SC-900 | Chapter 29 of 103 | Objective 3.3

Microsoft Defender for Endpoint

This chapter covers Microsoft Defender for Endpoint (MDE), a critical component of Microsoft's security portfolio for protecting endpoints against advanced threats. For the SC-900 exam, this topic falls under domain 'Security Solutions' objective 3.3: 'Describe the capabilities of Microsoft Defender for Endpoint.' Approximately 15-20% of exam questions relate to Defender for Endpoint, either directly or within broader scenarios. You will need to understand its core features, how it integrates with other Microsoft security solutions, and how it detects and responds to threats. This chapter provides the depth required for the exam and real-world deployment.

25 min read
Intermediate
Updated May 31, 2026

Building Security: Guards, Cameras, and Response Teams

Microsoft Defender for Endpoint is like a comprehensive security system for a corporate office building. The building has multiple entry points (devices), and each entry point is monitored by a combination of sensors (cameras, motion detectors, door alarms) that continuously watch for suspicious activity. These sensors send data to a central security operations center (SOC), where security analysts (automated and human) analyze the data using a unified console (Microsoft 365 Defender portal). When a potential threat is detected—for example, an unknown person trying to enter through a locked door (malware execution)—the system can automatically trigger a response: locking the door (blocking the process), alerting guards (generating an alert), and even isolating the affected area (device isolation) to prevent the threat from spreading to other parts of the building. The system also learns from past incidents: if a similar threat has been seen before (threat intelligence), the sensors are updated to recognize it immediately. This is exactly how Defender for Endpoint works: endpoint sensors collect behavioral telemetry, cloud backend analyzes it using machine learning and threat intelligence, and automated actions are taken to contain and remediate threats in real time.

How It Actually Works

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint (MDE) is an enterprise-grade endpoint security platform designed to prevent, detect, investigate, and respond to advanced threats. It goes beyond traditional antivirus (such as Microsoft Defender Antivirus) by adding endpoint detection and response (EDR), threat intelligence, automated investigation and remediation, and vulnerability management. MDE is the endpoint component of the Microsoft 365 Defender suite and integrates deeply with its sibling products: Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.

How it Works Internally

MDE operates through a three-layer architecture: endpoint sensors, cloud analytics, and the unified portal.

Endpoint Sensors: On each managed device (Windows, macOS, Linux, iOS, Android), a lightweight sensor collects behavioral signals from the operating system and applications. This includes process creation, file system changes, network connections, registry modifications, and memory access. The sensor runs as a kernel-mode driver on Windows (MsSense.exe) and is installed as part of the Defender for Endpoint agent. It does not replace the antivirus engine but complements it by providing behavioral telemetry that can detect fileless attacks and living-off-the-land techniques.

Cloud Analytics: The telemetry is sent to the Microsoft cloud backend, where it is correlated with threat intelligence from billions of signals across the Microsoft ecosystem. Machine learning models analyze the data in near real-time to identify suspicious patterns. Known malicious artifacts are blocked immediately via cloud-delivered protection (MAPS). Unknown or suspicious behaviors trigger alerts, which are enriched with context (e.g., process tree, file hash, network destination).

Unified Portal: Security analysts interact with MDE through the Microsoft 365 Defender portal (https://security.microsoft.com). Here, they can view the incident queue, investigate alerts, run advanced hunting queries using Kusto Query Language (KQL), and initiate response actions like isolating a device, collecting a forensic package, or running a live response session.

Key Components and Defaults

Microsoft Defender for Endpoint Plan 1 and Plan 2: Plan 1 includes next-generation protection (antivirus), attack surface reduction rules, and basic EDR. Plan 2 adds full EDR, automated investigation and remediation, threat analytics, and advanced hunting. SC-900 focuses on Plan 2 capabilities.

Attack Surface Reduction (ASR) Rules: These are configurable rules that block common malware techniques. For example, rule GUID '9e6c4e1f-7d60-472f-b1a2-9a4e4b3b2c1d' blocks Office applications from creating child processes. Default state is 'Audit' for many rules; they can be set to 'Block' or 'Warn'.

Threat & Vulnerability Management (TVM): Continuously scans devices for vulnerabilities and misconfigurations. It assigns a severity score (0-10) and provides remediation recommendations. The exposure score ranges from 0 to 100, with lower being better.

Microsoft Defender Antivirus (MDAV): The built-in antivirus engine that provides real-time protection. It uses cloud-delivered protection (MAPS) with a 5-second timeout for unknown files. If the cloud cannot respond in time, the file is allowed but monitored.

Automated Investigation and Remediation (AIR): When an alert is triggered, MDE can automatically investigate the incident, determine the scope, and take remediation actions (e.g., quarantine a file, kill a process, block an IP). The investigation runs with a default timeout of 48 hours. If no verdict is reached, the incident escalates to an analyst.

Live Response: A remote shell capability that allows analysts to run commands on an endpoint in real time. It uses a secure TLS connection and requires appropriate permissions (e.g., 'Live Response Administrator' role).
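To show how the Audit, Block and Warn states described for ASR rules translate into device configuration, here is an added PowerShell example (not from the chapter and not Microsoft's own tooling): it moves one rule into the requested mode with the Defender Antivirus cmdlets and reads the configured state back. The rule GUID is a placeholder; substitute the GUID of the rule you are tuning from Microsoft's published ASR rule list, and run the script in an elevated session.

```powershell
# Added example: set one ASR rule's mode and verify it. Run elevated on a
# Windows device that has Microsoft Defender Antivirus. $RuleId is a placeholder.
param(
    [string]$RuleId = '<ASR-RULE-GUID>',          # replace with the documented rule GUID
    [ValidateSet('Audit', 'Block', 'Warn', 'Disabled')]
    [string]$Mode = 'Audit'                        # start in Audit, move to Block once tuned
)

# Action codes as stored in the Defender preference store:
# 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$codeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Pair every configured rule ID with its current action name
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $codeNames[[int]$actions[$i]]   # cast: byte keys do not match int keys
        }
    }
}

# The cmdlet parameter takes the names Disabled, Enabled (Block), AuditMode and Warn.
# Add-MpPreference updates the named rule without overwriting the rest of the list;
# Set-MpPreference would replace the whole configured set.
$setName = switch ($Mode) { 'Block' { 'Enabled' } 'Audit' { 'AuditMode' } default { $Mode } }
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $setName

# Read the state back and confirm the device now reports the requested mode
$state = Get-AsrRuleState | Where-Object { $_.RuleId -eq $RuleId }
if ($state -and $state.Action -eq $Mode) {
    "Rule $RuleId is now in $Mode mode"
} else {
    Write-Warning "Rule $RuleId reports '$($state.Action)'; expected $Mode"
}
```

Running it with the default Audit mode first, reviewing the audit events, and only then rerunning with -Mode Block is the phased approach the chapter's deployment scenarios describe.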

Configuration and Verification Commands

On a Windows device, you can verify the sensor status using PowerShell:

Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AMServiceEnabled, AntivirusEnabled, IoavProtectionEnabled, RealTimeProtectionEnabled, PSComputerName

To check the Defender for Endpoint sensor connection:

# CloudBlockLevel is a Defender preference, so it is read with Get-MpPreference rather than Get-MpComputerStatus
Get-MpPreference | Select-Object -ExpandProperty CloudBlockLevel

If the cloud block level is 'High' or 'Normal', cloud-delivered protection is active. The sensor heartbeat interval is typically 5 minutes. If no heartbeat is received for 30 minutes, the device appears as 'Inactive' in the portal.

For onboarding devices, you can use Group Policy, Microsoft Endpoint Configuration Manager, Intune, or a local script. The onboarding script (WindowsDefenderATPOnboardingScript.cmd) configures the sensor to connect to the cloud service.
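The two commands above check the antivirus engine only. The following added PowerShell example (not from the chapter) combines them with the sensor-side checks a practitioner would run when a device shows as Inactive in the portal: the Sense service state and the documented onboarding-status registry value. Run it in an elevated session; the 24-hour signature-age threshold is an assumption chosen for illustration.

```powershell
# Added example: one-shot local health check of Defender Antivirus and the
# Defender for Endpoint sensor on a Windows device. Run elevated.
function Get-MdeHealth {
    $av    = Get-MpComputerStatus
    $pref  = Get-MpPreference
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue   # the MDE sensor service

    # Onboarding status written by the onboarding script/policy: OnboardingState = 1 when onboarded
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    if (Test-Path $statusKey) {
        $onboarded = ((Get-ItemProperty -Path $statusKey).OnboardingState -eq 1)
    }

    # CloudBlockLevel is stored numerically: 0 Default, 2 High, 4 High+, 6 Zero tolerance
    $cloudLevel = switch ([int]$pref.CloudBlockLevel) {
        0 { 'Default' } 2 { 'High' } 4 { 'HighPlus' } 6 { 'ZeroTolerance' } default { "Unknown($_)" }
    }

    # Collect findings a SOC would want to act on
    $findings = @()
    if (-not $av.AntivirusEnabled)           { $findings += 'Antivirus engine is disabled' }
    if (-not $av.RealTimeProtectionEnabled)  { $findings += 'Real-time protection is off' }
    if ($pref.MAPSReporting -eq 0)           { $findings += 'Cloud-delivered protection (MAPS) is disabled' }
    if (-not $sense -or $sense.Status -ne 'Running') { $findings += 'Sense service is not running; no sensor heartbeat' }
    if (-not $onboarded)                     { $findings += 'Device is not onboarded to Defender for Endpoint' }
    if (((Get-Date) - $av.AntivirusSignatureLastUpdated) -gt [TimeSpan]::FromDays(1)) {
        $findings += 'Security intelligence updates are older than 24 hours'   # assumed threshold
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        RunningMode         = $av.AMRunningMode        # Normal, Passive Mode, EDR Block Mode, ...
        EngineVersion       = $av.AMEngineVersion
        SignatureVersion    = $av.AntivirusSignatureVersion
        RealTimeProtection  = $av.RealTimeProtectionEnabled
        TamperProtected     = $av.IsTamperProtected
        CloudBlockLevel     = $cloudLevel
        SenseServiceStatus  = if ($sense) { $sense.Status } else { 'Not installed' }
        Onboarded           = $onboarded
        Findings            = $findings
    }
}

Get-MdeHealth | Format-List
```

A RunningMode of "Passive Mode" with the sensor running is the expected state when a third-party antivirus is in use, as the chapter's edge cases note.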

Interaction with Related Technologies

Microsoft 365 Defender: MDE is the endpoint pillar. Alerts from MDE are correlated with alerts from Defender for Office 365 (email), Defender for Identity (on-premises AD), and Defender for Cloud Apps (SaaS apps) to form a single incident in the Microsoft 365 Defender portal.

Microsoft Sentinel: MDE can send alerts to Sentinel for SIEM correlation. Sentinel uses the Microsoft Defender XDR connector to ingest MDE alerts.

Intune: Device configuration policies can deploy MDE settings (e.g., ASR rules, antivirus exclusions) via endpoint security policies.

Azure Active Directory (Azure AD): Device identity is integrated; MDE uses Azure AD device IDs to associate alerts with devices.

Specific Values and Timers

Sensor data retention: 180 days for Plan 2 (advanced hunting data). Plan 1 retains data for 30 days.

Alert severity levels: Informational (0), Low (1), Medium (2), High (3), Critical (4).

Automated investigation timeout: 48 hours by default.

Live response session timeout: 30 minutes of inactivity.

Cloud block timeout: 5 seconds for unknown files; if no response, file is allowed but monitored.

Exam-Relevant Details

MDE Plan 2 is required for full EDR capabilities.

Attack surface reduction rules must be enabled to block common attack techniques.

Threat & Vulnerability Management is included in Plan 2 and provides vulnerability scanning.

Automated investigation can be set to 'Full' (automatically remediate) or 'Semi' (require approval for certain actions).

The 'Microsoft 365 Defender' portal is the single pane of glass for all security operations.

Step-by-Step Threat Response

When a threat is detected, the following sequence occurs:

1. The sensor detects suspicious behavior (e.g., PowerShell launching from a Word document).
2. An alert is generated in the portal with a severity and a MITRE ATT&CK mapping.
3. Automated investigation begins: the system analyzes the process tree, file reputation, and network connections.
4. If the verdict is malicious, remediation actions are taken (e.g., kill the process, quarantine the file).
5. The incident is updated; an analyst can review and approve or undo the actions.
6. Threat intelligence is updated to prevent future occurrences.

Summary

Microsoft Defender for Endpoint is a comprehensive endpoint security solution that combines next-generation protection, EDR, threat intelligence, and automated response. For the SC-900 exam, focus on understanding its capabilities, the difference between Plan 1 and Plan 2, and how it integrates with the broader Microsoft security ecosystem.

Walk-Through

1. Sensor Collection and Telemetry

The Defender for Endpoint sensor on each device collects over 100 different types of events from the operating system and applications. This includes process creation (with command line arguments), network connections (source/destination IP, port), file creation/modification, registry changes, and memory allocation. On Windows, the sensor uses Event Tracing for Windows (ETW) and kernel callbacks. The telemetry is batched and sent to the cloud every few seconds (default upload interval is 5 seconds). The sensor also maintains a local cache of recent events to ensure no data loss if connectivity is interrupted. The total data volume per device is typically 1-5 MB per day, depending on activity.

2. Cloud Analysis and Alert Generation

The cloud backend receives telemetry and processes it through multiple analytical engines: machine learning models trained on billions of signals, behavioral detection heuristics, and threat intelligence feeds (e.g., known malicious IPs, file hashes). If a behavior matches a known attack pattern (e.g., WMI persistence), an alert is generated. The alert includes a severity level (based on impact and confidence), MITRE ATT&CK technique mapping, and a link to the affected device. The alert is enriched with contextual information: the full process tree, file details, and user account. Alerts are grouped into incidents if they are related to the same attack. The default alert generation threshold is 'Medium' and above; informational alerts are not shown by default but can be viewed.

3. Automated Investigation

When an alert is triggered, automated investigation begins immediately if enabled. The investigation runs a series of playbooks that examine the scope of the threat. For example, it checks if the malicious file has been executed on other devices, if it has created persistence mechanisms, and if it has communicated with command-and-control servers. The investigation uses live response to collect additional data if needed. The default timeout for an automated investigation is 48 hours. If the investigation cannot reach a verdict (malicious or benign), it escalates to a human analyst. The investigation status is displayed in the portal as 'Pending', 'Running', 'Terminated', or 'Completed'.

4. Remediation Actions

Based on the investigation verdict, automated remediation actions are taken. These can include: quarantining a file (moving it to a secure location), killing a process, blocking an IP address or URL, removing a scheduled task or registry key, or isolating the device from the network (except to the cloud service). Remediation actions are logged in the action center. For semi-automated investigations, actions require analyst approval. The remediation is applied to all affected devices. If a remediation action fails (e.g., file is in use), the system retries up to 3 times. After successful remediation, the incident is resolved automatically.

5. Analyst Review and Advanced Hunting

Security analysts can review the incident in the Microsoft 365 Defender portal. They can see the full timeline of events, the investigation graph, and any pending actions. They can also use advanced hunting to query raw telemetry data using KQL. For example, to find all devices that executed a specific file, they run: `DeviceProcessEvents | where FileName == 'malware.exe'`. Advanced hunting data is retained for 180 days in Plan 2. Analysts can also initiate live response sessions to run commands on endpoints in real time. The analyst can then decide to approve, reject, or modify the automated actions. After finalizing, the incident is closed.
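The one-line KQL query above is the simplest form of a hunt. As an added example (not from the chapter or from Microsoft), the PowerShell script below runs a hunting query through the Microsoft Graph security API and generalizes the "PowerShell launched from a Word document" pattern from the threat-response sequence to any Office application spawning a scripting host, then summarizes hits per device. It assumes $AccessToken holds a Graph access token with the ThreatHunting.Read.All permission, obtained separately.

```powershell
# Added example: run an advanced hunting query from PowerShell via Microsoft Graph.
# Assumes a valid Graph token with ThreatHunting.Read.All in $AccessToken.
param(
    [Parameter(Mandatory)][string]$AccessToken,
    [int]$LookbackDays = 7
)

function Invoke-AdvancedHunting {
    # Submit a KQL query to the Graph runHuntingQuery endpoint and return its result rows
    param([string]$Query, [string]$Token)
    $body = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' -Body $body
    return $resp.results
}

# Office applications launching a scripting host: the chain behind most macro-based attacks.
# The here-string interpolates $LookbackDays into the ago() window.
$query = @"
DeviceProcessEvents
| where Timestamp > ago(${LookbackDays}d)
| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'powerpnt.exe')
| where FileName in~ ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
"@

$hits = @(Invoke-AdvancedHunting -Query $query -Token $AccessToken)
"$($hits.Count) Office-to-script launches in the last $LookbackDays days"

# Devices with the most hits are the first ones to triage
$hits | Group-Object DeviceName | Sort-Object Count -Descending |
    Select-Object @{ n = 'DeviceName'; e = { $_.Name } }, Count
```

Because advanced hunting data is retained for the period the chapter states for Plan 2, the lookback window can be raised to cover the full retention period when tracing an older intrusion.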

What This Looks Like on the Job

Enterprise Deployment Scenarios

Scenario 1: Large Financial Institution with 50,000 Windows Endpoints

This organization needed to replace a legacy antivirus solution with a modern EDR platform. They deployed Microsoft Defender for Endpoint Plan 2 across all endpoints using Microsoft Endpoint Configuration Manager (MECM) for onboarding. The deployment was phased: first pilot on 500 devices, then full rollout over 4 weeks. Key configuration: ASR rules were set to 'Audit' mode initially to measure impact, then gradually switched to 'Block' for rules with low false-positive rates. The security operations center (SOC) used the Microsoft 365 Defender portal as their primary console. Within the first month, they detected a ransomware attack that was automatically contained by device isolation, preventing spread to 200 endpoints. The automated investigation identified the initial entry point (a phishing email) and blocked the malicious IP. The SOC team used advanced hunting to trace the lateral movement and confirm no other devices were compromised. Performance impact was minimal: CPU usage increased by 2-5% during scans, which was acceptable. The exposure score decreased from 45 to 22 over 6 months.

Scenario 2: Healthcare Provider with Mixed OS Environment

A hospital had 10,000 endpoints: 8,000 Windows, 1,500 macOS, and 500 Linux servers. They needed unified endpoint security across all platforms. Defender for Endpoint supports macOS and Linux (server and desktop). Onboarding was done via Intune for mobile devices and a script for Linux servers. The challenge was that Linux servers ran critical patient data applications; the SOC had to carefully configure exclusions to avoid false positives. They used threat and vulnerability management to prioritize patching of critical vulnerabilities. During a vulnerability scan, they discovered that 30% of devices had a known critical vulnerability (CVE-2023-1234). The remediation recommendation was to apply the vendor patch within 7 days. The SOC used automated investigation rules to automatically isolate any device that exhibited behavior matching the vulnerability's exploit pattern. They also integrated MDE alerts with Microsoft Sentinel for SIEM correlation. A common issue was that some Linux servers had outdated sensors causing heartbeat failures; the fix was to update the sensor via a cron job.

Scenario 3: Retail Chain with 20,000 Devices and High Turnover

A retail company with many point-of-sale (POS) systems and frequent device reimaging needed a lightweight security solution. They used Defender for Endpoint Plan 1 for basic protection on POS devices (since they don't need full EDR) and Plan 2 for corporate laptops. Onboarding was automated via a provisioning package that included the sensor. They configured ASR rules to block Office apps from creating child processes (GUID: 9e6c4e1f-7d60-472f-b1a2-9a4e4b3b2c1d) to prevent macro-based attacks. They also enabled network protection to block outbound connections to malicious IPs. A problem they encountered was that some POS software required specific network connectivity; network protection initially blocked legitimate traffic. They resolved this by adding IP exclusions. The SOC monitored the action center for failed remediations and manually cleared stale alerts. The average time to detect a threat dropped from 2 hours to 5 minutes after deployment.

How SC-900 Actually Tests This

What SC-900 Tests on This Topic

Objective 3.3: Describe the capabilities of Microsoft Defender for Endpoint. The exam expects you to know:

The difference between Plan 1 and Plan 2 (Plan 2 includes full EDR, automated investigation, advanced hunting, threat analytics).

Key features: next-generation protection, attack surface reduction, endpoint detection and response, automated investigation and remediation, threat and vulnerability management.

Integration with Microsoft 365 Defender (unified incidents).

That MDE is for endpoints (devices), not email or cloud apps.

Common Wrong Answers and Why Candidates Choose Them

1. 'Defender for Endpoint replaces Microsoft Defender Antivirus.' This is wrong because MDE includes Microsoft Defender Antivirus as one component but also adds EDR, threat intelligence, etc. They coexist; MDE Plan 1 includes next-generation protection (antivirus).

2. 'MDE can protect against all threats immediately without configuration.' Wrong; ASR rules must be enabled and configured. Out of the box, many ASR rules are in audit mode only.

3. 'MDE is only for Windows devices.' Wrong; it supports macOS, Linux, iOS, and Android, though not all features are available on all platforms.

4. 'Automated investigation always remediates threats without analyst input.' Wrong; it can be configured to require approval for certain actions (semi-automated).

5. 'Threat & Vulnerability Management is available in Plan 1.' Wrong; TVM is only in Plan 2.

Specific Numbers and Terms

Plan 2 includes 'advanced hunting' with 180-day retention.

ASR rules have GUIDs; you don't need to memorize them but know they exist.

The portal is 'Microsoft 365 Defender' (not 'Microsoft Defender Security Center').

MDE is part of 'Microsoft 365 Defender' suite.

The sensor heartbeat interval is 5 minutes; device appears inactive after 30 minutes.

Cloud block timeout is 5 seconds.

Edge Cases and Exceptions

MDE can be deployed without Microsoft Defender Antivirus if a third-party antivirus is used (but then some features like automatic remediation may be limited).

On macOS and Linux, some features (e.g., ASR rules) are not available.

MDE does not replace Microsoft Defender for Cloud (which protects workloads in Azure).

The exam may ask about 'Microsoft Defender for Endpoint' vs 'Microsoft Defender for Cloud' — know the difference: endpoints vs cloud workloads.

How to Eliminate Wrong Answers

If a question mentions 'vulnerability management' or 'threat analytics', it must be Plan 2.

If a question says 'automated investigation and response', it is Plan 2.

If a question says 'next-generation protection' or 'antivirus', it could be Plan 1 or Plan 2.

If a question mentions 'endpoint detection and response', it is Plan 2.

If a question mentions 'advanced hunting', it is Plan 2.

If a question mentions 'attack surface reduction rules', it is available in both plans (but more configurable in Plan 2).

Key Takeaways

Microsoft Defender for Endpoint is a comprehensive endpoint security solution that includes next-generation protection, EDR, ASR, TVM, and automated investigation.

Plan 2 is required for full EDR, automated investigation, advanced hunting, and threat analytics.

The Microsoft 365 Defender portal is the unified console for all Defender products.

Attack surface reduction rules block common attack techniques and are configurable per GUID.

Threat & vulnerability management continuously scans devices and provides remediation recommendations.

Automated investigation can be set to full or semi-automated mode with a 48-hour timeout.

MDE supports Windows, macOS, Linux, iOS, and Android but with varying feature sets.

The sensor heartbeat interval is 5 minutes; devices without heartbeat for 30 minutes appear inactive.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft Defender for Endpoint Plan 1

Next-generation protection (antivirus) included

Attack surface reduction rules (audit/block)

Basic endpoint detection and response (limited)

No automated investigation and remediation

No threat & vulnerability management

Microsoft Defender for Endpoint Plan 2

All Plan 1 features included

Full endpoint detection and response (EDR)

Automated investigation and remediation (full or semi)

Threat & vulnerability management (TVM) with exposure score

Advanced hunting with 180-day data retention

Watch Out for These

Mistake

Defender for Endpoint is just a renamed Windows Defender Antivirus.

Correct

Windows Defender Antivirus is the built-in antivirus in Windows. Defender for Endpoint is a separate, more advanced product that includes antivirus, EDR, threat intelligence, automated investigation, and vulnerability management. It is licensed separately (Plan 1 or Plan 2).

Mistake

MDE can protect all devices in an organization automatically after enrollment.

Correct

While MDE provides out-of-the-box protection, many features require configuration. For example, attack surface reduction rules are in audit mode by default, and automated investigation may require approval for remediation. Proper tuning is needed to maximize effectiveness.

Mistake

MDE only works on Windows devices.

Correct

MDE supports Windows, macOS, Linux, iOS, and Android. However, not all features are available on non-Windows platforms. For example, ASR rules are Windows-only, and some advanced hunting tables are Windows-focused.

Mistake

Automated investigation always resolves threats without human intervention.

Correct

Automated investigation can be configured in 'Full' mode (auto-remediate) or 'Semi' mode (require approval for certain actions). Even in Full mode, some complex investigations may escalate to an analyst if no verdict is reached within the timeout (48 hours).

Mistake

Threat & Vulnerability Management is available in both Plan 1 and Plan 2.

Correct

TVM is only included in Plan 2. Plan 1 provides next-generation protection and basic EDR but does not include vulnerability scanning or threat analytics.


Frequently Asked Questions

What is the difference between Microsoft Defender for Endpoint Plan 1 and Plan 2?

Plan 1 includes next-generation protection (antivirus), attack surface reduction rules, and basic endpoint detection and response. Plan 2 adds full EDR, automated investigation and remediation, threat analytics, advanced hunting (180-day retention), and threat & vulnerability management. For SC-900, remember that Plan 2 is the complete solution with all advanced features.

Does Microsoft Defender for Endpoint replace Microsoft Defender Antivirus?

No. Defender for Endpoint includes Microsoft Defender Antivirus as one of its components (next-generation protection). They work together; you cannot have Defender for Endpoint without the antivirus engine. However, you can use a third-party antivirus with Defender for Endpoint, but some features like automatic remediation may be limited.

How does automated investigation work in Defender for Endpoint?

When an alert is triggered, automated investigation begins if enabled. It runs playbooks to analyze the threat scope (e.g., file reputation, process tree, network connections). It can take actions like quarantining files, killing processes, or isolating devices. The investigation has a 48-hour timeout; if no verdict is reached, it escalates to an analyst. The mode can be 'Full' (auto-remediate) or 'Semi' (require approval for certain actions).

What platforms does Defender for Endpoint support?

Defender for Endpoint supports Windows 7 SP1, 8.1, 10, 11, Windows Server 2008 R2 SP1 and later, macOS (10.15 Catalina and later), Linux (Ubuntu, RHEL, CentOS, etc.), iOS, and Android. However, not all features are available on all platforms. For example, ASR rules are Windows-only, and advanced hunting tables for macOS/Linux are limited.

What is the 'Microsoft 365 Defender' portal?

The Microsoft 365 Defender portal (https://security.microsoft.com) is the unified security operations center for all Microsoft Defender products: Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. It provides a single view of incidents, alerts, and advanced hunting across the entire organization.

How does Defender for Endpoint integrate with Microsoft Sentinel?

Defender for Endpoint can send alerts to Microsoft Sentinel via the 'Microsoft Defender XDR' connector. This allows security teams to correlate endpoint alerts with other data sources (e.g., firewall logs, Azure AD logs) in Sentinel for advanced SIEM capabilities. Sentinel can also trigger automated responses using playbooks.

What is the purpose of attack surface reduction (ASR) rules?

ASR rules are designed to block common attack techniques used by malware, such as Office apps creating child processes, scripting engines executing downloaded content, or USB devices running suspicious code. They reduce the attack surface by preventing these behaviors. Rules can be set to 'Audit' (log only), 'Block' (prevent), or 'Warn' (prompt user). Default is audit for many rules.
