MS-900 | Chapter 59 of 104 | Objective 3.1

Microsoft Defender for Business

This chapter covers Microsoft Defender for Business, a comprehensive security solution designed specifically for small and medium-sized businesses (SMBs) with up to 300 users. As part of the MS-900 exam objective 3.1 (M365 Security), understanding Defender for Business is critical because it represents Microsoft's strategy to deliver enterprise-grade security to SMBs. Approximately 10-15% of exam questions touch on Microsoft Defender products, with Defender for Business being a key differentiator for the Business Premium licensing tier.

25 min read
Intermediate
Updated May 31, 2026

Digital Immune System for Small Business

Microsoft Defender for Business works like a dedicated security guard stationed at the entrance of a small office building. Unlike a large corporate campus with a full security team (Microsoft 365 Defender's enterprise version), this guard handles all security tasks: checking IDs, monitoring cameras, scanning packages, and responding to alarms. When a visitor (email or file) arrives, the guard checks a real-time threat database (cloud-based threat intelligence) and decides access. If the visitor looks suspicious, the guard isolates them in a holding room (sandbox) for further inspection. The guard also patrols the building (device scanning) and can instantly lock down a room (isolate a device) if a threat is detected. All actions are logged and reported to the building manager (IT admin) via a simple dashboard. The key mechanic is that this guard is not just local—they communicate with a network of other guards (Microsoft's global threat intelligence) to recognize new threats that have been seen elsewhere. This centralized, automated approach gives small businesses enterprise-grade protection without needing a full-time IT security team.

How It Actually Works

What is Microsoft Defender for Business?

Microsoft Defender for Business is a fully integrated security solution that combines endpoint protection, email security, and threat and vulnerability management into a single, cloud-managed service. It is designed for organizations with up to 300 users and is included in Microsoft 365 Business Premium. Unlike the enterprise-grade Microsoft 365 Defender, which requires dedicated security operations teams, Defender for Business simplifies security management through a unified dashboard and automated responses.

Why It Exists

Small and medium-sized businesses face the same cyber threats as large enterprises but lack the budget and expertise to deploy and manage multiple security tools. Defender for Business addresses this gap by providing:

- Unified protection: Combines antivirus, antimalware, endpoint detection and response (EDR), email security, and threat intelligence.
- Automated remediation: Uses machine learning and automation to respond to threats without manual intervention.
- Simplified management: A single dashboard in the Microsoft 365 Defender portal (https://security.microsoft.com) for all security operations.

How It Works Internally

Defender for Business operates on a cloud-native architecture that leverages Microsoft's vast threat intelligence network. The core components include:

1. Endpoint Protection: Uses Microsoft Defender Antivirus (built into Windows 10/11) with real-time protection, cloud-delivered protection, and behavior monitoring. Cloud-delivered protection sends metadata about suspicious files to the cloud for analysis, with a typical response time of under 1 second.

2. Endpoint Detection and Response (EDR): Monitors endpoint activities using sensors that collect and analyze behavioral signals. These sensors are lightweight kernel-mode drivers that capture events like process creation, file modifications, registry changes, and network connections. Data is sent to the cloud where Microsoft's AI models correlate events across devices to detect advanced threats.

3. Threat and Vulnerability Management (TVM): Continuously scans endpoints for software vulnerabilities, misconfigurations, and weak security settings. It uses the Common Vulnerabilities and Exposures (CVE) database and assigns a severity score based on exploitability and potential impact.

4. Email Protection: Integrates with Exchange Online Protection (EOP) and Microsoft Defender for Office 365 to filter malicious emails. It uses machine learning models trained on billions of emails to detect phishing, malware, and spam.

5. Automated Investigation and Response (AIR): When an alert is triggered, Defender for Business can automatically investigate the scope and impact. It uses playbooks that define remediation actions like quarantining files, blocking IP addresses, or isolating devices. The automation level can be configured to full automation (recommended) or semi-automation with manual approval.

Key Components, Values, and Defaults

Device onboarding: Devices are enrolled via Group Policy, Microsoft Endpoint Manager (Intune), or a local script. The default onboarding method for Business Premium is automatic via Intune when the user signs in with their work account.

Real-time protection: Enabled by default. It scans files when they are accessed, downloaded, or executed.

Cloud-delivered protection: Enabled by default. It sends file metadata to the cloud for analysis. Block timeout is 10 seconds by default.

Sample submission: Automatically submits suspicious files to Microsoft for analysis. The default is to submit all samples automatically.

Tamper protection: Prevents unauthorized changes to security settings. Enabled by default.

Attack surface reduction rules: A set of 14 rules that block common attack techniques. Examples: Block Office applications from creating child processes, Block credential stealing from the Windows local security authority subsystem (lsass.exe).

Scheduled scans: By default, a quick scan runs daily at 2 AM (local time). Full scans are not scheduled by default.

Alert severity levels: Informational, Low, Medium, High. High severity alerts trigger automated investigation.

Device isolation: Can isolate a device from the network while allowing communication with the Defender cloud. The default isolation duration is 24 hours.

Configuration and Verification Commands

For devices running Windows 10/11, you can verify Defender for Business status using PowerShell:

# Check Defender Antivirus status (key properties: AMServiceEnabled,
# RealTimeProtectionEnabled, IsTamperProtected, AntivirusSignatureLastUpdated)
Get-MpComputerStatus
# Check if real-time protection is enabled (DisableRealtimeMonitoring should be False)
Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring
# Check cloud-delivered protection (MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced)
Get-MpPreference | Select-Object -Property MAPSReporting
# Check tamper protection status (IsTamperProtected shows whether it is on;
# TamperProtectionSource shows which management channel controls it)
Get-MpComputerStatus | Select-Object -Property IsTamperProtected, TamperProtectionSource

For email protection, use the Microsoft 365 Defender portal or Exchange Online PowerShell:

# Requires the ExchangeOnlineManagement module; run Connect-ExchangeOnline first
# Get anti-phish policy
Get-AntiPhishPolicy | Select-Object Name, Enabled, PhishThresholdLevel
# Get anti-spam policy
Get-HostedContentFilterPolicy | Select-Object Name, HighConfidenceSpamAction, SpamAction
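The individual commands above each show one setting; as an added example (not code from the chapter or from Microsoft), the function below reads the same cmdlets once and compares an endpoint against the defaults listed under "Key Components, Values, and Defaults", flagging any drift. It assumes an elevated prompt on a Windows 10/11 device and that the onboarding-state registry key written by the Defender for Endpoint sensor is present.

```powershell
# Added example, not from the original chapter: compare one Windows 10/11 endpoint's
# Defender settings against the defaults this chapter lists and report any drift.
# Run from an elevated prompt on an onboarded device. Property names come from the
# built-in Get-MpPreference / Get-MpComputerStatus cmdlets; the registry path for the
# onboarding state is the one the Defender for Endpoint sensor writes (assumption).

function Test-DfbEndpointBaseline {
    [CmdletBinding()]
    param()

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # OnboardingState = 1 once the device has been enrolled into Defender for Business
    $senseKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $senseProp = Get-ItemProperty -Path $senseKey -ErrorAction SilentlyContinue
    $onboarded = ($null -ne $senseProp) -and ($senseProp.OnboardingState -eq 1)

    # Count ASR rules currently in Block (1) and Audit (2) mode
    $asrActions = @($pref.AttackSurfaceReductionRules_Actions)
    $asrBlock   = @($asrActions | Where-Object { $_ -eq 1 }).Count
    $asrAudit   = @($asrActions | Where-Object { $_ -eq 2 }).Count

    # MAPSReporting: 0 = off, 1 = basic, 2 = advanced. SubmitSamplesConsent: 3 = send all.
    # CloudExtendedTimeout is added on top of the 10-second default cloud block timeout.
    # AntivirusSignatureAge is in days; the chapter says signatures refresh every 4 hours.
    $checks = @(
        @{ Setting = 'Sensor onboarded';           Pass = $onboarded
           Detail = "OnboardingState=$($senseProp.OnboardingState)" }
        @{ Setting = 'Real-time protection';       Pass = (-not $pref.DisableRealtimeMonitoring)
           Detail = "DisableRealtimeMonitoring=$($pref.DisableRealtimeMonitoring)" }
        @{ Setting = 'Behavior monitoring';        Pass = (-not $pref.DisableBehaviorMonitoring)
           Detail = "DisableBehaviorMonitoring=$($pref.DisableBehaviorMonitoring)" }
        @{ Setting = 'Cloud-delivered protection'; Pass = ($pref.MAPSReporting -ge 1)
           Detail = "MAPSReporting=$($pref.MAPSReporting)" }
        @{ Setting = 'Sample submission = all';    Pass = ($pref.SubmitSamplesConsent -eq 3)
           Detail = "SubmitSamplesConsent=$($pref.SubmitSamplesConsent)" }
        @{ Setting = 'Cloud block timeout 10 s';   Pass = ($pref.CloudExtendedTimeout -eq 0)
           Detail = "CloudExtendedTimeout=$($pref.CloudExtendedTimeout)" }
        @{ Setting = 'Tamper protection';          Pass = [bool]$status.IsTamperProtected
           Detail = "TamperProtectionSource=$($status.TamperProtectionSource)" }
        @{ Setting = 'Signatures < 1 day old';     Pass = ($status.AntivirusSignatureAge -lt 1)
           Detail = "LastUpdated=$($status.AntivirusSignatureLastUpdated)" }
        @{ Setting = 'ASR rules enforced';         Pass = ($asrBlock -gt 0)
           Detail = "Block=$asrBlock Audit=$asrAudit" }
    )

    foreach ($c in $checks) {
        $state = if ($c.Pass) { 'OK' } else { 'DRIFT' }
        [pscustomobject]@{
            Setting = $c.Setting
            Status  = $state
            Detail  = $c.Detail
        }
    }
}

# Usage: show only the settings that deviate from the chapter's stated defaults
Test-DfbEndpointBaseline | Where-Object Status -eq 'DRIFT' | Format-Table -AutoSize
```

Run the same function across a device group and any row marked DRIFT is a candidate for the "Incomplete onboarding" and "Misconfigured automation levels" pitfalls discussed later in the chapter.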

Interaction with Related Technologies

Defender for Business integrates with:

- Microsoft 365 Business Premium: Provides the licensing and management foundation.
- Microsoft Intune: Used for device enrollment, configuration, and compliance policies.
- Microsoft Entra ID (formerly Azure AD): Provides identity-based access controls and conditional access policies.
- Microsoft Purview Compliance Portal: For data loss prevention (DLP) and retention policies.
- Microsoft Defender for Cloud Apps: Extends protection to cloud applications (SaaS).

When a device is non-compliant (e.g., missing critical updates), Intune can trigger a conditional access policy that blocks access to corporate resources until the issue is resolved.

Limitations and Considerations

User limit: 300 users. For larger organizations, Microsoft 365 E3/E5 with enterprise Defender is required.

Device support: Windows 10/11, macOS, iOS, and Android. Linux is not supported.

Email protection: Only covers Exchange Online; on-premises Exchange requires additional licensing.

Advanced hunting: Not available in Defender for Business; it is an enterprise feature.

Custom detection rules: Not supported; only built-in detections are available.

Exam-Relevant Details

Defender for Business is included in Microsoft 365 Business Premium (not Business Basic or Business Standard).

It provides enterprise-grade security tailored for SMBs.

Key capabilities: endpoint protection, EDR, threat and vulnerability management, email protection, and automated investigation and response.

The management interface is the Microsoft 365 Defender portal (security.microsoft.com).

Tamper protection is enabled by default and prevents unauthorized changes to security settings.

Device isolation can be initiated manually or automatically during an investigation.

Attack surface reduction rules can be configured to block specific behaviors.

Cloud-delivered protection sends file metadata to the cloud for analysis.

Automated investigation can be set to full automation or require manual approval.

Common Exam Traps

Trap: Defender for Business is the same as Microsoft 365 Defender. Reality: Defender for Business is a subset designed for SMBs; Microsoft 365 Defender is the enterprise version with additional features like advanced hunting and custom detections.

Trap: Defender for Business requires a separate subscription. Reality: It is included in Microsoft 365 Business Premium; no additional license is needed.

Trap: Defender for Business only protects Windows devices. Reality: It also supports macOS, iOS, and Android.

Trap: Email protection is provided by Defender for Business alone. Reality: It uses Exchange Online Protection and Defender for Office 365; these are integrated but separate services.

Trap: Automated investigation always takes action without approval. Reality: The automation level can be configured; by default, it may require approval for certain actions.

Walk-Through

1. Onboard devices into Defender for Business

Devices are enrolled into Defender for Business to begin protection. The primary method for Windows 10/11 devices is automatic enrollment via Microsoft Intune when the user signs in with their Microsoft 365 Business Premium account. Alternatively, administrators can use Group Policy or a local onboarding script downloaded from the Microsoft 365 Defender portal. During onboarding, a configuration package is applied that enables Defender Antivirus, real-time protection, and cloud-delivered protection. The device appears in the Devices list within 1-2 minutes after successful enrollment. For macOS, a separate profile is installed. iOS and Android devices are enrolled via Microsoft Edge or the Company Portal app.

2. Configure security policies and settings

Admins define security policies in the Microsoft 365 Defender portal. This includes configuring attack surface reduction rules, setting up automated investigation and response (AIR) levels, and defining alert notification rules. Policies can be assigned to specific device groups (e.g., all devices, test devices). Default policies are provided for common scenarios. For example, the 'Standard' preset applies recommended settings for most businesses. Admins can customize settings like sample submission (automatic or manual), cloud-delivered protection level (high, moderate, low), and scheduled scan timing. Tamper protection is enabled by default and prevents malware from disabling security features.

3. Monitor alerts and incidents in the dashboard

The Microsoft 365 Defender portal displays a unified dashboard showing the security posture, active alerts, and incidents. Alerts are generated when suspicious activities are detected, such as malware infections, phishing attempts, or unusual login patterns. Incidents group related alerts to provide a full attack story. Admins can filter by severity (High, Medium, Low, Informational), status (New, In Progress, Resolved), and time range. The dashboard also shows device health, threat exposure score, and vulnerability findings. Real-time updates occur within seconds of detection.

4. Investigate and respond to threats automatically

When a high-severity alert is triggered, Defender for Business initiates automated investigation. The system analyzes the scope of the threat, including affected devices, user accounts, and files. Based on built-in playbooks, it may automatically quarantine malicious files, block IP addresses, or isolate devices. The investigation results are presented as a graph showing the attack chain. Admins can review the actions taken and approve or reject them if the automation level is set to semi-automated. Full automation is recommended for faster response. The entire process typically completes within 5-10 minutes.

5. Remediate vulnerabilities and improve posture

Threat and Vulnerability Management (TVM) continuously scans devices for missing security updates, weak configurations, and exposed vulnerabilities. The dashboard shows a threat exposure score (0-100) and a list of recommended actions prioritized by severity. Admins can create remediation tasks that are pushed via Intune, such as deploying missing patches or changing registry keys. For example, if a critical CVE is detected, a task can be created to update the affected software. TVM also provides a software inventory and security baseline assessment. Regular remediation reduces the attack surface and improves the overall security posture.

What This Looks Like on the Job

Scenario 1: Law Firm with 50 Employees

A small law firm using Microsoft 365 Business Premium needs to protect sensitive client data from ransomware and phishing attacks. They deploy Defender for Business to all 50 Windows 10 laptops and 20 iOS devices. The IT admin configures attack surface reduction rules to block Office applications from creating child processes and to block executable content from email. A phishing email containing a malicious macro is sent to a lawyer. Defender for Business blocks the attachment at the email gateway (Exchange Online Protection) and also quarantines the file on the lawyer's device if it was downloaded. The admin receives an alert and reviews the incident in the dashboard, seeing that no data was exfiltrated. The automated investigation confirms the device is clean. The firm's security posture is maintained without dedicated security staff.

Scenario 2: Retail Chain with 200 Point-of-Sale Systems

A retail chain with 200 Windows 10 point-of-sale (POS) systems uses Defender for Business to protect against malware that targets credit card data. The POS systems are enrolled via Intune with a custom policy that disables PowerShell and restricts USB devices. The TVM module identifies that several POS systems are missing a critical patch for a known vulnerability in the payment processing software. The admin creates a remediation task in Defender for Business, which pushes the update via Intune to all affected devices. Later, an alert is triggered when a suspicious process attempts to access memory of a POS application. Defender for Business automatically isolates the device from the network, preventing any data exfiltration. The incident is investigated and the device is restored after scanning.

Common Pitfalls in Production

Over-blocking by attack surface reduction rules: Some rules may block legitimate business applications. For example, the rule 'Block Office applications from creating child processes' can block Excel from launching a legitimate automation tool. Admins should test rules in audit mode before enabling them.

Incomplete onboarding: Devices not properly enrolled will lack protection. Common causes include outdated Windows versions, incorrect Group Policy, or firewall blocking communication with Defender cloud endpoints.

Misconfigured automation levels: Setting automation to manual approval can delay response times during a fast-moving attack. Full automation is recommended for most scenarios.

Ignoring TVM recommendations: Failing to remediate vulnerabilities leaves the environment exposed. Many breaches exploit known vulnerabilities that have patches available.
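The first pitfall above (and walk-through step 2) recommends staging attack surface reduction rules in audit mode before enforcing them. As an added example, not from the chapter or from Microsoft, the script below stages the two rules this chapter names in Audit mode and then summarises, from the Defender operational event log, which processes each rule would have blocked, so the admin can spot legitimate business applications before switching to Block. It assumes an elevated prompt on Windows 10/11, that the GUIDs match Microsoft's published ASR rule IDs (verify against the current ASR reference), and that the event data fields are named 'ID', 'Process Name' and 'Path'.

```powershell
# Added example, not from the original chapter: stage ASR rules in Audit mode, then
# review audit hits before enforcing. Event 1122 = rule matched in audit mode,
# 1121 = rule blocked. Rule GUIDs are Microsoft's published ASR rule IDs (verify them
# against the current ASR reference). Assumption: event data field names below match
# the Defender operational log on current Windows 10/11 builds.

$AsrRuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $RuleId,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Enabled', 'Disabled', 'Warn')] [string] $Mode
    )
    # Add-MpPreference merges into the existing rule set, so other rules keep their mode.
    foreach ($id in $RuleId) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrHitSummary {
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $hits = foreach ($e in $events) {
        # Pull the named data fields out of the event XML
        $data = @{}
        foreach ($d in ([xml] $e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = [string] $data['ID']
        $name = if ($AsrRuleNames.ContainsKey($ruleId)) { $AsrRuleNames[$ruleId] } else { $ruleId }
        $mode = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
        [pscustomobject]@{
            Mode    = $mode
            Rule    = $name
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
    # One row per mode/rule/process: this is the list to review for legitimate business apps
    $hits | Group-Object Mode, Rule, Process | ForEach-Object {
        [pscustomobject]@{
            Mode    = $_.Group[0].Mode
            Rule    = $_.Group[0].Rule
            Process = $_.Group[0].Process
            Hits    = $_.Count
            Example = $_.Group[0].Target
        }
    } | Sort-Object Hits -Descending
}

# 1) Stage both rules in audit mode on a test device group
Set-AsrRuleMode -RuleId @($AsrRuleNames.Keys) -Mode AuditMode
# 2) After the audit window, review what would have been blocked
Get-AsrHitSummary -Days 7 | Format-Table -AutoSize
# 3) Enforce only once no legitimate process appears in the summary
# Set-AsrRuleMode -RuleId @($AsrRuleNames.Keys) -Mode Enabled
```

A process such as an Excel automation add-in showing up under the Office child-process rule is exactly the over-blocking case the pitfall describes; exclude or re-scope it before enforcing.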

Performance Considerations

Defender for Business has minimal performance impact on modern hardware (less than 5% CPU overhead during scans).

Cloud-delivered protection requires internet connectivity; offline devices rely on local signatures that are updated every 4 hours.

For POS systems with limited resources, consider excluding certain processes from scanning to avoid latency.

How MS-900 Actually Tests This

What MS-900 Tests on Defender for Business

Objective 3.1: Describe the capabilities of Microsoft 365 security. The exam expects you to:

Identify Defender for Business as the SMB security solution included in Microsoft 365 Business Premium.

List its core capabilities: endpoint protection, EDR, threat and vulnerability management, email security, and automated investigation and response.

Understand that it is managed from the Microsoft 365 Defender portal.

Know that tamper protection is enabled by default.

Recognize that device isolation is a key response action.

Common Wrong Answers and Why Candidates Choose Them

1. 'Defender for Business is the same as Microsoft Defender for Endpoint Plan 1.' Reality: Defender for Business includes EDR and TVM, which are not in Defender for Endpoint Plan 1. Candidates confuse the two because both are endpoint security products.

2. 'Defender for Business requires Azure AD Premium P1.' Reality: It is included in Business Premium, which includes Azure AD Premium P1, but the security features do not require additional licensing beyond Business Premium.

3. 'Defender for Business cannot isolate devices.' Reality: Device isolation is a core feature. Candidates may think isolation is only available in enterprise versions.

4. 'Defender for Business protects on-premises Exchange.' Reality: It only protects Exchange Online. On-premises Exchange requires additional licensing.

5. 'Automated investigation always requires admin approval.' Reality: Automation level can be set to full automation, which takes actions automatically.

Specific Numbers and Terms Tested

300 users: Maximum for Defender for Business.

Microsoft 365 Business Premium: The license that includes Defender for Business.

Microsoft 365 Defender portal: The management interface.

Tamper protection: Enabled by default.

Attack surface reduction rules: 14 built-in rules.

Device isolation: Isolates device from network; default 24 hours.

Cloud-delivered protection: Sends metadata to cloud; block timeout 10 seconds.

Edge Cases and Exceptions

If a device is offline: Defender for Business uses local signature updates (every 4 hours) and behavior monitoring. Cloud features are unavailable.

If a user has multiple devices: Each device is protected individually; policies can be applied per device group.

If an admin disables tamper protection: Malware could disable security features. The exam stresses that tamper protection should remain enabled.

How to Eliminate Wrong Answers

If the question mentions 'SMB' or 'up to 300 users', the answer is likely Defender for Business.

If the question lists features like EDR, TVM, and automated response, and the organization is small, choose Defender for Business.

If the question mentions 'advanced hunting' or 'custom detections', it is NOT Defender for Business (those are enterprise features).

If the question asks about licensing for Defender for Business, look for 'Microsoft 365 Business Premium'.

If the question asks about management portal, the answer is 'Microsoft 365 Defender portal'.

Key Takeaways

Defender for Business is included in Microsoft 365 Business Premium for organizations with up to 300 users.

It provides endpoint protection, EDR, threat and vulnerability management, email security, and automated investigation and response.

Management is done through the Microsoft 365 Defender portal (security.microsoft.com).

Tamper protection is enabled by default to prevent unauthorized changes.

Device isolation can be initiated manually or automatically to contain threats.

Attack surface reduction rules block common attack techniques; there are 14 built-in rules.

Cloud-delivered protection sends file metadata to the cloud for analysis with a default block timeout of 10 seconds.

Defender for Business supports Windows, macOS, iOS, and Android devices.

Automated investigation can be set to full automation or semi-automation with manual approval.

Threat and Vulnerability Management (TVM) continuously scans for missing patches and misconfigurations.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Defender for Business

Designed for up to 300 users

Included in Microsoft 365 Business Premium

Simplified dashboard with limited customization

No advanced hunting or custom detections

Automated investigation with preset playbooks

Microsoft 365 Defender (Enterprise)

Designed for any number of users (enterprise)

Requires Microsoft 365 E5 or separate licenses

Full-featured portal with advanced analytics

Includes advanced hunting, custom detections, and threat analytics

Fully customizable automated investigation and response

Watch Out for These

Mistake: Defender for Business is only for Windows devices.
Correct: It supports Windows, macOS, iOS, and Android. Linux is not supported.

Mistake: Defender for Business requires a separate subscription from Microsoft 365 Business Premium.
Correct: It is included in Microsoft 365 Business Premium at no additional cost.

Mistake: Defender for Business includes advanced hunting capabilities.
Correct: Advanced hunting is only available in the enterprise Microsoft 365 Defender (E5).

Mistake: Automated investigation in Defender for Business always requires manual approval.
Correct: The automation level can be set to full automation, which takes actions automatically.

Mistake: Defender for Business protects on-premises Exchange servers.
Correct: Email protection is for Exchange Online only. On-premises Exchange requires additional licensing like Exchange Online Protection or Defender for Office 365.


Frequently Asked Questions

What license includes Microsoft Defender for Business?

Microsoft Defender for Business is included in Microsoft 365 Business Premium. It is also available as a standalone subscription for organizations with up to 300 users. It is not included in Business Basic or Business Standard. The exam often tests this association, so remember: Business Premium = Defender for Business.

Can Defender for Business protect Mac or mobile devices?

Yes. Defender for Business supports Windows 10/11, macOS (10.14 or later), iOS (14.0 or later), and Android (8.0 or later). Linux is not supported. For macOS, a separate installation package is required. For iOS and Android, protection is provided through the Microsoft Edge browser and the Company Portal app.

What is the difference between Defender for Business and Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint (MDE) is an enterprise-grade endpoint security solution available in two plans: Plan 1 and Plan 2. Defender for Business is a simplified version designed for SMBs. Key differences: Defender for Business includes email protection and automated investigation out of the box, while MDE Plan 1 does not include EDR or TVM. MDE Plan 2 includes advanced hunting and custom detections, which Defender for Business lacks.

How does automated investigation work in Defender for Business?

When a high-severity alert is triggered, Defender for Business automatically investigates the scope of the threat. It examines affected devices, user accounts, and files. Based on built-in playbooks, it may automatically quarantine malicious files, block IP addresses, or isolate devices. Admins can configure the automation level: full automation (actions taken without approval) or semi-automation (requires admin approval). The investigation results are displayed in the Microsoft 365 Defender portal.

What is tamper protection and why is it important?

Tamper protection prevents unauthorized changes to security settings, such as disabling real-time protection or cloud-delivered protection. It is enabled by default in Defender for Business. If tamper protection is disabled, malware could disable security features. The exam emphasizes that tamper protection should remain enabled to ensure security settings cannot be altered by attackers.

Can Defender for Business be used without Intune?

Yes, but with limitations. Devices can be onboarded using Group Policy or a local script. However, without Intune, policy management and compliance enforcement are not available. Microsoft recommends using Intune for full functionality, including conditional access and device compliance policies.

What is the maximum number of users for Defender for Business?

Defender for Business supports up to 300 users. For organizations with more than 300 users, Microsoft recommends using Microsoft 365 E3 or E5 with the enterprise version of Microsoft Defender for Endpoint.
