This guide covers a complete Microsoft Defender for Endpoint deployment across five phases — from licensing through onboarding, security policy configuration, incident investigation, and advanced topics. Each section identifies the recommended tool for each task, explains the underlying behaviour, and includes the relevant scripts, KQL queries, and configuration steps.
Every topic follows the same pattern: concept explanation, prerequisites, step-by-step procedure, verification, and common issues. Scripts include inline comments explaining what each line does and why.
This guide covers all current onboarding and policy management paths: Intune (enrolled devices), Security Settings Management (non-enrolled devices via the Defender portal), Defender for Cloud (Azure and Arc-enabled servers), and Group Policy (legacy/hybrid Active Directory environments).
Reference definitions for the key terms and acronyms used throughout this guide.
Confirm licensing, operating system compatibility, network access, and deployment ring strategy before onboarding any devices. Gaps here cause silent onboarding failures — devices that appear to complete the process but never show up in the portal.
MDE is available as Plan 1 (NGAV, ASR, device control) or Plan 2 (adds full EDR, Threat & Vulnerability Management, Automated Investigation, and Live Response). Plan 2 is the standard for enterprise deployments and is included in Microsoft 365 E5.
License bundles that include MDE:
| License Bundle | MDE Plan | EDR | TVM | AIR | Notes |
|---|---|---|---|---|---|
| Microsoft 365 E3 / A3 / F3 | Plan 1 | No | Core only | No | ASR, NGAV, device control included |
| Microsoft 365 E5 / A5 / G5 | Plan 2 | Yes | Full | Yes | Full MDE P2 included |
| MDE Plan 1 (standalone) | Plan 1 | No | No | No | Can add-on to M365 E3 |
| MDE Plan 2 (standalone) | Plan 2 | Yes | Yes | Yes | Can add-on to any M365 |
| Defender for Servers P1 | Plan 1 | No | No | No | For Azure/Arc VMs via MDC |
| Defender for Servers P2 | Plan 2 | Yes | Yes | Yes | Full P2 for servers + file integrity |
Devices running unsupported OS versions may appear to onboard successfully but will not transmit telemetry — a silent gap in coverage. Verify version support for every platform in scope before deploying.
| Platform | Minimum Version | Key Notes |
|---|---|---|
| Windows 10 | Version 1709 (Fall Creators Update, build 16299) — KB4493441 required for version 1709 specifically | Full MDE Plan 2 capabilities |
| Windows 11 | All supported versions | Full MDE Plan 2 capabilities |
| Windows Server 2022 | All builds | Modern unified agent — no MMA needed |
| Windows Server 2019 | All builds | Modern unified agent — no MMA needed |
| Windows Server 2016 | All builds | KB5005292 required for periodic EDR sensor stack updates with the modern unified solution |
| Windows Server 2012 R2 | All builds — sensor version 10.8040.* (March 2022) or higher | Must use the modern unified agent; legacy MMA method is deprecated. Note: OS extended support ended October 2023 — plan migration to a supported OS. |
| macOS | Big Sur (11) or later | Deploy via Intune or JAMF profiles |
| Linux | RHEL 7.2+, Ubuntu 16.04+, SLES 12+ | Manual install or Ansible/Puppet |
| Android | Android 6.0+ | Deploy via Intune MDM/MAM |
| iOS / iPadOS | iOS 14.0+ | Deploy via Intune supervised or unsupervised |
MDE communicates with Microsoft's cloud services over HTTPS (port 443). Blocked URLs result in devices appearing as "inactive" in the portal after onboarding. Verify reachability on every network segment where endpoints live, including VPN-connected remote workers. Microsoft provides two connectivity models — use Streamlined for new deployments.
A single primary endpoint replaces many legacy domain-specific URLs. Supported on Windows 10 1809+, Windows 11, Windows Server 2019+, Linux, and macOS.
# ── Streamlined MDE URLs ── allow outbound on the ports listed ─────────────────
# Core MDE services — ALL telemetry, MAPS, C&C, sample submission
*.endpoint.security.microsoft.com port 443
# Web and network protection
*.smartscreen-prod.microsoft.com port 443
*.smartscreen.microsoft.com port 443
# Security intelligence and antivirus definition updates
go.microsoft.com port 443
definitionupdates.microsoft.com port 443
# Certificate revocation
crl.microsoft.com port 80
www.microsoft.com/pkiops/* port 80
www.microsoft.com/pki/* port 80
# Security Settings Management (SSM) — required if using non-enrolled device management
*.dm.microsoft.com port 443Required for Windows 10 versions prior to 1809, and for any tenant not yet migrated to streamlined. Add these in addition to the SmartScreen and CRL entries above.
# ── Standard MDE URLs — Command and Control (all regions, all platforms) ───────
# Add the group that matches your Microsoft 365 tenant region.
# United States
winatp-gw-cus.microsoft.com
winatp-gw-cus3.microsoft.com
winatp-gw-eus.microsoft.com
winatp-gw-eus3.microsoft.com
# Europe
winatp-gw-neu.microsoft.com
winatp-gw-neu3.microsoft.com
winatp-gw-weu.microsoft.com
winatp-gw-weu3.microsoft.com
# United Kingdom
winatp-gw-uks.microsoft.com
winatp-gw-ukw.microsoft.com
# Australia
winatp-gw-aue.microsoft.com
winatp-gw-aus.microsoft.com
# ── Additional standard connectivity URLs ──────────────────────────────────────
# Threat intelligence feeds
*.blob.core.windows.net port 443
# NOTE: *.ods.opinsights.azure.com and *.oms.opinsights.azure.com are only required
# when onboarding Windows Server 2012 R2 or 2016 using the legacy MMA-based method.
# They are NOT needed for the modern unified solution or any other platform.MDEClientAnalyzer.cmd as Administrator. It produces an HTML report showing exactly which URLs are reachable and which are blocked.
Deploying to a small pilot ring first limits the blast radius of misconfiguration. A policy that locks down every device simultaneously is significantly harder to recover from than one that affects five pilot machines.
Recommended ring structure for a typical enterprise deployment:
| Ring | Size | Who | When to Expand |
|---|---|---|---|
| Ring 0 — Pilot | 5–10 devices | IT team, security team, volunteers | After 72 hours with no critical issues |
| Ring 1 — Early Adopters | 50–200 devices | Power users, tech-savvy staff | After 1 week with no regressions |
| Ring 2 — Broad Deployment | Remaining devices | All users | After Ring 1 is stable |
MDE-Ring0, MDE-Ring1, and MDE-Ring2. Link your MDE onboarding GPO to each OU in sequence. This gives you precise control over which devices receive the onboarding package and when.
Onboarding registers a device with your MDE tenant and activates the SENSE sensor, which begins streaming telemetry to the Defender portal. Until a device is onboarded it is invisible — no alerts, no timeline, no policy enforcement. MDE supports multiple deployment paths; choose based on how your devices are managed.
| Method | Best For | Policy Management After |
|---|---|---|
| Intune (enrolled devices) | Entra ID-joined or hybrid-joined endpoints managed by Intune MDM | Intune Endpoint Security policies or Defender portal (same policies, dual UI) |
| Security Settings Management | Devices onboarded to MDE but not enrolled in Intune (e.g., domain-only, BYOD, Linux, macOS) | Defender portal → Configuration Management → Endpoint Security Policies |
| Defender for Cloud (Defender for Servers) | Azure VMs, Azure Arc-enabled on-premises servers | Defender for Cloud environment settings; MDE policy via Intune or Defender portal |
| Group Policy | Legacy Active Directory environments without Intune or modern management | GPO (registry-based) — not recommended for new deployments |
| Script / local deployment | Pilot testing, one-off machines, non-domain devices | Intune or Defender portal after onboarding |
Intune deploys an EDR (Endpoint Detection and Response) policy to enrolled devices. The policy configures the SENSE service and associates the device with your tenant. No package download is needed — the onboarding blob is embedded in the policy. After onboarding, the same Intune admin center or the Defender portal can manage all endpoint security policies.
Security Settings Management allows MDE-onboarded devices that are not enrolled in Intune to receive Intune endpoint security policies directly from the Defender portal. The device registers a synthetic Entra ID identity on onboarding, checks in with Intune every 90 minutes, and enforces assigned policies — no MDM enrollment required. This covers Windows (domain-joined or standalone), Windows Server, Linux, and macOS.
MDE-Management device tag. This limits the initial scope.deviceOSType (Windows, Windows Server, Linux, macOS) to target policies. Use managementType eq "MicrosoftSense" to target only Security Settings Management devices.managementType eq "MicrosoftSense" filter to scope policies to SSM-managed devices only.
When you enable the Defender for Servers plan in Microsoft Defender for Cloud, MDE integration is enabled by default and the MDE sensor is automatically deployed to supported Azure VMs and Azure Arc-enabled on-premises machines. No manual onboarding package is needed. Defender for Servers Plan 2 provides the full MDE Plan 2 feature set.
mdatp health on each Linux server after the extension deploys. The output should show healthy : true and licensed : true. In the Azure portal, confirm the MDE.Linux extension is present on the VM.
\\dc01\SYSVOL\domain\MDE-Onboarding\MDE-Ring0 OU.gpupdate /force. Onboarding completes in the background; device appears in the portal within 30 minutes.Go to security.microsoft.com → Assets → Devices. Devices appear within 5–20 minutes of onboarding. Devices managed via Security Settings Management show Managed by: MDE; Intune-enrolled devices show Managed by: Intune.
# Confirm the MDE sensor service is running
Get-Service -Name SENSE | Select-Object Name, Status, StartType
# Expected: Status = Running, StartType = Automatic// Devices that have checked in within the last hour
DeviceInfo
| where Timestamp > ago(1h)
| summarize LastSeen = max(Timestamp) by DeviceName, OSPlatform, ManagedBy
| order by LastSeen desc| Symptom | Likely Cause | Fix |
|---|---|---|
| Device not in portal after 1 hour | SENSE not started or network blocked | Check Get-Service SENSE; verify firewall allows required URLs (section 1.3) |
| SENSE service stopped | Onboarding script/policy did not complete | Re-run script as Administrator; check Event Log → Application |
| Device shows as Inactive | Sensor stopped reporting after onboarding | Check internet connectivity and proxy; run MDE Client Analyzer |
| Security Settings Mgmt: device not receiving policies | Enforcement scope not enabled for platform, or device not in scope | Check Settings → Endpoints → Enforcement Scope; verify device tag or "All devices" scope |
| Defender for Cloud: MDE extension not deployed | Defender for Servers plan not enabled, or unified solution not activated for legacy OS | Go to Environment settings → Monitoring coverage → Fix → enable unified solution |
| "Tenant already onboarded" error | Package from a different tenant present | Run offboarding script first, then re-run current tenant's onboarding |
Onboarding gets the sensor installed — but that alone does not give you strong protection. Phase 3 turns on and tunes the actual security controls: cloud protection, attack surface reduction rules, network protection, tamper protection, and device control. The recommended management path is the Defender portal (security.microsoft.com) or the Intune admin center — both surface the same Endpoint Security policy engine. GPO and direct registry are noted where applicable as the legacy alternative.
All protection settings in this phase can be managed from two equivalent interfaces that write to the same underlying policy engine:
| Interface | Path | Best for |
|---|---|---|
| Defender portal | security.microsoft.com → Endpoints → Configuration Management → Endpoint Security Policies | Security team managing policies directly from the SOC workspace |
| Intune admin center | intune.microsoft.com → Endpoint security | IT/endpoint management team or organizations with existing Intune workflows |
Available policy types in both interfaces:
When a file is about to execute, MDE sends its hash to Microsoft's cloud and receives a verdict in milliseconds — before the file can run. This real-time lookup catches novel malware that signature-based antivirus cannot detect. Without cloud protection enabled, MDE is dramatically less effective.
Configure via an Antivirus endpoint security policy:
Run on any onboarded device:
Get-MpComputerStatus | Select-Object `
RealTimeProtectionEnabled, # Should be True
IoavProtectionEnabled, # Should be True (scans downloaded files and email attachments)
AntispywareEnabled, # Should be True
AntivirusEnabled # Should be TrueComputer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → MpEngine. Registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: MAPSReporting = 2 (Advanced MAPS), CloudBlockLevel = 4 (Zero Tolerance — equivalent to High+), CloudExtendedTimeout = 50.
ASR rules block specific attack techniques — for example, blocking Office documents from launching PowerShell, or preventing scripts from executing code downloaded from the internet. Each rule supports three modes: Audit (log only), Warn (notify user and log), or Block (silently block and log). Always start in Audit mode for 7–14 days to catch false positives before switching to Block.
Configure via an Attack surface reduction endpoint security policy:
Read the current rule configuration from a device:
# Returns the rule GUIDs and their corresponding action values
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
# Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = WarnAdd-MpPreference -AttackSurfaceReductionRules_Ids "<GUID>" -AttackSurfaceReductionRules_Actions 2, or via GPO at Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Exploit Guard → Attack Surface Reduction.
Network protection intercepts outbound connections at the kernel level and blocks destinations known to be malicious — phishing sites, C2 servers, malware distribution points. It also forces HTTPS inspection by blocking QUIC/HTTP3, which attackers use to bypass traditional proxies. Configure in Audit mode first, then switch to Enabled after reviewing events.
Network protection is configured in Intune via the Antivirus policy (Microsoft Defender Antivirus profile) or a Device configuration profile — not in the Attack surface reduction policy:
Get-MpPreference | Select-Object EnableNetworkProtection
# 0 = Disabled | 1 = Enabled | 2 = AuditModeTamper protection locks Defender's settings so they can only be changed through the Microsoft cloud portal — not through registry edits, local PowerShell, or third-party software. Even an attacker with SYSTEM privileges cannot disable Defender when tamper protection is active.
Enable from the Defender portal (tamper protection requires the cloud policy — it cannot be fully enforced via local PowerShell or GPO alone):
Get-MpComputerStatus | Select-Object IsTamperProtected — should return True.Device control defines what removable storage devices (USB drives, external drives, phones in file transfer mode) can do on company devices. You can block all removable storage, allow read-only access, or permit only approved devices — preventing both data exfiltration and malware introduction via USB.
Deploy device control via OMA-URI in an Intune configuration profile, or through the Attack surface reduction policy. The policy requires two XML files — one defining device groups, one defining access rules:
<!-- DeviceControlGroups.xml — Define which devices to target -->
<Groups>
<Group Id="{6b2e2ec9-8b73-4f34-a4a8-aeb7b3b0c95d}" Type="Device">
<Name>All Removable Storage</Name>
<MatchType>MatchAny</MatchType>
<DescriptorIdList>
<PrimaryId>RemovableMediaDevices</PrimaryId>
</DescriptorIdList>
</Group>
</Groups><!-- DeviceControlPolicyRules.xml — Define what to DO with matched devices -->
<PolicyRules>
<PolicyRule Id="{c544a991-5786-4402-949e-a032cb790d0e}">
<Name>Block All Removable Storage</Name>
<IncludedIdList>
<GroupId>{6b2e2ec9-8b73-4f34-a4a8-aeb7b3b0c95d}</GroupId>
</IncludedIdList>
<ExcludedIdList/>
<Entry Id="{1ecfde36-1a49-4d11-9ece-e8ee6e4e5b56}">
<Type>Deny</Type>
<AccessMask>63</AccessMask>
<Options>0</Options>
</Entry>
</PolicyRule>
</PolicyRules>Protection prevents most attacks, but no system blocks everything. Phase 4 teaches you how to investigate an incident when one occurs — how to read an alert, how to use Advanced Hunting to trace what happened, and how to contain and remediate a threat using Live Response and isolation. This phase also includes a full ransomware investigation walkthrough.
An alert is MDE's way of telling you it detected suspicious activity. Each alert has a severity (Informational, Low, Medium, High), a MITRE ATT&CK technique mapping (so you know what the attacker was trying to do), a device name, a timestamp, and an evidence tree showing exactly which process did what. Alerts are grouped into incidents when they appear related — multiple alerts from the same attack will be in a single incident so you can see the full picture.
Use this KQL query in Advanced Hunting to get a summary of recent alerts on your environment:
// Summary of all alerts in the past 7 days, grouped by severity
// Run this in: security.microsoft.com → Hunting → Advanced Hunting
AlertInfo
| where Timestamp > ago(7d) // Look at the last 7 days
| summarize AlertCount = count() // Count the number of alerts
by Severity, // Group by severity level (High, Medium, Low)
Category, // Group by attack category (e.g. Malware, Ransomware)
DetectionSource // Which engine generated the alert
| order by case( // Sort so High severity appears at top
Severity == "High", 1,
Severity == "Medium", 2,
Severity == "Low", 3,
4), AlertCount descAdvanced Hunting is a search interface in the Defender portal where you can query up to 30 days of raw security data using KQL. Every file creation, process launch, network connection, registry change, and login attempt on every onboarded device is stored here. This lets you answer questions like "has any device on our network ever connected to this suspicious IP address?" or "which computers ran this malicious file in the last month?"
Here are the most important hunting queries, with each line explained:
// HUNT 1: Find all devices that ran a specific suspicious file hash
// Replace the SHA256 hash below with the hash of the file you are investigating
DeviceFileEvents
| where Timestamp > ago(30d) // Search the last 30 days of data
| where SHA256 == "REPLACE_WITH_FILE_HASH_HERE" // Match this specific file
| project // Show only these columns (cleaner output)
Timestamp, // When the event happened
DeviceName, // Which computer
FileName, // What the file was named
FolderPath, // Where it was located
InitiatingProcessFileName, // What process created or accessed the file
InitiatingProcessCommandLine // The full command line that ran it// HUNT 2: Find PowerShell commands that look suspicious (encoded or download commands)
// Attackers often use -EncodedCommand or download cradles to hide malicious scripts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe") // Match PowerShell (case-insensitive)
| where ProcessCommandLine has_any ( // Look for these suspicious patterns
"-EncodedCommand", // Base64-encoded command — common obfuscation technique
"-enc", // Short form of -EncodedCommand
"IEX", // Invoke-Expression — runs a string as code
"Invoke-Expression", // Same as above, spelled out
"DownloadString", // Downloads content from the internet and runs it
"WebClient" // Creates a web connection — often used to download malware
)
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc// HUNT 3: Network connections to unusual ports or IPs — signs of C2 communication
// Command-and-control (C2) traffic is how malware calls home to the attacker
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess" // Only successful connections
| where RemotePort !in (80, 443, 53, 25, 587, 8080) // Filter out common legitimate ports
| where RemoteIPType != "Private" // Ignore internal network traffic
| summarize // Aggregate to find patterns
ConnectionCount = count(),
Devices = dcount(DeviceName) // How many unique devices connected
by RemoteIP, RemotePort, RemoteUrl
| where ConnectionCount > 5 // Focus on repeated connections
| order by ConnectionCount descWhen you confirm a device is compromised, the first response action is isolation: cutting the device off from all network communication so the attacker cannot issue new commands, exfiltrate data, or spread to other machines. An isolated device retains its connection to the MDE cloud portal only — so you can still investigate it and send Live Response commands — but it is completely cut off from the corporate network, the internet, and other devices.
Isolate a device via the Defender portal OR via the REST API (useful for automation):
# Isolate a device using the Microsoft Defender for Endpoint REST API
# Use this in a SOAR playbook or when you need to isolate many devices at once
# Step 1: Get an authentication token from Microsoft Entra ID
# Replace the values below with your actual tenant and app registration details
$TenantId = "YOUR-TENANT-ID" # Your Microsoft 365 tenant ID (GUID)
$ClientId = "YOUR-APP-CLIENT-ID" # App registration client ID from Entra ID
$ClientSecret = "YOUR-CLIENT-SECRET" # Client secret from the app registration
# Request an OAuth2 token from Microsoft identity platform
$TokenResponse = Invoke-RestMethod `
-Method POST `
-Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
-Body @{
client_id = $ClientId
client_secret = $ClientSecret
scope = "https://api.securitycenter.microsoft.com/.default"
grant_type = "client_credentials" # Machine-to-machine auth (no user login)
}
$AccessToken = $TokenResponse.access_token # Extract the bearer token
# Step 2: Send the isolation request for the target device
$DeviceId = "DEVICE_ID_FROM_MDE_PORTAL" # Find this in: Assets → Devices → click device
Invoke-RestMethod `
-Method POST `
-Uri "https://api.securitycenter.microsoft.com/api/machines/$DeviceId/isolate" `
-Headers @{ Authorization = "Bearer $AccessToken"; "Content-Type" = "application/json" } `
-Body (@{
Comment = "Isolating suspected ransomware infection - incident 1234" # Required field
IsolationType = "Full" # Full = all traffic blocked except MDE portal
# Selective = allows Outlook and Microsoft Teams through
} | ConvertTo-Json)
Write-Host "Isolation request sent. Device will appear as Isolated in the portal within 2 minutes."Ransomware typically follows a predictable pattern: initial access (phishing or exploit), privilege escalation, credential theft, lateral movement to spread across the network, and finally the encryption payload. MDE detects activity at each stage. The queries below let you reconstruct the full attack timeline from the telemetry MDE collected.
// RANSOMWARE HUNT: Find mass file encryption activity
// Ransomware renames or overwrites thousands of files very quickly
// This query looks for processes that modified an unusually high number of files
DeviceFileEvents
| where Timestamp > ago(1h) // Focus on the last hour (active incident)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| summarize
FilesModified = count(), // Total files touched
UniqueExtensions = dcount(FileName), // How many different file types
SampleFiles = make_set(FileName, 5) // Show up to 5 example file names
by DeviceName, InitiatingProcessFileName, InitiatingProcessId
| where FilesModified > 100 // Flag processes that touched 100+ files
| order by FilesModified desc// RANSOMWARE HUNT: Look for shadow copy deletion (a ransomware signature)
// Ransomware deletes backup copies (shadow copies) to prevent recovery
// vssadmin.exe delete shadows is the most common command used
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
"vssadmin delete shadows", // Most common shadow copy deletion command
"wmic shadowcopy delete", // Alternative WMI-based method
"bcdedit /set recoveryenabled no", // Disables Windows Recovery
"wbadmin delete catalog" // Deletes Windows backup catalog
)
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| order by Timestamp descLive Response gives you a command-line session on any onboarded device, even if the device is isolated and the user is not logged in. You can browse files, download forensic evidence, run scripts, kill processes, and remove malware — all without physically touching the machine. This is essential for incident response when the affected device is in a remote office or a datacenter.
To start a Live Response session: go to security.microsoft.com → Assets → Devices → click the device → Initiate Live Response Session. Then use these commands:
# Common Live Response commands
# These are run inside the Live Response terminal in the Defender portal
# List running processes — look for suspicious process names or unsigned binaries
processes
# List files in a directory
dir C:\Users\Public\
# Download a suspicious file for analysis (saves to your portal Files library)
getfile "C:\Users\Public\suspicious.exe"
# Run a script from your portal library on the remote device
run ForensicCollect.ps1
# Remove a malicious file from the device (use -auto to skip confirmation)
remediate file "C:\ProgramData\malware.exe" -autoMost organisations already have an antivirus product installed before deploying MDE. This phase explains how to handle that transition safely — and covers advanced topics including RBAC setup, automated investigation, and continuous vulnerability management.
When a third-party antivirus (like CrowdStrike, Symantec, or Sophos) is installed, Windows automatically puts Microsoft Defender Antivirus into Passive Mode. In passive mode, Defender does not scan files or block threats — but it still collects EDR telemetry. This is intentional: you get the investigation data without the two antivirus engines conflicting. The danger is that some teams disable Defender entirely rather than leaving it in passive mode, which eliminates the EDR visibility entirely.
| Defender Mode | Real-time Scanning | EDR Telemetry | When to Use |
|---|---|---|---|
| Active | Yes | Yes | MDE is the only AV — no third-party AV installed |
| Passive | No | Yes | Third-party AV installed — Defender provides EDR only |
| EDR Block Mode | No (reactive only) | Yes | Third-party AV installed but you still want Defender to block detected threats |
| Disabled | No | No | Never — this removes all protection and visibility |
# Check current Microsoft Defender operating mode
Get-MpComputerStatus | Select-Object AMRunningMode
# Possible values:
# Normal = Active mode (Defender is the primary AV)
# Passive = Passive mode (third-party AV detected)
# EDR Block = EDR Block mode (enabled manually)
# SxS Passive = Side-by-side passive (limited periodic scanning mode)
# Enable EDR Block mode when a third-party AV is installed
# This allows Defender to block threats it detects even in passive mode
# Note: third-party AV must still be the primary real-time scanner
Set-MpPreference -ForceDefenderPassiveMode $false # Must be false for EDR Block to work
# Then enable EDR Block via registry:
Set-ItemProperty `
-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" `
-Name "ForceDefenderPassiveMode" `
-Value 0 # 0 = allow EDR Block mode; 1 = force passive (no blocking)RBAC controls which analysts can see which alerts and take which actions. Without RBAC configured, every person with portal access can see everything and take any action — including isolating devices or deleting investigations. Proper RBAC means a Tier 1 analyst can view and triage alerts, a Tier 2 analyst can run Live Response and isolate devices, and only security administrators can change global settings.
| Role | View Alerts | Manage Alerts | Live Response | Isolate Devices | Change Settings |
|---|---|---|---|---|---|
| Tier 1 Analyst (Read-only) | Yes | No | No | No | No |
| Tier 2 Analyst | Yes | Yes | Yes (basic) | Yes | No |
| Tier 3 / Threat Hunter | Yes | Yes | Yes (advanced) | Yes | No |
| Security Administrator | Yes | Yes | Yes (advanced) | Yes | Yes |
Create custom roles in the portal: go to Settings → Endpoints → Roles → Add item. Assign roles to Entra ID security groups for easy management.
AIR is MDE's built-in automation engine. When an alert fires, AIR automatically investigates: it collects process trees, file data, network connections, and registry changes, then uses AI to determine if the activity is malicious. If it is confident, it automatically removes the threat (deletes files, kills processes, reverses registry changes). This can resolve incidents in minutes that would otherwise take an analyst hours to investigate. Requires MDE Plan 2.
| Automation Level | What it Does | When to Use |
|---|---|---|
| No automated response | Investigations run; no remediation actions taken | Initial testing phase |
| Semi — require approval for any remediation | Proposes all remediation actions; analyst must approve each | During transition; cautious environments |
| Semi — require approval for core folders remediation | Auto-remediates outside core OS folders; approval required for system/program files directories | Organisations with mature alert triage |
| Semi — require approval for non-temp folders remediation | Auto-remediates files in temp folders; approval required for all other locations | Most enterprises (recommended starting point) |
| Full — remediate threats automatically | Automatically remediates all confirmed threats without human approval | Mature SOCs with high confidence in MDE verdicts |
Set the automation level in the portal: Settings → Endpoints → Device groups → Edit device group → Automation level. Start with "Semi — require approval for all remediations" and move to Full automation after you have observed AIR's decisions for 4–8 weeks.
TVM continuously scans every onboarded device for missing patches, weak configurations, and known vulnerable software. Unlike traditional vulnerability scanners that run weekly scans, TVM uses the MDE sensor (which is already on every device) to provide real-time visibility. It prioritises vulnerabilities by combining the CVSS score with real-world data about whether attackers are actively exploiting the vulnerability — so you focus on what actually matters.
// Find the top 10 most critical vulnerabilities across your estate
// Prioritised by exploit availability and device exposure
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical" // Only Critical CVEs
| summarize
ExposedDevices = dcount(DeviceId), // How many devices are affected
DeviceList = make_set(DeviceName, 5) // Sample affected device names
by CveId, // Group by CVE identifier
SoftwareName, // What software has the vulnerability
SoftwareVersion, // Specific version
RecommendedSecurityUpdate // What patch fixes it
| order by ExposedDevices desc // Prioritise by most affected devices
| take 10 // Show top 10Use this checklist to track your deployment progress. Work through each phase in order — each item corresponds to a section in this guide.
| Phase | Item | Section |
|---|---|---|
| Phase 1 | Confirmed MDE Plan 2 license is assigned to the tenant | 1.1 |
| Phase 1 | Verified all target OS versions are supported | 1.2 |
| Phase 1 | All required URLs are whitelisted in firewall/proxy | 1.3 |
| Phase 1 | MDE Client Analyzer run on pilot machine — all URLs reachable | 1.3 |
| Phase 1 | Deployment rings defined and AD OUs created | 1.4 |
| Phase 2 | Onboarding package downloaded from portal | 2.2 |
| Phase 2 | GPO created and linked to Ring 0 OU | 2.3 |
| Phase 2 | SENSE service confirmed running on Ring 0 devices | 2.4 |
| Phase 2 | Ring 0 devices visible in Defender portal | 2.4 |
| Phase 2 | GPO expanded to Ring 1 and Ring 2 | 2.3 |
| Phase 3 | Cloud protection (MAPS) enabled — CloudBlockLevel 6 | 3.1 |
| Phase 3 | ASR rules deployed in Audit mode | 3.2 |
| Phase 3 | ASR audit findings reviewed; rules promoted to Block | 3.2 |
| Phase 3 | Network protection enabled in Audit, then Block | 3.3 |
| Phase 3 | QUIC blocking firewall rule applied | 3.3 |
| Phase 3 | Tamper protection enabled from portal | 3.4 |
| Phase 3 | Device control policies deployed and tested | 3.5 |
| Phase 4 | Advanced Hunting baseline queries saved | 4.2 |
| Phase 4 | Incident response runbook tested (tabletop exercise) | 4.4 |
| Phase 5 | AV coexistence mode verified (Passive or EDR Block if needed) | 5.1 |
| Phase 5 | RBAC roles created and analyst accounts assigned | 5.2 |
| Phase 5 | AIR automation level configured | 5.3 |
| Phase 5 | TVM baseline exposure score reviewed | 5.4 |