With the release of windows 10 anniversary update the client site of Windows Defender Advanced Threat Protection (WDATP) will be integrated.
To read more about Windows Defender Advanced Threat Protection (WDATP) take a look here: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp
This blog post is not how the WDATP is working but how to get a Windows 10 onboarded with the help of Intune MDM policy.
First of all it requires some basic understanding about how the CSP is working.
Here is a the layout of the configuration service provider (CSP) settings for WDATP – more info at https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx
Intune and Windows 10 both native supports CSP.
To setup the Onboarding first download the configuration file from WDATP.
In the menu go to Endpoint Management
Choose Mobile Device Management and download the packages
The file will be downloaded as a .zip file – extract the file and you get
The content of this file is what connects your Windows 10 devices to the WDATP tenant.
Now for the Intune part of the onboarding process.
In the Intune Console
Go to Policy -> Configuration Policy -> Add…
Create a Custom Configuration (Windows 10 Desktop and Mobile and later) policy
- Enter a name for the policy
- Enter a description
- Click Add.. to create the CSP setting
Now you need to enter all the setting for the Onboarding CSP
- Settings name: Onboarding (I always use the setting name)
- Settings description (I always use the OMA-URL)
- Data type : String (It is very important to use the correct data type otherwise the policy will fail)
- OMA-URI : ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
- Value : use the content from the previous downloaded WindowsDefenderATP.onboarding file
- Click : ok
Click Save Policy
Click yes to deploy the policy
Find a device group to deploy the policy to (when dealing with CSP policy that starts with ./Device/ always deploy it to devices, and if it starts with ./User/ deploy it to a group of users)
Now you can manual sync the Windows with Intune to onboard the device to WDATP – or just wait to the next sync cycle.
The you can see in the WDATP console that the devices is coming into the Machine View
Please note that there is one mistake in the text (the screenshot is accurate).
The OMA-URI is missing the “/Onboarding” and should be ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
Thanks – it has been changed.
It’s an remarkable paragraph designed for all the online
visitors; they will take benefit from it I am sure.