Identify Defender for Endpoint architecture and deployment method

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

You've already completed steps to set up your Microsoft Defender for Endpoint deployment and assigned roles and permissions for Defender for Endpoint. Next, plan for onboarding your devices by identifying your architecture and choosing your deployment method.

We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service. Deciding how to onboard endpoints to the Defender for Endpoint service comes down to two important steps:

The deployment flow

Step 1: Identify your architecture

Depending on your environment, some tools are better suited for certain architectures. Use the table below to decide which Defender for Endpoint architecture best suits your organization.

Architecture Description
Cloud-native We recommend using Microsoft Intune to onboard, configure, and remediate endpoints from the cloud for enterprises that don't have an on-premises configuration management solution or are looking to reduce their on-premises infrastructure.
Co-management For organizations that host both on-premises and cloud-based workloads we recommend using Microsoft's ConfigMgr and Intune for their management needs. These tools provide a comprehensive suite of cloud-powered management features, as well as unique co-management options to provision, deploy, manage, and secure endpoints and applications across an organization.
On-premises For enterprises that want to take advantage of the cloud-based capabilities of Microsoft Defender for Endpoint while also maximizing their investments in Configuration Manager or Active Directory Domain Services, we recommend this architecture.
Evaluation and local onboarding We recommend this architecture for SOCs (Security Operations Centers) that are looking to evaluate or run a Microsoft Defender for Endpoint pilot, but don't have existing management or deployment tools. This architecture can also be used to onboard devices in small environments without management infrastructure, such as a DMZ (Demilitarized Zone).

Step 2: Select deployment method

Once you have determined the architecture of your environment and have created an inventory as outlined in the requirements section, use the table below to select the appropriate deployment tools for the endpoints in your environment. This will help you plan the deployment effectively.

Endpoint Deployment tool
Windows Local script (up to 10 devices)
Group Policy
Microsoft Intune/ Mobile Device Manager
Microsoft Configuration Manager
VDI scripts
Windows servers
Linux servers
Integration with Microsoft Defender for Cloud
macOS Local script
Microsoft Intune
Mobile Device Management
Linux servers Local script
Android Microsoft Intune
iOS Microsoft Intune
Mobile Application Manager


For devices that aren't managed by Microsoft Intune or Microsoft Configuration Manager, you can use the Security Management for Microsoft Defender for Endpoint to receive security configurations for Microsoft Defender directly from Intune.

Next step

After choosing your Defender for Endpoint architecture and deployment method continue to Step 4 - Onboard devices.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.