Deploy Microsoft Defender Antivirus in rings

Applies to:


  • Windows
  • Windows Server

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.


Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new Microsoft Defender Vulnerability Management add-on is now available for Plan 2.

Deploying Microsoft Defender for Endpoint can be done using a ring-based deployment approach and updating using the gradual rollout process.

Ring deployment overview

It's important to ensure that client components are up to date to deliver critical protection capabilities and prevent attacks. Capabilities are provided through several components:

Updates are released monthly using a gradual release process. This process helps to enable early failure detection to identify problematic results in your unique environment as it occurs and address it quickly before a larger rollout.


For more information on how to control daily security intelligence updates, see Schedule Microsoft Defender Antivirus protection updates. Updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint.

This article provides overview information about deploying Microsoft Defender Antivirus in rings for a gradual rollout process.

Management tools

To create your own custom gradual rollout process for daily and/or monthly updates, you can use the following methods that use the tools:

  • Microsoft Intune and Microsoft Update microsoft-intune-and-microsoft-update - Requires direct access to the internet. Microsoft Update (MU), formerly known as Windows Update (WU)
  • System Center Configuration Manager and Windows Server Update Services - System Center Configuration Manager (SCCM) Software Update Point (SUP) = SCCM + Windows Server Update Services (WSUS)
  • Group Policy and Microsoft Update - Requires direct access to the internet
  • Group Policy and network share - For example, UNC path, SMB, CIFS
  • Group Policy and WSUS

For details on how to use these tools, see Create a custom gradual rollout process for Microsoft Defender updates.

Customers that prioritize availability over security, should take a crawl, walk, run approach.

Deployment scenarios