Thank you very much! The best most clear video I have seen on setting this up.
Great walkthrough - Maybe it is also worth mentioning that onboarding macOS to MDE incl. Purview (Endpoint DLP) would require a few deployments of config profiles to configure the accessibility, FDA, and background service permissions for Defender for Endpoint in order to, for example, enable the DLP sensor.
How do you add devices to a group?
If Sophos antivirus is installed, can we still use the onboarding logic, and how do we perform it with SCCM? 2) How to deploy Windows 10 Defender patches or definitions via SCCM: it is called EDR, and the Endpoint Protection role has to be installed to deploy Windows 10 Defender patches or definitions via SCCM.
I have SOPHOS on our endpoints, but want to onboard MD Defender for a few devices first to see how it works. Do you think I need to uninstall SOPHOS first, or should I go ahead with the onboarding and allow MD for Endpoint to go passive, or will SOPHOS automatically go passive? Any advice would be really appreciated.
Thanks, really well laid out step by step guide, thanks!
Glad it was helpful!
@mountaineersecurity The way you cover the how and the why, this is well laid out (thank you!)
Thank You!
Hello, I just got a Defender for Endpoint P2 licence for my lab, however I cannot see "Endpoints" in the settings of the Microsoft 365 Center. Does it take a long time to appear after I populated the licence to a user?
Did you see it yet or what was the fix if yet it was
@skoul27 The solution was time haha, I had to wait almost 24 hours to see the modules related to the licence
man great explanation thanks!
You solved my problems. THANKS.
Thank You!
Thanks for explaining in detail. What license do the users need to have for endpoint management to work? Or will just getting a Defender license and assigning it to the admin profile do the needful?
Users will need an Intune license in order for it to work. If you do not have Intune, you can still use MDE, you just can't use Intune to manage it.
Awesome Video. I have a Question.
What is the difference between Microsoft Defender for Endpoint and Microsoft Defender for Business?
And which one is the best?
Awesome video! We are in the process of moving off Trend Micro and plan to move over to using this for our AV and security software. Do you have any suggestions on where I can also find information on how others may have migrated off another security product onto MDE?
Sorry Joseph, I've been out on vacation! I have migrated many companies from 3rd party security products onto MDE. One of the great features of the MDE/ Defender AV design is that on Windows 10 machines, Defender AV never truly leaves the machine. When a 3rd party AV is installed on a Windows 10 machine, Defender AV will turn itself off. When the 3rd party AV is removed, Defender will turn itself back on (unless configured to be disabled by GPO). This means that the device will be protected throughout the migration to Defender for Endpoint. Here is a link that goes into more detail on the migration process. Thanks for the comment, I'll be posting more videos next week!
docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/migration-guides?view=o365-worldwide
@mountaineersecurity Thanks! I think now the only main thing I need to check on is roles and permissions. I assume we can piggyback off how we have it set up for Intune, or since the Security portal is different, would we need to start from scratch?
Hi, thank you for the video!
Question: What is the difference between this Configuration Policy you created and the EDR onboarding policy you can create with the setting "Auto from Connector"?
Another Question:
If I onboard devices from Intune to MDE, are the devices fully integrated to Microsoft Defender for Endpoint? Can I manage the Security just from Defender for Endpoint if I want to?
When should / can I use the Security Settings in Intune and when should / can I use the settings in the Defender for Endpoint?
What exactly is the difference in capabilities between an Intune managed device onboarded to MDE and a device directly onboarded to MDE? I am quite confused why you can manage the security settings on both ends..
Hi Cedric! There is no difference between the configuration profile that was created in the demo, and the EDR onboarding policy. It is just a matter of preference as to where you want to configure the policy.
You can manage security settings a few different ways. The first being with Intune and applying policy that way. The second is using MDE to manage settings by tagging the device in MDE, then using the Endpoint Security policies in Intune to deploy. This method is more for folks who want to utilize Intune security policies, but don't have devices onboarded onto Intune yet. This method does have some limitations such as not being able to configure and apply ASR rules, device compliance, etc. Below is a link to more on that. It's a great read!
docs.microsoft.com/en-us/mem/intune/protect/mde-security-integration#which-solution-should-i-use
@mountaineersecurity Thank you! That really helped me out.
As I understand it now:
1. When a device gets onboarded to MDE only, it will show up in MEM as an MDE managed device but you only have a limited amount of settings you can push. Still, most of the settings need to be configured in MEM within the security portal regardless of the onboarding.
2. With an Intune onboarded device which is integrated to MDE, you have the full capabilities and security settings. You also have to manage and configure the settings from within MEM in the security portal.
That is correct! Remember, when you are wanting to use MDE only to manage the settings ported from Intune, you will need to add the MDE-Management tag to the device. You will also need to enable the connector for this by going to the Intune portal>Endpoint Security>Microsoft Defender for Endpoint> "Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations" and switching the button to "On".
Thank you, I've been stuck in the Microsoft documentation that keeps sending you in a loop of links that end up in the same place. Whoever does that documentation at Microsoft should just learn to get to the damn point.
Does this work exactly this way with hybrid joined devices?
Great question! Yes, as long as the hybrid joined devices are enrolled into Intune.
Hi there, first of all, great video. It helps me with connecting MDE and MEM. Now I have already enrolled a device in MEM, but it does not show up in MDE. Do you have any idea why that is?
Hi,
Awesome Video.
Question- Do you use the configuration profiles to set ASR rules or can you use endpoint security?
Which one will pull through to the security portal if in audit mode?
ASR rules set from within Endpoint security - or if ASR rules are set to audit in a configuration profile?
and if they are handled differently, which would you recommend?
Thanks in advance!
We (in our company) only configure the ASR rules with Endpoint Security policy for Servers. We use the configuration profiles for regular devices since you can't add servers to configuration profiles. Other than that, if you onboard devices from Defender portal>Settings>Endpoints>Onboard, as shown in the video, you can use Endpoint Security policies for those devices (considering tenants with no Intune license).
Audit report will be there in both cases since they are technically the same settings in different places with Servers as an exception.
Hello, I have a problem with Intune defender, it detects the virus but it doesn't remove it even though the threat is serious and I have configured the Policy correctly, can you help me please? I've been looking for more than one but I can't find anything.
Hi, does this work with an E3 license?
Hi Dileep! This will work with an M365 E3 License as that license provides MDE Plan 1. You can also purchase the separate license for MDE as well.
docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide