Study Guide Series: Exam MS-500 – Plan a Microsoft Defender ATP solution

This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.

Note: Microsoft Defender ATP has recently been renamed Microsoft Defender for Endpoint. This post will refer to it using the new name but the exam may contain references to the older name. For any topics referencing Microsoft Defender ATP, read as Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is an Enterprise Endpoint Security Platform which allows us to secure our client machines and servers using Microsoft Defender enhanced with the advanced threat protection feature set.

When planning deployment of Defender for Endpoint, there are a few considerations to take into account based on the configuration of your existing environment:

Identify Architecture

Identifying which architecture to use when deploying Defender for Endpoint is heavily influenced by your existing device management configuration. The different architectures to select from are:

  • Cloud-native
    • Microsoft Endpoint Manager (Intune) can onboard and configure endpoints easy
    • Supports Windows 10, Android, iOS and MacOS
    • Perfect for organizations with no on-premises Config Manager deployment including Cloud-Only organizations
    • Fully cloud based
  • Co-management
    • For organizations who currently use Config Manager and Intune to manage client devices
    • Can use Config Manager or GPO to enroll machines en masse
    • Perfect for organizations who currently use co-management with Endpoint Manager
  • On-Premises
    • For organizations who use Config Manager or other on-premises solutions such as GPO and want to remain in that state
    • Can use Config Manager or GPO to enroll machines en masse
  • Evaluation and local onboarding
    • For testing purposes only
    • Manually enroll devices by local script
    • Perfect for evaluating Defender for Endpoint

Deployment Method

Choosing a deployment method that your environment can support will help to enrol your devices with minimal effort. Deployment methods available:

  • Local Script
    • A local script downloaded from the Microsoft Defender for Endpoint portal can be used to manually enrol devices, this is best used for testing and “Once-off” enrolment of unmanaged devices
  • Group Policy
    • A GPO can be used to configure devices to enroll, this can be useful when no Endpoint Manager deployment is in place
  • Microsoft Endpoint Manager / Mobile Device Manager (Intune)
    • Endpoint Manager / Device Manager can be used for Cloud managed devices. This scenario is common when there is no on-premises footprint and devices are managed via Intune
  • Microsoft Endpoint Configuration Manager
    • Many large organizations use Endpoint Configuration Manager to manage and maintain client devices. This can be used to enroll devices to Defender for Endpoint
  • VDI Script
    • Non-persistent VDI images can also be configured to auto-enrol using the configuration located here

In the next post we will go through configuring and managing Defender for endpoint. For more information on planning a deployment, check out the Microsoft Documentation below:

Threat Protection (Windows 10) – Windows security | Microsoft Docs

Microsoft Defender for Endpoint – Windows security | Microsoft Docs

Plan your Microsoft Defender ATP deployment – Windows security | Microsoft Docs

Deployment phases – Windows security | Microsoft Docs

2 thoughts on “Study Guide Series: Exam MS-500 – Plan a Microsoft Defender ATP solution

  1. Pingback: Study Guide Series – Exam MS-500: Microsoft 365 Security Administration – Sean McAvinue

  2. Pingback: Study Guide Series: Exam MS-500 – Implement Microsoft Defender ATP – Sean McAvinue

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s