Windows Defender ATP – Onboarding Windows 7 & 8

Supported OS for this post:

  • Windows 7 SP1 Enterprise
  • Windows 7 SP1 Pro
  • Windows 8.1 Pro
  • Windows 8.1 Enterprise

Microsoft’s Windows Defender ATP (WDATP) now supports previous versions of Windows listed above.

If you use System Center Endpoint Protection for Win 7 and 8, you will need to ensure the January 2017 platform update is installed and the SCEP client Cloud Protection Services membership is to Advanced in the ConfigMgr antimalware policy that is applied to the systems.

For Windows 7 SP1 Enterprise and Pro ensure the following are installed

You will need the Workspace ID and key from the WDATP portal.


Download the MMA agent setup file: Windows 64-bit agent or Windows 32-bit agent.

Once you downloaded the agent(s), extract them (I use 7-ZIP) and place them in your ConfigMgr source folder so you can add as an Application. [I am not going to go into details how to add an Application into ConfigMgr]

The setup.exe or MSI command line parameters to pass are:

MMA-specific options Notes
NOAPM=1 Optional parameter. Installs the agent without .NET Application Performance Monitoring.
ADD_OPINSIGHTS_WORKSPACE 1 = Configure the agent to report to a workspace
OPINSIGHTS_WORKSPACE_ID Workspace Id (guid) for the workspace to add
OPINSIGHTS_WORKSPACE_KEY Workspace key used to initially authenticate with the workspace
OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE Specify the cloud environment where the workspace is located
0 = Azure commercial cloud (default)
1 = Azure Government
OPINSIGHTS_PROXY_URL URI for the proxy to use
OPINSIGHTS_PROXY_USERNAME Username to access an authenticated proxy
OPINSIGHTS_PROXY_PASSWORD Password to access an authenticated proxy

Example:

setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<your workspace id> OPINSIGHTS_WORKSPACE_KEY=<your workspace key> AcceptEndUserLicenseAgreement=1

Deploy the application to the collection that contains your target computers.

Once the agent is installed, you will see Microsoft Monitoring Agent in the Control Panel

Open the control panel applet and go to the second tab which is Azure Log Analytics (OMS). If there was a successful connection, you will see a green check box.

Within 30 minutes, you will see the computer show up on your WDATP portal.

Run the detection test on the Windows 7/8 computer

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= ‘silentlycontinue’;(New-Object System.Net.WebClient).DownloadFile(‘http://127.0.0.1/1.exe&#8217;, ‘C:\\test-WDATP-test\\invoice.exe’);Start-Process ‘C:\\test-WDATP-test\\invoice.exe’

Once the command is executed, in the Portal within a minute or so, you will see the Risk Score change to Medium

Digging into the machine, you will see the powershell command tagged as Suspicious.

If you do not see a green check box in MMA agent:

  • Check proxy and internet connectivity
  • Ensure the workspace ID and KEY are properly entered
  • Install the MMA agent manually on the machine and enter the information.
  • Check command line in your deployment for spelling, spaces, etc.

Configure server proxy and Internet connectivity settings

Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway.

  • If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
  • If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
Agent Resource Ports
*.oms.opinsights.azure.com 443
*.blob.core.windows.net 443
*.azure-automation.net 443
*.ods.opinsights.azure.com 443
winatp-gw-cus.microsoft.com 443
winatp-gw-eus.microsoft.com 443
winatp-gw-neu.microsoft.com 443
winatp-gw-weu.microsoft.com 443
winatp-gw-uks.microsoft.com 443
winatp-gw-ukw.microsoft.com 443
winatp-gw-aus.microsoft.com 443
winatp-gw-aue.microsoft.com 443

ConfigMgr 1802 TP: Product Lifecycle Dashboard

The ConfigMgr team has been hard at work on adding features.  The Product Lifecycle dashboard (under Assets and Compliance\Overview\Asset Intelligence), can visually show you your installed products and support time frame.

Hopefully you don’t need this to tell you that you have less than 2 years to get off Windows 7.

2018-02-18_9-42-43

ConfigMgr 1802 TP – Report on Windows AutoPilot device information

The following text is from the MS docs site but screen shot from my lab (no need to recreate good document): https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1802#report-on-windows-autopilot-device-information

Windows AutoPilot is a solution for onboarding and configuring new Windows 10 devices in a modern way. For more information, see an overview of Windows AutoPilot. One method of registering existing devices with Windows AutoPilot is to upload device information to the Microsoft Store for Business and Education. This information includes the device serial number, Windows product identifier, and a hardware identifier. Use Configuration Manager to collect and report this device information.

Prerequisites

  • This device information only applies to clients on Windows 10, version 1703, and later
  1. In the Configuration Manager console, Monitoring workspace, expand the Reporting node, expand Reports, and select the Hardware – General node.
  2. Run the new report, Windows AutoPilot Device Information and view the results.


  1. In the report viewer click the Export icon, and select CSV (comma delimited) option.


  1. After saving the file, upload the data to the Microsoft Store for Business and Education. For more information, see add devices in Microsoft Store for Business and Education.

ConfigMgr 1802 TP – Improvements to Windows 10 in-place upgrade task sequence

In 1802 TP, when you create a upgrade Task Sequence, now there will be additional groups created that is based on recommendations what Microsoft and others have seen done in the field. These groups are just recommendations and the actual tasks/scripts to do the checks, installs, etc. will need to be done by you. Several example scripts are out on the next that can help you get started.

Some examples and additional recommendations are available here https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1802

-Jay

ConfigMgr 1802 TP – Microsoft Edge Browser Profiles

In the updated 1802 TP, we now have an option to create Edge policies.

In Assets and Compliance, under Compliance Settings, there is an option for Microsoft Edge Browser Profiles

Highlight that and choose from the Menu (or right click) to Create Microsoft Edge profile

In the Create Microsoft Edge Browser Policy wizard, name your profile/policy just as an example below. You can create multiple profiles to target different collections like any other deployment.

In the next screen, choose the configuration needed based on your corporate policies.

Once done, select next and choose the OS which will always be Windows 10 but you can target between x32 and x64.

Once all done, from the menu bar or right click to deploy the policy to a collection.

Servicing server group features of Configuration Manager CB 1511 and 1605

Technical Preview for System Center Configuration Manager, version 1511, included the ability to create a collection where all devices in the collection make up a server group. Then, you could configure the server group settings to use when you deploy software updates to the server group, control the percentage of computers that are updated at any given time, and configure pre-deployment and post-deployment PowerShell scripts to run custom actions.

Technical Preview for System Center Configuration Manager, version 1605, adds the ability to update the computers in the server group in a specified order that you define, adds enhanced monitoring to view the status for the computers in the server group, and provides the ability to clear the deployment locks that is useful when clients have failed to install the software updates and are preventing other clients from installing their software updates.

Reference: https://technet.microsoft.com/en-us/library/mt706220.aspx