Is an individual able to activate Enterprise on a single device, without needing to connect it to a Microsoft cloud subscription or Enterprise server/domain? Does activating Enterprise using MassGravel, for example, also activate the E3 or E5 tiers of Microsoft Defender for Endpoint (formerly Microsoft ATP)?
Enterprise allows disabling the most telemetry, and in general just gives access to more configuration options and control over the OS through the group policy editor and the like; it lets you disable a pretty large amount of Microsoft’s BS.
And yes, Enterprise can be activated through the script you linked without requiring a domain or Microsoft cloud subscription, or anything of the like. There are really no downsides imo. I’m unsure if it activates the E3 or E5 tiers of Microsoft Defender for Endpoint.
Ok thanks! I know about the telemetry benefits - but there’s dozens of ways to disable telemetry, including just blocking domains or limiting network access via any firewall app. The biggest thing I’d be interested to know is if it adds some specific feature to Defender that makes it more robust.
I think this can only ever be partially effective. Or at least not effective enough on its own to give you any certainty.
Domain-based blocking can be very effective if you can block entire domains or subdomains, but in cases where the things you want to block and the things you need or want come from the same place, domain-based blocking is too crude of a tool to be 100% effective.
It seems like this would be the case with Windows: if you outright block all Microsoft or Windows domains, you would also be blocking Windows updates, Defender updates, etc. But if you don’t outright block Microsoft domains, I don’t see how you can know what information is or isn’t being transmitted back to Microsoft.
I found the complete answer here: Windows security features licensing and edition requirements - Windows Security | Microsoft Learn
It’s a table listing Windows security feature availability per OS edition. The TLDR is that Pro has almost everything, but Enterprise does have a few more features. Besides some things like Direct Access and Federated Sign-in that really just seem useful if you have multiple devices, Enterprise additionally has MDAG For Office (not just for Edge), Windows Autopatch (basically seems like an improved Windows Update? Not sure), and Credential Guard.
MDAG For Office seems like the most interesting thing, as it’s like Protected View but it also lets you edit unsafe docs while still restricting them and isolating them from the rest of the system.
…also, Enterprise edition is necessary if you want to take advantage of the robust Microsoft Defender For Endpoint security suites. But that requires a separate paid subscription; it’s not built into the OS.