Skip to main content
Red Canary help

Install and uninstall the Microsoft Defender for Endpoint sensor on Windows

  • Updated .

Configure the necessary network connectivity

Prior to deploying Defender for Endpoint, please ensure you have accounted for the following:

Microsoft Defender for Endpoint communicates with the Microsoft Azure cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

Microsoft 365 Defender is built on Azure cloud, deployed in the following regions:

  • uswestcentral
  • useast2
  • useast
  • europenorth
  • europewest
  • uksouth
  • ukwest

You can find more information in Microsoft Azure Datacenter IP Ranges on Microsoft. 

Be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Install Microsoft Defender for Endpoint

To install the Microsoft Defender for Endpoint sensor you will need access to Microsoft Defender to onboard any of the supported devices. Depending on the version of Windows, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device. 

To install Microsoft Defender for Endpoint on Windows 10:

  1. In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
  2. Click SettingsDevice Management, and then Onboarding.
  3. Click Select operating system to start onboarding processWindows 10.
  4. Select a deployment method, and then click Download Package.
  5. Onboard your devices by running the package you downloaded.
  6. Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

To install Microsoft Defender for Endpoint on Windows 7 SP1 and 8.1:

  1. In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
  2. Click SettingsDevice Management, and then Onboarding.
  3. Click Select operating system to start onboarding processWindows 7 SP1 and 8.1.
  4. Follow the steps listed under "Turn on client device monitoring, Install Microsoft Monitoring Agent, and Configure connection."
  5. Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

To install Microsoft Defender for Endpoint on Windows Server 2008 R2 SP1, 2012 R2, 2016 and newer:

  1. In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
  2. Click SettingsDevice Management, and then Onboarding.
  3. Click Select operating system to start onboarding processWindows Server 2008 R2 SP1, 2012 R2 and 2016.
  4. Follow steps to "Turn on server device monitoring." When the setup completes, the Workspace ID and Workspace key fields are populated with unique values. You'll need to use these values to configure the Microsoft Monitoring Agent (MMA).
  5. Follow Onboard Windows servers to the Microsoft Defender for Endpoint service in Microsoft Docs. 
  6. Follow "Configure connection" by configuring the agents to connect using the Workspace ID and Key listed.
  7. Follow the "Run a detection test" instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

To install Microsoft Defender for Endpoint on Windows Server 2008 R2 SP1, 2012 R2 and 2016:

  1. In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
  2. Click SettingsDevice Management, and then Onboarding.
  3. Click Select operating system to start onboarding processWindows Server 1803 and 2019.
  4. Select a deployment method, and then Download Package.
  5. Onboard your device(s) by running the package you downloaded.
  6. Follow the Run a detection test instructions to verify that the device is properly onboarded. If successful, a new alert will appear in a few minutes.

Uninstall Microsoft Defender for Endpoint

For a comprehensive list of offboarding options, see Offboard Machines from Microsoft Defender on Microsoft Docs. The following instructions will assume a script-based offboarding scenario. 

For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.

To get the offboarding package from Microsoft Defender Security Center:

  1. In Red Canary, click Defender to navigate to the Microsoft Defender Security Center.
  2. Click SettingsDevice Management, and then Offboarding.
  3. Select Windows 10 as the operating system.
  4. From Deployment Method, select Local Script.
  5. Click Download package and save the .zip file.
  6. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named something like 
    WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
  7. On the target endpoint, click Start and type cmd.
  8. Right-click Command prompt, and then select Run as administrator.
  9. Type the location of the script file. For example, if you copied the file to the desktop, type: 
    %userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd
  10. Press the Enter key or click OK.

Comments

0 comments

Please sign in to leave a comment.