Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Want to experience Defender for Endpoint? Sign up for a free trial.

Deploying Microsoft Defender for Endpoint is a two-step process.

  • Onboard devices to the service
  • Configure capabilities of the service

Illustration of onboarding and configuration process

Onboard devices to the service

You’ll need to go the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you’ll be guided with appropriate steps and provided management and deployment tool options suitable for the device.

In general, to onboard devices to the service:

  • Verify that the device fulfills the minimum requirements
  • Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
  • Use the appropriate management tool and deployment method for your devices
  • Run a detection test to verify that the devices are properly onboarded and reporting to the service

Onboarding and configuration tool options

The following table lists the available tools based on the endpoint that you need to onboard.

The following table lists the available tools based on the endpoint that you need to onboard.

Configure capabilities of the service

Onboarding devices effectively enables the endpoint detection and response capability of Micorosft Defender for Endpoint.

After onboarding the devices, you’ll then need to configure the other capabilities of the service. The following table lists the capabilities you can configure to get the best protection for your environment.

Capability Description
Configure Threat & Vulnerability Management (TVM) Threat & Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including:

– Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities.

– Invaluable device vulnerability context during incident investigations.

– Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.

Configure Next-generation protection (NGP) Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:

-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.

– Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as “real-time protection”).

– Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.

Configure attack surface reduction (ASR) Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats.
Configure Auto Investigation & Remediation (AIR) capabilities Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
Configure Microsoft Threat Experts (MTE) capabilities Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.

Supported capabilities for Windows devices

Operating System Windows 10 & 11 Windows Server 2012 R2 [1] Windows Server 2016[1] Windows Server 2019 & 2022 Windows Server 1803+
Attack Surface Reduction rules Y Y Y Y Y
Device Control Y N N N N
Firewall Y Y Y Y Y
Network Protection Y Y Y Y Y
Next-generation protection Y Y Y Y Y
Tamper Protection Y Y Y Y Y
Web Protection Y Y Y Y Y
Advanced Hunting Y Y Y Y Y
Custom file indicators Y Y Y Y Y
Custom network indicators Y Y Y Y Y
EDR Block & Passive Mode Y Y Y Y Y
Sense detection sensor Y Y Y Y Y
Endpoint & network device discovery Y N N N N
Automated Investigation & Response (AIR) Y Y Y Y Y
Device response capabilities: isolation, collect investigation package, run AV scan Y Y Y Y Y
File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes Y Y Y Y Y
Live Response Y Y Y Y Y

(1) Refers to the modern, unified solution for Windows Server 2012 and 2016. For more information, see Onboard Windows Servers to the Defender for Endpoint service.


Windows 7, 8.1, Windows Server 2008 R2 include support for the EDR sensor, and AV using System Center Endpoint Protection (SCEP).

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 2 times, 1 visits today)