SOLVED

MDATP - Deployment Guide & Best Practices?

%3CLINGO-SUB%20id%3D%22lingo-sub-810458%22%20slang%3D%22en-US%22%3EMDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-810458%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20anyone%20aware%20of%20a%20Best%20Practices%20or%20Deployment%20guide%3F%3C%2FP%3E%3CP%3EDefender%20ATP%20has%20had%20a%20lot%20of%20changes%20in%20the%20last%20months%20and%20I'm%20guessing%20it%20doesn't%20exist%2C%20but%20asking%20the%20question%20anyway...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822317%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822317%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F129396%22%20target%3D%22_blank%22%3E%40David%20Caddick%3C%2FA%3E%26nbsp%3B-%20here's%20the%20MDATP%20onboarding%20step%20by%20step%20guide%20-%20deployment%20options%3A%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fonboard-configure%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fonboard-configure%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822342%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822342%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F49603%22%20target%3D%22_blank%22%3E%40Hesham%20Saad%3C%2FA%3E%2C%20understood%2C%20maybe%20I%20didn't%20phrase%20it%20very%20well%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20I%20was%20looking%20for%20was%20anything%20similar%20to%20%22Deployment%20Guide%22%20for%20Azure%20MFA%20for%20instance%3F%3C%2FP%3E%3CP%3EBy%20this%20I%20mean%2C%20a%20very%20real%20and%20practical%20guide%20to%20a%20list%20of%20the%20the%20design%20decisions%20%2B%20various%20options%2C%20plus%20guidance%20on%20the%20consequences%20of%20those%20decisions%20-%20I'm%20going%20to%20assume%20that%20this%20doesn't%20exist%20as%20yet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20on-boarding%20%26amp%3B%20off-boarding%20process%20is%20quite%20well%20documented%20in%20the%20Admin%20console%20under%20settings%20on%20the%20last%20two%20items%20-%20what%20I%20was%20looking%20for%20was%20any%20docs%20around%20these%20design%20decisions%2C%20but%20that's%20OK%20I've%20started%20creating%20it%20based%20on%20the%20latest%20high%20level%20slide%20deck.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1133719%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1133719%22%20slang%3D%22en-US%22%3E%3CP%3EHere%20you%20go%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fproduct-brief%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fproduct-brief%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1135854%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1135854%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F135506%22%20target%3D%22_blank%22%3E%40Ryen%20Macababbad%3C%2FA%3E%26nbsp%3BI've%20already%20provided%20some%20feedback%20on%20Yammer.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestion%20-%20there%20doesn't%20appear%20to%20be%20much%20focus%20on%20applying%20the%20%22Audit%20Only%22%20settings%20and%20collecting%20data%20before%20changing%20to%20enforced%3F%20Some%20of%20the%20settings%20will%20have%20the%20capacity%20to%20be%20disruptive%20to%20business%20if%20pushed%20too%20aggressively%20too%20quickly%3F%20Thoughts%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1136099%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1136099%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F129396%22%20target%3D%22_blank%22%3E%40David%20Caddick%3C%2FA%3E%26nbsp%3BAre%20you%20talking%20about%20Attack%20Surface%20Reduction%20Rules%3F%20In%20the%20ASR%20section%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fproduction-deployment%23attack-surface-reduction%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fproduction-deployment%23attack-surface-reduction%3C%2FA%3E)%20you'll%20see%20%22%3CSPAN%3EIn%20audit%20mode%20there%20is%20no%20end%20user%20impact%20all%20it%20does%20is%20collect%20additional%20telemetry%20and%20make%20it%20available%20in%20the%20Microsoft%20Defender%20Security%20Center.%20The%20goal%20with%20a%20deployment%20is%20to%20step%20by%20step%20move%20security%20controls%20into%20block%20mode.%22%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EWhat%20do%20you%20propose%3F%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1139027%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1139027%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F135506%22%20target%3D%22_blank%22%3E%40Ryen%20Macababbad%3C%2FA%3E%2C%20I%20guess%20I'm%20hinting%20at%20the%20fact%20that%20it%20feels%20a%20bit%20like%20as%20a%20Deployment%20Guide%20it's%20a%20bit%20underdone%3F%20I'm%20not%20too%20worried%20as%20we%20have%20already%20run%20thru%20this%20ourselves%20and%20created%20our%20own.%3CBR%20%2F%3E%3CBR%20%2F%3EBut%20even%20the%20link%20in%20the%20Deployment%20Guide%20for%20ASR%20under%20rank%20%3D%203%20is%20just%20a%20link%20to%20the%20overview%20of%20ASR%20Settings%20-%20I%20would%20have%20thought%20that%20it's%20not%20a%20bad%20idea%20to%20at%20least%20mention%20the%20Audit%20mode%20and%20some%20basic%20recommendation%20with%20a%20direct%20link%20would%20be%20an%20improvement%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGoing%20slightly%20off%20topic%20-%20when%20we%20look%20at%20these%20specific%20settings%20in%20Intune%20they%20are%20all%20over%20the%20place%2C%20no%20grouping%2C%20not%20even%20in%20alphabetical%20order%20-%20that%20could%20really%20do%20with%20a%20clean%20up%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDave%20C%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1139115%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1139115%22%20slang%3D%22en-US%22%3EDirect%20messaged%20you%20to%20gain%20more%20clarity%20on%20the%20deployment%20guide%20feedback.%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20far%20as%20Intune%20is%20concerned%2C%20I%20expect%20Microsoft%20Endpoint%20Manager%20(MEM)%20and%20the%20work%20on%20the%20DMAC%20portal%20at%20%3CA%20href%3D%22https%3A%2F%2Fdevicemanager.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdevicemanager.microsoft.com%3C%2FA%3E%20will%20address%20this%20%22clean%20up%22%20%3A)%3C%2Fimg%3E%20Stay%20tuned%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2093540%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093540%22%20slang%3D%22en-US%22%3E%3CP%3EAudit%20mode%20is%20not%20available%20for%20Automated%20Investigations%20unless%20you%20prompt%20user%20or%20auto-respond%20and%20EDR%20block%20mode%20also%20has%20to%20audit%20mode%20feature.%20Also%20ASR%20rules%20and%20EDR%20Block%20Mode%20can't%20be%20applied%20per%20group%20%3A(%3C%2Fimg%3E%20This%20looks%20like%20a%20beta%20version%20to%20be%20honest.%20Definitely%20desires%20better%20documentation.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181472%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181472%22%20slang%3D%22en-US%22%3EDavid%20-%20I%20agree%20with%20your%20caution.%20I%20tried%20some%20deployment%20options%20on%20a%20R%26amp%3BD%20Subscription%20first%20and%20realised%20that%20it%20is%20easy%20to%20enable%20a%20blanket-wide%20enablement.%20This%20meant%20the%20deployment%20to%20each%20server%20would%20be%20in%20effect%20indeterminate%20and%20un-managed.%20I%20think%20there%20is%20a%20lot%20of%20complexity%20and%20confusion%20in%20this%20area.%20Especially%20for%20larger%20enterprises%20that%20desire%20a%20phased%20implementation.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2596918%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20-%20Deployment%20Guide%20%26amp%3B%20Best%20Practices%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2596918%22%20slang%3D%22en-US%22%3EHere%20is%20the%20guide%20that%20we%20use%20to%20configure%20Microsoft%20Defender%20for%20Endpoint%20best%20practices%20%3CA%20href%3D%22https%3A%2F%2Fwww.thecloudtechnologist.com%2Fmdatp-best-practices%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.thecloudtechnologist.com%2Fmdatp-best-practices%2F%3C%2FA%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hi All,

 

Is anyone aware of a Best Practices or Deployment guide?

Defender ATP has had a lot of changes in the last months and I'm guessing it doesn't exist, but asking the question anyway...

10 Replies

Thanks @Hesham Saad, understood, maybe I didn't phrase it very well?

 

What I was looking for was anything similar to "Deployment Guide" for Azure MFA for instance?

By this I mean, a very real and practical guide to a list of the the design decisions + various options, plus guidance on the consequences of those decisions - I'm going to assume that this doesn't exist as yet.

 

The on-boarding & off-boarding process is quite well documented in the Admin console under settings on the last two items - what I was looking for was any docs around these design decisions, but that's OK I've started creating it based on the latest high level slide deck. 

best response confirmed by David Caddick (Frequent Contributor)

Thanks @Ryen Macababbad I've already provided some feedback on Yammer.

 

Question - there doesn't appear to be much focus on applying the "Audit Only" settings and collecting data before changing to enforced? Some of the settings will have the capacity to be disruptive to business if pushed too aggressively too quickly? Thoughts?

@David Caddick Are you talking about Attack Surface Reduction Rules? In the ASR section (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/productio...) you'll see "In audit mode there is no end user impact all it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step by step move security controls into block mode."

What do you propose?   

Hi @Ryen Macababbad, I guess I'm hinting at the fact that it feels a bit like as a Deployment Guide it's a bit underdone? I'm not too worried as we have already run thru this ourselves and created our own.

But even the link in the Deployment Guide for ASR under rank = 3 is just a link to the overview of ASR Settings - I would have thought that it's not a bad idea to at least mention the Audit mode and some basic recommendation with a direct link would be an improvement?

 

Going slightly off topic - when we look at these specific settings in Intune they are all over the place, no grouping, not even in alphabetical order - that could really do with a clean up?

 

Dave C  

Direct messaged you to gain more clarity on the deployment guide feedback.

As far as Intune is concerned, I expect Microsoft Endpoint Manager (MEM) and the work on the DMAC portal at https://devicemanager.microsoft.com will address this "clean up" :) Stay tuned

Audit mode is not available for Automated Investigations unless you prompt user or auto-respond and EDR block mode also has to audit mode feature. Also ASR rules and EDR Block Mode can't be applied per group :( This looks like a beta version to be honest. Definitely desires better documentation.

David - I agree with your caution. I tried some deployment options on a R&D Subscription first and realised that it is easy to enable a blanket-wide enablement. This meant the deployment to each server would be in effect indeterminate and un-managed. I think there is a lot of complexity and confusion in this area. Especially for larger enterprises that desire a phased implementation.
Here is the guide that we use to configure Microsoft Defender for Endpoint best practices https://www.thecloudtechnologist.com/mdatp-best-practices/