Prerequisites

  • Client computers should already be running the Configuration Manager client and be onboarded to the EPM Campus Configuration Manager.
  • Set the utexasEduAzureSingle1 attribute on any OUs in Active Directory to the department code most closely associated with the devices in them.
    • If all of your devices fall under one department code, BUSD for example, place BUSD in utexasEduAzureSingle1 on austin.utexas.edu/Departments/BUSD.
    • If you are an IT Support Org and have other departments in your hierarchy, set those appropriately. For example, Campus Solutions is managed by TRECS, and objects for 'EIS1' exist under austin.utexas.edu/Departments/VPFA/VPFA Sites/EIS1; the utexasEduAzureSingle1 attribute on that OU is set to 'EIS1'.
  • Endpoint network line-of-sight to Azure.

How to set an attribute on an OU

Open Active Directory Users and Computers (ADUC), click on View and then enable "Advanced Features" if it's not already checked. Right click on the OU you want to set the attribute on, then click on Properties. Click on the Attribute Editor tab and scroll until you find utexasEduAzureSingle1. Select it and click the Edit button to set your department code. Click the OK buttons to save your changes.

To make the above changes your account must be an owner of the OU you are editing.


Remove Non-Microsoft Antivirus/Antimalware

If a device is enrolled in MDE but has a non-Microsoft AV installed, Defender will operate in passive mode. With no 3rd party AV product installed, Defender runs in active mode; once onboarded to MDE it will forward metrics, and the settings you have configured via Configuration Manager will apply.
Cisco Endpoint Protection (formerly AMP), as well as any other 3rd party antivirus product, can be removed at any stage of the onboarding process for versions of Windows that include Defender.

Per ISO guidance, campus units are advised to migrate to Defender as soon as possible: https://security.utexas.edu/education-outreach/anti-virus

Important

Defender protection and policies will not be active until 3rd party Anti-Virus solutions have been removed.

Device Tagging

Create a Configuration Item/Configuration Baseline in Configuration Manager that remediates the device tag registry value to your department code. Only one tag may be set this way, and it MUST be the Top-Level Department Code used to onboard to the Endpoint Platform service.

Configuration Items

Start by navigating to Assets and Compliance > Compliance Settings > Configuration Items > Your Dept Code

  1. Click on Create Configuration Item.
  2. General: Provide a name and select Windows Desktops and Servers (custom) then click Next.


  3. Support Platforms: Select the supported versions of Windows you will be applying this CI to, such as Windows 10, 11.
  4. Settings: Click New.
    1. Use the following information under the General tab.
      1. Provide a Name
      2. Setting type: Registry Value
      3. Data type: String
      4. Hive Name: HKEY_LOCAL_MACHINE
      5. Key Name: SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging
      6. Value Name: Group
      7. Click OK then Next.

        Important:

        Do not browse for the Hive and Key name as the key does not yet exist on clients that have not been onboarded. You can copy and paste the key name into the blank field.
        Browsing will cause unintended consequences. 

  5. Compliance Rules:
    1. Click New...
      1. Provide a Name
      2. Selected setting: Click Browse and select the CI you are creating. It should show (current) in the CI Name, then click on Select.
      3. Rule Type: Existential
      4. The setting must comply with the following rule: Registry key must exist on client devices
      5. Click OK
    2. Click New...
      1. Provide a Name
      2. Selected setting: Click Browse and select the CI you are creating. It should show (current) in the CI Name, then click on Select.
      3. Rule Type: Value
      4. Operator: Equals
      5. For the following values: Your department code (e.g. VPFA)
      6. Select the check box Remediate noncompliant rules when supported
      7. Click OK
    3. Click OK then Next.
  6. Summary: Verify the Details look correct, then click Next to finish up.


Configuration Baselines

Now you need to create a baseline configuration and deploy it to your device collection to enforce what you set above.

Navigate to Assets and Compliance > Compliance Settings > Configuration Baselines > Your Dept Code

  1. Click on Create Configuration Baseline.
    1. Provide a Name
    2. Click on Add and then select Configuration Items from the drop down. Select the CI you created in the previous steps from the list and click Add and then OK.
  2. Select the baseline you created and click deploy.
    1. Check the boxes for "Remediate noncompliant rules when supported" and "Allow remediation outside the maintenance window".
    2. Generate an Alert: This can be left off or set to your choice.
    3. Collection: Choose the device collection you want this baseline to apply to (your choice), such as your "All <DEPT> Clients" collection.
    4. Schedule: Your choice of schedule that you'd like for clients to evaluate this CB.
    5. Click OK to complete the deployment.

Note

When the configuration baseline is deployed to a computer, it is evaluated for compliance within two hours of the start time that you schedule.

Verify Tagging Success

Wait for the success rate of the above CI/CB to get over an acceptable percentage (it may take several days or longer for most clients to apply the CI/CB and set the registry key). Without this tag, any data the ISO gets from MDE may or may not be properly associated with your department.
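The following PowerShell script is an added example, not part of the original page or a Configuration Manager artifact, for spot-checking a single client before trusting the CI/CB success rate. It applies the same two checks as the compliance rules above (key exists, Group equals the department code) and also reports whether Defender is in active or passive mode; the parameter name $ExpectedTag and the -Remediate switch are assumptions of this example.

```powershell
# Added example: verify (and optionally fix) the MDE device tag on one client and report Defender mode.
# Assumptions: run in an elevated PowerShell 5.1+ session on Windows 10/11; $ExpectedTag is your
# Top-Level Department Code (e.g. 'VPFA'). Usage: .\Check-MdeTag.ps1 -ExpectedTag 'VPFA' [-Remediate]
param(
    [Parameter(Mandatory)][string]$ExpectedTag,
    [switch]$Remediate
)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$ValueName = 'Group'

# Existential rule from the CI: the DeviceTagging key must exist.
$keyExists = Test-Path -LiteralPath $KeyPath

# Value rule from the CI: Group must equal the department code.
$current = $null
if ($keyExists) {
    $current = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}
$compliant = $keyExists -and ($current -eq $ExpectedTag)

# Optional remediation, mirroring "Remediate noncompliant rules when supported".
if (-not $compliant -and $Remediate) {
    if (-not $keyExists) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $ExpectedTag `
        -PropertyType String -Force | Out-Null
    $current   = $ExpectedTag
    $compliant = $true
}

# Defender mode: 'Normal' is active; 'Passive Mode' means another AV is still registered.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

# Registered non-Microsoft AV products (root/SecurityCenter2 exists on client SKUs only).
$thirdParty = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.displayName -notmatch '^(Windows|Microsoft) Defender' }

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    TagKeyExists  = $keyExists
    CurrentTag    = $current
    TagCompliant  = $compliant
    AMRunningMode = $mp.AMRunningMode
    ThirdPartyAV  = ($thirdParty | ForEach-Object { $_.displayName }) -join ', '
}
```

A result of TagCompliant = True with AMRunningMode = Normal and an empty ThirdPartyAV is what a fully onboarded client should show; Passive Mode alongside a listed product points back to the Remove Non-Microsoft Antivirus step.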

Deployment

There is no software package to Deploy as Defender is built into Windows. However, endpoints must be using a version of Windows that includes Defender.
Microsoft Defender for Endpoint support will follow the respective operating system's lifecycle.




Related Information