From 67acc71d0da74638200937bc9c6a118c59e7dd65 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 7 Oct 2020 14:55:13 -0700 Subject: [PATCH 1/6] update sections --- windows/security/threat-protection/TOC.md | 2 +- .../configure-server-endpoints.md | 61 ++++++++++++------- 2 files changed, 40 insertions(+), 23 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f69cdfadb5..c7f7335c43 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -448,7 +448,7 @@ ##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md) ##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md) -#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md) +#### [Onboard Windows servers](microsoft-defender-atp/configure-server-endpoints.md) #### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md) #### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md) #### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 38b47a18f9..d1a8195e28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -54,16 +54,36 @@ For guidance on how to download and use Windows Security Baselines for Windows s You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options: -- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center) +- **Option 1**: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) - **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) + +After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + + > [!NOTE] > Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). -### Option 1: Onboard Windows servers through Microsoft Defender Security Center -Perform the following steps to onboard Windows servers through Microsoft Defender Security Center: +### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) +You'll need to install and configure MMA for Windows servers to report sensor data to Microsoft Defender ATP. 
For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). + +If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. + +In general, you'll need to take the following steps: +1. Fulfill the onboarding requirements outlined in **Before you begin section**. +2. Turn on server monitoring from Microsoft Defender Security center. +3. Install and configure MMA for the server to report sensor data to Microsoft Defender ATP. +4. Configure and update System Center Endpoint Protection clients. + + +> [!TIP] +> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). + + +#### Before you begin +Perform the following steps to fulfill the onboarding requirements: - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) 
@@ -77,26 +97,8 @@ Perform the following steps to onboard Windows servers through Microsoft Defende > [!NOTE] > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. - - [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal). - - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. - - Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). - -> [!TIP] -> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). - -### Configure and update System Center Endpoint Protection clients - -Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. - -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). 
- -- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - - -### Turn on Server monitoring from the Microsoft Defender Security Center portal +### Turn on Server monitoring from the Microsoft Defender Security Center portal -MICHAEL TO VERIFY 1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**. 
@@ -135,9 +137,24 @@ Once completed, you should see onboarded Windows servers in the portal within an 4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + ### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + +## Configure and update System Center Endpoint Protection clients + +Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). + +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. 
+ + + ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: From a84b75dab2eef7e2cedfe87eca78142937593cf0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 7 Oct 2020 15:09:39 -0700 Subject: [PATCH 2/6] update anchor --- .../microsoft-defender-atp/configure-server-endpoints.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index d1a8195e28..85b7f737b9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -54,7 +54,7 @@ For guidance on how to download and use Windows Security Baselines for Windows s You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options: -- **Option 1**: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) +- **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma) - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) - **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) 
@@ -72,7 +72,7 @@ You'll need to install and configure MMA for Windows servers to report sensor da If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. In general, you'll need to take the following steps: -1. Fulfill the onboarding requirements outlined in **Before you begin section**. +1. Fulfill the onboarding requirements outlined in **Before you begin** section. 2. Turn on server monitoring from Microsoft Defender Security center. 3. Install and configure MMA for the server to report sensor data to Microsoft Defender ATP. 4. Configure and update System Center Endpoint Protection clients. From db33b71b9c8a914c06ea4780e1b8fde25b9a19d2 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 8 Oct 2020 16:34:25 -0700 Subject: [PATCH 3/6] Update configure-server-endpoints.md --- .../configure-server-endpoints.md | 54 ++++++++----------- 1 file changed, 23 insertions(+), 31 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 85b7f737b9..1544d16c1a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -37,14 +37,6 @@ ms.topic: article Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. -The service supports the onboarding of the following Windows servers: -- Windows Server 2008 R2 SP1 -- Windows Server 2012 R2 -- Windows Server 2016 -- Windows Server (SAC) version 1803 and later -- Windows Server 2019 and later -- Windows Server 2019 core edition - For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). 
@@ -56,7 +48,7 @@ You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows - **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma) - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) -- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) +- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). 
@@ -98,14 +90,6 @@ Perform the following steps to fulfill the onboarding requirements: > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. -### Turn on Server monitoring from the Microsoft Defender Security Center portal -MICHAEL TO VERIFY - -1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**. - -2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system. - -3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. - ### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP 
@@ -117,16 +101,22 @@ Perform the following steps to fulfill the onboarding requirements: On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md). -Once completed, you should see onboarded Windows servers in the portal within an hour. -### Configure Windows server proxy and Internet connectivity settings +### Configure Windows server proxy and Internet connectivity settings if needed +If your servers need to use a proxy to communicate with Microsoft Defender ATP, use one of the following methods to configure the MMA to use the proxy server: -- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway. -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + +- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard). 
+ +- [Configure the Windows to use a proxy server for all connections](configure-proxy-internet.md) + +If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + + +Once completed, you should see onboarded Windows servers in the portal within an hour. ### Option 2: Onboard Windows servers through Azure Security Center 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**. @@ -144,15 +134,6 @@ You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsof After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). -## Configure and update System Center Endpoint Protection clients - -Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. - -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). - -- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition 
@@ -218,6 +199,17 @@ Data collected by Microsoft Defender ATP is stored in the geo-location of the te Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. +## Configure and update System Center Endpoint Protection clients + +Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). + +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. + + + ## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. From 5411d76ba7c0f5e424a77389ac6c438244bb59f3 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 8 Oct 2020 16:58:56 -0700 Subject: [PATCH 4/6] period --- .../microsoft-defender-atp/configure-server-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 1544d16c1a..59eabd5750 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -109,7 +109,7 @@ Perform the following steps to fulfill the onboarding requirements: If your servers need to use a proxy to communicate with Microsoft Defender ATP, use one of the following methods to configure the MMA to use the proxy server: -- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard). +- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard) - [Configure the Windows to use a proxy server for all connections](configure-proxy-internet.md) From d2fe6ae9a12873962509b3ec309e06f48740a9eb Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 16 Oct 2020 10:19:37 -0700 Subject: [PATCH 5/6] minor updates --- .../microsoft-defender-atp/configure-server-endpoints.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 59eabd5750..0ddcd8c630 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -111,10 +111,9 @@ If your servers need to use a proxy to communicate with Microsoft Defender ATP, - [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard) -- [Configure the Windows to use a proxy server for all connections](configure-proxy-internet.md) - -If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). +- [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md) +If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender ATP service URLs directly and without SSL interception. For more information, see [enable access to Microsoft Defender ATP service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service. Once completed, you should see onboarded Windows servers in the portal within an hour. From 5bd71e4a71d3a64f6e34485f6c7c69e659d5cb27 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 16 Oct 2020 13:13:53 -0700 Subject: [PATCH 6/6] Add note on panics on Big Sur --- .../threat-protection/microsoft-defender-atp/mac-whatsnew.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index ca4617cc28..98c20cb71d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -46,6 +46,10 @@ ms.topic: conceptual ## 101.09.50 - This product version has been validated on macOS Big Sur 11 beta 9 + + > [!IMPORTANT] + > Extensive testing of MDE (Microsoft Defender for Endpoint) with new macOS system extensions revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. + - The new syntax for the `mdatp` command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender ATP for Mac](mac-resources.md#configuring-from-the-command-line) > [!NOTE]
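Review bot: In PATCH 1/6, hunk `@@ -54,16 +54,36 @@` of configure-server-endpoints.md, the `> [!NOTE]` directly below the option list still says a standalone server license is needed "to onboard a Windows server through Microsoft Defender Security Center (Option 1)", but this hunk renames Option 1 to "Onboard by installing and configuring Microsoft Monitoring Agent (MMA)", so the note now describes an option title that no longer exists; reword it to match the new Option 1. In the same hunk the Option 1 bullet loses its in-page anchor while Options 2 and 3 keep theirs (PATCH 2/6 restores it, so these two commits should be squashed), "Microsoft defender ATP" should be capitalized, and step 2 of the "In general" list should read "Microsoft Defender Security Center", not "Security center".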
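Review bot: In PATCH 1/6, hunk `@@ -77,26 +97,8 @@`, the added heading line `+### Turn on Server monitoring from the Microsoft Defender Security Center portal -MICHAEL TO VERIFY` commits an internal review placeholder into a published page heading; it should not land in the docs tree even transiently. PATCH 3/6 deletes the whole section, so squash the two rather than leave the placeholder in history, and see the separate comment on that deletion.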
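Review bot: In PATCH 1/6, hunk `@@ -135,9 +137,24 @@`, the two added sentences "After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients]" (and the matching sentence added after the option list in the first hunk) present the SCEP step as mandatory for every option, while the note that survives in the Before-you-begin list says "This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2." Qualify the three sentences, for example "if your organization uses System Center Endpoint Protection, ...", so the page does not contradict itself. Also trim the three blank lines left before `## Windows Server (SAC) version 1803 ...`.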
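Review bot: In PATCH 3/6, hunk `@@ -37,14 +37,6 @@`, removing the "The service supports the onboarding of the following Windows servers" list deletes the page's only at-a-glance statement of supported versions; after this change the intro says Defender ATP "extends support to also include the Windows Server operating system" with no versions attached, and the reader has to infer the list from the option sentence and the later `## Windows Server (SAC) version 1803, Windows Server 2019, ...` heading. If the removal is intentional, add a sentence pointing to those two sections; otherwise keep the list.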
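Review bot: In PATCH 3/6, hunk `@@ -98,14 +90,6 @@`, deleting the "Turn on Server monitoring from the Microsoft Defender Security Center portal" section leaves step 2 of the Option 1 overview list ("2. Turn on server monitoring from Microsoft Defender Security center.") with no corresponding section, and it removes the only instructions for obtaining the workspace values: the deleted step 3 said "the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent." Either restore the three portal steps (without the placeholder) or update the overview list and state where the Workspace ID and key come from before the MMA setup steps.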
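Review bot: In PATCH 3/6, hunk `@@ -117,16 +101,22 @@`, the rewrite drops the connectivity requirement "Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway." and replaces it with proxy guidance that applies only "if needed", so the OMS Gateway path disappears and the page no longer states the HTTPS requirement at all; restate the requirement above the two proxy bullets. The "Configure the MMA to use a proxy server" link targets `agent-windows#install-agent-using-setup-wizard`, which is the setup-wizard anchor rather than a proxy-specific one; verify it. "Configure the Windows to use a proxy server" should be "Configure Windows ..." (fixed in PATCH 5/6, another candidate for squashing).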
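Review bot: In PATCH 3/6, hunk `@@ -218,6 +199,17 @@`, the relocated "## Configure and update System Center Endpoint Protection clients" section now sits between the GCC note ("Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.") and "## Offboard Windows servers", far from the Option 1 flow that depends on it and after the Windows Server 2019 material to which it does not apply. Since all three "After completing the onboarding steps" sentences link to it, consider placing it immediately after Option 3 as the companion hunk `@@ -144,15 +134,6 @@` had it, and drop the two extra blank lines added before `## Offboard Windows servers`.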
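Review bot: In PATCH 5/6, hunk `@@ -111,10 +111,9 @@`, the new "If a proxy or firewall is in use, ..." paragraph now directly follows the `- [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md)` bullet with the separating blank line removed, so Markdown will render the paragraph as a lazy continuation of that list item; restore the blank line. Within the paragraph the product is called "Microsoft Defender ATP" in one sentence and "Defender for Endpoint" in the next; use the name the rest of the page uses. The point about SSL interception is also made twice ("directly and without SSL interception" and "Use of SSL interception will prevent ..."); one sentence suffices, and "please" is not the docs register.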
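Review bot: In PATCH 6/6, hunk `@@ -46,6 +46,10 @@` of mac-whatsnew.md, the added IMPORTANT note needs a grammar pass: "specific graphic cards models" should be "specific graphics card models", "In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic" reads better as "In rare cases, calls into macOS system extensions on impacted devices resulted in a kernel panic", and "to clarify profile of impacted devices" needs "the profile". The note also introduces "MDE (Microsoft Defender for Endpoint)" while the next bullet still links to "Resources for Microsoft Defender ATP for Mac"; pick one product name for the page. Confirm the note is meant to render nested under the "validated on macOS Big Sur 11 beta 9" bullet, since it is indented as part of that list item rather than as a top-level callout for the release.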