Forum Discussion
MDI Activation vs. Manual/Scripted Install.
Hi, we recently noticed the new ‘Activation’ feature MDI added with MDE in our portal (https://learn.microsoft.com/en-us/defender-for-identity/deploy/activate-capabilities), and we’re very interested in the capabilities, but concerned about one thing the documentation states.
In the documentation, it says that the activation is just the ‘core’ protections, while the installer package is a more robust defense. I was wondering if there were key differences, like losing out on some stuff, or if both installations would cover the same activities, etc. before we go through with preferring one method to the other.
Thanks!
2 Replies
- Joe Stocker, Bronze Contributor
"I was wondering if there were key differences, like losing out on some stuff, or if both installations would cover the same activities"
It is not supported to run both side by side, and the documentation states that if you already have the classic sensor, this new version is not a replacement (yet). The classic sensor is still the way to go because (1) this is a brand new capability and there is already one out of band hotfix KB5037422 to fix a memory leak, so let this thing bake a bit, and (2) the MDE installable version is limited to only these features at this time:
Investigation features on the ITDR dashboard, identity inventory, and identity advanced hunting data
Specified security posture recommendations
Specified alert detections
Remediation actions
Automatic attack disruption
So you would be missing any MDI capability not listed above. In my opinion, this newer installer is for customers who need to urgently get MDI deployed to a large number of domain controllers to take advantage of the hunting and automatic attack disruption (ex: incident response scenarios).
Reference: https://learn.microsoft.com/en-us/defender-for-identity/deploy/activate-capabilities#test-activated-capabilities
- dhorne25, Copper Contributor
That’s what I was thinking, didn’t even notice that section when reading through the documentation, thanks for the good reply!