Learn how to onboard computers with Microsoft Defender Advanced Threat Protection (MDATP), which goes beyond Microsoft Defender’s endpoint anti-virus protection.
As device, or endpoint, management in the cloud continues to mature – and hybrid-joined devices become a tighter management strategy than domain-joined or Azure-joined alone – the idea of securing a floating endpoint becomes far more critical. From zero-hour detection and remediation to advanced persistent threat (APT) detection, response and reporting, Microsoft Defender Advanced Threat Protection (MDATP) covers all your endpoint threat protection needs.
In this blog, I’ll cover how simple it is to onboard computers and begin using the MDATP service.
Microsoft Defender Advanced Threat Protection (MDATP) Onboarding
MDATP is integrated with multiple services throughout the Microsoft 365 suite, including Microsoft Endpoint Manager and Microsoft Endpoint Configuration Manager.
Microsoft Endpoint Manager is an umbrella over the following technologies and is integrated with Microsoft Endpoint Configuration Manager:
- Endpoint Manager – multi-strategy threat detection and response
- Intune – traditional cloud-based MDM/MAM solution in Azure
- Desktop Analytics – log analysis
- Autopilot and more – automated setup and pre-configuration of devices
Here is the common list of products known as ATP (Advanced Threat Protection), associated with Microsoft’s Azure environment:
- Office 365 ATP – safe links and safe attachments for Exchange online email
- Microsoft Defender ATP – enterprise endpoint security for threat management, detection and response
- Azure ATP – integrated with most of the security products in the Azure environment; it is driven by a sensor installed on domain controllers that ingests network traffic and events and feeds SIEMs, Cloud App Security or MDATP for analysis
MDATP has expanded its coverage over the last few years, and devices running the operating systems below can now be onboarded using the methods listed for each. There are a variety of options available, so I recommend considering your needs and asset inventories before designing a total onboarding plan.
Windows Operating Systems
The following installation methods are available for Windows-based operating systems:
Windows 7 SP1 and 8.1
- Download and install the Microsoft Monitoring Agent to the device
- Configure the agent with workspace ID and Key
Windows Server 2008 R2 SP1, 2012 R2, and 2016
- Download and install the Microsoft Monitoring Agent to the device
- Configure the agent with workspace ID and Key
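Both the Windows 7 SP1 / 8.1 and the Windows Server 2008 R2 SP1 / 2012 R2 / 2016 paths end with the same step: pointing the Microsoft Monitoring Agent at the MDATP workspace. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the agent is already installed, that it is run elevated, and it uses the agent's `AgentConfigManager.MgmtSvcCfg` COM interface (the `AddCloudWorkspace`, `GetCloudWorkspace(s)` and `ReloadConfiguration` members and the `ConnectionStatus` properties are assumed to match the agent's documented interface). The workspace ID and key values are placeholders to be replaced with those shown on the onboarding page.

```powershell
# Added example (not from the original post): register the MDATP workspace with the
# Microsoft Monitoring Agent and report whether the agent has connected to it.
# Placeholders: copy the real values from the Security Center onboarding page.
# Treat the workspace key as a secret; do not leave it in a script on the device.
$WorkspaceId  = '<WORKSPACE-ID-PLACEHOLDER>'
$WorkspaceKey = '<WORKSPACE-KEY-PLACEHOLDER>'

function Register-MmaWorkspace {
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][string]$Key
    )
    # COM interface the agent exposes for its own configuration (assumed as documented).
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

    # Make re-runs idempotent: skip the add if this workspace is already registered.
    $existing = $mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $Id }
    if ($existing) {
        Write-Output "Workspace $Id already registered; nothing to do."
        return $existing
    }

    $mma.AddCloudWorkspace($Id, $Key)
    $mma.ReloadConfiguration()          # apply without restarting the agent manually
    return $mma.GetCloudWorkspace($Id)
}

$ws = Register-MmaWorkspace -Id $WorkspaceId -Key $WorkspaceKey

# ConnectionStatus 0 means the agent has reached the workspace; anything else is not yet
# connected and ConnectionStatusText carries the agent's own explanation.
$ws | Select-Object workspaceId, ConnectionStatus, ConnectionStatusText
```

A non-zero `ConnectionStatus` right after registration is normal for the first minute or so; if it persists, the agent's outbound HTTPS path to the MDATP service URLs is the first thing to check.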
Windows 1803 and 2019
- Local script – command-line file installation for up to 10 devices
  - Involves a service, event category installations, registry additions and a test
- Group Policy – includes command-line file installation as above plus ADMX/ADML configuration files
- SCCM – software delivery via System Center Configuration Manager
- VDI – onboarding scripts for non-persistent devices, or Virtual Desktop Infrastructure
Windows 10
- Local script – command-line file installation for up to 10 devices
  - Involves a service, event category installations, registry additions and a test
- Group Policy – includes command-line file installation as above plus ADMX/ADML configuration files
- Microsoft Endpoint Configuration Manager current branch – version 1606 and later uses integrated Defender ATP policies, onboarded with a JSON file
- SCCM – software delivery via System Center Configuration Manager 2012 / 2012R2 / 1511 / 1602
- MDM/Intune – Office 365 and Azure policies integrated via JSON file
- VDI – onboarding scripts for non-persistent devices, or Virtual Desktop Infrastructure
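Whichever of the methods above delivers the onboarding package to a Windows 10 or Windows Server device, the result on the box is the same three artefacts the local-script bullet names: the Sense service, the SENSE event log and the onboarding registry entries. The PowerShell below is an added example (not code from the original post or from Microsoft's onboarding scripts) that reads those artefacts back to confirm a device really is onboarded; it assumes an elevated session and uses the `Sense` service name, the `Status\OnboardingState` registry value and the `Microsoft-Windows-SENSE/Operational` log as Microsoft documents them for onboarding troubleshooting.

```powershell
# Added example (not from the original post): verify MDATP onboarding state on a
# Windows 10 / Windows Server device by inspecting the artefacts onboarding leaves behind.
function Test-MdatpOnboarding {
    $result = [ordered]@{}

    # 1. The Sense service is what the onboarding package installs and starts.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. OnboardingState = 1 under the Status key is written once onboarding completes.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
                -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = if ($null -eq $state) { 'Missing' } else { $state }

    # 3. The SENSE operational log records the agent's communication with the cloud service;
    #    recent errors here usually mean a proxy or connectivity problem, not a bad package.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 20 `
                -ErrorAction SilentlyContinue
    $result.RecentSenseErrors = @($events | Where-Object { $_.LevelDisplayName -eq 'Error' }).Count
    $result.LastSenseEvent    = if ($events) { $events[0].TimeCreated } else { 'NoEvents' }

    # A device counts as onboarded only when the service is running AND the state flag is set.
    $result.Onboarded = ($result.ServiceStatus -eq 'Running' -and $result.OnboardingState -eq 1)
    return [pscustomobject]$result
}

Test-MdatpOnboarding | Format-List
```

Because the function returns an object rather than printing, it drops straight into `Invoke-Command -ComputerName ... -ScriptBlock ${function:Test-MdatpOnboarding}` for a fleet-wide check, and the `Onboarded` property is what to reconcile against the device list in the Security Center.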
Non-Windows Operating Systems
The following installation methods are available for non-Windows-based operating systems:
- macOS – install via Intune, JAMF or BASH
- Linux Server – BASH install
- iOS – no app yet; configure via Intune
- Android – contact atpm@microsoft.com for access to an app via managed Google Play
For More Information
All the scripts and information are located in the Onboarding settings section in the Microsoft Defender Security Center along with the rest of the MDATP management tools at https://securitycenter.windows.com.
Also, here is a great reference to the capabilities of the service by subscription, with the E5 subscription offering the complete security package.
But, as always, the requirements defined by your organization should serve as your guide to purchasing, configuring and using software.