Uredi

Deli z drugimi prek


Onboarding using Microsoft Configuration Manager

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

This article acts as an example onboarding method.

In the Planning article, there were several methods provided to onboard devices to the service. This article covers the co-management architecture.

The cloud-native architecture Diagram of environment architectures

While Defender for Endpoint supports onboarding of various endpoints and tools, this article doesn't cover them. For information on general onboarding using other supported deployment tools and methods, see Onboarding overview.

This article guides users in:

  • Step 1: Onboarding Windows devices to the service
  • Step 2: Configuring Defender for Endpoint capabilities

This onboarding guidance walks you through the following basic steps that you need to take when using Microsoft Configuration Manager:

  • Creating a collection in Microsoft Configuration Manager
  • Configuring Microsoft Defender for Endpoint capabilities using Microsoft Configuration Manager

Note

Only Windows devices are covered in this example deployment.

Step 1: Onboard Windows devices using Microsoft Configuration Manager

Collection creation

To onboard Windows devices with Microsoft Configuration Manager, the deployment can target an existing collection or a new collection can be created for testing.

Onboarding using tools such as Group policy or manual method doesn't install any agent on the system.

Within the Microsoft Configuration Manager, console the onboarding process will be configured as part of the compliance settings within the console.

Any system that receives this required configuration maintains that configuration for as long as the Configuration Manager client continues to receive this policy from the management point.

Follow the steps below to onboard endpoints using Microsoft Configuration Manager.

  1. In Microsoft Configuration Manager console, navigate to Assets and Compliance > Overview > Device Collections.

    The Microsoft Configuration Manager wizard1

  2. Right select Device Collection and select Create Device Collection.

    The Microsoft Configuration Manager wizard2

  3. Provide a Name and Limiting Collection, then select Next.

    The Microsoft Configuration Manager wizard3

  4. Select Add Rule and choose Query Rule.

    The Microsoft Configuration Manager wizard4

  5. Select Next on the Direct Membership Wizard and select on Edit Query Statement.

    The Microsoft Configuration Manager wizard5

  6. Select Criteria and then choose the star icon.

    The Microsoft Configuration Manager wizard6

  7. Keep criterion type as simple value, choose whereas Operating System - build number, operator as is greater than or equal to and value 14393 and select on OK.

    The Microsoft Configuration Manager wizard7

  8. Select Next and Close.

    The Microsoft Configuration Manager wizard8

  9. Select Next.

    The Microsoft Configuration Manager wizard9

After completing this task, you now have a device collection with all the Windows endpoints in the environment.

Step 2: Configure Microsoft Defender for Endpoint capabilities

This section guides you in configuring the following capabilities using Microsoft Configuration Manager on Windows devices:

Endpoint detection and response

Windows 10 and Windows 11

From within the Microsoft Defender portal it's possible to download the .onboarding policy that can be used to create the policy in System Center Configuration Manager and deploy that policy to Windows 10 and Windows 11 devices.

  1. From a Microsoft Defender portal, select Settings and then Onboarding.

  2. Under Deployment method, select the supported version of Microsoft Configuration Manager.

    The Microsoft Configuration Manager wizard10

  3. Select Download package.

    The Microsoft Configuration Manager wizard11

  4. Save the package to an accessible location.

  5. In Microsoft Configuration Manager, navigate to: Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies.

  6. Right-click Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy.

    The Microsoft Configuration Manager wizard12

  7. Enter the name and description, verify Onboarding is selected, then select Next.

    The Microsoft Configuration Manager wizard13

  8. Select Browse.

  9. Navigate to the location of the downloaded file from step 4 above.

  10. Select Next.

  11. Configure the Agent with the appropriate samples (None or All file types).

    The configuration settings1

  12. Select the appropriate telemetry (Normal or Expedited) then select Next.

    The configuration settings2

  13. Verify the configuration, then select Next.

    The configuration settings3

  14. Select Close when the Wizard completes.

  15. In the Microsoft Configuration Manager console, right-click the Defender for Endpoint policy you created and select Deploy.

    The configuration settings4

  16. On the right panel, select the previously created collection and select OK.

    The configuration settings5

Previous versions of Windows Client (Windows 7 and Windows 8.1)

Follow the steps below to identify the Defender for Endpoint Workspace ID and Workspace Key that will be required for the onboarding of previous versions of Windows.

  1. From a Microsoft Defender portal, select Settings > Endpoints > Onboarding (under Device Management).

  2. Under operating system, choose Windows 7 SP1 and 8.1.

  3. Copy the Workspace ID and Workspace Key and save them. They'll be used later in the process.

    The onboarding process

  4. Install the Microsoft Monitoring Agent (MMA).

    MMA is currently (as of January 2019) supported on the following Windows Operating Systems:

    • Server SKUs: Windows Server 2008 SP1 or Newer
    • Client SKUs: Windows 7 SP1 and later

    The MMA agent needs to be installed on Windows devices. To install the agent, some systems need to download the Update for customer experience and diagnostic telemetry in order to collect the data with MMA. These system versions include but may not be limited to:

    • Windows 8.1
    • Windows 7
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2

    Specifically, for Windows 7 SP1, the following patches must be installed:

  5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.

Once completed, you should see onboarded endpoints in the portal within an hour.

Next generation protection

Microsoft Defender Antivirus is a built-in anti-malware solution that provides next generation protection for desktops, portable computers, and servers.

  1. In the Microsoft Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > Antimalware Polices and choose Create Antimalware Policy.

    The antimalware policy

  2. Select Scheduled scans, Scan settings, Default actions, Real-time protection, Exclusion settings, Advanced, Threat overrides, Cloud Protection Service and Security intelligence updates and choose OK.

    The next-generation protection pane1

    In certain industries or some select enterprise customers might have specific needs on how Antivirus is configured.

    Quick scan versus full scan and custom scan

    For more information, see Windows Security configuration framework.

    The next-generation protection pane2

    The next-generation protection pane3

    The next-generation protection pane4

    The next-generation protection pane5

    The next-generation protection pane6

    The next-generation protection pane7

    The next-generation protection pane8

    The next-generation protection pane9

  3. Right-click on the newly created anti-malware policy and select Deploy.

    The next-generation protection pane10

  4. Target the new anti-malware policy to your Windows collection and select OK.

    The next-generation protection pane11

After completing this task, you now have successfully configured Microsoft Defender Antivirus.

Attack surface reduction

The attack surface reduction pillar of Defender for Endpoint includes the feature set that is available under Exploit Guard. Attack surface reduction rules, Controlled Folder Access, Network Protection, and Exploit Protection.

All these features provide a test mode and a block mode. In test mode, there's no end-user impact. All it does is collect other telemetry and make it available in the Microsoft Defender portal. The goal with a deployment is to step-by-step move security controls into block mode.

To set attack surface reduction rules in test mode:

  1. In the Microsoft Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > Windows Defender Exploit Guard and choose Create Exploit Guard Policy.

    The Microsoft Configuration Manager console0

  2. Select Attack Surface Reduction.

  3. Set rules to Audit and select Next.

    The Microsoft Configuration Manager console1

  4. Confirm the new Exploit Guard policy by selecting Next.

    The Microsoft Configuration Manager console2

  5. Once the policy is created select Close.

    The Microsoft Configuration Manager console3

  6. Right-click on the newly created policy and choose Deploy.

    The Microsoft Configuration Manager console4

  7. Target the policy to the newly created Windows collection and select OK.

    The Microsoft Configuration Manager console5

After completing this task, you now have successfully configured attack surface reduction rules in test mode.

Below are more steps to verify whether attack surface reduction rules are correctly applied to endpoints. (This may take few minutes)

  1. From a web browser, go to Microsoft Defender XDR.

  2. Select Configuration management from left side menu.

  3. Select Go to attack surface management in the Attack surface management panel.

    The attack surface management

  4. Select Configuration tab in Attack surface reduction rules reports. It shows attack surface reduction rules configuration overview and attack surface reduction rules status on each device.

    The attack surface reduction rules reports1

  5. Select each device shows configuration details of attack surface reduction rules.

    The attack surface reduction rules reports2

See Optimize attack surface reduction rule deployment and detections for more details.

Set Network Protection rules in test mode

  1. In the Microsoft Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > Windows Defender Exploit Guard and choose Create Exploit Guard Policy.

    The System Center Configuration Manager1

  2. Select Network protection.

  3. Set the setting to Audit and select Next.

    The System Center Configuration Manager2

  4. Confirm the new Exploit Guard Policy by selecting Next.

    The Exploit Guard policy1

  5. Once the policy is created select on Close.

    The Exploit Guard policy2

  6. Right-click on the newly created policy and choose Deploy.

    The Microsoft Configuration Manager-1

  7. Select the policy to the newly created Windows collection and choose OK.

    The Microsoft Configuration Manager-2

After completing this task, you now have successfully configured Network Protection in test mode.

To set Controlled Folder Access rules in test mode

  1. In the Microsoft Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > Windows Defender Exploit Guard and then choose Create Exploit Guard Policy.

    The Microsoft Configuration Manager-3

  2. Select Controlled folder access.

  3. Set the configuration to Audit and select Next.

    The Microsoft Configuration Manager-4

  4. Confirm the new Exploit Guard Policy by selecting Next.

    The Microsoft Configuration Manager-5

  5. Once the policy is created select on Close.

    The Microsoft Configuration Manager-6

  6. Right-click on the newly created policy and choose Deploy.

    The Microsoft Configuration Manager-7

  7. Target the policy to the newly created Windows collection and select OK.

The Microsoft Configuration Manager-8

You have now successfully configured Controlled folder access in test mode.

Related article

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.