UPDATE: Thanks Amit from Microsoft for clarifying that you don’t need to restart after the installation.

Back in March, Microsoft announced their new next-gen threat protection tool. Windows Defender Advanced Threat Protection (ATP). Recently, they’ve expanded that program and opened it up to a broader Preview.

It has a few primary goals:

1) Detects Advanced Attacks provides key information on who, what, and why the attack happened. Sophisticated threat intelligence enables attack detection, informed by the world’s largest array of sensors and expert advanced threat protection, including a team of experts at Microsoft and expert security partners.

2) Response Recommendations. The service’s security operations data provides an easy way to investigate alerts, explore the entire network for signs of attacks, examine attacker actions on specific devices, and get detailed file footprints from across the organization to recommend responses.

3) Complements Microsoft Advanced Threat Detection Solutions. Because Windows Defender Advanced Threat Protection is being built into Windows 10, it will be kept continuously up-to-date, lowering costs, with no deployment effort needed.  Powered by a cloud backend, no on premise server infrastructure or ongoing maintenance is required. It complements email protection services from Office 365 Advanced Threat Protection and Microsoft Advanced Threat Analytics.

Let’s walk through onboarding our machine.

NOTE: You must be running the Windows 10 preview release bits (build 14342 or above) on one or more machines and on-board machines to the Windows Defender ATP service. All it takes is three steps:

052316_1344_InstallingW1.png

First, go to the portal https://securitycenter.windows.com

052316_1344_InstallingW2.png

Select “Client Onboarding” in the navigation pane, then select “On-board local machine”, and finally, click the “Download Package” button.

052316_1344_InstallingW3.png

Extract “WindowsATPOnboardingScript.cmd” from the downloaded archive, run it in an elevated command prompt (“run as administrator”).

052316_1344_InstallingW4.png 052316_1344_InstallingW5.png 052316_1344_InstallingW6.png

Your machine will now connect to the Windows Defender ATP cloud service. Events being sent to the service will light up this machine in the Windows Defender ATP portal.

NOTE: It may take up to 15-30 minutes to report data in the console.

Looks like we have another non-demo machine reporting in!

052316_1344_InstallingW7.png

Under Machines View, we can see my machine appearing

052316_1344_InstallingW8.png

You can see it’s tracking quite a bit of data points.

052316_1344_InstallingW9.png

We can even see some of the expanded view of some of the registry values.

052316_1344_InstallingW10.png

Hopefully if you requested access you can play with this too!

  1. Please note that restarting the machine after running the script is NOT required. Running the script is sufficient to complete the machine onboarding

  2. So there is no offline (LAN/WAN) management component? That makes this “security solution” useless. It was nonsensical since its concept phase. wow…

    • Correct, the ability to provide that type of analytics on-prem just can’t scale.

      That being said, Configuration Manager does support managing the Defender ATP policies.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>