How to onboard your clients to Windows Defender Advanced Threat Protection
Mirko Colemberg (@mirkocolemberg), black belt Workplace Consultant, baseVISION AG
Session THR3088

WDATP Portal Configuration
Note: Define how long you want to keep the data. Max. 180 days.
Note: The storage location cannot be changed after initial setup.
Onboarding Windows 10 Devices
Windows 10 devices can be onboarded by using one of the following methods:
• Local script
• Group Policy
• System Center Configuration Manager
• Mobile Device Management / Microsoft Intune
• VDI onboarding scripts for non-persistent devices
Windows 7 and Windows Server require the installation of the Microsoft Monitoring Agent (and SCEP for Windows 7).
Linux devices require a third-party agent from Bitdefender, Ziften or SentinelOne.

Have a look at WDATP (DEMO)
• ATP Console
• Onboard (Console)
• Intune Integration
Onboarding using the Script
• Download the package
• Extract WindowsDefenderATPOnboardingScript.cmd
• Open an elevated prompt and run the script
• Run the detection test
• Wait for the client and the alert to appear in the console
Detection test command (run in an elevated prompt on the onboarded client):
  powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'

Onboarding using ConfigMgr
• Download the package
• Extract WindowsDefenderATPOnboardingScript.cmd
• Open the ConfigMgr console and select Assets and Compliance \ Endpoint Protection
• Create a Windows Defender ATP policy
• Follow the steps in the wizard
• Deploy the WDATP policy to a device collection
Server and Win7 integration
• Server 2012 R2 / 2016 and Win7 supported
• Install the Microsoft Monitoring Agent (MMA) with the workspace id and key from the onboarding package:
  MMASetup-AMD64.exe /Q:A /R:N /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=<your workspace id> OPINSIGHTS_WORKSPACE_KEY=<your workspace key> AcceptEndUserLicenseAgreement=1"
• Install the SCEP agent (System Center Endpoint Protection) on Win7; the bracketed switches are optional:
  scepinstall.exe /s /q [/policy C:\Sources\standalone.xml] [/NoSigsUpdateAtInitialExp]
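After the MMA is installed with the command above, the thing worth checking is that the agent actually holds the workspace and has connected to it. The following function is an added example, not part of the session slides; it uses the agent's AgentConfigManager.MgmtSvcCfg COM interface (GetCloudWorkspaces, AddCloudWorkspace, ReloadConfiguration) to verify the workspace and add it if the silent install did not register it. The workspace id and key are placeholders to replace with the values from your onboarding package, and the reading of ConnectionStatus 0 as "connected" is my assumption.

```powershell
# Added example (not from the session slides): verify, and if needed add, the
# workspace on a server or Windows 7 device after the Microsoft Monitoring Agent
# has been installed. Run from an elevated PowerShell prompt on that device.
function Confirm-MmaWorkspace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$WorkspaceId,   # placeholder: <your workspace id>
        [Parameter(Mandatory)] [string]$WorkspaceKey   # placeholder: <your workspace key>
    )

    # The COM class only exists once MMASetup has run; fail with a clear message otherwise.
    try {
        $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    } catch {
        throw 'Microsoft Monitoring Agent not found; install it first with MMASetup-AMD64.exe.'
    }

    # Look for the WDATP workspace among the workspaces the agent already reports to.
    $existing = @($mma.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $WorkspaceId }

    if (-not $existing) {
        # Not registered (e.g. the /C: parameters were mistyped): add it and reload the agent config.
        $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
        $mma.ReloadConfiguration()
        Start-Sleep -Seconds 5
        $existing = @($mma.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $WorkspaceId }
    }

    # ConnectionStatus 0 is taken to mean "connected" (assumption); ConnectionStatusText is the agent's own wording.
    [pscustomobject]@{
        WorkspaceId          = $WorkspaceId
        Configured           = [bool]$existing
        ConnectionStatus     = if ($existing) { $existing.ConnectionStatus }     else { $null }
        ConnectionStatusText = if ($existing) { $existing.ConnectionStatusText } else { 'not configured' }
        Connected            = [bool]($existing -and $existing.ConnectionStatus -eq 0)
        HealthServiceRunning = ((Get-Service -Name HealthService -ErrorAction SilentlyContinue).Status -eq 'Running')
    }
}

# Usage (replace the placeholders with the values from your onboarding package):
Confirm-MmaWorkspace -WorkspaceId '<your workspace id>' -WorkspaceKey '<your workspace key>' | Format-List
```

A device whose result shows Configured but not Connected is the usual sign of a proxy or firewall blocking the agent; a device that throws at the COM object creation did not get the agent installed at all, so the MMASetup command, not the workspace, is the thing to re-check.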
Onboarding using Microsoft Intune
• Download the package
• Extract WindowsDefenderATPOnboardingScript.cmd
• Open the Microsoft Intune portal, Device Configuration Policies
• Create a Windows Defender ATP policy
• Follow the steps in the wizard
• Assign the WDATP policy to a device group
• Add the WDATP compliance risk score

Microsoft Intune Connection
Define the risk score used for compliance.

Risk score for device compliance
• Integrate the risk score into the compliance policy
• Helps to detect non-compliant devices
• Prohibits access to resources
• Conditional Access control
Run detection test
• macOS and Linux: save a file containing the EICAR test string
  X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
• Windows client and server:
  powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'
Onboarding Troubleshooting
Services: Diagtrack, Sense
Registry:
  HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\OnboardingState
  HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\OnboardedInfo
  HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\LastConnected
LastConnected is stored as a FILETIME; convert it to a readable date with:
  $LastConnected = Get-ItemPropertyValue "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -Name LastConnected
  [DateTime]::FromFileTime([Int64]::Parse($LastConnected))

Onboarding Troubleshooting: Windows Event Log
• Script-based onboarding: Log: Application, Source: WDATPOnboarding
• Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
• Microsoft\Windows\SENSE

Telemetry Frequency
Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency.
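The two troubleshooting slides list services, registry values and event logs to inspect one by one. The following function is an added example, not from the session slides, that collects all of them into one read-only status object so a device can be checked in a single call. The service names, registry paths and the LastConnected conversion are the ones from the slides; the full log names Microsoft-Windows-SENSE/Operational and Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin are the Event Viewer names behind the tree paths on the slide, and the 24-hour window and the "stale" threshold are my assumptions.

```powershell
# Added example (not from the session slides): one-call onboarding health check
# combining the services, registry values and event logs from the troubleshooting
# slides. Read-only; run from an elevated PowerShell prompt on the device.
function Get-WdatpOnboardingStatus {
    [CmdletBinding()]
    param(
        [int]$EventHours = 24   # look-back window for events and the "stale" check (assumed default)
    )

    $baseKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
    $statusKey = "$baseKey\Status"
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

    # 1. Both services must be running for the device to report to the console.
    $services = foreach ($name in 'Diagtrack', 'Sense') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name   = $name
            Status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        }
    }

    # 2. OnboardingState 1 = onboarding completed; OnboardedInfo carries the tenant data;
    #    the Policies key exists when onboarding came via GPO/MDM/ConfigMgr policy.
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $onboardedInfo   = (Get-ItemProperty -Path $baseKey   -Name OnboardedInfo   -ErrorAction SilentlyContinue).OnboardedInfo
    $policyPresent   = Test-Path -Path $policyKey

    # 3. LastConnected is a FILETIME; convert it exactly as the slide does.
    $lastConnected = $null
    $raw = (Get-ItemProperty -Path $statusKey -Name LastConnected -ErrorAction SilentlyContinue).LastConnected
    if ($null -ne $raw) {
        $lastConnected = [DateTime]::FromFileTime([Int64]::Parse([string]$raw))
    }

    # 4. Recent events from the sources named on the slide (missing logs are simply skipped).
    $since  = (Get-Date).AddHours(-$EventHours)
    $events = @(
        Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding'; StartTime = $since } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; StartTime = $since } -ErrorAction SilentlyContinue
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'; StartTime = $since } -ErrorAction SilentlyContinue
    )

    [pscustomobject]@{
        Services        = $services
        OnboardingState = $onboardingState
        Onboarded       = ($onboardingState -eq 1)
        OnboardedInfo   = $onboardedInfo
        PolicyKeyExists = $policyPresent
        LastConnected   = $lastConnected
        # Onboarded but no check-in inside the window: likely a blocked connection to the cloud service.
        Stale           = [bool]($lastConnected -and $lastConnected -lt $since)
        RecentEvents    = $events | Sort-Object TimeCreated |
                          Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message
    }
}

# Usage:
$status = Get-WdatpOnboardingStatus
$status | Format-List Onboarded, OnboardingState, LastConnected, Stale, PolicyKeyExists
$status.Services     | Format-Table -AutoSize
$status.RecentEvents | Format-Table -AutoSize -Wrap
```

Reading the result: a device with both services running, OnboardingState 1 and a recent LastConnected is fine even if no alert has shown up yet; Stale set to true on such a device points at network filtering between the Sense service and the cloud rather than at onboarding itself, and an absent OnboardingState with errors under the WDATPOnboarding source means the script never completed.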