Onboard Windows 10 Devices | Microsoft Defender for Endpoints | MDATP | Local Script

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hi guys hope you're all doing well welcome back to our channel and in this video we are going to start off with the onboarding process and we will onboard windows 10 devices to microsoft defender for endpoint with the help of local script now if you're watching the series from the beginning in the last video we have discussed about the rbac capabilities whereas the core agenda of this video will be knowing how does the onboarding process works what are the different deployment methods which are available how to verify whether a device is onboarded or not then there is a very important setting that has to be enabled on windows defender for endpoint or microsoft defender for endpoint portal as well as microsoft endpoint manager portal now this setting is basically a connection between these two services which help these services to work in conjunction okay that means you can use microsoft endpoint manager portal some of the profiles uh to be very precise to get the devices onboarded to microsoft defender for endpoints now since our scope for this video will be windows 10 so we are going to talk about the services that runs on a device which is successfully onboarded to microsoft defender for endpoints and what are the registry settings that can be checked now before you proceed with this particular video the second video of this entire series list down all the prerequisites and in order to proceed further and on board devices you need valid licenses and you have to make sure all the service url and points for microsoft defender for endpoints should be accessible from the device that you're trying to onboard so these two predicts which are there make sure your network is in place that means all the endpoint are accessible from the device and you have a valid license then only proceed with this particular video now if i talk about process okay uh the video wherein i have listed the general prerequisites or basically all the requirements that should exist before you move on with microsoft defender for endpoints that excel sheet also contains this particular list just for your awareness but these are different process which runs on a device once it is onboarded to microsoft defender for endpoint okay now the onboarding process with the help of local script is exceptionally simple all you have to do is you have to download a script from the portal itself so right now i'm into securitycenter.windows.com and as you can see there are three different machines onboarded the machine that i will on board now will have a device named cowork hyphen zero zero four okay now the question comes how to do onboarding click on setting and then there is an option named as onboarding you have to click on that and then it will give you the option to choose the platform and the respective method so as you can see this option can be selected to choose other platforms as well and depending upon the platform that you are selecting the set of options that are available for the onboarding process will get changed okay so our scope is windows 10 for this particular video and local script so i'll keep both this option selected and then i'll click on download path edge now what is happening as of now that there is a specific download there is a specific package which has been downloaded and now i have to run this script file on my device itself which i have to onboard now one more suggestion that i would like to give for this kind of on onboarding that you can use this method for initial pilot devices that means let's say you're planning to get this rolled out or wide but you have to make sure that all the network king configuration is in place all the licensing is in place so you can choose four or five machines to get on board with the help of this package itself and then you can use the group policy method which i will be showing in the upcoming videos okay now before i go ahead and simply onboard the machine i would like to show you some of the information which is very important okay so if i talk about this machine which i will be onboarding which is cowork hyphen zero zero four this machine is as of now not onboarded okay but if i talk about a machine which is already onboarded there is a specific service which will be running and to check that what you can do is you can type this command which is sc query sense and what does this means that the sensor which is required to capture all the telemetry from a specific device and then send it to microsoft defender for endpoints is up and running if i run the same query on the machine which is not onboarded it will show stopped okay so let's say if i do sc query and then if i type sense what i will get is that this service is as of now not running on this particular machine altogether okay now if i talk about the list of all the services with the help of powershell we can run couple of commands on the machine which is onboarded as well as the machine which is not onboarded just to get insights in terms of how the services run okay so if i paste this command on a machine which is as if now not onboarded this is the machine which is not onboarded you see most of the services are not running and to be very precise this is the service ms sense that should run that actually captures all the telemetry and then send that to microsoft defender for endpoints now as you can see that if i would try to relate uh the purpose of these services with their respective names they may have different features and as we move along with the playlist or with the set of videos that i'm going to post i'm going to talk about each and every service and where exactly they are used or what is the purpose behind a specific service altogether okay so now if i come back to that machine which is successfully onboarded and if i run the same command you will see it will show you ms sense is running apart from that there are other services as well which are responsible but this is the one which typically means that the sensor service is running on this particular machine or you know it's there it's working and it's capturing the information to be very precise it's actually a process which you can go ahead and check and then it will route you to the respective service altogether and that's exactly what i'm doing i'm quitting all the processes and then i'm checking the respective service whether it is running or not okay now to show you uh the same this is the set of commands i will be sharing this in the description section as well if you want you can use it now the next thing that i would like to talk about is the registry which gets updated once your device is successfully onboarded to microsoft defender for endpoints and this is that particular registry which can be found on the local machine software microsoft windows advanced threat protection and then status now onboarding status or onboarding state should be one that means your machine is successfully onboarded for those machines which are not on board successfully this will be zero okay or uh org id is a kind of value that can be matched when you sign in to the portal itself okay so if i click on my account i'll get the org id and as you can see this value is same as compared to what we get here okay now let me come to the machine which is as of now onboarded so this is my machine which is onboarded as you can see i'm getting this service up and running and now i'll go to the registry of this particular machine and show you where exactly you can check this information which is moreover related to registry okay so the registry console is open now i'll go to local machine then i'll go to software then i'll go to microsoft and then i'll go to windows advanced thread protection this is that particular key and this is the sub key which you have to check and as you can see i'm getting onboarding state as one and org id is the same value which we can see on the portal okay now let's go to that machine which is not onboarded okay this is that particular machine and as you can see ms sense is not running so if i'll open registry on this particular machine it should not show me any information in the status tab okay so here also the registry console is open local machine software microsoft windows advanced thread protection and then status and you can see these values are not getting populated okay now what i will do is i will onboard this device and in the meanwhile the device will get onboarded all the values which must exist here will get populated so what i'll do is i'll copy the onboarding package from my base machine to my vm and then i'll show you the onboarding process of how to run this okay so i have copied this windows package now and i'll come back to my machine which i have to onboard which is this one and i'll just paste my package here and then i'll extract that particular package and then we'll run the onboarding script with the help of admin access itself okay so i'll minimize this this and this as well and this is the package which i have downloaded so i'll just right click and click on extract all this will extract this particular folder and as i said before they should be in onboarding script which is this one that has to be initiated so i'll just copy this particular location now i will run a command prompt with the help of admin access or with admin privileges itself and then i'll come back to this location and i will initiate this onboarding script now as i've said before that in the meanwhile your device is getting onboarded these registries will get updated okay but what you have to make sure that all the end points are accessible i'm saying this again and again because most of the issues are phased when you don't have proper network connectivity or some of the endpoints are missed or they are not updated okay so now i'm just going to run this particular script and i'm just going to say yes and then i'll click on enter now in the meanwhile this device is getting onboarded there are a couple of checks and there are multiple registries which are added okay now the question comes how you can check this information you can simply check this information with the help of opening this script in a notepad itself okay so let's say if i open notepad and if i open this script i can show you that there are multiple values which are getting updated depending upon the kind of information relative to different services altogether but this is just for your information in terms of knowing how exactly this script is going to work okay and as you can see it does a lot of check that means it checks whether the device was previously onboarded to any of the organization or not and then it will show you your org id there are multiple information which is which are available here and depending upon your requirement you can just have a look on this this is something which is typically going to give you more insights in terms of knowing the purpose of each and every registry change that's happening okay so now if i come back to my command prompt it shows me successfully onboarded machine to windows defender atp and if i come back to registry console and if i just refresh this let's see whether the respective identities are being added or not and as you can see the respective keys are getting listed over here okay i'm not just showing you onboarding state as one as well okay now once you have onboarded the device to microsoft defender for endpoint it should get reflected or it must be available on the portal within an r if it is not the case i'm telling you the current uh limitations i'm telling you the current process maybe this time gets revised in upcoming future maybe this time gets reduced or increased but i'm telling you something from a troubleshooting perspective that if your device is not getting reflected in an rso then for sure there is an amount of troubleshooting which is required in terms of figuring out what exactly going wrong okay so now if i come back to my portal and see whether the device is onboarded or not if it is not then we'll wait for a couple of minutes and once it is shown here we'll resume the video okay so now as you can see the device is getting listed over here and i have waited around one and a half minute for this device to get reflected on the portal okay now there is one more aspect of checking whether the device is successfully onboarded to microsoft defender for endpoints or not and that is with the help of this detection test so you can run these command in powershell and if the powershell gets automatically closed then there will be a sort of a notification that will come on the portal in some time and which is just an acknowledgement that yes your device is onboarded successfully so this is the one which we have just onboarded and i'll come back to powershell and i'll run the same command and this should get closed now in a couple of minutes uh there will be a set of information that is available on the portal which will act as an acknowledgement that yes your device is onboarded okay now the last thing which is left is the integration between microsoft defender for endpoints and endpoint manager portal so for that what you have to do is you have to click on settings and then click on advanced features and then scroll down and make sure this option is enabled on microsoft defender for endpoints portal this is one setting okay this particular section as well as when you go to endpoint security section of your endpoint manager portal make sure that microsoft defender for endpoint shows as available okay you have to enable this part as well to make sure that all the capabilities which can work provided both the portals are available likewise assigning security tasks this is something which will for sure come come on in uh you know the next videos or upcoming videos but just for your awareness make sure all these settings are in place okay now there is one more very important aspect of device onboarding and that is all the devices that you are on boarding to microsoft defender for endpoints will also get listed in the compliance center and the reason behind that is so that you can have one single pane of configuration that you are doing or one set of configuration that you are doing to be very precise and you can manage all the aspects okay so think about this when you are on boarding a device to microsoft defender for endpoints you are managing the security aspects that means to be very precise the endpoint security aspects okay but the best part is any device that has been onboarded to microsoft defender for endpoints will also get listed in the compliance center so if you also take care of dlp capabilities for your organization think about this the devices that you are on boarding in one particular console are also available here now this is just to have more ease in terms of defining more robust policies that means configuration done on one single portal or through one single portal is getting replicated across multiple services this is something which is going to help you and define more precise endpoint dlp policy because we know that compliance center requires onboarding to make sure endpoint dlp works as expected okay so this was all about knowing how the device onboarding works let's talk about a quick summary of what all we have discussed we have discussed about the onboarding process to microsoft defender for endpoints and the platform that we have covered as windows 10. we have also discussed about the different deployment methods available that means group policy object and microsoft endpoint manager or if i talk about the option that that gets listed is mdm or microsoft in tune then we have also discussed how to verify onboarding with with the help of running a detection test that can be seen from uh settings tab and then going to onboarding and then running these particular commands and then we have also seen how to enable the connection between microsoft defender for endpoints and your endpoint manager portal okay now in the next video we are going to talk about the onboarding process or how to onboard device with the help of group policy object now if you think that this channel is helping you to learn anything new please feel free to subscribe and share this video with your technical community thank you so much thanks for your time
Info
Channel: Concepts Work
Views: 1,978
Rating: undefined out of 5
Keywords: Microsoft, Security, CISO, Microsoft Security, Endpoint Security, Endpoint Detection and Response, Microsoft Endpoint Security, Azure, Microsoft azure, Threat and Vulnerability Management, Microsoft Threat Experts, MITRE, MDATP, Microsoft Defender Advanced Threat Protection
Id: jRdX1K8vHb4
Channel Id: undefined
Length: 19min 5sec (1145 seconds)
Published: Sun Jun 13 2021
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.