MDI Sensor vs Standalone Sensor - Updated Guidance


It appears that guidance on MDI Sensor vs Standalone Sensor has shifted towards discouraging Standalone sensors altogether. Standalone now lacks functionality, while all the older materials highlighting its benefits have been removed (e.g. higher stability/throughput; better security and separation of duties, especially when deployed as a member of a workgroup, etc.).


This begs the question - is Standalone on its way out? And what are the use cases you still believe it is best suited for?


Thank you!

5 Replies

@MDIAdminMax 
Integrated is clearly superior to standalone because it has many more data sources we can use to do detection and add additional security.

Using a workgroup standalone is better security-wise only in theory, assuming that it will be maintained and patched to the same level as a domain-joined machine. In most cases it is not...
There is no throughput change compared to integrated, but there is a possible scale issue if your DC is limited in scaling up and your current spec will not allow the additional resources needed for the sensor (an old physical machine, for example).

As of today, only 3.19% of the sensors we have are standalone. The number keeps dropping monthly.
For now there is no planned decision to remove this option, but in theory this can happen some time in the future once this number goes down to a ridiculous number...

The advice is clear: use integrated whenever possible, and use standalone as a last option.

Hey @Eli Ofek,


Do you have current data on the % sensors that are standalone? I am trying to discourage all customers from doing this, but some have concerns about allowing any internet traffic to DCs. It would be useful to get a steer about the roadmap of this, supportability, etc.


Thanks!

@Ru 

You don't need to allow any internet traffic from the DCs; you can use a proxy to allow only the specific URL for the sensor API (as described in Configure your proxy or firewall to enable Microsoft Defender for Identity communication with the se...

As for the % of standalone sensors, we see less than 0.5% worldwide.

The total number of standalone sensors WW has been significantly reduced since the last update (and keeps shrinking).
There is no change as of now in supportability, but I can say that the product group's focus is not on standalone. Most of the features require the integrated version nowadays.

You don't need to directly connect the DC to the internet.
A common design would be to use an internet proxy, with authentication, which is limited only to the MDI URLs or service tag IP ranges.
When installing the sensor, use the silent option with proxy parameters, which means only the sensor processes on the machine can use the proxy, and only to connect to the MDI backend.
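
The design described in the reply above, as an added example that is not part of the thread and not Microsoft's own script: a PowerShell wrapper that pre-checks the egress path from the DC, runs the sensor installer silently with the documented proxy parameters, and verifies the result. The proxy URL, proxy account, workspace name and installer path are placeholders (assumptions to replace); the allow-list that restricts the proxy to the MDI URLs or service-tag ranges is configured on the proxy itself and is not shown here.

```powershell
<#
  Added example, not code from the thread or from Microsoft: silent MDI sensor install on a
  domain controller with no direct internet access, routed through an authenticated proxy
  that the proxy admin has restricted to the MDI backend URLs / service-tag ranges.
  Assumed placeholders (replace them): the proxy URL and account, the workspace name and the
  installer path. /quiet, NetFrameworkCommandLineArguments, AccessKey, ProxyUrl,
  ProxyUserName and ProxyUserPassword are the installer's documented parameters.
#>
param(
    [Parameter(Mandatory)] [string] $AccessKey,                     # workspace access key from the MDI portal
    [string] $WorkspaceName = 'contoso-corp',                       # assumed; first label of <ws>sensorapi.atp.azure.com
    [string] $ProxyUrl      = 'http://proxy.corp.example:8080',     # assumed proxy; replace
    [string] $ProxyUserName = 'svc-mdi-proxy',                      # assumed proxy account; replace
    [string] $InstallerPath = '.\Azure ATP sensor Setup.exe'        # installer's documented file name
)

$ErrorActionPreference = 'Stop'

# Refuse anything that is not an explicit http(s)://host:port proxy; a bare hostname or a
# URL carrying a path usually means the value was copied from the wrong place.
if ($ProxyUrl -notmatch '^https?://[A-Za-z0-9.-]+:\d{1,5}/?$') {
    throw "ProxyUrl must be of the form http://host:port, got '$ProxyUrl'"
}
if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found at '$InstallerPath'"
}

# Prompt for the proxy password instead of hard-coding it in the script or a change ticket.
$secure        = Read-Host -Prompt "Password for $ProxyUserName" -AsSecureString
$proxyPassword = [System.Net.NetworkCredential]::new('', $secure).Password

$sensorApiHost = "${WorkspaceName}sensorapi.atp.azure.com"
$proxyUri      = [System.Uri]$ProxyUrl

# Pre-flight: the DC must reach the proxy on TCP, and should NOT reach the MDI backend directly.
# Test-NetConnection only attempts a TCP handshake; a name that does not resolve (typical for a
# DC without external DNS) or a blocked firewall rule both count as "not reachable".
$proxyProbe  = Test-NetConnection -ComputerName $proxyUri.Host -Port $proxyUri.Port `
                   -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
$directProbe = Test-NetConnection -ComputerName $sensorApiHost -Port 443 `
                   -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
$proxyReachable  = [bool]($proxyProbe  -and $proxyProbe.TcpTestSucceeded)
$directReachable = [bool]($directProbe -and $directProbe.TcpTestSucceeded)

if (-not $proxyReachable) { throw "Cannot reach proxy $($proxyUri.Host):$($proxyUri.Port) on TCP" }
if ($directReachable) {
    Write-Warning "$sensorApiHost is reachable directly on 443: the DC has an egress path that bypasses the proxy"
}

# Silent install. Passing the proxy settings to the installer stores them for the sensor
# processes only; the system/WinHTTP proxy and other software on the DC stay untouched.
$installerArgs = @(
    '/quiet',
    'NetFrameworkCommandLineArguments="/q"',
    "AccessKey=`"$AccessKey`"",
    "ProxyUrl=`"$ProxyUrl`"",
    "ProxyUserName=`"$ProxyUserName`"",
    "ProxyUserPassword=`"$proxyPassword`""
)
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $installerArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "Sensor installer exited with code $($proc.ExitCode)" }

# Post-install: both sensor services should exist and be running (service names as installed by
# the sensor package; confirm with Get-Service if they differ in your build).
$services = Get-Service -Name 'AATPSensor', 'AATPSensorUpdater' -ErrorAction SilentlyContinue

[pscustomobject]@{
    ProxyReachable        = $proxyReachable
    DirectEgressToBackend = $directReachable     # should be $false on a properly fenced DC
    InstallerExitCode     = $proc.ExitCode
    ServicesRunning       = @($services | Where-Object Status -eq 'Running').Count   # expect 2
}
```

Run it from an elevated PowerShell session in the directory that holds the installer, for example `.\Install-MdiSensor.ps1 -AccessKey '<key>' -ProxyUrl 'http://proxy.corp.example:8080'` (script name and values assumed). The two-sided pre-flight is the point: a proxy that is reachable proves nothing about the direct path, and a DC that can still open TCP 443 to the backend on its own has an egress route the proxy allow-list is not governing.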

@Eli Ofek @Martin_Schvartzman 


Thanks both, useful info & appreciate the metric on usage.