Microsoft Defender for Endpoint

Industry-leading endpoint detection and response for all platforms

What is MDE?

Microsoft Defender for Endpoint (MDE) is an enterprise endpoint security platform designed to help networks prevent, detect, investigate, and respond to advanced threats. It provides next-generation protection, endpoint detection and response (EDR), automated investigation, and threat & vulnerability management across Windows, macOS, Linux, Android, and iOS.

Core Capabilities

Advanced Hunting with KQL

Use Kusto Query Language (KQL) to proactively search for threats across endpoint telemetry, process events, network connections, and file activities.

// Find suspicious PowerShell execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "bypass", "hidden", "downloadstring")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
| take 50

// Detect lateral movement attempts
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (445, 135, 5985, 5986)
| where ActionType == "ConnectionSuccess"
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName
| where TargetDevices > 5
| order by TargetDevices desc

Defender for Endpoint Labs

Real-world endpoint security labs: onboard devices, configure protection policies, investigate attacks, and master the MDE platform end-to-end.

MDE Scripts

Ready-to-run PowerShell scripts for lab simulations.

  • Invoke-MDEDetectionTest.ps1 (Level: Beginner; Parameters: none): 5-test detection validation covering sensor check, EICAR, network protection, and encoded PowerShell.
  • Invoke-RansomwareSimulation.ps1 (Level: Advanced; Parameters: -CleanupOnly): 6-phase safe ransomware simulation with staging, credential access, and data collection.

MDE Resources

Defender for Endpoint FAQ

What licensing is required for MDE?

MDE is available in two plans with different capability sets:

  • MDE Plan 1 (included in M365 E3): Next-generation antimalware, attack surface reduction rules, device control, and centralised management via the Defender portal
  • MDE Plan 2 (included in M365 E5 / E5 Security): Everything in P1 plus endpoint detection and response (EDR), automated investigation, advanced hunting, threat analytics, Microsoft Threat Experts, and live response for remote remediation
  • Standalone licensing: MDE P2 can be purchased as a standalone licence for organisations not on Microsoft 365
  • Server licensing: Windows Server protection requires either Microsoft Defender for Servers (via Defender for Cloud) or standalone MDE server licences

For full investigation and response capabilities, Plan 2 is required. Plan 1 provides strong prevention but limited post-breach visibility.

Which operating systems does MDE support?

MDE provides cross-platform protection across all major operating systems:

  • Windows: Windows 10, Windows 11, and Windows Server 2012 R2, 2016, 2019, 2022, and 2025. The unified agent is required for Server 2012 R2 and 2016.
  • macOS: macOS 12 (Monterey) and later. Deployed via Intune, JAMF, or manual installation. Supports real-time protection, EDR, and network protection.
  • Linux: RHEL 7.2+, CentOS 7.2+, Ubuntu 16.04+, Debian 9+, SLES 12+, Oracle Linux 7.2+, Amazon Linux 2, and Fedora 33+. Supports auditd-based monitoring and EDR.
  • Mobile: Android 8.0+ and iOS 15.0+ via Microsoft Defender app (Intune MAM/MDM required). Provides web protection, phishing detection, and vulnerability assessment.

All platforms report into the single Defender portal at security.microsoft.com with unified alerting, device inventory, and threat analytics.

What is the difference between EDR and next-gen protection?

These are complementary capabilities that address different phases of the attack lifecycle:

  • Next-gen protection (prevention): Real-time antimalware that blocks threats before they execute. Includes cloud-delivered protection (checking file reputation in real time), behaviour monitoring (detecting suspicious process activity), and exploit protection (blocking memory manipulation techniques). This is your first line of defence.
  • EDR (detection and response): Provides post-breach visibility when threats bypass prevention. EDR continuously records endpoint telemetry (process creation, file modifications, network connections, registry changes) and uses behavioural analytics to detect suspicious patterns. Key capabilities include device timeline investigation, process tree analysis, live response for remote forensics, and automated investigation and remediation.

In a properly secured environment, next-gen protection stops ~99% of threats. EDR catches the 1% that evade prevention and provides the investigation tools to understand what happened, how far it spread, and how to contain it.

How do Attack Surface Reduction (ASR) rules work?

ASR rules are a set of configurable security controls that block specific behaviours commonly exploited by malware and attackers. Each rule targets a specific attack technique:

  • Office-based attacks: Block executable content from Office macros, block Office apps from creating child processes, block Win32 API calls from Office macros
  • Script-based attacks: Block obfuscated scripts, block JavaScript/VBScript launching downloaded content
  • Credential theft: Block credential stealing from LSASS (the Windows process that stores login credentials in memory)
  • Email threats: Block executable content from email clients, block executable files from running unless they meet prevalence/age criteria
  • Ransomware: Use advanced protection against ransomware (monitors for ransomware-like behaviour patterns)

Deployment strategy: Always deploy in Audit mode first (logs what would be blocked without enforcing). Run for 2–4 weeks, review the audit logs to identify legitimate applications that would be affected, create exclusions, then switch to Block mode.

ASR rules are configured via Intune, Group Policy, or PowerShell and report results in the Defender portal's ASR report.
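
The audit-first rollout described above, as an added PowerShell example (not code from this page or from Microsoft) for a single device using the built-in Defender cmdlets. The rule GUIDs are the published ASR rule IDs and should be checked against the ASR rules reference; the audit-event field names (ID, Path, Process Name) are assumed from the Event ID 1122 schema, and the exclusion path is constructed.

```powershell
# Added example: staged ASR rollout (audit -> review -> exclude -> enforce) on one device.
# Rule GUIDs are the published ASR rule IDs; verify against the ASR rules reference first.
$AsrRules = @{
    'Block credential stealing from LSASS'                        = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block all Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block execution of potentially obfuscated scripts'           = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $RuleIds,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')] [string] $Mode
    )
    # Add-MpPreference updates only the listed rules; one action entry per rule ID, other rules are untouched.
    $actions = @($RuleIds | ForEach-Object { $Mode })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrAuditSummary {
    param([int] $Days = 14)
    # Event 1122 = rule matched in audit mode (1121 = blocked in enforce mode).
    # EventData field names (ID, Path, Process Name) are assumed from the 1122 event schema.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml] $_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{ RuleId = $data['ID']; Path = $data['Path']; Process = $data['Process Name'] }
    } |
        Group-Object RuleId, Path |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'RuleId'; e = { $_.Group[0].RuleId } }, @{ n = 'Path'; e = { $_.Group[0].Path } }
}

# Step 1: stage every rule in audit mode.
Set-AsrRuleMode -RuleIds @($AsrRules.Values) -Mode AuditMode

# Step 2: after the 2-4 week audit window, list which rule would have hit which binary, most frequent first.
Get-AsrAuditSummary -Days 28 | Format-Table -AutoSize

# Step 3: exclude the legitimate hits found in step 2 (constructed path), then switch to enforcement.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\LegacyVendor\legacyagent.exe'
Set-AsrRuleMode -RuleIds @($AsrRules.Values) -Mode Enabled
# Confirm the result: action codes are 1 = Block, 2 = Audit, 6 = Warn, 0 = Disabled.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Run elevated on a device that is already onboarded, and keep the audit review output: it is the evidence for each exclusion you add.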

Can MDE integrate with non-Microsoft security tools?

Yes. MDE provides extensive integration options for heterogeneous security environments:

  • SIEM integration: Native connector for Microsoft Sentinel. For third-party SIEMs (Splunk, QRadar, ArcSight), use the Streaming API to forward raw events or the Defender API for alert/incident data.
  • SOAR platforms: REST API supports integration with Palo Alto XSOAR, Swimlane, ServiceNow SecOps, and other SOAR platforms for automated response workflows
  • Threat intelligence: Import custom IOCs (file hashes, IPs, domains, URLs, certificates) via API or the portal. Integrate with MISP, ThreatConnect, or any TI platform via TAXII/STIX.
  • Ticketing systems: API-driven integration with ServiceNow, Jira, and other ITSM platforms for alert-to-ticket workflows
  • Network security: Integrate with network firewalls and web proxies to block IOCs at the network perimeter based on MDE detections

The MDE API provides full programmatic access to devices, alerts, investigations, machine actions, and advanced hunting, enabling any custom integration.
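
The threat-intelligence and API integration points above, as an added PowerShell example (not code from this page or from Microsoft): it pushes a file-hash indicator into MDE through the indicators endpoint and then runs a retro-hunt through the advanced hunting endpoint. Tenant ID, app registration and secret are placeholders; the sample hash is the public EICAR test-file SHA-256, and the app is assumed to hold the Ti.ReadWrite and AdvancedQuery.Read application permissions.

```powershell
# Added example: custom IOC import plus retro-hunt over the MDE REST API.
# Placeholders below must be replaced with the tenant and app registration you created for the integration.
$TenantId     = '<tenant-id>'
$ClientId     = '<app-client-id>'
$ClientSecret = '<app-client-secret>'
$MdeApi       = 'https://api.securitycenter.microsoft.com'

function Get-MdeToken {
    # Client-credentials grant on the v1 token endpoint; the resource is the MDE API itself.
    $body = @{
        resource      = $MdeApi
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body).access_token
}

function Invoke-MdeApi {
    param([string] $Method, [string] $Path, [hashtable] $Body)
    $params = @{ Method = $Method; Uri = "$MdeApi/api/$Path"; Headers = @{ Authorization = "Bearer $(Get-MdeToken)" } }
    if ($Body) { $params.ContentType = 'application/json'; $params.Body = ($Body | ConvertTo-Json) }
    Invoke-RestMethod @params
}

function Add-MdeFileIndicator {
    param(
        [Parameter(Mandatory)] [string] $Sha256,
        [Parameter(Mandatory)] [string] $Title,
        [ValidateSet('Alert', 'Warn', 'Block', 'Audit', 'BlockAndRemediate')] [string] $Action = 'Alert'
    )
    # Start a new feed in Alert; promote to Block only after the false-positive rate is known.
    Invoke-MdeApi -Method Post -Path 'indicators' -Body @{
        indicatorValue     = $Sha256
        indicatorType      = 'FileSha256'
        action             = $Action
        title              = $Title
        severity           = 'High'
        description        = 'Imported from external TI platform'
        recommendedActions = 'Review the device timeline and collect an investigation package'
    }
}

# Public EICAR test-file SHA-256 as a safe sample value; a real TI feed supplies its own hashes.
$hash = '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'
Add-MdeFileIndicator -Sha256 $hash -Title 'TI feed: EICAR test file' -Action Alert
# Retro-hunt: has this hash already been seen on any onboarded device in the last 30 days?
$query = "DeviceFileEvents | where Timestamp > ago(30d) | where SHA256 == '$hash' | project Timestamp, DeviceName, FolderPath, FileName | take 50"
(Invoke-MdeApi -Method Post -Path 'advancedqueries/run' -Body @{ Query = $query }).Results | Format-Table -AutoSize
```

The same Invoke-MdeApi wrapper reaches the alerts, machines and machineactions endpoints, which is the basis for the SIEM, SOAR and ticketing integrations listed above.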