This section provides a list of the key considerations and recommendations when deploying the Windows Defender ATP service.
Client types:
- Endpoints should be running Windows 10 version 1706 (Creators Update)
- Confirm that the standard build is configured appropriately to ensure the service can run without impacting the performance of the device
- Run a test to ensure all sensor information is collected correctly (refer to details about collecting an investigation package in the Take responsive actions section later in this chapter)
- Sufficient licenses should be owned and assigned to users and devices
- Internet connectivity should be enabled to ensure communication between endpoints and the ATP service, with sufficient bandwidth available for the number of clients that will be reporting daily
- Consider which clients are at high risk and may require a higher reporting frequency
- Also mark which clients should be excluded from submitting samples for deep inspection
Choice of anti-malware:
- The solution will work with compatible third-party antivirus and security solutions, but no response actions will be available; only alerting and investigation
- Using Windows Defender Antivirus (AV) will enable automatic file blocking across the organization, as well as any other response actions that are developed in the future
Locations:
- Data will be stored in US or EU data centers only. Consider which is most appropriate for your organization. This option cannot be changed once the tenant is deployed.
- Consider if the security of all endpoints will be managed by the same team. With a global deployment, there may be multiple teams that require access to the ATP portal to view alerts and carry out investigations. Does this require separate tenants, or can all devices report to a single tenant?
Managing clients and alerts:
- Decide which options will be used to manage the endpoints: Group Policy Objects (GPO), System Center Configuration Manager (SCCM), or Mobile Device Management (MDM).
- Consider using the manual script for configuring individual endpoints during proof of concept, first pilot, and some BYOD deployments.
- Decide who will administer the portal for configuration and for monitoring alerts. Configuration requires the security admin role. Monitoring alerts only requires the security reader role.
- Develop a procedure to ensure that alerts are monitored, assigned, investigated, and resolved appropriately.