Deploying Microsoft Defender for Business to Servers (GPO and Local Script)

1. Prerequisites

Before deploying, ensure you have:

Microsoft Defender for Business server licenses (this is an add-on for Defender for Business).
Access to the Microsoft Defender portal (https://security.microsoft.com).
A network share for the GPO method, accessible by the server computers with read-only permissions, to host the onboarding script.

The core of both deployment methods is the onboarding package:

Go to the Microsoft Defender portal (https://security.microsoft.com).
In the navigation pane, select System > Settings > Endpoints.
Under Device management, choose Onboarding.
Select the appropriate operating system for your servers (e.g., Windows Server 2019 and 2022 or Windows Server 2012 R2 and 2016).
In the Deployment method field, select the desired option (Group policy or Local script).
Select Download package and save the .zip file.
Extract the contents. The package will contain a file named WindowsDefenderATPOnboardingScript.cmd (and potentially an MSI installer for older Server OS versions).

This method is recommended for large environments with Active Directory. It uses the onboarding script in a Scheduled Task configured via GPO.

Create a shared folder on a file server (e.g., \\YourFileServer\DefenderOnboarding).
Copy the extracted contents of the onboarding package, especially the WindowsDefenderATPOnboardingScript.cmd file, to this share.
Ensure Domain Computers have Read and Execute permissions for the script and the folder.

Open the Group Policy Management Console (GPMC).
Right-click the Organizational Unit (OU) containing your servers, and select Create a GPO in this domain, and Link it here… (or create a new GPO in Group Policy Objects and link it later).
Name the GPO (e.g., Defender for Business Server Onboarding).
Right-click the new GPO and select Edit.
Navigate to: Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks.
Right-click Scheduled Tasks and select New > Immediate Task (At least Windows 7).

General Tab:
- Name: Install Defender for Business
- Security options:
  - Change user to NT AUTHORITY\SYSTEM.
  - Select Run whether user is logged on or not.
  - Check Run with highest privileges.
Actions Tab:
- Click New.
- Action: Start a program.
- Program/script: Enter the UNC path to the onboarding script on the network share.
  - Example: \\YourFileServer\DefenderOnboarding\WindowsDefenderATPOnboardingScript.cmd
- Click OK.
Common Tab: (Optional, but recommended for testing/pilot)
- Check Item-level targeting and configure it to apply only to a specific Security Group of pilot servers.

Close the Group Policy Management Editor.
Ensure the GPO is linked to the OU containing your target servers.
Run gpupdate /force on a target server to apply the GPO and initiate the scheduled task.

This method is suitable for individual servers or small groups where GPO or other management tools aren’t preferred.

For Windows Server 2012 R2 or 2016:
- You must first run the installation package (MSI file) downloaded in the onboarding zip.
- Open an elevated Command Prompt and run the command: Msiexec /i md4ws.msi /quiet.
For all supported Server OS:
- Copy the extracted onboarding script, WindowsDefenderATPOnboardingScript.cmd, to a local directory on the server (e.g., C:\Temp).

Open Command Prompt as an administrator.
Navigate to the location of the script and run it:
- Example: C:\Temp\WindowsDefenderATPOnboardingScript.cmd
The script will execute and onboard the device to Microsoft Defender for Business.

After deployment (it may take a few minutes for the GPO/script to run):

Go to the Microsoft Defender portal (https://security.microsoft.com).
In the navigation pane, select Assets > Devices.
Your servers should begin appearing in the device inventory, indicating a successful onboarding.