How To Get Windows Defender Advanced Threat Protection
Here we are, with the last part of our Windows Defender ATP blog series.
Let's begin with offboarding machines:
Sometimes we must remove machines from the ATP service. This process is called offboarding. We can do this using a local script.
Offboarding Windows 7 SP1 and 8.1, Windows Server 2008 R2 SP1, 2012 R2 and 2016
We have two different options for offboarding these machines from the service:
- Uninstall the MMA agent
- Remove the Microsoft Defender ATP workspace configuration
Uninstall the MMA agent:
- Go to Control Panel and uninstall the Microsoft Monitoring Agent
Remove the Microsoft Defender ATP workspace configuration:
- In the Microsoft Monitoring Agent Properties, select the Azure Log Analytics (OMS) tab
- Select the Microsoft Defender ATP workspace and click Remove
- Alternatively, run a PowerShell command to remove the configuration (see below)
Get your Workspace ID
- Log in to the ATP portal: https://securitycenter.windows.com/
- In the navigation pane, select Settings > Onboarding.
- Select Windows Server 2012 R2 and 2016 as the operating system and copy your Workspace ID.
Open PowerShell with administrator privileges and run the following commands, using the Workspace ID obtained in the previous step (the placeholder value must be replaced with your own):
# Workspace ID copied from the portal (placeholder, replace with your own)
$WorkspaceID = "<your-workspace-id>"
# Load agent scripting object
$AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
# Remove OMS Workspace
$AgentCfg.RemoveCloudWorkspace($WorkspaceID)
# Reload the configuration and apply changes
$AgentCfg.ReloadConfiguration()
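The three commands above remove the workspace blindly. As an added example (not part of the original post or of Microsoft's documentation), the function below wraps the same COM object but checks that the target workspace is actually configured before removing it and confirms it is gone after ReloadConfiguration(). It assumes the agent's GetCloudWorkspaces() method returns objects with a workspaceId property, and the GUID in the usage line is a placeholder.

```powershell
# Added example, not from the original post: remove the Defender ATP workspace
# from the Microsoft Monitoring Agent with a check before and after.
# Assumptions: MMA is installed, the shell is elevated, GetCloudWorkspaces()
# returns objects exposing a workspaceId property.
#Requires -RunAsAdministrator

function Remove-AtpWorkspace {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F-]{36}$')]   # workspace IDs are GUIDs
        [string]$WorkspaceId
    )

    # Same COM object as in the post
    $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg

    # Enumerate the workspaces the agent currently reports to
    $before = @($AgentCfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
    Write-Host "Workspaces before: $($before -join ', ')"

    if ($before -notcontains $WorkspaceId) {
        Write-Warning "Workspace $WorkspaceId is not configured on this agent; nothing to remove."
        return $false
    }

    # Remove the OMS workspace and apply the change
    $AgentCfg.RemoveCloudWorkspace($WorkspaceId)
    $AgentCfg.ReloadConfiguration()

    # Verify: re-read the list, the ID must be gone
    $after = @($AgentCfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
    Write-Host "Workspaces after:  $($after -join ', ')"

    if ($after -contains $WorkspaceId) {
        Write-Error "Workspace $WorkspaceId is still configured after ReloadConfiguration()."
        return $false
    }
    return $true
}

# Usage with a placeholder ID (replace with the one copied from the portal):
Remove-AtpWorkspace -WorkspaceId '00000000-0000-0000-0000-000000000000'
```

If the agent reports to more than one workspace (for example a separate Log Analytics workspace for monitoring), only the Defender ATP one is removed; the "after" list lets you confirm the others are untouched.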
Offboarding Windows 10 and Windows Server 1803 and 2019
- Log in to the ATP portal: https://securitycenter.windows.com/
- In the navigation pane, select Settings > Offboarding.
- Select Windows 10 or Windows Server 1803 as the operating system.
- Select Local Script as the deployment method and click Download package.
Extract the contents of the configuration package to a location on the machine you want to offboard (for example, the Desktop). You should have a file named WindowsDefenderATPOffboardingScript.cmd.
Open an elevated command prompt on the machine and run the script as follows:
- Go to Start and type cmd.
- Right-click Command Prompt and select Run as administrator.
- In the command prompt, go to the location where you extracted the file and type WindowsDefenderATPOffboardingScript.cmd.
- Press Enter and click OK.
For security reasons, the offboarding script is valid only for 30 days.
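The manual steps above give no feedback beyond the final message box. As an added example (not part of the original post), the script below runs the downloaded package from an elevated PowerShell session and records the SENSE service state and the onboarding status value before and after, so the result can be checked (or logged) rather than assumed. It assumes the package was extracted to the Desktop, that the Status key holds a value named OnboardingState which reads 1 while the machine is onboarded, and it treats the file timestamp as a rough stand-in for the 30-day validity, which is really enforced by the package contents.

```powershell
# Added example, not from the original post: run the downloaded offboarding
# package and record the SENSE state before and after.
# Assumptions: package extracted to the Desktop (adjust $ScriptPath), and
# Status\OnboardingState reads 1 while the machine is onboarded.
#Requires -RunAsAdministrator

$ScriptPath = Join-Path $env:USERPROFILE 'Desktop\WindowsDefenderATPOffboardingScript.cmd'
$StatusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-SenseState {
    $svc   = Get-Service -Name sense -ErrorAction SilentlyContinue
    $state = (Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue).OnboardingState
    [pscustomobject]@{
        Service         = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        OnboardingState = if ($null -ne $state) { $state } else { 'Missing' }
    }
}

if (-not (Test-Path $ScriptPath)) {
    throw "Offboarding script not found at $ScriptPath; extract the package first."
}

# The package is only valid for 30 days. The expiry lives inside the package, so
# this is just a heuristic on the file's timestamp to catch a stale download early.
$ageDays = [int]((Get-Date) - (Get-Item $ScriptPath).LastWriteTime).TotalDays
if ($ageDays -gt 30) {
    Write-Warning "Script file is $ageDays days old; download a fresh package if it is rejected."
}

$before = Get-SenseState
Write-Host "Before: service=$($before.Service) OnboardingState=$($before.OnboardingState)"

# Same as the manual steps: an elevated cmd.exe runs the .cmd. -Wait blocks until
# the script's final message box has been dismissed (the "click OK" step).
$proc = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$ScriptPath`"" -Wait -PassThru
Write-Host "Offboarding script exited with code $($proc.ExitCode)"

$after = Get-SenseState
Write-Host "After:  service=$($after.Service) OnboardingState=$($after.OnboardingState)"

if ($after.OnboardingState -eq 1) {
    Write-Warning 'OnboardingState is still 1; the machine does not appear to have offboarded.'
}
```

Run it from an elevated PowerShell window; the cmd.exe window opened by Start-Process is where the script's own prompt and message box appear.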
Advanced Features:
Let's see the advanced features offered by Windows Defender ATP.
Automated Investigations
This feature allows ATP to examine alerts and take immediate action to resolve them. This helps us minimize the alert volume. The list of automated investigations shows all the investigations that were automatically initiated and includes details such as status, detection source, and when the investigation was initiated.
You can see all the features of this function at this link:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations
Live Response:
When you enable this feature, users with the appropriate permissions can start a live response session on the machines.
Auto resolve remediated Alerts:
For tenants created on or after Windows 10, version 1809, the automated investigation and remediation capability is configured by default to resolve alerts where the result of the automated analysis is "No threats found" or "Remediated". If you don't want the alerts to be resolved automatically, you must manually turn off the feature.
Allow or block file:
Blocking is only available if your organization uses Windows Defender Antivirus as the antimalware solution and if the cloud-based protection feature is enabled.
This feature allows you to block files in your network. Blocking a file will prevent it from being read, written, or executed on machines.
To turn Allow or block file on:
- In the navigation pane, select Settings > Advanced features > Allow or block file.
- Toggle the setting between On and Off.
- Select Save preferences at the bottom of the page.
Custom Network Indicator:
With this feature, you can allow or block domains or URLs. To use it, machines must be running Windows 10 version 1709 or later, with network protection in block mode and version 4.18.1906.3 or later of the antimalware platform (see KB 4052623).
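Both "Allow or block file" and "Custom network indicator" are portal toggles with client-side prerequisites, and the toggle does nothing on a machine that does not meet them. As an added example (not part of the original post), the script below checks those prerequisites locally with the Defender PowerShell cmdlets. It assumes Get-MpPreference and Get-MpComputerStatus are available, that EnableNetworkProtection = 1 means block mode, that MAPSReporting = 0 means cloud-delivered protection is off, that AMProductVersion is the antimalware platform version, and that OS build 16299 corresponds to Windows 10 version 1709.

```powershell
# Added example, not from the original post: check the client-side prerequisites
# for "Allow or block file" (Defender AV active, cloud protection on) and
# "Custom network indicator" (Windows 10 1709+, network protection in block mode,
# antimalware platform 4.18.1906.3 or later).
# Assumptions: EnableNetworkProtection 1 = block, MAPSReporting 0 = cloud off,
# AMProductVersion = platform version, build 16299 = Windows 10 1709.

function Test-AtpFeaturePrereqs {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $os     = Get-CimInstance Win32_OperatingSystem

    $build       = [int]$os.BuildNumber
    $platformVer = [version]$status.AMProductVersion
    $minPlatform = [version]'4.18.1906.3'

    $checks = [ordered]@{
        'Defender AV enabled (block file)'        = [bool]$status.AntivirusEnabled
        'Cloud protection on (block file)'        = $pref.MAPSReporting -ne 0
        'Windows 10 1709+ (network indicators)'   = $build -ge 16299
        'Network protection = block (indicators)' = $pref.EnableNetworkProtection -eq 1
        "Platform >= $minPlatform (indicators)"   = $platformVer -ge $minPlatform
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

$results = Test-AtpFeaturePrereqs
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'One or more prerequisites failed; the portal toggle alone will not make the feature work on this machine.'
}
```

A failed "Network protection = block" row is the common cause of indicators that are saved in the portal but never enforced: audit mode (value 2) logs the match but does not block.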
Show User Details:
With this feature enabled, you can see user details stored in Azure AD such as picture, name and title. You can find user account information in the following views:
- Security operations dashboard
- Alert queue
- Machine details page
Tips for Troubleshooting:
We have seen in this series of blog posts the local script method to onboard the machine into the ATP service. Now we will see some errors that may appear and how to solve them.
| Event ID | Error type | Resolution steps |
|---|---|---|
| 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. |
| 10 | Onboarding data couldn't be written to the registry | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. Verify that the script was run as an administrator. |
| 15 | Failed to start the SENSE service | Check the service health (sc query sense command). Make sure it's not in an intermediate state ('Pending_Stopped', 'Pending_Running') and try to run the script again (with administrator rights). If the machine is running Windows 10, version 1607 and running the command sc query sense returns START_PENDING, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. If the error message is "System error 577 or error 1058 has occurred", you need to enable the Windows Defender Antivirus ELAM driver; see the "Ensure that Windows Defender Antivirus is not disabled by a policy" instructions. |
| 30 | The script could not wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see Review events and errors using Event viewer. |
| 35 | The script could not find the needed onboarding status registry value | When the SENSE service starts for the first time, it writes its onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see Review events and errors using Event viewer. |
| 40 | SENSE service onboarding status is not set to 1 | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see Review events and errors using Event viewer. |
| 65 | Insufficient privileges | Run the script again with administrator privileges. |
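The table tells you what to check for each event ID, but the checks are spread across the service manager, the registry ACL and two event logs. As an added example (not part of the original post), the triage function below performs them in one pass on the local machine and reports what it found. It assumes the onboarding script writes its events to the Application log under the provider name WDATPOnboarding (so the event IDs in the table can be read back), that SENSE has an operational log named Microsoft-Windows-SENSE/Operational, and that the Status key holds a value named OnboardingState which should be 1.

```powershell
# Added example, not from the original post: run the checks from the
# troubleshooting table on the local machine.
# Assumptions: onboarding events are logged to Application with provider
# 'WDATPOnboarding', SENSE logs to 'Microsoft-Windows-SENSE/Operational',
# and Status\OnboardingState = 1 means onboarded.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Test-SenseOnboarding {
    $findings = New-Object System.Collections.Generic.List[string]

    # Events 15 / 30: service state. The table's 'Pending_*' states are
    # StartPending / StopPending in the .NET ServiceControllerStatus enum.
    $svc = Get-Service -Name sense -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add('SENSE service is not installed on this build.')
    } elseif ($svc.Status -in 'StartPending', 'StopPending') {
        $findings.Add("SENSE is in an intermediate state ($($svc.Status)); wait or reboot, then rerun the script.")
    } elseif ($svc.Status -ne 'Running') {
        $findings.Add("SENSE is $($svc.Status); see the SENSE operational log errors below.")
    }

    # Events 5 / 10: the policy key must be writable by the elevated script
    if (Test-Path $PolicyKey) {
        $adminWrite = (Get-Acl -Path $PolicyKey).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Administrators|SYSTEM' -and
            $_.RegistryRights.ToString() -match 'FullControl|SetValue'
        }
        if (-not $adminWrite) {
            $findings.Add("No Allow ACE granting SetValue/FullControl to Administrators or SYSTEM on $PolicyKey.")
        }
    } else {
        $findings.Add("$PolicyKey does not exist (expected before the first onboarding).")
    }

    # Events 35 / 40: onboarding status written by SENSE on its first start
    $state = (Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue).OnboardingState
    if ($null -eq $state) {
        $findings.Add("OnboardingState is missing under $StatusKey; SENSE never completed onboarding.")
    } elseif ($state -ne 1) {
        $findings.Add("OnboardingState is $state, expected 1.")
    }

    # Event 65: is this session elevated?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings.Add('Not running elevated; rerun the onboarding script as administrator.')
    }

    # Most recent onboarding-script event and the latest SENSE errors
    $lastOnboard = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' } `
                   -MaxEvents 1 -ErrorAction SilentlyContinue
    $senseErrors = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2 } `
                   -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Findings          = $findings
        LastOnboardEvent  = if ($lastOnboard) { "$($lastOnboard.Id): $($lastOnboard.Message)" } else { 'none' }
        RecentSenseErrors = @($senseErrors | ForEach-Object { "$($_.Id): $($_.Message)" })
    }
}

Test-SenseOnboarding | Format-List
```

The event ID in LastOnboardEvent is the one to look up in the table; the Findings list usually already points at the row, which saves opening Event Viewer on a machine you only reach over a remote shell.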
And with this blog we conclude the Windows Defender ATP blog series.
We would like to know how this series has helped you or encouraged you to try something new.
For further queries and feedback, leave a comment and we will get in touch with you.
For more frequent Office 365, MS Azure, EMS and MS Teams tips and tricks, follow us on LinkedIn and Twitter.
Happy learning!!
Source: https://vnextiq.com/windows-defender-advanced-threat-protection-iv/
Posted by: cookgiviss74.blogspot.com