Defender for Endpoint noob questions...

Hi everyone,

I am quite new to Defender for Endpoint, and therefore thought this resource would be useful for learning.

Recently one of our customers subscribed to Defender for Endpoint P2. The customer has approx. 50 Windows 10 devices and 5 Windows Server 2019 devices.

I onboarded the Windows 10 devices and Windows Server 2019 devices using GPO and the onboarding script.

The customer does not have Intune licensing, therefore I was unable to use Microsoft Endpoint Manager (MEM) to onboard devices.

My question and concern is this... Is my customer missing out on critical functionality by not having Intune licensing? Does Defender for Endpoint work best with Intune?

For example, if the customer adds a few new Windows 11 devices but does not want to domain join them, they will have to be manually onboarded, but how will they then be managed? They cannot be managed using GPO as they are not on the domain. So let's say an exclusion for Defender AV is made in the GPMC, how will this exclusion be applied to the new Windows 11 devices that are not on the domain? If they were managed via MEM then I assume this wouldn't be an issue.

The more I read about Defender for Endpoint the more I think it's designed to be used with MEM as opposed to GPO.

Any help is greatly appreciated.

5 Replies

@olympusMons MEM still does not cover the same broad features as GPOs do. So you definitely do not miss out on features by not deploying via Intune, except the fact that you can actually onboard workgroup devices to your tenant and have them onboarded to MDE.

Funny you should say that about workgroup devices as I was wondering about that!

I do have a handful of workgroup devices that I have had to manually onboard, do I need to manually configure a local GPO to match the settings of the GPO deployed by the DC?

We are using it without MEM or much in the way of GPOs. There are certain features, like ASR rules, that need MEM or GPO to manage them, but nothing I would call critical. We do have a couple settings like client latency set via GPO, you would have to set those locally on workgroup PCs with a script or something similar. A bit of a pain but not the sort of thing you would change very often. If you are happy with the setting put in by the onboarding script then you wouldn't have to do anything.
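As an added example (not posted by anyone in this thread), here is a PowerShell script for the approach the reply above describes: applying the Defender AV exclusion the original poster asked about, plus one ASR rule, locally on a workgroup PC and then reading the effective settings back to confirm they took. The exclusion path and the choice of ASR rule/action are assumptions standing in for whatever the customer's domain GPO actually sets.

```powershell
#Requires -RunAsAdministrator
# Added example: mirror a domain GPO's Defender AV settings on a workgroup device.
# Run in an elevated PowerShell session on the workgroup PC after MDE onboarding.
# The exclusion path and the ASR rule/action below are assumptions; copy the
# real values from the GPO in GPMC so the workgroup device matches the domain.

$ExclusionPath = 'C:\LineOfBusinessApp\Data'   # assumed: path excluded in the domain GPO
# Assumed rule choice: "Block all Office applications from creating child processes"
# (Microsoft's published ASR rule GUID). Use the GUID/action the GPO enables.
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$AsrAction = 'Enabled'   # Enabled | AuditMode | Disabled

# Add-MpPreference appends; Set-MpPreference would replace the whole list.
Add-MpPreference -ExclusionPath $ExclusionPath
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                 -AttackSurfaceReductionRules_Actions $AsrAction

# Verify by reading the effective preferences back rather than trusting the call.
$pref = Get-MpPreference
$exclusionOk = @($pref.ExclusionPath) -contains $ExclusionPath

# ASR actions are stored as codes (0 Disabled, 1 Enabled, 2 AuditMode) aligned
# by index with the rule IDs; -eq on strings is case-insensitive in PowerShell.
$expected = @{ Disabled = 0; Enabled = 1; AuditMode = 2 }[$AsrAction]
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$asrOk = $false
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $AsrRuleId -and $acts[$i] -eq $expected) { $asrOk = $true }
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    ExclusionApplied = $exclusionOk
    AsrRuleApplied   = $asrOk
    RealTimeOn       = (Get-MpComputerStatus).RealTimeProtectionEnabled
} | Format-List
```

Without GPO or MEM nothing re-applies these settings if they drift, so rerun the script (for example as a scheduled task) or periodically compare Get-MpPreference output against the GPO.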

"If you are happy with the setting put in by the onboarding script then you wouldn't have to do anything." What setting are you referring to here please? Just the default configuration of Defender AV? Does the onboarding script just create a vanilla configuration of Defender AV?

There are a few settings related to the MDE client service configuration only, such as client latency and proxy settings. One thing to remember is that Defender AV, ASR rules, and other host configuration items are not really part of Defender for Endpoint; they are separate tools and are managed separately. MDE adds some threat intelligence and consumes telemetry events from them, but doesn't manage them.

As you have already seen, Defender AV for example isn't managed through MDE at all. It can be managed through MEM or GPO, and you don't need MDE to use it. Same with ASR rules.

In other words, the MDE onboarding script, or GPO, or MEM package, don't configure Defender AV etc. at all, that is something you have to do separately.