1.0 Microsoft Defender for Endpoint (MDE): Overview

Microsoft Defender for Endpoint (MDE) is a cloud-based endpoint security solution from Microsoft designed to help enterprises protect against threats. Its key features are shown in the image below.

[Image: MDE key features, copied from Microsoft docs]

More can be read about it at What is MDE. In this post, we focus more on the deployment plan from an engineering perspective.

Let's assume we already know what MDE is, how powerful it is, and why we have chosen it, and that we have the license and portal ready. We will discuss MDE licensing in a future post.

MDE deployment differs depending on the architecture of the environment. There are multiple stages in the MDE rollout that need to be performed in sequence, as listed below.

  1. Prepare infrastructure
  2. Onboarding the device
  3. Apply the policy
  4. Monitoring deployment and operation
  5. Reporting

Prepare infrastructure

First of all, we need to assess the current infrastructure and prepare it so that it meets the MDE minimum requirements. There are several types of requirements, such as having Azure AD, network connectivity between the devices and the Defender for Endpoint backend service (cloud), and endpoints meeting the minimum hardware and software requirements. More information can be found at Minimum requirements for Microsoft Defender for Endpoint.

Onboarding the device

The first step is to onboard the device to MDE. Onboarding means enabling the agent. Some Windows OS versions have a built-in agent that only needs to be enabled; others do not, so we need to install the agent and then enable it. Onboarding of devices differs based on the OS type and how they are managed, as below.

Windows 10 and 11

  1. Onboard unmanaged device
  2. Onboard Intune managed device
  3. Onboard SCCM-managed device

Each of the above has a different onboarding method, but the final outcome is the same: in each method the MDE agent gets installed/enabled and the device reports back to the Defender for Endpoint cloud service. Once the device is onboarded, it starts sending events to the cloud, where they are analyzed using AI and machine learning, and the findings are reported on the Defender portal (security.microsoft.com).

For unmanaged devices, we have to run the onboarding script manually on the device. We can download the script from the Defender portal (Settings -> Endpoints -> Onboarding). Please refer to the detailed guide at 3.0 Defender for Endpoint (MDE): Onboard Unmanaged Windows 10/11.

For Intune-managed devices, we have to create an onboarding policy from the Microsoft Intune admin center (endpoint.microsoft.com) and deploy it to the target group. Once the policy is deployed to the group, all the devices in the group, and any devices added to it in the future, will be onboarded to Defender for Endpoint automatically. Please refer to the detailed guide at 4.0 Defender for Endpoint (MDE): Onboard Intune Managed Windows 10/11.

For System Center Configuration Manager (SCCM) managed devices, we first need to prepare SCCM and then create a deployment package. We will discuss this in detail in a future post.
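Whichever of the three methods is used, the result on the device should be the same: the Sense service is running and the onboarding state is set. The following PowerShell check, added here as an example (it is not from the original post or from Microsoft's guides), verifies that on a Windows 10/11 endpoint after onboarding; run it in an elevated session. The registry path, the Sense service name and the Get-MpComputerStatus cmdlet are the standard ones, while the Test-MdeOnboarding function name is my own.

```powershell
# Added example: verify MDE onboarding on a Windows 10/11 device.
# Works the same for manual-script, Intune and SCCM onboarding.
function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # 1. The MDE sensor service ("Sense") must exist and be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseRunning = ($null -ne $sense) -and ($sense.Status -eq 'Running')

    # 2. OnboardingState = 1 is written once the onboarding script/policy
    #    has been applied successfully.
    $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    $onboarded = ($state -eq 1)

    # 3. Defender AV should still be enabled with real-time protection on;
    #    AMRunningMode tells us whether it is active or in passive/EDR-block mode.
    $mp = Get-MpComputerStatus

    [PSCustomObject]@{
        SenseServiceRunning     = $senseRunning
        OnboardingState         = $state
        Onboarded               = $onboarded
        AntivirusEnabled        = $mp.AntivirusEnabled
        RealTimeProtection      = $mp.RealTimeProtectionEnabled
        AMRunningMode           = $mp.AMRunningMode
        Healthy                 = $senseRunning -and $onboarded -and $mp.AntivirusEnabled
    }
}

$result = Test-MdeOnboarding
$result | Format-List

if (-not $result.Healthy) {
    Write-Warning 'Device is not fully onboarded; check the Sense service, OnboardingState and AV status above.'
}
```

A device that shows Healthy = True here should appear in the Defender portal device inventory shortly afterwards; if it does not, the network requirements from the Prepare infrastructure step are the first thing to re-check.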

Windows Server

  1. Onboard workgroup server
  2. Onboard domain-joined server
  3. Onboard Azure VM

We can also onboard Linux, macOS, iOS, and Android devices, which we will cover in a future post.

Apply the policy

Once we have onboarded the device to Defender for Endpoint, the next step is to apply (deploy/enforce) the security policy. There are several ways to push the policy.

  1. If the device is managed by Intune, we can push all the policies from Intune.
  2. If the device is not managed by Intune but is AD-joined, we can push the policy using Group Policy (GPO).
  3. If the device is managed by SCCM, we can push the policy from SCCM.

For Intune-managed devices, we can push policy from the Microsoft Intune admin center. There are many policies that need to be pushed, such as the AV policy, firewall policy, Attack Surface Reduction (ASR) policy, device protection policy, etc. We can push all those policies one by one, or we can push the security baseline policy, which is a set of recommended security configurations and settings that combines all of them. Please refer to the detailed guide at 6.0 Defender for Endpoint (MDE): Apply Security Baseline Policy. One issue we find with Intune is that when we deploy multiple policies, the same setting may appear in more than one policy, resulting in conflicts, so it is better to deploy the baseline policy. Another good part of the security baseline policy is that it is maintained by Microsoft, so the required changes are made by Microsoft.

Hope this was helpful; contact me on Twitter @sakaldeep for any queries.