Onboard Windows devices using Configuration Manager
- Microsoft Defender for Endpoint
- Microsoft 365 Defender
- Microsoft Endpoint Configuration Manager current branch
- System Center 2012 R2 Configuration Manager
Want to experience Defender for Endpoint? Sign up for a free trial.
You can use Configuration Manager to onboard endpoints to the Microsoft Defender for Endpoint service.
There are several options you can use to onboard devices using Configuration Manager:
For Windows Server 2012 R2 and Windows Server 2016 - after completing the onboarding steps, you'll need to Configure and update System Center Endpoint Protection clients.
Defender for Endpoint doesn't support onboarding during the Out-Of-Box Experience (OOBE) phase. Make sure users complete OOBE after running Windows installation or upgrading.
Note that it's possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change.
This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1. This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". For more information, see Configure Detection Methods in System Center 2012 R2 Configuration Manager.
Configure sample collection settings
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft 365 Defender to submit a file for deep analysis.
These configuration settings are typically done through Configuration Manager.
You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device.
This rule should be a remediating compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they're complaint.
The configuration is set through the following registry key entry:
Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" Name: "AllowSampleCollection" Value: 0 or 1
Where Key type is a D-WORD. Possible values are:
- 0: Doesn't allow sample sharing from this device
- 1: Allows sharing of all file types from this device
The default value in case the registry key doesn't exist is 1.
For more information about System Center Configuration Manager Compliance, see Introduction to compliance settings in System Center 2012 R2 Configuration Manager.
Other recommended configuration settings
After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.
Device collection configuration
If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
Next generation protection configuration
The following configuration settings are recommended:
- Scan removable storage devices such as USB drives: Yes
- Enable Behavioral Monitoring: Yes
- Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes
Cloud Protection Service
- Cloud Protection Service membership type: Advanced membership
Attack surface reduction
Configure all available rules to Audit.
Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.
Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the support page.
Controlled folder access
Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories.
For more information, see Evaluate controlled folder access.
Run a detection test to verify onboarding
After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint device.
Offboard devices using Configuration Manager
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
Offboard devices using Microsoft Endpoint Manager current branch
If you use Microsoft Endpoint Manager current branch, see Create an offboarding configuration file.
Offboard devices using System Center 2012 R2 Configuration Manager
Get the offboarding package from Microsoft 365 Defender portal:
- In the navigation pane, select Settings > Endpoints > Device management > Offboarding.
- Select Windows 10 or Windows 11 as the operating system.
- In the Deployment method field, select System Center Configuration Manager 2012/2012 R2/1511/1602.
- Select Download package, and save the .zip file.
Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
Deploy the package by following the steps in the Packages and Programs in System Center 2012 R2 Configuration Manager article.
Choose a predefined device collection to deploy the package to.
Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
Monitor device configuration
If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see Defender for Endpoint - Monitor.
If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:
Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network.
Checking that the devices are compliant with the Defender for Endpoint service (this ensures the device can complete the onboarding process and can continue to report data to the service).
Confirm the configuration package has been correctly deployed
In the Configuration Manager console, click Monitoring at the bottom of the navigation pane.
Select Overview and then Deployments.
Select on the deployment with the package name.
Review the status indicators under Completion Statistics and Content Status.
If there are failed deployments (devices with Error, Requirements Not Met, or Failed statuses), you may need to troubleshoot the devices. For more information, see, Troubleshoot Microsoft Defender for Endpoint onboarding issues.
Check that the devices are compliant with the Microsoft Defender for Endpoint service
You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.
This rule should be a non-remediating compliance rule configuration item that monitors the value of a registry key on targeted devices.
Monitor the following registry key entry:
Path: "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" Name: "OnboardingState" Value: "1"
For more information, see Introduction to compliance settings in System Center 2012 R2 Configuration Manager.
- Onboard Windows devices using Group Policy
- Onboard Windows devices using Mobile Device Management tools
- Onboard Windows devices using a local script
- Onboard non-persistent virtual desktop infrastructure (VDI) devices
- Run a detection test on a newly onboarded Microsoft Defender for Endpoint device
- Troubleshoot Microsoft Defender for Endpoint onboarding issues