Onboard Windows 10 Devices from GPO | Microsoft Defender for Endpoint

Captions
Hi guys, hope you're all doing well. Welcome back to our channel. In this video I'm going to talk about Microsoft Defender for Endpoint, and we're going to see how we can onboard Windows 10 devices with the help of a Group Policy Object. Now, if you're watching the series from the beginning, in the last video we discussed the onboarding process with the help of a local script, whereas in this video we are going to cover each and every aspect related to onboarding of devices with the help of a Group Policy Object.

It typically starts with the package deployment itself. There is a dedicated package that can be downloaded and then installed on the devices, or pushed to the devices, and once that package runs on that particular device, the device gets onboarded. There is also one very important setting that has to be enabled, which is related to sample collection for deep analysis. Again, the package that you download will have an ADMX and an ADML file that will be pushed to a specific location, and then the respective feature will be available; this is also something we are going to talk about in this particular video. Then we will discuss the events you should check on the device you're trying to onboard, that means the logs in Event Viewer itself, so you can go ahead and check and verify whether the device is onboarded successfully or not. The last thing we'll talk about is the Client Analyzer tool, a script that is available that will capture anything and everything that is required in terms of troubleshooting onboarding issues from a device altogether.

Okay, so now let's understand how exactly the onboarding process is going to work. According to me it's a three-step process. The first one is when we download the package from the Microsoft Defender for Endpoint portal. The second is we create the Group Policy Object that will deploy the package and that will enable sample collection for deep file analysis as well. And then we get this Group Policy Object mapped to the respective OUs. For this demo I have created a specific OU into which I will move the device object which I want to onboard. Now think about this as a common practice that happens in every enterprise, just to have a confirmation that whatever configuration I have done is working as expected. So since I have a dedicated OU, I will move the object, and once it gets onboarded as I have expected, I can then get the GPO mapped to all the other OUs.

Okay, so if I talk about the first step, as I've said, it's exceptionally simple. All you have to do is log into securitycenter.windows.com or security.microsoft.com and then get the respective package downloaded. So right now I'm signed in with Global Admin to securitycenter.windows.com, and then I'll click on Settings and then on Onboarding, and here Windows 10 should be selected, and here you can select Group Policy and then click on Download package. That's all you have to do. Now most of the videos, in fact every video that I have created till now for Microsoft Defender for Endpoint, I'm specifically using securitycenter.windows.com, but just for your information the same kind of configuration is also available on security.microsoft.com. All you have to do is click on Settings and then click on Endpoints. I'll again click on Settings and then click on Endpoints, and then you're getting the same console, or the same set of configuration: I can click on Onboarding, I can select Group Policy, and I can download the package. Now once this package is downloaded you can copy this package to your domain controller, or the server from where you will be creating the Group Policy Object.

Okay, now as I said before, the next step is the creation of the Group Policy Object itself. It's a computer configuration that we are going to do. And what exactly is it going to do? In a nutshell, it will create a task, it will schedule a task on your client machine that will be initiated in SYSTEM context, and that will get the machine onboarded. So now let's see how exactly this configuration will be done on your domain controller itself. So this is my domain controller where I have copied the package which we have just downloaded, and now I'm going to extract this particular package. Now inside this package there will be three different files which have their own purpose: this one will be used to onboard the device, whereas this one and this one will be used to enable the setting for sample collection for deep analysis. Now I'll go to my Group Policy Management console, and I'm just going to right click and then click on New. Since I'm going to create a new Group Policy Object, I'm just going to name it as, let's say, "Onboarding Device", and I'll click on OK. Now since we are doing computer configuration, it's very important for you to make sure the file is accessible to the client from the shared location itself. For that there is a set of configuration that I have already done, which I will be showing you. Okay, so this is my Group Policy Object which is created, and now I will click on Edit. I'll go to Preferences in Computer Configuration, then I'll go to Control Panel Settings, Scheduled Tasks, and here I'm going to create a new task, and I will select this particular option which says "Immediate Task (At least Windows 7)".

Now here I'm just going to define a name, let's say "Device Onboard". Now this is the most important option, because here exactly you are running a task, or you are defining a task, to be initiated in SYSTEM context. Since you are selecting this particular option, make sure you have also selected this option which says "Run with highest privileges". Now the next thing that you have to do is define an action. Click on New, and here you have to define the location where the file exists. For this demo, what I have done is I have created a shared folder, which is this one, shared as "MDP Onboarding Script", on the same machine or on the same server itself, and here I have copied my package. So if I try to share this particular folder, the location will be something like the host name of this particular machine and then the folder name. So make sure that there is a folder which has been properly shared and the devices have access to this particular folder. Now what do I mean by this? In the Security tab I have also allowed Domain Computers to have read-only permission. So if I talk about the exact location that will come with my file, it will be this one: my host name, then the actual folder where the package exists, the package folder name, and the file. So this is the exact location which we can actually give in our configuration. So I'll copy this value and I'll come back to my configuration console, I'll give this value here and I will click on OK, that's it, Apply. That means my new Group Policy Object is created with the respective task. Now this is step number one from a Group Policy Object configuration perspective.

Now let's talk about the other aspect, and that is enablement of sample collection for deep analysis. Now if I use the same Group Policy Object, I can make the respective changes. See, there are two types of changes that have to reach a specific device, so make sure you're using the same Group Policy Object; that'll keep things slightly more organized. Or, let's say, if you have a requirement wherein you don't want sample collection to be available for some set of devices, then you can create two different GPOs altogether. So for this demo I have already created a Group Policy Object which is "MD ATP GPO". This is the one which I have just shown you how to create, and this is the one which I have already created, and it has the same configuration which I have just shown you: that means the respective location where the file exists, proper permission, and then a task getting scheduled to be initiated with SYSTEM context altogether. Now if I go ahead and edit this particular Group Policy Object, and this time if I go to Policies, then to Administrative Templates, then to Windows Components, as you can see there is no such folder named as Windows Defender ATP. But if I talk about the previous configuration, Control Panel Settings, Scheduled Tasks, the device onboarding task is there, which has the highest privilege as well as the respective location altogether. So now if I come back to this particular setting of Windows Defender ATP, as you can see there is no such folder. Now the question comes: how exactly will the setting be enabled? This will be enabled with the package itself, and there are two different files. So I'll come back to my package, I'll go to this particular location which is "Optional Parameters Policy", I'll copy this file which is the ADMX extension file, and now I'll come back to Windows and then go to PolicyDefinitions, and here exactly I'm going to paste this particular file. Now I'll again come back to the same location and there will be one more file named as ADML. I'll copy this, I'll come back to C:\Windows\PolicyDefinitions\en-US, and I'm just going to paste that file here. Now typically the moment you paste these files, if you restart the Group Policy Management console you will start getting the options, but there were two different instances wherein these options were not coming, so in that case I had to restart my server. So make sure that the respective folder is coming; if it does not, you can just go ahead and restart your server. I'm just telling you a rare-case scenario, this typically won't happen, but if it is happening you can just go ahead and restart. So now I'll again come back to Policies, I'll go to Administrative Templates, I'll go to Windows Components, and now I'll come to this particular folder which is Windows Defender ATP, and now I'm getting this option of Enable/Disable Sample Collection, which I have just enabled. So these are the two settings which are required from a Group Policy Object perspective itself.

Now if I talk about the steps that we have completed, we have completed the first step, which is downloading the package, and the creation of the Group Policy Object. Now we are going to scope the object to the correct OU. So in my environment I have multiple OUs, wherein the GPO "MD ATP GPO" which we have created is mapped to an OU named as MD ATP itself. And now what I'm going to do is move my object which I want to join; so this is my object, or this is my device, which should be onboarded. Now before I move this device I would like to show you a couple of things. So this is my device, and if I open Command Prompt and type `hostname`, you can see this value which says MDATP GPO4. That means this device as of now doesn't exist on my portal; you see one, two, three, but four is not coming here. The fourth one is the one which we have to onboard. As well, if I say `sc query sense`, then you can see this service as stopped as of now. Now there are two more things which I would like to show you before I go ahead and onboard the device, and that is two different locations in Event Viewer itself that will help you check the logs, whether the device is successfully onboarded or not.

So this is my Event Viewer, and if I go to Windows Logs and then to the Application console, or Application tab, there is a log named as WDATP Onboarding which, as you can see, is as of now not coming here. So when your machine gets successfully onboarded there will be a log which will get reflected here, and that will be WDATP Onboarding. The other folder that you can see is inside Applications and Services Logs; then go to Microsoft, go to Windows, and here there will be a folder named as SENSE. You can check the logs here as well; there's nothing coming now. The moment this machine gets onboarded, both the folders will have some kind of details. I'll close this first, and now I'm going to launch Command Prompt with admin access so that we can actually query the current set of Group Policy Objects which are getting applied to this particular machine. So now I'm going to say `gpresult /v`. This should show only the Default Domain Policy getting applied, because as of now we have not moved the object, right? So if I come back to Computer Settings, as you can see only one policy is getting applied, and that is the only reason why this device is not getting onboarded. Now one more thing which I would like to highlight here, and that is: make sure your network configuration is in place, because if any of the endpoints which are required is not accessible from this particular device, your device might not get onboarded. So this is the Default Domain Policy, and MD ATP has not been scoped as of now. So now I'll come back to my AD and I will move this object to the MDATP OU where the Group Policy Object is linked. So if I come back to my Group Policy Management console and go to my OU, as you can see this particular Group Policy Object has all the settings, be it the one wherein device onboarding is required or the one which has sample collection; both of the settings are enabled for this particular Group Policy Object, and that's the only reason why my device will get onboarded.

So now if I come back to MDATP, this device has been successfully moved, and now I'll come back to my client machine itself, and here I'm going to run `gpupdate /force`. Once this part is completed we'll do `gpresult /v` to verify whether the Group Policy Object is applied to this particular machine or not, and once that part is completed we'll again check the logs to see whether we are getting any details in Event Viewer or not. So I've again initiated `gpresult /v` and I'll scroll up to see whether the respective policy is applied or not. So now I'll go to the Computer Settings section, and as you can see MD ATP GPO is getting reflected here. Now if I come back to my Event Viewer and just refresh this, you can see all the logs are getting listed over here; this is the SENSE folder. Now if I scroll up and go to the Application folder, you can see WDATP Onboarding showing a successful onboard. Now just to verify everything is in place, I'll come back to my portal and refresh it and see whether the device is getting listed or not. Now at times it may take a couple of minutes, so you may wait for two or three minutes and then just refresh the portal and you'll get the device listed. As you can see, I waited around one minute and my device is now getting listed over here.

So now the last thing which is left is the Client Analyzer itself. There is a link which I will be sharing in the description section from where you can go ahead and download the Client Analyzer tool. For this demo I have already copied that, and I'm just going to extract this as well. Now inside this package there will be multiple files; in fact, when you initiate the Client Analyzer tool it is going to capture ample information, anything and everything that you need to know in terms of troubleshooting if there are any onboarding issues. So I'll come back to this particular location in my Command Prompt with admin access, and now I'm just going to run this particular file, which is MDATP Client Analyzer. Now this will take some time, a couple of minutes, so I'll pause this video and we'll resume once we have all the information. There will be a new folder here which just got populated, and once this script has completed we'll get all the information, so I'll wait for this script to get completed and then I'll resume the video. So now my script has completed and I'll go to this particular folder, and as you can see I'm getting multiple entries here, which are basically different sets of information that can be accessed or checked to get the right set of information. Now I'm not going to cover each and every aspect of Client Analyzer, because there will be a different video for that itself, but as you can see it's more or less collecting the logs from the same folders that I have shown: the first one was SENSE, and the next one is SenseIR itself, and then there is one more log, which is UTC, which is getting captured. Apart from this there are other details as well which can be reviewed depending upon the issue that you want to troubleshoot. Now when we talk about end-to-end usage of Client Analyzer, I'm going to let you know the purpose behind each of these files which are getting created.

So this was all about knowing how exactly you can onboard devices with a Group Policy Object to Microsoft Defender for Endpoint. The event logs that you can check are Windows Logs, Application folder, wherein you will see WDATP Onboarding. Then if there are any issues with your Group Policy Object you can go ahead and check the Group Policy folder. If there is any issue in terms of the task not getting triggered, that means you can see your Group Policy getting listed in gpresult but again the task is not getting initiated, then you can see this particular folder, and for the onboarding part itself you can see the SENSE or SenseIR folder.

So let's talk about a quick summary of what all we have discussed in this video. We have discussed onboarding of Windows 10 devices with the help of a Group Policy Object. We have seen package deployment with a Group Policy Object, wherein the most important setting is to make sure that your Group Policy Object has the access defined for the respective location. Now what do I mean by this? If I go to Preferences and again go to Scheduled Tasks, we have to be very precise in terms of defining this location as well as choosing these two options, which say run with the highest privileges altogether. Then we have also discussed the logs that we can capture, and we have discussed the Client Analyzer tool; I will be sharing the link in the description. You can try understanding how the logs are getting generated, but for sure I will be creating a very detailed video on that as well. In the next video we are going to see how to onboard Windows 10 devices with Endpoint Manager. Now if you think that this channel is helping you to learn anything new, please feel free to subscribe and share this video with your technical community. Thanks for your time, thank you, bye.
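As an added example that is not part of the video, the following PowerShell script checks on the client, in one pass, the things the video verifies by hand after `gpupdate /force`: the applied GPO, the Sense service state, the WDATP onboarding event in the Application log, the SENSE operational log, and access to the onboarding share. The GPO name and share path are placeholders taken from the demo, and the two registry keys (onboarding status and the sample-collection policy value) are Microsoft's documented Defender for Endpoint keys, not something shown in the video.

```powershell
# Added example: read-only onboarding health check for a Windows 10 client
# onboarded to Defender for Endpoint via a GPO-deployed scheduled task.
# Run from an elevated PowerShell prompt on the client. Nothing is changed.

$results = [ordered]@{}

# 1. Is the onboarding GPO applied to the computer? (gpresult /r gives the
#    same applied-GPO list the video reads out of gpresult /v.)
#    Placeholder GPO name from the demo; change it to match yours.
$gpoName  = 'MD ATP GPO'
$gpresult = gpresult /r /scope:computer 2>$null
$results['GPO applied']  = @($gpresult | Where-Object { $_ -match [regex]::Escape($gpoName) }).Count -gt 0

# 2. Sense service: Stopped before onboarding, Running afterwards (sc query sense).
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$results['Sense running'] = [bool]($sense -and $sense.Status -eq 'Running')

# 3. Onboarding state written by the Sense client (1 = onboarded).
#    Documented status key; not shown in the video.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
$results['OnboardingState=1'] = ($state -eq 1)

# 4. Sample-collection setting delivered by the ADMX/ADML policy from the package.
#    Documented policy key; 1 = enabled, 0 = disabled, missing = not configured.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$sample = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).AllowSampleCollection
$results['AllowSampleCollection'] = if ($null -eq $sample) { 'not configured' } else { $sample }

# 5. Application log: the WDATP onboarding event the video points at.
#    Provider-name prefix assumed; widen the -like filter if yours differs.
$onboardEvt = Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'WDATP*' } |
    Select-Object -First 1
$results['WDATP onboarding event'] =
    if ($onboardEvt) { ($onboardEvt.Message -split "`r?`n")[0].Trim() } else { 'none' }

# 6. SENSE operational log (Applications and Services Logs > Microsoft > Windows > SENSE).
$senseEvts = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue
$results['SENSE events present'] = [bool]$senseEvts

# 7. Can this machine read the share the scheduled task launches the script from?
#    Placeholder UNC path: replace with \\<hostname>\<share>\<package folder>.
$sharePath = '\\DC01\MDP Onboarding Script'
$results['Share readable'] = Test-Path -Path $sharePath

$results.GetEnumerator() | ForEach-Object { '{0,-24} : {1}' -f $_.Key, $_.Value }
```

A device that shows the GPO applied but Sense still stopped and no WDATP event usually points at the scheduled task (share permissions or the action path), which is the case the video tells you to look for in the Group Policy log.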
Info
Channel: Concepts Work
Views: 2,530
Keywords: Microsoft, Security, CISO, Microsoft Security, Endpoint Security, Endpoint Detection and Response, Microsoft Endpoint Security, Azure, Microsoft azure, Threat and Vulnerability Management, Microsoft Threat Experts, MITRE, MDATP, Microsoft Defender Advanced Threat Protection
Id: RSsSDtKJ3Co
Length: 21min 28sec (1288 seconds)
Published: Sun Jun 13 2021