Hi Community
I've got a customer who's busy deploying Windows Defender and has purchased several thousand Defender for Endpoint on Server licenses.
The AD team has raised some concerns on what control the Defender for Endpoint Administrators will have over Domain Controllers once the DC's have been onboarded.
This customer is being rolling out a hardened AD environment including the tiered model and bastion forests etc. The AD team is responsible for patching the DCs via WSUS.
The DCs already have MDI installed on them and Defender AV
So basically what they are asking for is the following:
1.) Best practices for configuration of Defender for Endpoint on domain controllers
2.) An RBAC model, probably based on tags, that blocks. or at least limits what the ATP Administrators can do on the DCs
3.) Any potential security risks to the DC's by going down this route?
The documentation for MDE states that any one with Defender for Global Administrator privileges has full control over all devices irrespective of their device group affilications and Azure AD Group role assignments. Does this also apply to the Domain Controllers?
I'm assuming that best practice advises that anyone with MDE Global Admin privileges should be leveraging PIM via MFA to access that role.
Any guidance would be appreciated.
