Microsoft Defender for Business
Defender for Business is the SMB-targeted EDR product bundled with Microsoft 365 Business Premium.
Microsoft Defender for Business (MDB) is the small-to-mid-business (SMB) flavour of Microsoft Defender for Endpoint, designed to be simpler to deploy and operate while still providing genuine endpoint detection and response (EDR). It's bundled with Microsoft 365 Business Premium and sold standalone for tenants under 300 seats.
What MDB provides
MDB covers the same core endpoint protection capabilities as Defender for Endpoint:
- Microsoft Defender Antivirus with cloud-delivered protection.
- Endpoint Detection and Response — behavioural detections, alerts, automated investigation.
- Attack Surface Reduction (ASR) rules with simplified configuration.
- Web protection — URL filtering and SmartScreen.
- Network protection.
- Device control — USB and removable media.
- Tamper protection.
- Automated investigation and response — alerts triaged and (where appropriate) remediated automatically.
It supports the same platforms as Defender for Endpoint: Windows 10/11, macOS, iOS, Android, and Windows Server (via the related Defender for Business Servers SKU).
What MDB doesn't include
Compared to Defender for Endpoint Plan 2, MDB lacks:
- Advanced hunting with full KQL.
- Custom detection rules.
- Vulnerability management (TVM) — full version is in Plan 2.
- Live Response for remote shell into endpoints.
- Integration with Microsoft Sentinel at the same fidelity.
- Cross-tenant management for MSP scenarios (use Lighthouse + Plan 2 for that).
For SMBs, these omissions are usually fine. For organisations needing the full EDR analyst surface, step up to Defender for Endpoint Plan 2.
Simplified configuration
A specific design choice in MDB is opinionated defaults:
- Pre-configured security policies that work out of the box.
- Simpler UI for the admin who isn't a full security analyst.
- Reduced configurability — less to get wrong.
The result: a small business can deploy MDB in hours, get genuine endpoint protection, and not need a full-time security person to operate it. Microsoft has clearly designed the SMB experience around "good defaults" rather than "everything configurable."
Integration with Microsoft 365 Business Premium
For Microsoft 365 Business Premium customers, MDB integrates with the rest of the bundle:
- Conditional Access — MDB device risk feeds CA policies.
- Intune — MDB onboarding via Intune for managed Windows / Mac.
- Microsoft Defender for Office 365 (Plan 1 included) — email-side protection correlates with endpoint alerts.
- Microsoft Defender XDR — unified incident view across endpoint and email signals.
It's a coherent SMB security stack.
Deployment
Onboarding endpoints to MDB:
- Windows via Intune — Configuration Manager-style deployment without the on-prem infrastructure.
- Windows via group policy or local script — for non-Intune scenarios.
- macOS via Intune or local install.
- iOS / Android via Intune.
Each onboarded device appears in the Defender portal at security.microsoft.com.
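After onboarding, the protections listed under "What MDB provides" can be spot-checked on a Windows endpoint itself. The script below is an added example, not part of the original page or Microsoft's tooling; it uses the built-in `Get-MpComputerStatus` and `Get-MpPreference` cmdlets, and the function name and the pass criteria in the `Ok` column are assumptions of this example.

```powershell
# Added example: local spot-check of Defender settings on Windows 10/11.
# Run in an elevated PowerShell session. Get-DefenderBaselineReport is a
# hypothetical helper name; the Ok criteria are this example's assumptions.
function Get-DefenderBaselineReport {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced.
    # Cloud-delivered protection needs a non-zero value.
    $cloudOn = [int]$pref.MAPSReporting -ne 0

    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit.
    $netProt = switch ([int]$pref.EnableNetworkProtection) {
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Disabled' }
    }

    # ASR rule actions are $null when no rules are configured, so filter
    # nulls before counting. Action 1 = block.
    $asrActions = @($pref.AttackSurfaceReductionRules_Actions |
                    Where-Object { $null -ne $_ })
    $asrBlock   = @($asrActions | Where-Object { [int]$_ -eq 1 }).Count

    [pscustomobject]@{ Capability = 'Defender Antivirus running'
                       Value = $status.AntivirusEnabled
                       Ok    = [bool]$status.AntivirusEnabled }
    [pscustomobject]@{ Capability = 'Real-time protection'
                       Value = $status.RealTimeProtectionEnabled
                       Ok    = [bool]$status.RealTimeProtectionEnabled }
    [pscustomobject]@{ Capability = 'Cloud-delivered protection'
                       Value = "MAPSReporting=$([int]$pref.MAPSReporting)"
                       Ok    = $cloudOn }
    [pscustomobject]@{ Capability = 'Tamper protection'
                       Value = $status.IsTamperProtected
                       Ok    = [bool]$status.IsTamperProtected }
    [pscustomobject]@{ Capability = 'Network protection'
                       Value = $netProt
                       Ok    = $netProt -eq 'Block' }
    [pscustomobject]@{ Capability = 'ASR rules in block mode'
                       Value = "$asrBlock of $($asrActions.Count) configured"
                       Ok    = $asrBlock -gt 0 }
}

Get-DefenderBaselineReport | Format-Table Capability, Value, Ok -AutoSize
```

A row with `Ok = False` shows where the device's effective settings differ from what this example expects; it does not by itself mean the device failed to onboard.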
When MDB is right
- Organisations under 300 seats — the upper limit for MDB licensing.
- Companies on Microsoft 365 Business Premium — already included.
- Limited security operations — defaults work, no analyst team needed.
- First serious endpoint security investment — for organisations graduating from consumer-grade AV.
When to step up
Step up to Defender for Endpoint Plan 2 when:
- Seat count grows beyond 300.
- You hire a SOC and want advanced hunting and custom detections.
- You need deeper TVM (vulnerability management).
- You want Sentinel integration at full fidelity.
For SMBs, MDB is one of the most underrated parts of Microsoft 365 Business Premium. The product is mature, the operational burden is low, and the protection is genuinely strong — significantly better than most third-party consumer AV in this market segment.