Incorporate servers or workstations with Windows Defender Advanced Threat Protection

Learn how to incorporate servers or Windows workstations with Windows Defender Advanced Threat Protection.

If you have been keeping up with our blog posts so far, and we hope you have, we have already talked about configuring our ATP tenant. Our next step is to incorporate our servers or Windows workstations, so let’s review how to do it.

Remember that incorporating a machine into ATP is the process of registering a server or Windows workstation with the service. Let’s look at the process:

Onboard previous versions of Windows

Microsoft Defender ATP supports onboarding the following versions of the Windows operating system:

  • Windows 7 SP1 Enterprise
  • Windows 7 SP1 Pro
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise

The following are the prerequisites for these operating systems:

  • Install the February 2018 monthly rollup

Download it here: https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598

  • Install the customer experience and diagnostic telemetry

Download it here: https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry

  • Install either .NET Framework 4.5 or later

Download it here: https://www.microsoft.com/en-us/download/details.aspx?id=30653

  • Install the KB3154518

Download it here: https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework 

Once you meet the requirements, you must install and configure Microsoft Monitoring Agent (MMA) to report the sensor data to Microsoft Defender ATP.

To install the agent, you can download it by following these URLs:

For x64 devices: https://go.microsoft.com/fwlink/?LinkId=828603

For x86 (32-bit) devices: https://go.microsoft.com/fwlink/?LinkId=828604

Next, you must obtain the workspace ID.

In the Microsoft Defender ATP navigation panel, select Settings > Machine management > Onboarding

Select Windows 7 SP1 and 8.1 as the operating system.

Copy the workspace ID and workspace key.

Using the Workspace ID, manually install the agent using setup.

On the Agent Setup Options page, select Connect the agent to Azure Log Analytics (OMS) and provide the workspace ID and workspace Key.

Once that step is completed, you should see onboarded endpoints in the portal within an hour.

Onboard Windows 10 versions

There are several methods to onboard Windows 10 workstations. We will elaborate on the local script method:

Create the onboarding configuration file:

  • Go to the Microsoft Defender ATP online service and sign in. ( https://securitycenter.windows.com )
  • Click on the Machine Management item under Settings, then select Onboarding.
  • Select Windows 10 as the operating system.
  • In the Deployment method field, select Local Script.
  • Click Download package and save the .zip file.

Extract the contents of the configuration package to a location on the machine you want to onboard (for example, Desktop). You should have a file named WindowsDefenderATPOnboardingScript.cmd.

Open an elevated command prompt on the machine and run the script:

  • Go to Start and type cmd.
  • Right-click Command prompt and select Run As Administrator.

  • In the command prompt, go to the location where you extracted the file WindowsDefenderATPOnboardingScript.cmd.
  • Press Enter and click

Onboard Windows Servers

As we have seen in previous blogs, WDATP supports these versions of Windows Server:

  • Windows Server 2008 R2 SP1
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server, version 1803
  • Windows Server 2019

There are two options to incorporate Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:

Option 1: Onboard through Azure Security Center

Option 2: Onboard through Microsoft Defender Security Center

You should consider which is the best way to onboard your servers, considering that each method requires different licenses.

We prefer the second one. Let’s see how to do it:

Onboard through Microsoft Defender Security Center

The next steps apply to Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016.

First the prerequisites:

  • Install the February 2018 monthly rollup

Download it here: https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598

  • Install the customer experience and diagnostic telemetry

Download it here:  https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry

  • Install either .NET Framework 4.5 or later

Download it here: https://www.microsoft.com/en-us/download/details.aspx?id=30653

  • Install the KB3154518

Download it here:  https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework

Once you meet the requirements, you must install and configure Microsoft Monitoring Agent (MMA) to report the sensor data to Microsoft Defender ATP.

To install the agent, download it here:

For x64 devices: https://go.microsoft.com/fwlink/?LinkId=828603

For x86 (32-bit) devices: https://go.microsoft.com/fwlink/?LinkId=828604

Next, obtain the workspace ID. To do that:

In the Microsoft Defender ATP navigation panel, select Settings > Machine management > Onboarding

Select Windows Server 2008 R2 SP1, 2012 R2 or 2016 as the operating system

Copy the workspace ID and workspace key

  • Using the workspace ID, manually install the agent using setup
  • On the Agent Setup Options page, select Connect the agent to Azure Log Analytics (OMS) and provide the workspace ID and workspace Key
  • Once completed, you should see onboarded endpoints in the portal within an hour
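
The prerequisites and the agent connection used for Windows 7 SP1, Windows 8.1 and the older server versions can be checked from an elevated PowerShell session before and after installing MMA. This is an added example, not part of the original post: the function names are hypothetical, the KB numbers are the ones listed on the page, and the syntax is kept compatible with the PowerShell 2.0 that ships with these operating systems.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# KB numbers are the ones listed on the page; function names are hypothetical.
$RequiredKbs = 'KB4074598', 'KB3080149', 'KB3154518'

function Test-AtpPrerequisite {
    $results = @(foreach ($kb in $RequiredKbs) {
        # Get-HotFix matches the exact KB number only; a later cumulative
        # monthly rollup that supersedes KB4074598 is reported as missing.
        $found = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ Check = $kb; Passed = [bool]$found }
    })
    # .NET Framework 4.5 or later: the Release value is 378389 for 4.5
    # and increases with every later 4.x version.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue
    $results += New-Object PSObject -Property @{
        Check  = '.NET Framework 4.5 or later'
        Passed = ($null -ne $ndp) -and ($ndp.Release -ge 378389)
    }
    $results | Select-Object Check, Passed
}

function Get-MmaWorkspace {
    # HealthService is the service name of the Microsoft Monitoring Agent.
    if (-not (Get-Service -Name HealthService -ErrorAction SilentlyContinue)) {
        Write-Warning 'Microsoft Monitoring Agent is not installed.'
        return
    }
    # COM object registered by the agent; returns the workspaces it reports to.
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $cfg.GetCloudWorkspaces()
}

# Before installing MMA: every row should show Passed = True.
Test-AtpPrerequisite | Format-Table -AutoSize

# After installing MMA: compare the workspace ID shown here with the one
# copied from the Onboarding page of the portal.
Get-MmaWorkspace
```

The workspace key grants the ability to send data to the workspace, so keep it out of scripts and shared notes once the agent is connected.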

Onboard Windows Server 1803 and 2019

To onboard Windows Server 2019, we can use the local script method. To do that, we must:

Create the onboarding configuration file:

  • Go to the Microsoft Defender ATP online service and sign in. ( https://securitycenter.windows.com )
  • Click on the Machine Management item under Settings, then select Onboarding.
  • Select Windows 10 as the operating system.
  • In the Deployment method field, select Local Script.
  • Click Download package and save the .zip file.

Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named WindowsDefenderATPOnboardingScript.cmd.

Open an elevated command prompt on the machine and run the script:

  • Go to Start and type cmd.
  • Right-click Command prompt and select Run as administrator.
  • In the command prompt, go to the location where you extracted the file WindowsDefenderATPOnboardingScript.cmd.
  • Press Enter and click OK.
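
Rather than waiting for the machine to appear in the portal, the result of the local script method (used above for both Windows 10 and Windows Server 2019) can be confirmed on the machine itself. This is an added example, not part of the original post; the function names are hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session after WindowsDefenderATPOnboardingScript.cmd has finished.
function Test-AtpOnboarding {
    # Sense is the Defender ATP sensor service; DiagTrack is the Windows
    # diagnostic data service that must be running for the sensor to report.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $diag  = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

    # OnboardingState is set to 1 once the machine is onboarded.
    $status = Get-ItemProperty `
        'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
        -ErrorAction SilentlyContinue
    $state = $null
    if ($status) { $state = $status.OnboardingState }

    $senseOk = ($null -ne $sense) -and ($sense.Status -eq 'Running')
    $diagOk  = ($null -ne $diag)  -and ($diag.Status  -eq 'Running')

    [pscustomobject]@{
        SenseRunning     = $senseOk
        DiagTrackRunning = $diagOk
        OnboardingState  = $state
        Onboarded        = $senseOk -and $diagOk -and ($state -eq 1)
    }
}

function Get-AtpSensorProblem {
    param([int]$MaxEvents = 10)
    # Level 2 = Error, 3 = Warning in the sensor's operational event log.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SENSE/Operational'
        Level   = 2, 3
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$result = Test-AtpOnboarding
$result
# Only pull sensor warnings and errors when the machine does not look onboarded.
if (-not $result.Onboarded) { Get-AtpSensorProblem | Format-List }
```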

In our next blog post, we will see:

  • How to offboard machines from ATP
  • Advanced Features
  • Tips for Troubleshooting

Stay tuned…