Onboard to Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Vulnerability Management
- Microsoft 365 Defender
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
Onboard devices using any of the supported management tools
The deployment tool you use influences how you onboard endpoints to the service.
To start onboarding your devices:
- Go to Select deployment method.
- Choose the Operating System for the devices you wish to Onboard.
- Select the tool you plan to use.
- Follow the instructions to Onboard your devices.
This video provides a quick overview of the onboarding process and the different tools and methods.
Deploy using a ring-based approach
A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria are met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they're satisfied before moving on to the next ring. Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service.
This table provides an example of the deployment rings you might use:
|Evaluate||Ring 1: Identify 50 devices to onboard to the service for testing.|
|Pilot||Ring 2: Identify and onboard the next 50-100 endpoints in a production environment. Microsoft Defender for Endpoint supports various endpoints that you can onboard to the service, for more information, see Select deployment method.|
|Full deployment||Ring 3: Roll out service to the rest of environment in larger increments. For more information, see Get started with your Microsoft Defender for Endpoint deployment.|
An example set of exit criteria for each ring can include:
- Devices show up in the device inventory list
- Alerts appear in dashboard
- Run a detection test
- Run a simulated attack on a device
For Windows and/or Windows Servers, you select several machines to test ahead of time (before patch Tuesday) by using the Security Update Validation program (SUVP).
For more information, see:
- What is the Security Update Validation Program
- Software Update Validation Program and Microsoft Malware Protection Center Establishment - TwC Interactive Timeline Part 4
With macOS and Linux, you could take a couple of systems and run in the Beta channel.
Ideally at least one security admin and one developer so that you are able to find compatibility, performance and reliability issues before the build makes it into the Current channel.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current.
In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either Beta or Preview.
Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
To provide some guidance on your deployments, in this section we'll guide you through using two deployment tools to onboard endpoints.
The tools in the example deployments are:
The example deployments will guide you on configuring some of the Defender for Endpoint capabilities, but you'll find more detailed information on configuring Defender for Endpoint capabilities in the next step.
After onboarding the endpoints move on to the next step where you'll configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.