Switch to Microsoft Defender for Endpoint - Phase 3: Onboard


Welcome to Phase 3 of switching to Defender for Endpoint. This migration phase includes the following steps:

  1. Onboard devices to Defender for Endpoint.
  2. Run a detection test.
  3. Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints.
  4. Get updates for Microsoft Defender Antivirus.
  5. Uninstall your non-Microsoft solution.
  6. Make sure Defender for Endpoint is working correctly.

Onboard devices to Microsoft Defender for Endpoint

  1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.

  2. Choose Settings > Endpoints > Onboarding (under Device management).

  3. In the Select operating system to start onboarding process list, select an operating system.

  4. Under Deployment method, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See Onboarding methods (in this article).

Onboarding methods

Deployment methods vary, depending on operating system and preferred methods. The following table lists resources to help you onboard to Defender for Endpoint:

Operating systems: Windows 10
Methods:
  • Group Policy
  • Configuration Manager
  • Mobile Device Management (Intune)
  • Local script

NOTE: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.

Operating systems: Windows 8.1 Enterprise; Windows 8.1 Pro; Windows 7 SP1 Enterprise; Windows 7 SP1 Pro
Methods:
  • Microsoft Monitoring Agent

NOTE: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see Log Analytics agent overview.

Operating systems: Windows Server 2019 and later; Windows Server 2019 core edition; Windows Server version 1803 and later
Methods:
  • Local script
  • Group Policy
  • Configuration Manager
  • System Center Configuration Manager
  • VDI onboarding scripts for non-persistent devices

NOTE: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.

Operating systems: Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Methods:
  • Microsoft 365 Defender portal
  • Azure Defender

Operating systems: macOS 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave)
Methods:
  • Onboard non-Windows devices

Operating systems: iOS
Methods:
  • Onboard non-Windows devices

Operating systems: Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2
Methods:
  • Onboard non-Windows devices

Run a detection test

To verify that your onboarded devices are properly connected to Defender for Endpoint, you can run a detection test.

Operating system: Windows 10; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2
Guidance:
  See Run a detection test.

  Visit the Defender for Endpoint demo scenarios site (https://demo.wd.microsoft.com) and try one or more of the scenarios. For example, try the Cloud-delivered protection demo scenario.

Operating system: macOS 11.3.1 (Big Sur); 10.15 (Catalina); 10.14 (Mojave)
Guidance:
  Download and use the DIY app at https://aka.ms/mdatpmacosdiy.

  For more information, see Defender for Endpoint on macOS.

Operating system: Linux: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16 LTS, or higher LTS; SLES 12+; Debian 9+; Oracle Linux 7.2
Guidance:
  1. Run the following command, and look for a result of 1:
     mdatp health --field real_time_protection_enabled

  2. Open a Terminal window, and run the following command:
     curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

  3. Run the following command to list any detected threats:
     mdatp threat list

  For more information, see Defender for Endpoint on Linux.

Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints

Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:

Method: Command Prompt
What to do:
  1. On a Windows device, open Command Prompt as an administrator.
  2. Type sc query windefend, and then press Enter.
  3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode.

Method: PowerShell
What to do:
  1. On a Windows device, open Windows PowerShell as an administrator.
  2. Run the Get-MpComputerStatus cmdlet.
  3. In the list of results, look for either AMRunningMode: Passive Mode or AMRunningMode: SxS Passive Mode.

Note

You might see Windows Defender Antivirus instead of Microsoft Defender Antivirus in some versions of Windows.
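The PowerShell check above is a one-device, eyeball-the-output step. The following function is an added example (not code from the Microsoft article) that runs the same Get-MpComputerStatus check, plus the WinDefend service state that sc query windefend reports, across a list of devices and returns one object per device with an IsPassive flag, so devices that are still in normal mode after onboarding can be listed rather than inspected one by one. It assumes PowerShell remoting (WinRM) is enabled for the remote devices; the device names 'WS01' and 'WS02' in the usage line are constructed placeholders.

```powershell
# Added example: report Microsoft Defender Antivirus running mode on one or more
# Windows devices and flag any that is not in passive mode.
# Assumes PowerShell remoting is enabled for remote computers; with no
# -ComputerName argument it checks the local device only.
function Get-DefenderRunningModeReport {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $script = {
        $status  = Get-MpComputerStatus
        # Same information as 'sc query windefend': state of the Defender AV service.
        $service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            AMRunningMode  = $status.AMRunningMode
            AMServiceState = if ($service) { $service.Status.ToString() } else { 'NotFound' }
            # The two values the article says to look for.
            IsPassive      = $status.AMRunningMode -in @('Passive Mode', 'SxS Passive Mode')
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                & $script
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $script -ErrorAction Stop
            }
        } catch {
            # Unreachable device or access denied: report it instead of silently skipping it.
            [pscustomobject]@{
                Computer       = $computer
                AMRunningMode  = 'Unknown'
                AMServiceState = "Error: $($_.Exception.Message)"
                IsPassive      = $false
            }
        }
    }
}

# Usage: list the devices that are NOT yet in passive mode (placeholder device names).
Get-DefenderRunningModeReport -ComputerName 'WS01', 'WS02' |
    Where-Object { -not $_.IsPassive } |
    Format-Table -AutoSize
```

A device that errors out is reported with IsPassive set to false on purpose: an unreachable endpoint should show up in the "not confirmed" list rather than disappear from the report.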

Set Microsoft Defender Antivirus on Windows Server to passive mode manually

To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, follow these steps:

  1. Open Registry Editor, and then navigate to
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.

  2. Edit (or create) a DWORD entry called ForceDefenderPassiveMode, and specify the following settings:

    • Set the DWORD's value to 1.
    • Under Base, select Hexadecimal.
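The same registry change can be scripted for servers where opening Registry Editor by hand does not scale. The function below is an added example (not code from the Microsoft article) that creates the Windows Advanced Threat Protection policy key if it is missing, writes ForceDefenderPassiveMode as a REG_DWORD with value 1, and reads the value back so the result can be checked. It must run in an elevated PowerShell session on the Windows Server being switched; -WhatIf previews the change without applying it.

```powershell
# Added example: set the ForceDefenderPassiveMode registry value from the manual
# steps above and verify it. Run elevated on the Windows Server in question.
function Set-DefenderPassiveModeRegistry {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $valueName = 'ForceDefenderPassiveMode'
    $expected  = 1   # DWORD 0x00000001, as in the manual steps

    # "Edit (or create)": create the policy key if it does not exist yet.
    if (-not (Test-Path -Path $keyPath)) {
        if ($PSCmdlet.ShouldProcess($keyPath, 'Create registry key')) {
            New-Item -Path $keyPath -Force | Out-Null
        }
    }

    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -eq $expected) {
        Write-Verbose "$valueName is already $expected; nothing to do."
    } elseif ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set DWORD to $expected")) {
        # -PropertyType DWord stores a REG_DWORD. The "Hexadecimal" base in Registry
        # Editor is only a display choice; the stored value 1 is the same either way.
        New-ItemProperty -Path $keyPath -Name $valueName -Value $expected -PropertyType DWord -Force | Out-Null
    }

    # Read back and return the verified state so callers can check the Ok field.
    $verified = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    [pscustomobject]@{
        KeyPath   = $keyPath
        ValueName = $valueName
        Value     = $verified
        Ok        = ($verified -eq $expected)
    }
}

# Usage: preview first, then apply and confirm Ok is True.
Set-DefenderPassiveModeRegistry -WhatIf
Set-DefenderPassiveModeRegistry -Verbose
```

After applying it, re-run Get-MpComputerStatus and confirm AMRunningMode reports Passive Mode or SxS Passive Mode, as described in the section above; the registry value alone is the instruction, the running mode is the evidence.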

Note

You can use other methods to set the registry key, such as the following:

Start Microsoft Defender Antivirus on Windows Server 2016

If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by running mpcmdrun.exe -wdenable on the device.

Get updates for Microsoft Defender Antivirus

Keeping Microsoft Defender Antivirus up to date is critical to ensure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in passive mode. (See Microsoft Defender Antivirus compatibility.)

There are two types of updates related to keeping Microsoft Defender Antivirus up to date:

  • Security intelligence updates
  • Product updates

To get your updates, follow the guidance in Manage Microsoft Defender Antivirus updates and apply baselines.
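Because both update types matter even in passive mode, it is worth checking update state on the device rather than assuming the baseline applied. The function below is an added example (not code from the Microsoft article) that reads the security intelligence version and age, and the engine and platform versions, from Get-MpComputerStatus, flags signatures older than a threshold, and optionally runs Update-MpSignature to refresh them. The two-day threshold is an assumed policy value, not one stated in the article.

```powershell
# Added example: check that security intelligence (signature) and engine/platform
# (product) updates are current on this device; optionally refresh stale signatures.
function Test-DefenderUpdateFreshness {
    [CmdletBinding()]
    param(
        # Assumed policy: flag signatures older than this many days.
        [int]$MaxSignatureAgeDays = 2,
        # When set, attempt Update-MpSignature if the signatures are stale.
        [switch]$Remediate
    )

    $status       = Get-MpComputerStatus
    $signatureAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    $stale        = $signatureAge.TotalDays -gt $MaxSignatureAgeDays

    if ($stale -and $Remediate) {
        try {
            Update-MpSignature -ErrorAction Stop
            # Re-read so the report reflects the post-update state.
            $status       = Get-MpComputerStatus
            $signatureAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
            $stale        = $signatureAge.TotalDays -gt $MaxSignatureAgeDays
        } catch {
            # Typical causes: no route to the update source, or a proxy that blocks it.
            Write-Warning "Update-MpSignature failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        AMRunningMode        = $status.AMRunningMode          # passive mode does not exempt updates
        AMProductVersion     = $status.AMProductVersion       # platform (product) update level
        AMEngineVersion      = $status.AMEngineVersion        # engine update level
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = [math]::Round($signatureAge.TotalDays, 2)
        SignaturesStale      = $stale
    }
}

# Usage: report, and refresh signatures if they are older than two days.
Test-DefenderUpdateFreshness -MaxSignatureAgeDays 2 -Remediate | Format-List
```

SignaturesStale staying True after -Remediate means the update itself failed, which is the condition to investigate (connectivity to the update source, or a device missed by the update baseline), not the threshold.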

Uninstall your non-Microsoft solution

If at this point you have:

  • Onboarded your organization's devices to Defender for Endpoint, and
  • Confirmed that Microsoft Defender Antivirus is installed and enabled,

then your next step is to uninstall your non-Microsoft endpoint protection solution.

To get help with this task, reach out to your solution provider's technical support team.

Make sure Defender for Endpoint is working correctly

Now that you have onboarded to Defender for Endpoint, and you have uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint is working correctly. One good way to do this is by visiting the Defender for Endpoint demo scenarios site (https://demo.wd.microsoft.com). Try one or more of the demo scenarios on that page, including at least the following:

  • Cloud-delivered protection
  • Potentially Unwanted Applications (PUA)
  • Network Protection (NP)

Next steps

Congratulations! You have completed your migration to Defender for Endpoint!