SCCM-Endpoint Protection: Microsoft Defender Advanced Threat Protection (EDR) for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 (Part 15)

Disclaimer: The views expressed in my posts on this site are mine & mine alone & don’t necessarily reflect the views of Microsoft. All posts are provided “AS IS” with no warranties & confers no rights. If I post any code, scripts or demos, they are provided for the purpose of illustration & are not intended to be used in a production environment. They are provided ‘as is’ without warranty of any kind, expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. I grant you a nonexclusive, royalty-free right to use & modify my sample code & to reproduce & distribute the object code form of the sample code, provided that you agree: (i) to not use my name, my companies name, logo, or trademarks to market your software product in which the sample code is embedded; (ii) to include a valid copyright notice on your software product in which the sample code is embedded; and (iii) to indemnify, hold harmless, and defend me, Microsoft & our suppliers from & against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the sample code.

Updated: N/A

Published: Apr. 15th, 2020

Applies to:

System Center Configuration Manager (SCCM) Current Branch (CB) running:

Microsoft Defender Advanced Threat Protection (MDATP), formerly known as Windows Defender Advanced Threat Protection, aka Endpoint Detection and Response (EDR), for these OS’es:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows 8.1
  • Windows Server 2008 R2 SP1
  • Windows 7 SP1

Hi world,

Continuing with setting up the SCCM-Endpoint Protection series.

In the previous blog:

SCCM-Endpoint Protection: Microsoft Defender Advanced Threat Protection (EDR) for Windows Server 2019 (Part 14)

https://yongrhee.wordpress.com/2020/03/29/sccm-endpoint-protection-microsoft-defender-advanced-threat-protection-edr-for-windows-server-2019-part-14/

In this blog post, we will be going over onboarding MDATP (EDR) for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 using SCCM CB.

For the latest information, please review:

Step 1)  Download the onboarding package for “Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016”

Login to the “Microsoft Defender Security Center” (https://securitycenter.microsoft.com/)

[Windows 7 SP1 and Windows 8.1]

Settings -> Machine Management -> Onboarding
Select operating system to start onboarding process: Windows 7 SP1 and 8.1
Jot down “Workspace ID” and “Workspace key”.

and/or

[Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016]

Settings -> Machine Management -> Onboarding
Select operating system to start onboarding process: Windows Server 2008 R2 SP1, 2012 R2, and 2016
Jot down “Workspace ID” and “Workspace key”.

Step 2) Download the Log Analytics Agent (used to be known as the Microsoft Monitoring Agent).


Depending on the version of Windows client and/or Windows Server, there are different pre-requisites:

O.S. pre-requisites:

[64-bit Windows 7 SP1]

  • February 13, 2018—KB4074598 (Monthly Rollup)
    https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598
    Note:  If you are missing this security hotfix from 2018, you should really patch your boxes asap.
  • 3080149 Update for customer experience and diagnostic telemetry
    https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry
  • Microsoft .NET Framework 4.5 or later (Preferred)
    https://www.microsoft.com/en-us/download/details.aspx?id=30653
    or
    Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1 (Alternative)
    https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework

[32-bit Windows 7 SP1]

  • February 13, 2018—KB4074598 (Monthly Rollup)
    https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598
    Note:  If you are missing this security hotfix from 2018, you should really patch your boxes asap.
  • 3080149 Update for customer experience and diagnostic telemetry
    https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry
  • Microsoft .NET Framework 4.5 or later (Preferred)
    https://www.microsoft.com/en-us/download/details.aspx?id=30653
    or
    Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1 (Alternative)
    https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework

[64-bit Windows 8.1]

  • 3045999 MS15-038: Description of the security update for Windows: April 14, 2015
    https://support.microsoft.com/en-us/help/3045999/ms15-038-description-of-the-security-update-for-windows-april-14-2015
    Note:  If you are missing this security hotfix from 2015, you should really patch your boxes asap.

[32-bit Windows 8.1]

  • 3045999 MS15-038: Description of the security update for Windows: April 14, 2015
    https://support.microsoft.com/en-us/help/3045999/ms15-038-description-of-the-security-update-for-windows-april-14-2015
    Note:  If you are missing this security hotfix from 2015, you should really patch your boxes asap.

[64-bit Windows Server 2008 R2 SP1]

  • February 13, 2018—KB4074598 (Monthly Rollup)
    https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598
  • 3080149 Update for customer experience and diagnostic telemetry
    https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry
  • Microsoft .NET Framework 4.5 or later (Preferred)
    https://www.microsoft.com/en-us/download/details.aspx?id=30653
    or
    Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1 (Alternative)
    https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework

[64-bit Windows Server 2012 R2]

  • 3045999 MS15-038: Description of the security update for Windows: April 14, 2015
    https://support.microsoft.com/en-us/help/3045999/ms15-038-description-of-the-security-update-for-windows-april-14-2015
    Note:  If you are missing this security hotfix from 2015, you should really patch your boxes asap.

[64-bit Windows Server 2016]

  • n/a


64-bit Windows Log Analytics agent (LLA, used to be known as Microsoft Monitoring Agent (MMA))
https://go.microsoft.com/fwlink/?LinkId=828603

For example:

Start, CMD (Run as admin)

MMASetup-AMD64.exe /c /t:C:\MDATP_Onboarding_Downlevel_clients\Extracted

32-bit Windows Log Analytics agent (LLA, used to be known as Microsoft Monitoring Agent (MMA))
https://go.microsoft.com/fwlink/?LinkId=828604

Note:  The 32-bit is not applicable to Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016, since they are 64-bit systems.

Step 3)  Create the distribution package


Software Library -> Application Management –> Applications
Right-click on “Application”
Click on “Create Applications”

[General]

Select the radio button (default) “Automatically detect information about this application from installation files:”
Type: Windows Installer (*.msi file)
Location: \\ Browse…

Click on Browse and point it to where you extracted the files from Step 2.

For example:
\\sccm\deployment\MDATP_Onboarding_Downlevel_systems\Extracted\MOMAgent.msi

File name: MOMAgent
Windows Installer (*.msi)

Click on “Next”

[Import Information]

Name: Change from “Microsoft Monitoring Agent” to “MDATP Onboarding Down-level systems – Log Analytics Agent – Microsoft Monitoring Agent”
Administrator comments: MDATP EDR install for down-level systems such as Win7/W2K8r2/Win8.1/WinServer2012R2/WinServer2016
Publisher: Microsoft
Software version: 10.20.18018.0
     Note:  I got the version by installing on my tools machine and going to C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
Optional reference:
Administrative categories:

Installation program:
msiexec /i "MOMAgent.msi" /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<32 alpha-numeric> OPINSIGHTS_WORKSPACE_KEY=<Workspace key>
Note:  Where <32 alpha-numeric> is the actual Workspace ID from Step 1.
Note 2:  Where <Workspace key> is the actual Workspace Key from Step 1.

Leave the box unchecked for “Run installation program as 32-bit process on 64-bit clients.”
Install behavior: Install for system
Click on “Next”

[Summary]

Click on “Next”

[Progress]

Status: Working

[Completion]

Click on “Close”

Step 4) Deploy it to your test “Device Collection”

[General]
Right-click on MDATP Onboarding Down-level systems – Log Analytics Agent – Microsoft Monitoring Agent

Click on “Deploy”

Collection:  Point to your phase 1 machines.

For example:
Click on Browse…

Change from “User Collections” to “Device Collections”

Leave the check box checked for “Automatically distribute content for dependencies”.

Select your “WindowsClients” or “WindowsServer” device collection.

Click on “OK”

Click on “Next”

[Content]

Click on Add “Distribution Point” or “Distribution Point Group”

For example:

Check the box next to “SCCM.contoso.com”

Click on “Next”

Click on “Next”

[Deployment Settings]

Action: Install

Purpose: Change from “Available” to “Required”

Leave the box unchecked for (defaults):

Allow end users to attempt to repair this application

Pre-deploy software to the user’s primary device

Send wake-up packages

Allow clients on a metered Internet connection to download content after the installation deadline, which might incur additional costs.

Click on “Next”

[Scheduling]

Time based on: UTC (Default)

Leave the check box unchecked for “Schedule the application to be available at”

Installation deadline:

Select the radio button: “As soon as possible after the available time”

Leave the check box unchecked for “Delay enforcement of this deployment according to user preferences, up to the grace period defined in client settings.”

Click on “Next”

[User Experience]

User notifications:  Hide in Software Center and all notifications

When the installation deadline is reached, allow the following activities to be performed outside the maintenance window:

Check box, leave it unchecked (default) “Software installation”

Check box, leave it unchecked (default) “System restart (If required to complete the installation)”

Write filter handling for Windows Embedded devices.

Check box, leave it checked (default) “Commit changes at deadline or during a maintenance window (requires restarts)”

Click on “Next”

[Alerts]

<Leave it default>

Click on “Next”

[Summary]

Click on “Next”

Click on “Close”

Step 5) Check that it worked

Click on “Monitoring”

Sort it by “Date Created” (chevron pointing downwards)

And keep an eye on “Compliance %”

Repeat Step 4 to the remainder of the “Device Collections”.

Step 6) Verify agent connectivity to Log Analytics

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#verify-agent-connectivity-to-log-analytics

Step 7)  If step 4 fails for any reason, use the TestCloudConnection tool (Alternate)

%ProgramFiles%\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe

How to troubleshoot issues with the Log Analytics agent for Windows
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows-troubleshoot

If you have any other communication problem, please run the MDATP Client Analyzer Tool here (Preferred):
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#verify-client-connectivity-to-microsoft-defender-atp-service-urls

Thanks,

Yong

Twitter:  @YongRheeMSFT

https://twitter.com/yongrheemsft

P.S. What is Azure Log Analytics agent (LA Agent/LLA)?

Previous names:

  • Azure Operations Management Suite agent (OMS Agent)  
  • Microsoft Monitoring Agent (MMA Agent)
  • System Center Operations Manager Agent (SCOM Agent)
  • Microsoft Operations Manager Agent (MOM agent)

Q:  What’s the minimum version of the LLA?
A:  LLA Agent (MMA agent) version from SCOM 2016 (8.0.10879.0)
Download the 64-bit (multi-homed) supported agent for Windows
https://go.microsoft.com/fwlink/?LinkID=517476&clcid=0x409
Why version 8.0.10879.0? Since MDATP requires Multi-Home support

OMS Log Analytics Agent multi-homing support
https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/

Note 2: Action Required—Log Analytics agent for Windows will enforce SHA-2 signing on 18th May 2020 Aug. 30th, 2020.
https://azure.microsoft.com/en-in/updates/action-required-log-analytics-agent-for-windows-will-enforce-sha2-signing-on-5182020/

Reference:

SHA-2 Code Signing Support Requirement for Windows

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#sha-2-code-signing-support-requirement-for-windows

Q:  LLA Agent for Windows, how many workspaces can it report to?

A:  It can report to up to 4 workspaces and it is independent of the Automation Hybrid Runbook Worker role

Reference:
Connect computers without internet access by using the Log Analytics gateway in Azure Monitor
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/gateway

Q:  What are the pre-requisites for the LLA?
A:  PowerShell version 3 or 4 required.
Note:  I would recommend PowerShell 5.0 since it has Transcription/Logging.

PowerShell ♥ the Blue Team
https://devblogs.microsoft.com/powershell/powershell-the-blue-team/

Q:  What if I only have PoSh 2.0?
A:  You need to install Windows Management Framework (WMF) 3.0 or Windows Management Framework 4.0

Windows Management Framework 4.0
https://www.microsoft.com/en-us/download/details.aspx?id=40855

Windows Management Framework 3.0
https://www.microsoft.com/en-us/download/details.aspx?id=34595

Q: How do we keep the LL Agent updated?
A:  SCCM SUP WSUS, or Microsoft Update (Windows Update), whatever patching mechanisms that you might have.

Depending on the version of Windows client and/or Windows Server, there are different pre-requisites:

Reference:
Option 2: Onboard servers through Microsoft Defender Security Center https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-2-onboard-servers-through-microsoft-defender-security-center

2)  You need to make sure that the clock is within 15 min, otherwise Kerberos authentication will fail.

3)  If these machines are behind a firewall or proxy, make sure that you have an internal CRL (certificate revocation list).

4)  If behind a firewall that does SSL inspection, please add the MDATP/MDAV/SCEP URLs to the allowed list (aka whitelist/bypass).

Note:  For the firewall, please make sure that the firmware supports URLs and not only IP addresses.

Reference:

Firewall requirements – Log Analytics agent overview

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#firewall-requirements

5) Check that the certificate store hasn’t been altered.
Use Sysinternals Sigcheck64 to check.

Start, CMD (Run as admin)
Sigcheck64.exe -tv > c:\temp\%Computername%_Sigcheck64.txt

6)  Make sure that the Windows Update service (WUAUServ) is set to its default startup type (in many cases Manual) and is not disabled.

7) Make sure that TLS 1.2 is not disabled.
Check the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
DisabledByDefault = 1
Enabled = 0

Note:  The values above show what not to do.

Reference:

TLS 1.2 protocol – Log Analytics agent overview

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent#tls-12-protocol

Solution:

Configure Agent to use TLS 1.2
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#configure-agent-to-use-tls-12
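
A read-only PowerShell check for item 7, added here as an example (it is not from the original post or from Microsoft's tooling). It assumes the values live in the “TLS 1.2\Client” and “TLS 1.2\Server” subkeys of the Protocols key above and also reads the .NET 4.x “SchUseStrongCrypto” value that the linked article configures; the function names are hypothetical.

```powershell
# Added example: reports the TLS 1.2 state without changing anything. Needs PowerShell 3.0+.

function Get-RegDword {
    # Returns the registry value as [long], or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [long]$item.$Name
}

function Resolve-Tls12State {
    # Pure decision logic, so it can also be run against constructed values.
    param($Enabled, $DisabledByDefault, [Version]$OsVersion)
    if ($null -ne $Enabled -and $Enabled -eq 0) {
        return 'Disabled (Enabled = 0)'
    }
    if ($null -ne $DisabledByDefault -and $DisabledByDefault -ne 0) {
        return 'Disabled by default (DisabledByDefault = 1)'
    }
    # Windows 7 SP1 / Server 2008 R2 SP1 (version 6.1) leave TLS 1.2 off
    # until DisabledByDefault is explicitly set to 0.
    if ($null -eq $DisabledByDefault -and $OsVersion -lt [Version]'6.2') {
        return 'Off by OS default (DisabledByDefault = 0 not set)'
    }
    return 'Enabled'
}

function Get-Tls12Report {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $os = [Environment]::OSVersion.Version
    foreach ($role in 'Client', 'Server') {
        $enabled = Get-RegDword -Path "$base\$role" -Name 'Enabled'
        $dbd     = Get-RegDword -Path "$base\$role" -Name 'DisabledByDefault'
        [pscustomobject]@{
            Setting           = "SCHANNEL TLS 1.2 $role"
            Enabled           = $enabled
            DisabledByDefault = $dbd
            State             = Resolve-Tls12State $enabled $dbd $os
        }
    }
    # .NET Framework 4.x only follows the SCHANNEL defaults when SchUseStrongCrypto = 1.
    foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $strong = Get-RegDword -Path $net -Name 'SchUseStrongCrypto'
        [pscustomobject]@{
            Setting           = "$net\SchUseStrongCrypto"
            Enabled           = $strong
            DisabledByDefault = $null
            State             = $(if ($strong -eq 1) { 'Strong crypto on' } else { 'Not set' })
        }
    }
}

# Constructed input: the "what not to do" values from item 7 on a Windows 7 SP1 version number.
Resolve-Tls12State -Enabled 0 -DisabledByDefault 1 -OsVersion '6.1.7601'

# The machine the script is running on.
Get-Tls12Report | Format-Table -AutoSize -Wrap
```

Run it elevated on a phase 1 machine before deploying the agent; any Client row that is not “Enabled” means the agent cannot reach the workspace over TLS 1.2.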

8) If you decide to lock down (do ‘security hardening’) TLS 1.2, be aware that MDATP for Windows 7 SP1/8.1 and Windows Server 2008 R2/2012 R2/2016 requires the following ciphers:

What ciphers does <GUID>.oms.opinsights.azure.com use?  Uses these TLS 1.2 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      
TLS_RSA_WITH_AES_256_GCM_SHA384  
TLS_RSA_WITH_AES_128_GCM_SHA256 
TLS_RSA_WITH_AES_256_CBC_SHA256  
TLS_RSA_WITH_AES_128_CBC_SHA256 
TLS_RSA_WITH_AES_256_CBC_SHA  
TLS_RSA_WITH_AES_128_CBC_SHA 

What ciphers does https://winatp-gw-eus.microsoft.com/test use?  Uses these TLS 1.2 (suites in server-preferred order):
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
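
A hardening pre-check for item 8, added here as an example (not from the original post): it compares a machine's configured cipher suite order with the two lists above and reports whether at least one suite is shared with each endpoint. It assumes the order is stored in the “Functions” value under the SSL\00010002 policy or local configuration key; the function names and the hardened sample list are constructed for illustration.

```powershell
# Added example: read-only comparison of local cipher suites with the lists in the post.

# Suites copied from the two lists above, keyed by the endpoint named there.
$RequiredSuites = @{
    '<GUID>.oms.opinsights.azure.com' = @(
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
        'TLS_RSA_WITH_AES_256_GCM_SHA384',       'TLS_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA256',       'TLS_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA',          'TLS_RSA_WITH_AES_128_CBC_SHA')
    'winatp-gw-eus.microsoft.com' = @(
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256')
}

function Get-LocalCipherSuites {
    # A Group Policy cipher suite order, when present, overrides the local default.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002')
    foreach ($path in $paths) {
        $value = (Get-ItemProperty -Path $path -Name Functions -ErrorAction SilentlyContinue).Functions
        if ($value) {
            # The value is either one comma-separated string or a multi-string list.
            return @($value | ForEach-Object { $_ -split ',' } |
                     ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()
}

function Compare-CipherCoverage {
    param([string[]]$LocalSuites, [hashtable]$Required = $RequiredSuites)
    # Down-level Windows appends the curve to ECDHE names (for example _P256);
    # strip that suffix so the names line up with the lists in the post.
    $normalized = @($LocalSuites | ForEach-Object { $_ -replace '_P\d{3}$', '' } |
                    Select-Object -Unique)
    foreach ($endpoint in $Required.Keys) {
        $common = @($Required[$endpoint] | Where-Object { $normalized -contains $_ })
        [pscustomobject]@{
            Endpoint       = $endpoint
            CommonSuites   = $common.Count
            HasCommonSuite = ($common.Count -gt 0)
            FirstCommon    = $(if ($common.Count -gt 0) { $common[0] } else { $null })
        }
    }
}

# Constructed input: a hardened policy that keeps only ECDHE + AES-GCM suites.
$hardenedSample = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256')
Compare-CipherCoverage -LocalSuites $hardenedSample | Format-Table -AutoSize

# The machine the script is running on.
Compare-CipherCoverage -LocalSuites (Get-LocalCipherSuites) | Format-Table -AutoSize
```

With the constructed hardened list, the gateway endpoint still shares two suites but the workspace endpoint shares none, which is the case item 8 warns about.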


P.P.S.  Related content:

Evaluation (PoC) Guide for Microsoft Defender Antivirus (MDAV) and Microsoft Defender–Exploit Guard [Attack Surface Reduction Rules, Controlled Folder Access and Network Protection]
https://yongrhee.wordpress.com/2020/03/03/evaluation-poc-guide-for-microsoft-defender-antivirus-mdav-and-microsoft-defender-exploit-guard-attack-surface-reduction-rules-controlled-folder-access-and-network-protection/

How to find out why you can’t start the Windows Defender Antivirus service when you are trying to migrate.
https://yongrhee.wordpress.com/2020/04/07/how-to-find-out-why-you-cant-start-the-windows-defender-antivirus-service-when-you-are-trying-to-migrate/

Do macOS need an antimalware (antivirus) and EDR software?
https://yongrhee.wordpress.com/2020/03/08/do-macos-need-an-antimalware-antivirus-and-edr-software/

SCCM-Endpoint Protection: Setting up your System Center Configuration Manager lab for a PoC (Part 1)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-setting-up-your-system-center-configuration-manager-lab-for-a-poc-part-1/

SCCM-Endpoint Protection: Enable “Software Update Point” (SUP) (Part 2)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enable-software-update-point-sup-part-2/

SCCM-Endpoint Protection: Enable “Endpoint Protection point” site system role (Part 3)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enable-endpoint-protection-point-site-system-role-part-3/

SCCM-Endpoint Protection: Enable SCCM “Client Settings” – “Endpoint Protection”(Part 3a)
https://yongrhee.wordpress.com/2020/03/04/sccm-endpoint-protection-enable-sccm-client-settings-endpoint-protectionpart-3a/

SCCM-Endpoint Protection: Enabling “Platform Update” for Microsoft Defender AV via SCCM ADR (Part 4)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-platform-update-for-microsoft-defender-av-via-sccm-adr-part-4/

SCCM-Endpoint Protection: Enabling “Platform Update” for Microsoft SCEP via SCCM ADR (Part 5)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-platform-update-for-microsoft-scep-via-sccm-adr-part-5/

SCCM-Endpoint Protection: Enabling “Security Intelligence Update” for MDAV via SCCM ADR (Part 6)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-security-intelligence-update-for-mdav-via-sccm-adr-part-6/

SCCM-Endpoint Protection: Enabling “Security Intelligence Update” for SCEP via SCCM ADR (Part 7)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-enabling-security-intelligence-update-for-scep-via-sccm-adr-part-7/

SCCM-Endpoint Protection: Windows client: MDAV and SCEP antimalware policies best practices(Part 8).
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-windows-client-mdav-and-scep-antimalware-policies-best-practicespart-8/

SCCM-Endpoint Protection: Windows server: MDAV and SCEP antimalware policies best practices(Part 9)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-windows-server-mdav-and-scep-antimalware-policies-best-practicespart-9/

Managing System Center Endpoint Protection (SCEP, EPP (aka Antivirus)) policies via Group Policy

https://yongrhee.wordpress.com/2020/03/19/managing-system-center-endpoint-protection-scep-epp-aka-antivirus-policies-via-group-policy/

SCCM-Endpoint Protection: Microsoft Defender Exploit Guard: Attack Surface Reduction rules (Part 10)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-microsoft-defender-exploit-guard-attack-surface-reduction-rules-part-10/

SCCM-Endpoint Protection: Microsoft Defender Exploit Guard: Network Protection (Part 11)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-microsoft-defender-exploit-guard-network-protection-part-11/

SCCM-Endpoint Protection: Microsoft Defender Exploit Guard: Controlled Folder Access (Part 12)
https://yongrhee.wordpress.com/2020/02/22/sccm-endpoint-protection-microsoft-defender-exploit-guard-controlled-folder-access-part-12/

SCCM-Endpoint Protection: Microsoft Defender Advanced Threat Protection (EDR) for Windows 10 (Part 13)
https://yongrhee.wordpress.com/2020/03/20/sccm-endpoint-protection-microsoft-defender-advanced-threat-protection-edr-for-windows-10-part-13/

SCCM-Endpoint Protection: Microsoft Defender Advanced Threat Protection (EDR) for Windows Server 2019 (Part 14)
https://yongrhee.wordpress.com/2020/03/29/sccm-endpoint-protection-microsoft-defender-advanced-threat-protection-edr-for-windows-server-2019-part-14/

SCCM-Endpoint Protection: Microsoft Defender Advanced Threat Protection (EDR) for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 (Part 15)

Published by yongrhee

A Cybersecurity & Information Technology (IT) geek.
