Onboard to the Microsoft Defender for Endpoint service

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Learn about the various phases of deploying Microsoft Defender for Endpoint and how to configure the capabilities within the solution.

These are the steps you need to take to deploy Defender for Endpoint:

  • Step 1: Onboard endpoints to the service
  • Step 2: Configure capabilities

Illustration of the deployment steps

Step 1: Onboard endpoints using any of the supported management tools

The Plan deployment topic outlines the general steps you need to take to deploy Defender for Endpoint.

Watch this video for a quick overview of the onboarding process and learn about the available tools and methods.

After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service.

Onboarding tool options

The following table lists the available tools based on the endpoint that you need to onboard.

Endpoint Tool options
Windows Local script (up to 10 devices)
Group Policy
Microsoft Endpoint Manager/ Mobile Device Manager
Microsoft Endpoint Configuration Manager
VDI scripts
Integration with Microsoft Defender for Cloud
macOS Local scripts
Microsoft Endpoint Manager
JAMF Pro
Mobile Device Management
Linux Server Local script
Puppet
Ansible
iOS Microsoft Endpoint Manager
Android Microsoft Endpoint Manager

Step 2: Configure capabilities

After onboarding the endpoints, you'll then configure the capabilities. The following table lists the components that you can configure. Choose the components that you'd like to use and remove the ones that do not apply.

Capability Description
Endpoint Detection & Response (EDR) Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
Threat & Vulnerability Management (TVM) Threat & Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable device vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.
Next-generation protection (NGP) Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:

-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.

- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").

- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
Attack Surface Reduction (ASR) Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats.
Auto Investigation & Remediation (AIR) Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
Microsoft Threat Experts (MTE) Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.

After onboarding the endpoints, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.

Example deployments

In this deployment guide, we'll guide you through using two deployment tools to onboard endpoints and how to configure capabilities.

The tools in the example deployments are:

Using the mentioned deployment tools above, you'll then be guided in configuring the following Defender for Endpoint capabilities:

  • Endpoint detection and response configuration
  • Next-generation protection configuration
  • Attack surface reduction configuration