This time we will take a closer look on how easy it is to onboard clients into Microsoft Defender Advanced Threat Protection with System Center Configuration Manager.
First we will go the the Microsoft Defender Security Center https://securitycenter.windows.com/
On this page we select Settings – Onboarding – Windows 10 – System Center Configuration Manager (current branch) version 1606 and later and the Download Package.
Extract the downloaded ZIP-file to get an onboard-file like this.
Now got to the SCCM console – Assets and Compliance – Endpoint Protection – Microsoft Defender ATP Policies and then select Create Microsoft Defender ATP Policy.
Name the policy and select Onboarding.
Select Browse.
Select the extracted onboarding-file.
With the file selected click Next.
Select the settings after your own choice.
Select Next.
Select Close.
Now lets deploy the Policy, by selecting the policy we just created in SCCM and then Deploy.
Select the collection used for your Microsoft Defender ATP devices, in this example a specific collection is used holding devices running Windows 10 and at the same time with active ATP license.
After deployment it will show up at the client as a configuration baseline, and we will speedup onboarding by forcing a Evaluation by selecting Evaluate.
Status will then change to Compliant.
When onboarded you will be able to see the computer in the Machine List in the portal.
We will also be able to see the onboarding status in the SCCM Console, in the Monitoring node.
On the Client we can follow onboarding in the log Applications and Services Logs – Microsoft – Windows – SENSE.
When onboarded the client will have a running service called Windows Defender Advanced Threat Protection Service.
For this test we will simply try to isolate the computer from the portal, just to see if we are connected as expected.
First open the the client by clicking on the client name.
Then we select Isolate machine.
Allow Outlook, Teams and Skype for business communication if needed and enter a comment about why we want to isolate the computer, then select Confirm.
We will then see the Action, you can just close this unless we need to cancel the action.
Soon after the client is unable to reach the Office 365 portal.
Back in the Portal we can allow connection again by selecting Release from isolation.
Again we comment why we now allow connection to the machine and select Confirm.
Again we just close the message from Action Center.
And the client can again access the Office 365 portal.
The level of information and the overview is impressive, and if you have access to the licenses for Microsoft Defender ATP, the is no reason not to get started. Now test yourself.
