Onboard to Microsoft Defender for Endpoint

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Onboard devices using any of the supported management tools

The deployment tool you use influences how you onboard endpoints to the service.

To start onboarding your devices:

  1. Go to Select deployment method.
  2. Choose the Operating System for the devices you wish to Onboard.
  3. Select the tool you plan to use.
  4. Follow the instructions to Onboard your devices.

This video provides a quick overview of the onboarding process and the different tools and methods.

Deploy using a ring-based approach

New deployments

A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria are met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they're satisfied before moving on to the next ring. Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service.

This table provides an example of the deployment rings you might use:

Deployment ring Description
Evaluate Ring 1: Identify 50 devices to onboard to the service for testing.
Pilot Ring 2: Identify and onboard the next 50-100 endpoints in a production environment. Microsoft Defender for Endpoint supports various endpoints that you can onboard to the service, for more information, see Select deployment method.
Full deployment Ring 3: Roll out service to the rest of environment in larger increments. For more information, see Get started with your Microsoft Defender for Endpoint deployment.

Exit criteria

An example set of exit criteria for each ring can include:

Existing deployments

Windows endpoints

For Windows and/or Windows Servers, you select several machines to test ahead of time (before patch Tuesday) by using the Security Update Validation program (SUVP).

For more information, see:

Non-Windows endpoints

With macOS and Linux, you could take a couple of systems and run in the Beta channel.


Ideally at least one security admin and one developer so that you are able to find compatibility, performance and reliability issues before the build makes it into the Current channel.

The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current.

The insider rings.

In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either Beta or Preview.


Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.

Example deployments

To provide some guidance on your deployments, in this section we guide you through using two deployment tools to onboard endpoints.

The tools in the example deployments are:

For some additional information and guidance, check out the PDF or Visio to see the various paths for deploying Defender for Endpoint.

The example deployments will guide you on configuring some of the Defender for Endpoint capabilities, but you'll find more detailed information on configuring Defender for Endpoint capabilities in the next step.

Next step

After onboarding the endpoints move on to the next step where you'll configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.