Onboarding Windows 10 devices into Windows Defender Advanced Threat Protection with ConfigMgr
Windows 10 version 1607 (also refered to as Redstone 1 or Anniversary Build) comes with built-in support for the Windows Defender Advanced Threat Protection (Windows Defender ATP) service. With the release of ConfigMgr 1606, we can now onboard supported Windows 10 devices running the latest version into Windows Defender ATP. In this blog post, we’ll take a look at what’s required to get started.
Before you can go ahead and enable the support for managing Windows Defender ATP policies for Windows 10 devices with ConfigMgr, you’ll need to have the following requirements fulfilled:
- ConfigMgr 1606 installed and the Windows Defender ATP feature enabled (we’ll cover this later in the post)
- Windows Defender ATP tenant
- Windows 10 devices running version 1607 or later (or Insider Preview Build 14332 and up)
What’s Windows Defender ATP
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft’s robust cloud service:
- Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) and sends this telemetry to your private, isolated, cloud instance of Windows Defender ATP.
- Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool, enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected telemetry.
The above description of Windows Defender ATP comes directly from TechNet, and you can read more on the following page:
Enable Windows Defender ATP feature in ConfigMgr
First of, if not already enabled, we need to turn on the Windows Defender Advanced Threat Protection feature under Administration – Cloud Services – Updates and Servicing – Features in the ConfigMgr console.
When you click on Turn on, you’ll see the following popup:
Once the feature has been replicated and turned on, the ConfigMgr console will automatically update itself. With the console updated, we can now see the Windows Defender ATP Policies node under Assets and Compliance – Endpoint Protection.
Before we go ahead and create a policy in this node, we need to download an onboarding package from the Windows Defender ATP portal.
Create an onboarding package in Windows Defender ATP portal
Windows 10 devices requires an onboarding package for deploying Windows Defender ATP configuration settings. This package is created in the Windows Defender ATP portal, and is later referenced in the policy deployed through ConfigMgr to your endpoints (also referenced as you Windows 10 devices).
1. Log in to the Windows Defender ATP portal.
2. Click on the Endpoint Management node, make sure to select System Center Configuration Manager (current branch) version 1606 or later and select Download package.
3. The WindowsDefenderATPOnboardingPackage.zip file download should now begin.
4. Extract the WindowsDefenderATP.onboarding file from the ZIP-file and save it on your Primary Site server in a suitable location.
With the onboarding package downloaded and extracted, we can go ahead and create a Windows Defender ATP Policy in ConfigMgr, referencing this onboarding package and deploy it to our suitable Windows 10 devices.
Create a Windows Defender ATP Policy
Next step is to create a Windows Defender ATP Policy in ConfigMgr. This can be accomplished, like shown earlier, from the Assets and Compliance – Endpoint Protection – Windows Defender ATP Policies node.
1. Browse to the Windows Defender ATP Policies node in the ConfigMgr console and select Create Windows Defender ATP Policy.
2. Give the policy a suitable name, make sure to select Onboarding – Add devices to the onlince service and start sending threat data for analysis under Policy type and click Next.
3. Click Browse, select the WindowsDefenderATP.onboarding file extracted earlier and click Next.
4. Select All file types as for what samples are sent for analysis by Windows Defender ATP service and click Next.
5. On the Summary page, click Next.
6. Finally on the Completion page, click Close.
With the Windows Defender ATP Policy created, we can go ahead and target it for deployment towards eligible Windows 10 devices that supports Windows Defender ATP (Windows 10 version 1607 and above).
Deploy a Windows Defender ATP Policy
Deploying a Windows Defender ATP Policy is no rocket science, in fact it’s extremely easy. However, I’d advice you to target a device collection that contains only eligible Windows 10 devices running version 1607 or later. Below is a collection query that will only contain Windows 10 devices that are eligible for a Windows Defender ATP Policy (note that I’ve not included Insider Previews, only Redstone 1 and above):
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_OPERATING_SYSTEM.BuildNumber >= "14393" and SMS_G_System_OPERATING_SYSTEM.Caption like "Microsoft Windows 10%"
I’d advice you to use the above query to create a limiting device collection, that you’ll use when creating a collection that you will target with the Windows Defender ATP Policy for onboarding endpoints. Follow the high level steps below to properly deploy your Windows Defender ATP Policy for onboarding (or follow your already implemented workflows in your organization for collection design):
1. Create a Device Collection from the above query and call it e.g. All Supported Clients for Windows Defender ATP.
2. Create a Device Collection called Onboarding for Windows Defender ATP, select the All Supported Clients for Windows Defender ATP device collection as limiting collection and add it as an Include membership rule as well.
3. Select the Onboarding for Windows 10 Windows Defender ATP Policy and click on Deploy.
4. Select the Onboarding for Windows Defender ATP device collection and click OK.
The Windows Defender ATP Policy has now been deployed and it’s being handled as a Configuration Policy, meaning that it’s the DCMAgent component of a ConfigMgr client that will enforce it. As of writing this post, once the Configuration Policy was discovered by one of my Windows 10 devices, it didn’t start the evaluation automatically (feedback about this has been sent to Microsoft). In order to spin things up, I manually evaluated the compliance of the policy in the Configuration Manager Client control panel applet, as seen in the picture below:
Once the Configuration Policy is evaluated, it should change compliance state to Compliant.
Compliance and Onboarding Status
Now that we have a Windows 10 device that is reporting the Windows Defender ATP Policy to be Compliant, let’s explore some additional nodes in the ConfigMgr console. Microsoft has added a new node under Monitoring – Security – Windows Defender ATP Status. Within this dashboard, we get an overview of the onboarding status and agent health:
Analyze and respond to threats in Windows Security Center
The dashboard on the ConfigMgr console is a real treat, but what’s actually really cool is the Windows Defender ATP Portal itself. This is where you’ll be able to detect, investigate and respond to threats and attacks that might occur in your organization. Below is a screenshot from the Windows Defender ATP Portal showing my lab device that has just been onboarded properly through the Windows Defender ATP Policy that we’ve deployed:
By clicking on the device, we can drill down to get a timeline of the events that has occurred on the device:
For instance, on a device that has detected threats, there will be alerts like in the screen show below:
Troubleshoot Windows Defender ATP Onboarding
In the event that something goes wrong during the onboarding process, Microsoft has written a comprehensive documentation for how to troubleshoot such a scenario. I suggest that you take a look at the documentation page, even though if you’re not experiencing any onboarding issues, because it gives quite a lot of hints of what’s going on in the background. Read more here:
I’d really recommend organizations that are deploying Windows 10 version 1607, or thinking of deploying, and using Windows Defender today, to have a look at Windows Defender ATP. It gives a lot of insight in terms of detecting, investigating and respond to attacks. Since it’s an online service provided by Microsoft, there’s no requirement for internal infrastructure (except for onboarded devices sending data).
Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.