Microsoft Defender Advanced Threat Protection

Applies to: Configuration Manager (current branch)

Endpoint Protection can help manage and monitor Microsoft Defender Advanced Threat Protection (ATP) (formerly known as Windows Defender ATP). Microsoft Defender ATP helps enterprises detect, investigate, and respond to advanced attacks on their networks. Configuration Manager policies can help you onboard and monitor Windows 10 clients.

Microsoft Defender ATP is a service in the Microsoft Defender Security Center. By adding and deploying a client onboarding configuration file, Configuration Manager can monitor deployment status and Microsoft Defender ATP agent health. Microsoft Defender ATP is supported on PCs running the Configuration Manager client or managed by Microsoft Intune.

Prerequisites

  • Subscription to the Microsoft Defender Advanced Threat Protection online service
  • Clients computers running the Configuration Manager client
  • Clients using an OS listed in the Supported client operating systems section below.

Supported client operating systems

Based on the version of Configuration Manager you're running, the following client operating systems can be onboarded:

Configuration Manager version 1910 and prior

  • Clients computers running Windows 10, version 1607 and later

Configuration Manager version 2002 and later

Starting in Configuration Manager version 2002, you can onboard the following operating systems:

  • Windows 8.1
  • Windows 10, version 1607 or later
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2016, version 1803 or later
  • Windows Server 2019

About onboarding to ATP with Configuration Manager

Different operating systems have different needs for onboarding to ATP. Windows 8.1 and other down-level operating system devices need the Workspace key and Workspace ID to onboard. Up-level devices, such as Windows Server version 1803, need the onboarding configuration file. Configuration Manager also installs the Microsoft Monitoring Agent (MMA) when needed by onboarded devices but it doesn't update the agent automatically.

Up-level operating systems include:

  • Windows 10, version 1607 and later
  • Windows Server 2016, version 1803 or later
  • Windows Server 2019

Down-level operating systems include:

  • Windows 8.1
  • Windows Server 2012 R2
  • Windows Server 2016, version 1709 and earlier

When you onboard devices to ATP with Configuration Manager, you deploy the ATP policy to a target collection or multiple collections. Sometimes the target collection contains devices running any number of the supported operating systems. The instructions for onboarding these devices vary based on if you're targeting a collection containing devices with operating systems that are up-level, down-level, or both.

Warning

  • If your target collection contains up-level devices, and you use the instructions for down-level devices, then the up-level devices won't be onboarded.
  • If your target collection contains down-level devices, and you use the instructions for up-level devices, then the down-level devices won't be onboarded.

Onboard devices with any supported operating system to ATP (recommended)

You can onboard devices running any of the supported operating systems to ATP by providing the configuration file, Workspace key, and Workspace ID to Configuration Manager.

Get the configuration file, Workspace ID, and Workspace key

  1. Go to the Microsoft Defender ATP online service and sign in.

  2. Select Settings, then select Onboarding under the Device management heading.

  3. For the operating system, select Windows 10.

  4. Choose Microsoft Endpoint Configuration Manager current branch and later for the deployment method.

  5. Click Download package.

    Onboarding configuration file download

  6. Download the compressed archive (.zip) file and extract the contents.

  7. Select Settings, then select Onboarding under the Device management heading.

  8. For the operating system, select either Windows 7 SP1 and 8.1 or Windows Server 2008 R2 Sp1, 2012 R2 and 2016 from the list.

    • The Workspace key and Workspace ID will be the same regardless of which of these options you choose.
  9. Copy the values for the Workspace key and Workspace ID from the Configure connection section.

    Important

    The Microsoft Defender ATP configuration file contains sensitive information which should be kept secure.

Onboard the devices

  1. In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection > Microsoft Defender ATP Policies.

  2. Select Create Microsoft Defender ATP Policy to open the Microsoft Defender ATP Policy Wizard.

  3. Type the Name and Description for the Microsoft Defender ATP policy and select Onboarding.

  4. Browse to the configuration file you extracted from the downloaded .zip file.

  5. Supply the Workspace key and Workspace ID then click Next.

    Create Microsoft Defender ATP Policy Wizard

  6. Specify the file samples that are collected and shared from managed devices for analysis.

    • None
    • All file types
  7. Review the summary and complete the wizard.

  8. Right-click on the policy you created, then select Deploy to target the Microsoft Defender ATP policy to clients.

Onboard devices running up-level operating systems to ATP

Up-level clients require an onboarding configuration file for onboarding to ATP. Up-level operating systems include:

  • Windows 10, version 1607 and later
  • Windows Server 2016, version 1803 and later
  • Windows Server 2019

If your target collection contains both up-level and down-level devices, or if you're not sure, then use the instructions to onboard devices running any supported operating system (recommended).

Get an onboarding configuration file for up-level devices

  1. Go to the Microsoft Defender ATP online service and sign in.
  2. Select Settings, then select Onboarding under the Device management heading.
  3. For the operating system, select Windows 10.
  4. Choose Microsoft Endpoint Configuration Manager current branch and later for the deployment method.
  5. Click Download package.
  6. Download the compressed archive (.zip) file and extract the contents.

Important

The Microsoft Defender ATP configuration file contains sensitive information which should be kept secure.

Onboard the up-level devices

  1. In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection > Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy. The Microsoft Defender ATP Policy Wizard opens.
  2. Type the Name and Description for the Microsoft Defender ATP policy and select Onboarding.
  3. Browse to the configuration file you extracted from the downloaded .zip file.

    Note

    For Configuration Manager version 2002, you'll need the Workspace key and Workspace ID even if you're onboarding only up-level devices. Get these values by selecting Settings > Onboarding > Windows 7 and 8.1 from the Microsoft Defender ATP online service.

  4. Specify the file samples that are collected and shared from managed devices for analysis.
    • None
    • All file types
  5. Review the summary and complete the wizard.
  6. Right-click on the policy you created, then select Deploy to target the Microsoft Defender ATP policy to clients.

Onboard devices running down-level operating systems to ATP

Down-level clients require Workspace key and Workspace ID for ATP onboarding. Down-level operating systems include:

  • Windows 8.1
  • Windows Server 2012 R2
  • Windows Server 2016, version 1709 and earlier

If your target collection contains both up-level and down-level devices, or if you're not sure, then use the instructions to onboard devices running any supported operating system (recommended).

Get the Workspace ID and Workspace key for down-level devices

  1. Go to the Microsoft Defender ATP online service and sign in.
  2. Select Settings, then select Onboarding under the Device management heading.
  3. For the operating system, select either Windows 7 SP1 and 8.1 or Windows Server 2008 R2 Sp1, 2012 R2 and 2016 from the list.
    • The Workspace key and Workspace ID will be the same regardless of which of these options you choose.
  4. Copy the values for the Workspace key and Workspace ID from the Configure connection section.

Onboard the down-level devices

  1. In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection > Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy. The Microsoft Defender ATP Policy Wizard opens.
  2. Type the Name and Description for the Microsoft Defender ATP policy and select Onboarding.
  3. Provide the Workspace key and Workspace ID.

    Note

    • For Configuration Manager version 2002, you'll need the configuration file even if you're onboarding only down-level devices. Get these values by selecting Settings > Onboarding > Windows 10 from the Microsoft Defender ATP online service.
    • The Microsoft Defender ATP configuration file contains sensitive information which should be kept secure.
  4. Specify the file samples that are collected and shared from managed devices for analysis.
    • None
    • All file types
  5. Review the summary and complete the wizard.
  6. Right-click on the policy you created, then select Deploy to target the Microsoft Defender ATP policy to clients.

Monitor

  1. In the Configuration Manager console, navigate Monitoring > Security and then select Microsoft Defender ATP.

  2. Review the Microsoft Defender Advanced Threat Protection dashboard.

    • Microsoft Defender ATP Agent Onboarding Status: The number and percentage of eligible managed client computers with active Microsoft Defender ATP policy onboarded

    • Microsoft Defender ATP Agent Health: Percentage of computer clients reporting status for their Microsoft Defender ATP agent

      • Healthy - Working properly

      • Inactive - No data sent to service during time period

      • Agent state - The system service for the agent in Windows isn't running

      • Not onboarded - Policy was applied but the agent hasn't reported policy onboard

Create an offboarding configuration file

  1. Sign in to the Microsoft Defender ATP online service.

  2. Select Settings, then select Offboarding under the Device management heading.

  3. Select Windows 10 for the operating system and Microsoft Endpoint Configuration Manager current branch and later for the deployment method.

    • Using the Windows 10 option ensures that all devices in the collection are offboarded and the MMA is uninstalled when needed.
  4. Download the compressed archive (.zip) file and extract the contents. Offboarding files are valid for 30 days.

  5. In the Configuration Manager console, navigate to Assets and Compliance > Endpoint Protection > Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy. The Microsoft Defender ATP Policy Wizard opens.

  6. Type the Name and Description for the Microsoft Defender ATP policy and select Offboarding.

  7. Browse to the configuration file you extracted from the downloaded .zip file.

  8. Review the summary and complete the wizard.

Select Deploy to target the Microsoft Defender ATP policy to clients.

Important

The Microsoft Defender ATP configuration files contains sensitive information which should be kept secure.

Next steps