Migrate to Microsoft Defender for Endpoint - Phase 3: Onboard
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
 Phase 1: Prepare |
 Phase 2: Set up |
 Phase 3: Onboard |
|---|---|---|
| You're here! |
Welcome to Phase 3 of migrating to Defender for Endpoint. This migration phase includes the following steps:
- Onboard devices to Defender for Endpoint.
- Run a detection test.
- Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints.
- Get updates for Microsoft Defender Antivirus.
- Uninstall your non-Microsoft solution.
- Make sure Defender for Endpoint is working correctly.
Step 1: Onboard devices to Microsoft Defender for Endpoint
Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
Choose Settings > Endpoints > Onboarding (under Device management).
In the Select operating system to start onboarding process list, select an operating system.
Under Deployment method, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See Onboarding methods (in this article).
Note
If something goes wrong while onboarding, see Troubleshoot Microsoft Defender for Endpoint onboarding issues. That article describes how to resolve onboarding issues and common errors on endpoints.
Onboarding methods
Deployment methods vary, depending on operating system and preferred methods. The following table lists resources to help you onboard to Defender for Endpoint:
| Operating systems | Methods |
|---|---|
| Windows 10 or later Windows Server 2019 or later Windows Server, version 1803 or later Windows Server 2016 or Windows Server 2012 R2[1] |
Microsoft Intune or Mobile Device Management Microsoft Configuration Manager Group Policy VDI scripts Local script (up to 10 devices) The local script method is suitable for a proof of concept but shouldn't be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Configuration Manager, or Intune. |
| Windows Server 2008 R2 SP1 | Microsoft Monitoring Agent (MMA) or Microsoft Defender for Cloud The Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see Log Analytics agent overview. |
| Windows 8.1 Enterprise Windows 8.1 Pro Windows 7 SP1 Pro Windows 7 SP1 |
Microsoft Monitoring Agent (MMA) The Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see Log Analytics agent overview. |
| Windows servers Linux servers |
Integration with Microsoft Defender for Cloud |
| macOS | Local script Microsoft Intune JAMF Pro Mobile Device Management |
| Linux Server | Local script Puppet Ansible Chef |
| Android | Microsoft Intune |
| iOS | Microsoft Intune Mobile Application Manager |
(1) Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in Onboard Windows servers.
Important
The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include server licenses. To onboard servers, you'll need an additional license, such as Microsoft Defender for Servers Plan 1 or Plan 2. To learn more, see Defender for Endpoint onboarding Windows Server.
Step 2: Run a detection test
To verify that your onboarded devices are properly connected to Defender for Endpoint, you can run a detection test.
| Operating system | Guidance |
|---|---|
| Windows 10 or later Windows Server 2022 Windows Server 2019 Windows Server, version 1803, or later Windows Server 2016 Windows Server 2012 R2 |
See Run a detection test. |
| macOS (see System requirements | Download and use the DIY app at https://aka.ms/mdatpmacosdiy. For more information, see Defender for Endpoint on macOS. |
| Linux (see System requirements) | 1. Run the following command, and look for a result of 1: mdatp health --field real_time_protection_enabled.2. Open a Terminal window, and run the following command: curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt.3. Run the following command to list any detected threats: mdatp threat list.For more information, see Defender for Endpoint on Linux. |
Step 3: Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode by using PowerShell.
On a Windows device, open Windows PowerShell as an administrator.
Run the following PowerShell cmdlet:
Get-MpComputerStatus|select AMRunningMode.Review the results. You should see Passive mode.
Note
To learn more about passive mode and active mode, see More details about Microsoft Defender Antivirus states.
Set Microsoft Defender Antivirus on Windows Server to passive mode manually
To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, or Windows Server 2022, follow these steps:
Open Registry Editor, and then navigate to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.Edit (or create) a DWORD entry called ForceDefenderPassiveMode, and specify the following settings:
- Set the DWORD's value to 1.
- Under Base, select Hexadecimal.
Note
You can use other methods to set the registry key, such as the following:
Start Microsoft Defender Antivirus on Windows Server 2016
If you're using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can perform this task by using the PowerShell cmdlet mpcmdrun.exe -wdenable on the device.
Step 4: Get updates for Microsoft Defender Antivirus
Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in passive mode. (See Microsoft Defender Antivirus compatibility.)
There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
Security intelligence updates
Product updates
To get your updates, follow the guidance in Manage Microsoft Defender Antivirus updates and apply baselines.
Step 5: Uninstall your non-Microsoft solution
If, at this point you have onboarded your organization's devices to Defender for Endpoint, and Microsoft Defender Antivirus is installed and enabled, then your next step is to uninstall your non-Microsoft antivirus, antimalware, and endpoint protection solution. When you uninstall your non-Microsoft solution, Microsoft Defender Antivirus changes from passive mode to active mode. In most cases, this happens automatically.
Important
If, for some reason, Microsoft Defender Antivirus does not go into active mode after you have uninstalled your non-Microsoft antivirus/antimalware solution, see Microsoft Defender Antivirus seems to be stuck in passive mode.
To get help with uninstalling your non-Microsoft solution, contact their technical support team.
Step 6: Make sure Defender for Endpoint is working correctly
Now that you have onboarded to Defender for Endpoint, and you have uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint working correctly.
Go to the Microsoft Defender portal (https://security.microsoft.com) and sign in.
In the navigation pane, choose Endpoints > Device inventory. There, you're able to see protection status for devices.
To learn more, see Device inventory.
Next step
Congratulations! You have completed your migration to Defender for Endpoint!
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for