Understanding Microsoft's Defender for Endpoint


Introduction

This article describes

  • What is Microsoft's Defender for Endpoint (MDE) service
  • How to get started with the service
  • How to get additional training on the service

Explanation

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help organizational unit (OU) admins prevent, detect, investigate, and respond to advanced threats. The MDE service supports macOS, Linux, and Windows devices. iOS and Android devices are not supported at this time. Below are some key elements of the service.

  • Enables OU admins to identify vulnerable systems
  • Prioritizes and provides remediation of endpoint vulnerabilities and misconfigurations
  • Centralizes and automates monitoring and management
  • Provides zero-day response to threats

This service allows departments to register up to five university devices (macOS, Linux, and Windows) for each departmental user with a Microsoft 365 (M365) A5 faculty-use license. A5 student-use licenses are not sufficient for this service. OU Admins can visit the Microsoft Defender for Endpoint Service Catalog entry to enroll their departments in the MDE service.

Getting Started Guide

  1. Register: Sign up for the service at the Microsoft Defender for Endpoint Service Catalog entry. It is required that your department completes this step before continuing.
  2. Verify: After registration is complete, verify that you are a member of the "Defender OU-NAME Admins" security group that was created during registration. "OU-NAME" refers to the OU name that you entered in the form when requesting the service. If you are not a member, make sure you and other designated OU admins are added to this group. We recommend having a minimum of two admins in this group.
  3. Deploy software: There are various paths to deploy MDE on devices: Intune (Windows), BigFix (Windows, Linux, and macOS), Jamf (macOS), and scripts for individual device installation.
  4. Tag devices: Device tagging is the mechanism that provides an OU-like structure and permissions within the service portal. Each enrolled device must carry a tag whose value is your OU-NAME.
    • Windows
      • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
      • Registry key value (REG_SZ): Group
      • Registry key data: OU-NAME
    • macOS
      • Push out the key via a Configuration Profile (a .plist file). When creating the .plist file, add the following entry to configure the tag (every <string> element must be closed, otherwise the profile will not parse):
        <dict>
          <key>tags</key>
          <array>
            <dict>
              <key>key</key>
              <string>GROUP</string>
              <key>value</key>
              <string>OU-NAME</string>
            </dict>
          </array>
        </dict>
    • Linux
  5. Read overview: Before heading to the portal to manage the devices, we recommend reading this overview: Microsoft Defender for Endpoint.
  6. Explore enrolled devices: Individual devices can be explored in the portal (Windows Security Center), specifically within the Devices section.
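The Windows part of step 4 as an added example (not from the original article): a PowerShell snippet that writes the DeviceTagging registry value described above and then reads it back so the admin can confirm the tag before the device reports in. The OU name 'EXAMPLE-OU' is a placeholder for the OU-NAME chosen at registration; run it in an elevated session.

```powershell
# Added example, not from the original article. Sets the MDE device tag on Windows
# by writing the REG_SZ value "Group" under the DeviceTagging policy key, then verifies it.
$OuName  = 'EXAMPLE-OU'   # placeholder: replace with the OU-NAME entered at registration
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Set-MdeDeviceTag {
    param([Parameter(Mandatory)][string]$Tag)
    # The Policies branch is usually absent on a fresh device, so create the key first.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Value name "Group", type REG_SZ, data = OU name (as listed in step 4). -Force overwrites an old tag.
    New-ItemProperty -Path $KeyPath -Name 'Group' -PropertyType String -Value $Tag -Force | Out-Null
}

function Get-MdeDeviceTag {
    # Returns the current tag, or $null when the key or value is missing.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name 'Group' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.Group
}

Set-MdeDeviceTag -Tag $OuName
$actual = Get-MdeDeviceTag
if ($actual -ne $OuName) {
    throw "Device tag verification failed: expected '$OuName', found '$actual'"
}
Write-Host "MDE device tag is set to '$actual'; the device will appear under this tag once it reports to the portal."
```

Get-MdeDeviceTag alone is a handy check to run across a fleet (for example via BigFix or a remote session) to find devices that were onboarded but never tagged.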

Additional Training

There is a lot of information available within the MDE portal. Below are links to additional training available to guide you through the options.