Rolling out endpoint protection across an organization can sometimes feel more complex than it should be. Microsoft has simplified the onboarding process for Microsoft Defender for Endpoint (MDE) in the past months with deployment packages that make onboarding devices straightforward, scalable, and consistent. In recent years, Microsoft has significantly improved Defender for Endpoint and made installation, especially on Linux and Windows Server, much easier.

11-05-2026: Feature is currently in public preview

In this blog, we’ll walk through how to onboard Windows devices to Microsoft Defender for Endpoint using the Defender deployment tool, explain where to download it, and show how to deploy it efficiently across your environment.

What is the Defender deployment tool?

The Defender deployment tool streamlines the onboarding process by dynamically adapting to the operating system and delivering healthy endpoint security across a diverse estate of Windows devices. With the new Defender deployment tool, the installation and onboarding package is combined within a downloadable .exe file.

The tool takes care of prerequisites, automates migration from older solutions, and removes the need for complex onboarding scripts, separate downloads or manual installations. A big win is the automated update of the components: the latest files and scripts are always used, which reduces the time that Defender is unmanaged or running on an unsupported platform version.

The following table describes some of the main features the tool supports (source: Microsoft).

| Feature | Description |
|---|---|
| Prerequisite handling | The tool checks for required updates and remediates blocking issues, ensuring devices are ready for Defender onboarding. |
| Logging | All operations are logged locally in a detailed log. |
| Redundant installation avoidance | If Defender is already present, the tool skips redundant installations. |
| UI feedback | The tool provides UI feedback with error descriptions instead of exit codes. |
| Onboarding events | Onboarding events are discoverable on the device timeline and in advanced hunting. |
| Passive mode support | On server operating systems and Windows 7, Defender Antivirus can be set to passive mode. This can be helpful when migrating from non-Microsoft anti-malware solutions. |
| Automation | The tool supports a wide range of command-line options. |
| Device handling | Virtual Desktop Infrastructure (VDI) device support ensures that devices deleted and recreated under the same hostname can appear as a single device in the Defender portal. |
| Help | A built-in help function displays all available command-line options. |
| Configuration files | You can generate reusable configuration files that make bulk deployments more efficient and less error-prone. |
| Working without connectivity | When connectivity is temporarily unavailable, offline onboarding and offboarding are possible. |
| Deployment key entry | To add guardrails to the onboarding process and prevent accidental onboarding, using the Defender deployment tool requires entering a key generated in the portal onboarding page. |
| Custom expiry | Defender deployment packages allow you to specify when you’d like them to expire, for any time up to a year, so that the package won’t remain valid forever. This prevents adversaries from exploiting any old onboarding packages they might discover. Microsoft recommends making the validity period of packages as short as possible to reduce the risk of unauthorized deployment package use. |
| Ability to view deployment packages | You can see key properties of your deployment packages in one place by navigating to Settings > Endpoints > Deployment packages. You can filter by active, expired, or hidden deployment packages. |

When to use the tool?

The onboarding method for Microsoft Defender for Endpoint depends on the platform and management solution used within the organization. Different deployment methods are commonly used for client devices, on-premises servers, Azure virtual machines, and hybrid environments.

Microsoft Intune Managed Devices

For Windows client devices managed through Microsoft Intune, the recommended approach is to deploy and onboard Microsoft Defender for Endpoint directly from Intune with the native integration.

Devices not enrolled in Microsoft Intune

Not all devices within an organization are managed through Microsoft Intune. In these situations, Microsoft Defender for Endpoint can still be deployed using the Defender deployment tool. Examples are VDI machines, or machines managed by SCCM, GPO or other management methods.

On-Premises Servers

For traditional on-premises Windows Servers, the Defender deployment package can be used for onboarding through:

  • Group Policy (GPO)
  • Microsoft Configuration Manager (MECM/SCCM)
  • PowerShell scripts
  • Manual onboarding
  • Third-party software deployment tools

For hybrid and multi-cloud environments, Azure Arc plays an important role in Defender for Servers onboarding. Azure Arc allows organizations to connect:

  • On-premises servers
  • Servers hosted in other cloud providers
  • Hybrid infrastructure

When servers are connected through Azure Arc and protected with Defender for Servers, Microsoft Defender for Endpoint onboarding can be automated and installed via the MDE.Windows extension. So, in short, the Defender deployment tool is useful for servers where Azure Arc is not installed.

Azure Virtual Machines

Servers hosted in Microsoft Azure should preferably be onboarded through Microsoft Defender for Cloud with the Defender for Servers plan enabled. When Defender for Servers is enabled, Microsoft Defender for Endpoint is deployed automatically.


Defender deployment tool for Windows

Microsoft’s Defender deployment tool for Windows helps administrators manage device onboarding at scale with additional controls and updated progress visibility. The tool detects the operating systems automatically and installs all needed components.

Administrators can use a single executable that includes all required onboarding information, with no separate file needed. The onboarding file is downloaded automatically. Installation files are downloaded from the URL https://definitionupdates.microsoft.com/packages/?action=DefenderDeploymentToolInfo, so make sure the URLs described in the documentation are allowed through your proxy or firewall.

Just some examples of how the flow works:

Automated installation steps as part of the Deployment package (Windows Server 2016)

| Step | Action | Description |
|---|---|---|
| 1 | PrepareSystem | Prepare the Windows Server 2016 system for deployment. |
| 2 | RestartIfRequired | Restart the server if pending reboot actions are detected. |
| 3 | Update: windows10.0-kb5043124-x64.msu | Install the required Servicing Stack Update (SSU). |
| 4 | IfOldPlatform: Update: windows10.0-kb5044293-x64.msu | Install the cumulative update when an older platform version is detected. |
| 5 | RestartIfRequired | Restart the system if required after update installation. |
| 6 | IfDefenderDeleted: Uninstall | Remove the previous Defender MSI installation if the Defender feature was deleted. |
| 7 | RestartIfRequired | Perform another reboot if required after uninstall actions. |
| 8 | IfPlatformFound: Update: updateplatform.exe | Update the existing Microsoft Defender platform binaries. |
| 9 | MSI: md4ws.msi | Install the Microsoft Defender for Endpoint unified solution package. |
| 10 | Onboarding | Start and onboard the Microsoft Defender for Endpoint service. |

Automated installation steps as part of the Deployment package (Windows Server 2012R2)

| Step | Action | Description |
|---|---|---|
| 1 | UninstallSCEP | Uninstall Microsoft Security Client (System Center Endpoint Protection). |
| 2 | PrepareSystem | Prepare the operating system for Defender for Endpoint deployment. |
| 3 | RestartIfRequired | Restart the system if pending reboot actions are detected. |
| 4 | Update: Windows8.1-KB2919442-x64.msu | Install the 2014-03 Servicing Stack Update required for later cumulative updates. |
| 5 | Update: clearcompressionflag.exe | Install prerequisite component for the 2014-04 cumulative update process. |
| 6 | Update: Windows8.1-KB2919355-x64.msu | Install 2014-04 cumulative update part 2. |
| 7 | Update: Windows8.1-KB2932046-x64.msu | Install 2014-04 cumulative update part 3. |
| 8 | Update: Windows8.1-KB2959977-x64.msu | Install 2014-04 cumulative update part 4. |
| 9 | Update: Windows8.1-KB2937592-x64.msu | Install 2014-04 cumulative update part 5. |
| 10 | Update: Windows8.1-KB2938439-x64.msu | Install 2014-04 cumulative update part 6. |
| 11 | Update: Windows8.1-KB2934018-x64.msu | Install 2014-04 cumulative update part 7. |
| 12 | Update: Windows8.1-KB3080149-x64.msu | Install the Diagnostics and Telemetry tracking service update. |
| 13 | Update: Windows8.1-KB2999226-x64.msu | Install the Universal C Runtime update. |
| 14 | Update: Windows8.1-kb3045999-x64.msu | Install the 2015-04 security update. |
| 15 | RestartIfRequired | Restart the system after update installation if required. |
| 16 | MSI: md4ws.msi | Install the Microsoft Defender for Endpoint unified solution package. |
| 17 | Onboarding | St |

Automated installation steps as part of the Deployment package (Windows Server 2025)

| Step | Action | Description |
|---|---|---|
| 1 | PrepareSystem | Prepare the Windows Server 2025 system for deployment. |
| 2 | RestartIfRequired | Restart the system if pending reboot actions are detected. |
| 3 | IfPlatformFound: Update: updateplatform.exe | Update the existing Microsoft Defender platform binaries if a platform installation is detected. |
| 4 | recordetw:100 | Record ETW (Event Tracing for Windows) telemetry information during deployment for diagnostics and validation. |
| 5 | Onboarding | Start and onboard the Microsoft Defender for Endpoint service. |

One of the biggest benefits of the tool is that it always downloads the latest installation files. This means that when onboarding a new machine, the most recent platform version is automatically installed. You can verify this by running the tool with the -verbose option.

Interactive experience

When the interactive, double-click experience is used, the tool automatically begins the onboarding process and asks to input the Defender deployment tool key, which is generated via the Defender portal.

Non-interactively

The Defender deployment tool can be used non-interactively as part of management tools such as Group Policy, Microsoft Configuration Manager, or other tools used to deploy software. The tool provides additional command-line parameters to customize the onboarding process.

Command line options

The command-line interface is enterprise-ready and supports multiple commands, such as running prerequisite checks and applying the device tag. The following command line options are available:

| Option | Category | Description |
|---|---|---|
| -? / -help | General | Shows all available options for the tool |
| -key: | General | Downloading onboarding file via key |
| -quiet | General | Prevents any dialogs from displaying |
| -verbose | General | Displays detailed information and writes detailed logs |
| -allowreboot | Configuration | Allows device reboots if needed |
| -noresumeafterreboot | Configuration | Prevents the tool from resuming after a reboot |
| -proxy:https://host:port | Configuration | Configures proxy server settings |
| -precheck | Configuration | Checks prerequisites without installation or onboarding |
| -updateonly | Configuration | Install updates only (no onboarding) |
| -offboard | Configuration | Performs offboarding (requires -file and optional -Yes) |
| -uninstall | Configuration | Offboards device and removes installed components (requires -file and optional -Yes) |
| -removemma:<workspace-id> | Configuration | Removes specified MMA workspace connection |
| -file:<path> | Onboarding / Offboarding | Specifies path to onboarding or offboarding file |
| -source:<path> | Onboarding | Specifies path to installation files |
| -passive | Onboarding | Sets Defender AV to passive mode (Windows Server only) |
| -vdi | Onboarding | Marks device as non-persistent VDI |
| -devicetag:<tag> | Onboarding | Adds a tag to the device |
| -offline | Offboarding | Allows offboarding without connectivity |
| -makeconfig | Advanced | Generates a configuration file with default values |
| -stage:<path> | Advanced | Downloads installation files for staging |
| -config:<path> | Advanced | Specifies configuration file path |

Installation examples

Silent deployment with device tag and key

./DefenderDT.exe -quiet -devicetag:tagexample -key:<key>

This command performs a fully automated onboarding of a device into Microsoft Defender for Endpoint while immediately assigning a device tag in silent deployment mode. The key is provided as part of the deployment package.

Silent deployment with device tag and onboarding file

This command silently onboards a Windows device into Microsoft Defender for Endpoint using an onboarding file stored on a network share, while automatically assigning a device tag.

./DefenderDT.exe -Quiet -File:\\server\share\Defender.onboarding -devicetag:tagexample

Silent deployment with device tag and proxy configuration

This command silently deploys and onboards Microsoft Defender for Endpoint using a specified proxy server while automatically assigning a device tag.

./DefenderDT.exe -Proxy:192.168.0.255:8080 -quiet -devicetag:tagexample

Update machines

With the -updateonly command, the update process is now handled automatically. The deployment package can identify and update the intended machine without requiring manual intervention, significantly simplifying operational management and reducing administrative overhead. This parameter is also useful during troubleshooting scenarios where the agent is not correctly updating.

Checking Defender prerequisites

Deploying Microsoft Defender for Endpoint on Windows systems can sometimes be delayed by missing prerequisites, unsupported configurations, or connectivity issues. Traditionally, administrators had to manually verify whether a machine was ready before starting the onboarding or update process.

The introduction of the -precheck command changes this. The -precheck parameter allows administrators to validate whether a Windows device meets all required prerequisites before deploying or updating Microsoft Defender for Endpoint.

Instead of discovering issues during deployment, the system performs a readiness validation in advance and provides immediate feedback on potential problems. It checks the prerequisites required for the detected operating system version.

In the output, you can easily verify the minimum required Windows Updates, Quality Telemetry settings, and additional validation checks, such as download and connectivity tests.
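The installation examples above and the -precheck section both describe the same unattended flow: validate readiness first, then onboard silently. The following PowerShell wrapper is an added example (not from the original post or from Microsoft) that chains the two for use from a GPO startup script or an MECM/SCCM package. It assumes DefenderDT.exe sits next to the script, that the tool returns a non-zero exit code on failure when run with -quiet, and that the onboarding file path, tag and proxy are placeholders for your own values.

```powershell
# Added example: run the documented -precheck first and only onboard when it passes.
# Assumption: in -quiet mode the tool signals failure through a non-zero exit code.
param(
    [string]$OnboardingFile = '\\server\share\Defender.onboarding',  # placeholder
    [string]$DeviceTag      = 'Production',                          # placeholder
    [string]$Proxy          = '',                  # e.g. proxy.company.local:8080
    [switch]$Passive,                              # Windows Server only (see -passive)
    [switch]$AllowReboot                           # opt in to automatic reboots
)

$tool = Join-Path $PSScriptRoot 'DefenderDT.exe'   # assumption: tool ships beside the script
$log  = "C:\ProgramData\Microsoft\DefenderDeploymentTool\DefenderDeploymentTool-$env:COMPUTERNAME.log"

function Invoke-DefenderDT {
    param([string[]]$Arguments)
    # Start-Process -Wait -PassThru returns the real exit code of the tool.
    $p = Start-Process -FilePath $tool -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

# Step 1: readiness validation only; nothing is installed or onboarded here.
$preArgs = @('-precheck', '-quiet')
if ($Proxy) { $preArgs += "-proxy:$Proxy" }
$rc = Invoke-DefenderDT -Arguments $preArgs
if ($rc -ne 0) {
    Write-Error "Precheck failed with exit code $rc. Review $log before retrying."
    exit $rc
}

# Step 2: silent onboarding with the onboarding file and a device tag.
$onArgs = @('-quiet', "-file:$OnboardingFile", "-devicetag:$DeviceTag")
if ($Proxy)       { $onArgs += "-proxy:$Proxy" }
if ($Passive)     { $onArgs += '-passive' }
if ($AllowReboot) { $onArgs += '-allowreboot' }
$rc = Invoke-DefenderDT -Arguments $onArgs
if ($rc -ne 0) {
    Write-Error "Onboarding failed with exit code $rc. Review $log."
    exit $rc
}
Write-Output "Onboarding command completed on $env:COMPUTERNAME; verify in the log at $log."
```

Because -quiet suppresses the tool's UI feedback, the exit code and the log file are the only signals the deployment system gets back, so keep the log path in your software-deployment job's output.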


Configuration file

The -makeconfig parameter creates a reusable configuration file that stores deployment settings for later use.

Instead of specifying every parameter manually during deployment, administrators can generate a configuration file once and reuse it across multiple systems.

What is -config

The -config parameter loads a previously created configuration file and applies all stored deployment settings automatically.

Example without configuration files:

DefenderDT.exe -Proxy:proxy.company.local:8080 -quiet -devicetag:Production -File:\\server\share\Defender.onboarding

With configuration files, the deployment becomes much simpler:

DefenderDT.exe -config:Productionconfig.txt

How to generate the Deployment tool?

Before onboarding Windows devices into Microsoft Defender for Endpoint, administrators first need to generate a deployment package. This package contains the onboarding configuration and deployment components required to connect systems securely to the Microsoft Defender for Endpoint platform.

Generating the deployment package is one of the first and most important steps in the deployment process.

  • In the Microsoft Defender portal, go to System -> Settings -> Endpoints -> Onboarding
  • Choose Windows as the operating system
  • Click on the Defender deployment tool
  • Fill in the required information and expiration date
  • Copy the access key. The key is only visible during the creation phase. Alternatively, the standalone onboarding file can be used with the required parameters. The expiration of the access key is at most 1 year. Note: the executable and the access key are linked together.

Troubleshooting

Deployment tool events are now available in the device timeline and advanced hunting tabs, providing greater visibility into onboarding progress and errors so you can quickly identify and resolve issues.

You can review the Defender Deployment Tool log to identify potential issues during installation and onboarding. The deployment log is stored at the following location:

C:\ProgramData\Microsoft\DefenderDeploymentTool\DefenderDeploymentTool-<COMPUTERNAME>.log

Small part of the log file:

In addition to the deployment log, onboarding and offboarding events are also written to the Windows Event Log.

| Action | Event Log Location |
|---|---|
| Onboarding | Windows Logs > Application, Source: WDATPOnboarding |
| Offboarding | Windows Logs > Application, Source: WDATPOffboarding |
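To pull the troubleshooting sources above together on a single device, here is an added PowerShell check (not part of the original post): it tails the deployment log from the path given above, lists the WDATPOnboarding and WDATPOffboarding events from the Application log, and reports the Defender state. It assumes that Sense is the service name of the Defender for Endpoint sensor and that the Defender PowerShell module (Get-MpComputerStatus) is present on the host.

```powershell
# Added example: post-deployment verification on an onboarded Windows device.
$log = "C:\ProgramData\Microsoft\DefenderDeploymentTool\DefenderDeploymentTool-$env:COMPUTERNAME.log"

# 1. Last lines of the deployment log; lines mentioning errors or warnings are highlighted.
if (Test-Path $log) {
    Get-Content -Path $log -Tail 40 | ForEach-Object {
        if ($_ -match 'error|fail|warn') { Write-Host $_ -ForegroundColor Yellow } else { $_ }
    }
} else {
    Write-Warning "Deployment log not found at $log (the tool may not have run on this host)."
}

# 2. Onboarding/offboarding events written to the Windows Application log.
$filter = @{ LogName = 'Application'; ProviderName = @('WDATPOnboarding', 'WDATPOffboarding') }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |   # first line only
    Format-Table -AutoSize

# 3. Sensor service state and AV running mode (Passive vs Normal after migration).
# Assumption: 'Sense' is the MDE sensor service name.
Get-Service -Name Sense -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
Get-MpComputerStatus | Select-Object AMServiceEnabled, AMRunningMode, AMProductVersion, AMEngineVersion
```

A device onboarded with -passive should show AMRunningMode as Passive Mode while the Sense service is running; a stopped Sense service with no WDATPOnboarding event usually means the onboarding step in the log never completed.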

Conclusions

The Defender deployment tool simplifies and streamlines the onboarding process by ensuring that the latest installation files and platform versions are always used. This reduces manual effort, minimizes version inconsistencies, and helps organizations deploy Defender more efficiently across new machines and during migrations from other AV/EDR tooling.

Sources

Microsoft: Deploy Microsoft Defender endpoint security to Windows devices using the Defender deployment tool (preview) – Microsoft Defender for Endpoint | Microsoft Learn