跳到主要內容

Deploy Defender for Endpoint

Implementation Effort: Medium
Security and IT teams must validate licensing, configure onboarding methods, and ensure compatibility across supported Windows Server versions and environments.

User Impact: Low
Deployment is handled by administrators; end users are not directly involved.

Overview

Deploying Microsoft Defender for Endpoint (MDE) in Defender for Servers provides advanced endpoint detection and response (EDR), threat analytics, and vulnerability management for Windows Server workloads. This integration is included in both Defender for Servers Plan 1 and Plan 2, and is essential for securing hybrid and multicloud environments.

Supported Platforms

  • Windows Server 2012 R2 (requires unified onboarding)
  • Windows Server 2016, 2019, 2022, and 2025 (Defender Antivirus is built-in and can be enabled directly) 1

Deployment Steps

  1. Validate Licensing:

    • Ensure Defender for Servers Plan 1 or Plan 2 is enabled in Microsoft Defender for Cloud.
    • Confirm that Microsoft Defender for Endpoint licensing is included 2.
  2. Choose Onboarding Method:

    • Use Microsoft Defender for Cloud to auto-onboard Azure VMs.
    • For non-Azure machines (on-premises, AWS, GCP), onboard via Azure Arc and use the unified onboarding package 3.
  3. Install Microsoft Defender Antivirus (if not already installed):

    • Use PowerShell:

      Install-WindowsFeature -Name Windows-Defender
    • Or use the Add Roles and Features Wizard to install both the engine and GUI 1.

  4. Configure Defender for Endpoint Settings:

    • Set Defender Antivirus to active or passive mode depending on your AV strategy.
    • Enable real-time protection, cloud-delivered protection, and automatic sample submission.
  5. Verify Onboarding:

    • Use the Microsoft 365 Defender portal to confirm that the server appears as onboarded and healthy.

Failing to deploy Defender for Endpoint leaves server workloads without advanced threat detection and response capabilities. This deployment supports the "Assume Breach" principle of Zero Trust by enabling continuous monitoring and rapid response to endpoint threats.

Reference