Has anyone successfully implemented MDE in an air-gapped network?

Asked By TechWiz99 On

I'm looking into transitioning from a 100% EPO environment with various software for both Linux and Windows to Microsoft Defender for Endpoint (MDE) exclusively. However, my situation is unique because everything we do is on air-gapped networks—there's no connection to the internet at all. My understanding is that MDE relies on cloud-based centralized management. This raises concerns since it sounds like it might function similarly to standalone Endpoint Security products like VSE or ENS. Additionally, I anticipate that deploying MDE might be a hassle since onboarding packages from the Microsoft 365 portal are necessary. I'm curious if anyone else has experience using MDE in a completely offline and air-gapped environment. How has that been for you?

5 Answers

Answered By AirGapTechie On

In our setup, we use GPOs and have a DFS system across the enterprise. While we do utilize MECM, the higher-ups decided to stick with GPOs for management.

Answered By SkepticalAdmin On

If it's truly air-gapped, it might not even be necessary to implement a solution like MDE. Air-gapped systems generally require much stricter security standards, especially regarding EDR configurations.

Answered By GPOGuru On

You can configure MDE through MECM or Group Policy. I haven't worked with MECM, but I use GPOs. You might run into some issues because exclusion lists don’t always merge well, and tamper protection is something to watch out for since it can be managed by both MECM and MDE.
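An added read-only audit script, not from the thread or from Microsoft, for the points raised above (which exclusions are actually in effect and whether tamper protection is on) plus the onboarding and offline-signature checks an air-gapped deployment needs. It assumes an elevated session on the endpoint and the documented MDE onboarding-status registry value; the seven-day signature-age threshold is an arbitrary choice.

```powershell
# Added example (not from the thread): audit one Windows host's Defender/MDE
# posture with built-in cmdlets. Read-only; run elevated on the endpoint.
function Get-MdeAirGapAudit {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Assumption: documented location the Sense service writes after onboarding.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    if (Test-Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
        $onboarded = ($state -eq 1)
    }
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $senseStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Onboarded           = $onboarded
        SenseServiceStatus  = $senseStatus
        TamperProtected     = $status.IsTamperProtected
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        RunningMode         = $status.AMRunningMode
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureAgeDays    = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
        # Offline hosts need a file-share (UNC) source for definition updates.
        ShareUpdateSources  = $pref.SignatureDefinitionUpdateFileSharesSources
        # Effective exclusions as applied, whichever source (GPO, MECM, MDE) set them.
        ExclusionPaths      = @($pref.ExclusionPath)
        ExclusionExtensions = @($pref.ExclusionExtension)
        ExclusionProcesses  = @($pref.ExclusionProcess)
    }
}

$audit = Get-MdeAirGapAudit
$audit | Format-List

# Flag the conditions the thread warns about.
if (-not $audit.Onboarded)             { Write-Warning 'Host is not onboarded to MDE.' }
if (-not $audit.TamperProtected)       { Write-Warning 'Tamper protection is off.' }
if (-not $audit.ShareUpdateSources)    { Write-Warning 'No file-share signature source set; an offline host will not get definition updates.' }
if ($audit.SignatureAgeDays -gt 7)     { Write-Warning "Signatures are $($audit.SignatureAgeDays) days old." }
if ($audit.ExclusionPaths.Count -gt 0) { Write-Warning "Effective path exclusions: $($audit.ExclusionPaths -join ', ')" }
```

Run it on a few hosts managed by different sources and compare the exclusion lists to see where the merge did not happen as expected.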

Answered By NetworkNinja On

Just a heads up, a lot of folks here might not realize that being air-gapped doesn't necessarily mean no external access at all. Sometimes users or admins can access the same network from outside the core workspace.

Answered By SystemAdminGuy On

I've been wondering about the threat model for using EDR and AV solutions on air-gapped networks. What are the specific threats you're concerned about?

DataDude21 -

Honestly, my role is just to automate software deployments all day, so I'm a bit out of the loop on this. But I know there’s a lot of data exchange happening via different forms of media. You can never underestimate the human factor.

CyberAware -

Definitely Stuxnet comes to mind. It's a reminder of potential risks even in secured environments.
