⚠️ Demo file — sample data only. No real customer or tenant information is included.
Total Sensors: 10
Sensor v3.x: 4
Sensor v2.x: 6
AD Forest(s): 1
AD Domain(s): 1
DSA Credential(s): 1
Blocker(s): 0
License Status: Confirmed

Warnings & Blockers

✅ No blockers or warnings identified.

Server Deployment Overview

OS Version | Roles | RODC | Traffic (pkt/s) | Count | Sensor | Sizing (per sensor) | Notes
Windows Server 2022 | AD DS | No | Unknown | 4 | v3.x | Run Sizing Tool ↗ | Sizing Tool optional for v3.x — sensor resource usage is managed by MDE
WS 2016 or later (v2.x) | AD FS (standalone) | No | Role-based | 2 | v2.x | Minimal | Standalone role server — sensor v2.x required; DSA mandatory
WS 2016 or later (v2.x) | AD CS (standalone) | No | Role-based | 2 | v2.x | Minimal | Standalone role server — sensor v2.x required; DSA mandatory
WS 2016 or later (v2.x) | Entra Connect (Active) | No | Role-based | 1 | v2.x | Minimal | Standalone role server — sensor v2.x required; DSA mandatory
WS 2016 or later (v2.x) | Entra Connect (Staging) | No | Role-based | 1 | v2.x | Minimal | Standalone role server — sensor v2.x required; DSA mandatory

Sizing = sensor-only resource consumption (not total DC capacity). CPU = non-hyperthreaded cores only.
Capacity Planning Guide ↗ | Download MDI Sizing Tool ↗

Directory Service Account (DSA)

Account type: Group Managed Service Account (gMSA)

Required DSA credentials: 1

Notes: Single forest — one DSA covers all domains.

gMSA Setup Steps
  1. Create the gMSA account and security group using New-ADServiceAccount (see documentation script)
  2. Add all sensor server computer accounts to the gMSA security group
  3. Grant DSA read access to the Deleted Objects container using dsacls.exe LCRP
  4. Verify the "Log on as a service" right on all v2.x sensor servers (secpol.msc or GPO) — only required for v2.x; the v2 sensor service impersonates the gMSA DSA
  5. Purge Kerberos tickets after group membership changes: klist purge -li 0x3e7
  6. Register the gMSA in Defender XDR: Settings > Identities > Directory service accounts > Add credentials
Full gMSA Setup Guide ↗
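A PowerShell script that carries out steps 1 to 3 above end to end, added here as an example; it is not the documentation script the steps refer to. The account, group and host names are placeholders, and it assumes the RSAT ActiveDirectory module, Domain Admin rights, and a forest that already has a KDS root key.

```powershell
# Added example (not the page's or Microsoft's documentation script): creates the
# gMSA DSA, its host group and the Deleted Objects read grant. Names are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$GmsaName       = 'mdiSvc01',        # placeholder gMSA name
    [string]$HostsGroupName = 'mdiSvc01Group',   # placeholder group name
    [string[]]$SensorHosts  = @('DC01', 'DC02', 'ADFS01', 'ADCS01', 'AADC01', 'AADC02')  # placeholders
)

Import-Module ActiveDirectory

# A gMSA cannot be created until the forest has a KDS root key (one-time setup).
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one first (Add-KdsRootKey) and retry.'
}

# Step 1a: security group whose members may retrieve the managed password.
$group = Get-ADGroup -Filter "Name -eq '$HostsGroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $HostsGroupName -GroupScope Global -PassThru
}

# Step 2: every sensor server's computer account joins the group; a missing host is
# reported rather than silently skipped, because that server could never use the DSA.
foreach ($h in $SensorHosts) {
    $computer = Get-ADComputer -Filter "Name -eq '$h'"
    if ($computer) { Add-ADGroupMember -Identity $group -Members $computer }
    else           { Write-Warning "Computer account '$h' not found; it cannot use the gMSA." }
}

# Step 1b: create the gMSA; only members of $group can retrieve its password.
$domain = Get-ADDomain
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$($domain.DNSRoot)" `
        -PrincipalsAllowedToRetrieveManagedPassword $group
}

# Step 3: Deleted Objects container, List Contents (LC) + Read Property (RP) only.
$deletedObjectsDN = $domain.DeletedObjectsContainer
$dsaPrincipal = "$($domain.NetBIOSName)\$GmsaName`$"
& "$env:SystemRoot\System32\dsacls.exe" $deletedObjectsDN /takeOwnership | Out-Null
& "$env:SystemRoot\System32\dsacls.exe" $deletedObjectsDN /G "$($dsaPrincipal):LCRP"

# Steps 4 to 6 (Log on as a service on v2.x hosts, 'klist purge -li 0x3e7' on each
# sensor server, registering the account in Defender XDR) happen on the hosts and in the portal.
```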

Connectivity Configuration

Method: Direct access to the dedicated MDI backend via the Internet (TLS encrypted)

Required URLs & Ports

SSL/TLS inspection is NOT supported. MDI uses certificate-based mutual authentication.

Proxy Configuration Guide ↗

Windows Event Auditing

Recommended approach: PowerShell with the DefenderForIdentity module (recommended in particular for v2.x or mixed environments)

Use the DefenderForIdentity PowerShell module to apply all required audit settings via Group Policy. This method works for both v2.x and v3.x sensors and provides a configuration report before applying changes.

PowerShell Commands
Install-Module DefenderForIdentity -Scope CurrentUser

# Review current configuration and gaps:
New-MDIConfigurationReport -Path 'C:\MDIReports' -Mode Domain -OpenHtmlReport

# Apply all required audit settings via Group Policy:
Set-MDIConfiguration -Mode Domain -Configuration All

Required Event IDs

Category | Subcategory | Event IDs
Account Logon | Credential Validation | 4776
Account Management | Computer Account Management | 4741, 4743
Account Management | Security Group Management | 4728–4758
Account Management | User Account Management | 4726
DS Access | Directory Service Changes | 5136
DS Access | Directory Service Access | 4662
System | Security System Extension | 7045
NTLM (Group Policy) | Restrict NTLM | 8004

Windows Event Auditing Guide ↗
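An added PowerShell check, not code from the page or the DefenderForIdentity module, that queries a DC for the event IDs in the table above and reports which ones produced nothing in the chosen window, so an audit-policy gap shows up before the sensor flags it. It assumes Get-WinEvent can reach the DC and expands the Security Group Management range to 4728–4733 and 4753–4758 as the checklist does.

```powershell
# Added example, not code from the page or the DefenderForIdentity module.
# Queries a DC for the MDI-required event IDs and flags any that produced nothing
# in the window, so audit-policy gaps surface before the sensor reports them.
function Test-MdiAuditEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: a DC reachable via RPC/WinRM
        [int]$HoursBack = 24
    )
    $since = (Get-Date).AddHours(-$HoursBack)

    # Required IDs mapped to the log that carries them: 7045 is written by the Service
    # Control Manager to System, 8004 comes from the NTLM auditing GPO, the rest are Security.
    $required = [ordered]@{
        'Security' = @(4776, 4741, 4743) + (4728..4733) + (4753..4758) + @(4726, 5136, 4662)
        'System'   = @(7045)
        'Microsoft-Windows-NTLM/Operational' = @(8004)
    }

    foreach ($log in $required.Keys) {
        # Get-WinEvent throws instead of returning nothing when no event matches,
        # so the error is suppressed and an empty result is treated as zero.
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = $log; Id = $required[$log]; StartTime = $since
        } -ErrorAction SilentlyContinue

        $counts = @{}
        foreach ($e in $events) { $counts[$e.Id] = 1 + [int]$counts[$e.Id] }

        foreach ($id in $required[$log]) {
            $n = [int]$counts[$id]
            $status = if ($n -gt 0) { 'OK' } else { 'MISSING' }
            [pscustomobject]@{ Log = $log; EventId = $id; Count = $n; Status = $status }
        }
    }
}

# Every ID in one log showing MISSING points at the audit policy (or, for 8004, the NTLM
# auditing GPO); a single MISSING ID may only mean nothing triggered it in the window.
Test-MdiAuditEvents | Sort-Object Log, EventId | Format-Table -AutoSize
```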

Deployment Checklist

Phase 1: Pre-Deployment
🛑 Before running any PowerShell command in this phase: The cmdlets shown are pre-populated with -WhatIf to prevent unintended changes. Do not remove -WhatIf unless you have read the full cmdlet documentation, understand exactly what will be changed on the target system, and have obtained the necessary change-management approval. Some of these commands modify system configuration directly on all sensor servers in scope.
  • Assign Security Administrator role in Microsoft Entra ID to the deployment account [Tenant]
  • Install the DefenderForIdentity PowerShell module on the management workstation [Management workstation]
    Install-Module DefenderForIdentity -Scope CurrentUser
  • Confirm Microsoft Defender for Endpoint (MDE) is deployed on all v3.x target DCs [v3.x DCs]
  • Verify March 2026 or later cumulative update is installed on all v3.x target DCs [v3.x DCs]
  • Run Test-MdiReadiness.ps1 from a management workstation — queries all DCs, CA servers, and Entra Connect servers remotely and generates an HTML + JSON readiness report. Available from Defender portal: Settings > Identities > Tools, or GitHub. [Management workstation]
    .\Test-MdiReadiness.ps1
  • Set Power Option to High Performance on all sensor servers [All sensor servers]
    Set-MDIConfiguration -Mode Domain -Configuration ProcessorPerformance -WhatIf
  • Verify VM memory is fully allocated — disable Dynamic Memory on Hyper-V / VMware (reserve all guest memory) [All sensor servers (VM)]
  • Verify time synchronization within 5 minutes across all sensor servers [All sensor servers]
Phase 2: Connectivity
  • Allow outbound TCP 443 to <workspace-name>sensorapi.atp.azure.com from all sensor servers (no SSL inspection). The workspace name is derived from your Entra tenant name — find it in the Defender portal: Settings > System > About > Workspace Name. [All sensor servers]
  • Allow outbound TCP/UDP 53 (DNS) from all sensor servers [All sensor servers]
  • Test connectivity from each sensor server to the MDI cloud service using Test-MDISensorApiConnection or a browser ping to <workspace>sensorapi.atp.azure.com/tri/sensor/api/ping [All sensor servers]
Phase 3: Identity & DSA
  • Open Microsoft Defender portal (security.microsoft.com) — first sign-in with Security Administrator role creates the MDI workspace automatically [Tenant]
  • Create gMSA account and associated security group using the New-ADServiceAccount PowerShell script from the documentation [Active Directory]
  • Add all sensor server computer accounts to the gMSA security group [Active Directory]
  • Purge Kerberos tickets on sensor servers after group membership change: klist purge -li 0x3e7 [All sensor servers]
  • Verify gMSA has "Log on as a service" right on all v2.x sensor servers — the v2 sensor service runs as LocalService and impersonates the gMSA DSA; grant the right via Local Security Policy (secpol.msc) or GPO if the right is restricted [v2.x sensor servers]
  • Grant DSA read access to the Deleted Objects container using the PowerShell script provided in the docs (sets List Contents + Read Property via dsacls.exe) [Active Directory]
  • Register DSA credentials in Microsoft Defender XDR: Settings > Identities > Directory service accounts > Add credentials [Defender XDR Portal]
  • Grant DSA db_datareader permission on the AD FS AdfsConfiguration database on all AD FS servers (T-SQL or PowerShell) [AD FS Servers]
  • Grant sensor computer account SELECT + EXECUTE permissions on ADSync database (required only if an external SQL instance is used for Entra Connect) [Entra Connect Servers]
Phase 4: Windows Event Auditing
🛑 Before running any PowerShell command in this phase: The Set-MDIConfiguration cmdlets shown are pre-populated with -WhatIf. When executed without -WhatIf, these cmdlets create and link Group Policy Objects in your Active Directory domain, which will immediately affect all domain controllers or servers in scope. Do not proceed without fully understanding the cmdlet behavior, reviewing the WhatIf output, and obtaining change-management approval. Always run the -WhatIf version first, review every line of output, then re-run without -WhatIf only when you are certain the changes are correct and approved.
  • Run a configuration report to review current audit policy gaps before making any changes [Management workstation]
    New-MDIConfigurationReport -Path 'C:\MDIReports' -Mode Domain -OpenHtmlReport
  • Apply Advanced Directory Services Audit Policy on DCs (events 4726, 4728–4733, 4741–4743, 4753–4758, 4776, 5136, 7045) [Domain Controllers (GPO)]
    Set-MDIConfiguration -Mode Domain -Configuration AdvancedAuditPolicyDCs -WhatIf
  • Configure NTLM auditing on DCs (event 8004) [Domain Controllers (GPO)]
    Set-MDIConfiguration -Mode Domain -Configuration NTLMAuditing -WhatIf
  • Configure auditing SACL on the domain root object (event 4662) [Active Directory]
    Set-MDIConfiguration -Mode Domain -Configuration DomainObjectAuditing -WhatIf
  • Enable AD Recycle Bin for full object deletion tracking [Active Directory]
    Set-MDIConfiguration -Mode Domain -Configuration AdRecycleBin -WhatIf
  • Configure auditing on the AD Configuration Container (required for Exchange environments) [Active Directory]
    Set-MDIConfiguration -Mode Domain -Configuration ConfigurationContainerAuditing -WhatIf
  • Configure AD FS object-level auditing SACL on the AD FS configuration container in AD [Active Directory]
    Set-MDIConfiguration -Mode Domain -Configuration AdfsAuditing -WhatIf
  • Configure AD FS audit Group Policy via GPO: Computer Config > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Object Access > Audit Application Generated: Success and Failure [AD FS Servers (GPO)]
  • Enable verbose auditing on all AD FS servers [AD FS Servers]
    Set-AdfsProperties -AuditLevel Verbose
  • Configure CA-level audit policy on AD CS servers, then restart the Certificate Services service [AD CS Servers]
    certutil -setreg CA\AuditFilter 127; Restart-Service certsvc
  • Apply Advanced Audit Policy on CA servers via GPO (Object Access > Audit Certification Services: Success and Failure) — use -SkipGpoLink so the GPO is created unlinked, then manually link it to the OU containing your Issuing CA servers only [AD CS Servers (GPO)]
    Set-MDIConfiguration -Mode Domain -Configuration AdvancedAuditPolicyCAs -SkipGpoLink -WhatIf
  • Configure Entra Connect server audit policy via GPO (Audit Logon/Logoff > Audit Logon: Success and Failure) — use -SkipGpoLink so the GPO is created unlinked, then manually link it to the OU containing your Entra Connect servers only [Entra Connect Servers (GPO)]
    Set-MDIConfiguration -Mode Domain -Configuration EntraConnectAuditing -SkipGpoLink -WhatIf
Phase 5: Sensor Deployment
  • Activate MDI sensor v3.x: Defender portal > Settings > Identities > Activation > select eligible DCs > Activate [v3.x DCs]
  • Wait up to 1 hour for the first v3.x sensor to show status Running in Defender portal (subsequent sensors appear within 5 minutes) [Defender XDR Portal]
  • Download MDI sensor v2.x package and copy access key: Defender portal > Settings > Identities > Sensors > Add sensor > Continue with classic sensor [Management workstation]
  • Install MDI sensor on all standalone AD FS federation servers (NOT required on WAP servers) [Standalone AD FS Servers]
  • Configure resolver DC FQDN for AD FS sensors: Defender portal > Settings > Identities > Sensors > select sensor > Manage sensor [Defender XDR Portal]
  • Install MDI sensor on all AD CS servers with the Certification Authority Role Service (not required on offline AD CS servers) [Standalone AD CS Servers]
  • Install MDI sensor on BOTH active AND staging Entra Connect servers [Entra Connect Servers (Active + Staging)]
  • Configure resolver DC FQDN for Entra Connect sensors: Defender portal > Settings > Identities > Sensors > select sensor > Manage sensor [Defender XDR Portal]
  • Review and configure sensor settings in Defender portal: verify network adapters and description for each sensor [Defender XDR Portal]
Phase 6: Validation
  • Confirm all sensors show status Running in Defender portal: Settings > Identities > Sensors [Defender XDR Portal]
  • Configure Unified Sensor RPC Auditing for v3.x DCs: Defender portal > Settings > Microsoft Defender XDR > Asset Rule Management > Create rule > apply tag "Unified Sensor RPC Audit" targeting v3.x DCs. Unlocks additional identity detections. Allow up to 1 hour for the rule to take effect. [v3.x DCs]
  • Run DNS connectivity test from a member device: nslookup > server <DC-FQDN> > ls -d <domain> [Member device]
  • Verify MdiDnsQuery events appear in the device timeline in Defender portal (allow 15 minutes after first sensor activation) [Defender XDR Portal]
  • Review health alerts in Defender portal: Settings > Identities > Health issues — resolve any configuration warnings [Defender XDR Portal]
  • Validate AD FS detection: Advanced Hunting > IdentityLogonEvents | where Protocol contains "Adfs" [Defender XDR Portal]
  • Validate AD CS detection: Advanced Hunting > IdentityDirectoryEvents | where Protocol == "Adcs" [Defender XDR Portal]

References

All references: Microsoft Learn (learn.microsoft.com) — last verified April 2026.