Forum Discussion
MDATP - Deployment Guide & Best Practices?
- Jan 28, 2020
Here you go: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/product-brief
- David Caddick, Jan 28, 2020, Iron Contributor
Thanks Ryen Macababbad I've already provided some feedback on Yammer.
Question - there doesn't appear to be much focus on applying the "Audit Only" settings and collecting data before changing to enforced? Some of the settings will have the capacity to be disruptive to business if pushed too aggressively too quickly? Thoughts?
- mdowens750, Mar 03, 2021, Copper Contributor
David - I agree with your caution. I tried some deployment options on a R&D Subscription first and realised that it is easy to enable a blanket-wide enablement. This meant the deployment to each server would be in effect indeterminate and un-managed. I think there is a lot of complexity and confusion in this area. Especially for larger enterprises that desire a phased implementation.
- Ryen Macababbad, Jan 28, 2020, Brass Contributor
David Caddick Are you talking about Attack Surface Reduction Rules? In the ASR section (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/production-deployment#attack-surface-reduction) you'll see "In audit mode there is no end user impact all it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step by step move security controls into block mode."
What do you propose?
- David Caddick, Jan 30, 2020, Iron Contributor
Hi Ryen Macababbad, I guess I'm hinting at the fact that it feels a bit like as a Deployment Guide it's a bit underdone? I'm not too worried as we have already run through this ourselves and created our own.
But even the link in the Deployment Guide for ASR under rank = 3 is just a link to the overview of ASR Settings - I would have thought that it's not a bad idea to at least mention the Audit mode and some basic recommendation with a direct link would be an improvement?
Going slightly off topic - when we look at these specific settings in Intune they are all over the place, no grouping, not even in alphabetical order - that could really do with a clean up?
Dave C
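
The audit-first rollout discussed in this thread, sketched as an added PowerShell example (not from any poster and not from Microsoft's deployment guide): put a pilot set of ASR rules into audit mode, summarise what they would have blocked, and enforce only the rules that stayed quiet. The two rule GUIDs are Microsoft's published ASR rule IDs chosen for illustration; the 30-day window, the `$Enforce` switch and the event field names read from the XML (`ID`, `Path`, `Process Name`) are assumptions to check on your own build.

```powershell
# Added example: run elevated on a pilot device, not fleet-wide.
$Enforce = $false          # hypothetical switch: flip only after reviewing the audit data
$rules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

# Phase 1: audit mode. Nothing is blocked; hits are only logged.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Phase 2: collect audit hits (event 1122) from the Defender operational log.
$since  = (Get-Date).AddDays(-30)      # assumed observation window
$filter = @{ LogName   = 'Microsoft-Windows-Windows Defender/Operational'
             Id        = 1122
             StartTime = $since }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            RuleId  = $data['ID']              # assumed field name for the rule GUID
            Rule    = $rules[$data['ID']]
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }

# What would have been blocked, grouped so recurring business processes stand out.
$hits | Group-Object RuleId, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Phase 3: enforce only rules with zero audit hits; the rest need exclusions or more review.
$noisy = @($hits | Select-Object -ExpandProperty RuleId -Unique)
foreach ($id in $rules.Keys) {
    if ($noisy -contains $id) {
        Write-Host "Keep in audit: $($rules[$id])"
    } elseif ($Enforce) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions Enabled
    }
}
```

In a managed estate the same phases apply through Intune or Group Policy instead of `Add-MpPreference`, with the audit data reviewed centrally in the Microsoft Defender Security Center rather than per device.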