Monday, August 12, 2019

Microsoft Defender ATP

This time we will take a closer look at how easy it is to onboard clients into Microsoft Defender Advanced Threat Protection (ATP) with System Center Configuration Manager (SCCM).

First we go to the Microsoft Defender Security Center: https://securitycenter.windows.com/

On this page select Settings – Onboarding, choose Windows 10 as the operating system and System Center Configuration Manager (current branch) version 1606 and later as the deployment method, then click Download package.

Extract the downloaded ZIP file; it contains the onboarding file that SCCM needs in the next step. Keep this file off public shares: it is tied to your tenant, and possession of it is all that is needed to onboard a machine into that tenant.

Now go to the SCCM console – Assets and Compliance – Endpoint Protection – Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy.

Name the policy and select Onboarding.


Select Browse.


Select the extracted onboarding file.

With the file selected click Next.


Configure the remaining agent settings according to your own requirements.

Select Next.


Select Close.


Now let's deploy the policy: select the policy we just created in the SCCM console and click Deploy.

Select the collection that contains your Microsoft Defender ATP devices. In this example a dedicated collection is used that only holds devices running Windows 10 that also have an active ATP license, so that only licensed machines are onboarded.

After deployment the policy shows up on the client as a configuration baseline (Configuration Manager control panel applet, Configurations tab). Instead of waiting for the evaluation schedule we can speed up onboarding by selecting the baseline and clicking Evaluate.

Status will then change to Compliant.


Once onboarded, the computer appears in the Machines list in the portal.

The onboarding status can also be followed in the SCCM console, in the Monitoring node.

On the client we can follow the onboarding in Event Viewer, in the log Applications and Services Logs – Microsoft – Windows – SENSE – Operational.

When onboarded the client will have a running service called Windows Defender Advanced Threat Protection Service (service name Sense).
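The client-side checks from the last few steps (baseline evaluation, the SENSE event log and the Sense service) can be collected in one go. The script below is an added example and not code from the original post; it is run in an elevated PowerShell on the onboarded Windows 10 client, and the baseline name it looks for is an assumption that has to match whatever you named the policy in the SCCM wizard.

```powershell
# Added example, not from the original post. Run elevated on the Windows 10 client.
# Assumption (hypothetical): the default baseline name below matches the SCCM policy name you chose.
function Test-AtpOnboarding {
    param([string]$BaselineName = 'Microsoft Defender ATP Policy')   # assumed name, adjust to your policy

    # 1. Force the configuration baseline evaluation instead of waiting for the schedule.
    #    This is what clicking Evaluate in the Configuration Manager control panel applet does.
    $dcm = @{ Namespace = 'root\ccm\dcm'; ClassName = 'SMS_DesiredConfiguration' }
    $baselines = Get-CimInstance @dcm | Where-Object { $_.DisplayName -like "*$BaselineName*" }
    foreach ($b in $baselines) {
        [void](Invoke-CimMethod @dcm -MethodName TriggerEvaluation -Arguments @{ Name = $b.Name; Version = $b.Version })
    }
    Start-Sleep -Seconds 15   # give the client agent a moment to evaluate and record the result
    $states = @{ 1 = 'Compliant'; 2 = 'Non-compliant' }   # LastComplianceStatus values we care about
    $baselineStatus = Get-CimInstance @dcm | Where-Object { $_.DisplayName -like "*$BaselineName*" } |
        ForEach-Object {
            $code = [int]$_.LastComplianceStatus
            '{0}: {1}' -f $_.DisplayName, ($(if ($states.ContainsKey($code)) { $states[$code] } else { "status $code" }))
        }

    # 2. The sensor service: display name "Windows Defender Advanced Threat Protection Service", service name Sense
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseState = if ($sense) { [string]$sense.Status } else { 'not installed' }

    # 3. Onboarding state recorded by the sensor; OnboardingState = 1 means the machine is onboarded
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue

    # 4. Latest events from the SENSE operational log that the post reads in Event Viewer.
    #    Warnings and errors here (for example failures to reach the cloud service) explain a
    #    machine that never shows up in the Machines list; event ID 11 is the "onboarding completed" event.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        Baseline        = ($baselineStatus -join '; ')
        SenseService    = $senseState
        OnboardingState = $status.OnboardingState
        Onboarded       = ($senseState -eq 'Running' -and $status.OnboardingState -eq 1)
        RecentEvents    = $events
    }
}

$result = Test-AtpOnboarding
$result | Format-List Baseline, SenseService, OnboardingState, Onboarded
$result.RecentEvents | Format-Table -AutoSize
```

A machine that reports Compliant for the baseline but Onboarded = False has usually run the onboarding script without being able to reach the service; the SENSE events printed at the end are then the first place to look.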

For this test we will simply isolate the computer from the portal, just to confirm that it is connected as expected.

First open the machine page by clicking on the client name in the Machines list.

Then we select Isolate machine.


If needed, allow Outlook, Teams and Skype for Business to keep communicating (selective isolation), enter a comment about why we want to isolate the computer, then select Confirm.

The Action center then shows the pending action; you can just close it unless you need to cancel the action.

Soon after, the client can no longer reach the Office 365 portal.

Back in the Portal we can allow connection again by selecting Release from isolation.


Again we enter a comment about why we are allowing connections to the machine again and select Confirm.

Again we just close the message from the Action center.

And the client can again access the Office 365 portal.

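The same isolate and release cycle can be driven through the Microsoft Defender ATP API instead of the portal, which is what you want once isolation becomes part of an incident-response playbook. The script below is an added example and not from the original post or from Microsoft; it assumes an Azure AD app registration with the Machine.Read.All and Machine.Isolate application permissions, and the tenant id, app id and computer name in it are hypothetical placeholders. It is run from an administrator's workstation, not from the client that is about to be isolated.

```powershell
# Added example, not from the original post. Run from an admin workstation, not the isolated client.
# Assumptions (hypothetical): an Azure AD app with Machine.Read.All and Machine.Isolate, and the ids below.
$tenantId     = '00000000-0000-0000-0000-000000000000'   # hypothetical tenant id
$appId        = '11111111-1111-1111-1111-111111111111'   # hypothetical app (client) id
$computerName = 'client01.contoso.com'                    # hypothetical, the DNS name shown in the Machines list
$appSecret    = Read-Host -Prompt 'App secret' -AsSecureString

# 1. Client-credentials token for the Defender ATP API resource
$plainSecret = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($appSecret))
$token = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -Body @{
    resource      = 'https://api.securitycenter.windows.com'
    client_id     = $appId
    client_secret = $plainSecret
    grant_type    = 'client_credentials'
}
$headers = @{ Authorization = "Bearer $($token.access_token)"; 'Content-Type' = 'application/json' }
$api = 'https://api.securitycenter.windows.com/api'

# 2. Resolve the machine id from its DNS name (only onboarded machines are returned)
$machine = (Invoke-RestMethod -Headers $headers -Uri "$api/machines?`$filter=computerDnsName eq '$computerName'").value |
    Select-Object -First 1
if (-not $machine) { throw "$computerName not found in the portal; is it onboarded?" }

# 3. Isolate. 'Selective' keeps Outlook, Teams and Skype for Business working, 'Full' blocks everything,
#    exactly the choice the portal dialog offers. The comment is mandatory, as in the portal.
$isolate = Invoke-RestMethod -Method Post -Headers $headers -Uri "$api/machines/$($machine.id)/isolate" -Body (@{
    Comment       = 'Connectivity test after SCCM onboarding'
    IsolationType = 'Selective'
} | ConvertTo-Json)

# 4. Poll the machine action until it leaves the pending states (what the Action center shows in the portal)
function Wait-MachineAction([string]$ActionId) {
    do {
        Start-Sleep -Seconds 10
        $action = Invoke-RestMethod -Headers $headers -Uri "$api/machineactions/$ActionId"
    } while ($action.status -in 'Pending', 'InProgress')
    return $action.status   # Succeeded, Failed, TimeOut or Cancelled
}
"Isolate: $(Wait-MachineAction $isolate.id)"

# 5. Release from isolation again, with a comment, just like Release from isolation in the portal
$release = Invoke-RestMethod -Method Post -Headers $headers -Uri "$api/machines/$($machine.id)/unisolate" -Body (@{
    Comment = 'Connectivity test finished'
} | ConvertTo-Json)
"Release: $(Wait-MachineAction $release.id)"
```

The comments end up in the Action center history exactly like the ones typed in the portal, so an automated isolation is as auditable as a manual one. Keep the app secret out of scripts; the prompt above is there so that nothing sensitive is stored in the file.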

The level of information and the overview are impressive, and if you have access to the licenses for Microsoft Defender ATP there is no reason not to get started. Now go and test it yourself.
