From 7fbffa54c4f1f9b59bcb39a785cab234872720cf Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 15 Jul 2016 17:51:39 -0700 Subject: [PATCH 01/23] Folded in add'l feedback from Suhas --- ...sed-security-and-code-integrity-policies.md | 6 +++--- ...ent-planning-guidelines-for-device-guard.md | 18 ++++++++++-------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index 07a789467a..f0e196b799 100644 --- a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md @@ -27,11 +27,11 @@ The following table lists security threats and describes the corresponding Devic | Security threat in the enterprise | How a Device Guard feature helps protect against the threat | | --------------------------------- | ----------------------------------------------------------- | -| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.

**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | +| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | | **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**:  Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.

**Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. | -| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | | **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:  With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.

**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | -| **Exposure to boot kits** or to other forms of malware that runs early in the boot process, or in kernel after startup | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering.

**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.

**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](credential-guard.md) and [AppLocker](applocker-overview.md). diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 9a91fc9bee..3fe868fb12 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -17,7 +17,7 @@ This article describes the following: - [Hardware, firmware, and software requirements for Device Guard](#hardware-firmware-and-software-requirements-for-device-guard) - [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections) - - [Device Guard requirements for additional protections](#device-guard-requirements-for-additional-protections) + - [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security) - [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices) - [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files) - [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing) @@ -32,11 +32,13 @@ For example, hardware that includes CPU virtualization extensions and SLAT will You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. -The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. +The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. - + -> **Note**  For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow. +> **Notes** +> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#how-device-guard-features-help-protect-against-threats). +> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow. ## Device Guard requirements for baseline protections @@ -51,15 +53,15 @@ The following tables provide more information about the hardware, firmware, and -> **Important**  The preceding table lists requirements for baseline protections. The following table lists requirements for additional protections. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support additional protections. +> **Important**  The preceding table lists requirements for baseline protections. The following table lists requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. -## Device Guard requirements for additional protections +## Device Guard requirements for improved security -The following tables describes additional hardware and firmware requirements, and the additional protections that are available when those requirements are met. We strongly recommend the following additional protections, which help you maximize the benefits that Device Guard can provide. +The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. ### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511) -|Additional Protections - requirement | Description | +| Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | From 8b94e572c540946802a3a066bac9edea7a7acc37 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Sat, 16 Jul 2016 20:15:59 -0700 Subject: [PATCH 02/23] added localization priority --- ...-windows-operating-system-components-to-microsoft-services.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4c01926131..f127fe3045 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -6,6 +6,7 @@ keywords: privacy, manage connections to Microsoft ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +LocalizationPriority: High author: brianlic-msft --- From 11d3a695ab9ae7cdce85ba5b35e72ab5cc7fb073 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Sat, 16 Jul 2016 20:22:17 -0700 Subject: [PATCH 03/23] fixed link --- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 3fe868fb12..9db41d44f1 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -37,7 +37,7 @@ The following tables provide more information about the hardware, firmware, and > **Notes** -> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#how-device-guard-features-help-protect-against-threats). +> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). > - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow. ## Device Guard requirements for baseline protections From 5796f0c8fae7af25872357b48b8175e0e5bd518c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 16:20:01 +1000 Subject: [PATCH 04/23] create new individual topics for onboarding --- ...ows-defender-advanced-threat-protection.md | 104 ++++++++++++++ ...ows-defender-advanced-threat-protection.md | 90 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 81 +++++++++++ ...ows-defender-advanced-threat-protection.md | 62 +++++++++ ...ows-defender-advanced-threat-protection.md | 131 +----------------- ...ows-defender-advanced-threat-protection.md | 20 --- 6 files changed, 339 insertions(+), 149 deletions(-) create mode 100644 windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md create mode 100644 windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md create mode 100644 windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md create mode 100644 windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..f169e2f545 --- /dev/null +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -0,0 +1,104 @@ +--- +title: Configure Windows Defender ATP endpoints using Group Policy +description: Use Group Policy to deploy the configuration package on endpoints so that they are onboarded to the service. +keywords: configure endpoints using group policy, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, group policy +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +## Configure endpoints using Group Policy + +**Applies to:** + +- Windows 10 Insider Preview Build 14332 or later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. + +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Select **Group Policy**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. + +3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. + +4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**. + +5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**. + +6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**. + +7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box. + +8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file. + +9. Click **OK** and close any open GPMC windows. + +## Additional Windows Defender ATP configuration settings + +You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. + +## Configure sample collection settings using Group Policy +1. On your GP management machine, copy the following files from the + configuration package: + + a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_ + + b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ + +2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor**, go to **Computer configuration**. + +4. Click **Policies**, then **Administrative templates**. + +5. Click **Windows components** and then **Windows Advanced Threat Protection**. + +6. Choose to enable or disable sample sharing from your endpoints. + +## Offboard endpoints using Group Policy +For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + +1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. + +3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit. + +4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**. + +5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**. + +6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**. + +7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box. + +8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file. + +9. Click **OK** and close any open GPMC windows. + +## Monitor endpoint configuration using Group Policy +With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools. + +## Monitor endpoints using the portal +1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). +2. Click **Machines view**. +3. Verify that endpoints are appearing. + +> **Note**  It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. + + diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..9d0c4df281 --- /dev/null +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -0,0 +1,90 @@ +--- +title: Configure Windows Defender ATP endpoints using Mobile Device Management tools +description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service. +keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure endpoints using Mobile Device Management tools + +**Applies to:** + +- Windows 10 Insider Preview Build 14332 or later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. + +For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). + +> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. + +## Configure endpoints using Microsoft Intune + +For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). + +> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. + +1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Select **Microsoft Intune**, click **Download package** and save the .zip file. + +2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATP.onboarding*. + +3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). + +Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: + - Onboarding + - Health Status for onboarded machines + - Configuration for onboarded machines + +> **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. + +Policy | OMA-URI | Type | Description | Value +:---|:---|:---|:---|:--- +Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Onboarding | Copy content from onboarding MDM file +Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is running | TRUE + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Onboarded to Windows Defender ATP | 1 + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Onboarded to Organization ID | Use OrgID from onboarding file + Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | Windows Defender ATP Sample sharing is enabled | 0 or 1
Default value: 1 + + +> **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. + +## Offboard and monitor endpoints using Mobile Device Management tools + +For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + +1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.offboarding*. + +3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). + +Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to: + - Offboarding + - Health Status for offboarded machines + - Configuration for offboarded machines + +Policy | OMA-URI | Type | Description | Value +:---|:---|:---|:---|:--- +Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Offboarding | Copy content from offboarding MDM file + Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0 + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + + diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..7536a1eee6 --- /dev/null +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -0,0 +1,81 @@ +--- +title: Configure Windows Defender ATP endpoints using System Center Configuration Manager +description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service. +keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure endpoints with System Center Configuration Manager + +**Applies to:** + +- Windows 10 Insider Preview Build 14332 or later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +## Configure endpoints using System Center Configuration Manager (current branch) version 1606 +System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. + +> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. + +## Configure endpoints using System Center 2012 Configuration Manager or later versions +You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier. + +1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. + +3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. + +4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. + + a. Choose a predefined device collection to deploy the package to. + +## Offboard endpoints using System Center Configuration Manager +For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + +1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click Endpoint Management on the Navigation pane. + b. Under Endpoint offboarding section, select System Center Configuration Manager (current branch) version 1602 or earlier, click Download package, and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. + +3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. + +4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. + + a. Choose a predefined device collection to deploy the package to. + +## Monitor endpoint configuration using System Center Configuration Manager +Monitoring with SCCM consists of two parts: + +1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. + +2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service). + +**To confirm the configuration package has been correctly deployed:** + +1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane. + +2. Click **Overview** and then **Deployments**. + +3. Click on the deployment with the package name. + +4. Review the status indicators under **Completion Statistics** and **Content Status**. + +If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information. + +![SCCM showing successful deployment with no errors](images/sccm-deployment.png) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..2209348988 --- /dev/null +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -0,0 +1,62 @@ +--- +title: Configure Windows Defender ATP endpoints using a local script +description: Use a local script to deploy the configuration package on endpoints so that they are onboarded to the service. +keywords: configure endpoints using a local script, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure endpoints using a local script +You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. + + +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Select **Local Script**, click **Download package** and save the .zip file. + + +2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. + +3. Open an elevated command-line prompt on the endpoint and run the script: + + a. Click **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + +4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* + +5. Press the **Enter** key or click **OK**. + +See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry. + +## Offboard endpoints using a local script +For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + +1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. + +3. Open an elevated command-line prompt on the endpoint and run the script: + + a. Click **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + +4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* + +5. Press the **Enter** key or click **OK**. \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index d2cc59754d..8ad58fa146 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -24,137 +24,10 @@ Endpoints in your organization must be configured so that the Windows Defender A Windows Defender ATP supports the following deployment tools and methods: - Group Policy -- System Center Configuration Manager (current branch) version 1606 -- System Center 2012 Configuration manager or later versions -- Mobile Device Management -- Microsoft Intune +- System Center Configuration Manager +- Mobile Device Management (including Microsoft Intune) - Local script -## Configure endpoints with Group Policy - -> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. - -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - - a. Click **Endpoint Management** on the **Navigation pane**. - - b. Select **Group Policy**, click **Download package** and save the .zip file. - -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. - -3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. - -4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**. - -5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**. - -6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**. - -7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box. - -8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file. - -9. Click **OK** and close any open GPMC windows. - -For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md). - -## Configure endpoints with System Center Configuration Manager (current branch) version 1606 -System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. - -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - -## Configure endpoints with System Center 2012 Configuration Manager or later versions -You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier. - -1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - - a. Click **Endpoint Management** on the **Navigation pane**. - - b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. - -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. - -3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. - -4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. - - a. Choose a predefined device collection to deploy the package to. - -## Configure endpoints with Mobile Device Management tools -You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. - -For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). - -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - -## Configure endpoints with Microsoft Intune - -For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). - -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - -1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - - a. Click **Endpoint Management** on the **Navigation pane**. - - b. Select **Microsoft Intune**, click **Download package** and save the .zip file. - -2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATP.onboarding*. - -3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). - -These policies are categorized into two groups: -- Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: - - Onboarding - - Health Status for onboarded machines - - Configuration for onboarded machines -- Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to: - - Offboarding - - Health Status for offboarded machines - - Configuration for offboarded machines - -> **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. - -Policy | OMA-URI | Type | Description | Value -:---|:---|:---|:---|:--- -Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Onboarding | Copy content from onboarding MDM file -Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is running | TRUE - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Onboarded to Windows Defender ATP | 1 - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Onboarded to Organization ID | Use OrgID from onboarding file - Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | Windows Defender ATP Sample sharing is enabled | 0 or 1
Default value: 1 - Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Offboarding | Copy content from offboarding MDM file - Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0 - -> **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. - -## Configure endpoints individually with a local script - -You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. - - -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - - a. Click **Endpoint Management** on the **Navigation pane**. - - b. Select **Local Script**, click **Download package** and save the .zip file. - - -2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. - -3. Open an elevated command-line prompt on the endpoint and run the script: - - a. Click **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) - -4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* - -5. Press the **Enter** key or click **OK**. - -See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry. ## Related topics - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md index 8babe1f172..1fbfe3d5ef 100644 --- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md @@ -36,27 +36,7 @@ Monitoring can be done directly on the portal, or by using System Center Configu > **Note**  It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. -## Monitor with System Center Configuration Manager -Monitoring with SCCM consists of two parts: - -1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. - -2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service). - -**To confirm the configuration package has been correctly deployed:** - -1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane. - -2. Click **Overview** and then **Deployments**. - -3. Click on the deployment with the package name. - -4. Review the status indicators under **Completion Statistics** and **Content Status**. - -If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information. - -![SCCM showing successful deployment with no errors](images/sccm-deployment.png) ## Related topics From 6ba7e97cc95453970e87d5bbf99b81e424c1e9fa Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 16:28:50 +1000 Subject: [PATCH 05/23] add new topics in TOC --- windows/keep-secure/TOC.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 6d463f47d2..0d946ebdf1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -682,6 +682,13 @@ #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +####### [Configure endpoints using SCCM 2016](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-(current-branch)-version-1606)) +####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) +###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) +###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) ##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) ##### [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) From 1a852d7c04059ad22b1404146ae2e61da1aa080f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 17:51:45 +1000 Subject: [PATCH 06/23] fix extension names --- windows/keep-secure/TOC.md | 4 +--- ...-windows-defender-advanced-threat-protection.md | 5 +++-- ...-windows-defender-advanced-threat-protection.md | 6 ++++-- ...-windows-defender-advanced-threat-protection.md | 14 ++++++++------ ...-windows-defender-advanced-threat-protection.md | 4 ++-- 5 files changed, 18 insertions(+), 15 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 0d946ebdf1..33111e697a 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,14 +684,12 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 2016](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-(current-branch)-version-1606)) +####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-(current-branch)-version-1606)) ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -##### [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) #### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index f169e2f545..4a37f932dc 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -21,6 +21,7 @@ author: mjcaparas > **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. +### Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. @@ -47,7 +48,7 @@ author: mjcaparas You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. -## Configure sample collection settings using Group Policy +### Configure sample collection settings using Group Policy 1. On your GP management machine, copy the following files from the configuration package: @@ -65,7 +66,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa 6. Choose to enable or disable sample sharing from your endpoints. -## Offboard endpoints using Group Policy +### Offboard endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 9d0c4df281..72fa25d9dd 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -31,6 +31,8 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre > **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. +### Onboard and monitor endpoints + 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. @@ -59,7 +61,7 @@ Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThrea > **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. -## Offboard and monitor endpoints using Mobile Device Management tools +### Offboard and monitor endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -70,7 +72,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.offboarding*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 7536a1eee6..c4ac346a95 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security author: mjcaparas --- -# Configure endpoints with System Center Configuration Manager +# Configure endpoints uisng System Center Configuration Manager **Applies to:** @@ -24,8 +24,10 @@ System Center Configuration Manager (current branch) version 1606, currently in > **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. -## Configure endpoints using System Center 2012 Configuration Manager or later versions -You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier. +## Configure endpoints using System Center Configuration Manager (current branch) version 1602 or earlier versions +You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center Configuration Manager (current branch), version 1602 or earlier, including: System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager. + +### Onboard endpoints 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): @@ -41,7 +43,7 @@ You can use System Center Configuration Manager’s existing functionality to cr a. Choose a predefined device collection to deploy the package to. -## Offboard endpoints using System Center Configuration Manager +### Offboard endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. @@ -51,7 +53,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click Endpoint Management on the Navigation pane. b. Under Endpoint offboarding section, select System Center Configuration Manager (current branch) version 1602 or earlier, click Download package, and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. @@ -59,7 +61,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Choose a predefined device collection to deploy the package to. -## Monitor endpoint configuration using System Center Configuration Manager +### Monitor endpoint configuration using System Center Configuration Manager Monitoring with SCCM consists of two parts: 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 2209348988..61c7f401cc 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -47,7 +47,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_\.cmd*. 3. Open an elevated command-line prompt on the endpoint and run the script: @@ -57,6 +57,6 @@ For security reasons, the package used to offboard endpoints will expire 30 days ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* +4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_\.cmd* 5. Press the **Enter** key or click **OK**. \ No newline at end of file From 42ad97dacef62abc76f51a7f8fb76b7687ed74a0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 18:24:44 +1000 Subject: [PATCH 07/23] add related topics, update table --- ...p-windows-defender-advanced-threat-protection.md | 4 ++++ ...m-windows-defender-advanced-threat-protection.md | 4 ++++ ...m-windows-defender-advanced-threat-protection.md | 7 ++++++- ...t-windows-defender-advanced-threat-protection.md | 8 +++++++- ...s-windows-defender-advanced-threat-protection.md | 13 +++++++------ ...e-windows-defender-advanced-threat-protection.md | 2 -- 6 files changed, 28 insertions(+), 10 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 4a37f932dc..60cced9f5d 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -103,3 +103,7 @@ With Group Policy there isn’t an option to monitor deployment of policies on t > **Note**  It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. +## Related topics +- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 72fa25d9dd..1b027dbcf2 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -90,3 +90,7 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | > **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. +## Related topics +- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index c4ac346a95..d4cb1cc475 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -80,4 +80,9 @@ Monitoring with SCCM consists of two parts: If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information. -![SCCM showing successful deployment with no errors](images/sccm-deployment.png) \ No newline at end of file +![SCCM showing successful deployment with no errors](images/sccm-deployment.png) + +## Related topics +- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 61c7f401cc..ee77bcc824 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -59,4 +59,10 @@ For security reasons, the package used to offboard endpoints will expire 30 days 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_\.cmd* -5. Press the **Enter** key or click **OK**. \ No newline at end of file +5. Press the **Enter** key or click **OK**. + + +## Related topics +- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 8ad58fa146..0028b5478b 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -28,9 +28,10 @@ Windows Defender ATP supports the following deployment tools and methods: - Mobile Device Management (including Microsoft Intune) - Local script - -## Related topics -- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +## In this section +Topic | Description +:---|:--- +[Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints. +[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints. +[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints. +[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints. diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index 668883a264..3cfcbb1cde 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md @@ -36,6 +36,4 @@ Topic | Description :---|:--- [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise. [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. -[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md) | Learn how to configure settings for sample sharing used in the deep analysis feature. -[Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. From 503fcca7068431ff5392fdfcf3db2e8baf2da72d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 18:37:45 +1000 Subject: [PATCH 08/23] fixing anchor links --- windows/keep-secure/TOC.md | 2 +- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 33111e697a..9275942925 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,7 +684,7 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-(current-branch)-version-1606)) +####### [Configure endpoints using SCCM 1606]() ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index d4cb1cc475..0def99f471 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -19,6 +19,7 @@ author: mjcaparas [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. From 61b75109aa088eb6cc5aec05cc7dcc760c149566 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 19:11:25 +1000 Subject: [PATCH 09/23] fixing anchor link --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 9275942925..75bdcca63f 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,7 +684,7 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606]() +####### [Configure endpoints using SCCM 1606] ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) From f25776cd8bb71c6bdd4189c9b5f871405282eec1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 19:46:31 +1000 Subject: [PATCH 10/23] update anchor, update toc, update title --- windows/keep-secure/TOC.md | 2 +- ...-endpoints-gp-windows-defender-advanced-threat-protection.md | 2 +- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 75bdcca63f..634f47eedf 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,7 +684,7 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606] +####### [Configure endpoints using SCCM 1606](#sccm1606) ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 60cced9f5d..2f8fc98460 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security author: mjcaparas --- -## Configure endpoints using Group Policy +# Configure endpoints using Group Policy **Applies to:** diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 0def99f471..d33636f939 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -19,7 +19,7 @@ author: mjcaparas [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - + ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. From 3ae5868b0b944fd20678c733413e25b743dd9acd Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 19:56:00 +1000 Subject: [PATCH 11/23] fixing link --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 634f47eedf..4847d00389 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,7 +684,7 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606](#sccm1606) +####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1606) ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) From 21fba964ecf0d96ad25481c6bb68f3ee7f310f24 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:02:43 +1000 Subject: [PATCH 12/23] remove old text topic --- ...gure-windows-defender-advanced-threat-protection.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index 3cfcbb1cde..942dfa02ee 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md @@ -21,16 +21,6 @@ author: iaanw You need to onboard to Windows Defender ATP before you can use the service. - - - - ## In this section Topic | Description :---|:--- From f6c56953a10819057c3a2ad897e489655ab086a4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:03:56 +1000 Subject: [PATCH 13/23] fix typo --- ...dpoints-sccm-windows-defender-advanced-threat-protection.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index d33636f939..fef8fdb284 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -10,7 +10,8 @@ ms.pagetype: security author: mjcaparas --- -# Configure endpoints uisng System Center Configuration Manager +# Configure endpoints using System Center Configuration Manager + **Applies to:** From dc779d17515afb8f4d424f428a11c82cd9ddd9b1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:18:02 +1000 Subject: [PATCH 14/23] test link --- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index fef8fdb284..6c7eaeb7d1 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -20,7 +20,7 @@ author: mjcaparas [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - + ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. From 6234a105d3465fdf03f088b3a3481f56f634ec31 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:30:16 +1000 Subject: [PATCH 15/23] fix Related topics --- ...ows-defender-advanced-threat-protection.md | 47 ------- ...ows-defender-advanced-threat-protection.md | 3 - ...ows-defender-advanced-threat-protection.md | 3 - ...ows-defender-advanced-threat-protection.md | 46 ------- ...ows-defender-advanced-threat-protection.md | 121 ------------------ ...ows-defender-advanced-threat-protection.md | 4 +- 6 files changed, 1 insertion(+), 223 deletions(-) delete mode 100644 windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md delete mode 100644 windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md delete mode 100644 windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md diff --git a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 93d466aa32..0000000000 --- a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Additional Windows Defender ATP configuration settings -description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature. -keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates, -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: security -ms.sitesec: library -author: mjcaparas ---- - -# Additional Windows Defender ATP configuration settings - -**Applies to** - -- Windows 10 Insider Preview Build 14332 or later -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. - -## Configure sample collection settings with Group Policy -1. On your GP management machine, copy the following files from the - configuration package: - - a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_ - - b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ - -2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor**, go to **Computer configuration**. - -4. Click **Policies**, then **Administrative templates**. - -5. Click **Windows components** and then **Windows Advanced Threat Protection**. - -6. Choose to enable or disable sample sharing from your endpoints. - -## Related topics - -- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 0c31cc5832..27177d0829 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -179,8 +179,5 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. ## Related topics - - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md index 6e239a2aea..f019d14fdf 100644 --- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md @@ -242,9 +242,6 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen ## Related topics - - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 1fbfe3d5ef..0000000000 --- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -title: Monitor Windows Defender ATP onboarding -description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. -keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas ---- - -# Monitor Windows Defender Advanced Threat Protection onboarding - -**Applies to:** - -- Windows 10 Insider Preview Build 14322 or later -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -You can monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. - -You might need to monitor the onboarding if the package did not configure the registry correctly, or the reporting client did not start or execute correctly. - -Monitoring can be done directly on the portal, or by using System Center Configuration Manager (SCCM). - -## Monitor with the portal - -1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). - -2. Click **Machines view**. - -3. Verify that endpoints are appearing. - - -> **Note**  It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. - - - -## Related topics - -- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 790d75a1dd..0000000000 --- a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,121 +0,0 @@ ---- -title: Windows Defender ATP service onboarding -description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal. -keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users, -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas ---- - -# Windows Defender ATP service onboarding - -**Applies to:** - -- Windows 10 Insider Preview Build 14332 or later -- Azure Active Directory -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -You have to assign users to the Windows Defender ATP Service application in Azure Active Directory (AAD) before they can access the portal. - -**Manage user access to the Windows Defender ATP portal**: - -1. When you first go to the [Windows Defender ATP portal](https://securitycenter.windows.com/) and your directory does not - have users assigned to the Windows ATP Service application, you will - be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access. - - > **Note**  In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD. - -2. Ensure you have logged in to Microsoft Azure with an account that - has permissions to assign users to an application in AAD. You might - need to sign out of Microsoft Azure and then sign back in again if - you used a different account to sign in to the Windows Defender ATP - portal: - - a. On the top menu, click the signed-in user’s name. - - b. Click **Sign out**. - - ![Azure sign out](images/azure-signout.png) - - c. Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in. - - d. Sign in with the correct user name and password for an account that has permissions to assign users in AAD. - -3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/). - - ![Azure Active Directory menu](images/azure-browse.png) - -4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this: - - a. Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal. - - ![Azure organization menu](images/azure-org-directory.png) - - b. Scroll down in the navigation pane and click **Active Directory**. - - ![Azure active directory](images/azure-active-directory.png) - -5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is - called **Contoso**. - - ![Azure active directory list](images/azure-active-directory-list.png) - - > **Note**  You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list. - -6. Click **Applications** from the top menu bar. - - ![Example organization in Azure Active Directory](images/contoso.png) - -7. Click the **Windows ATP Service** application. The dashboard for the application is shown. - - ![Example selected organization in Azure Active Directory](images/contoso-application.png) - - > **Note**  The application might have a slightly different name than the one shown here. It might be called **Windows Defender ATP Service**. - -8. Click **Users** from the top menu bar. A list of users that are in the directory is displayed. - - ![Example windows atp service users](images/windows-atp-service.png) - - ![Example user assignment to the windows atp service](images/assign-users.png) - - > **Note**  If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single user’s account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section for instructions on adding users to a directory. - -9. Select the user you want manage. - -10. Click **Assign**. - -11. Confirm that you want to enable access for the user from the notification bar. If you click **Yes**, the user is given access to the Windows Defender ATP portal. One or more progress bars will appear that indicates the user is being assigned a role, and you will see confirmation messages. You don’t need to do anything with the messages, they will go away after a short period of time. - - ![Confirmation page to enable access to users](images/confirm-user-access.png) - -12. To remove the user's access, click **Remove**. - -13. Select the **Disable access to this app for the selected users** checkbox, and then click **Complete** ![Complete icon](images/check-icon.png). One or more progress bars will appear, followed by confirmation messages. The messages will disappear after a short period. - - ![Remove menu](images/remove-menu.png) - -14. To remove the access for all users, click **Manage access**. If you click **Complete** ![Complete icon](images/check-icon.png), you will not see the Windows ATP Service in the list of applications in your directory. - - > **Note**  If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). - -15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard. - - > **Note**  You need to assign roles for every user in your organization that requires access to the Windows Defender ATP portal. You can assign roles at any time by going to the Azure Management Portal, clicking **Active Directory**, and then finding your directory in the list and following the steps above. - -When you have finished assigning roles, return to the [Windows Defender ATP portal](https://securitycenter.windows.com) and refresh the -page. - -Follow the steps in the onboarding wizard to complete the onboarding process. - -At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Endpoint Management** menu on the portal after you have completed the onboarding wizard. - -## Related topics -- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 5cb5400bb0..b9baeb947e 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -436,8 +436,6 @@ Log in to the application in the Azure Management Portal again: --> ## Related topics - - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) + From 2a590e99160f488b3f89d48c1f4777321ca11fb7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:40:33 +1000 Subject: [PATCH 16/23] swap description and value from table --- ...dm-windows-defender-advanced-threat-protection.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 1b027dbcf2..a06b2c7212 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -50,13 +50,13 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end > **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. -Policy | OMA-URI | Type | Description | Value +Policy | OMA-URI | Type | Value | Description :---|:---|:---|:---|:--- -Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Onboarding | Copy content from onboarding MDM file -Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is running | TRUE - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Onboarded to Windows Defender ATP | 1 - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Onboarded to Organization ID | Use OrgID from onboarding file - Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | Windows Defender ATP Sample sharing is enabled | 0 or 1
Default value: 1 +Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding +Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID + Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
Default value: 1 | Windows Defender ATP Sample sharing is enabled > **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. From 430159e5140f2b40603bbf9d1e14879f038f5889 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:42:02 +1000 Subject: [PATCH 17/23] add anchor, update TOC --- windows/keep-secure/TOC.md | 2 +- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 4847d00389..aea7299ce0 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -685,7 +685,7 @@ ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1606) -####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) +####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1602) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 6c7eaeb7d1..a46848c5fc 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -26,6 +26,7 @@ System Center Configuration Manager (current branch) version 1606, currently in > **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. + ## Configure endpoints using System Center Configuration Manager (current branch) version 1602 or earlier versions You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center Configuration Manager (current branch), version 1602 or earlier, including: System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager. From d2d42ea05710513e32aeb27117cc023720841e4a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:45:36 +1000 Subject: [PATCH 18/23] fix dead link --- ...stigate-files-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md index c7e1a14928..5dfb3959f9 100644 --- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md @@ -121,7 +121,7 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection Value = 0 - block sample collection Value = 1 - allow sample collection ``` -5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](additional-configuration-windows-defender-advanced-threat-protection.md#configure-with-group-policy). +5. Change the organizational unit through the Group Policy. See [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). > **Note**  If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. From 037efac74643b5c26a0c2d26c0168054be6b57b8 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 21:07:43 +1000 Subject: [PATCH 19/23] remove extra note, update file extension --- ...-windows-defender-advanced-threat-protection.md | 2 +- ...-windows-defender-advanced-threat-protection.md | 14 ++++++-------- ...-windows-defender-advanced-threat-protection.md | 2 +- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 2f8fc98460..9f63869e32 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -19,7 +19,7 @@ author: mjcaparas [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. +> **Note**  To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. ### Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index a06b2c7212..4d464268ea 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -29,8 +29,6 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - ### Onboard and monitor endpoints 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): @@ -44,9 +42,9 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: - - Onboarding - - Health Status for onboarded machines - - Configuration for onboarded machines +- Onboarding +- Health Status for onboarded machines +- Configuration for onboarded machines > **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. @@ -77,9 +75,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to: - - Offboarding - - Health Status for offboarded machines - - Configuration for offboarded machines +- Offboarding +- Health Status for offboarded machines +- Configuration for offboarded machines Policy | OMA-URI | Type | Description | Value :---|:---|:---|:---|:--- diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index a46848c5fc..2fab49e4ef 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -56,7 +56,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click Endpoint Management on the Navigation pane. b. Under Endpoint offboarding section, select System Center Configuration Manager (current branch) version 1602 or earlier, click Download package, and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. From a1772b7bc300ecc680ecda8f740f1d1e65eeba02 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 21:28:46 +1000 Subject: [PATCH 20/23] updates based on Naama's feedback --- windows/keep-secure/TOC.md | 2 -- ...indows-defender-advanced-threat-protection.md | 8 +++++--- ...indows-defender-advanced-threat-protection.md | 16 ++++++++-------- ...indows-defender-advanced-threat-protection.md | 15 +++++++++------ ...indows-defender-advanced-threat-protection.md | 3 ++- 5 files changed, 24 insertions(+), 20 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index aea7299ce0..c34ebed59a 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,8 +684,6 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1606) -####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1602) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 9f63869e32..d8db5694c4 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -48,7 +48,7 @@ author: mjcaparas You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. -### Configure sample collection settings using Group Policy +### Configure sample collection settings 1. On your GP management machine, copy the following files from the configuration package: @@ -74,6 +74,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. @@ -92,7 +93,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 9. Click **OK** and close any open GPMC windows. -## Monitor endpoint configuration using Group Policy +## Monitor endpoint configuration With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools. ## Monitor endpoints using the portal @@ -106,4 +107,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t ## Related topics - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 4d464268ea..410e537b06 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -14,7 +14,7 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Insider Preview Build 14379 or later - Windows Defender Advanced Threat Protection (Windows Defender ATP) [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] @@ -35,9 +35,9 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre a. Click **Endpoint Management** on the **Navigation pane**. - b. Select **Microsoft Intune**, click **Download package** and save the .zip file. + b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file. -2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATP.onboarding*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATP.onboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). @@ -68,9 +68,10 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. - b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. + b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). @@ -85,10 +86,9 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0 -> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. - ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 2fab49e4ef..1c057d851f 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -15,7 +15,7 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Insider Preview Build 14379 or later - Windows Defender Advanced Threat Protection (Windows Defender ATP) [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] @@ -36,7 +36,7 @@ You can use System Center Configuration Manager’s existing functionality to cr a. Click **Endpoint Management** on the **Navigation pane**. - b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. + b. Select **System Center Configuration Manager (current branch) version 1602**, click **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. @@ -47,14 +47,16 @@ You can use System Center Configuration Manager’s existing functionality to cr a. Choose a predefined device collection to deploy the package to. ### Offboard endpoints + For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click Endpoint Management on the Navigation pane. - b. Under Endpoint offboarding section, select System Center Configuration Manager (current branch) version 1602 or earlier, click Download package, and save the .zip file. + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Under **Endpoint offboarding** section, select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. @@ -64,7 +66,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Choose a predefined device collection to deploy the package to. -### Monitor endpoint configuration using System Center Configuration Manager +### Monitor endpoint configuration Monitoring with SCCM consists of two parts: 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. @@ -88,4 +90,5 @@ If there are failed deployments (endpoints with **Error**, **Requirements Not Me ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index ee77bcc824..eacde8021a 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -65,4 +65,5 @@ For security reasons, the package used to offboard endpoints will expire 30 days ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file From edbd2654237e9127c4c8308ec77614dfa49f38db Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 21:40:08 +1000 Subject: [PATCH 21/23] add or earlier --- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 1c057d851f..5a35bad778 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ You can use System Center Configuration Manager’s existing functionality to cr a. Click **Endpoint Management** on the **Navigation pane**. - b. Select **System Center Configuration Manager (current branch) version 1602**, click **Download package**, and save the .zip file. + b. Select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. From ac5820fcd75a587fdeb7648322c0522d76661b40 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 21:46:40 +1000 Subject: [PATCH 22/23] swap desc and value, update build number --- ...nts-mdm-windows-defender-advanced-threat-protection.md | 8 ++++---- ...ts-sccm-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 410e537b06..ec376fe348 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -80,11 +80,11 @@ Offboarding - Use the offboarding policies to remove configuration settings on e - Health Status for offboarded machines - Configuration for offboarded machines -Policy | OMA-URI | Type | Description | Value +Policy | OMA-URI | Type | Value | Description :---|:---|:---|:---|:--- -Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Offboarding | Copy content from offboarding MDM file - Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0 +Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding + Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP ## Related topics diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 5a35bad778..3f7fac27dc 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -15,7 +15,7 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14379 or later +- Windows 10 Insider Preview Build 14332 or later - Windows Defender Advanced Threat Protection (Windows Defender ATP) [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] From c9fa2bb11b6b34a8350161c716906e6159924465 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 22:44:56 +1000 Subject: [PATCH 23/23] updates on style and remove notes --- ...dm-windows-defender-advanced-threat-protection.md | 12 +++++------- ...pt-windows-defender-advanced-threat-protection.md | 6 +++--- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index ec376fe348..22692ee168 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -23,8 +23,6 @@ You can use mobile device management (MDM) solutions to configure endpoints. Win For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - ## Configure endpoints using Microsoft Intune For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). @@ -46,8 +44,6 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end - Health Status for onboarded machines - Configuration for onboarded machines -> **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. - Policy | OMA-URI | Type | Value | Description :---|:---|:---|:---|:--- Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding @@ -57,7 +53,7 @@ Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThrea Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
Default value: 1 | Windows Defender ATP Sample sharing is enabled -> **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. +> **Note**  Policies **Health Status for onboarded machines** use read-only properties and can't be remediated. ### Offboard and monitor endpoints @@ -85,8 +81,10 @@ Policy | OMA-URI | Type | Value | Description Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP - - + +> **Note**  Policies **Health Status for offboarded machines** use read-only properties and can't be remediated. + + ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index eacde8021a..37cff93fb6 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -31,7 +31,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* +4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd* 5. Press the **Enter** key or click **OK**. @@ -47,7 +47,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_\.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Open an elevated command-line prompt on the endpoint and run the script: @@ -57,7 +57,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_\.cmd* +4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* 5. Press the **Enter** key or click **OK**.