Hi yycc1. As a general statement, we need to ensure we have coverage of a variety of situations in managed environments, but at a high level you can certainly jump to #5 for a simple environment or test deployment.
The short answer and to summarize:
- If you are already running the existing solution and are not running SCEP, you can in fact apply the installer package then apply the onboarding script.
- For new installations, ensure the OS and Defender Antivirus are updated then follow 2 steps: run the installer and execute the onboarding script.
- If you need to automate at scale or have specifics in your environment, the server migration scenarios should help you reach the desired end state and the installer script is a useful support tool to help you orchestrate the required steps.
It's unfortunate this is not your takeaway (the high-level steps are at Onboard Windows servers to the Microsoft Defender for Endpoint service | Microsoft Docs), so let me answer each of your points in sequence:
1. The previous solution required the installation and configuration of the Microsoft Monitoring Agent as well as SCEP on Windows Server 2012 R2, and installation and configuration of the Microsoft Monitoring Agent and enabling Defender Antivirus on Windows Server 2016 (as well as having to meet dependencies for running the Microsoft Monitoring Agent on both OS).
The new package still requires the enablement of Defender Antivirus, however it takes away the need for the Microsoft Monitoring Agent and its dependencies. Prerequisites will be met by simply updating the operating system using the latest rollup packages.
2. Assuming you have updated the servers (and you should, always), this means installation of the .MSI package then execution of the onboarding script are your only 2 steps to take. Note that we are aware of the complexities involved in running a controlled datacenter environment and as such we provide detailed instructions, to give customers the opportunity to deploy at scale as opposed to a manual, single server deployment.
3. There has been no update released yet, however in preparation for the arrival of this update, we would like to inform customers using patch management software ahead of time that this is coming.
4. There are various starting points possible we need to account for, including from 3rd party or alternative deployment tools or methods. Please choose the one that most closely resembles what is relevant to your environment. The installer script is very capable and helps overcome some of the variance. Our customers are in control of their datacenters and we aim to offer flexibility aside from ease of use. The basic onboarding steps are captured at Onboard Windows servers to the Microsoft Defender for Endpoint service | Microsoft Docs.
For customers using Microsoft Endpoint Configuration Manager or Azure Defender we will have additional full, automated/orchestrated deployment options available soon.
5. This is not a choice rather than two steps instead of the one for newer OS like Windows Server 2019 and Windows 10, where all components have been built into the operating system. The diagram at the top of this page and the overall onboarding page for servers (again Onboard Windows servers to the Microsoft Defender for Endpoint service | Microsoft Docs) both reflect this. Again, prerequisites should already be met by applying regular Windows updates and ensuring Defender Antivirus is already up to date on Windows Server 2016.
6. ASR rules are configurable mitigations that can impact production workloads. As such, we always advise to enable these in audit mode first regardless of OS. I would also advise that in any managed datacenter environment, the introduction of change should be evaluated according to an organization's risk appetite and process. Attack surface reduction frequently asked questions (FAQ) | Microsoft Docs provides a great starting point.
Hope this helps. As always, feel free to suggest changes to our public documentation if you feel something can be improved! There's a feedback button on each page.
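
An added illustration of the audit-first advice in point 6 (not part of the reply above and not Microsoft's own script): it puts a caller-supplied list of ASR rules into audit mode, confirms the resulting state, and summarizes what those rules would have blocked. Assumptions: the rule GUIDs are passed in by the operator, audit hits are logged as event ID 1122 in the Defender operational log, and the event data carries fields named `ID`, `Process Name` and `Path`.

```powershell
# Added example. Run elevated on the onboarded server.
param(
    # ASR rule GUIDs to evaluate (supplied by the operator; none are hard-coded here)
    [Parameter(Mandatory = $true)] [string[]] $RuleIds,
    # How far back to look for audit events
    [int] $Days = 7
)

# 1. Put each rule into audit mode. Add-MpPreference appends to the existing
#    rule list, so rules already configured on the host are left as they are.
foreach ($id in $RuleIds) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Confirm the effective state. Ids and Actions are parallel arrays;
#    action values: 0 = disabled, 1 = block, 2 = audit, 6 = warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# 3. Summarize audit hits (assumed event ID 1122) per rule, process and target,
#    so noisy production workloads stand out before any rule is set to block.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122
    StartTime = (Get-Date).AddDays(-$Days)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a lookup table
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            RuleId  = $fields['ID']            # assumed field name
            Process = $fields['Process Name']  # assumed field name
            Target  = $fields['Path']          # assumed field name
        }
    } |
    Group-Object RuleId, Process, Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

An empty summary after a representative period means no audited activity matched those rules on this server during the window.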