Microsoft Defender for Endpoint

Windows

• Windows 10
• Windows Server 2016
• Windows Server, version 1803 or later
• Windows Server 2019

Mac OS X

• Mac OS X 11 (Big Sur)
• Mac OS X 10.15 (Catalina)
• Mac OS X 10.14 (Mojave), 

Linux

• Red Hat Enterprise Linux 7.2 or higher
• CentOS 7.2 or higher
• Ubuntu 18.04 LTS or higher LTS

All windows client should receive the client through a BigFix fixlet

All Mac OS X clients will receive the client through JAMF enrollment

• Install the following repo if running RHEL 7.x: 

yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7.4/prod.repo

• Install the following repo if running RHEL 8.x: 

yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/8/prod.repo

• Install MDfE (mdatp) 

yum install mdatp -y

• Download the Linux python onboarding script and install the license 

GCC Installers

• unzip WindowsDefenderATPOnboardingPackageLinuxServer.zip 
• chmod 755 MicrosoftDefenderATPOnboardingLinuxServer.py 
• ./MicrosoftDefenderATPOnboardingLinuxServer.py 

Generating /etc/opt/microsoft/mdatp/mdatp_onboard.json … 

• Verify installation (It may take a few minutes before it’s up to date, etc.) 

mdatp health --field org_id 

“8e911e4a-576e-42e9-b142-7edf1ab491ed” 

mdatp health --field healthy 

True 

mdatp health --field definitions_status 

“up_to_date” 

mdatp health --field real_time_protection_enabled 

True 

• Add Weekly scan to crontab
  • sudo crontab -e
  • Add the following line
    • 0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log
      • (or other appropriate start day/time)
    • save file
• Add exclusions of NFS file systems and “special” kernel file systems.  Also, if you experience performance issues with Java applications, add exclusions for compressed files. 

• mdatp exclusion folder add --path /home 
• mdatp exclusion folder add --path /proc 
• mdatp exclusion extension add --name .jar 
• mdatp exclusion extension add --name .war 
• mdatp exclusion extension add --name .zip 
• mdatp exclusion list 

===================================== 

• Excluded folder 
• Path: “/home/” 
• — 
• Excluded folder 
• Path: “/proc/” 
• — 
• Excluded extension 
• Extension: .jar 
• — 
• Excluded extension 
• Extension: .war 
• — 
• Excluded extension 
• Extension: .zip 

===================================== 

• Troubleshooting 

NOTE:  The MDfE audit service will not start if there are any issues with /etc/audit/audit.rules.  For example: 

systemctl status mdatp.service 

• ● mdatp.service – Microsoft Defender ATP 
•    Loaded: loaded (/usr/lib/systemd/system/mdatp.service; enabled; vendor preset: disabled) 
•    Active: active (running) since Tue 2021-03-02 17:43:58 EST; 2s ago 
• Main PID: 14562 (wdavdaemon) 
•    CGroup: /system.slice/mdatp.service 
•            ├─14562 /opt/microsoft/mdatp/sbin/wdavdaemon 
•            ├─14565 /opt/microsoft/mdatp/sbin/crashpad_handler –database=/var/opt/microsoft/mdatp/crash –metrics-dir=/var/opt/microsoft/mdatp/cra… 
•            ├─14585 /opt/microsoft/mdatp/sbin/wdavdaemon edr 11 10 3 
•            ├─14624 /opt/microsoft/mdatp/sbin/wdavdaemon unprivileged_v1 17 16 3 
•            └─14708 /opt/microsoft/mdatp/sbin/telemetryd_v2 https://us-v20.events.data.microsoft.com/ 491035d7-cd38-4cfd-8fe6-4a3ff9c4e9ef Microsof… 

Mar 02 17:43:59 naddevww01 wdavdaemon[14562]: Error sending add rule data request (No such file or directory) 

Mar 02 17:43:59 naddevww01 wdavdaemon[14562]: There was an error in line 75 of /etc/audit/audit.rules 

In this example, line 75 has the entry for Symantec which was just removed. Since the audit.rules file can be generated from the files in /etc/audit/rules.d, make sure Symantec is removed from both places.  Then restart auditd.  And finally restart MDfE.

Prerequisites for Ubuntu

curl, gpg, libplist-utils, apt-transport-https must be installed

Installation Steps for Ubuntu found in the link below

https://doimspp.sharepoint.com/:w:/r/sites/BUTST/Shared%20Documents/BUTST_Shared/TST%20Documents/MDfE%20Install%20-%20Ubuntu.docx?d=w422216e33350452ca5f304ef224b8169&csf=1&web=1&e=03TttX

Fixlets that configure prerequisites and install the Microsoft Defender Endpoint agents have been deployed. Some servers will need to run the following command in an Administrative Powershell session to ensure the Windows Defender feature is installed and running:   

Install-WindowsFeature -Name Windows-Defender

If your Windows Defender service is still not running, please perform the following steps manually.

First confirm that Defender is installed on the system.  Go to Server Manager->Add roles and features.  Under features verify that Defender is selected: 

You can also check these IEM reports: 

GS: Windows Servers – Windows Defender Antivirus Service – Not Exist 

GS: Windows Systems – Windows Defender for Endpoint – Status 

Open Defender on your server by going to Settings, Update & Security, Windows Defender:

Click on Turn on Windows Defender

In the window that opens, click Turn on, allow the UAC prompt and click Close.

In the remaining Windows Defender Window, click Turn On

The defender service will start and the virus definitions will update in the background.

If you now go to Services you should see the Window Defender service running and set to Automatic: 

To monitor the status of your Defender service, run the following command in powershell:

Get-MpComputerStatus

If the service is running and has checked in, the following registry entry will be present under HKLM\Software\Microsoft\Windows Advanced Threat Protection:

Your system should have a key titled senseId as shown above. The actual entry is unique to each system.

For systems that are not enrolling, go to the Event viewer (Applications & Services> Microsoft > Windows > SENSE\operational) to see if it has any errors in the operational log.

Use the following guide to get more information on the error codes in your logs.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-error-codes

• The Service should start and change to Automatic

• If the service is running and has checked in, the following registry entry will be present under HKLM\Software\Microsoft\Windows Advanced Threat Protection.

• Your system should have a key titled senseId as shown above. The actual entry is unique to each system. After a few hours, the BigFix Web Report should update and the system should be compliant.

Running sysprep and then re-joining the system to the domain on systems may resolve different error codes with Server OS and windows 10 that can not be resolved with previous troubleshooting.

Some of these issues may include:

• Windows Event Viewer showing EVENTID 19 under Applications and Services > Microsoft > Windows > SENSE > operational
• SENSE service set to manual and/or being unable to set to auto start

Caution needs to be taken, as running sysprep may corrupt various applications (SQL, APACHE, IIS, etc)

1. Verify there is a current backup for the server, user data, and any application data before continuing
2. from admin cmd run C:\Windows\System32\Sysprep\Sysprep.exe
3. Choose “OOBE” – Out of Box Experience
4. Important – Make sure “Generalize” is not checked
5. reboot system
6. Re-join the domain
   • if system has been disabled in AD then contact e-Patching and request system be re-enabled

Fixlets that configure prerequisites and install the Microsoft Defender Endpoint agents have been deployed. (See email sent on January 12, 2021 here).

As of March, 2021 – Enrollment in Jamf will trigger installation of Defender

If the hostname isn’t the same as dns / computer name, it will never map up with the Microsoft Defender for Endpoint (MDfE) records.

Configure System Name – Required
Open Terminal

1. Change ComputerName:
sudo scutil –-set ComputerName “newcompname”

2. Change HostName:
sudo scutil –-set HostName “newhostname”

3. Change Local HostName:
sudo scutil –-set LocalHostName “newlocalhostname”

If the fixlet fails to install or to allow the kernel extension (kext) in System Preferences>Security & Privacy, Defender is not reporting properly. 

If it’s running you will see one of these icons in the menu bar

or

Please make sure it’s reporting to the console by opening a terminal window and type 

mdatp –health

You should see the following output

The first value ‘edrMachineID’ will have a unique value for each system.

The next two ‘realTimProtetionAvailable’ and realTimeProtectionEnabled‘ must read ‘true’. If they read ‘null’, you can reboot and run the command again. Otherwise, go to manual install (below).  

If you see no shield in the menu bar, open Defender in the Applications folder

 

Double-click the Defender app. If it opens and you see this

Delete the current install from the Applications folder.  

If you see this (no license found) you need to run the Python script.  

Manual Installation and Running the Script

Get the installer and script you will need here

Please reboot after every failed installation/removal

Run the manual installation and follow the prompts. If it’s successful you will see

If not

Delete the application and run the installer again. 

If you continue to see no shield or the shield with the ! or X, open Defender from the menu bar and click on ‘Action Needed’ If you’re still getting the error screen ‘We’re having trouble starting this app’, delete from Applications and install again. 

If you get the ‘No license found’ error, run the Python script from Terminal. Please be sure to change directory to where you copied the script. This must be run with an admin account.

/usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py

That should fix the no license issue. 

Microsoft Update will generate an update

After the update you may need to license the install again.

Run the Python script. If the shield disappears after Auto Update, run the install again. 

To check if the extension is installed run 

kextstat | grep wdav from terminal 

and see if you get anything to return.

If you don’t get the prompt to ‘Allow’ the extension

From an admin account in terminal, run

sudo kextutil /Library/Extensions/wdavkext.kext

Tips

Please make sure the hostname is the same as dns / computer name or it will never map up with the Microsoft Defender for Endpoint (MDfE) records.

You may have to delete and run the install several times before it’s successful. We don’t know why this happens, but it can. You may get it right in one try. 

You may also see a degradation in performance after the installation since Symantec is still on the system. This is normal. Symantec is to remain on systems until we receive further notice. 

Some people have reported success by disabling Gatekeeper and Firewall in System Preferences.

To disable Gatekeeper

sudo spctl –master-disable (two dashes)spctl –status to see if its enabled or disabled (two dashes)Be sure to enable it again when you’re done or VPN will not work!

Resources for Microsoft Defender ATP for Mac https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-resources#logging-installation-issues

Users have reported success with these instructions here and here.

Defender for Endpoint Deployment Failures – Status Reports for Mac OS X:   

Review the report GS: Mac OS X Systems – Microsoft Defender for Endpoint – Status 

Review the “GS-MacOS-Defender-Enrollment-Status” column: 

• A GUID#  – No Action Is Needed.  
• No GUID# – Defender deployment has failed or the system has not been online or communicating with BigFix and is at risk for being disabled. 

Email the Service Desk (ServiceDesk@usgs.gov) to open a ticket with the ePatching Team if additional support is needed to resolve problems. 

1. Contact e-Patching to have system enabled
   • If you have more than one system that needs enabled e-Patching will only enable the system a COUA is currently working on. They will not enable all disabled devices at once
2. Work through appropriate troubleshooting steps from above troubleshooting
3. verify with e-Patching that system is reporting to Big-Fix and Microsoft Defender for Endpoints console properly
4. Once communication is verified then local admin can change the description field