Legacy Windows Support for Microsoft Defender ATP

By Chris Blackburn

I’ve had several clients recently who have talked about what’s entailed to support legacy operating systems (Windows 7/8/Server 2008) in Microsoft Defender ATP. In short, you’re essentially installing the Microsoft Monitoring Agent that’s part of what is legacy OMS (now Azure Security) and the

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp

If your Windows 7 builds are up to date, you shouldn’t have to install the following 3 items:

Also check your .NET version before installing. I attempted to go from version 4.0 to 4.8 on my test VM and it broke the MMS agent, so I had to revert, but I was able to go from 4.0 to 4.5 with no disruption to services.

Use the following command:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version


Download the respective OMS client

Open the Onboarding page of your MD ATP console and, with Windows 7 selected as the OS, copy your WORKSPACE ID and WORKSPACE KEY

https://securitycenter.microsoft.com/preferences2/onboarding

Specify <platform> as either x86 or AMD64, then extract the installer

MMASetup-<platform>.exe /c /t:c:\MMASETUP-<platform>

Provide the documented WORKSPACE ID and WORKSPACE KEY then run the install

setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID="WORKSPACE ID" OPINSIGHTS_WORKSPACE_KEY="WORKSPACE KEY" AcceptEndUserLicenseAgreement=1

After installation:

  • Check Services.msc to ensure the “Microsoft Monitoring Agent” service is running
  • Also check the Operations Manager event log for entries
    • %SystemRoot%\System32\Winevt\Logs\Operations Manager.evtx
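
The post-install checks above, plus the .NET version check, collected into one script that can be run on each onboarded machine. This is an added example, not part of the original post or Microsoft's documentation. The $ExpectedWorkspaceId parameter and the output property names are hypothetical, and the workspace lookup assumes the agent's AgentConfigManager.MgmtSvcCfg COM interface is registered by the install.

```powershell
# Added example: post-install checks for a down-level MMA onboarding.
# Written for PowerShell 2.0, the version that ships with Windows 7.
param(
    # Hypothetical parameter: the WORKSPACE ID copied from the onboarding page
    [string]$ExpectedWorkspaceId = '<WORKSPACE ID>'
)

# 1. .NET 4.x version, read from the same registry value as the reg query
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
    -ErrorAction SilentlyContinue
$dotNet = if ($ndp) { $ndp.Version } else { 'not installed' }

# 2. The "Microsoft Monitoring Agent" service, looked up by display name
$svc = Get-Service -DisplayName 'Microsoft Monitoring Agent' -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status.ToString() } else { 'not found' }

# 3. Recent entries in the Operations Manager event log
#    Level 1 = Critical, 2 = Error, 3 = Warning
$events = @(Get-WinEvent -LogName 'Operations Manager' -MaxEvents 50 `
    -ErrorAction SilentlyContinue)
$problems = @($events | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 })

# 4. Workspace the agent is bound to (assumption: COM interface is present)
$workspaces = @()
try {
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' -ErrorAction Stop
    $workspaces = @($cfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
} catch {
    Write-Warning "Could not query agent configuration: $($_.Exception.Message)"
}

# One summary object per machine, easy to collect and compare across a fleet
New-Object PSObject -Property @{
    Computer         = $env:COMPUTERNAME
    DotNetVersion    = $dotNet
    AgentService     = $svcState
    WorkspaceMatch   = ($workspaces -contains $ExpectedWorkspaceId)
    RecentEvents     = $events.Count
    WarningsOrErrors = $problems.Count
}

# Show the newest warnings and errors so a failed connection is visible
$problems | Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

A machine where AgentService is not Running, or where WorkspaceMatch is False, has not finished onboarding and will not appear in the console.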

In the Microsoft Defender ATP console you should see your Windows 7 machine:


If you need to remove a machine, check out these steps:

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/remove-devices-from-mdatp-portal/m-p/1418750/highlight/true#M520
