Onboard Windows 10 devices using Configuration Manager

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Supported client operating systems

Based on the version of Configuration Manager you're running, the following client operating systems can be onboarded:

Configuration Manager version 1910 and prior

  • Client computers running Windows 10

Configuration Manager version 2002 and later

Starting in Configuration Manager version 2002, you can onboard the following operating systems:

  • Windows 8.1
  • Windows 10
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2016, version 1803 or later
  • Windows Server 2019

Note

For more information on how to onboard Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, see Onboard Windows servers.

Onboard devices using System Center Configuration Manager

Image of the PDF showing the various deployment paths

Check out the PDF or Visio to see the various paths in deploying Microsoft Defender for Endpoint.

  1. Open the Configuration Manager configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard. You can also get the package from Microsoft Defender Security Center:

    1. In the navigation pane, select Settings > Onboarding.

    2. Select Windows 10 as the operating system.

    3. In the Deployment method field, select System Center Configuration Manager 2012/2012 R2/1511/1602.

    4. Select Download package, and save the .zip file.

  2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named WindowsDefenderATPOnboardingScript.cmd.

  3. Deploy the package by following the steps in the Packages and Programs in System Center 2012 R2 Configuration Manager article.

    a. Choose a predefined device collection to deploy the package to.

Note

Defender for Endpoint doesn't support onboarding during the Out-Of-Box Experience (OOBE) phase. Make sure users complete OOBE after running Windows installation or upgrading.

Tip

After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Defender for Endpoint device.

Note that it is possible to create a detection rule on a Configuration Manager application to continuously check whether a device has been onboarded. An application is a different type of object than a package and program. If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry onboarding the device until the rule detects the status change.

This behavior can be accomplished by creating a detection rule that checks whether the "OnboardingState" registry value (of type REG_DWORD) equals 1. This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". For more information, see Configure Detection Methods in System Center 2012 R2 Configuration Manager.

Configure sample collection settings

For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.

Note

These configuration settings are typically done through Configuration Manager.

You can set a compliance rule for a configuration item in Configuration Manager to change the sample share setting on a device.

This rule should be a remediating compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they're compliant.

The configuration is set through the following registry key entry:

Path: "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
Name: "AllowSampleCollection"
Value: 0 or 1

Where:
Key type is a DWORD.
Possible values are:

  • 0 - doesn't allow sample sharing from this device
  • 1 - allows sharing of all file types from this device

The default value in case the registry key doesn't exist is 1.
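The following PowerShell is an added example (not from this page or from Microsoft) of a script-based setting for the remediating configuration item described above. The `$Mode` selector, the `$DesiredValue` policy choice and the function names are assumptions; the key path, value name, DWORD type and the default of 1 when the value is absent are taken from the page.

```powershell
# Script-based setting for a ConfigMgr configuration item that manages
# AllowSampleCollection. Paste the script twice into the CI: as the discovery
# script with $Mode = 'Discovery' and as the remediation script with
# $Mode = 'Remediation'. The compliance rule then requires the discovered
# value to equal $DesiredValue.
$Mode         = 'Discovery'   # or 'Remediation'
$DesiredValue = 0             # assumed policy choice: 0 = no sample sharing, 1 = allow

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$Name    = 'AllowSampleCollection'

function Get-SampleCollectionSetting {
    # Effective value. A missing key or value means the documented default (1)
    # is in effect, so report 1 rather than an error.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.$Name
}

function Set-SampleCollectionSetting {
    param([ValidateRange(0, 1)][int]$Value)
    # The policy key may not exist on a client that never received this policy.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # REG_DWORD, matching the key type the page specifies.
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

switch ($Mode) {
    'Discovery' {
        # ConfigMgr compares this output against the compliance rule.
        Write-Output (Get-SampleCollectionSetting)
    }
    'Remediation' {
        # Runs only on clients the rule reported as noncompliant.
        Set-SampleCollectionSetting -Value $DesiredValue
        # Re-read so the remediation result is visible in the CI's output.
        Write-Output (Get-SampleCollectionSetting)
    }
}
```

Because the value lives under HKLM\SOFTWARE\Policies, the remediation must run with local administrator (SYSTEM) rights, which is how Configuration Manager runs CI scripts by default.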

For more information about System Center Configuration Manager Compliance, see Introduction to compliance settings in System Center 2012 R2 Configuration Manager.

After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.

Device collection configuration

If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.

Next generation protection configuration

The following configuration settings are recommended:

Scan

  • Scan removable storage devices such as USB drives: Yes

Real-time Protection

  • Enable Behavioral Monitoring: Yes
  • Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes

Cloud Protection Service

  • Cloud Protection Service membership type: Advanced membership

Attack surface reduction

Configure all available rules to Audit.

Note

Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.

Network protection

Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the support page.

Controlled folder access

Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories.

For more information, see Evaluate controlled folder access.

Offboard devices using Configuration Manager

For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the package's expiry date, and it will also be included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at the same time; otherwise this will cause unpredictable collisions.

Offboard devices using Microsoft Endpoint Manager current branch

If you use Microsoft Endpoint Manager current branch, see Create an offboarding configuration file.

Offboard devices using System Center 2012 R2 Configuration Manager

  1. Get the offboarding package from Microsoft Defender Security Center:

    1. In the navigation pane, select Settings > Offboarding.

    2. Select Windows 10 as the operating system.

    3. In the Deployment method field, select System Center Configuration Manager 2012/2012 R2/1511/1602.

    4. Select Download package, and save the .zip file.

  2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.

  3. Deploy the package by following the steps in the Packages and Programs in System Center 2012 R2 Configuration Manager article.

    a. Choose a predefined device collection to deploy the package to.

Important

Offboarding causes the device to stop sending sensor data to the portal, but data from the device, including references to any alerts it has had, will be retained for up to 6 months.

Monitor device configuration

If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see Defender for Endpoint - Monitor.

If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:

  1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network.

  2. Checking that the devices are compliant with the Defender for Endpoint service (this ensures the device can complete the onboarding process and can continue to report data to the service).

Confirm the configuration package has been correctly deployed

  1. In the Configuration Manager console, click Monitoring at the bottom of the navigation pane.

  2. Select Overview and then Deployments.

  3. Select the deployment with the package name.

  4. Review the status indicators under Completion Statistics and Content Status.

    If there are failed deployments (devices with Error, Requirements Not Met, or Failed statuses), you may need to troubleshoot the devices. For more information, see Troubleshoot Microsoft Defender for Endpoint onboarding issues.

    Configuration Manager showing a successful deployment with no errors

Check that the devices are compliant with the Microsoft Defender for Endpoint service

You can set a compliance rule for a configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.

This rule should be a non-remediating compliance rule configuration item that monitors the value of a registry key on targeted devices.

Monitor the following registry key entry:

Path: "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
Name: "OnboardingState"
Value: "1"

For more information, see Introduction to compliance settings in System Center 2012 R2 Configuration Manager.
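The following PowerShell is an added example (not from this page or from Microsoft) that serves two passages of this page: the non-remediating compliance rule above, and the application detection rule described in the onboarding section, which lets Configuration Manager keep retrying onboarding until OnboardingState becomes 1. The `$Mode` selector and the function name are assumptions; the key path and value name come from the page.

```powershell
# Reads the OnboardingState value and reports it in the form ConfigMgr expects.
# $Mode = 'Discovery' -> discovery script of the non-remediating configuration
#                        item; the compliance rule requires the output to equal 1.
# $Mode = 'Detection' -> detection method of the onboarding application;
#                        ConfigMgr treats "exit code 0 with output on STDOUT" as
#                        installed and "exit code 0 with no output" as not
#                        installed, so the deployment retries until the value is 1.
$Mode = 'Discovery'

$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-MdeOnboardingState {
    # Returns 1 when the device reports itself as onboarded, 0 otherwise.
    # A missing key, a missing value or a non-numeric value all mean "not yet
    # onboarded" (for example, OOBE still pending), not a script error.
    $item = Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    $state = 0
    if ([int]::TryParse([string]$item.OnboardingState, [ref]$state) -and $state -eq 1) {
        return 1
    }
    return 0
}

# Caveat: this key lives in the native HKLM\SOFTWARE hive. If the script runs as a
# 32-bit process on a 64-bit client, WOW64 registry redirection can hide it and the
# device will always look un-onboarded; run the script as a 64-bit process.
$state = Get-MdeOnboardingState

switch ($Mode) {
    'Discovery' {
        # Always emit the value; the CI's compliance rule decides (expected: 1).
        Write-Output $state
    }
    'Detection' {
        # Emit output only when onboarded; no output means "not detected".
        if ($state -eq 1) { Write-Output 'Onboarded' }
    }
}
exit 0
```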