Windows Defender Advanced Threat Protection (ATP) is a security feature built into Windows 10 to help detect, investigate and respond to threats. It was introduced with Windows 10 build 1607 (also known as the Anniversary Update).

In this post, I'm going to set up ATP integrated with SCCM Current Branch (you can request an ATP trial at http://aka.ms/register-wdatp).

Once you have requested the trial and it has been approved, you will receive an email to activate it.

Setting up ATP cloud instance

For this post I have already activated the trial and added it to my Azure/Office 365 tenant.

Then you can log on to the ATP Portal (https://securitycenter.windows.com) to complete the onboarding.

You then have to define where the data will be stored. This location cannot be changed afterwards.

Then you define the ATP data retention policy to match your requirements (and probably your legal/regulatory needs): from 30 days to 180 days.

Next you define the size of your organization and your industry.

You can choose to enable the preview experience, which gives you early access to new features as they are released.

You will finally be reminded that some of the settings cannot be changed after the setup completes.

Your ATP instance is then provisioned.

Once the instance is provisioned you can immediately download a packaged script to onboard at least one device. To start using ATP, you need to have at least one device onboarded.

You can complete the onboarding process at a later stage, after you have downloaded the package. You can use a local script, Group Policy, SCCM (from 2012 to Current Branch) or an MDM to onboard device(s).

For the purpose of this post, I'm using SCCM Current Branch, which gives me a configuration file to import.

As no devices may be onboarded yet, when you click Next you will be reminded that the setup is incomplete; just proceed anyway, as the onboarding will be completed at a later stage.

Additional ATP Portal Configuration

Once you have completed the initial setup and downloaded the client configuration package, you can access additional settings.

On the ATP Portal, go to the Preferences setup section to update some of the settings you chose during the setup (remember the data location cannot be changed) and to configure additional settings such as Security Information and Event Management (SIEM) integration, email notifications or Power BI integration for reporting.

Onboarding Device(s)

The process of onboarding devices using SCCM Current Branch has been improved with the latest build; previously it was still a preview feature.

In the SCCM console, go to the Assets and Compliance workspace and open the Endpoint Protection\Windows Defender ATP Policies section.

Create an ATP policy to onboard devices.

Import the configuration file downloaded from the ATP portal.

Then you define the level of information (sample) sharing allowed for analysis.

You are done; the SCCM ATP policy is now created. You now just need to deploy it.

For evaluation purposes I created a device collection and manually populated it with the device(s) I want to use.

Once deployed, you can wait or force your client to refresh the Computer Policy. You can check whether the policy has been received by opening the SCCM client and looking at the Configurations tab to see if the ATP policy is listed. From there you can also force the evaluation by running the Evaluate function.

You should also see the Windows Defender Advanced Threat Protection Service set to Automatic start mode and in the Started state on your client.
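As an added example (not part of the original post), the following PowerShell script performs the same checks from the client side: it can trigger the SCCM Machine Policy Retrieval cycle, lists the configuration baselines the client has received, and reports the ATP sensor service state and the onboarding status. It assumes details the post does not give: that the short service name behind the "Windows Defender Advanced Threat Protection Service" display name is Sense, that the sensor records its state under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status with OnboardingState set to 1 once onboarded, and that the name of the ATP baseline contains the text passed in -PolicyNamePattern. Run it in an elevated PowerShell session on the client.

```powershell
# Added example, not from the original post or from Microsoft: verify on an SCCM client
# that the ATP policy arrived and that the sensor is running and onboarded.
# Assumptions (not stated in the post): the sensor's short service name is 'Sense', and
# the sensor writes OnboardingState=1 under the registry key below once onboarded.
param(
    [switch]$ForcePolicyRefresh,              # also trigger the Machine Policy Retrieval cycle
    [string]$PolicyNamePattern = '*ATP*'      # wildcard matched against baseline display names
)

$result = [ordered]@{}

# 1. Optionally force the SCCM client to pull machine policy. Schedule ID ...0021 is the
#    "Machine Policy Retrieval & Evaluation Cycle" action of the Configuration Manager applet.
if ($ForcePolicyRefresh) {
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList '{00000000-0000-0000-0000-000000000021}' | Out-Null
    $result.PolicyRefreshTriggered = $true
}

# 2. List the configuration baselines the client knows about (what the Configurations tab
#    of the SCCM client shows). The ATP policy is expected to appear here once received.
$baselines = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName 'SMS_DesiredConfiguration' `
    -ErrorAction SilentlyContinue
$atpBaseline = $baselines | Where-Object { $_.DisplayName -like $PolicyNamePattern }
$result.AtpBaselinePresent = [bool]$atpBaseline
$result.AtpBaselineName    = if ($atpBaseline) { ($atpBaseline | Select-Object -First 1).DisplayName } else { 'not found' }

# 3. Check the sensor service: the post expects start mode Automatic and state Started/Running.
$svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
$result.ServiceFound  = [bool]$svc
$result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
$result.ServiceStart  = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }

# 4. Read the onboarding state the sensor records once it has registered with the cloud instance.
#    (Assumed key/value; a missing value means the onboarding script has not run yet.)
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue).OnboardingState
$result.OnboardingState = if ($null -ne $state) { $state } else { 'not set' }
$result.Onboarded       = ($state -eq 1)

# Single object summarizing the client state, easy to pipe to Format-List or Export-Csv.
[pscustomobject]$result
```

If AtpBaselinePresent is false while the service is already running and onboarded, the device was most likely onboarded by another method (local script, Group Policy or MDM) rather than by the SCCM policy; if the baseline is present but Onboarded is false, run the Evaluate action on the baseline and re-check after the sensor has had a chance to reach the cloud instance.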


ATP Dashboard

After you have completed the ATP setup and onboarded at least one device, your dashboard will start reporting the state of your users and devices.

In the meantime you can also use your SCCM console to check the client state: go to the Monitoring workspace and open the Security\Windows Defender Status section.

Offboarding

If you need to offboard a device (or your whole organization), you just need to download the offboarding package from the ATP portal.

As I used SCCM to onboard for this post, I'm doing the same to offboard.

From the ATP Portal, go to the Endpoint Management\Clients section and select the Endpoint offboarding option.

Then deploy the offboarding package the same way you onboarded your devices.