Configure the necessary network connectivity
Prior to deploying Defender for Endpoint, please ensure you have accounted for the following:
Microsoft Defender for Endpoint communicates with the Microsoft Azure cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.
Microsoft 365 Defender is built on Azure cloud, deployed in the following regions:
- uswestcentral
- useast2
- useast
- europenorth
- europewest
- uksouth
- ukwest
You can find more information in the Microsoft Azure Datacenter IP Ranges published by Microsoft.
Be sure that these address ranges are authorized at network egress points and that traffic to them is not subject to manipulation or TLS interception.
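To confirm that an endpoint can actually reach the service on port 443 and that the TLS session is not being intercepted, the following PowerShell function is an added example, not Red Canary's or Microsoft's tooling. It assumes you pass a service hostname taken from Microsoft's published endpoint list; the expected root issuer names are illustrative defaults and should be adjusted to the chain you actually observe from a known-clean network.

```powershell
# Added example, not part of the Red Canary or Microsoft deployment guidance.
# Opens an outbound TLS session on port 443 and reports the certificate chain so
# that an inspecting proxy (chain ending in a corporate CA) can be recognised.
function Test-DefenderEgress {
    param(
        # Hostname taken from Microsoft's published Defender endpoint list (assumed input)
        [Parameter(Mandatory)] [string] $TargetHost,
        [int] $Port = 443,
        # Root issuer name fragments expected for Microsoft services (illustrative defaults)
        [string[]] $ExpectedRootPatterns = @('Microsoft', 'DigiCert', 'Baltimore')
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
    } catch {
        return [pscustomobject]@{ Host = $TargetHost; Reachable = $false; Intercepted = $null
                                  RootIssuer = $null; Error = $_.Exception.Message }
    }
    # Accept every certificate in the callback: the point is to inspect the chain, not to fail early
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        # Heuristic: a root matching none of the expected public CAs points at TLS interception
        $matched = $ExpectedRootPatterns | Where-Object { $root.Issuer -like "*$_*" }
        [pscustomobject]@{
            Host        = $TargetHost
            Reachable   = $true
            Protocol    = $ssl.SslProtocol
            LeafSubject = $leaf.Subject
            RootIssuer  = $root.Issuer
            Intercepted = ($null -eq $matched)
            Error       = $null
        }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

# Example call (placeholder host, replace with one from Microsoft's endpoint list):
# Test-DefenderEgress -TargetHost 'SERVICE-HOST-FROM-MICROSOFT-LIST' | Format-List
```

A result with Reachable set to false means the egress point blocks the port; Intercepted set to true means the chain terminates in an unexpected root, which is what a TLS-inspecting proxy produces.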
Install Microsoft Defender for Endpoint
To install the Microsoft Defender for Endpoint sensor you will need access to Microsoft Defender to onboard any of the supported devices. Depending on the version of Windows, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.
To install Microsoft Defender for Endpoint on Windows 10:
- In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
- Click Settings, Device Management, and then Onboarding.
- Click Select operating system to start onboarding process | Windows 10.
- Select a deployment method, and then click Download Package.
- Onboard your devices by running the package you downloaded.
- Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.
To install Microsoft Defender for Endpoint on Windows 7 SP1 and 8.1:
- In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
- Click Settings, Device Management, and then Onboarding.
- Click Select operating system to start onboarding process | Windows 7 SP1 and 8.1.
- Follow the steps listed under "Turn on client device monitoring, Install Microsoft Monitoring Agent, and Configure connection."
- Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.
To install Microsoft Defender for Endpoint on Windows Server 2008 R2 SP1, 2012 R2, 2016 and newer:
- In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
- Click Settings, Device Management, and then Onboarding.
- Click Select operating system to start onboarding process | Windows Server 2008 R2 SP1, 2012 R2 and 2016.
- Follow steps to "Turn on server device monitoring." When the setup completes, the Workspace ID and Workspace key fields are populated with unique values. You'll need to use these values to configure the Microsoft Monitoring Agent (MMA).
- Follow Onboard Windows servers to the Microsoft Defender for Endpoint service in Microsoft Docs.
- Follow "Configure connection" by configuring the agents to connect using the Workspace ID and Key listed.
- Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.
To install Microsoft Defender for Endpoint on Windows Server 2008 R2 SP1, 2012 R2 and 2016:
- In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
- Click Settings, Device Management, and then Onboarding.
- Click Select operating system to start onboarding process | Windows Server 1803 and 2019.
- Select a deployment method, and then click Download Package.
- Onboard your device(s) by running the package you downloaded.
- Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.
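Once the package has run, the following PowerShell function checks locally that the sensor is installed, running, and flagged as onboarded before you rely on the detection test. It is an added example, not part of the onboarding package, and it covers only the built-in sensor used by Windows 10 and Windows Server 1803/2019, not the MMA-based onboarding used for Windows 7, 8.1 and the older servers.

```powershell
# Added example, not part of the Red Canary or Microsoft onboarding package.
# Reports whether the built-in Defender for Endpoint sensor is present, running
# and marked as onboarded on the local device.
function Get-DefenderOnboardingStatus {
    # Status key written by the sensor; OnboardingState is 1 once onboarding succeeded
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    # "Sense" is the service name of the Windows Defender Advanced Threat Protection Service
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $state = $null
    if (Test-Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }
    $onboarded = ($null -ne $svc) -and ($svc.Status -eq 'Running') -and ($state -eq 1)
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SenseInstalled  = ($null -ne $svc)
        SenseStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        OnboardingState = $state
        Onboarded       = $onboarded
    }
}

# Run from an elevated prompt on the device you just onboarded:
# Get-DefenderOnboardingStatus | Format-List
```

If SenseInstalled is false the package did not run; if the service runs but OnboardingState is not 1, the device has not completed registration with the service, and the detection test will not produce an alert.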
Uninstall Microsoft Defender for Endpoint
For a comprehensive list of offboarding options, see Offboard Machines from Microsoft Defender on Microsoft Docs. The following instructions will assume a script-based offboarding scenario.
For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the package's expiry date, and it will also be included in the package name.
To get the offboarding package from Microsoft Defender Security Center:
- In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
- Click Settings, Device Management, and then Offboarding.
- Select Windows 10 as the operating system.
- From Deployment Method, select Local Script.
- Click Download package and save the .zip file.
- Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named something like WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd.
- On the target endpoint, click Start and type cmd.
- Right-click Command prompt, and then select Run as administrator.
- Type the location of the script file. For example, if you copied the file to the desktop, type: %userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
- Press the Enter key or click OK.
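Because an expired package is rejected by the device, it is worth checking the date before pushing the script to many endpoints. The following PowerShell wrapper is an added example (not the Microsoft offboarding script itself) that reads the expiry date from the file name and refuses to run a package that has already expired; it assumes the file name keeps the valid_until_YYYY-MM-DD pattern shown above.

```powershell
# Added example, not the Microsoft offboarding script itself.
# Parses the valid_until date from the script name, refuses an expired package,
# and only then runs the .cmd from an elevated context.
function Invoke-OffboardingScript {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [switch] $CheckOnly    # report validity without running the script
    )
    $name = [System.IO.Path]::GetFileName($ScriptPath)
    if ($name -notmatch 'valid_until_(\d{4}-\d{2}-\d{2})\.cmd$') {
        throw "Unrecognised offboarding script name: $name"
    }
    $validUntil = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    $daysLeft = ($validUntil.Date - (Get-Date).Date).Days
    if ($daysLeft -lt 0) {
        throw "Offboarding package expired on $($Matches[1]); download a fresh package from the Security Center."
    }
    Write-Host "Package '$name' is valid for $daysLeft more day(s)."
    if ($CheckOnly) { return }
    # The offboarding script needs administrator rights, so refuse to run unelevated
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }
    & cmd.exe /c "`"$ScriptPath`""
    return $LASTEXITCODE
}

# Check the package without running it:
# Invoke-OffboardingScript -ScriptPath "$env:USERPROFILE\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd" -CheckOnly
```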