Mixed mode Defender subscription & licensing for endpoints

-

I was recently asked by a customer about the possibility of using mixed licensing for Defender for Endpoint for endpoints. They had both MDE plan 1 and plan 2 licenses as part of M365 E3 and E5 respectively, but wanted all the Windows endpoints to be moved to MDE plan 1 capabilities until all the features under plan 2 were tested out. For a long time this was not possible and in cases of multiple subscriptions, the highest functional subscription would take precedence in the tenant. But not anymore. Microsoft now supports use of a mixture of subscriptions & licenses. Some of the most common scenarios are -

1. Mixed tenant - Different sets of capabilities for groups of users and their devices based off licenses like MDE plan 1 & plan 2, Microsoft 365 E3 & E5.

2. Mixed trial - Mixture of full and trial licenses like MDE plan 1, M365 E3 (purchased for all users) & MDE plan 2, M365 E5 trial (purchased for some users)

3. Phased upgrades - Upgrade user licenses in phases by moving users from MDE plan 1 to plan 2 and M365 E3 to E5.

There are some caveats to mixed licensing -

1. Mixed-mode settings apply to client endpoints only. Servers are not supported at the time of writing this blog.

2. Assigning user licenses in the Microsoft 365 admin center alone doesn't set the tenant to mixed mode.

3. At a minimum an active trial or paid licenses for both Defender for Endpoint Plan 1 and Plan 2 is needed.

Assigning the licenses in the M365 Admin Center

2. Go under the licenses and assign the licenses based on requirements and availability. For all intents and purposes, I am using a mixed licensing between M365 E5 which gives MDE plan 2 capabilities and standalone MDE plan 1 trial.



Configuring mixed mode in the Defender subscription settings & creating dynamic tagging asset rule

2. Go to Settings > Endpoints > Licenses.
3. Under Subscription state, select Manage subscription settings.
4. Choose the option to use Defender for Endpoint Plan 1 and Plan 2.
5. Create the Dynamic tagging rule. (Note: This step is important for mixed mode licensing to take into effect.)


Note: Again, for all intents and purposes, I am creating a dynamic rule looking at a specific device name. In a production setup, you can specify a set of criteria based on device name, domain, operating system platform, and/or device tags. 

There is also the option to manually tag endpoints or use Intune through a custom profile, but I will personally recommend dynamic tagging for its simplicity and the fact it is directly configurable from the Defender portal. Tagged devices will get plan 1 capabilities, all other devices will received plan 2 capabilities. Once again and at the time of writing this blog, servers are not supported for dynamic tagging.

The tagging and license usage report can take some time to update. In my experience, the information got updated in both customer's and my own tenant under 30 minutes, but it can take up to 3 hrs for tagging and 1 hr for usage report to update, so patience is the key. :-)

Validation

The targeted device as per the dynamic rule, got tagged with 'License MDE P1'. It also didn't have the P2 capabilities like vulnerabilities and security recommendations listing in the device page in the inventory.



Here is an example of a device with P2 capabilities.


The subscription switched to mixed mode licensing and the license usage report updated as well.


Final thoughts..

The best part is that there is no requirement for device-to-user mapping and assignment. The only thing is missing is support for servers. Since servers can be managed using Defender portal as well, it will be great if a similar mixed licensing can be achieved for Defender for Servers. Nonetheless, mixed mode licensing for MDE is a welcome feature.

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting pr
Read more