Onboarding Windows Server (2012 R2 and 2016) into Windows Defender ATP (Using the script feature in Configuration Manager)

Introduction

Short and sweet post. I was looking into onboarding servers into Windows Defender ATP. The official documentation for such operation is listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection

In short, it's about installing the Microsoft Monitoring Agent (if not installed already as a part of SCOM or OMS). I happen to have the agent installed already, and as such the only requirement in this regard is to tell the agents to connect to another workspace. This can of course be done manually on each agent through the Microsoft Monitoring Agent properties in the control panel, but we don't like to do stuff manually. That's when I came up with the idea of doing this through the script feature in Configuration Manager. IMO this is a perfect fit, as this is a one-time operation for existing servers. Curious? Read on 🙂

Configuration

  • First off, log in to the Windows Defender ATP portal and take note of your workspace id and workspace key. These are found on the settings page in the Machine management section

  • Secondly, use the id and key in the following PowerShell script

  • Create a new script in the Configuration Manager console. This is done from the Software Library workspace. Copy and paste the script from above into the Create Script wizard

  • Approve the script (depending on the settings in your environment, someone other than yourself has to do that)
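As an added example (not the script from the original post), here is a PowerShell script of the kind step two calls for. It uses the Microsoft Monitoring Agent's AgentConfigManager.MgmtSvcCfg COM interface, assumes you replace the two placeholder values with the workspace id and key from the ATP portal, and checks whether the workspace is already present so re-running it against the same servers is harmless.

```powershell
# Added example, not the post's own script. Replace both placeholders with the
# values noted from the ATP portal (Settings > Machine management).
$WorkspaceId  = '<WORKSPACE-ID-PLACEHOLDER>'
$WorkspaceKey = '<WORKSPACE-KEY-PLACEHOLDER>'

try {
    # The Microsoft Monitoring Agent exposes its configuration through this COM object.
    # If the agent is not installed, creating it fails and we report that instead.
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
} catch {
    Write-Output "Microsoft Monitoring Agent not found on $env:COMPUTERNAME: $($_.Exception.Message)"
    exit 1
}

# Idempotency check: Configuration Manager scripts can be re-run against a collection,
# so skip servers that are already connected to this workspace.
$existing = @($mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId })
if ($existing.Count -gt 0) {
    Write-Output "Workspace $WorkspaceId already configured on $env:COMPUTERNAME (status: $($existing[0].ConnectionStatusText))"
    exit 0
}

try {
    # Add the ATP workspace alongside any existing SCOM/OMS workspaces, then make the
    # agent pick up the new configuration without a service restart.
    $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    $mma.ReloadConfiguration()
} catch {
    Write-Output "Failed to add workspace on $env:COMPUTERNAME: $($_.Exception.Message)"
    exit 1
}

# Read the workspace back so the script output shows what the agent actually stored.
$ws = $mma.GetCloudWorkspace($WorkspaceId)
Write-Output "Added workspace $($ws.workspaceId) on $env:COMPUTERNAME (status: $($ws.ConnectionStatusText))"
exit 0
```

The exit code and the Write-Output text are what you see per device under Script Status in the console, which is where you spot servers without the agent.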

Deployment

According to the documentation, only Server 2012 R2 and 2016 are supported. So I'd recommend that you create a collection consisting only of those OSes for targeting of the script. Below is an example of the output of running the script against a collection consisting of multiple servers.

Result

The result of a successfully run script can be seen on the Microsoft Monitoring Agent properties in the control panel. A new workspace is added and the computers will appear in the ATP portal within an hour.

Please share and leave a comment, if this was useful 🙂

References:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection
