In the Select operating system to start onboarding process list, select an operating system.
Under Deployment method, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See Onboarding methods (in this article).
Deployment methods vary, depending on operating system and preferred methods. The following table lists resources to help you onboard to Defender for Endpoint:
Local script (up to 10 devices): The local script method is suitable for a proof of concept but shouldn't be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Configuration Manager, or Intune.
Step 3: Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode by using PowerShell.
On a Windows device, open Windows PowerShell as an administrator.
Run the following PowerShell cmdlet: Get-MpComputerStatus | select AMRunningMode
Set Microsoft Defender Antivirus on Windows Server to passive mode manually
To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, or Windows Server 2022, follow these steps:
Open Registry Editor, and then navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
Edit (or create) a DWORD entry called ForceDefenderPassiveMode, and specify the following settings:
Set the DWORD's value to 1.
Under Base, select Hexadecimal.
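The registry steps above and the AMRunningMode check from Step 3 can be combined in one PowerShell script. This is an added example, not part of the original article; the function names, the output object, and the substring match on "Passive" are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and set ForceDefenderPassiveMode, then report AMRunningMode.
# Function names and the output object shape are assumptions made for this example.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$ValueName = 'ForceDefenderPassiveMode'

function Get-PassiveModeState {
    # Read the policy value; $null means the key or the value is absent.
    $configured = $null
    if (Test-Path -Path $KeyPath) {
        $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($prop) { $configured = $prop.$ValueName }
    }
    # Same check as: Get-MpComputerStatus | select AMRunningMode
    $mode = (Get-MpComputerStatus).AMRunningMode
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        ForceDefenderPassiveMode = $configured
        AMRunningMode            = $mode
        # Assumption: any reported mode containing "Passive" counts as passive.
        IsPassive                = ($mode -like '*Passive*')
    }
}

function Set-PassiveModePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
        # Create the policy key if it does not exist yet ("Edit (or create)").
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

$before = Get-PassiveModeState
if ($before.ForceDefenderPassiveMode -ne 1) {
    Set-PassiveModePolicy   # call with -WhatIf to preview without writing
}
Get-PassiveModeState | Format-List
```

The value 1 is the same in hexadecimal and decimal, so the script has no equivalent of the Base selection in Registry Editor. Recording the output per server gives an auditable record of which hosts had the policy set and what mode they reported.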
Note
You can use other methods to set the registry key, such as the following:
Start Microsoft Defender Antivirus on Windows Server 2016
If you're using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can perform this task by running the command mpcmdrun.exe -wdenable in PowerShell on the device.
Step 4: Get updates for Microsoft Defender Antivirus
Keeping Microsoft Defender Antivirus up to date is critical to ensure that your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in passive mode. (See Microsoft Defender Antivirus compatibility.)
There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
If, at this point, you have onboarded your organization's devices to Defender for Endpoint, and Microsoft Defender Antivirus is installed and enabled, then your next step is to uninstall your non-Microsoft antivirus, antimalware, and endpoint protection solution. When you uninstall your non-Microsoft solution, Microsoft Defender Antivirus changes from passive mode to active mode. In most cases, this happens automatically.
To get help with uninstalling your non-Microsoft solution, contact their technical support team.
Step 6: Make sure Defender for Endpoint is working correctly
Now that you have onboarded to Defender for Endpoint, and you have uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint is working correctly.