||||
### Collection creation
|
||||
To onboard Windows 10 devices with System Center Configuration Manager, the
|
||||
To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
|
||||
deployment can target either and existing collection or a new collection can be
|
||||
created for testing. The onboarding like group policy or manual method does
|
||||
not install any agent on the system. Within the Configuration Manager console
|
||||
@ -217,55 +217,54 @@ maintain that configuration for as long as the Configuration Manager client
|
||||
continues to receive this policy from the management point. Follow the steps
|
||||
below to onboard systems with Configuration Manager.
|
||||
|
||||
1. In System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
|
||||
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
|
||||
|
||||
|
||||
|
||||
|
||||
2. Right Click **Device Collection** and select **Create Device Collection**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
4. Select **Add Rule** and choose **Query Rule**.
|
||||
|
||||
|
||||
|
||||
|
||||
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
|
||||
|
||||
|
||||
|
||||
|
||||
6. Select **Criteria** and then choose the star icon.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
|
||||
|
||||
|
||||
|
||||
|
||||
8. Select **Next** and **Close**.
|
||||
|
||||
|
||||
|
||||
|
||||
9. Select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
|
||||
|
||||
## Endpoint detection and response
|
||||
### Windows 10
|
||||
From within the Microsoft Defender Security Center it is possible to download
|
||||
the '.onboarding' policy that can be used to create the policy in System Center Configuration
|
||||
Manager and deploy that policy to Windows 10 devices.
|
||||
the '.onboarding' policy that can be used to create the policy in Microsoft Endpoint Configuration Manager and deploy that policy to Windows 10 devices.
|
||||
|
||||
1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
|
||||
|
||||
|
||||
|
||||
2. Under Deployment method select the supported version of **System Center Configuration Manager**.
|
||||
2. Under Deployment method select the supported version of **Configuration Manager**.
|
||||
|
||||
|
||||
|
||||
@ -274,15 +273,15 @@ Manager and deploy that policy to Windows 10 devices.
|
||||
|
||||
|
||||
4. Save the package to an accessible location.
|
||||
5. In System Center Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
|
||||
5. In Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
|
||||
|
||||
6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
8. Click **Browse**.
|
||||
|
||||
@ -305,7 +304,7 @@ Manager and deploy that policy to Windows 10 devices.
|
||||
|
||||
15. Click **Close** when the Wizard completes.
|
||||
|
||||
16. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
|
||||
16. In the Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
|
||||
|
||||
|
||||
|
||||
@ -371,14 +370,14 @@ Specifically, for Windows 7 SP1, the following patches must be installed:
|
||||
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
|
||||
Do not install both on the same system.
|
||||
|
||||
To deploy the MMA with System Center Configuration Manager, follow the steps
|
||||
To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
|
||||
below to utilize the provided batch files to onboard the systems. The CMD file
|
||||
when executed, will require the system to copy files from a network share by the
|
||||
System, the System will install MMA, Install the DependencyAgent, and configure
|
||||
MMA for enrollment into the workspace.
|
||||
|
||||
|
||||
1. In System Center Configuration Manager console, navigate to **Software
|
||||
1. In the Configuration Manager console, navigate to **Software
|
||||
Library**.
|
||||
|
||||
2. Expand **Application Management**.
|
||||
@ -387,15 +386,15 @@ MMA for enrollment into the workspace.
|
||||
|
||||
4. Provide a Name for the package, then click **Next**
|
||||
|
||||
|
||||
|
||||
|
||||
5. Verify **Standard Program** is selected.
|
||||
|
||||
|
||||
|
||||
|
||||
6. Click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Enter a program name.
|
||||
|
||||
@ -411,17 +410,17 @@ MMA for enrollment into the workspace.
|
||||
|
||||
13. Click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
14. Verify the configuration, then click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
15. Click **Next**.
|
||||
|
||||
16. Click **Close**.
|
||||
|
||||
17. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP
|
||||
17. In the Configuration Manager console, right-click the Microsoft Defender ATP
|
||||
Onboarding Package just created and select **Deploy**.
|
||||
|
||||
18. On the right panel select the appropriate collection.
|
||||
@ -431,7 +430,7 @@ MMA for enrollment into the workspace.
|
||||
## Next generation protection
|
||||
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
|
||||
|
||||
1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
|
||||
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
|
||||
|
||||
|
||||
|
||||
@ -481,9 +480,9 @@ Protection. All these features provide an audit mode and a block mode. In audit
|
||||
|
||||
To set ASR rules in Audit mode:
|
||||
|
||||
1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
2. Select **Attack Surface Reduction**.
|
||||
@ -491,26 +490,26 @@ To set ASR rules in Audit mode:
|
||||
|
||||
3. Set rules to **Audit** and click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
4. Confirm the new Exploit Guard policy by clicking on **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
5. Once the policy is created click **Close**.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
6. Right-click on the newly created policy and choose **Deploy**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Target the policy to the newly created Windows 10 collection and click **OK**.
|
||||
|
||||
|
||||
|
||||
|
||||
After completing this task, you now have successfully configured ASR rules in audit mode.
|
||||
|
||||
@ -541,15 +540,15 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros
|
||||
|
||||
|
||||
### To set Network Protection rules in Audit mode:
|
||||
1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
|
||||
|
||||
|
||||
|
||||
2. Select **Network protection**.
|
||||
|
||||
3. Set the setting to **Audit** and click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
4. Confirm the new Exploit Guard Policy by clicking **Next**.
|
||||
|
||||
@ -561,42 +560,42 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros
|
||||
|
||||
6. Right-click on the newly created policy and choose **Deploy**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Select the policy to the newly created Windows 10 collection and choose **OK**.
|
||||
|
||||
|
||||
|
||||
|
||||
After completing this task, you now have successfully configured Network
|
||||
Protection in audit mode.
|
||||
|
||||
### To set Controlled Folder Access rules in Audit mode:
|
||||
|
||||
1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
|
||||
|
||||
|
||||
|
||||
2. Select **Controlled folder access**.
|
||||
|
||||
3. Set the configuration to **Audit** and click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
4. Confirm the new Exploit Guard Policy by clicking on **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
5. Once the policy is created click on **Close**.
|
||||
|
||||
|
||||
|
||||
|
||||
6. Right-click on the newly created policy and choose **Deploy**.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Target the policy to the newly created Windows 10 collection and click **OK**.
|
||||
|
||||
|
||||
|
||||
|
||||
After completing this task, you now have successfully configured Controlled folder access in audit mode.
|
||||
|
||||
|
||||
@ -219,7 +219,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s
|
||||
|
||||
## Deploy catalog files with Microsoft Endpoint Configuration Manager
|
||||
|
||||
As an alternative to Group Policy, you can use Microsoft Endpoint Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Microsoft Endpoint Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
|
||||
As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
|
||||
|
||||
>[!NOTE]
|
||||
>The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
|
||||
@ -294,7 +294,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s
|
||||
|
||||
## Inventory catalog files with Microsoft Endpoint Configuration Manager
|
||||
|
||||
When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Microsoft Endpoint Configuration Manager, you can inventory them with the software inventory feature of Microsoft Endpoint Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
|
||||
When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
|
||||
|
||||
>[!NOTE]
|
||||
>A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names.
|
||||
@ -332,7 +332,7 @@ When catalog files have been deployed to the computers within your environment,
|
||||
|
||||
9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files.
|
||||
|
||||
At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Microsoft Endpoint Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
|
||||
At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
|
||||
|
||||
1. Open the Configuration Manager console, and select the Assets and Compliance workspace.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user