Microsoft Defender for Endpoint deployment to devices that aren't in a domain or active directory

We recently deployed Defender for Endpoint with Group Policy to the devices within the domain, and we are looking to deploy Defender to devices that aren't in the domain. I know we can use a local script to do it, but is there a way to deploy Defender for Endpoint to devices that aren't company domain joined automatically or easily, without having to go through them one at a time?

7 Replies
Besides the manual onboarding using a script, I don’t see how this would work when a device is not domain joined. There needs to be some mechanism to push or pull the scripts, so in those cases a third party app and/or backend infrastructure may be needed. Would Endpoint Manager/Intune enrollment for such devices be an option?
Hey, thanks for the response, man. They do not have Intune yet but are considering it. Don't the devices have to have Intune to be in the MS Endpoint Manager?
The devices would need to be enrolled into Intune, yes. This is basically built into Windows 10, so technically you don’t need to install anything yourself. When doing an Azure AD Join for such devices they can automatically register for MDM.

WSUS is also not really an option. You’d have to somehow push a package you create. WSUS isn’t built for that.
So to summarize, you would say enrolling the devices into Intune is the best option for the devices not in the domain. Do you mind elaborating on why WSUS is a bad option even though it's not domain based? Again, thanks for the response.
There’s a third party tool called WPP which can be used to publish custom packages using WSUS. So technically, with some extra work, you could potentially do it with WSUS. I’d still recommend against it though. Looking at the future, it’s clear Microsoft has a vision that Endpoint Manager is the tool used for this. It also offers direct integration with Defender for Endpoint, so you can enroll devices and do fancy things.

So if you absolutely must and want to invest time into the WSUS route, then yes, it’s likely possible.
Thank you for the information. I will try to encourage them to use Intune in that case.
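Whichever route is chosen (local onboarding script, Intune enrollment after Azure AD join), the follow-up a practitioner wants is a way to confirm that a non-domain device actually ended up onboarded and enrolled. The script below is an added example, not code from this thread or from Microsoft; it reads the documented onboarding status value, the Sense sensor service and the `dsregcmd /status` output, and assumes an elevated PowerShell session on a Windows 10 or later device.

```powershell
# Added example (not from the original thread): check whether this Windows device
# is onboarded to Defender for Endpoint and whether it is Azure AD joined / MDM-enrolled.
# Assumes Windows 10 or later and an elevated PowerShell session.

function Get-MdeOnboardingStatus {
    # Status location written by the onboarding package; OnboardingState = 1
    # means the Sense client has completed onboarding to a tenant.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
                -ErrorAction SilentlyContinue).OnboardingState

    # "Sense" is the Defender for Endpoint sensor service; it should be Running once onboarded.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # dsregcmd reports Azure AD join state and the MDM enrollment URL that
    # automatic Intune enrollment populates.
    $dsreg     = dsregcmd /status
    $aadJoined = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
    $mdmUrl    = [bool]($dsreg | Select-String -Pattern 'MdmUrl\s*:\s*\S+' -Quiet)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Onboarded     = ($state -eq 1)
        SenseState    = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        AzureAdJoined = $aadJoined
        MdmEnrolled   = $mdmUrl
    }
}

$result = Get-MdeOnboardingStatus
$result | Format-List

# A device that is joined and enrolled but not onboarded points at the Intune
# onboarding policy; one that is neither still needs the local script or enrollment.
if (-not $result.Onboarded -or $result.SenseState -ne 'Running') {
    Write-Warning 'Device is not reporting to Defender for Endpoint; re-run onboarding or check enrollment.'
}
```

Run it remotely with `Invoke-Command` against the non-domain machines you onboarded by script to get one status object per device instead of visiting each console.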