Microsoft Defender for Endpoint deployment overview

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Learn how to deploy Microsoft Defender for Endpoint so that your enterprise can take advantage of preventative protection, post-breach detection, automated investigation, and response.

This guide helps you work across stakeholders to prepare your environment and then onboard devices in a methodical way, moving from evaluation, to a meaningful pilot, to full deployment.

Each section corresponds to a separate article in this solution.

The deployment phases with details from the table

The summary of deployment phases: prepare, setup, onboard

Phase Description
Phase 1: Prepare Learn about what you need to consider when deploying Defender for Endpoint such as stakeholder approvals, environment considerations, access permissions, and adoption order of capabilities.
Phase 2: Setup Get guidance on the initial steps you need to take so that you can access the portal such as validating licensing, completing the set up wizard, and network configuration.
Phase 3: Onboard Learn how to make use of deployment rings, supported onboarding tools based on the type of endpoint, and configuring available capabilities.

After you've completed this guide, you'll be set up with the right access permissions, your endpoints will be onboarded and reporting sensor data to the service, and capabilities such as next-generation protection and attack surface reduction will be in place.

Regardless of the environment architecture and method of deployment you choose outlined in the Plan deployment guidance, this guide is going to support you in onboarding endpoints.

Key capabilities

While Microsoft Defender for Endpoint provides many capabilities, the primary purpose of this deployment guide is to get you started by onboarding devices. In addition to onboarding, this guidance gets you started with the following capabilities.

Capability Description
Endpoint detection and response Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches.
Next-generation protection To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
Attack surface reduction Provide the first line of defense in the stack. By ensuring the configuration settings are properly set and the exploit mitigation techniques are applied, these capabilities resist attacks and exploitation.

All these capabilities are available for Microsoft Defender for Endpoint license holders. For more information, see Licensing requirements.


In scope

  • Use of Microsoft Endpoint Manager and Microsoft Endpoint Configuration Manager to onboard endpoints into the service and configure capabilities
  • Enabling Defender for Endpoint endpoint detection and response (EDR) capabilities
  • Enabling Defender for Endpoint endpoint protection platform (EPP) capabilities
    • Next-generation protection
    • Attack surface reduction

Out of scope

The following are out of scope of this deployment guide:

  • Configuration of third-party solutions that might integrate with Defender for Endpoint
  • Penetration testing in production environment

See also