Introduction
This article describes:
- What is Microsoft's Defender for Endpoint (MDE) service
- How to get started with the service
- How to get additional training on the service
Explanation
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help organizational unit (OU) admins prevent, detect, investigate, and respond to advanced threats. The MDE service supports macOS, Linux, and Windows devices. iOS and Android devices are not supported at this time. Below are some key elements of the service.
- Enables OU admins to identify vulnerable systems
- Prioritizes and provides remediation of endpoint vulnerabilities and misconfigurations
- Centralizes and automates monitoring and management
- Provides zero-day response to threats
This service allows departments to register up to five university devices (macOS, Linux, and Windows) for each departmental user with a Microsoft 365 (M365) A5 faculty-use license. A5 student-use licenses are not sufficient for this service. OU Admins can visit the Microsoft Defender for Endpoint Service Catalog entry to enroll their departments in the MDE service.
Getting Started Guide
If your hosts are sending Windows logs to the Virginia Tech Central Log Service (CLS), note that the Information Technology Security Office (ITSO) has approved dropping select Microsoft Defender for Endpoint internal debug logs. These logs will remain on the originating hosts but will be filtered from the outgoing logs by the configuration provided by the CLS.
- Register: Sign up for the service at the Microsoft Defender for Endpoint Service Catalog entry. It is required that your department completes this step before continuing.
- Verify: After registration is complete:
- Verify that two security groups have been created within your OU, "Defender OU-NAME Admins" and "Defender OU-NAME View-Only Admins". "OU-NAME" refers to the OU name that you entered in the form when requesting the service.
- Verify that you are a member of the "Defender OU-NAME Admins" security group that was created during registration. If you are not a member, make sure you and the other designated OU admins are added to this group. A minimum of two admins in this group is required.
- Deploy software: There are various paths to deploy MDE on devices: Intune (Windows), BigFix (Windows, Linux, and macOS), Jamf (macOS), and scripts for individual device installation.
- Tag devices: Device tagging is the mechanism that provides an OU-like structure and permissions within the service portal. Each enrolled device carries a tag whose value is your OU name.
- Windows
- Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
- Registry key value (REG_SZ): Group
- Registry key data: OU-NAME
- macOS
- Push out the key via a Configuration Profile (a .plist file). When you are creating the .plist file, add the following entry to configure the tag (the extracted fragment was missing the closing </string> element; it is restored here):
  <dict>
    <key>tags</key>
    <array>
      <dict>
        <key>key</key>
        <string>GROUP</string>
        <key>value</key>
        <string>OU-NAME</string>
      </dict>
    </array>
  </dict>
- Linux
- How to Install and Use Microsoft Defender in Linux - Make Tech Easier
- https://learn.microsoft.com/en-us/microsoft-365/security/endpoint/microsoft-defender-endpoint-linux?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide
- If you find that your endpoints are not showing up in your subsite OU, run the following command on the endpoint:
  $ sudo mdatp edr tag set --name GROUP --value OUName
- OUName is your OU name
- "Group" must be capitalized
- Read overview: Before heading to the portal to manage the devices, we recommend reading this overview: Microsoft Defender for Endpoint.
- Explore enrolled devices: Individual devices can be explored at the portal: Windows Security Center - specifically within the Devices section.
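The macOS tag entry in the Tag devices step above, as an added example that is not part of this guide: a small Python helper that builds the tags dictionary with plistlib and checks a profile for the GROUP tag, reporting a value that points at a different OU, a missing tag (the key comparison is case-sensitive), and malformed XML such as an unclosed <string> element. Only the tags dictionary from the guide is produced; the surrounding configuration-profile payload keys are not included, and the sample profiles are constructed for this example.

```python
import plistlib
from xml.parsers.expat import ExpatError

TAG_KEY = "GROUP"  # tag key from the guide; the comparison below is case-sensitive


def build_tag_profile(ou_name: str) -> bytes:
    """Return XML plist bytes for the Defender 'tags' entry with one GROUP tag."""
    if not ou_name or ou_name != ou_name.strip():
        raise ValueError("OU name must be non-empty with no surrounding whitespace")
    payload = {"tags": [{"key": TAG_KEY, "value": ou_name}]}
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def check_tag_profile(plist_bytes: bytes, expected_ou: str) -> str:
    """Classify a profile as 'ok', 'mismatch', 'missing' or 'malformed'."""
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return "malformed"  # unparsable XML, e.g. an unclosed <string>
    if not isinstance(data, dict) or not isinstance(data.get("tags", []), list):
        return "malformed"
    for tag in data.get("tags", []):
        if isinstance(tag, dict) and tag.get("key") == TAG_KEY:
            return "ok" if tag.get("value") == expected_ou else "mismatch"
    return "missing"  # no GROUP tag at all (a lowercase 'group' key lands here)


# Constructed sample: well-formed profile whose tag points at another OU.
WRONG_OU_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>tags</key><array>
<dict><key>key</key><string>GROUP</string><key>value</key><string>OtherOU</string></dict>
</array></dict>
</plist>"""

# Constructed sample reproducing a copy-paste error: the value's </string> is missing.
MALFORMED_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>tags</key><array>
<dict><key>key</key><string>GROUP</string><key>value</key><string>OU-NAME
</dict></array></dict>
</plist>"""

if __name__ == "__main__":
    profile = build_tag_profile("OU-NAME")  # replace with your OU name
    print(profile.decode())
    print("generated:", check_tag_profile(profile, "OU-NAME"))
    print("wrong OU:", check_tag_profile(WRONG_OU_PROFILE, "OU-NAME"))
    print("malformed:", check_tag_profile(MALFORMED_PROFILE, "OU-NAME"))
```

Run the check against the profile your MDM actually pushes before troubleshooting why a Mac does not appear under your OU in the portal.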
Additional Training
There is a lot of information available within the MDE portal. Below are links to additional training available to guide you through the options.
- This module provides an overview of Microsoft Defender for Endpoint: Protect against threats with Microsoft Defender for Endpoint.
- This learning path provides you with information about security management and reporting: Microsoft 365 Defender.