MS-900 | Chapter 66 of 104 | Objective 3.1

Microsoft Defender for Endpoint in M365

This chapter covers Microsoft Defender for Endpoint, a key component of Microsoft 365's security portfolio. For the MS-900 exam, approximately 10-15% of questions touch on security topics, with Defender for Endpoint being a frequent subject. Understanding its capabilities, deployment models, and integration with other Microsoft 365 security tools is essential. By the end of this chapter, you will be able to explain how Defender for Endpoint protects endpoints, describe its core features, and identify the correct scenarios for its use.

25 min read
Intermediate
Updated May 31, 2026

Defender for Endpoint as Building Security Team

Imagine a large office building with multiple floors, each floor having dozens of rooms (endpoints). The building has a centralized security team (Microsoft Defender for Endpoint) that monitors every door, window, and hallway. Every time someone enters or exits a room, a sensor logs the event. The security team uses cameras (behavioral sensors), badge readers (antivirus), and motion detectors (EDR) to watch for suspicious activity. If a person tries to enter a restricted area using a copied badge, the system immediately alerts the team, locks all doors on that floor, and begins recording every move that person makes—this is automated investigation and response. The team also has a list of known troublemakers (threat intelligence) and can block anyone matching that description before they even enter the building. If an incident occurs, the team can replay the exact path the intruder took through the building (attack timeline) and identify which rooms were compromised. The building also has a rule that any door left open for more than 5 minutes triggers a lockdown (automated response). This entire system is managed from a single dashboard (Microsoft 365 Defender portal) where the security team can see the health of every floor, review alerts, and take action—all without leaving their desk.

How It Actually Works

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint (MDE) is an enterprise-grade endpoint security platform designed to prevent, detect, investigate, and respond to advanced threats. It is part of the Microsoft 365 Defender suite and integrates deeply with Microsoft 365, Azure, and other security tools. MDE provides a combination of next-generation antivirus (Microsoft Defender Antivirus), endpoint detection and response (EDR), and automated investigation and remediation capabilities. The platform is available as a standalone product or bundled with Microsoft 365 E5 and Microsoft 365 Security E5 licenses.

Why Does It Exist?

Traditional antivirus solutions rely on signature-based detection, which fails against zero-day exploits and fileless malware. MDE addresses this by using multiple detection mechanisms:

- Behavioral monitoring: Observes process behaviors, file system changes, registry modifications, and network connections.
- Machine learning: Analyzes patterns to identify malicious activity without requiring signatures.
- Cloud-powered protection: Uses Microsoft's vast threat intelligence network (trillions of signals daily) to block emerging threats in near real-time.
- EDR: Continuously records endpoint activity and provides security teams with rich telemetry to investigate incidents.

How It Works Internally

MDE operates through a sensor installed on endpoints (Windows, macOS, Linux, Android, iOS). The sensor collects and sends data to the Microsoft 365 Defender cloud service. The core components include:

Sensor: A kernel-mode driver that monitors system calls, processes, file operations, and network activity. On Windows, this is built into the operating system starting with Windows 10 version 1703.

Cloud service: Analyzes the telemetry using machine learning models and threat intelligence. It correlates events across multiple endpoints to detect coordinated attacks.

Management portal: The Microsoft 365 Defender portal (security.microsoft.com) provides a unified interface for alerts, investigations, and configuration.

Automated investigation and response (AIR): Uses playbooks to automatically investigate alerts and take remediation actions (e.g., isolating a device, deleting a malicious file).

Key Components, Values, and Defaults

Microsoft Defender Antivirus: Real-time protection enabled by default. It uses cloud-delivered protection (MAPS) with a default timeout of 30 seconds for cloud lookups.

Attack surface reduction (ASR) rules: 15+ rules that block common attack techniques. Example: Block Office applications from creating child processes (GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869).

Network protection: Blocks outbound connections to malicious IPs/domains. Enabled via Group Policy or Intune.

Controlled folder access: Protects sensitive folders from ransomware by allowing only trusted apps. Default protected folders include Documents, Pictures, Desktop.

Exploit protection: Applies mitigations (e.g., DEP, ASLR) at the system and application level.

Tamper protection: Prevents security settings from being modified by malware or unauthorized users. Enabled by default for enterprise tenants.

Device discovery: Discovers unmanaged devices in the network using passive network scanning. Default scan interval: every 2 hours.

Endpoint detection and response (EDR): Retains data for up to 180 days (default 30 days for some plans).

Configuration and Verification

MDE can be deployed via Microsoft Intune, Group Policy, or Microsoft Endpoint Configuration Manager. Common PowerShell cmdlets for management:

# Check antimalware status
Get-MpComputerStatus

# Check real-time protection enabled
Get-MpPreference | Select-Object DisableRealtimeMonitoring

# Trigger a manual update
Update-MpSignature

# Start a quick scan
Start-MpScan -ScanType QuickScan

To verify EDR sensor connectivity, use:

# Windows: Check service status
Get-Service -Name Sense

# Check the Defender Antivirus operational log for configuration-change events (ID 5007)
Get-WinEvent -FilterHashtable @{ProviderName='Microsoft-Windows-Windows Defender'; Id=5007}
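As an added example (not Microsoft's code), the checks above and the defaults from the Key Components list can be pulled into one audit function that runs elevated on the local Windows device. It assumes the property names returned by Get-MpComputerStatus and Get-MpPreference, and that an onboarded device exposes the sensor's Status registry key and the SENSE operational log.

```powershell
function Get-MdeEndpointAudit {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [ordered]@{}

    # Next-generation protection: real-time protection on, cloud protection on, signatures fresh
    $findings['RealTimeProtection'] = $status.RealTimeProtectionEnabled
    $findings['CloudProtection']    = ($pref.MAPSReporting -ne 0)   # 0 = MAPS disabled
    $findings['SignatureAgeDays']   = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays

    # Tamper protection is reported by the platform; it cannot be changed through Set-MpPreference
    $findings['TamperProtection'] = $status.IsTamperProtected

    # Network protection and controlled folder access share one encoding: 0 = Disabled, 1 = Enabled, 2 = Audit
    $modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }
    $findings['NetworkProtection']      = $modes[[int]$pref.EnableNetworkProtection]
    $findings['ControlledFolderAccess'] = $modes[[int]$pref.EnableControlledFolderAccess]

    # ASR rules: pair each rule GUID with its action (0 = Off, 1 = Block, 2 = Audit, 6 = Warn)
    $asrActions = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $asr = @()
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $asr += "$($pref.AttackSurfaceReductionRules_Ids[$i])=$($asrActions[[int]$pref.AttackSurfaceReductionRules_Actions[$i]])"
    }
    $findings['AsrRulesInBlockMode'] = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    $findings['AsrRules']            = $asr -join ', '

    # EDR sensor: Sense service running, device onboarded (OnboardingState = 1), sensor still logging
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $findings['SenseService'] = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
    $onb = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $findings['Onboarded'] = ($onb.OnboardingState -eq 1)
    $last = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue
    $findings['LastSenseEvent'] = if ($last) { $last.TimeCreated } else { $null }

    # Flag deviations from the enterprise baseline described in this chapter
    $issues = @()
    if (-not $findings['RealTimeProtection']) { $issues += 'Real-time protection off' }
    if (-not $findings['TamperProtection'])   { $issues += 'Tamper protection off' }
    if ($findings['NetworkProtection'] -ne 'Enabled') { $issues += 'Network protection not in block mode' }
    if ($findings['SenseService'] -ne 'Running' -or -not $findings['Onboarded']) { $issues += 'EDR sensor not healthy' }
    if ($findings['SignatureAgeDays'] -gt 1) { $issues += 'Security intelligence older than one day' }
    $findings['Issues'] = if ($issues) { $issues -join '; ' } else { 'None' }
    return [pscustomobject]$findings
}

Get-MdeEndpointAudit | Format-List
```

Run it before and after pushing an Intune or Group Policy baseline to confirm the settings landed on the device rather than only in the policy.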

Integration with Related Technologies

MDE integrates with:

- Microsoft 365 Defender: Provides cross-domain correlation across email, identity, and endpoints.
- Microsoft Defender for Identity: Shares alerts for lateral movement detection.
- Microsoft Defender for Office 365: Correlates email-based threats with endpoint behavior.
- Azure Sentinel: Ingests MDE alerts for SIEM and SOAR capabilities.
- Microsoft Intune: Manages MDE configuration and compliance policies.
- Microsoft Defender for Cloud: Extends protection to cloud workloads (VMs, containers).

Licensing and Deployment

MDE is available in two plans:

- Plan 1: Includes next-generation protection, attack surface reduction, and basic EDR. Available with Microsoft 365 Business Premium, E3, and standalone.
- Plan 2: Adds advanced EDR, automated investigation and response, threat analytics, and hunting capabilities. Available with Microsoft 365 E5, Microsoft 365 Security E5, and standalone.

Deployment prerequisites:

Windows 10/11 (version 1703+), Windows Server 2012 R2+, macOS (10.13+), Linux (various distros), Android (6.0+), iOS (11.0+).

Minimum 4 GB RAM, 2 GB free disk space.

Internet connectivity (direct or via proxy).

Attack Timeline and Hunting

The EDR component maintains an attack timeline that records up to 6 months of activity (depending on license). Security analysts can use the timeline to reconstruct the exact sequence of events leading to an incident. Advanced hunting (Kusto Query Language) allows custom queries across endpoint data, email, identity, and cloud app activities.

Walk-Through

1. Sensor Enrollment and Data Collection

The MDE sensor is installed on the endpoint. On Windows, it runs as a kernel-mode driver that hooks system calls for process creation, file writes, registry changes, and network connections. The sensor collects events and sends them to the cloud service via HTTPS (port 443) using certificate-based authentication. The initial enrollment registers the device with the Microsoft 365 Defender tenant. Data is batched and sent every 30-60 seconds in normal operation, but critical alerts are sent immediately. The sensor also downloads threat intelligence updates from the cloud every 4 hours by default.

2. Cloud Analysis and Alert Generation

The cloud service receives telemetry from millions of endpoints. Machine learning models analyze the data in real-time, comparing behaviors against known malicious patterns and baselines. When a suspicious event is detected (e.g., a process spawning from an Office application with a network connection), an alert is generated. The alert includes severity (informational, low, medium, high, critical), MITRE ATT&CK technique mapping, and a link to the related attack timeline. The cloud also correlates events across multiple devices to identify multi-stage attacks. For example, if one device downloads a malicious script and another device runs it, the cloud links those alerts.

3. Automated Investigation and Remediation

When an alert is generated, automated investigation begins. The system runs a series of playbooks that check the affected device(s) for related artifacts: running processes, scheduled tasks, startup items, and network connections. It uses file reputation (cloud lookup) and behavioral analysis to determine if a file is malicious. If confirmed, remediation actions are taken automatically (based on the automation level setting). Possible actions include: quarantining a file, killing a process, removing a registry key, or isolating the device from the network. The automation level can be set to 'Full - remediate threats automatically' or 'Semi - require approval for remediation'. The default for new tenants is 'Semi'.

4. Analyst Investigation and Response

Security analysts in the Microsoft 365 Defender portal can view the attack timeline for each device. The timeline shows every event from the past 30 days (up to 180 with extended retention). Analysts can filter by time, process, or alert. They can also use advanced hunting to write KQL queries. For example, to find processes that made outbound connections to suspicious IPs: `DeviceNetworkEvents | where RemoteIPType == 'Public' and Timestamp > ago(1d)`. Analysts can take manual actions like isolating a device, collecting a forensic package, or running a live response session (PowerShell over WinRM).

5. Reporting and Threat Analytics

MDE provides built-in reports on threat protection, device health, and vulnerabilities. The threat analytics dashboard shows active threats, their impact, and recommended actions. Reports can be exported to CSV or integrated with Power BI. The security team can also generate custom reports using the advanced hunting queries. The system automatically generates a weekly summary email for administrators highlighting new detections and devices at risk.
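The following is an added example, not MDE's own detection code: a simplified local model of the Step 2 detection (an Office application spawning a script host that then reaches a public IP) and of the Step 3 automation-level gating, run over constructed telemetry. The record shapes, the Test-PrivateIp helper, and the sample device names and IPs are assumptions made for the example.

```powershell
$OfficeApps  = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
$ScriptHosts = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

function Test-PrivateIp {
    param([string]$Ip)
    # RFC 1918 and loopback ranges; anything else is treated as a public address
    return ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)')
}

function Find-OfficeChildNetworkAlert {
    # Step 2 logic: an Office app spawning a script host is suspicious (Medium);
    # the same child then connecting to a public IP raises the alert to High.
    param([object[]]$ProcessEvents, [object[]]$NetworkEvents)
    $alerts = @()
    foreach ($p in $ProcessEvents) {
        if ($OfficeApps -notcontains $p.ParentFileName.ToLower()) { continue }
        if ($ScriptHosts -notcontains $p.FileName.ToLower()) { continue }
        $conn = $NetworkEvents | Where-Object {
            $_.DeviceName -eq $p.DeviceName -and
            $_.InitiatingProcessId -eq $p.ProcessId -and
            -not (Test-PrivateIp $_.RemoteIP)
        } | Select-Object -First 1
        $alerts += [pscustomobject]@{
            DeviceName = $p.DeviceName
            ProcessId  = $p.ProcessId
            Title      = "$($p.ParentFileName) spawned $($p.FileName)"
            Severity   = if ($conn) { 'High' } else { 'Medium' }
            RemoteIP   = if ($conn) { $conn.RemoteIP } else { $null }
            Technique  = 'T1059.001'   # MITRE ATT&CK mapping, as MDE attaches to each alert
        }
    }
    return $alerts
}

function Invoke-AutomatedResponse {
    # Step 3 gating: the same playbook runs either way, but under 'Semi' (the
    # default) its actions are only proposed until an analyst approves them.
    param([object[]]$Alerts, [ValidateSet('Semi', 'Full')][string]$AutomationLevel = 'Semi')
    foreach ($a in $Alerts) {
        $actions = @("Kill process $($a.ProcessId)", 'Quarantine downloaded file')
        if ($a.Severity -eq 'High') { $actions += "Isolate device $($a.DeviceName)" }
        [pscustomobject]@{
            Device  = $a.DeviceName
            Alert   = $a.Title
            Status  = if ($AutomationLevel -eq 'Full') { 'Remediated' } else { 'Pending approval' }
            Actions = $actions -join '; '
        }
    }
}

# Constructed sample telemetry, shaped loosely like DeviceProcessEvents / DeviceNetworkEvents
$ProcessEvents = @(
    [pscustomobject]@{ DeviceName = 'FIN-WS-017'; ParentFileName = 'EXCEL.EXE';    FileName = 'powershell.exe'; ProcessId = 4412 },
    [pscustomobject]@{ DeviceName = 'FIN-WS-022'; ParentFileName = 'explorer.exe'; FileName = 'powershell.exe'; ProcessId = 1180 },
    [pscustomobject]@{ DeviceName = 'FIN-WS-031'; ParentFileName = 'WINWORD.EXE';  FileName = 'wscript.exe';    ProcessId = 2210 }
)
$NetworkEvents = @(
    [pscustomobject]@{ DeviceName = 'FIN-WS-017'; InitiatingProcessId = 4412; RemoteIP = '203.0.113.45'; RemotePort = 443 },
    [pscustomobject]@{ DeviceName = 'FIN-WS-022'; InitiatingProcessId = 1180; RemoteIP = '10.20.5.8';    RemotePort = 445 },
    [pscustomobject]@{ DeviceName = 'FIN-WS-031'; InitiatingProcessId = 2210; RemoteIP = '192.168.4.12'; RemotePort = 445 }
)

$alerts = Find-OfficeChildNetworkAlert -ProcessEvents $ProcessEvents -NetworkEvents $NetworkEvents
Invoke-AutomatedResponse -Alerts $alerts -AutomationLevel 'Semi' | Format-Table -AutoSize
```

With the sample data, FIN-WS-017 yields a High alert whose isolation action waits for approval, FIN-WS-031 yields a Medium alert without isolation, and FIN-WS-022 (explorer.exe parent) produces no alert at all.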

What This Looks Like on the Job

Enterprise Scenario 1: Ransomware Attack on a Financial Services Firm

A financial services firm with 5,000 endpoints deployed Microsoft Defender for Endpoint Plan 2. One morning, a user opened a malicious Excel attachment that executed a PowerShell script to download ransomware. Within seconds, the MDE sensor detected the anomalous process behavior—Excel spawning PowerShell, which then made an outbound connection to a known malicious IP. An alert was generated at severity 'High'. Automated investigation began immediately: the system isolated the compromised device from the network, killed the PowerShell process, and quarantined the downloaded file. The entire response took under 90 seconds. The security team later used the attack timeline to trace the initial infection vector and block the sender email domain via Defender for Office 365. The firm avoided a full-scale ransomware outbreak because the automated response contained the threat before it could spread.

Enterprise Scenario 2: Lateral Movement Detection in a Healthcare Organization

A healthcare organization with 10,000 endpoints uses MDE for EDR. An attacker compromised a low-privilege user account and used it to move laterally to a server. MDE detected the attacker using PsExec to execute commands on multiple machines—a classic lateral movement technique. The system alerted on 'Remote Service Creation' and 'Pass-the-Hash' events. The security team used advanced hunting to identify all devices the attacker accessed and isolated them via a single action in the portal. The investigation revealed that the attacker had been in the network for 3 days, but MDE's historical timeline allowed full reconstruction. The team then patched the vulnerability used for initial access and implemented ASR rules to block PsExec usage.

Performance and Scale Considerations

MDE is designed for large-scale deployments. The sensor has minimal performance impact—typically less than 5% CPU overhead on modern hardware. Network bandwidth usage averages 5-10 MB per device per day for telemetry. Organizations with strict proxy environments must ensure the sensor can reach the following endpoints: *.endpoint.microsoft.com, *.events.data.microsoft.com, and *.settings-win.data.microsoft.com (full list available in Microsoft docs). Misconfiguration of proxy settings or firewalls is the most common cause of sensor disconnection. When a sensor loses connectivity for more than 7 days, the device is marked as 'inactive' and may need re-enrollment.

How MS-900 Actually Tests This

MS-900 Objective Coverage

This topic maps to objective M365 Security: Describe threat protection with Microsoft 365 Defender. Specifically, you need to:

Describe the capabilities of Microsoft Defender for Endpoint (Plan 1 vs Plan 2).

Understand how it integrates with Microsoft 365 Defender.

Identify scenarios where MDE is used (e.g., endpoint protection, EDR, automated response).

Common Wrong Answers and Why

1. 'MDE only works on Windows' – WRONG. MDE supports Windows, macOS, Linux, Android, and iOS. Candidates often assume it's Windows-only because it originated on Windows.

2. 'MDE is the same as Microsoft Defender Antivirus' – WRONG. Defender Antivirus is a component of MDE, but MDE includes EDR, ASR, and automated response. The exam tests the distinction.

3. 'MDE requires an on-premises server' – WRONG. MDE is cloud-delivered. No on-premises infrastructure is required beyond the endpoints.

4. 'MDE can block all threats automatically' – WRONG. Automated response depends on the automation level setting. Default is 'Semi', which requires approval for remediation.

Specific Terms and Numbers on the Exam

Plan 1 vs Plan 2 capabilities: Plan 1 = next-gen protection + ASR; Plan 2 = adds EDR, AIR, threat analytics.

Microsoft 365 E5 includes MDE Plan 2; Microsoft 365 Business Premium includes Plan 1.

Attack surface reduction rules: 15+ rules; exam may ask which rule blocks a specific attack (e.g., 'Block Office applications from creating child processes').

Tamper protection: Enabled by default for enterprise tenants.

Automated investigation: Default automation level is 'Semi'.

Data retention: EDR data retained for 30 days (default) or up to 180 days with additional licensing.

Edge Cases and Exceptions

Unmanaged devices: MDE can discover unmanaged devices via passive scanning, but it cannot protect them unless they are onboarded.

Linux/macOS: EDR features are available but some ASR rules are Windows-only.

Server support: Windows Server 2012 R2 requires Microsoft Monitoring Agent for full EDR; newer versions have native sensor.

Network protection: Requires Windows 10/11 or Windows Server 2019+.

How to Eliminate Wrong Answers

If a question asks about 'automatically remediating threats', check if the automation level is mentioned. If not, assume 'Semi' (requires approval). If a question says 'MDE is included in Microsoft 365 E3', that is false (E3 includes only Defender Antivirus, not MDE). Look for keywords: 'Plan 2' implies EDR and AIR; 'Plan 1' implies only next-gen protection. Always consider the integration with Microsoft 365 Defender—MDE is one piece of the broader security suite.

Key Takeaways

Microsoft Defender for Endpoint (MDE) is a cloud-delivered endpoint security solution with next-gen antivirus, EDR, and automated response.

MDE Plan 1 includes antivirus and ASR; Plan 2 adds full EDR, AIR, and threat analytics.

MDE integrates with Microsoft 365 Defender for cross-domain threat correlation.

Tamper protection is enabled by default to prevent security setting changes.

Automated investigation default level is 'Semi' (requires approval for remediation).

EDR data is retained for 30 days (default) or up to 180 days with extended retention.

MDE supports Windows, macOS, Linux, Android, and iOS.

The sensor communicates via HTTPS (port 443) to the Microsoft cloud.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft Defender for Endpoint Plan 1

Next-generation antivirus (Microsoft Defender Antivirus)

Attack surface reduction rules

Limited EDR capabilities (basic alerts)

No automated investigation and response

Included with Microsoft 365 E3, Business Premium

Microsoft Defender for Endpoint Plan 2

All Plan 1 features

Full endpoint detection and response (EDR)

Automated investigation and remediation (AIR)

Threat analytics and advanced hunting

Included with Microsoft 365 E5, Security E5

Watch Out for These

Mistake

Microsoft Defender for Endpoint is just an antivirus.

Correct

MDE is a comprehensive endpoint security platform that includes next-generation antivirus, EDR, automated investigation and response, attack surface reduction, and threat hunting. Antivirus is only one component.

Mistake

MDE only protects Windows devices.

Correct

MDE supports Windows, macOS, Linux, Android, and iOS. While Windows has the most features, cross-platform support is a key capability.

Mistake

MDE requires an on-premises server to operate.

Correct

MDE is a cloud-native service. No on-premises infrastructure is needed. The sensor communicates directly with the Microsoft cloud.

Mistake

MDE automatically blocks all threats without any user intervention.

Correct

Automated remediation depends on the automation level setting. The default is 'Semi', which requires analyst approval for remediation actions. Full automation is an option but must be explicitly configured.

Mistake

MDE can protect unmanaged devices discovered on the network.

Correct

MDE can discover unmanaged devices, but it cannot protect them unless they are onboarded to the service. Discovery is for visibility, not protection.


Frequently Asked Questions

What is the difference between Microsoft Defender for Endpoint Plan 1 and Plan 2?

Plan 1 provides next-generation antivirus, attack surface reduction rules, and basic EDR capabilities. Plan 2 includes everything in Plan 1 plus full EDR, automated investigation and response, threat analytics, and advanced hunting. Plan 2 is included with Microsoft 365 E5, while Plan 1 is included with E3 and Business Premium.

Does Microsoft Defender for Endpoint work on macOS and Linux?

Yes, MDE supports macOS (10.13+) and Linux (various distributions). The features are not as extensive as on Windows—for example, some attack surface reduction rules are Windows-only—but core antivirus, EDR, and automated response are available.

How does MDE's automated investigation work?

When an alert is generated, the system runs automated playbooks that examine the affected device(s) for related artifacts. It checks processes, files, registry keys, and network connections. If malicious activity is confirmed, remediation actions are taken based on the automation level (default 'Semi' requires approval).

What is tamper protection in MDE?

Tamper protection prevents malware or unauthorized users from disabling security features like real-time protection, cloud-delivered protection, and security intelligence updates. It is enabled by default for enterprise tenants and can be managed via Intune or Group Policy.

Can MDE protect against zero-day threats?

Yes, MDE uses behavioral monitoring, machine learning, and cloud-powered protection to detect and block zero-day exploits. It does not rely solely on signature-based detection, so it can identify novel threats based on suspicious behavior.

How do I onboard devices to Microsoft Defender for Endpoint?

Devices can be onboarded using Group Policy, Microsoft Intune, Microsoft Endpoint Configuration Manager, or a local script. The onboarding package contains a script that installs the sensor and configures it to communicate with the tenant. For Windows 10/11, the sensor is built-in and only needs activation.

What is the default data retention for EDR?

The default retention period for EDR data is 30 days. With an additional license (Microsoft 365 E5 or add-on), retention can be extended to 180 days. Advanced hunting queries can access data within the retention window.

