Windows Defender ATP – Onboarding Windows 7 & 8

Supported OS for this post:

  • Windows 7 SP1 Enterprise
  • Windows 7 SP1 Pro
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise

Microsoft’s Windows Defender ATP (WDATP) now supports previous versions of Windows listed above.

If you use System Center Endpoint Protection for Win 7 and 8, you will need to ensure the January 2017 platform update is installed and the SCEP client Cloud Protection Services membership is to Advanced in the ConfigMgr antimalware policy that is applied to the systems.

For Windows 7 SP1 Enterprise and Pro ensure the following are installed

You will need the Workspace ID and key from the WDATP portal.


Download the MMA agent setup file: Windows 64-bit agent or Windows 32-bit agent.

Once you downloaded the agent(s), extract them (I use 7-ZIP) and place them in your ConfigMgr source folder so you can add as an Application. [I am not going to go into details how to add an Application into ConfigMgr]

The setup.exe or MSI command line parameters to pass are:

MMA-specific options Notes
NOAPM=1 Optional parameter. Installs the agent without .NET Application Performance Monitoring.
ADD_OPINSIGHTS_WORKSPACE 1 = Configure the agent to report to a workspace
OPINSIGHTS_WORKSPACE_ID Workspace Id (guid) for the workspace to add
OPINSIGHTS_WORKSPACE_KEY Workspace key used to initially authenticate with the workspace
OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE Specify the cloud environment where the workspace is located
0 = Azure commercial cloud (default)
1 = Azure Government
OPINSIGHTS_PROXY_URL URI for the proxy to use
OPINSIGHTS_PROXY_USERNAME Username to access an authenticated proxy
OPINSIGHTS_PROXY_PASSWORD Password to access an authenticated proxy

Example:

setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<your workspace id> OPINSIGHTS_WORKSPACE_KEY=<your workspace key> AcceptEndUserLicenseAgreement=1

Deploy the application to the collection that contains your target computers.

Once the agent is installed, you will see Microsoft Monitoring Agent in the Control Panel

Open the control panel applet and go to the second tab which is Azure Log Analytics (OMS). If there was a successful connection, you will see a green check box.

Within 30 minutes, you will see the computer show up on your WDATP portal.

Run the detection test on the Windows 7/8 computer

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= ‘silentlycontinue’;(New-Object System.Net.WebClient).DownloadFile(‘http://127.0.0.1/1.exe&#8217;, ‘C:\\test-WDATP-test\\invoice.exe’);Start-Process ‘C:\\test-WDATP-test\\invoice.exe’

Once the command is executed, in the Portal within a minute or so, you will see the Risk Score change to Medium

Digging into the machine, you will see the powershell command tagged as Suspicious.

If you do not see a green check box in MMA agent:

  • Check proxy and internet connectivity
  • Ensure the workspace ID and KEY are properly entered
  • Install the MMA agent manually on the machine and enter the information.
  • Check command line in your deployment for spelling, spaces, etc.

Configure server proxy and Internet connectivity settings

Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway.

  • If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
  • If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
Agent Resource Ports
*.oms.opinsights.azure.com 443
*.blob.core.windows.net 443
*.azure-automation.net 443
*.ods.opinsights.azure.com 443
winatp-gw-cus.microsoft.com 443
winatp-gw-eus.microsoft.com 443
winatp-gw-neu.microsoft.com 443
winatp-gw-weu.microsoft.com 443
winatp-gw-uks.microsoft.com 443
winatp-gw-ukw.microsoft.com 443
winatp-gw-aus.microsoft.com 443
winatp-gw-aue.microsoft.com 443

ConfigMgr 1802 TP: Product Lifecycle Dashboard

The ConfigMgr team has been hard at work on adding features.  The Product Lifecycle dashboard (under Assets and Compliance\Overview\Asset Intelligence), can visually show you your installed products and support time frame.

Hopefully you don’t need this to tell you that you have less than 2 years to get off Windows 7.

2018-02-18_9-42-43

How to Remove Saved Passwords from a Web Browser

In order to remove stored passwords for your web browser please follow the instructions below based on whether you are using Internet Explorer, Safari, Firefox, or Google Chrome.

Internet Explorer (Win 7/8)

When you enter a username and password for Internet Explorer that it has not already stored for a website, it will ask if you want Internet Explorer to remember the password.

  • Click on Not for this site button on the pop-up menu.
  • This will set Internet Explorer not to prompt you to save this password for this site.

To remove individual passwords: when using IE and a saved password is pre-filled on your screen, simply highlight the username that displays there, and press the Delete key to remove just that one username/password combination from IE. Internet Explorer will then prompt you to confirm that you do want to delete it.

Win 8:  Internet explorer has a Manage Password or Web Credentials Manager.

To access this please do the following:

  1. Open the Tools menu.
  2. Select Internet Options.
  3. Click Content.
  4. Under AutoComplete, click Settings.
  5. Click on Manage Passwords
  6. Click on the Web Credentials Manager
  7. Click on the drop down arrow by the web site you want to remove the password.
  8. Click on Remove.

To remove all the saved passwords:

  1. Open the Tools menu.
  2. Select Internet Options.
  3. Click Content.
  4. Under AutoComplete, click Settings.
  5. Click Delete AutoComplete history…

To prevent AutoComplete in the future, make sure AutoComplete is deselected for User names and passwords on forms, and then click on OK.

Installing Secondary Sites and other Roles on Windows 2012 with Riverbed in the mix

During a new Configuration Manager 2012 implementation project, we tried to push a secondary site at another location (Datacenter B) from our primary site (in Datacenter A). We saw failures in the logs specifically it can’t connect to the secondary server’s c$ and failed other queries. Both Primary and the secondary servers are Windows Server 2012. Some testing showed we are not able to connect to c$ manually from the primary server from Datacenter A to the secondary server in Datacenter B. But we can connect from a Windows 7 desktop from Datacenter A to the server (2012) in Datacenter B.

After much research, we found this is was because the sites are optimized by Riverbed and the current firmware of the appliances do not support SMB3.

Riverbed just announced SMB3 support late July 2013 with the release of RiOS 8.5 for Q3 2013.

In RiOS 8.5, Riverbed is introducing new optimizations for business-critical Microsoft applications and environments including SharePoint® 2013, Exchange 2013, Office365® and file sharing applications that utilize the server message block 3 (SMB3) protocol in Windows® 8 and Server 2012 environments. As a result, mutual customers of Microsoft and Riverbed can increase productivity and efficiency, while enhancing business resilience.

Their blog (from August 5, 2013) also stated the same.

Work around is to disable Secure Negotiate.

To change this setting, set the following LanmanWorkstation parameter using PowerShell cmdlet:

Set-SmbClientConfiguration – RequireSecureNegotiate <0|1|2>

0 – Disabled

1 – Required

2 – Enabled if needed 

You can also edit the DWORD value through the registry editor.

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecureNegotiate.

To change the default behavior, you need to define the registry key. If not present, its default value is “Required” in Windows 8 clients.

The registry key can be populated via GPP in the computer configuration.

More information on SMB on 2012 and previous version:

http://blogs.technet.com/b/josebda/archive/2012/06/06/windows-server-2012-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-or-smb-3-0-you-are-using-on-your-file-server.aspx

Client / Server OS Windows 8
Windows Server 2012
Windows 7
Windows Server 2008 R2
Windows Vista
Windows Server 2008
Previous versions
of Windows
Windows 8
Windows Server 2012
SMB 3.0 SMB 2.1 SMB 2.0 SMB 1.0
Windows 7
Windows Server 2008 R2
SMB 2.1 SMB 2.1 SMB 2.0 SMB 1.0
Windows Vista
Windows Server 2008
SMB 2.0 SMB 2.0 SMB 2.0 SMB 1.0
Previous versions
of Windows
SMB 1.0 SMB 1.0 SMB 1.0 SMB 1.0

Sync Internet Explorer Favorites with SkyDrive

With everyone having multiple devices today (laptops, desktops, work PCs, tablets), one of the features lacking in Internet Explorer (IE) is the ability to sync and backup favorites. This feature existed in Live Mesh but was removed when replaced with SkyDrive.

But you can still make this happen by redirecting Favorites to a Skydrive folder on your devices.

Follow these easy steps:

  1. Download SkyDrive http://windows.microsoft.com/en-us/skydrive/download
  2. Your SkyDrive folder by default is C:\Users\%username%\SkyDrive    (%username% is the name of the login ID you use to logon to your computer)
  3. Go to the SkyDrive folder and create a new folder called Favorites.
  4. Open the user profile directory c:\users\%username%
  5. Right click on Favorites and click Properties
  6. Click the Location tab
  7. Click Move
  8. Choose the new Favorites folder created in step #3
  9. When you install Skydrive on other devices, the favorites folder should already sync. Simply start with step #4 on those devices.

Note – the example here uses SkyDrive, but you can work with Dropbox and Google Drive as well

 

Inject PNP Drivers in Windows 7 post deployment

 If you need a process to find and install drivers post process (after Windows or later as an update)

  1. Populate this key with a path to your drivers
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\PnPUnattend\DriverPaths\1
    Path = “d:\Drivers”
    <- String
  2. From a script, batch, MDT, setupcomplete.cmd, whatever, Run pnpunattend.exe
    (built into Windows 7 and also there for Vista )

Example: Pnpunattend.exe auditsystem

You can use /s to just search the drivers but not install.  Also, use the /L to output to command so you can pipe into a file if needed.

USAGE:

   PnPUnattend.exe [auditSystem | /help /? /h] [/s] [/L]

       auditSystem   Online driver install.

       /help /? /h    This help.

       /s             Search without installing.

       /L             Print Logging information to the command line.