deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update symantec-to-microsoft-defender-atp-part3.md

Browse Source
This commit is contained in:
Denise Vangel-MSFT 2020-06-12 10:21:36 -07:00
parent 7862d05419
commit f51efd3dc4
1 changed files with 68 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-part3.md
View File

@ -28,6 +28,8 @@ ms.topic: article
stuff (will draw from existing content here)
Set up Machine Groups or Device Collections or OU such as company department, administrative responsibility, or physical location or subnet.
## Deploy Microsoft Defender ATP and uninstall Symantec
@ -41,6 +43,72 @@ You can choose from several methods to onboard devices to Microsoft Defender ATP
stuff (will draw from existing content here)
For Windows 10, Windows Server 2016, and Windows Server 2019:
1. Deploy MDATP (EDR) can run side-by-side with any 3rd party EDR and/or AV and/or other security products.
2. SCCM Antimalware policies can be deployed ahead of time to the “Device Collections”.
3. SCCM ADR for MDAV “Platform update” and SCEP “Platform update” can be deployed ahead of time to the “Device Collections”.
4. MDAV (for Windows 10, Windows Server 2016, and Windows Server 2019) can run in passive-mode (no real-time protection) while the SEP AV is installed.
Note: Set “Passive Mode” registry for Windows Server 2016 and Windows Server 2019.
5. Uninstall 3rd party EDR (RSA NetWitness)
6. Uninstall 3rd party SEP AV
1) Unblock password (Anti-tamper, in order to remove)
2) Refresh SEP policy
<Add the command here.>
3) Uninstall the Endpoint Protection client using the command prompt
https://support.symantec.com/us/en/article.tech102470.html
There is an example for both PowerShell and DOS. This script could be automated to check for a ReturnValue to equal zero and if not then run “CleanWipe”
4) Download the CleanWipe removal tool to uninstall Endpoint Protection
https://support.symantec.com/us/en/article.howto124983.html
Note: SEP 14 now forces end-user interaction.
Article has the download and readme.
Select all apps in the tool and once completed it will require a reboot and once you log back in the software will continue and show completion. You will need to periodically check this article as they update the software versions often. You can also verify when running if it requires an update.
7. Change Passive Mode registry to disabled for Windows Server 2016 and Windows Server 2019.
8. Restart
What does this accomplish?
You stay protected with MDATP (EDR) while your 3rd party EDR is uninstalled.
Also protects you since after SEP is uninstalled, MDAV AV goes from “Passive Mode” to “Active Mode”.
For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2:
WARNING: Unlike MDAV, SCEP cannot run in passive-mode while any 3rd party AV (e.g. SEP AV) is installed.
1. Deploy MDATP (EDR) can run side-by-side with any 3rd party EDR and/or AV and/or other security products.
2. Uninstall 3rd party EDR
3. Uninstall 3rd party SEP AV
1) Unblock password (Anti-tamper, in order to remove)
2) Refresh SEP policy
%ProgramFiles(x86)\Symantec\Symantec Endpoint Protection\Smc.exe” -UpdateConfig
3) Uninstall the Endpoint Protection client using the command prompt
https://support.symantec.com/us/en/article.tech102470.html
TIP: Watch out for the different versions of SEP, instead of using the uninstall GUID, use the Powershell/WMI command in the article above.
There is an example for both PowerShell and DOS. This script could be automated to check for a ReturnValue to equal zero and if not then run “CleanWipe”
4) Download the CleanWipe removal tool to uninstall Endpoint Protection
https://support.symantec.com/us/en/article.howto124983.html
Article has the download and readme.
Select all apps in the tool and once completed it will require a reboot and once you log back in the software will continue and show completion. You will need to periodically check this article as they update the software versions often. You can also verify when running if it requires an update.
4. Install SCEP (for Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2)
Add instructions on how to setup “Client Settings” in SCCM.
About uninstall of SEP
And install of SCEP.
5. Restart
What does this accomplish?
You stay protected with MDATP (EDR) while your 3rd party AV and/or EDR are uninstalled.
<br/><br/><br/><br/><br/>