Today Microsoft announced that it’s now possible to onboard older legacy operatingsystems to ATP (Advanced Threat Protection) when the public preview that is available.
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8.1 Pro
- Windows 8.1 Enterprise
Even though we Always recommend using the latest versions there might be scenarios where you need the advanced detection and response capatibilities and of ATP and it’s not possible to upgrade the machines.
The difference between Windows 10 and the older versions is that is not built-in and you have to install an Microsoft Monitoring agent which will connect to your workspace and report the sensor data.
Installing the agent
64-bit agent is available here:
32-bit agent is available here:
When you have downloaded the setup file you extract it using “/c” parameter
setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1
The workspace ID and Key is available in your ATP Portal https://securitycenter.windows.com
The clients will connect to the service using HTTPS and can be a direct connection or through a proxy or OMS gateway.
When your clients are configured you should start seeing them in the ATP console
As you may have noticed there’s a link to Azure ATP alerts where you can dig further on advanced attacks in your environment.
On the following link you can find more information about onboarding older Windows Versions to Defender ATP
Pingback: Threat Hunting with Windows Defender ATP – SEC-LABS R&D