SCCM-Endpoint Protection: Microsoft Defender Advanced Threat Protection (EDR) for Windows Server 2019 (Part 14)

Disclaimer: The views expressed in my posts on this site are mine & mine alone & don’t necessarily reflect the views of Microsoft. All posts are provided “AS IS” with no warranties & confer no rights. If I post any code, scripts or demos, they are provided for the purpose of illustration & are not intended to be used in a production environment. They are provided ‘as is’ without warranty of any kind, expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. I grant you a nonexclusive, royalty-free right to use & modify my sample code & to reproduce & distribute the object code form of the sample code, provided that you agree: (i) to not use my name, my company’s name, logo, or trademarks to market your software product in which the sample code is embedded; (ii) to include a valid copyright notice on your software product in which the sample code is embedded; and (iii) to indemnify, hold harmless, and defend me, Microsoft & our suppliers from & against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the sample code.

Updated: N/A

Published: Mar 29, 2020

Applies to:

System Center Configuration Manager (SCCM) Current Branch (CB) running:

Microsoft Defender Advanced Threat Protection (MDATP, formerly known as Windows Defender Advanced Threat Protection, aka Endpoint Detection and Response (EDR)) for these OSes:

  • Windows Server 2019 (Desktop Experience)
  • Windows Server 2019 (Core, command console)

In the previous blog:

SCCM-Endpoint Protection: Microsoft Defender Advanced Threat Protection (EDR) for Windows 10 (Part 13)
https://yongrhee.wordpress.com/2020/03/20/sccm-endpoint-protection-microsoft-defender-advanced-threat-protection-edr-for-windows-10-part-13/

In this blog post, we will be going over onboarding MDATP (EDR) for Windows Server 2019 using SCCM CB.

Step 1)
Download the onboarding package for “Windows Server 2019”

Settings -> Machine Management -> Onboarding
Select operating system to start onboarding process: Windows Server 1803 and 2019
Deployment method: System Center Configuration Manager

Step 2)
Software Library -> Application Management -> Packages
Right-click on “Packages”
Click on “Create Package”

[Package]
Name: MDATP Onboarding Windows Server 2019
Description: Enable the ‘Windows Defender Advanced Threat Protection’ (SENSE) service on “Windows Server 2019”
Manufacturer: Microsoft
Language: EN-US
Version: 1.0

Check the box for “This package contains source files”
Click on “Browse…”

[[Set Source Folder]]
Select the radio button “Network path (UNC name)” (default)
Source folder:
Example: \\sccm\deployment\MDATP_Onboarding_W2K19
Click on OK

Architecture: x64
Language: English (United States)

Click on Next

[Program Type]
Select the radio button “Standard program”
Name: MDATP Onboarding package for Windows Server 2019
Command line:
Click on “Browse…”
Change from “Executable Files *.exe” to “All files (*.*)”
\\sccm\deployment\MDATP_Onboarding_W2K19\WindowsDefenderATPOnboardingScript.cmd
Click on “Open”
     Now, you should see “Command line: WindowsDefenderATPOnboardingScript.cmd”
Startup folder: <blank> (default)
Run: Hidden
Program can run: Whether or not a user is logged on
Run mode: Run with administrative rights (grayed out)
Leave the following unchecked (default): ‘Allow users to view and interact with the program installation’
Drive mode: Runs with UNC name

Click on Next

[Requirements]
Leave the following unchecked (default): ‘Run another program first’
Under “Platform requirements”
Select the radio button “This program can run only on specified platforms”
check the box “All Windows Server 2019 and higher (64-bit)”
Estimated disk space: “Unknown”
Maximum allowed run time (minutes): Change from 120 to 15.

Click on Next

[Summary]
Click on Next

[Completion]
Click on Close

Right click on “MDATP Onboarding Windows Server 2019”
Click on “Deploy”

[[General]]
Software: MDATP Onboarding Windows Server 2019 (MDATP Onboarding package for Windows Server 2019)
Collection:
Click on “Browse…”
Select the “Device Collection” where your Windows Server 2019s reside. For example: “WindowsServer2019”
Click on OK

Click on Next

[[Content]]
Click on “Add”
Select “Distribution Point” or “Distribution Point Group”

[[[Add Distribution Points]]]
Check the box for the “<Distribution Point name>” For example: “SCCM.CONTOSO.COM”
Click on OK

Click on Next

[[Deployment Settings]]
Click on “Action:” Install (default)
Purpose: Change from “Available” to “Required”

Leave the checkbox (default) “Allow end users to attempt to repair this application”
Check the box for “Pre-deploy software to the user’s primary device”
Leave the checkbox (default) “Send wake-up packets”
Leave the checkbox (default) “Allow clients on a metered Internet connection to download content after the installation deadline, which might incur additional costs”

Click on Next

[[Scheduling]]
Assignment scheduled:
Click on “New…”

[[[Assignment Schedule]]]
Click on the radio button “As soon as possible”
Click on OK

Rerun behavior: Rerun if failed previous attempt (default, grayed out)

Click on Next

[[User Experience]]

<default>

Click on Next

[[Distribution Points]]
Deployment options:
Select “Download content from distribution point and run locally” (default)
Leave default “Allow clients to use distribution points from the default site boundary group”

Click on Next

[[Summary]]

Click on Next

Click on Close
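Once the required deployment has run on the collection, it is worth confirming on the servers themselves that the onboarding script did its job rather than relying on the SCCM deployment status alone. The PowerShell below is an added example and not code from the original post or from Microsoft; it assumes (as the page does not state) that the sensor runs as the Windows service named “Sense”, that the onboarding script records its result as the OnboardingState value (1 = onboarded) under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status, and that the sensor writes to the Microsoft-Windows-SENSE/Operational event log. Run it in an elevated session on a Windows Server 2019 member of the collection.

```powershell
# Added example (not from the original post): check the result of the
# MDATP onboarding package on a Windows Server 2019 host.
# Assumed, not taken from the page: service name "Sense", the
# OnboardingState registry value (1 = onboarded) and the
# Microsoft-Windows-SENSE/Operational event log.

function Test-MdatpOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # 1) Service state: the onboarding .cmd enables and starts the SENSE service.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # 2) Onboarding state written by the onboarding script (assumed value name).
    $onboarded = $null
    if (Test-Path -Path $statusKey) {
        $onboarded = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
                        -ErrorAction SilentlyContinue).OnboardingState
    }

    # 3) Most recent sensor events; useful when the service runs but
    #    OnboardingState is still not 1 (for example, no outbound connectivity).
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
                  -MaxEvents 10 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ServiceFound    = [bool]$svc
        ServiceStatus   = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType       = if ($svc) { $svc.StartType } else { $null }
        OnboardingState = $onboarded
        IsOnboarded     = [bool]($svc -and $svc.Status -eq 'Running' -and $onboarded -eq 1)
        RecentEvents    = $events
    }
}

$result = Test-MdatpOnboarding
$result | Format-List ComputerName, ServiceFound, ServiceStatus, StartType, OnboardingState, IsOnboarded
$result.RecentEvents | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

To check the whole collection from a management host, wrap the call in Invoke-Command against the server list and keep the objects where IsOnboarded is $false; those are the hosts whose package execution should be compared against the SCCM deployment status view, since a program that exits successfully does not by itself prove the sensor reached the service.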

In the next blog post, we will go over Microsoft Defender Advanced Threat Protection (MDATP, formerly known as Windows Defender Advanced Threat Protection) for Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, Windows Server 2012 R2, and Windows Server 2016.

Or you can get started now:

Previous versions of Windows Client (Windows 7 and Windows 8.1)

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/onboarding#previous-versions-of-windows-client-windows-7-and-windows-81

Note: The MDATP deployment/onboarding method is the same for Windows 7 SP1 == Windows Server 2008 R2 SP1, Windows 8.1 == Windows Server 2012 R2 and Windows Server 2016.

Thanks,

Yong

Twitter: @YongRheeMSFT

https://twitter.com/yongrheemsft

P.S. Related content regarding this series:
Evaluation (PoC) Guide for Microsoft Defender Antivirus (MDAV) and Microsoft Defender–Exploit Guard [Attack Surface Reduction Rules, Controlled Folder Access and Network Protection]
https://yongrhee.wordpress.com/2020/03/03/evaluation-poc-guide-for-microsoft-defender-antivirus-mdav-and-microsoft-defender-exploit-guard-attack-surface-reduction-rules-controlled-folder-access-and-network-protection/

Do macOS need an antimalware (antivirus) and EDR software?
https://yongrhee.wordpress.com/2020/03/08/do-macos-need-an-antimalware-antivirus-and-edr-software/

SCCM-Endpoint Protection: Setting up your System Center Configuration Manager lab for a PoC (Part 1)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-setting-up-your-system-center-configuration-manager-lab-for-a-poc-part-1/

SCCM-Endpoint Protection: Enable “Software Update Point” (SUP) (Part 2)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enable-software-update-point-sup-part-2/

SCCM-Endpoint Protection: Enable “Endpoint Protection point” site system role (Part 3)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enable-endpoint-protection-point-site-system-role-part-3/

SCCM-Endpoint Protection: Enable SCCM “Client Settings” – “Endpoint Protection”(Part 3a)
https://yongrhee.wordpress.com/2020/03/04/sccm-endpoint-protection-enable-sccm-client-settings-endpoint-protectionpart-3a/

SCCM-Endpoint Protection: Enabling “Platform Update” for Microsoft Defender AV via SCCM ADR (Part 4)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-platform-update-for-microsoft-defender-av-via-sccm-adr-part-4/

SCCM-Endpoint Protection: Enabling “Platform Update” for Microsoft SCEP via SCCM ADR (Part 5)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-platform-update-for-microsoft-scep-via-sccm-adr-part-5/

SCCM-Endpoint Protection: Enabling “Security Intelligence Update” for MDAV via SCCM ADR (Part 6)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-security-intelligence-update-for-mdav-via-sccm-adr-part-6/

SCCM-Endpoint Protection: Enabling “Security Intelligence Update” for SCEP via SCCM ADR (Part 7)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-security-intelligence-update-for-scep-via-sccm-adr-part-7/

SCCM-Endpoint Protection: Windows client: MDAV and SCEP antimalware policies best practices(Part 8).
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-windows-client-mdav-and-scep-antimalware-policies-best-practicespart-8/

SCCM-Endpoint Protection: Windows server: MDAV and SCEP antimalware policies best practices(Part 9)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-windows-server-mdav-and-scep-antimalware-policies-best-practicespart-9/

Managing System Center Endpoint Protection (SCEP, EPP (aka Antivirus)) policies via Group Policy

https://yongrhee.wordpress.com/2020/03/19/managing-system-center-endpoint-protection-scep-epp-aka-antivirus-policies-via-group-policy/

SCCM-Endpoint Protection: Microsoft Defender Exploit Guard: Attack Surface Reduction rules (Part 10)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-microsoft-defender-exploit-guard-attack-surface-reduction-rules-part-10/

SCCM-Endpoint Protection: Microsoft Defender Exploit Guard: Network Protection (Part 11)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-microsoft-defender-exploit-guard-network-protection-part-11/

SCCM-Endpoint Protection: Microsoft Defender Exploit Guard: Controlled Folder Access (Part 12)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-microsoft-defender-exploit-guard-controlled-folder-access-part-12/

SCCM-Endpoint Protection: Microsoft Defender Advanced Threat Protection (EDR) for Windows 10 (Part 13)
https://yongrhee.wordpress.com/2020/03/20/sccm-endpoint-protection-microsoft-defender-advanced-threat-protection-edr-for-windows-10-part-13/

Published by yongrhee

A Cybersecurity & Information Technology (IT) geek.
