Skip to main content
Red Canary help

Installing and uninstalling the Microsoft Defender for Endpoint sensor on Windows

  • Updated .

Prerequisites

Prior to deploying Defender for Endpoint, please ensure you have accounted for the following:

Configure the necessary network connectivity

Microsoft Defender for Endpoint communicates with the Microsoft Azure cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

Microsoft 365 Defender is built on Azure cloud, deployed in the following regions:

  • uswestcentral
  • useast2
  • useast
  • europenorth
  • europewest
  • uksouth
  • ukwest

You can find the Azure IP range on Microsoft Azure Datacenter IP Ranges.

Please be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Installing Microsoft Defender for Endpoint

To install the Microsoft Defender for Endpoint sensor you will need access to the Microsoft Defender portal to onboard any of the supported devices. Depending on the version of Windows, you will be guided with appropriate steps and provided management and deployment tool options suitable for the device. 

To install Microsoft Defender ATP on Windows 10:

  1. Log into Red Canary.
  2. Click the Defender icon to navigate to the Microsoft Defender Security Center.
  3. Click Settings > Device Management > Onboarding.
  4. Click Select operating system to start onboarding process > Windows 10.
  5. Select a deployment method and click Download Package.
  6. Onboard your device(s) by running the package you downloaded.
  7. Follow the Run a detection test instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

To install Microsoft Defender ATP on Windows 7 SP1 and 8.1:

  1. Log into Red Canary.
  2. Click the Defender icon to navigate to the Microsoft Defender Security Center.
  3. Click Settings > Device Management > Onboarding.
  4. Click Select operating system to start onboarding process > Windows 7 SP1 and 8.1.
  5. Follow the steps listed under  Turn on client device monitoring, Install Microsoft Monitoring Agent, and Configure connection.
  6. Follow the Run a detection test instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

To install Microsoft Defender for Endpoint on Windows Server 2008 R2 SP1, 2012 R2 and 2016:

  1. Log into Red Canary.
  2. Click the Defender icon to navigate to the Microsoft Defender Security Center.
  3. Click Settings > Device Management > Onboarding.
  4. Click Select operating system to start onboarding process > Windows Server 2008 R2 SP1, 2012 R2 and 2016.
  5. Follow steps to Turn on server device monitoring. When the setup completes, the Workspace ID and Workspace key fields are populated with unique values. You'll need to use these values to configure the MMA agent.
  6. Follow step Install Microsoft Monitoring Agent by following this guide from Microsoft to Onboard servers to the Microsoft Defender service.
  7. Follow step Configure connection by configuring the agents to connect using the Workspace ID and Key listed.
  8. Follow the Run a detection test instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

To install Microsoft Defender for Endpoint on Windows Server 2008 R2 SP1, 2012 R2 and 2016:

  1. Log into Red Canary.
  2. Click the Defender icon to navigate to the Microsoft Defender ATP Security Center.
  3. Click Settings > Device Management > Onboarding.
  4. Click Select operating system to start onboarding process > Windows Server 1803 and 2019.
  5. Select a deployment method and click Download Package.
  6. Onboard your device(s) by running the package you downloaded.
  7. Follow the Run a detection test instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

Uninstalling Microsoft Defender for Endpoint

For a comprehensive list of offboarding options, please see Offboard Machines from Microsoft Defender on the Microsoft Support site. The following instructions will assume a script-based offboarding scenario. 

For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.

To get the offboarding package from Microsoft Defender Security Center:

  1. In the navigation pane, select Settings > Offboarding.
  2. Select Windows 10 as the operating system.
  3. In the Deployment method field, select Local Script.
  4. Click Download package and save the .zip file.
  5. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named something like 
    WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
  6. On the target endpoint, click Start and type cmd.
  7. Right-click Command prompt and select Run as administrator.
  8. Type the location of the script file. For example, if you copied the file to the desktop, type: 
    %userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
  9. Press the Enter key or click OK.