mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-21 01:37:22 +00:00

ManikaDhiman 813228a677 Second set of doc updates - machine-->device

2020-05-20 17:41:04 -07:00

6.7 KiB

Raw Blame History

title, description, keywords, search.product, search.appverid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic

title	description	keywords	search.product	search.appverid	ms.prod	ms.mktglfcycl	ms.sitesec	ms.pagetype	ms.author	author	ms.localizationpriority	manager	audience	ms.collection	ms.topic
Onboard Windows 10 devices using a local script	Use a local script to deploy the configuration package on devices so that they are onboarded to the service.	configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices	eADQiWindows 10XVcnh	met150	w10	deploy	library	security	macapara	mjcaparas	medium	dansimp	ITPro	M365-security-compliance	article

Onboard Windows 10 devices using a local script

Applies to:

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

Want to experience Microsoft Defender ATP? Sign up for a free trial.

You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network.

Note

The script has been optimized to be used on a limited number of devices (1-10 devices). To deploy to scale, use other deployment options. For more information on using other deployment options, see Onboard Window 10 devices.

Onboard devices

Open the GP configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard. You can also get the package from Microsoft Defender Security Center:

a. In the navigation pane, select Settings > Onboarding.

b. Select Windows 10 as the operating system.

c. In the Deployment method field, select Local Script.

d. Click Download package and save the .zip file.
Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named WindowsDefenderATPOnboardingScript.cmd.
Open an elevated command-line prompt on the device and run the script:

a. Go to Start and type cmd.

b. Right-click Command prompt and select Run as administrator.
Type the location of the script file. If you copied the file to the desktop, type: %userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd
Press the Enter key or click OK.

For information on how you can manually validate that the device is compliant and correctly reports sensor data see, Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues.

Tip

After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP endpoint.

Configure sample collection settings

For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.

You can manually configure the sample sharing setting on the device by using regedit or creating and running a .reg file.

The configuration is set through the following registry key entry:

Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
Name: "AllowSampleCollection"
Value: 0 or 1

Where:
Name type is a D-WORD.
Possible values are:

0 - doesn't allow sample sharing from this device
1 - allows sharing of all file types from this device

The default value in case the registry key doesn’t exist is 1.

Offboard devices using a local script

For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.

Get the offboarding package from Microsoft Defender Security Center:

a. In the navigation pane, select Settings > Offboarding.

b. Select Windows 10 as the operating system.

c. In the Deployment method field, select Local Script.

d. Click Download package and save the .zip file.
Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
Open an elevated command-line prompt on the device and run the script:

a. Go to Start and type cmd.

b. Right-click Command prompt and select Run as administrator.
Type the location of the script file. If you copied the file to the desktop, type: %userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
Press the Enter key or click OK.

Important

Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.

Monitor device configuration

You can follow the different verification steps in the Troubleshoot onboarding issues to verify that the script completed successfully and the agent is running.

Monitoring can also be done directly on the portal, or by using the different deployment tools.

Monitor devices using the portal

Go to Microsoft Defender Security Center.
Click Devices list.
Verify that devices are appearing.

6.7 KiB Raw Blame History Unescape Escape