In this second part of the Windows Defender ATP series we are going to go through the process of provisioning our tenant and onboarding our first endpoint, a Windows 10 Enterprise computer. You can find part 1 here.
Creating a new tenant
To implement Windows Defender ATP after ordering your trial HERE, you will receive a link to start the creation of your new tenant. Click the link and you will be brought to the below screen (sans username of course).
Note: Windows Defender ATP is a separate tenant from your Office 365 tenant and will not appear in the Office 365 Admin portal, so take note of the URL for administrative access. Currently all ATP tenants are under https://securitycenter.windows.com.
Here we select the data retention period for our tenant. We are going to select 180 days and move on to the next screen.
Select your organization size and move along to the next screen.
Select your industry to match as closely as possible and move along to the next screen.
Select if you want preview features to be enabled in your tenant (of course we do!) and move along to the next screen.
This is the final confirmation before the creation of the tenant. After this point you cannot change some settings, such as the data location. If you have everything set correctly, hit continue and your tenant will be provisioned.
That's all of the tenant setup completed and now we are onto onboarding some endpoints. At this point it will ask you to select a deployment method to onboard your endpoints. You can skip this option for the moment; we will go into the deployment methods next.
At the time of writing Windows Defender ATP supports the following endpoints for onboarding, broken down into three categories.
- Windows 10 Client Endpoints (version 1607 or greater)
  - Windows 10 Enterprise
  - Windows 10 Pro
  - Windows 10 Education
  - Windows 10 Pro Education
- Server Endpoints
  - Server 2012R2
  - Server 2016
- Non-Windows Endpoints
  - Mac OS X (via Bitdefender integration)
  - Linux (via Bitdefender integration)
To onboard any endpoint you first need to meet the licensing requirements for Defender ATP. These are listed below; check your licence agreements, as you may already have access to Windows 10 Enterprise E5 licensing. You can see a comparison of the Windows 10 editions HERE.
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
Since we meet the license requirements, let's get on and onboard our Windows 10 endpoint.
Onboarding Client Endpoints
All client endpoint onboarding is done by deploying a package generated from the Windows Defender ATP portal. The onboarding package is tailored to the deployment method. These are:
- Group Policy
- System Center Configuration Manager Current Branch 1606 or later
- System Center Configuration Manager 2012/2012R2/1511/1602
- Mobile Device Management (including Microsoft Intune)
- Local script (optimized to onboard up to 10 devices)
Let's go ahead and onboard a Win 10 client via Group Policy. First of all we need the deployment package.
- Navigate to the Endpoint Management window in the portal and select "Clients". In the drop-down menu select "Group Policy" and download the deployment package.
- Extract the deployment package to a read-only area that is accessible over the network to all client machines to be onboarded. The WindowsDefenderATPOnboardingScript.cmd file is the file we will be setting our test machine to run. It's a pre-generated batch script that configures all the relevant built-in services and sensors for Windows Defender ATP with the ID for our newly created tenant. The below steps are from the official docs to get a GPO set up to complete the onboarding. Let's go ahead and complete them.
- Open the Group Policy Management Console; you can either create a new GPO or edit an existing one. Right-click the Group Policy Object (GPO) you want to configure and click Edit.
- In the Group Policy Management Editor, go to Computer configuration, then Preferences, and then Control panel settings.
- Right-click Scheduled tasks, point to New, and then click Immediate task.
- In the Task window that opens, go to the General tab. Choose the local SYSTEM user account under Security options.
- Select Run whether user is logged on or not and check the Run with highest privileges check box.
- Go to the Actions tab and click New... Ensure that Start a program is selected in the Action field. Enter the file name and location of the shared WindowsDefenderATPOnboardingScript.cmd file.
- The eagle-eyed among you will have noticed a couple of extra files in the folder extracted from the deployment package. These are for an optional configuration on each endpoint that allows sample collections to be sent to Microsoft for deep analysis when selected from the ATP dashboard. These are applied as standard GPOs: just copy the ADMX and ADML files to your GPO store, create a new policy or edit an existing one, and the policy option will be under Administrative Templates > Windows Defender ATP.
- Once the GPO is applied the machine will be displayed in the Defender ATP dashboard and is now fully onboarded!
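The GPO above runs WindowsDefenderATPOnboardingScript.cmd as SYSTEM on every targeted machine, so two things are worth verifying afterwards: that the sensor actually came up on the endpoint, and that nobody other than administrators can modify the shared script. The following PowerShell is an added example, not code from the original post or from Microsoft; the UNC path is a placeholder, and the "Sense" service name and the OnboardingState registry value are assumed to be the ones Microsoft documents for the Defender ATP sensor (it needs PowerShell 5.1 and local admin rights).

```powershell
# Added example: post-onboarding checks for an endpoint onboarded via the GPO immediate task.
# Assumptions: placeholder share path below; 'Sense' service and the OnboardingState value
# under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status as documented by Microsoft.
param(
    # Placeholder UNC path; replace with the read-only share the package was extracted to.
    [string]$PackageScript = '\\FILESERVER\DefenderATP$\WindowsDefenderATPOnboardingScript.cmd'
)

function Test-AtpOnboardingState {
    # OnboardingState is set to 1 once the onboarding script has completed successfully.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $key -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    [pscustomobject]@{ Check = 'OnboardingState'; Pass = ($state -eq 1); Detail = "value=$state" }
}

function Test-SenseService {
    # The sensor runs as the 'Sense' service; it should be Running and set to start automatically.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $detail = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'service not found' }
    $pass = [bool]($svc -and $svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
    [pscustomobject]@{ Check = 'SenseService'; Pass = $pass; Detail = $detail }
}

function Test-PackageScriptAcl {
    # The .cmd executes as SYSTEM on every client, so broad groups must not hold write rights on it.
    param([string]$Path)
    $broad = 'Everyone', 'Users', 'Authenticated Users', 'Domain Users', 'Domain Computers'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    $offenders = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }   # generic rights are not mapped
        $id = $ace.IdentityReference.Value   # e.g. 'BUILTIN\Users' or 'CONTOSO\Domain Users'
        foreach ($g in $broad) { if ($id -eq $g -or $id -like "*\$g") { $id } }
    }
    $detail = if ($offenders) { "writable by: $($offenders -join ', ')" } else { 'no broad write access' }
    [pscustomobject]@{ Check = 'PackageScriptAcl'; Pass = (-not $offenders); Detail = $detail }
}

$results = @(Test-AtpOnboardingState; Test-SenseService; Test-PackageScriptAcl -Path $PackageScript)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit for use in a scheduled compliance job
```

Run it on a freshly onboarded client once the GPO has applied; any failed row points at either the sensor not having started or at a share ACL that would let a non-admin alter a script that runs as SYSTEM fleet-wide.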
That's it, all done! In Part 3 of the series we will start going into alerts and the actions we can take from an alert to respond to the threat.
Note: For the full deployment options for Server and non-Windows endpoints, see the Defender ATP docs at https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.