
Microsoft Defender for Endpoint explained

Defender for Endpoint is Microsoft's EDR/XDR platform for laptops, servers, and mobile. Here's what it does.

Microsoft Defender for Endpoint (MDE) is Microsoft's endpoint detection and response (EDR) platform, layered with attack surface reduction, threat and vulnerability management, and (on the right plans) advanced hunting. It runs on Windows, macOS, Linux, iOS, and Android, with a single cloud-managed console.

What MDE does

  • Antivirus and antimalware via Microsoft Defender Antivirus (the built-in Windows AV).
  • Endpoint detection and response — behavioural detections, alerts, automated investigation.
  • Threat and Vulnerability Management (TVM) — software inventory, vulnerability findings (CVE), and recommendations prioritised by exposure.
  • Attack Surface Reduction (ASR) rules — granular policies that block common attack techniques (macro abuse, credential theft, lateral movement scripts).
  • Web protection — URL filtering and Microsoft Defender SmartScreen integration.
  • Network protection — block connections to malicious IPs and domains.
  • Device control — control USB devices and removable media.
  • Tamper protection — prevent attackers from disabling defences.
  • Live Response — remote shell into a compromised endpoint for investigation.

Plans

  • MDE Plan 1 — protection only: antivirus, ASR rules, web/network protection, device control.
  • MDE Plan 2 — adds full EDR, TVM, advanced hunting, Live Response, and automated investigation and response (AIR).
  • MDE for Servers — covers Windows Server and Linux workloads; integrates with Defender for Cloud for Azure-hosted workloads.
  • MDE for Business — the SMB-targeted SKU bundled with Microsoft 365 Business Premium.

Plan 2 is included with Microsoft 365 E5, Microsoft 365 E5 Security, and as a standalone SKU.

Onboarding

Devices are onboarded to MDE through one of several methods:

  • Intune for managed Windows, Mac, iOS, Android.
  • Group Policy or Configuration Manager for traditional Windows fleets.
  • Local script for one-offs.
  • Defender for Cloud auto-provisioning for Azure VMs.

Once onboarded, the device appears in the Defender XDR portal at security.microsoft.com.

Integration with the rest of Defender

MDE's real power emerges when it feeds Microsoft Defender XDR. Alerts from MDE correlate with Defender for Office 365 (phishing detection), Defender for Identity (lateral movement on AD), and Defender for Cloud Apps (anomalous SaaS access) into unified incidents. AIR can automatically isolate a device, soft-delete malicious emails, and disable the compromised user — all from one investigation.

What good looks like

  • Every Windows, Mac and Linux endpoint onboarded.
  • ASR rules deployed in audit mode first, then switched to block mode once the audit events confirm a rule is safe for the estate.
  • Tamper protection on, with monitoring for any device that turns it off.
  • TVM remediation findings driving the patching backlog.
  • Conditional Access using device compliance to gate cloud apps.
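A worked version of the audit-then-block ASR rollout and the tamper-protection check from the list above, written as an added PowerShell example (not code from the article or from Microsoft). It assumes the Defender Antivirus cmdlets are present on the device, that the two rule GUIDs are Microsoft's published IDs for the named rules (verify against the ASR rules reference), and that the rule GUID is the only GUID in an Event ID 1122 message.

```powershell
# Added example: run with -Phase Audit on day 0, then -Phase Promote after the soak period.
param([ValidateSet('Audit', 'Promote')][string]$Phase = 'Audit')
# Assumed to be Microsoft's published rule IDs for these two rules; verify before use.
$Rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
# Step 1: put the rules in audit mode. Add-MpPreference updates one rule at a time;
# Set-MpPreference would replace the whole rule list, so it is avoided here.
function Start-AsrAudit {
    param([string[]]$RuleIds)
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}
# Step 2: count audit events (Event ID 1122 in the Defender operational log) per rule GUID.
# Assumption: the rule GUID is the only GUID in the 1122 event message.
function Get-AsrAuditHits {
    param([int]$Days = 14)
    $guid = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122
                 StartTime = (Get-Date).AddDays(-$Days) }
    $hits = @{}
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = [regex]::Match($_.Message, $guid)
        if ($m.Success) { $hits[$m.Value] = 1 + [int]$hits[$m.Value] }
    }
    return $hits
}
# Step 3: promote rules with zero audit hits to block; keep noisy rules in audit pending review.
function Set-AsrBlockWhereQuiet {
    param([hashtable]$Rules, [hashtable]$Hits)
    foreach ($id in $Rules.Keys) {
        $n = [int]$Hits[$id]   # missing key yields $null, which casts to 0
        if ($n -eq 0) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
            Write-Output "BLOCK  $($Rules[$id])"
        } else {
            Write-Output "AUDIT  $($Rules[$id])  ($n audit events in soak window; review first)"
        }
    }
}
switch ($Phase) {
    'Audit'   { Start-AsrAudit -RuleIds @($Rules.Keys) }
    'Promote' { Set-AsrBlockWhereQuiet -Rules $Rules -Hits (Get-AsrAuditHits -Days 14) }
}
# Tamper protection is managed from the Defender portal or Intune; here we only alert if it is off.
if (-not (Get-MpComputerStatus).IsTamperProtected) { Write-Warning 'Tamper protection is OFF on this device' }
```

The promote phase only reads events from the local device; at fleet scale the same 1122 counts would come from advanced hunting or the Defender portal's ASR report instead.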

MDE is one of the strongest EDR products on the market and the natural choice for Microsoft 365 customers — no extra agent, integrated identity, unified telemetry.