MDE Onboarding and Deployment

Prerequisites

Client computers should already be running the Configuration Manager client and be onboarded to the EPM Campus Configuration Manager.
Set the utexasEduAzureSingle1 attribute on any OUs in Active Directory to the Department Code that owns the devices under it.
If all of your devices fall under one department code, BUSD, for example, place BUSD in utexasEduAzureSingle1 on austin.utexas.edu/Departments/BUSD.
Set the utexasEduAzureSingle2 attribute on any OUs in Active Directory to the Department Code for the IT Support Organization (ITSO) that supports the devices under it.
If all of your devices fall under the support of one particular IT Support Organization, like FISH, place FISH in utexasEduAzureSingle2 on austin.utexas.edu/Departments/ITS. Otherwise, place the appropriate ITSO code on each OU's utexasEduAzureSingle2 attribute.
Endpoints must have network line-of-sight to Azure.

How to set an attribute on an OU

  1. Open Active Directory Users and Computers (ADUC).

    1. Click on View and then enable "Advanced Features" if it's not already checked.

  2. Right click on the OU you want to set the attribute on, then click on Properties.

  3. Click on the Attribute Editor tab and scroll until you find utexasEduAzureSingle1.

    1. Select it and click the Edit button to set your department code.

  4. Click the OK buttons to save your changes.

To make the above changes, your account must be an owner of the OU you are editing.
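The ADUC steps above set the attributes one OU at a time. As an added example (not part of the original page), the following PowerShell audits every OU directly under the Departments container and reports which ones are missing utexasEduAzureSingle1 or utexasEduAzureSingle2, so you can confirm the prerequisite before onboarding; it assumes the ActiveDirectory RSAT module is installed and uses the page's austin.utexas.edu/Departments path as the search base.

```powershell
# Added example, not from the original page: audit the department-code
# attributes that must be set on OUs before MDE onboarding.
# Assumes the ActiveDirectory RSAT module and read access to the OUs.
Import-Module ActiveDirectory

# Search base taken from the page's example path; adjust to your own OU.
$SearchBase = 'OU=Departments,DC=austin,DC=utexas,DC=edu'
$Attrs      = 'utexasEduAzureSingle1', 'utexasEduAzureSingle2'

$report = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
            -SearchScope OneLevel -Properties $Attrs |
    ForEach-Object {
        $ou = $_
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            OwnerDept = $ou.utexasEduAzureSingle1   # department that owns the devices
            ITSO      = $ou.utexasEduAzureSingle2   # IT support organization
            # list any attribute that is still empty on this OU
            Missing   = ($Attrs | Where-Object { [string]::IsNullOrEmpty($ou.$_) }) -join ','
        }
    }

$report | Format-Table -AutoSize

# To fix an OU found by the audit, set the attribute(s) with -Replace.
# Values below are the page's examples (BUSD owner, FISH support); -WhatIf
# previews the change, remove it to apply. Your account must own the OU.
foreach ($row in ($report | Where-Object { $_.Missing })) {
    Set-ADOrganizationalUnit -Identity $row.OU `
        -Replace @{ utexasEduAzureSingle1 = 'BUSD'; utexasEduAzureSingle2 = 'FISH' } -WhatIf
}
```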

Remove Non-Microsoft Antivirus/Antimalware

If a device is enrolled in MDE but has a non-Microsoft AV product installed, Defender operates in passive mode. With no third-party AV product installed, Defender runs in active mode; once the device is onboarded to MDE it forwards telemetry, and the Defender settings configured via Configuration Manager are applied.
Cisco Endpoint Protection (formerly AMP) as well as any other 3rd party antivirus product can be removed at any stage of the onboarding process for versions of Windows that include Defender.

Per ISO guidance, campus units are advised to migrate to Defender as soon as possible: https://security.utexas.edu/education-outreach/anti-virus

Important

Defender protection and policies will not be active until third-party antivirus solutions have been removed.

Device Tagging

Create a Configuration Item/Configuration Baseline in Configuration Manager that sets (and remediates) the device tag registry value to your department code. Only one tag may be set this way, and it MUST be the Top-Level Department Code used to onboard to the Endpoint Platform service.

Configuration Items

Start by navigating to Assets and Compliance > Compliance Settings > Configuration Items > Your Dept Code

  1. Click on Create Configuration Item.

  2. General: Provide a name and select Windows Desktops and Servers (custom), then click Next.

  3. Supported Platforms: Select the versions of Windows you will be applying this CI to, such as Windows 10 and Windows 11.

  4. Settings: Click New.

    1. Use the following information under the General tab.

      1. Provide a Name

      2. Setting type: Registry Value

      3. Data type: String

      4. Hive Name: HKEY_LOCAL_MACHINE

      5. Key Name: SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging

      6. Value Name: Group

      7. Click OK then Next.

  5. Compliance Rules: Create the two rules below.

    1. Click New...

      1. Provide a Name

      2. Selected setting: Click Browse and select the CI you are creating. It should show (current) in the CI Name, then click on Select.

      3. Rule Type: Existential

      4. The setting must comply with the following rule: Registry key must exist on client devices

      5. Click OK

    2. Click New...

      1. Provide a Name

      2. Selected setting: Click Browse and select the CI you are creating. It should show (current) in the CI Name, then click on Select.

      3. Rule Type: Value

      4. Operator: Equals

      5. For the following values: Your department code (e.g. VPFA)

      6. Select the check box Remediate noncompliant rules when supported

      7. Click OK

    3. Click OK then Next.

  6. Summary: Verify the Details look correct, then click Next to finish up.

Configuration Baselines

Now you need to create a baseline configuration and deploy it to your device collection to enforce what you set above.

Navigate to Assets and Compliance > Compliance Settings > Configuration Baselines > Your Dept Code

  1. Click on Create Configuration Baseline.

    1. Provide a Name

    2. Click on Add and then select Configuration Items from the drop-down. Select the CI you created in the previous steps from the list, click Add, and then OK.

  2. Select the baseline you created and click Deploy.

    1. Check the boxes for "Remediate noncompliant rules when supported" and "Allow remediation outside the maintenance window".

    2. Generate an Alert: This can be left off or set to your choice.

    3. Collection: Choose the device collection you want this baseline to apply to (your choice), such as your "All <DEPT> Clients" collection.

    4. Schedule: Choose how often you would like clients to evaluate this configuration baseline.

    5. Click OK to complete the deployment.

Note

When the configuration baseline is deployed to a computer, it is evaluated for compliance within two hours of the start time that you schedule.

Verify Tagging Success

Wait for the success rate of the above CI/CB to reach an acceptable percentage (it may take several days or longer for most clients to apply the CI/CB and set the registry value). Without this tag, data the ISO receives from MDE for your devices may not be correctly associated with your department.
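The Configuration Manager console reports the CI/CB success rate; for a spot check on an individual endpoint, the following PowerShell (an added example, not part of the original page) verifies the three conditions this page covers: Defender is in active rather than passive mode, the Defender for Endpoint sensor service is running, and the DeviceTagging Group value equals the expected department code. The VPFA tag is the page's sample value; pass your own code in -ExpectedTag.

```powershell
# Added example, not from the original page: client-side check of the MDE
# onboarding state this page describes. Run in an elevated PowerShell on the
# endpoint. -ExpectedTag defaults to the page's sample code; use your own.
param(
    [string]$ExpectedTag = 'VPFA'
)

$results = [ordered]@{}

# 1. Defender must be in active mode. A third-party AV leaves it passive
#    ("Passive Mode"), and the CM-delivered Defender policies will not apply.
$mp = Get-MpComputerStatus
$results['DefenderMode']    = $mp.AMRunningMode          # 'Normal' = active
$results['RealTimeEnabled'] = $mp.RealTimeProtectionEnabled

# 2. The Defender for Endpoint sensor service ("Sense") runs once onboarded.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$results['SenseService'] = if ($sense) { $sense.Status } else { 'NotInstalled' }

# 3. The device tag written by the Configuration Item: the Group value under
#    the DeviceTagging policy key must equal the top-level department code.
$tagKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$tag = (Get-ItemProperty -Path $tagKey -Name Group -ErrorAction SilentlyContinue).Group
$results['DeviceTag']  = if ($null -eq $tag) { '<missing>' } else { $tag }
$results['TagMatches'] = ($tag -eq $ExpectedTag)

[pscustomobject]$results | Format-List

# Exit code makes this usable as a CM script or in a quick fleet sweep.
$ok = $results['TagMatches'] -and
      $mp.AMRunningMode -eq 'Normal' -and
      $results['SenseService'] -eq 'Running'
if ($ok) {
    exit 0
}
Write-Warning 'One or more MDE onboarding checks failed; see output above.'
exit 1
```

A device showing "Passive Mode" here still has a third-party AV registered, which is the case the Important note above describes.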

Deployment

There is no software package to deploy, as Defender is built into Windows. However, endpoints must be running a version of Windows that includes Defender.
Microsoft Defender for Endpoint support follows the respective operating system's lifecycle.
