Onboard devices and configure Microsoft Defender for Endpoint capabilities

Applies to:

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

Deploying Microsoft Defender for Endpoint is a two-step process.

  • Onboard devices to the service
  • Configure capabilities of the service

[Illustration: onboarding and configuration process]

Onboard devices to the service

You'll need to go to the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided through the appropriate steps and offered the management and deployment tool options suitable for that device.

In general, to onboard devices to the service:

  • Verify that the device fulfills the minimum requirements
  • Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
  • Use the appropriate management tool and deployment method for your devices
  • Run a detection test to verify that the devices are properly onboarded and reporting to the service
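
As an added example (not part of the Microsoft page or of the onboarding packages it describes), the following PowerShell function carries out the verification step above on a single Windows device before the detection test is run: it checks that the Sense sensor service is running, that the onboarding script has written OnboardingState = 1 to the registry, what running mode Microsoft Defender Antivirus reports, and whether the sensor has logged recent errors. It assumes an elevated session on the device itself; the service name, registry path and event log name are the ones Defender for Endpoint uses on Windows, while the function name and the output fields are my own.

```powershell
# Added example (not from the Microsoft page): post-onboarding health check for one Windows device.
# Assumes an elevated PowerShell session on the device that was just onboarded.
#Requires -RunAsAdministrator

function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. The Sense service is the EDR sensor; it must be installed and running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseServicePresent = [bool]$sense
    $result.SenseServiceRunning = ($sense -and $sense.Status -eq 'Running')

    # 2. OnboardingState = 1 under the Windows Advanced Threat Protection Status key
    #    means the onboarding package was applied successfully.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = $state
    $result.Onboarded = ($state -eq 1)

    # 3. Microsoft Defender Antivirus state (next-generation protection).
    #    AMRunningMode reports Normal, Passive Mode, EDR Block Mode, and so on.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.AMRunningMode        = $mp.AMRunningMode
        $result.RealTimeProtection   = $mp.RealTimeProtectionEnabled
        $result.TamperProtected      = $mp.IsTamperProtected
        $result.SignatureAgeDays     = $mp.AntivirusSignatureAge
    }

    # 4. Critical/Error entries in the SENSE operational log usually explain a device
    #    that is onboarded but never shows up in the portal.
    $senseErrors = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
                                -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 2 }   # 1 = Critical, 2 = Error
    $result.RecentSenseErrors = @($senseErrors).Count

    [pscustomobject]$result
}

$check = Test-MdeOnboarding
$check | Format-List
if (-not ($check.SenseServiceRunning -and $check.Onboarded)) {
    Write-Warning 'Device is not fully onboarded; fix this before running the detection test.'
}
```

The function only reads state, so it is safe to run repeatedly, and its output object can be collected from many devices with the same management tool that deployed the onboarding package. A device that passes every check but still does not appear in the portal is usually a network problem (the sensor cannot reach the service URLs), which the SENSE error count will normally surface.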

Onboarding and configuration tool options

The following table lists the available tools based on the endpoint that you need to onboard.

| Endpoint | Tool options |
|---|---|
| Windows | Local script (up to 10 devices); Group Policy; Microsoft Endpoint Manager / Mobile Device Manager; Microsoft Endpoint Configuration Manager; VDI scripts; Integration with Microsoft Defender for Cloud |
| macOS | Local scripts; Microsoft Endpoint Manager; JAMF Pro; Mobile Device Management |
| Linux Server | Local script; Puppet; Ansible |
| iOS | Microsoft Endpoint Manager |
| Android | Microsoft Endpoint Manager |


Configure capabilities of the service

Onboarding devices enables the endpoint detection and response (EDR) capability of Microsoft Defender for Endpoint.

After onboarding the devices, you'll then need to configure the other capabilities of the service. The following capabilities can be configured to get the best protection for your environment.

Configure Threat & Vulnerability Management (TVM)

Threat & Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including:

  • Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.
  • Invaluable device vulnerability context during incident investigations.
  • Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.

Configure Next-generation protection (NGP)

Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:

  • Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
  • Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
  • Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research.

Configure attack surface reduction (ASR)

Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats.

Configure Auto Investigation & Remediation (AIR) capabilities

Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high-value initiatives.

Configure Microsoft Threat Experts (MTE) capabilities

Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert-level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
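
The following PowerShell is added here as an example and is not taken from the page. It shows how the next-generation protection and attack surface reduction capabilities described above can be configured on one Windows device with the Microsoft Defender Antivirus cmdlets, rolling ASR rules out in audit mode first and counting the resulting audit events so that false positives can be reviewed before any rule is switched to block. It assumes an elevated session, a device where Microsoft Defender Antivirus is the active antivirus (not passive mode), and the Set-MpPreference / Get-MpPreference cmdlets from the Defender module; the two rule GUIDs are taken from Microsoft's published ASR rules reference and should be verified against it, and the function names and the rollout policy are my own. At scale the same settings are delivered through the management tools in the onboarding table rather than set per device.

```powershell
# Added example (not from the Microsoft page): staged configuration of next-generation protection
# and attack surface reduction on one Windows device using the Defender Antivirus cmdlets.
# Assumes an elevated session and that Microsoft Defender Antivirus is the active antivirus
# (in passive mode most of these settings are ignored).
#Requires -RunAsAdministrator

# Constructed rollout policy. GUIDs are from Microsoft's published ASR rules reference;
# AuditMode logs what a rule would have blocked without enforcing it.
$asrRollout = [ordered]@{
    # Block all Office applications from creating child processes
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'AuditMode'
    # Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'AuditMode'
}

function Set-MdeProtectionBaseline {
    param([System.Collections.Specialized.OrderedDictionary]$AsrRules)

    # Next-generation protection: keep real-time protection on and raise cloud-delivered protection.
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples `
                     -CloudBlockLevel High

    # Attack surface reduction: network protection and the ASR rules above, audit first.
    Set-MpPreference -EnableNetworkProtection AuditMode
    Set-MpPreference -AttackSurfaceReductionRules_Ids ([string[]]$AsrRules.Keys) `
                     -AttackSurfaceReductionRules_Actions ([string[]]$AsrRules.Values)
}

function Get-MdeProtectionState {
    # Get-MpPreference returns ASR actions as numbers; map them back to names.
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $actionName[[int]$actions[$i]] }
    }

    # ASR events in the Defender operational log: 1122 = rule audited, 1121 = rule blocked.
    # Review the audited events for false positives before switching a rule to Block.
    $asrEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 200 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CloudBlockLevel   = $pref.CloudBlockLevel
        MAPSReporting     = $pref.MAPSReporting
        NetworkProtection = $pref.EnableNetworkProtection
        AsrRules          = $rules
        AsrAuditedEvents  = @($asrEvents | Where-Object Id -eq 1122).Count
        AsrBlockedEvents  = @($asrEvents | Where-Object Id -eq 1121).Count
    }
}

Set-MdeProtectionBaseline -AsrRules $asrRollout
Get-MdeProtectionState | Format-List
```

Once the audit event review shows no legitimate business process tripping a rule, the same call with the action changed to Enabled (the block action) enforces it; because Set-MpPreference replaces the whole rule list, keep every rule you want active in the policy object rather than passing one rule at a time. Tamper Protection, where it is on, will reject some of these changes made locally, which is the intended behaviour and a reason to push them from the management tool instead.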

Supported capabilities for Windows devices

| Operating System | Windows 10 & 11 | Windows Server 2012 R2 [1] | Windows Server 2016 [1] | Windows Server 2019 & 2022 | Windows Server 1803+ |
|---|---|---|---|---|---|
| Prevention | | | | | |
| Attack Surface Reduction rules | Y | Y | Y | Y | Y |
| Device Control | Y | N | N | N | N |
| Firewall | Y | Y | Y | Y | Y |
| Network Protection | Y | Y | Y | Y | Y |
| Next-generation protection | Y | Y | Y | Y | Y |
| Tamper Protection | Y | Y | Y | Y | Y |
| Web Protection | Y | Y | Y | Y | Y |
| Detection | | | | | |
| Advanced Hunting | Y | Y | Y | Y | Y |
| Custom file indicators | Y | Y | Y | Y | Y |
| Custom network indicators | Y | Y | Y | Y | Y |
| EDR Block & Passive Mode | Y | Y | Y | Y | Y |
| Sense detection sensor | Y | Y | Y | Y | Y |
| Endpoint & network device discovery | Y | N | N | N | N |
| Response | | | | | |
| Automated Investigation & Response (AIR) | Y | Y | Y | Y | Y |
| Device response capabilities: isolation, collect investigation package, run AV scan | Y | Y | Y | Y | Y |
| File response capabilities: collect file, deep analysis, block file, stop and quarantine processes | Y | Y | Y | Y | Y |
| Live Response | Y | Y | Y | Y | Y |

[1] Refers to the modern, unified solution for Windows Server 2012 R2 and 2016. For more information, see Onboard Windows Servers to the Defender for Endpoint service.

Note

Windows 7, Windows 8.1, and Windows Server 2008 R2 include support for the EDR sensor, and for antivirus using System Center Endpoint Protection (SCEP).