Defender for Endpoint on Domain Controllers and restricting control


Hi Community


I've got a customer who's busy deploying Windows Defender and has purchased several thousand Defender for Endpoint on Server licenses. 


The AD team has raised some concerns about what control the Defender for Endpoint administrators will have over Domain Controllers once the DCs have been onboarded.


This customer is rolling out a hardened AD environment including the tiered model, bastion forests etc. The AD team is responsible for patching the DCs via WSUS.


The DCs already have MDI installed on them, and Defender AV.


So basically what they are asking for is the following:


1.) Best practices for configuration of Defender for Endpoint on domain controllers

2.) An RBAC model, probably based on tags, that blocks, or at least limits, what the ATP administrators can do on the DCs

3.) Any potential security risks to the DCs by going down this route?


The documentation for MDE states that anyone with Defender Global Administrator privileges has full control over all devices irrespective of their device group affiliations and Azure AD group role assignments. Does this also apply to the Domain Controllers?


I'm assuming that best practice advises that anyone with MDE Global Admin privileges should be leveraging PIM with MFA to access that role.


Any guidance would be appreciated.


1 Reply
@PeterJoInobits, the first question is, are there more than 2 Global Admins? If so, that probably needs to be looked into, but that is not a topic that we will go into in this forum. Yes, PIM + MFA should be used by Global Admin accounts, but also for other identity accounts managing your infrastructure. You would then tag the Domain Controllers (DCs) and assign them to a "Device Group", which you would then assign to an MDE RBAC "Security Group" for the SOC/IR folks that would be able to see, and/or investigate, and/or remediate. Hope this helps, Yong
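As an added example of the tagging step Yong describes (this is not code from the thread or from Microsoft; it is an illustration written for this page), the script below stamps every domain controller in the current domain with an MDE device tag through the documented `DeviceTagging` registry value, which the portal then exposes so a "Domain Controllers" Device Group can be built on it and scoped to a dedicated RBAC security group. It assumes the RSAT ActiveDirectory module on the admin host, PowerShell remoting to the DCs, and that it is run by a Tier 0 account from a Tier 0 admin workstation, since DCs are Tier 0 assets in the tiered model the question mentions. The tag name `DomainControllers` is a constructed value; substitute your own naming convention.

```powershell
# Added example, not from the original post: tag all DCs for an MDE Device Group.
# Assumptions: RSAT AD module, WinRM to the DCs, run from a Tier 0 admin context.
# "DomainControllers" is a constructed tag name, not one the thread specifies.
$TagName = 'DomainControllers'
# Documented MDE device-tagging location: REG_SZ value "Group" under this key.
$RegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

# Enumerate every DC in the current domain (writable and read-only).
$Dcs = (Get-ADDomainController -Filter *).HostName

$Results = Invoke-Command -ComputerName $Dcs -ArgumentList $TagName, $RegPath -ScriptBlock {
    param($TagName, $RegPath)

    # Create the policy key if it has never been set on this DC.
    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }

    # Read the current tag so the run is idempotent and the change is auditable.
    $Current = (Get-ItemProperty -Path $RegPath -Name Group -ErrorAction SilentlyContinue).Group
    if ($Current -ne $TagName) {
        Set-ItemProperty -Path $RegPath -Name Group -Value $TagName -Type String
    }

    # Sanity check that the MDE sensor ("Sense") is actually onboarded and running;
    # a tag on a DC without a running sensor never reaches the portal.
    $Sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        PreviousTag = $Current
        Tag         = (Get-ItemProperty -Path $RegPath -Name Group).Group
        SenseState  = if ($Sense) { $Sense.Status } else { 'NotInstalled' }
    }
}

# Review the per-DC outcome before building the Device Group in the portal.
$Results | Sort-Object Computer | Format-Table Computer, PreviousTag, Tag, SenseState -AutoSize
```

The tag only provides the anchor: the Device Group itself, its rank relative to other groups, and the assignment of that group to the SOC/IR security group with a limited role (view, investigate or remediate) are configured in the portal, which is where the actual restriction on what ATP administrators can do to DCs takes effect. As the question already notes, that scoping applies to delegated roles, not to Global or Security Administrators, which is why the reply's point about keeping those accounts few and behind PIM with MFA matters for the DCs specifically.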