If you have been keeping up with our blog posts so far, and we hope you have, we have already covered configuring our ATP tenant. Our next step is to onboard our servers and Windows workstations, so let’s review how to do it.
Remember that onboarding is the process of registering a server or Windows workstation with the ATP service. Let’s look at the process:
Onboard previous versions of Windows
Microsoft Defender ATP supports onboarding the following versions of the Windows operating system:
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8.1 Pro
- Windows 8.1 Enterprise
The following are the prerequisites for these operating systems:
- Install the February 2018 monthly rollup
Download it here: https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598
- Install the customer experience and diagnostic telemetry
Download it here: https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry
- Install either .NET Framework 4.5 or later
Download it here: https://www.microsoft.com/en-us/download/details.aspx?id=30653
- Install KB3154518
Download it here: https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework
Once you meet the requirements, install and configure the Microsoft Monitoring Agent (MMA) so that it reports sensor data to Microsoft Defender ATP.
To install the agent, download it from one of these URLs:
- for x64 devices: https://go.microsoft.com/fwlink/?LinkId=828603
- for x86 (32-bit) devices: https://go.microsoft.com/fwlink/?LinkId=828604
Next, obtain the workspace ID:
- In the Microsoft Defender ATP navigation panel, select Settings > Machine management > Onboarding.
- Select Windows 7 SP1 and 8.1 as the operating system.
- Copy the workspace ID and workspace key.
- Using the workspace ID, manually install the agent using setup.
- On the Agent Setup Options page, select Connect the agent to Azure Log Analytics (OMS) and provide the workspace ID and workspace key.
- Once that step is completed, you should see onboarded endpoints in the portal within an hour.
Onboard Windows 10 Versions
There are several methods to onboard Windows 10 workstations. We will elaborate on the local script method:
Create the onboarding configuration file:
- Go to the Microsoft Defender ATP online service and sign in (https://securitycenter.windows.com).
- Click on the Machine Management item under Settings, then select Onboarding.
- Select Windows 10 as the operating system.
- In the Deployment method field, select Local Script.
- Click Download package and save the .zip file.
Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named WindowsDefenderATPOnboardingScript.cmd.
Open an elevated command prompt on the machine and run the script:
- Go to Start and type cmd.
- Right-click Command prompt and select Run as administrator.
- In the command prompt, go to the location where you extracted the file WindowsDefenderATPOnboardingScript.cmd.
- Press Enter and click OK.
Onboard Windows Servers
As we have seen in previous blogs, WDATP supports these versions of Windows server:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server 2019
There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 into Microsoft Defender ATP:
Option 1: Onboard through Azure Security Center
Option 2: Onboard through Microsoft Defender Security Center
You should consider which is the best way to onboard your servers, since each method requires different licenses.
We prefer the second one. Let’s see how to do it:
Onboard through Microsoft Defender Security Center
The next steps apply to Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016.
First, the prerequisites:
- Install the February 2018 monthly rollup
Download it here: https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598
- Install the customer experience and diagnostic telemetry
Download it here: https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry
- Install either .NET Framework 4.5 or later
Download it here: https://www.microsoft.com/en-us/download/details.aspx?id=30653
- Install KB3154518
Download it here: https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework
Once you meet the requirements, install and configure the Microsoft Monitoring Agent (MMA) so that it reports sensor data to Microsoft Defender ATP.
To install the agent, download it here:
- for x64 devices: https://go.microsoft.com/fwlink/?LinkId=828603
- for x86 (32-bit) devices: https://go.microsoft.com/fwlink/?LinkId=828604
Next, obtain the workspace ID:
- In the Microsoft Defender ATP navigation panel, select Settings > Machine management > Onboarding.
- Select Windows Server 2008 R2 SP1, 2012 R2 or 2016 as the operating system.
- Copy the workspace ID and workspace key.
- Using the workspace ID, manually install the agent using setup.
- On the Agent Setup Options page, select Connect the agent to Azure Log Analytics (OMS) and provide the workspace ID and workspace key.
- Once completed, you should see onboarded endpoints in the portal within an hour.
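Before running the MMA setup, it is worth verifying that the prerequisites listed above (for the older clients as well as for Server 2008 R2 SP1, 2012 R2 and 2016) are really in place. The following PowerShell is an added example and not part of the original post; it assumes the KB numbers from the links above, and that KB4074598 is the Windows 7 SP1 / Server 2008 R2 rollup, so pass the matching February 2018 rollup KB for Windows 8.1 / Server 2012 R2.

```powershell
# Added example, not from the original post: check the prerequisites listed above
# before installing the Microsoft Monitoring Agent on a down-level client or server.
# KB numbers come from the links above; KB4074598 is the Windows 7 SP1 / Server 2008 R2
# rollup, so pass the matching February 2018 rollup KB for Windows 8.1 / Server 2012 R2.
function Test-DefenderAtpLegacyPrereqs {
    param(
        [string[]]$RequiredKbs = @('KB4074598', 'KB3080149', 'KB3154518'),
        [int]$MinDotNetRelease = 378389   # Release value of .NET Framework 4.5
    )
    $result = [ordered]@{}

    # Updates installed through Windows Update / WSUS (Win32_QuickFixEngineering).
    # Caveat: a .NET servicing update such as KB3154518 is not always listed here;
    # if it shows as missing, confirm it in Programs and Features > Installed Updates.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    foreach ($kb in $RequiredKbs) {
        $result[$kb] = ($installed -contains $kb)
    }

    # The .NET Framework 4.x version is published as a Release number under NDP\v4\Full;
    # 378389 is 4.5 and every later version is strictly higher.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
    $result['DotNet45OrLater'] = ([int]$release -ge $MinDotNetRelease)

    # Any single failed check means the MMA install should wait.
    $result['AllPrereqsMet'] = -not (@($result.Values) -contains $false)
    [pscustomobject]$result
}

Test-DefenderAtpLegacyPrereqs | Format-List
```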
Onboard Windows Server, version 1803 and 2019
To onboard Windows Server 2019, we can use the local script method. To do that, we must:
Create the onboarding configuration file:
- Go to the Microsoft Defender ATP online service and sign in (https://securitycenter.windows.com).
- Click on the Machine Management item under Settings, then select Onboarding.
- Select Windows 10 as the operating system.
- In the Deployment method field, select Local Script.
- Click Download package and save the .zip file.
Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named WindowsDefenderATPOnboardingScript.cmd.
Open an elevated command prompt on the machine and run the script:
- Go to Start and type cmd.
- Right-click Command prompt and select Run as administrator.
- In the command prompt, go to the location where you extracted the file WindowsDefenderATPOnboardingScript.cmd.
- Press Enter and click OK.
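Whichever path you used (the local script on Windows 10 / Server 2019, or the MMA on the older clients and servers), waiting an hour for the machine to show up in the portal is only half the check; the machine itself can tell you whether it is onboarded. The following PowerShell is an added example, not part of the original post. It assumes the built-in sensor runs as the service "Sense" and records OnboardingState = 1 under the Windows Advanced Threat Protection\Status key, and that the MMA runs as "HealthService" and exposes its joined workspaces through the AgentConfigManager.MgmtSvcCfg COM object; $ExpectedWorkspaceId is the ID you copied from the portal.

```powershell
# Added example, not from the original post: confirm that a machine onboarded with
# either method above is actually reporting. Windows 10 / Server 2019 use the built-in
# sensor (service "Sense", which the onboarding script marks with OnboardingState = 1);
# Windows 7 / 8.1 and the older servers use the Monitoring Agent (service "HealthService").
# $ExpectedWorkspaceId is the ID copied from the portal; leave it empty to skip that check.
function Test-DefenderAtpOnboarding {
    param([string]$ExpectedWorkspaceId = '')
    $status = [ordered]@{}

    # Built-in sensor path
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status['SenseOnboardingState'] = $state
    $status['SenseService'] = if ($sense) { "$($sense.Status)" } else { 'not present' }
    $senseOk = ($state -eq 1) -and ($sense -and $sense.Status -eq 'Running')

    # MMA path: the agent exposes its joined Log Analytics (OMS) workspaces over COM
    $mma = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    $status['MmaService'] = if ($mma) { "$($mma.Status)" } else { 'not present' }
    $workspaces = @()
    if ($mma) {
        try {
            $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
            $workspaces = @($cfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
        } catch { $status['MmaError'] = $_.Exception.Message }
    }
    $status['MmaWorkspaceIds'] = $workspaces -join ', '
    $mmaOk = ($mma -and $mma.Status -eq 'Running') -and ($workspaces.Count -gt 0)
    if ($ExpectedWorkspaceId -and $mma) {
        # A running agent joined to the wrong workspace reports to the wrong tenant.
        $mmaOk = $mmaOk -and ($workspaces -contains $ExpectedWorkspaceId)
    }

    $status['Onboarded'] = [bool]($senseOk -or $mmaOk)
    [pscustomobject]$status
}

Test-DefenderAtpOnboarding -ExpectedWorkspaceId '<workspace id from the portal>' | Format-List
```

Run it from an elevated PowerShell on the onboarded machine; Onboarded should read True on both paths once the portal shows the endpoint.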
In our next blog post, we will see:
- How to offboard machines from ATP
- Advanced Features
- Tips for Troubleshooting
Stay tuned…