Forum Discussion
MDE Onboarding Best Practices
John Matrix Correct, the https://github.com/microsoft/mdefordownlevelserver/blob/main/Install.ps1 is for the new downlevel server MDE client for Windows Server 2012 R2/2016. Windows Server 2019 doesn't need to install a new .msi package, since it ships with the Windows Server 2019 OS. For the onboarding script on Windows Server 2019 and your DCs, you can use GPO. On the member Windows Servers, for AV policy management, we recommend using the new MDE Security Management (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/security-settings-management-in-microsoft-defender-for-endpoint/ba-p/3356970). For now, on the DCs, continue using GPO/DSC (Desired State Configuration) to manage AV policies. When you get a moment, you should review the "Privileged administrator" documentation if you haven't already; it's available here: https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model. Thx.