Defender for Endpoint noob questions...

Occasional Contributor

Hi everyone,

 

I am quite new to Defender for Endpoint therefore thought this resource would be useful for learning.

 

Recently one of our customers subscribed to Defender for Endpoint P2. The customer has approx. 50 Windows 10 devices and 5 Windows server 2019 devices. 

 

I onboarded the Windows 10 devices and Windows server 2019 devices using GPO and the onboarding script.

 

The customer does not have Intune licensing therefore I was unable to use Microsoft Endpoint Manager (MEM) to onboard devices.

 

My question and concern is this... Is my customer missing out on critical functionality by not having Intune licensing? Does Defender for Endpoint work best with Intune?

 

For example, if the customer adds a few new Windows 11 but does not want to domain join them, they will have to be manually onboarded, but how will they then be managed? They cannot be managed using GPO as they are not on the domain. So lets say an exclusion for Defender AV is made in the GPMC, how will this exclusion be applied to the new Windows 11 devices that are not on the domain? If they were managed via MEM then I assume this wouldn't be an issue.

 

The more I read about Defender for Endpoint the more I think its designed to be used with MEM as opposed to GPO.

 

Any help is greatly appreciated.

5 Replies

@olympusMons MEM still does not cover the same broad features as GPOs do. So you definitely do not miss out on features by not deploying via Intune, except the fact that you can actually onboard workgroup devices to your tenant and have them onboarded to MDE.

funny you should say that about workgroup devices as I was wondering about that!

I do have a handful of workgroup devices that I have had to manually onboard, do I need to manually configure a local GPO to match the settings of the GPO deployed by the DC?

We are using it without MEM or much in the way of GPOs. There are certain features, like ASR rules, that need MEM or GPO to manage them, but nothing I would call critical. We do have a couple settings like client latency set via GPO, you would have to set those locally on workgroup PCs with a script or something similar.   A bit of a pain but not the sort of thing you would change very often. If you are happy with the setting put in by the onboarding script then you wouldn't have to do anything. 

"If you are happy with the setting put in by the onboarding script then you wouldn't have to do anything." What setting are you referring to here please? Just the default configuration of Defender AV? Does the onboarding script just create a vanilla configuration of Defender AV?
There are a few settings related to the MDE client service configuration only, such as client latency and proxy settings. One thing to remember is that Defender AV, ASR rules, and other host configuration items are not really part of Defender for Endpoint, they are separate tools and are managed separately. MDE adds some threat intelligence and consumes telemetry events from them, but doesn't manage them.

As you have already seen, Defender AV for example isn't managed through MDE at all. It can be managed through MEM or GPO, and you don't need MDE to use it. Same with ASR rules.

In other words, the MDE onboarding script, or GPO, or MEM package, don't configure Defender AV etc. at all, that is something you have to do separately.