Microsoft Defender for Endpoint is an endpoint security platform designed to help customers prevent, detect, investigate, and respond to advanced threats. Microsoft Defender for Endpoint contains many components, licensing differences, and additional protection layers. Some years ago Defender for Endpoint was only available for Windows. Nowadays, the complete Defender for Endpoint stack covers macOS, Android, iOS, Linux, and Windows. Unmanaged network devices are now also part of the product. With the announcement of the new unified agent, more features are available across all versions, including Server 2012R2, Server 2016, and higher.

Introduction blog series

This ultimate blog series will contain as much information as possible based on my Defender experience in the past years. Not a copy of Microsoft Docs, but an addition based on practical experience combined with informational details, including the most frequent questions asked by customers, focusing on the complete Windows platform. When it is a success, other platforms like iOS, Android, Linux, and macOS will follow.

Have a specific question or content idea about Defender for Endpoint? Use the contact submission form and share your post ideas.

Defender for Endpoint leverages endpoint behavioral sensors that are built into Windows 10, Windows 11, and Server 2019+ to collect and process behavioral signals from the OS. For other OS versions, all the technical information will be explained in the blog series.

Defender for Endpoint also leverages cloud security analytics to turn behavioral signals into insights, detections, and responses.

Defender products

Microsoft Defender for Endpoint is available in two purchase options. P1 is the foundation set of capabilities, focusing on the prevention area. Microsoft Defender for Endpoint P2 offers the complete set of capabilities, including endpoint detection and response (EDR), automated investigation and remediation (AIR), incident response, and Threat and Vulnerability Management (TVM). More information: Compare Defender for Endpoint Plans (Microsoft Docs).

Microsoft Defender for Endpoint is part of the Microsoft 365 Defender suite of products and shares a lot of its infrastructure, data schemas, and user experience. More detailed information will be explained in the first part.

Defender for Endpoint directly integrates with various Microsoft solutions, including:

  • Microsoft Defender for Cloud
  • Microsoft Sentinel
  • Intune / Microsoft Endpoint Manager
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Identity
  • Microsoft Defender for Office
  • And more….

Defender for Endpoint and related components

Microsoft Defender for Endpoint is part of the Microsoft 365 Defender suite of products. Defender for Endpoint contains a couple of major components, including:

  • Asset discovery
  • Threat & Vulnerability Management (TVM)
  • Attack Surface Reduction (ASR)
  • Next-Generation Protection (NGP)
  • Endpoint Detection & Response (EDR)
  • Automated self-healing / Automated investigation and remediation (AIR)
  • Microsoft Threat Experts

Defender for Endpoint includes many components that can be used to expand the overall security posture. Next-generation protection and Attack Surface Reduction are becoming more critical in protecting against current and future threats.

  • Microsoft Defender Antivirus / Next-generation protection
  • Microsoft Defender SmartScreen
  • Attack Surface Reduction
    • HW-based isolation, Exploit protection, Network protection, Controlled folder access, Device control, Web protection, Ransomware protection
    • Attack Surface Reduction rules
    • Application control
  • Windows Defender Credential Guard
  • Tamper Protection
  • Microsoft Defender for Endpoint
  • And more….

More information: Part 1: What is Defender for Endpoint and how does the product work?

Keeping up with Defender for Endpoint updates?

Keeping up with Defender for Endpoint is essential; Microsoft ships frequent feature updates, security intelligence changes, and platform improvements. Here are the most valuable and trustworthy sources:

Official Microsoft sources (primary and must-follow):

  • Microsoft Security Blog
  • Microsoft Tech Community – Defender for Endpoint
  • Microsoft’s new features page

Microsoft maintains centralized, continuously updated release notes for Defender for Endpoint across all platforms (Windows, macOS, Linux, iOS, Android). These notes include build numbers, bug fixes, performance improvements, and feature rollouts. Primary release notes page: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-releases

Defender for Endpoint, more than just antivirus

When people hear “Defender,” they often think of the built-in antivirus in Windows. But Microsoft Defender for Endpoint is much more than that; it is a full endpoint security platform that combines multiple layers of protection into a single, integrated solution. All of these components are covered in more detail in this blog series.

Parts of the MDE blog series

View all the published parts of the MDE blog series:

Other platforms:

Contribute

Is there something missing? Use the contact submission form and share your post ideas, or contact me on LinkedIn or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.