Monday, 2 January 2017

Manage Windows Defender ATP with ConfigMgr or Intune

As a result of a customer request I was recently reading about Windows Defender Advanced Threat Protection (ATP). It is a really cool Microsoft cloud service that integrates with Windows 10 v1607 (Enterprise, Education and Professional versions) and allows organizations to detect, investigate and respond to advanced threats on their networks. The service uses telemetry data sent from the Windows 10 devices to a private and isolated cloud instance of Windows Defender ATP. This telemetry data is supplemented by advanced threat intelligence and is translated into detections and recommended responses.

This sounded great to me so I wanted to give it a go. I was very curious to find out how straightforward it would be to deploy the technology in an organization and how quickly and easily I could receive meaningful information and recommendations.

How do you get Windows Defender ATP?

A Windows 10 Enterprise E3 license includes advanced security features such as Device Guard, Credential Guard and Managed User Experience. A Windows 10 Enterprise E5 license includes all the features and functionality available in Windows 10 Enterprise E3 plus Windows Defender Advanced Threat Protection and advanced IT administration management.

OR you can do what I did for this blog post and apply for a trial. Sign up for a Windows Defender ATP trial here

Tip: There is no guarantee that you will be accepted for a trial. I was turned down once but was approved the second time. In my second application I was economical with the truth regarding the number of PCs in my company.

You will get an acknowledgment to tell you that your application will now be reviewed and that you will be contacted within 7 business days. In actual fact it will be more like 3 days.


You will then receive an email with log in details and endpoint onboarding instructions.


Welcome to the Windows Defender Security Center.


Endpoint onboarding

Select Endpoint Management > Endpoint Onboarding


There are five methods of onboarding available. Select the one you need and click "Download package".

Group Policy
Use this method if you have no device management tool.

The package contains an admx and adml file that are to be deployed to the endpoints. You will find full instructions here

SCCM 2012/2012R2/1511/1602
Use this method for SCCM versions earlier than 1606. Why are there two different deployment methods for SCCM? This is because Windows Defender ATP Policies are natively integrated with SCCM v1606 and later.


This download package contains a single script that you can deploy using the traditional package/program method - full instructions here

Microsoft Intune

This package contains a single .onboarding file. This is to be deployed using a Windows 10 custom configuration policy with the following OMA-URI settings:
  • Setting name: e.g. Windows Defender ATP Policy
  • Setting description: e.g. Windows Defender ATP Policy
  • Data type: Select String.
  • OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
  • Value: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.

Local script
Use this option if you want to onboard devices manually (for testing purposes perhaps).


The package contains a single script file that you can run manually (as administrator) on a Windows 10 device.

SCCM v1606
This is the option I am interested in for this blog post.


The package contains a single .onboarding file which we can deploy with SCCM.


First navigate to Administration > Cloud Services > Updates and Servicing > Features. Right click and Turn on Windows Defender Advanced Threat Protection. 


Restart the console and navigate to Assets and Compliance > Endpoint Protection. Windows Defender ATP Policies is new.


Right click to create a new policy.


Name the policy and choose onboarding.


Browse to the .onboarding file that you downloaded earlier. The Organization ID automatically populates.


Choose All files. The default is not to share any files.


Click Next to continue and create the policy.


The policy has been created and now can be deployed to a collection of Windows 10 1607 devices.

Troubleshooting endpoint onboarding

I manually ran Machine Policy retrieval on my test computer (I only had one) but nothing seemed to happen for about an hour. I wasn't sure how long it should take so I carried out some troubleshooting in the meantime.

Deployment status:


All looked normal with the SCCM deployment.

Event log:

Applications and Services Logs > Microsoft > Windows > SENSE


No errors in event log. Actually there was evidence that the local Defender ATP service had successfully contacted the cloud service.

Telemetry and diagnostics service:


Service enabled and started.

Defender ATP Service:


Service started.

If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. You can find full details of this here
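
The service and event log checks above can be collected into one report per endpoint. This is an added example, not part of the original post or a Microsoft script; the service names `DiagTrack` and `Sense` and the channel name `Microsoft-Windows-SENSE/Operational` are the Windows identifiers assumed for the items the post names, and `Test-AtpOnboardingHealth` is a hypothetical function name.

```powershell
# Added example: gathers the troubleshooting checks described above into one report.
# Assumed identifiers (not stated in the post): services 'DiagTrack' and 'Sense',
# event channel 'Microsoft-Windows-SENSE/Operational'.
function Test-AtpOnboardingHealth {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    $results = @()

    # The telemetry service and the Defender ATP service must both exist and be running.
    foreach ($name in 'DiagTrack', 'Sense') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $detail = if ($svc) { "Status=$($svc.Status); StartType=$($svc.StartType)" }
                  else      { 'service not found' }
        $results += [pscustomobject]@{
            Check  = "Service $name"
            Passed = [bool]($svc -and $svc.Status -eq 'Running')
            Detail = $detail
        }
    }

    # Critical, error and warning events (levels 1-3) in the SENSE log indicate
    # onboarding or cloud connectivity problems.
    $channel = 'Microsoft-Windows-SENSE/Operational'
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $log) {
        $results += [pscustomobject]@{
            Check = 'SENSE event log'; Passed = $false; Detail = 'channel not present'
        }
    } else {
        $filter = @{
            LogName   = $channel
            Level     = 1, 2, 3
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        }
        # Get-WinEvent reports an error when nothing matches; treat that as "no events".
        $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue)
        $ids = ($events | Select-Object -ExpandProperty Id -Unique) -join ','
        $results += [pscustomobject]@{
            Check  = 'SENSE event log'
            Passed = ($events.Count -eq 0)
            Detail = if ($events.Count) { "$($events.Count) warning/error event(s), IDs: $ids" }
                     else               { "no warnings or errors in last $LookbackHours h" }
        }
    }
    $results
}

Test-AtpOnboardingHealth | Format-Table -AutoSize
```

A clean report only confirms that the local sensor is running without logged errors; the endpoint can still take some time to show as onboarded in the console.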

So what now??

After about an hour of unnecessary troubleshooting and second-guessing I could see my endpoint onboarded and healthy.


Navigate to Monitoring > Security > Windows Defender ATP Status to see the health of your endpoints.


You can also see the status in the Windows Defender Security Center.


Now refer back to the welcome email. We are given instructions on how to run an attack simulation.


We are invited to open a safe looking MS Word document which could be delivered by email.


Once we enable macros an attacker's command shell opens on the computer.


The attacker can then run some innocent looking commands remotely.


Almost immediately the attack is detected in the Windows Defender Security Center (this was literally almost instantaneous).


Details of the attack and recommended actions are provided.


Note that we can configure email notifications for high severity alerts.

I have to say that I'm seriously impressed with how easy it was to get started with this service. It was very straightforward to onboard devices and the speed of threat detection was alarming.

Have a look at a recent Microsoft blog post describing a real life attack. It's quite impressive.

I hope this blog post was useful. Until next time.....



