Microsoft Defender for Endpoint Onboarding Requirements and Strategies
The first task for a full featured Microsoft Defender for Endpoints (MDE) deployment is onboarding. Onboarding also is the primary task to start using Endpoint Detection and Response (EDR) feature. However, before diving into onboarding your first endpoint, you should determine the appropriate deployment architecture based on your organizational needs. This entails satisfying minimum requirements, identifying method of deployment, and simply enrolling endpoints into MDE. The information in this article will help provide a guiding start and framework for your endpoint protection journey.
Requirements
There are several licensing, OS, and client requirements to satisfy prior to deploying MDE to endpoints. MDE is agentless and built into Windows 10, so no actual software is required to be installed.
MDE requires one of the following Microsoft Volume Licensing offers:
While Microsoft Defender is the ideal solution to run in conjunction with MDE, Defender does not have to be the primary solution in use. Keep in mind if another 3rd party solution is used with MDE then:
To obtain the package required for either of these options go to MDE Security Center Settings > Onboarding and select the appropriate operating system to download the package.
MDE does not actually install software on clients. The onboarding process configures several Registry keys to point to your specific instance of MDE and starts a service (MsSense.exe).
Strategies
There are four most common strategies to onboard endpoints to MDE. These include the following:
Script and Evaluation involves using a local script for a small sample of endpoints to provide an evaluation PoC of MDE. This script can only be used on up to 10 machines. The script can be obtained from the MDE Security Center in the Onboarding tab.
This strategy is recommended only in very small environments or true evaluations that do not wish to use management or deployment tools.
On-premises involves using Microsoft Endpoint Configuration Manager (MECM, formerly SCCM), to onboard. Group policy can also be used as well as non-Microsoft configuration management solutions. This allows organizations to continue to use familiar tools and investment in their on-premises solution. In addition, in most cases, organizations licensed for Microsoft 365 will have license usage rights to MECM.
This is recommended for enterprises that have a significant investment and footprint with MECM or other solution and is not ready to move any workloads to the cloud.
Cloud Native involves using Microsoft Endpoint Manager (MEM, formerly Intune) to onboard. MEM has built in, native policies that can simplify the onboarding process for a variety of OS platforms including Windows, MacOS, and Android. Using MEM, MDE can also report device state to assess risk level for compliance policies. Other MDM solutions can be used, however, only MEM, OMA-URI, and JAMF-based deployments are supported.
MEM is recommended for enterprises that do not have an on-premises MECM solution or those trying to reduce their on-premises infrastructure footprint.
Co-Management involves combining the best of Intune and SCCM into a single management solution. Co-Management provides integrated management tools and unique options to provision, deploy, and mange endpoints across an organization anywhere in the world.
Co-Management is recommended for enterprises that host both on-premises and cloud workloads to get the best of both environments.
Final Thoughts
Here are a few additional tips for deciding how to onboard to MDE:
Microsoft Defender for Endpoints is a massive undertaking. There is a tremendous amount of capabilities. It is a product responsible for the primary protection of the endpoints in your environment and should not be deployed without the proper knowledge and education as well as a full architecture and deployment plan. However, as overwhelming as it can be, MDE can be broken down into simpler and manageable phases, such as the first deployment phase of onboarding. Subsequent phases can be gradually layered, and with the appropriate end user communication and training, you will have a full featured, cloud powered, enterprise grade solution protecting all the endpoints in your environment.
Work with our team of Cloud Computing Consultants with years of experience that know all of the “minefields” to prevent missteps.