MDE Onboarding Best Practices

We are migrating from Kaspersky to MDE.

Our plan for onboarding our devices:

- Windows Clients via MEM, since they are HDJ and already enrolled in Intune.

- Windows Server onboarding via GPO.

Windows Clients are pretty straightforward.

But Windows Server:

We have created a GPO with the installer script (Install.ps1 from GitHub) to onboard 2012 R2 and 2016 - this should not be used for 2019 and above, right?

So a different GPO for Server 2019 and above with a scheduled task to trigger the onboarding .cmd.

We are thinking about using the security management feature so we could have everything in MEM, but since Domain Controllers can't be used we need GPO anyway.

Is this good practice or is there a better way?

Thanks.

cheers,

John

1 Reply

@John Matrix Correct, the https://github.com/microsoft/mdefordownlevelserver/blob/main/Install.ps1 is for the new downlevel server MDE client for Windows Server 2012 R2/2016. Windows Server 2019 doesn't need a new .msi package installed, since the client ships with the Windows Server 2019 OS. For the onboarding script on Windows Server 2019 and your DCs, you can use GPO.

On the member Windows Servers, for AV policy management, we recommend using the new MDE Security Management (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/security-settings-management-...). For now, on the DCs continue using GPO/DSC (Desired State Configuration) to manage AV policies.

When you get a moment, you should review the "Privileged administrator" documentation if you haven't already; it's available here: https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model. Thx.
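The two server paths described in the reply (Install.ps1 for 2012 R2/2016, the built-in Sense client plus the onboarding .cmd for 2019 and later) can be selected by one pre-flight script that the GPO scheduled task runs, so the wrong package is never pushed to the wrong OS version. The script below is an added example, not code from this thread or from Microsoft; the share paths are placeholders, and the `-OnboardingScript` parameter of Install.ps1 is assumed from that repository's README rather than taken from this page.

```powershell
# Added example: pre-flight check for a GPO scheduled task that onboards servers to MDE.
# Verifies whether the box is already onboarded, then picks the onboarding path by OS build.
# Placeholders: replace with the GPO onboarding package and Install.ps1 from your own share.
$OnboardingCmd   = '\\fileserver\mde$\WindowsDefenderATPOnboardingScript.cmd'   # placeholder
$DownlevelScript = '\\fileserver\mde$\Install.ps1'                               # placeholder

function Get-MdeOnboardingState {
    # OnboardingState = 1 under this key means the Sense client has completed onboarding.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    try { (Get-ItemProperty -Path $key -ErrorAction Stop).OnboardingState } catch { $null }
}

function Get-MdeOnboardingPath {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    if ($os.ProductType -eq 1) { return 'Client' }          # workstation: onboard via MEM/Intune instead
    if ($build -ge 17763)      { return 'BuiltIn' }         # Server 2019+: Sense ships with the OS
    if ($build -in 9600, 14393) { return 'Downlevel' }      # 2012 R2 / 2016: unified client via Install.ps1
    return 'Unsupported'
}

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$isDc  = $os.ProductType -eq 2                              # DCs stay on GPO/DSC for AV policy, per the reply
$state = Get-MdeOnboardingState
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

if ($state -eq 1 -and $sense -and $sense.Status -eq 'Running') {
    Write-Output "Already onboarded (DC: $isDc); Sense service running. Nothing to do."
    return
}

switch (Get-MdeOnboardingPath) {
    'BuiltIn'   { Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$OnboardingCmd`"" -Wait -NoNewWindow }
    'Downlevel' { & $DownlevelScript -OnboardingScript $OnboardingCmd }   # parameter name is an assumption
    'Client'    { Write-Warning 'Workstation OS: onboard through Intune/MEM, not this task.' }
    default     { Write-Warning "Build $($os.BuildNumber) is not covered by either onboarding path." }
}

# Re-check so the task log shows the outcome rather than just the attempt.
Write-Output "OnboardingState after run: $(Get-MdeOnboardingState)"
```

Run it as SYSTEM from the scheduled task with `-ExecutionPolicy Bypass`; the final OnboardingState line is what to look for in the task history when a server fails to appear in the portal.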