SC-200 | Chapter 1 of 101 | Objective 1.1

Microsoft Defender for Endpoint

This chapter covers Microsoft Defender for Endpoint (MDE), a cornerstone of the SC-200 exam's Defender XDR domain. MDE is Microsoft's enterprise endpoint detection and response (EDR) platform for Windows, macOS, Linux, Android, and iOS devices. Exam questions touch MDE throughout the Defender XDR objectives: deployment, configuration, threat hunting, and incident response. Knowing MDE well matters both for the SC-200 and for day-to-day security operations.

25 min read
Intermediate
Updated May 31, 2026

MDE as a Digital Immune System

Think of Microsoft Defender for Endpoint (MDE) as the immune system for your organization's devices. Just as your body has white blood cells that patrol for pathogens, MDE deploys sensors on every endpoint that continuously monitor for suspicious activity. When a white blood cell detects a threat, it sends chemical signals to recruit other cells; similarly, MDE sensors send telemetry to the cloud backend for analysis. The cloud backend acts like the lymph node, where signals are correlated and a response is orchestrated. If a pathogen is identified, the immune system triggers inflammation to contain the infection; MDE uses automated investigation and remediation to isolate the machine or kill a process. Just as your immune system learns from past infections to respond faster next time, MDE uses machine learning models trained on billions of signals to detect new variants of malware. And like memory B cells that remember a pathogen for years, MDE's threat intelligence retains indicators of compromise (IOCs) to block known threats instantly. The analogy holds even at the failure mode: an overactive immune system causes autoimmune disease, just as overly aggressive MDE policies can cause false positives that disrupt legitimate work. An underactive immune system leaves you vulnerable; similarly, unmonitored endpoints or delayed updates create blind spots. MDE's automated response is like a reflex arc — it acts faster than conscious thought, isolating a machine before the user even knows there's a problem.

How It Actually Works

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint (MDE) is a cloud-delivered endpoint security solution that provides preventative protection, post-breach detection, automated investigation, and response. It evolved from Windows Defender ATP and is now part of the Microsoft 365 Defender stack (since rebranded Microsoft Defender XDR; the exam and the portal use both names). Unlike traditional antivirus, MDE is an EDR (Endpoint Detection and Response) platform: it collects telemetry from endpoints, analyzes it in the cloud, and lets security teams investigate and remediate threats.

Architecture and Core Components

MDE has three main tiers:

Endpoint sensors: Installed on each device, these collect behavioral signals such as process creation, network connections, file modifications, registry changes, and kernel-level events. On Windows 10/11 and recent Windows Server the EDR sensor is built into the OS as the Sense service (MsSense.exe); onboarding activates it. Microsoft Defender Antivirus (the MsMpEng.exe engine) is a separate component that supplies prevention and feeds its own detections to the sensor. On Linux and macOS a single agent (mdatp) provides both roles.

Cloud backend: The Microsoft Defender for Endpoint cloud service aggregates telemetry from all enrolled devices and applies machine learning models, threat intelligence, and behavioral analytics to detect suspicious activity. It also hosts the Microsoft Defender portal (security.microsoft.com) where analysts work with alerts, incidents, and investigations.

Management plane: Administrators configure policies via Microsoft Intune, Group Policy, Set-MpPreference, or the Defender portal. Policies define antivirus and ASR settings, automated response levels, and indicator settings.

How Detection Works: The Mechanism

MDE detection is multi-layered:

1. Prevention: Microsoft Defender Antivirus (built in) uses real-time protection to block known malware via signatures, heuristics, and cloud-delivered protection. This is the first line of defense.

2. Post-breach detection: If malware evades prevention, the sensor captures behavioral anomalies. For example, if a process writes to the Windows Registry Run keys, the sensor records this as persistence behavior.

3. Cloud-based analysis: The sensor sends telemetry (tied to the device and tenant, not anonymized) to the cloud, where machine learning models analyze the behavior in context. For instance, a PowerShell process that downloads an executable from a low-reputation IP may be flagged as a download cradle.

4. Alert generation: If the cloud determines malicious intent, it creates an alert. Related alerts are grouped into incidents for efficient triage.

Key Features and Defaults

Automated Investigation and Remediation (AIR): When an alert fires, MDE can automatically investigate the affected device, check related processes, files, and network connections, and take remediation actions such as quarantining a file or stopping a process. The automation level is set per device group. Full - remediate threats automatically is the recommended level and is selected by default for new device groups; the alternatives are Semi - require approval (for any remediation, for core folders only, or for non-temp folders only) and No automated response. Pending and completed actions are listed in the Action center.

Defender Vulnerability Management (historically Threat & Vulnerability Management, TVM): MDE inventories installed software, identifies missing patches and misconfigurations, and scores exposure. The data comes from the sensor continuously rather than from a scheduled scan, so there is no scan interval to configure. Plan 2 includes the core capabilities; an add-on license extends them.

Attack Surface Reduction (ASR) rules: Policies that block common attack techniques. For example, the rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion (GUID 01443614-cd74-433a-b99e-2ecdc07bfc25) blocks executables that are rare, new, and not on a trusted list. Each rule can be Off, Audit, Block, or Warn (Warn is unsupported for three of the rules). ASR rules are not configured by default and must be enabled via Intune, GPO, or Set-MpPreference.

Network Protection: Blocks outbound connections to malicious or low-reputation domains and IPs using Microsoft Defender SmartScreen reputation data. It is a separate Exploit Guard feature, not an ASR rule; enable it with Intune, GPO, or Set-MpPreference -EnableNetworkProtection Enabled (AuditMode is available for testing). Custom network indicators and web content filtering depend on it being on.

Controlled Folder Access: Protects critical folders (the user profile folders by default, plus any you add) from ransomware by allowing only trusted apps to write to them. Off by default; supports an audit mode for staging.

Configuration and Verification Commands

To check that the Microsoft Defender Antivirus engine and its protection components are running on a Windows device (Get-MpComputerStatus reports the antivirus side; it says nothing about the EDR sensor):

Get-MpComputerStatus | Select-Object AMRunningMode, AMServiceEnabled, AntispywareEnabled, AntivirusEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, NISEnabled, OnAccessProtectionEnabled, RealTimeProtectionEnabled, IsTamperProtected

Expected: AMRunningMode is Normal (or Passive Mode / EDR Block Mode when a third-party AV is primary) and the protection flags are True.

To verify the EDR sensor is running and the device is onboarded:

Get-Service Sense | Select-Object Status, StartType
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status').OnboardingState

Expected: Sense is Running and OnboardingState is 1 (0 means the onboarding configuration has not been applied). Whether the sensor is actually reporting to the cloud is confirmed from the portal: the device appears in Device inventory with a recent last-seen time.

To check cloud-delivered protection settings (these are exposed by Get-MpPreference, not Get-MpComputerStatus):

Get-MpPreference | Select-Object MAPSReporting, CloudBlockLevel, CloudExtendedTimeout, SubmitSamplesConsent

Expected: MAPSReporting 2 (Advanced; 0 means cloud protection is off). CloudBlockLevel 0 is the Default level; 1 is Moderate, 2 is High, 4 is High+, 6 is Zero tolerance. The out-of-box value is 0, not High.

To view the age (in days) of the last full and quick scans:

Get-MpComputerStatus | Select-Object FullScanAge, QuickScanAge
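The checks above combined into one function that returns a health object with a list of findings, so it can be run across a fleet and filtered on Healthy = $false. This is an added example, not code from the original page or from Microsoft; it assumes an elevated PowerShell session on a Windows device, and the 7-day scan threshold is the editor's choice.

```powershell
# Added example: consolidated MDE/Defender AV health check for one Windows endpoint.
# Run elevated. Thresholds (7 days) are editor assumptions, not Microsoft defaults.

function Test-MdeEndpointHealth {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. EDR sensor: the Sense service must exist and be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if (-not $sense) {
        $findings.Add('Sense service not present (not onboarded, or OS lacks the built-in sensor)')
    } elseif ($sense.Status -ne 'Running') {
        $findings.Add("Sense service is $($sense.Status); expected Running")
    }

    # 2. Onboarding state written by the onboarding script/profile: 1 = onboarded.
    $statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    if ($onboarding -ne 1) {
        $findings.Add("OnboardingState is '$onboarding'; expected 1")
    }

    # 3. Defender AV side. 'Passive Mode' is acceptable only when a third-party AV is intentionally primary.
    $av   = Get-MpComputerStatus
    $pref = Get-MpPreference
    if ($av.AMRunningMode -notin @('Normal', 'EDR Block Mode')) {
        $findings.Add("AMRunningMode is '$($av.AMRunningMode)'; Defender AV is not the active real-time engine")
    }
    if ($av.AMRunningMode -eq 'Normal' -and -not $av.RealTimeProtectionEnabled) {
        $findings.Add('Real-time protection is disabled while Defender AV is in Normal mode')
    }
    if (-not $av.IsTamperProtected) {
        $findings.Add('Tamper protection is off; a local admin (or malware) can switch protection off')
    }

    # 4. Cloud-delivered protection: MAPSReporting 0 = off, 1 = basic, 2 = advanced.
    if ($pref.MAPSReporting -eq 0) {
        $findings.Add('Cloud-delivered protection (MAPS) is disabled')
    }
    # CloudBlockLevel 0 = Default. Raising it (2 = High) trades more cloud blocks for more false positives.
    if ($pref.CloudBlockLevel -eq 0) {
        $findings.Add('CloudBlockLevel is Default (0); consider High (2) for high-risk devices')
    }

    # 5. Scan hygiene: QuickScanAge is days since the last quick scan.
    if ($av.QuickScanAge -gt 7) {
        $findings.Add("Last quick scan was $($av.QuickScanAge) days ago")
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SenseStatus     = if ($sense) { $sense.Status.ToString() } else { 'Missing' }
        OnboardingState = $onboarding
        AMRunningMode   = $av.AMRunningMode
        MAPSReporting   = $pref.MAPSReporting
        CloudBlockLevel = $pref.CloudBlockLevel
        Healthy         = ($findings.Count -eq 0)
        Findings        = $findings.ToArray()
    }
}

# Usage: one device, full report. Across a fleet, collect the objects and filter on Healthy.
Test-MdeEndpointHealth | Format-List
```

The function reports rather than fixes: on an Intune- or GPO-managed device, local changes with Set-MpPreference are overwritten at the next policy refresh, so findings should be turned into policy changes, not run-time patches.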

Integration with Microsoft 365 Defender

MDE is the endpoint pillar of Microsoft 365 Defender (M365D, now Microsoft Defender XDR). Alerts from MDE are correlated with signals from Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra ID (formerly Azure AD) Protection. This creates cross-domain incidents. For example, a phishing email (Office 365) that leads to credential theft (Identity) and then lateral movement (Endpoint) produces a single incident. The SC-200 exam tests this integration heavily.

Deployment Methods

Microsoft Intune: For MDM-managed devices. Either turn on the Defender for Endpoint connector (Intune admin center > Endpoint security > Microsoft Defender for Endpoint) and assign an Endpoint detection and response profile that pulls the onboarding blob automatically, or upload the WindowsDefenderATP.onboarding file from the onboarding package into that profile.

Group Policy: For on-premises Active Directory joined devices. Use the ADMX templates to configure MDE.

Local script: For testing or non-domain devices. The package (WindowsDefenderATPLocalOnboardingScript.cmd) is intended for up to 10 devices and must be run as administrator on each one.

Microsoft Configuration Manager: For devices managed by Configuration Manager, including co-managed devices; onboarding is delivered as a Configuration Manager policy.

Licensing

MDE is available in two plans:

Plan 1: Next-generation antivirus, attack surface reduction (ASR rules, network protection, controlled folder access), device control, manual response actions (isolate device, run antivirus scan, stop and quarantine file), centralized management and reporting, and APIs. It does not include EDR telemetry, automated investigation, advanced hunting, or vulnerability management. Suitable for organizations that need prevention only.

Plan 2: Everything in Plan 1 plus full EDR, automated investigation and remediation, advanced hunting, live response, custom detections, threat analytics, and core Defender Vulnerability Management. This is the plan the SC-200 scenarios assume.

Key Timers and Thresholds

Alert suppression: Suppression rules have no fixed window; they stay in effect until you disable or delete them, so review them periodically.

Indicator expiration: Custom indicators (IOCs) can be given an expiration date of your choosing or set to never expire.

Automated investigation duration: Investigations run until they complete; in Semi automation the investigation pauses with remediation actions pending your approval in the Action center. There is no documented fixed timeout to memorize.

Device isolation duration: When you isolate a device, it remains isolated until you manually release it.

Threat Hunting with Advanced Hunting

MDE exposes telemetry via Advanced Hunting in the Microsoft Defender portal. Device tables in the schema include:

DeviceProcessEvents: Process creation events.

DeviceNetworkEvents: Network connections and connection attempts.

DeviceFileEvents: File creation, modification, and rename events.

DeviceRegistryEvents: Registry key and value modifications.

DeviceLogonEvents: Sign-ins and sign-in attempts on devices.

DeviceEvents: Miscellaneous events, including ASR, network protection, and antivirus detections.

DeviceInfo: Device inventory (OS, onboarding status, device tags).

Example query to find PowerShell downloads:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")            // include PowerShell 7; in~ is case-insensitive
| where ProcessCommandLine has_any ("DownloadString", "DownloadFile", "Invoke-WebRequest", "Net.WebClient", "Start-BitsTransfer")
    or ProcessCommandLine contains "-enc"                       // -enc / -EncodedCommand; contains is case-insensitive
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc
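The same hunt run from a script instead of the portal, through the Microsoft Graph security API action runHuntingQuery, so it can be scheduled or pushed into a ticketing system. This is an added example, not part of the original page or of Microsoft's documentation; it assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account (or app registration) holds the ThreatHunting.Read.All permission.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: run an Advanced Hunting query via Microsoft Graph and triage the rows.
# Assumes delegated or app permission ThreatHunting.Read.All on the tenant.

function Invoke-AdvancedHuntingQuery {
    param(
        [Parameter(Mandatory)] [string] $Query
    )
    $body = @{ Query = $Query } | ConvertTo-Json

    $response = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body $body -ContentType 'application/json' -OutputType PSObject

    # The API returns a 'schema' array (column names/types) and a 'results' array; hand back the rows.
    $response.results
}

# Same download-cradle hunt as the query above; a here-string keeps the KQL readable.
$kql = @'
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("DownloadString", "DownloadFile", "Invoke-WebRequest", "Net.WebClient")
    or ProcessCommandLine contains "-enc"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc
'@

Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome
$hits = @(Invoke-AdvancedHuntingQuery -Query $kql)

# Triage: group by device so one noisy host (a backup script, say) does not bury the rest.
$hits | Group-Object DeviceName |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Accounts'; e = { ($_.Group.AccountName | Sort-Object -Unique) -join ',' } },
        @{ n = 'Sample';   e = { ($_.Group | Select-Object -First 1).ProcessCommandLine } } |
    Format-Table -AutoSize -Wrap
```

Advanced Hunting through the API is capped the same way as the portal (result size and query time limits per call), so keep the time window tight and page by time if a hunt needs more than one pass.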

Common Exam Scenarios

The SC-200 expects you to know:

How to onboard devices to MDE (Intune vs GPO vs script).

How to configure ASR rules and Controlled Folder Access.

How to use the MDE portal to investigate alerts and incidents.

How to perform live response on a device.

How to interpret Advanced Hunting queries.

How MDE integrates with Microsoft 365 Defender.

Walk-Through

1

Onboard a Windows Device

To onboard a Windows 10/11 device, open the Microsoft Defender portal at security.microsoft.com and go to Settings > Endpoints > Onboarding. Pick the operating system and the deployment method. For Intune, select Mobile Device Management / Microsoft Intune and download the onboarding package: a .zip containing WindowsDefenderATP.onboarding, a configuration blob rather than a script. In Intune, create an Endpoint security > Endpoint detection and response profile for Windows 10 and later, supply the onboarding blob (or let the Defender for Endpoint connector fetch it), and assign the profile to a device group. The Group Policy package contains WindowsDefenderATPOnboardingScript.cmd and the local-script package contains WindowsDefenderATPLocalOnboardingScript.cmd; both are batch files, not PowerShell. On Windows 10/11 the sensor is already part of the OS; onboarding writes the tenant configuration and starts the Sense service. Verify by confirming that the Sense service is Running, that OnboardingState under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status is 1, and that the device appears in the portal's Device inventory. Get-MpComputerStatus showing AMRunningMode Normal confirms the antivirus side, not onboarding.

2

Configure Attack Surface Reduction Rules

ASR rules are configured via Intune (Endpoint security > Attack surface reduction) or Group Policy (Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction). Each rule is identified by a GUID and can be set to Block, Audit, Warn, or Off. For example, to block all Office applications from creating child processes, enable rule D4F940AB-401B-4EFC-AADC-AD5F3C50688A; the related rule 26190899-1602-49e8-8b27-eb1d0a1ce869 is narrower and covers only the Office communication application (Outlook). In Intune, create an Attack surface reduction rules profile for Windows 10 and later, set each rule's mode, and assign it to groups. After it applies, verify on a device with Get-MpPreference (AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions are parallel arrays) or by checking the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules. Values: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn. ASR events land in the Microsoft-Windows-Windows Defender/Operational log (event ID 1121 = blocked, 1122 = audited).
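An audit-first rollout of the controls from the Key Features section (ASR rules, network protection, controlled folder access) and this step, done locally with the Defender PowerShell module. This is an added example rather than code from the original page or from Microsoft; it is for a lab or an unmanaged device, because Intune or GPO settings overwrite local Set-MpPreference changes at the next policy refresh. The rule GUIDs are Microsoft's published identifiers; the application and folder paths are placeholders.

```powershell
# Added example: stage Exploit Guard controls (ASR rules, network protection, CFA) audit-first, then block.
# For unmanaged/lab devices; policy-managed devices take these settings from Intune or GPO instead.

# Well-known ASR rule GUIDs (Microsoft's identifiers) used in this example. Keys are uppercase for lookup.
$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age, or trusted list criteria'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# Set-/Add-MpPreference take parallel arrays: the Nth action applies to the Nth rule ID.
# Registry/CSP values behind the names: Disabled = 0, Enabled (block) = 1, AuditMode = 2, Warn = 6.
function Set-AsrRuleStage {
    param(
        [Parameter(Mandatory)] [string[]] $RuleIds,
        [Parameter(Mandatory)] [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')] [string] $Action
    )
    $actions = @($Action) * $RuleIds.Count      # one action per rule, same length as $RuleIds
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Zip the two parallel arrays back together so the current state is readable.
    $pref  = Get-MpPreference
    $modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = [string]$pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = $asrRules[$id.ToUpper()]
            Mode   = $modes[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

# Stage 1: everything in audit. Review event ID 1122 (ASR audit) in the
# Microsoft-Windows-Windows Defender/Operational log before moving anything to block.
Set-AsrRuleStage -RuleIds @($asrRules.Keys) -Action AuditMode
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Placeholder paths: replace with the line-of-business app and data folders the audit events show being touched.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LobApp.exe'
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\FinanceShare'

# Stage 2 (after the audit review): low-noise rules to block, the prevalence rule to warn so users can override.
Set-AsrRuleStage -RuleIds @('D4F940AB-401B-4EFC-AADC-AD5F3C50688A', '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2') -Action Enabled
Set-AsrRuleStage -RuleIds @('01443614-CD74-433A-B99E-2ECDC07BFC25') -Action Warn
Set-MpPreference -EnableNetworkProtection Enabled
Set-MpPreference -EnableControlledFolderAccess Enabled

# Read back the effective ASR state.
Get-AsrRuleState | Format-Table -AutoSize
```

Two practical notes: Add-MpPreference appends or updates the listed rules without disturbing rules already set, whereas Set-MpPreference with the same parameters replaces the whole list; and the audit events (1122) already carry the offending process and target, which is exactly the evidence you need to decide between an exclusion (AttackSurfaceReductionOnlyExclusions) and a block.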

3

Investigate an Alert in MDE Portal

When an alert appears in the Microsoft 365 Defender portal, click on it to open the alert page. The page shows the alert title, severity (Informational, Low, Medium, High), status (New, In Progress, Resolved), and the affected device. Scroll down to see the alert story, which is a timeline of events leading to the alert. Use the 'Open incident' button to see the full incident, which may contain multiple alerts. From the incident, you can view the device timeline, run antivirus scan, isolate the device, or initiate automated investigation. The 'Take action' menu includes options like 'Run antivirus scan', 'Isolate device', 'Collect investigation package', and 'Initiate live response session'.

4

Perform Live Response on a Device

Live response gives an analyst a remote shell to a device for real-time investigation. To start, open the device page in the Defender portal and choose Initiate Live Response Session from the actions menu. Your role must include live response capabilities (basic commands only, or advanced, which adds running unsigned scripts and downloading files), and live response must be turned on under Settings > Endpoints > Advanced features. The shell has its own command set rather than arbitrary PowerShell: for example processes, connections, services, scheduledtasks, registry, fileinfo, findfile, getfile to retrieve a file, putfile to upload one, remediate to stop a process or quarantine a file, and run to execute a PowerShell script that has first been uploaded to the shared library (library). Every command is written to the session's command log for audit. Live response is used to collect forensic evidence or stop malicious processes without physical access. Sessions time out after 30 minutes of inactivity.

5

Create a Custom Detection Rule

Custom detection rules turn an Advanced Hunting query into a scheduled detection. In the Defender portal, go to Hunting > Advanced hunting, write and test the query, then choose Create detection rule. Example: DeviceProcessEvents | where FileName =~ 'whoami.exe' | where ProcessCommandLine has '/all'. The results must include Timestamp, ReportId, and an entity column such as DeviceId or DeviceName, otherwise the rule cannot be saved. Set the frequency (every 24 hours, 12 hours, 3 hours, hourly, or Continuous (NRT) for supported tables), the alert title, severity, MITRE category, and any response actions (isolate device, run antivirus scan, collect investigation package, quarantine file, and others). The first run looks back over the last 30 days; each later run covers only the data since the previous run, so a rule with a 24-hour frequency evaluates roughly the past 24 hours. Custom rules are how you turn your own indicators and behaviors into alerts that built-in detections might miss.

What This Looks Like on the Job

Scenario 1: Ransomware Outbreak Response

A large financial institution with 10,000 endpoints detects a ransomware outbreak via MDE. The alert shows multiple devices executing a known ransomware variant. The security team uses MDE response actions to contain the threat: they isolate the affected machines, which blocks all network communication except to the Defender for Endpoint cloud service (so the devices stay manageable), then run an antivirus scan on the isolated devices to remove the malware. Using Advanced Hunting, they query DeviceProcessEvents and DeviceFileEvents for the ransomware's SHA256 to identify every device that ran or received it, and add the hash as a block indicator so the remaining devices cannot execute it. They use live response to collect investigation packages and memory artifacts for forensic analysis. Post-incident, they create a custom detection rule for the ransomware's behavior (for example, one process renaming hundreds of files within a short window). The operational challenge is isolation itself: full isolation also cuts VPN, Outlook, and Teams for remote users, so the team chooses selective isolation (which keeps Outlook, Teams, and Skype for Business working) where the analyst needs to stay in contact with the user, and releases devices promptly once they are clean.

Scenario 2: Vulnerability Management with TVM

A healthcare organization uses Defender Vulnerability Management to prioritize patching. The sensor reports installed software and configuration continuously, and the portal rolls that up into an exposure score. The security team uses the Security recommendations page to see which devices carry critical weaknesses; for example, a remote code execution vulnerability in Windows Server is flagged together with the threat insight that an exploit is publicly available. The team exports the affected device list, opens a remediation request (which creates an Intune task for the patch), and uses Intune to deploy it. They also configure ASR rules to block exploitation techniques (such as blocking Office from creating child processes). Common pitfalls: ignoring the threat insight columns (exploit available, exploit verified, active alerts), which tell you which findings are being used in the wild; and leaving every device at the default device value, when tagging critical servers as High value weights them more heavily in the exposure score.

Scenario 3: Cross-Domain Incident Investigation

A user receives a phishing email (detected by Defender for Office 365) containing a link to a credential-harvesting site. The user clicks the link and enters credentials. The attacker uses them to sign in (flagged as a risky sign-in by Microsoft Entra ID Protection) and then authenticates against on-premises Active Directory, where Defender for Identity flags the anomalous logon. The attacker then accesses a file server and executes ransomware (detected by MDE). In Microsoft 365 Defender all of these alerts merge into a single incident. The analyst uses the incident graph and timeline to follow the full attack chain; MDE supplies the endpoint perspective (process creation, network connections, file modifications). With Advanced Hunting the analyst joins EmailEvents and EmailUrlInfo, IdentityLogonEvents, AADSignInEventsBeta, and DeviceProcessEvents on the account and device names. This cross-domain view is essential for scoping. Fragmented incidents are usually a sign that one of the Defender products is not licensed, not deployed, or not connected to the unified portal.

How SC-200 Actually Tests This

What SC-200 Tests on MDE

The SC-200 exam objective 1.1 covers 'Manage Microsoft Defender for Endpoint'. Specifically, you must know:

Deploy and configure MDE (onboard devices, configure ASR rules, controlled folder access, network protection).

Manage alerts and incidents (triage, investigation, remediation).

Perform threat hunting using Advanced Hunting.

Configure and manage automated investigation and remediation.

Manage indicators of compromise (IOCs) and custom detection rules.

Understand integration with Microsoft 365 Defender.

Common Wrong Answers and Why

1.

'MDE can be deployed without Microsoft Defender Antivirus.' Wrong on Windows. Defender Antivirus must remain installed even when a third-party antivirus is primary; in that case it runs in passive mode and the EDR sensor keeps working. If Defender Antivirus is uninstalled (possible on Windows Server), the sensor loses the telemetry it supplies and EDR in block mode cannot function.

2.

'ASR rules are enabled by default.' Wrong. No ASR rule is enabled by default. Microsoft designates a small set as standard protection rules that it recommends enabling everywhere, but even these must be turned on explicitly through Intune, GPO, or Set-MpPreference. Candidates often assume every security feature is on by default.

3.

'Live response can be used without any permissions.' Wrong. Live response requires a role that includes live response capabilities (basic or advanced) in Defender XDR RBAC, and the feature must be enabled under Settings > Endpoints > Advanced features. Many candidates overlook both requirements.

4.

'Custom detection rules always run in real time.' Wrong. Custom detection rules run on a schedule you pick (every 24, 12, or 3 hours, or hourly). A Continuous (NRT) frequency exists for a subset of tables and gets close to real time, but it is still query evaluation after the fact. Real-time blocking is the job of Defender Antivirus, ASR rules, and network protection.

Specific Numbers and Values

Default cloud block level: Default (0). High (2), High+ (4), and Zero tolerance (6) are opt-in settings that increase blocking aggressiveness and false positives.

ASR rule GUIDs: Be able to identify common ones, e.g., 01443614-cd74-433a-b99e-2ecdc07bfc25 (block untrusted executables).

Automation levels: Full - remediate threats automatically (the default for new device groups), Semi - require approval (any remediation, core folders, or non-temp folders), and No automated response.

Device isolation: blocks all network traffic except to the Defender for Endpoint cloud service, so the device can still be managed and released. Selective isolation additionally allows Outlook, Teams, and Skype for Business. The analyst does not allow-list IP ranges; the sensor's connectivity to Microsoft's service endpoints is built into the isolation rule set.

Advanced Hunting data retention: 30 days.

Indicator expiration: any date you choose, or never.

Edge Cases and Exam Traps

Linux onboarding: MDE supports the major Linux server distributions (RHEL, Ubuntu, SLES, Debian, and others). The agent is installed from Microsoft's package repository and onboarded with a Python script from the onboarding package; the mdatp CLI then reports status (mdatp health). The exam may test that Linux does NOT support ASR rules or Controlled Folder Access; Linux does support antivirus and EDR.

macOS onboarding: also a Python onboarding script (or a configuration profile pushed by Intune or Jamf); the agent ships as a .pkg. macOS does not support ASR rules or Controlled Folder Access either, but it does support network protection, web content filtering, device control, and tamper protection.

Mobile devices: Defender for Endpoint on Android and iOS provides web protection (anti-phishing and blocking of unsafe connections), malware scanning on Android, jailbreak/root detection, network protection, and vulnerability assessment of the device and its apps, but not the full EDR sensor. The exam may ask which features are available on mobile.

Passive mode: When a third-party antivirus is registered as primary, Defender AV goes into passive mode: it still scans and reports but does not remediate. The EDR sensor keeps working, and if EDR in block mode is enabled, MDE can still remediate post-breach detections even though Defender AV is passive. The exam tests that EDR capabilities continue without Defender AV being the active engine.

How to Eliminate Wrong Answers

If a question mentions 'real-time blocking', think of Defender AV, not MDE's post-breach detection.

If a question asks about 'investigating a file across multiple devices', use Advanced Hunting with DeviceFileEvents.

If a question asks about 'automatically remediating a threat', think of AIR (automated investigation) with Full automation level.

If a question involves 'blocking a specific IP', use custom indicators (IOCs) in MDE, not ASR rules.

Key Takeaways

On Windows, Defender Antivirus must remain installed; a third-party AV puts it into passive mode while the EDR sensor keeps working.

ASR rules are off by default; must be enabled via Intune or GPO.

Automated investigation levels: Full (default), Semi (three approval variants), and No automated response.

Device isolation blocks all network traffic except to the Defender for Endpoint cloud service; selective isolation also keeps Outlook, Teams, and Skype for Business working.

Advanced Hunting data retention is 30 days.

Custom indicators (IOCs) expire on a date you choose, or never.

Live response requires the 'Live response' RBAC role.

Linux and macOS support MDE but with limited features (no ASR rules on Linux).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

MDE Plan 1

Includes next-gen antivirus (Microsoft Defender Antivirus).

Provides attack surface reduction rules.

Manual response actions (isolate device, run antivirus scan, stop and quarantine file) and device control.

No EDR sensor telemetry and no automated investigation and remediation.

No threat hunting or advanced hunting.

MDE Plan 2

All Plan 1 features plus full EDR.

Automated investigation and remediation (AIR).

Advanced hunting with KQL queries.

Threat & vulnerability management (TVM).

Live response and custom detection rules.

Watch Out for These

Mistake

Microsoft Defender for Endpoint is just an antivirus.

Correct

MDE is an EDR solution that goes beyond antivirus. It includes behavioral detection, automated investigation, threat hunting, and vulnerability management. Antivirus is only one component (Microsoft Defender Antivirus).

Mistake

ASR rules are enabled by default and block everything.

Correct

No ASR rule is enabled by default, and each rule targets one technique rather than 'everything'. Rules must be explicitly configured via Intune, Group Policy, or Set-MpPreference, ideally in Audit mode first.

Mistake

MDE can run on devices without Defender Antivirus.

Correct

MDE requires Defender Antivirus to be installed. If another antivirus is present, Defender AV goes into passive mode, but MDE sensor still works for detection.

Mistake

Custom detection rules provide real-time alerts.

Correct

Custom detection rules are evaluated on a schedule (every 24, 12, or 3 hours, or hourly); a Continuous (NRT) option exists for some tables but is still after-the-fact query evaluation, not in-line blocking. Real-time prevention is done by Defender Antivirus, ASR rules, and network protection.

Mistake

Live response can be initiated by any user with basic permissions.

Correct

Live response requires the 'Live response' role in Microsoft 365 Defender RBAC. Not all users have this permission by default.


Frequently Asked Questions

How do I onboard a Windows device to Microsoft Defender for Endpoint?

Use the Microsoft Defender portal: Settings > Endpoints > Onboarding. Choose your deployment method (Intune, GPO, Configuration Manager, or local script) and download the onboarding package. For Intune, create an Endpoint detection and response profile under Endpoint security and supply the onboarding blob (or enable the Defender for Endpoint connector so Intune fetches it). Verify that the Sense service is running, that OnboardingState in the registry is 1, and that the device shows up in Device inventory.

What is the difference between MDE Plan 1 and Plan 2?

Plan 1 includes next-gen antivirus, attack surface reduction, device control, manual response actions, and centralized management, but no EDR. Plan 2 adds EDR with automated investigation, advanced hunting, vulnerability management, live response, and custom detection rules. For SC-200, focus on Plan 2 features.

Can I use MDE on Linux or macOS?

Yes, MDE supports Linux (RHEL, Ubuntu, SLES, Debian, and others) and macOS. Both are onboarded with a Python script from the onboarding package, or through your MDM (Intune, Jamf). ASR rules and Controlled Folder Access are Windows-only. Mobile devices (Android/iOS) get web protection, anti-phishing, and vulnerability assessment rather than the full EDR sensor.

How do I create a custom detection rule in MDE?

In the Microsoft 365 Defender portal, go to Hunting > Custom detection rules > Create. Write an Advanced Hunting KQL query, set the frequency (e.g., every hour), alert details, and remediation actions. The rule runs on a schedule and generates alerts based on query results.

What is automated investigation and how do I configure it?

Automated Investigation and Remediation (AIR) automatically investigates alerts and, depending on the automation level, remediates. Configure it per device group in the Defender portal under Settings > Endpoints > Device groups (the Automation level step). Options: Full - remediate threats automatically (the default for new device groups), Semi - require approval for any remediation / for core folders / for non-temp folders, or No automated response.

What are the default IP ranges for device isolation?

You do not configure IP ranges for isolation. When you isolate a device it can still reach the Defender for Endpoint cloud service, so it keeps sending telemetry and receiving commands (including the release-from-isolation command); everything else is blocked. Selective isolation also permits Outlook, Teams, and Skype for Business. The service URLs the sensor needs for normal operation are published in Microsoft's MDE onboarding documentation and must already be reachable through your proxies and firewalls.

How do I use live response in MDE?

Live response gives you a remote shell on a device. From the device page, choose Initiate Live Response Session. Your RBAC role must include live response capabilities, and live response must be enabled under Settings > Endpoints > Advanced features. Use the built-in commands (processes, connections, fileinfo, getfile, remediate, and run for a PowerShell script uploaded to the library). Sessions time out after 30 minutes of inactivity.
