Here we are, with the last part of our Windows Defender ATP blog series.
Let’s begin with Offboarding machines:
Sometimes we must remove machines from the ATP Service. This process is called offboarding. We can do this using Local Script.
Offboarding Windows 7 SP1 and 8.1, Windows Server 2008 R2 SP1, 2012 R2 and 2016
We have two different options for offboarding the machines from the service:
- Uninstall the MMA agent
- Remove the Microsoft Defender ATP workspace configuration
- Uninstall the MMA Agent
- Go to control panel
- In the Microsoft Monitoring Agent Properties, select the Azure Analytics (OMS) tab
- Select the Microsoft Defender ATP Workspace and click remove
- Run a PowerShell command to remove the configuration
Get your Workspace ID
- Log in to the ATP Portal https://securitycenter.windows.com/
- In the navigation panel, select Settings > Onboarding.
- Select Windows Server 2012 R2 and 2016 as the operating system and get your Workspace ID:
- Open PowerShell with administrator privileges and run the following commands, using the Workspace ID obtained in the previous step:

```powershell
# Workspace ID copied from the portal (placeholder, replace with your own)
$WorkspaceID = "<your Workspace ID>"
# Load agent scripting object
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
# Remove OMS Workspace
$AgentCfg.RemoveCloudWorkspace($WorkspaceID)
# Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration()
```
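The MMA agent can report to more than one workspace, so it is worth confirming that only the Defender ATP workspace is removed. The following is an added example, not part of the original script; the `<your Workspace ID>` value is a placeholder, and it assumes the same COM object's `GetCloudWorkspaces()` method and its `workspaceId` property to list what is configured before and after the change.

```powershell
# Added example: remove the ATP workspace only if it is present, then verify.
# Run from an elevated PowerShell session on the machine being offboarded.
$WorkspaceID = "<your Workspace ID>"   # placeholder, copy the real ID from the portal
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg

# Workspaces the agent reports to before any change
$before = @($AgentCfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
Write-Output "Configured workspaces: $($before -join ', ')"

if ($before -notcontains $WorkspaceID) {
    Write-Warning "Workspace $WorkspaceID is not configured on this agent; nothing removed."
}
else {
    # Same two calls as the original script
    $AgentCfg.RemoveCloudWorkspace($WorkspaceID)
    $AgentCfg.ReloadConfiguration()

    # Confirm the workspace is gone and show what remains
    $after = @($AgentCfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
    if ($after -contains $WorkspaceID) {
        Write-Error "Workspace $WorkspaceID is still configured after removal."
    }
    else {
        Write-Output "Removed $WorkspaceID. Remaining workspaces: $($after -join ', ')"
    }
}
```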
Offboarding Windows 10 and Windows Server 1803 and 2019
- Log in to the ATP Portal https://securitycenter.windows.com/
- In the navigation panel, select Settings > Offboarding.
- Select Windows 10 or Windows Server 1803 as the operating system.
- Select Local Script and Download Package.
Extract the contents of the configuration package to a location on the machine you want to offboard (for example, the Desktop). You must have a file named WindowsDefenderATPOffboardingScript.cmd.
Open an elevated command prompt on the machine and run the script as follows:
- Go to Start and type cmd.
- Right-click Command prompt and select Run as administrator.
- In the command prompt, go to the location where you extracted the .cmd file.
- Press Enter and click OK.
For security reasons, the offboarding script is valid only for 30 days.
Advanced Features:
Let’s see the advanced features offered by Windows Defender ATP.
Automated Investigations
This feature allows ATP to examine alerts and take immediate action to resolve them. This helps us minimize the alert volume. The list of automated investigations shows all the investigations that were automatically initiated and includes details, such as status, detection source, and when the investigation was initiated.
You can see all features of this function in this link:
Live Response:
When you enable this feature, users with the appropriate permissions can start a live response session on the machines.
Auto resolve remediated Alerts:
For tenants created on Windows 10, version 1809 or later, the automated investigation and remediation capability is configured by default to resolve alerts where the status of the result of the automated analysis is “No threats found” or “Remediated”. If you don’t want the alerts to be resolved automatically, you must manually turn off the feature.
Allow or Block file:
Blocking is only available if your organization uses Windows Defender Antivirus, the antimalware solution, and if the cloud-based protection feature is enabled.
This feature allows you to block files in your network. Blocking a file will prevent it from being read, written, or executed on machines.
To turn Allow or block files on:
In the navigation pane, select Settings > Advanced features > Allow or block file.
Toggle the setting between On and Off.
Select Save preferences at the bottom of the page.
Custom Network Indicator:
With this feature, you can allow or block domains or URLs. To use it, machines must be running Windows 10 version 1709 or later. They must also have network protection in block mode and version 4.18.1906.3 or later of the anti-malware platform (see KB 4052623).
Show User Details:
With this feature enabled, you can see user details stored in Azure such as picture, name, title. You can find user account information in the following views:
- Security operations dashboard
- Alert queue
- Machine details page
Tips for Troubleshooting:
In this series of blog posts we have seen the local script method to onboard a machine to the ATP service. Now we will see some errors that may appear and how to solve them.
| Event ID | Error Type | Resolution steps |
|---|---|---|
| 5 | Offboarding data was found but couldn’t be deleted | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. |
| 10 | Onboarding data couldn’t be written to the registry | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat. Verify that the script was run as an administrator. |
| 15 | Failed starting SENSE service | Check the service health (sc query sense command). Make sure it’s not in an intermediate state (‘Pending_Stopped’, ‘Pending_Running’) and try to run the script again (with administrator rights). If the machine is running Windows 10, version 1607 and running the command sc query sense returns START_PENDING, reboot the machine. If rebooting the machine doesn’t address the issue, upgrade to KB4015217 and try onboarding again. |
| 30 | The script could not wait for the service to start running | |
| 35 | The script could not find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. |
| 40 | SENSE service onboarding status is not set to 1 | |
| 65 | Insufficient privileges | Run the script again with administrator privileges. |
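The checks in the table can be gathered in one read-only pass before re-running the script. This is an added example, not part of the onboarding package; it assumes the script's events are written to the Application log by a provider named `WDATPOnboarding` and that the status value under the Status key is named `OnboardingState`.

```powershell
# Added example: read-only triage of the conditions listed in the table above.
# Assumed names: provider 'WDATPOnboarding', registry value 'OnboardingState'.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$report = [ordered]@{}

# Event ID 65: the script needs administrator privileges.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$report.Elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Event IDs 15 and 30: SENSE should be Running, not in a pending state.
$svc = Get-Service -Name sense -ErrorAction SilentlyContinue
$report.SenseStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

# Event IDs 35 and 40: the status value must exist and be set to 1.
$state = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
    -ErrorAction SilentlyContinue).OnboardingState
$report.OnboardingState = if ($null -ne $state) { $state } else { 'Missing' }

# Event IDs 5 and 10: list the identities allowed to write to the policy key.
if (Test-Path $policyKey) {
    $report.PolicyKeyWriters = (Get-Acl $policyKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.RegistryRights -match 'FullControl|SetValue|WriteKey' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}
else { $report.PolicyKeyWriters = 'KeyMissing' }

# Recent script events carrying the IDs from the table.
try {
    $report.Events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'WDATPOnboarding'
        Id = 5, 10, 15, 30, 35, 40, 65 } -MaxEvents 20 -ErrorAction Stop |
        ForEach-Object { "{0:u} ID {1}: {2}" -f $_.TimeCreated, $_.Id, $_.Message }
}
catch { $report.Events = 'None found' }

[pscustomobject]$report | Format-List
```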
And with this blog we conclude the Windows Defender ATP blog series.
Happy learning!!