Windows Defender Advanced Threat Protection (ATP) is a security feature built into Windows 10 to help detect, investigate and respond to threats. It was introduced with Windows 10 version 1607 (the Anniversary Update).
In this post, I'm going to set up ATP and integrate it with SCCM Current Branch (you can request a trial for ATP here: http://aka.ms/register-wdatp).
Once you have requested the trial and get approved, you will receive an email to activate the trial.
Setting up ATP cloud instance
For this post I already have activated the trial and added it to my Azure/Office 365 tenant.
Then you can logon to the ATP Portal (https://securitycenter.windows.com) to complete the onboarding.
Next you define where the data will be stored. This location cannot be changed later.
Then you define the ATP data retention policy to match your requirements (and probably your legal/regulatory needs): from 30 days to 180 days.
Next you define the size of your organization and your industry.
You can choose to enable the preview experience, which gives you early access to upcoming features.
You are finally reminded that some of these settings cannot be changed after the setup completes.
Your ATP instance is being provisioned
Once the instance is provisioned you can immediately download a packaged script to onboard at least one device. To start using ATP, you need at least one onboarded device.
You can complete the onboarding at a later stage once you have downloaded the package. Devices can be onboarded with a local script, Group Policy, SCCM (from 2012 to Current Branch) or an MDM.
For the purpose of this post I'm using SCCM Current Branch, which gives me a configuration file to import in the console.
As there may not yet be any onboarded device, when you hit Next you will be reminded that the setup is incomplete; just proceed anyway, as onboarding will be completed later.
Additional ATP Portal Configuration
Once you have completed the initial setup and downloaded the client configuration package, you can access additional settings.
On the ATP Portal, go to the Preferences setup section to update some of the settings you completed during setup (remember the data location cannot be changed) and to configure additional settings such as Security Information and Event Management (SIEM) integration, email notifications or Power BI integration for reporting.
The process of onboarding devices using SCCM Current Branch has been improved with the latest build; previously it was still a preview feature.
Using SCCM console, go to the Assets and Compliance workspace and open the Endpoint Protection\Windows Defender ATP Policies section
Create an ATP policy to onboard devices
Import the configuration file downloaded from the ATP portal
Then you define the level of information sharing for analysis (whether the device is allowed to submit file samples for deep analysis).
You are done: the SCCM ATP policy is now created. You just need to deploy it.
For evaluation purposes I created a device collection that I manually populated with the device(s) I want to use.
Once deployed, you can wait or force the client to refresh its Computer Policy. You can check whether the policy has reached the client by opening the Configuration Manager control panel applet and looking for the ATP policy in the Configurations tab. From there you can also force the evaluation with the Evaluate button.
You should also see the Windows Defender Advanced Threat Protection Service (service name: Sense) set to Automatic start mode and in the Running state on your client.
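The checks above can be scripted so you do not have to click through the control panel applet on each test device. The following PowerShell is an added example for this post, not part of the SCCM or ATP packages: it triggers the SCCM client's machine policy retrieval and evaluation cycles, then reports the state of the Sense service and the onboarding flag that the ATP sensor writes to the registry. The cycle IDs, the service name and the registry path are the documented ones; the function names and the output object layout are my own choices. Run it elevated on a device that has the SCCM client installed.

```powershell
# Added example (not from the original post): verify Windows Defender ATP onboarding
# on a client after the SCCM ATP policy has been deployed. Run as administrator.

function Invoke-CcmMachinePolicyRefresh {
    # Equivalent to "Machine Policy Retrieval & Evaluation Cycle" in the
    # Configuration Manager applet: schedule ...021 = retrieval, ...022 = evaluation.
    $schedules = @(
        '{00000000-0000-0000-0000-000000000021}',
        '{00000000-0000-0000-0000-000000000022}'
    )
    foreach ($id in $schedules) {
        Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' `
            -Name 'TriggerSchedule' -ArgumentList $id | Out-Null
    }
}

function Test-WdatpOnboarding {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. The ATP sensor runs as the 'Sense' service
    #    (display name "Windows Defender Advanced Threat Protection Service").
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $wmiSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Sense'" -ErrorAction SilentlyContinue
    $result.ServiceStatus    = if ($svc)    { [string]$svc.Status } else { 'NotInstalled' }
    $result.ServiceStartMode = if ($wmiSvc) { $wmiSvc.StartMode }  else { 'NotInstalled' }

    # 2. The onboarding script records its result here: OnboardingState 1 = onboarded,
    #    0 = not onboarded / offboarded. The value is absent if the package never ran.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
                -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = if ($null -eq $state) { 'Missing' } else { $state }

    # 3. Recent sensor events help when the service is running but the portal shows nothing.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 `
                -ErrorAction SilentlyContinue
    $result.LastSenseEvents = if ($events) {
        ($events | ForEach-Object { "$($_.TimeCreated) [$($_.Id)] $($_.LevelDisplayName)" }) -join '; '
    } else { 'No events' }

    # 4. Overall verdict: service running, start mode Auto, onboarding flag set.
    $result.Onboarded = ($svc -and $svc.Status -eq 'Running' -and
                         $wmiSvc.StartMode -eq 'Auto' -and $state -eq 1)

    [pscustomobject]$result
}

# Usage: refresh policy, give the client a moment to apply it, then report.
Invoke-CcmMachinePolicyRefresh
Start-Sleep -Seconds 60
Test-WdatpOnboarding | Format-List
```

If `OnboardingState` is missing while the service is already running, the policy has not been evaluated yet; re-run the check after the evaluation cycle completes rather than assuming the deployment failed. A value of 0 after a deployment points at the offboarding package having been applied, or the onboarding script having exited before writing the flag.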
After you have completed the ATP setup and onboarded at least one device, your dashboard will start reporting the state of your users/devices.
In the meantime you can also use your SCCM console to check the client state. Go to the Monitoring workspace and open the Security\Windows Defender Status section.
If you need to offboard a device (or your whole organization), you just need to download the offboarding package from the ATP portal. Note that the offboarding package is time-limited (it expires 30 days after download), so download a fresh one when you actually need it rather than keeping an old copy around.
As I used SCCM to onboard in this post, I'm doing the same to offboard.
From the ATP Portal, go to the Endpoint Management\Clients section and select the Endpoint offboarding option.
Then deploy the offboarding package the same way you onboarded your devices.