The first task for a full-featured Microsoft Defender for Endpoint (MDE) deployment is onboarding. Onboarding is also the primary task for starting to use the Endpoint Detection and Response (EDR) feature. However, before diving into onboarding your first endpoint, you should determine the appropriate deployment architecture based on your organizational needs. This entails satisfying the minimum requirements, identifying the method of deployment, and finally enrolling endpoints into MDE. The information in this article provides a starting point and framework for your endpoint protection journey.
There are several licensing, OS, and client requirements to satisfy prior to deploying MDE to endpoints. MDE is agentless and built into Windows 10, so no additional software needs to be installed.
MDE requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
Supported Windows versions
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 10, version 1607 or later
  - Windows 10 Enterprise
  - Windows 10 Enterprise LTSC
  - Windows 10 Education
  - Windows 10 Pro
  - Windows 10 Pro Education
- Windows Server
  - Windows Server 2008 R2 SP1
  - Windows Server 2012 R2
  - Windows Server 2016
  - Windows Server, version 1803 or later
  - Windows Server 2019
Other supported operating systems
While Microsoft Defender is the ideal solution to run in conjunction with MDE, Defender does not have to be the primary solution in use. Keep in mind that if another third-party solution is used alongside MDE, then:
- Defender cannot be disabled. It will run in passive mode
- Defender must keep updating signature files
- Threats will be detected by MDE, but not remediated
To obtain the package required for either of these options, go to MDE Security Center Settings > Onboarding and select the appropriate operating system to download the package.
MDE does not actually install software on clients. The onboarding process configures several Registry keys to point to your specific instance of MDE and starts a service (MsSense.exe).
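Because onboarding leaves only registry state and a running service behind, a quick way to confirm an endpoint actually enrolled is to check those artifacts. The following PowerShell is an added example, not code from the article or from Microsoft: it assumes you run it elevated on the endpoint, and it uses the documented `OnboardingState` value under the Windows Advanced Threat Protection `Status` key, the `Sense` service that hosts MsSense.exe, and the `AMRunningMode` property of `Get-MpComputerStatus` to report whether Defender is in passive mode next to a third-party solution.

```powershell
# Added example: verify MDE onboarding state on a Windows endpoint.
# Assumptions: run elevated on the endpoint itself; the registry path, service
# name and AMRunningMode property come from Microsoft documentation, not this article.
function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # Onboarding writes OnboardingState = 1 under the Status key once enrollment succeeds.
    $onboardingState = $null
    if (Test-Path -Path $statusKey) {
        $onboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    # The Sense service is the EDR sensor (MsSense.exe) that onboarding starts.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $senseStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
    $senseProcess = Get-Process -Name 'MsSense' -ErrorAction SilentlyContinue

    # With a third-party AV installed, Defender keeps running in passive mode;
    # AMRunningMode reports Normal, Passive Mode, or EDR Block Mode.
    try {
        $amMode = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode
    } catch {
        $amMode = 'Unavailable'
    }

    $onboarded = ($onboardingState -eq 1) -and ($senseStatus -eq 'Running')

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        OnboardingState = $onboardingState
        SenseService    = $senseStatus
        MsSenseRunning  = [bool]$senseProcess
        DefenderAVMode  = $amMode
        Onboarded       = $onboarded
    }
}

$result = Test-MdeOnboarding
$result | Format-List
if (-not $result.Onboarded) {
    Write-Warning 'Endpoint is not fully onboarded to MDE; check OnboardingState and the Sense service.'
}
```

Running this across a pilot group with `Invoke-Command` gives a simple pass/fail inventory before you scale the chosen onboarding method to the rest of the fleet.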
There are four common strategies to onboard endpoints to MDE:
- Script and Evaluation
- On-premises
- Cloud Native
- Co-Management
Script and Evaluation involves using a local script on a small sample of endpoints to provide a proof-of-concept (PoC) evaluation of MDE. This script can only be used on up to 10 machines. The script can be obtained from the MDE Security Center in the Onboarding tab.
This strategy is recommended only in very small environments or true evaluations that do not wish to use management or deployment tools.
On-premises involves using Microsoft Endpoint Configuration Manager (MECM, formerly SCCM) to onboard. Group Policy and non-Microsoft configuration management solutions can also be used. This allows organizations to continue using familiar tools and their existing investment in on-premises solutions. In addition, in most cases, organizations licensed for Microsoft 365 will have license usage rights to MECM.
This is recommended for enterprises that have a significant investment and footprint in MECM or another solution and are not ready to move any workloads to the cloud.
Cloud Native involves using Microsoft Endpoint Manager (MEM, formerly Intune) to onboard. MEM has built-in, native policies that simplify the onboarding process for a variety of OS platforms, including Windows, macOS, and Android. Using MEM, MDE can also report device state to assess risk level for compliance policies. Other MDM solutions can be used; however, only MEM, OMA-URI, and JAMF-based deployments are supported.
MEM is recommended for enterprises that do not have an on-premises MECM solution or those trying to reduce their on-premises infrastructure footprint.
Co-Management involves combining the best of Intune and SCCM into a single management solution. Co-Management provides integrated management tools and unique options to provision, deploy, and manage endpoints across an organization anywhere in the world.
Co-Management is recommended for enterprises that host both on-premises and cloud workloads to get the best of both environments.
Here are a few additional tips for deciding how to onboard to MDE:
- Develop overall architecture and integration points before determining design strategies.
- Plan each feature component and what you intend to configure.
- Onboard endpoints before implementing other MDE feature sets (ASR, NGP, etc.)
- Onboarding is the primary task for EDR
- Implement additional features after onboarding in phases or layers
- Do not try to implement everything at once. Start small and build up.
- Always pilot and evaluate before mass deployment, especially if replacing another solution
- MDE supports VDI infrastructure for both persistent and non-persistent endpoints
- Windows Servers require Azure Security Center Standard Licenses or MDE for Servers license
- MDE is not able to be deployed during OOBE
Microsoft Defender for Endpoint is a massive undertaking with a tremendous number of capabilities. It is the product responsible for the primary protection of the endpoints in your environment and should not be deployed without the proper knowledge and education, as well as a full architecture and deployment plan. However, as overwhelming as it can be, MDE can be broken down into simpler, manageable phases, such as the first deployment phase of onboarding. Subsequent phases can be gradually layered on, and with the appropriate end-user communication and training, you will have a full-featured, cloud-powered, enterprise-grade solution protecting all the endpoints in your environment.
For more information about protecting your organization, attend our upcoming webinar: FORTIFYING YOUR LAST LAYER OF SECURITY | OCT 13 | 2PM EST