Onboarding Windows Server (2012 R2 and 2016) into Windows Defender ATP using the script feature in Configuration Manager (SCCM)

Introduction

Short and sweet post. I was looking into onboarding servers into Windows Defender ATP. The official documentation for such operation is listed here:ย https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection

In short, it’s about installing the Microsoft Monitoring Agent (if not installed already as a part of SCOM or OMS). I happen to have the agent installed already, and as of such the only requirement in this regard is to tell the agents to connect to another workspace. This can of course be done manually on each agent through the Microsoft Monitoring Agent properties in the control panel, but we don’t like to do stuff manually. That’s when I came up with the idea, to do this through the script feature in Configuration Manager. IMO this is a perfect fit, as this is a one time operation for existing servers. Curious? Read on ๐Ÿ™‚

Configuration

  • First off, login to the Windows Defender ATP portalย and take notes of your workspace id and workspace key. These are found on the settings page in the Machine management section

  • Secondly, use the id and key in following Powershell script
$workspaceId = "INSERT YOUR ID"
$workspaceKey = "INSERT YOUR KEY"

$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.AddCloudWorkspace($workspaceId, $workspaceKey)
$mma.ReloadConfiguration()
  • Create a new script in the Configuration Manager console. This is done from the Software library workspace. Copy paste the script from above into the Create script wizard

  • Approve the script (depending on the settings in your environment, someone else than yourself has to do that)

Deployment

According to the documentation, only server 2012 R2 and 2016 are supported. So I’d recommend that you create a collection consisting only of those OS’es for targeting of the script. Below is an example of the output of running the script of a collection consisting of multiple servers.

Result

The result of a successfully run script can be seen on the Microsoft Monitoring Agent properties in the control panel. A new workspace is added and the computers will appear in the ATP portal within an hour.

Please share and leave a comment, if this was useful ๐Ÿ™‚

References:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection

2 thoughts on “Onboarding Windows Server (2012 R2 and 2016) into Windows Defender ATP using the script feature in Configuration Manager (SCCM)”

  1. Hi Martin,

    Thanks alot for the script.

    In My case iam using the the script to add the log-analytics workspace ID and key from cloud.

    The script executes successfully but it adds only the workspace,but not the key.

    Can you help on this.

    Reply
  2. Just a question, Did you have any issues connecting your SCCM Server to the Windows Defender ATP?

    I am having problems getting mine connected, but I just had a thought that you are connecting a management service to another management service and that may not play nicely!

    Reply

Leave a Reply to Abdul Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.