If you are starting to test Windows Defender ATP you might be interested in importing the onboarding configuration file into Microsoft System Center Configuration Manager. This was one of my first steps after getting an account set up at https://securitycenter.windows.com.
To my surprise I immediately hit an error in the console: “The selected configuration file or signature is not valid for windows defender advanced threat protection”.
At this point I decided to try the New-CMAdvancedThreatProtectionPolicy cmdlet, which produced a similar error: “The Certificate chain could not be verified or is not Microsoft-Rooted”.
I knew that the permissions needed were Full Administrator, and I had verified that my account was given explicit rights directly as Full Administrator, as we have had reported cases of delegated rights being a problem previously. This was not the issue.
The configuration file was freshly exported from the ATP Portal, so I knew the file was fine, and I was able to validate this in a test lab, so something environmental was causing this specific issue.
Luckily I was able to reach out to an Engineer and confirm that on import of the onboarding configuration file we extract the signature of the file and try to validate the certificate chain all the way up to the “Microsoft Root Certificate Authority 2011” root certificate. I verified that I indeed had this certificate in my Trusted Root Certification Authorities store, but I noticed that I had two of these certs listed. One looked proper as expected, but the second one was missing the friendly name. After removing that certificate from the store I was able to successfully import the onboarding configuration file.
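As an added example (not part of the original post or of ConfigMgr itself), the following PowerShell lists every copy of the “Microsoft Root Certificate Authority 2011” certificate in the machine and user Trusted Root stores and flags the two conditions described above: more than one entry for that root, or an entry with no friendly name. It assumes you run it elevated on the site server where the import fails.

```powershell
# Added example: inventory the Trusted Root stores for the root certificate that the
# onboarding-file signature chain is validated against, so duplicate or odd entries
# stand out before the ConfigMgr import is attempted.
$rootName = 'Microsoft Root Certificate Authority 2011'
$stores   = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*CN=$rootName*" } |
        ForEach-Object {
            # A genuine root is self-signed and Verify() returns $true for it;
            # $false points at a corrupt, expired or otherwise untrusted entry.
            [pscustomobject]@{
                Store        = $store
                Thumbprint   = $_.Thumbprint
                FriendlyName = $_.FriendlyName
                NotAfter     = $_.NotAfter
                SelfSigned   = ($_.Subject -eq $_.Issuer)
                Verifies     = $_.Verify()
            }
        }
}

$found | Format-Table -AutoSize

# Condition 1: more than one entry for the same root in one store.
$found | Group-Object Store | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0} entries for '{1}' in {2}" -f $_.Count, $rootName, $_.Name)
}

# Condition 2: an entry with no friendly name (the extra entry in the post looked like this).
$found | Where-Object { [string]::IsNullOrEmpty($_.FriendlyName) } | ForEach-Object {
    Write-Warning ("Entry {0} in {1} has no friendly name" -f $_.Thumbprint, $_.Store)
}
```

Compare each reported thumbprint with the published value for this root before removing anything; only the extra entry should go, and removing the genuine root would break signature validation for far more than the ATP import.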
If you are hitting any additional issues I would advise checking out our troubleshooting docs or opening a case directly with CSS: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection
One more thing to keep in mind once you get past these issues: it can take up to an hour or more for your onboarded systems to show up in the ATP Portal, so have patience, verify that the Sense service is running, and review the Sense log in eventvwr.msc for onboarding data.
Hopefully this helps someone else to test out Windows Defender ATP integration with ConfigMgr. Good luck and post any comments below on success or struggles.