Microsoft Defender for Endpoint


Lydia Kronawetter
Dec 7, 2021, 8:15:57 PM
to Techies for schools
Kia ora koutou, I have been seeing quite a few questions whizzing about Microsoft Defender for Endpoint.
To that end, we are running a 101 session for NZ school IT managers and partners at 3:00pm next Monday 13th December. This session will focus on the value of Microsoft DFE, how it can work for your school and what resources are available to support you. There will also be a Q&A segment.

Please register:

If you can't make it (appreciate 'tis a busy time of year), we will be recording the session.

Ngā mihi,

Lydia
Microsoft Aotearoa

Simon Wright
Dec 7, 2021, 8:59:00 PM
to techies-f...@googlegroups.com
Thanks, have registered.


Regards,

Simon Wright



Lydia Kronawetter
Dec 13, 2021, 5:55:55 PM
to Techies for schools
Kia ora ano,

Thank you to those that joined us for yesterday's Microsoft Defender for Endpoint Overview webinar.

As promised, please find follow up resources below:

MDFE Webinar Recording
MDFE Webinar Presentation

As a follow up from Monday's overview webinar, please join us for a live demo of a tenant walkthrough focused on enabling Microsoft Defender for Endpoint. This session will provide you with hands-on insight into Defender for Endpoint and an opportunity to ask specific questions about your school's deployment plan for the product.

This session will be hosted at 1:00pm - 2:00pm this Friday 17th December, please register here. If you are unable to make it, the session will be recorded.

And if you would like more support:
  • For information about Microsoft licensing, please reach out to Datacom via nzsc...@datacom.co.nz.
  • Join our 'M365 Aotearoa Akomanga' Yammer group by completing this Form and stay up to date with more sessions like this.
  • If you would like to book a 1-on-1 session with one of our cybersecurity experts, please book a session here.

Ngā mihi nui,

Lydia
Microsoft Aotearoa

Matt Strickland
Dec 29, 2021, 3:51:16 PM
to Techies for schools

Hi all,

Just a few questions (as I missed the last live-demo session; is it yet to be posted?) around licensing and configuration.

Licence Assignment: Do I assign licences to devices? (only owned devices?)
I've tested on-boarding using GPO and Azure MDM and both are working, but I have not assigned any licences - only to myself as a user to connect Azure to Microsoft Endpoint.

Security baselines/profiles:
Clicking 'learn more' in the configuration settings for each policy doesn't give much information about what that policy does, e.g. 'Network Protection' (so I'm manually finding support articles). I don't want to enforce a policy prematurely without knowing what impact it may have for end users.

Is anyone using security baselines with defender and taking a global approach? I can see the long-term benefit here but I'm more comfortable implementing incrementally. I do have separate profiles (around 2FA enforcement, encryption, and now Antivirus, which when comfortable I will combine in a security baseline)

The on-boarding I'm happy with, but at minimum I'd like to get a profile similar to what we have now, then as time allows enhance and combine it. All for the start of 2022 :)

Ngā mihi,

Matt
Karamu High School

Andrew Godfrey
Dec 29, 2021, 4:21:08 PM
to techies-f...@googlegroups.com
When we watched the Livestream, we asked whether we can licence our devices and were told we needed to licence individuals and not devices.

Not so useful for the way we have our shared devices configured.


Matt Strickland
Dec 29, 2021, 5:08:16 PM
to Techies for schools
Thanks Andrew,

The Ministry stated:
"Please note: Microsoft Defender for Endpoint licensing only applies to school owned or leased desktops, laptops and tablets. Student Use Benefits do not apply."
and go on to say:
"Assign the Microsoft Defender for Endpoint Licences to users via the Microsoft 365 admin portal or the Azure Portal."

So we just assign each user a licence that might use one of those devices, which is easier for me, just much higher as I'll licence everyone.

Matt

Pete Mundy
Dec 29, 2021, 10:43:46 PM
to techies-f...@googlegroups.com
I was hoping to install it on the Windows server that runs the pool gate... (headless - no 'users').

I guess we're destined to be square pegs in Microsoft's round hole!

Marlon Yu
Dec 31, 2021, 3:32:42 AM
to techies-f...@googlegroups.com

Hi Matt,

Having missed the same session, I’ve decided to use my own Windows laptop as a guinea pig. Not sure if this helps but:

  1. I have set the Attack Surface Reduction items to Audit except for “Block executable content download from email and webmail clients” which is set to Warn. This should give me an idea of what each setting will block if enabled.
  2. I’ve pretty much accepted the default settings in the Firewall and Microsoft Defender sections
  3. Configured Smart Screen to mimic our current settings (turned on and set to warn users but still allow them to ignore the warnings)
  4. We don’t use the other sections like BitLocker (yet) so have set those as Not Configured

Have not noticed anything concerning so far … Outlook still works, browsers still open websites and I can get to OneDrive and Google Drive files as well as use the VPN and no alerts have been generated so far from any of the items I set to Audit.

Our Macs are all soon to be managed by Jamf so have set the recommended settings there too and no complaints thus far from the few that have been onboarded.

They have all appeared in the Security Center as well so I know Defender is active.

The licensing aspect is a bit interesting. I hope that since the MS NZ Education team are on this group, they’ll be able to shed light on our questions. In my experience with this change, having prioritized the onboarding rather than the license assignment since they were made available late, it doesn’t seem to affect the protection (at least the basic ones) Defender provides. I got alerted that it blocked a file one user tried to access that was infected with Zbot and warned me of a couple of users who downloaded Potentially Unwanted Apps; all of whom didn’t have a license assigned yet. So it may just be a compliance matter. If it is, that could be a path for shared devices provided the number of kiosks and lab machines we have is equal to or less than 4 x number of staff (each license is allowed for up to 5 devices I believe). Otherwise, in the absence of a device licensing scheme, it’s going to be a bit ridiculous to have to pay for ~1000 students who could potentially use ~200 lab machines (each of whom will only use the machine for 1 period a day).

Another problem is that the current MS/MoE agreement does not appear to cover servers as mentioned in the 1st webinar. Since the onboarding process is the same, I assume here again that it is just a compliance issue. In any case, I’ve fired off a request to Datacom for pricing on the server licenses. My Google results have all indicated other sysadmins having the same questions and no one seems to know how to assign licenses to servers with a few commenting that they don’t and they just buy the licenses for coverage boosting my belief that it is just a compliance thing. From what I can glean online, the server license is of a different SKU so no joy on using the “extra” user licenses to cover them too.

Cheers and happy new year to everyone!

Marlon Yu, PMP, MIITP
IT Services Manager
Ph +64 (9) 477 0150 Ext 650

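Marlon's staged approach (everything in Audit, one rule in Warn, then watch what would have fired before enforcing) can be reproduced and checked on a test machine before it is turned into an Intune profile. The script below is an added example and is not code from this thread or from Microsoft. It relies on the documented Set-MpPreference / Get-MpPreference cmdlets and Microsoft's published ASR rule GUIDs; the particular subset of rules, the seven-day lookback and the event-data field names used when parsing the log are assumptions made for illustration.

```powershell
# Added example (not from the thread): stage ASR rules as Marlon describes,
# Audit everywhere except Warn for "Block executable content from email client and webmail",
# then verify the effective settings and list what Audit mode would have blocked.
# Run in an elevated PowerShell on a device with Defender AV active. If the device is
# already under an Intune/MDM ASR policy, that policy takes precedence over local changes.

$Audit = 2
$Warn  = 6   # ASR action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn

# Subset of Microsoft's ASR rule IDs; which rules to stage is an assumption for this example.
$Rules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = $Warn   # Block executable content from email client and webmail
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = $Audit  # Block all Office applications from creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899' = $Audit  # Block Office applications from creating executable content
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = $Audit  # Block execution of potentially obfuscated scripts
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = $Audit  # Block credential stealing from LSASS
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = $Audit  # Use advanced protection against ransomware
}

# Ids and Actions are parallel arrays; build both from one enumeration so they stay aligned.
$ids = @(); $actions = @()
foreach ($rule in $Rules.GetEnumerator()) { $ids += $rule.Key; $actions += [int]$rule.Value }
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Read back what Defender actually holds; this is what to compare against the Intune profile later.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
$effective = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { $code }
    }
}
$effective | Format-Table -AutoSize

# Audit-mode hits land in the Defender operational log: 1122 = audited (would have blocked), 1121 = blocked.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml(); $d = @{}
    foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
        RuleId  = $d['ID']            # event-data field names as seen in the event XML (assumption)
        Target  = $d['Path']
        Process = $d['Process Name']
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

The useful output is the second table: a rule that keeps producing 1122 events for a legitimate classroom application is the one that needs an exclusion (or should stay in Warn) before the profile is switched to Block. An empty table after a week of normal use, as Marlon reports, is the signal that the rule can be enforced.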

Kent Champion
Jan 2, 2022, 3:05:00 PM
to Techies for schools

Hi Guys,

Pete - Marlon is right that there is a different SKU for server licensing. Go to time mark 50 minutes and 40 seconds in the first MDFE Webinar Recording to hear what is available for servers.

Matt – currently it is user licensing for onboarding, not device-assigned licensing. I have asked David Ogborne to query why we aren't using device licensing. Here is the recording link https://microsoft-my.sharepoint.com/:v:/p/v-clockwood/EdEl1DDwS2BOg3gn8fAYx3UBwHig-IKV_1b42o5pIpUm3g from the Microsoft Defender for Endpoint - Live Demo of a Tenant Walkthrough; after clicking the link you'll have to request access.

FYI A5 licensing is not yet assigned to my tenant, lets hope it is just because of the public holidays.

Hope the above info helps.

Stephen Rainey
Jan 2, 2022, 5:37:00 PM
to techies-f...@googlegroups.com
No, they gave us Microsoft 365 A3 for faculty instead, which means all our users that use Office 365 A3 for faculty might be getting a "subscription has expired" message. I have to give them the new subscription until they update it to a Microsoft 365 A5 for faculty subscription.

Steve

Kent Champion
Jan 2, 2022, 6:23:37 PM
to Techies for schools
Hey Steve,

You have to apply to get A5 licensing; click on this link to apply: Request for A5. I had already applied for A5, which is meant to be available from 1/1/2022 according to the new MOE agreement.
This is the state of our tenant licensing. I assume yours will be the same; the new A3 and A5 are meant to be active now, but clearly they are not, as you can see.

Licensing.jpg

Stephen Rainey
Jan 2, 2022, 6:50:11 PM
to techies-f...@googlegroups.com
I was looking at it in Azure, which showed that certain subscriptions were not being renewed.
image.png

Steve

Sam McNeill
Jan 5, 2022, 2:43:21 PM
to Techies for schools
Morning Guys,
Happy New Year - I've seen (briefly) some of the comments here whilst I was away on leave (first day back today).

I won't comment on the specific MoE Schools Agreement details as I'm no longer on that account (Lydia may chime in), but to address a couple of points:


For specific questions related to this deal with the MoE, suggest you reach out to Lydia or Datacom directly,
Hope this help,
Cheers
Sam

Jeffrey B
Jan 5, 2022, 6:57:11 PM
to techies-f...@googlegroups.com
Hi Sam, thanks for the clarification. Do you know if there is a shared licensing model like for Office, where the licence just passes through each time?

Being user-based only does seem to indicate that this deal is focused more on high schools and higher-decile schools that can allocate one dedicated device per user. We have a lot of shared devices and so this model is not ideal. May have to just use the built-in Windows Defender till we can figure out something else.

Jeffrey.


Ben Green
Jan 5, 2022, 6:58:39 PM
to Techies for schools
Hi Sam, thanks for joining in.

I think some licencing confusion has arisen out of previous MoE announcements, e.g.:

"There is both user and device licensing for Defender for endpoint.  User for Faculty and device for school owned devices."

and
"We have renewed our Microsoft software agreement for another three years.
[...]
The agreement also includes M365 A5 licences and Defender for Endpoint for all school-owned devices."

Also, Datacom's "Microsoft Defender for Endpoint Form" asked for a device count, not a user count.


The Joint MOE/Google/Microsoft presentation for school IT Administrators sessions (e.g. 3rd Nov) definitely talked about the provision of both A5-Faculty licences plus additional Defender-for-Endpoint licences for additional devices.

That was the high-level service being delivered. I could believe that the actual implementation involves only licensing users, and therefore there will need to be enough Defender licences to cover everyone that can log in (which includes all students).

- Ben.

Christchurch Boys' High School
phone: +64 3 348 5003
address: 71 Straven Road, Riccarton, Christchurch 8014
postal: PO Box 8157, Riccarton, Christchurch 8440
web: www.cbhs.school.nz

Sam McNeill
Jan 5, 2022, 7:20:03 PM
to Techies for schools
Hi Jeffrey,

If the MDE client is installed on the shared device it will likely "work" ... I think Marlon indicated above this is a compliance issue/enforcement vs a technical issue/enforcement. This documentation also makes this clear and provides guidance on how to restrict access to licensed users (i.e. faculty):


I won't comment on the intricacies of the specific deal, aside from to repeat that Student Use Benefit does not apply for MDE so any students using shared devices (or even dedicated 1:1 with MDE installed) would need to be licensed users in any context/agreement as an education customer.

Ben - thank for the snips of the various comments and the context. Perhaps Paul/Datacom/Lydia will clarify here on this specific agreement.

Cheers
Sam

Lydia Kronawetter
Jan 10, 2022, 7:15:21 PM
to Techies for schools
Kia ora, 

A very happy new year to you all.

Linked below are resources from our second Defender for Endpoint session held at the end of December: 


As Sam mentioned and unlike the M365 licensing in A3/A5, there is no Student Use Benefit for Microsoft Defender for Endpoint - the same as the previous endpoint product, I understand. However, if a student is running a supported version of Windows, they already have Microsoft Defender built in, helping to protect them against viruses, spyware, and other malware. More information linked here

With regards to shared devices, we are currently working with Datacom to ensure Defender for Endpoint can compliantly be used on shared devices (i.e. computer labs, workstations), as this is the intention and expectation. This has been raised as urgent with our licensing team and we will aim to have guidance for you within the next 48 hours.

As a reminder, we have David Ogborne available for 1:1 sessions to work through any Defender for Endpoint, A3/A5 or general Microsoft queries. Please do leverage this support, as David is purely dedicated to assisting schools and edu IT partners with their configuration and set up. Book a session here now

Ngā mihi, 

Lydia

Matt Strickland
Jan 12, 2022, 12:07:16 AM
to Techies for schools
Thanks Marlon,

I've adapted your settings and applied to a few machines.
The only minor issue was that on my desktop I was running RDP on a different port, so I added a config profile > W10 Later > Endpoint Protection, modified the Firewall Rules section to add a port, and applied it to that machine.
I will assume 3389 might be trusted/enabled but haven't tested it yet.

 Next will be how shared devices are licenced (or at least considered within compliance if the users are not) so will wait on Datacom for that.

I also need to onboard TELA-based Macs and just need to check if the helpdesk can enrol these in Apple School Manager or if I'll be using a personal device join. (I know there has been discussion about that previously.)

Matt

David Ogborne
Jan 12, 2022, 8:44:03 PM
to Techies for schools
Hi All, 

Feel free to reach out to myself if you need any onboarding support for Defender for Endpoint. You can click here to book a slot in my calendar: https://outlook.office365.com/owa/calendar/MicrosoftSecu...@defend.co.nz/bookings/

As you are deploying Defender for Endpoint you will also want to consider enabling the ability to report on the firewall blocking connections. Check out this article for more details:  Host firewall reporting in Microsoft Defender for Endpoint | Microsoft Docs

And you may want to set device tags within Endpoint Manager (Intune) to easily identify devices within the security center (and set the auto remediation level). You can use Intune to set a device tag by creating a custom device configuration profile. The OMA-URI setting is ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group, the data type is String, and the value is the device tag. This can then be applied to devices with an Azure AD group.

David. 
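The DeviceTagging OMA-URI David describes is written by the MDM client into a registry value, so the same tag can be applied from a script (for example through the Intune scripts feature, or by hand on a device that is not MDM-enrolled) and, more usefully, the script can first confirm the sensor is actually onboarded, which is the local counterpart of Marlon's "they appeared in the Security Center" check. This is an added example, not code from the thread or from Microsoft; the registry paths and the Sense service name are the documented ones, and the tag value 'Lab-Shared' is a placeholder chosen for this example.

```powershell
# Added example (not from the thread): set an MDE device tag through the registry value
# the DeviceTagging CSP maps to, after checking that the device is onboarded.
# Run elevated; the Intune scripts feature runs as SYSTEM by default, which is also fine.
param([string]$Tag = 'Lab-Shared')   # placeholder tag for this example

$tagKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

# 1. Is the sensor onboarded? OnboardingState = 1 once the onboarding package has been applied.
$state     = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
$onboarded = ($state -eq 1)
if (-not $onboarded) {
    Write-Warning "MDE sensor is not onboarded on $env:COMPUTERNAME; the tag will be stored locally but never reach the portal."
}

# 2. Write the tag. 'Group' is the value name behind .../DeviceTagging/Group; a device holds one such tag.
if (-not (Test-Path $tagKey)) { New-Item -Path $tagKey -Force | Out-Null }
Set-ItemProperty -Path $tagKey -Name Group -Value $Tag -Type String

# 3. Read back and report, including whether the Sense service is running.
$applied = (Get-ItemProperty -Path $tagKey -Name Group).Group
$sense   = Get-Service -Name Sense -ErrorAction SilentlyContinue
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Onboarded  = $onboarded
    SenseState = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
    DeviceTag  = $applied
}
```

Two practical points: a tag set this way (or via the OMA-URI) appears in the portal after the device's next check-in and can only be changed or removed by changing the registry value or the profile, not from the portal UI; and the onboarding check is worth running on its own across a lab, since a machine that imaged correctly but never ran the onboarding script will pass every local Defender AV test while still being invisible in the security center.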

Lydia Kronawetter
Jan 17, 2022, 11:32:07 PM
to Techies for schools
Afternoon all, 

Just a note to say we are making progress on the shared device scenario for Defender for Endpoint. Progress has been delayed but is looking positive for schools and partners.

I look forward to sharing a more concrete update with you in the coming days. 

Lydia

Matt Strickland
Jan 18, 2022, 8:53:25 PM
to Techies for schools
Has anyone here enabled firewall reporting via endpoint?
There doesn't seem to be a policy in Admin Templates, so I've created a custom CSP.
Are these OMA-URIs correct?

./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFilteringPlatformPacketDrop
./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFilteringPlatformConnection

from reading:

Should this not be something included in the firewall section of endpoint templates?

Matt

David Ogborne
Jan 18, 2022, 10:28:26 PM
to techies-f...@googlegroups.com
Hi Matt, 

This is still in preview - so probably awaiting integration into a policy somewhere. 

I created two PowerShell scripts that enable the reporting and used the scripts feature within Intune. You could combine them:
  • The two PowerShell commands are:
    • auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
    • auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

Results in reporting: 
image.png



--
Regards,
David Ogborne
+64 21 463 574

Matt Strickland
Jan 19, 2022, 6:18:48 PM
to Techies for schools
Thanks David,

FYI those OMA-URIs are correct if anyone wanted to avoid using scripts and use a configuration profile (I am trying to do as much as I can using profiles/templates):
> auditpol /get /category:*
>  Filtering Platform Packet Drop          Failure
>  Filtering Platform Connection           Failure

Some of my users have issues with scanning on their home network back to their device, so it's no doubt a firewall issue (I'm using an endpoint baseline), so I will look at this further.

firewall.JPG
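David's two auditpol commands and Matt's equivalent Audit CSP OMA-URIs both do the same thing: turn on Failure auditing for the two Windows Filtering Platform subcategories, which is what the host firewall report in the portal is built from. The script below is an added example, not code from the thread or from Microsoft: it combines the two commands into one script as David suggests, verifies the result the way Matt did (auditpol /get, reading the CSV form of the output), and then summarises the block events that auditing produces so the cause of a problem like Matt's home-network scanning can be read straight from the Security log. The 24-hour window and the top-15 cut-off are assumptions for illustration.

```powershell
# Added example (not from the thread): enable WFP failure auditing (the same two subcategories
# David's scripts set), verify it, and summarise the resulting firewall block events.
# Run elevated. Security log event IDs: 5152 = WFP blocked a packet, 5157 = WFP blocked a connection.
# Equivalent Intune custom OMA-URIs (Audit CSP, integer): value 2 = Failure only.

$subcategories = 'Filtering Platform Packet Drop', 'Filtering Platform Connection'

foreach ($sub in $subcategories) {
    # Failure only: Success auditing on "Filtering Platform Connection" writes 5156 for every
    # allowed connection and will flood the Security log within hours on a busy machine.
    auditpol /set /subcategory:"$sub" /success:disable /failure:enable | Out-Null
}

function Test-WfpAuditing {
    # Returns $true only when both subcategories report Failure auditing (what Matt's /get output shows).
    foreach ($sub in $subcategories) {
        $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv | Select-Object -First 1
        if ($row.'Inclusion Setting' -notmatch 'Failure') { return $false }
    }
    return $true
}
"WFP failure auditing enabled: $(Test-WfpAuditing)"

# Summarise recent blocks by direction, destination and process. Direction arrives as a
# resource string id in the event XML; 14592 = Inbound, 14593 = Outbound.
$dirName = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$filter  = @{ LogName = 'Security'; Id = 5152, 5157; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml(); $d = @{}
    foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
    [pscustomobject]@{
        Id        = $_.Id
        Direction = if ($dirName.ContainsKey($d['Direction'])) { $dirName[$d['Direction']] } else { $d['Direction'] }
        Source    = "$($d['SourceAddress']):$($d['SourcePort'])"
        Dest      = "$($d['DestAddress']):$($d['DestPort'])"
        Protocol  = $d['Protocol']      # IANA protocol number, e.g. 6 = TCP, 17 = UDP
        App       = $d['Application']
    }
} | Group-Object Direction, Dest, App | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 | Format-Table -AutoSize
```

For Matt's case the lines to look for are Inbound entries whose Source is the home scanner's address and whose Dest port is the scanning service; that identifies the exact port and program that the baseline's inbound rules are dropping, so the fix can be a single targeted rule in the Endpoint protection profile's Firewall Rules section (as Matt did for his RDP port) rather than loosening the baseline. Once the OMA-URIs or the script have been deployed through Intune, Test-WfpAuditing is a quick way to confirm on a sample device that the policy actually landed before expecting data in the portal's firewall report.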

Lydia Kronawetter
Feb 14, 2022, 11:18:15 PM
to Techies for schools
Kia ora all,

Microsoft and the Ministry of Education can now confirm that Microsoft Defender for Endpoint can be used on school-owned shared devices, as part of the Schools' Agreement. This means devices used by students as part of computer labs and libraries can be onboarded and covered by the Defender for Endpoint product.

If you or your team would like assistance onboarding shared devices, please reach out to my colleague David Ogborne (v-dog...@microsoft.com) who is also in this thread. 

To request Defender for Endpoint licences, please submit a request directly to Datacom via this form.

Ngā mihi nui,

Lydia

David Ogborne
Feb 15, 2022, 9:06:46 PM
to Techies for schools
Hi All, 

I've put together a guide on deploying and configuring Defender for Endpoint. Please let me know if you have any feedback. 

Thanks,
David. 

Microsoft Defender for Endpoint - K-12 Readiness CY2021Q4 .docx