UPDATE: Thanks Amit from Microsoft for clarifying that you don’t need to restart after the installation.
Back in March, Microsoft announced their new next-gen threat protection tool. Windows Defender Advanced Threat Protection (ATP). Recently, they’ve expanded that program and opened it up to a broader Preview.
It has a few primary goals:
1) Detects Advanced Attacks provides key information on who, what, and why the attack happened. Sophisticated threat intelligence enables attack detection, informed by the world’s largest array of sensors and expert advanced threat protection, including a team of experts at Microsoft and expert security partners.
2) Response Recommendations. The service’s security operations data provides an easy way to investigate alerts, explore the entire network for signs of attacks, examine attacker actions on specific devices, and get detailed file footprints from across the organization to recommend responses.
3) Complements Microsoft Advanced Threat Detection Solutions. Because Windows Defender Advanced Threat Protection is being built into Windows 10, it will be kept continuously up-to-date, lowering costs, with no deployment effort needed. Powered by a cloud backend, no on premise server infrastructure or ongoing maintenance is required. It complements email protection services from Office 365 Advanced Threat Protection and Microsoft Advanced Threat Analytics.
Let’s walk through onboarding our machine.
NOTE: You must be running the Windows 10 preview release bits (build 14342 or above) on one or more machines and on-board machines to the Windows Defender ATP service. All it takes is three steps:
First, go to the portal https://securitycenter.windows.com
Select “Client Onboarding” in the navigation pane, then select “On-board local machine”, and finally, click the “Download Package” button.
Extract “WindowsATPOnboardingScript.cmd” from the downloaded archive, run it in an elevated command prompt (“run as administrator”).
Your machine will now connect to the Windows Defender ATP cloud service. Events being sent to the service will light up this machine in the Windows Defender ATP portal.
NOTE: It may take up to 15-30 minutes to report data in the console.
Looks like we have another non-demo machine reporting in!
Under Machines View, we can see my machine appearing
You can see it’s tracking quite a bit of data points.
We can even see some of the expanded view of some of the registry values.
Hopefully if you requested access you can play with this too!