Endpoint Protection Strategy
Design an endpoint security architecture encompassing EDR, server protection, mobile device security, attack surface reduction, and Conditional Access integration.
Endpoints Are the Frontline
Every major breach investigation tells the same story: the attacker got in through an endpoint. A phishing email opened on a laptop, a vulnerable server exposed to the internet, a contractor’s unmanaged phone. Endpoints are where human behaviour meets technical vulnerability, and that intersection is where most attacks begin.
A security architect doesn’t configure individual endpoints — they design the strategy that determines how every endpoint in the organisation is protected, monitored, and integrated into the broader security architecture.
Microsoft Defender for Endpoint
Defender for Endpoint (MDE) is Microsoft’s EDR platform. It runs on Windows, macOS, Linux, iOS, and Android. At the architecture level, what matters is understanding what each plan provides and when to use them.
Plan 1 vs Plan 2
Defender for Endpoint Plan 1 provides preventive capabilities:
- Next-generation antimalware protection
- Attack surface reduction (ASR) rules
- Device control (USB, removable media)
- Network protection (block connections to malicious domains)
- Web content filtering
- Centralised management through the Microsoft Defender portal
Defender for Endpoint Plan 2 adds detective and response capabilities:
- Everything in Plan 1
- Endpoint detection and response (EDR) — behavioural sensors that detect attacker activity
- Automated investigation and remediation (AIR)
- Threat and vulnerability management (TVM)
- Advanced hunting with KQL queries
- Sandbox (deep analysis of suspicious files)
- Endpoint Attack Notifications (managed threat hunting from Microsoft)
- Device timeline — forensic view of all activity on a device
Defender for Servers (in Defender for Cloud)
For server workloads in Azure, AWS, or on-premises (via Arc), Defender for Cloud offers Defender for Servers, which bundles MDE capabilities with server-specific protections:
Defender for Servers Plan 1:
- Defender for Endpoint Plan 2 licence included
- Provisioning of MDE agent to servers
- That’s essentially it — it’s a licensing vehicle for MDE on servers
Defender for Servers Plan 2:
- Everything in Plan 1
- Agentless vulnerability scanning
- File integrity monitoring (FIM)
- Just-in-time (JIT) VM access — close management ports, open on-demand with approval
- Adaptive application controls — ML-based allowlisting of applications
- Adaptive network hardening — tighten NSGs based on actual traffic patterns
- Docker host hardening
- Free data ingestion to Log Analytics (500 MB/day per node)
| Capability | MDE Plan 1 | MDE Plan 2 | Servers Plan 1 | Servers Plan 2 |
|---|---|---|---|---|
| Target | Client devices | Client devices | Server workloads | Server workloads |
| Antimalware | ✅ | ✅ | ✅ (via MDE P2) | ✅ (via MDE P2) |
| ASR rules | ✅ | ✅ | ✅ | ✅ |
| EDR (behavioural detection) | ❌ | ✅ | ✅ (includes MDE P2) | ✅ (includes MDE P2) |
| Automated investigation | ❌ | ✅ | ✅ | ✅ |
| Vulnerability management | ❌ | ✅ | ✅ | ✅ + agentless scanning |
| JIT VM access | N/A | N/A | ❌ | ✅ |
| File integrity monitoring | N/A | N/A | ❌ | ✅ |
| Adaptive application controls | N/A | N/A | ❌ | ✅ |
| 500 MB free log ingestion | N/A | N/A | ❌ | ✅ |
| Typical use case | Budget-constrained client protection | Full client EDR | MDE licence for servers | Full server protection suite |
Attack Surface Reduction
Attack surface reduction (ASR) is about eliminating attack techniques before they execute. Rather than detecting malware after it runs, ASR rules prevent the behaviours that malware depends on.
Key ASR rules an architect should know:
- Block Office applications from creating child processes — stops macro-based attacks
- Block credential theft from LSASS — prevents Mimikatz-style credential dumping
- Block executable content from email and webmail clients — prevents direct execution of email attachments
- Block untrusted and unsigned processes from USB — controls removable media execution
- Use advanced protection against ransomware — blocks suspicious file encryption patterns
The architect designs which rules to enable and in which mode:
- Audit mode — logs what would be blocked without actually blocking (use for testing)
- Block mode — actively prevents the behaviour
- Warn mode — shows the user a warning but lets them override it (middle ground between audit and block)
The strategic approach: deploy all rules in audit mode, analyse the data for two weeks, identify legitimate business processes that would be blocked, create exclusions for those, then switch to block mode.
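The audit-then-block rollout above is a data analysis exercise: two weeks of audit events tell you, per rule, which targets would have been blocked and whether any of them is a legitimate business process. The script below is an added example (not from the original article or from Microsoft) of that analysis over a constructed set of audit events. It assumes a list of paths whose owners have confirmed a business need (APPROVED_PATHS), a review threshold for signed, high-volume targets nobody has vetted yet, and a design choice that the LSASS rule never receives exclusions; rule names are the portal names used in the text rather than rule GUIDs.

```python
"""Staged ASR rollout: analyse audit-mode events and decide, per rule, whether to
switch to block mode and which exclusions to create first (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AsrAuditEvent:
    """One audit-mode event: the rule that would have fired and what it would have blocked."""
    rule: str      # ASR rule name as shown in the Defender portal
    parent: str    # process that triggered the rule
    target: str    # path of the process or file that would have been blocked
    signed: bool   # whether the target binary carries a valid signature


# Constructed sample standing in for two weeks of audit-mode events (not real telemetry).
SAMPLE_EVENTS = [
    # Finance macro launches an approved, signed reporting tool: legitimate business process.
    *[AsrAuditEvent("Block Office applications from creating child processes",
                    "EXCEL.EXE", r"C:\Program Files\FinanceCorp\ReportGen.exe", True)] * 40,
    # Word launching PowerShell: the macro-dropper pattern the rule exists to stop.
    *[AsrAuditEvent("Block Office applications from creating child processes",
                    "WINWORD.EXE", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True)] * 3,
    # Unsigned binary run from removable media.
    *[AsrAuditEvent("Block untrusted and unsigned processes from USB",
                    "explorer.exe", r"E:\tools\updater.exe", False)] * 5,
    # Signed but unreviewed agent touching LSASS at volume: needs an owner before anything is blocked.
    *[AsrAuditEvent("Block credential theft from LSASS",
                    "monitor.exe", r"C:\Program Files\VendorX\monitor.exe", True)] * 120,
]

# Assumed: paths whose owners confirmed a business need during the audit window.
APPROVED_PATHS = {r"C:\Program Files\FinanceCorp\ReportGen.exe"}

# Design choice: never create exclusions for this rule; unknown hits are investigated instead.
NO_EXCLUSION_RULES = {"Block credential theft from LSASS"}


def summarise(events):
    """Count would-be-blocked targets per rule: {rule: {target: (count, signed)}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, False]))
    for e in events:
        entry = counts[e.rule][e.target]
        entry[0] += 1
        entry[1] = e.signed
    return {rule: {t: tuple(v) for t, v in targets.items()} for rule, targets in counts.items()}


def plan_rollout(events, approved_paths=APPROVED_PATHS, review_threshold=50):
    """Per rule, return the mode to move to and the exclusions to create first.

    A rule stays in Audit only while a signed, high-volume target has not been reviewed,
    because flipping it to Block would likely break a real business process. Unsigned or
    low-volume targets are exactly what the rule should stop, so they never hold it back.
    """
    plan = {}
    for rule, targets in summarise(events).items():
        exclusions, needs_review = [], []
        for target, (count, signed) in targets.items():
            if target in approved_paths and rule not in NO_EXCLUSION_RULES:
                exclusions.append(target)
            elif signed and count >= review_threshold:
                needs_review.append(target)
        plan[rule] = {
            "mode": "Audit" if needs_review else "Block",
            "exclusions": sorted(exclusions),
            "needs_review": sorted(needs_review),
        }
    return plan


if __name__ == "__main__":
    for rule, decision in plan_rollout(SAMPLE_EVENTS).items():
        print(f"{rule}: {decision}")
```

The output is the rollout plan: the Office child-process rule goes to block mode with one exclusion, the USB rule goes to block with none, and the LSASS rule stays in audit until the vendor agent has an owner who can explain why it reads LSASS.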
Device Compliance and Conditional Access Integration
This is where endpoint security becomes part of the Zero Trust architecture. The concept is straightforward but powerful:
- Intune defines what “compliant” means — encryption enabled, OS version minimum, no jailbreak, Defender running with real-time protection, risk level below threshold
- Defender for Endpoint assesses device risk — based on active threats, vulnerabilities, misconfigurations
- Conditional Access enforces access decisions — “Only compliant devices with low risk can access corporate data”
The signal flow:
Defender for Endpoint detects risk on device
→ Risk level shared with Intune
→ Device marked non-compliant
→ Conditional Access blocks access to corporate resources
→ User sees remediation instructions
→ User resolves the issue
→ Device becomes compliant again
→ Access restored
This is a self-healing loop. The architect doesn’t need SOC analysts manually responding to every device risk — the system automatically restricts access when risk is detected and restores it when risk is resolved.
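The loop has three separable parts: a compliance definition (Intune), a risk signal (Defender for Endpoint) and an access decision (Conditional Access). The script below is an added example (not from the original article or from Microsoft) that models those three parts over constructed device records, using the compliance thresholds the Meridian scenario later on this page spells out: OS patched within 30 days, real-time protection on, device risk not high. The restricted app set a non-compliant device keeps (the IT help desk portal) and the simulated remediation step are assumptions for the example.

```python
"""Model of the device-compliance / Conditional Access feedback loop (added example):
Intune defines compliance, MDE supplies risk, Conditional Access decides, remediation restores access."""
from dataclasses import dataclass, replace
from enum import IntEnum


class Risk(IntEnum):
    """MDE machine risk level; the ordering lets policy compare against a threshold."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class DeviceState:
    device_id: str
    os_patch_age_days: int    # days since the last OS update was applied
    realtime_protection: bool # Defender real-time protection enabled
    mde_risk: Risk            # risk level reported by Defender for Endpoint


@dataclass(frozen=True)
class CompliancePolicy:
    """What 'compliant' means. Defaults mirror the Meridian scenario on this page (assumed)."""
    max_patch_age_days: int = 30
    require_realtime_protection: bool = True
    max_risk: Risk = Risk.MEDIUM   # 'device risk level is not high'


# Assumed: the only apps a non-compliant device may still reach, so the user can get help.
RESTRICTED_APPS = ["IT help desk portal"]


def compliance_failures(device, policy):
    """Return the reasons the device is non-compliant; an empty list means compliant."""
    failures = []
    if device.os_patch_age_days > policy.max_patch_age_days:
        failures.append(f"OS not patched within {policy.max_patch_age_days} days")
    if policy.require_realtime_protection and not device.realtime_protection:
        failures.append("Defender real-time protection disabled")
    if device.mde_risk > policy.max_risk:
        failures.append(f"MDE device risk is {device.mde_risk.name}")
    return failures


def conditional_access(device, policy, all_apps):
    """Access decision: full grant for compliant devices, otherwise the restricted app set
    plus the failures as remediation instructions for the user."""
    failures = compliance_failures(device, policy)
    if not failures:
        return {"decision": "grant", "apps": list(all_apps), "remediation": []}
    return {"decision": "restrict", "apps": list(RESTRICTED_APPS), "remediation": failures}


def remediate(device):
    """Simulated remediation by the user and AIR: patch, re-enable protection, clear the threat."""
    return replace(device, os_patch_age_days=0, realtime_protection=True, mde_risk=Risk.LOW)


def self_healing_loop(device, policy, all_apps):
    """Walk the loop once: the decision at detection time, then the decision after remediation."""
    before = conditional_access(device, policy, all_apps)
    if before["decision"] == "grant":
        return before, before
    after = conditional_access(remediate(device), policy, all_apps)
    return before, after


if __name__ == "__main__":
    apps = ["SharePoint", "Outlook", "Teams", "IT help desk portal"]
    compromised = DeviceState("LAPTOP-02", 5, True, Risk.HIGH)
    for stage, decision in zip(("detected", "remediated"), self_healing_loop(compromised, CompliancePolicy(), apps)):
        print(stage, decision)
```

Nothing in the loop requires an analyst: the same evaluation that restricted the device restores it once the inputs change, which is the property the text calls self-healing.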
Mobile Device Security
Mobile devices (iOS, Android) have their own protection layer:
Intune MDM (Mobile Device Management) — Full device management. Company controls device settings, can wipe remotely, enforces encryption, manages app deployment.
Intune MAM (Mobile Application Management) — App-level protection without device management. Protects corporate data within managed apps (Outlook, Teams, OneDrive) without controlling the personal device. Ideal for BYOD scenarios.
Defender for Endpoint on mobile — Provides:
- Web protection (phishing URL blocking)
- Jailbreak/root detection
- Network protection (rogue WiFi detection)
- Device risk assessment that feeds into Conditional Access
The architect’s decision: MDM for corporate-owned devices (full control), MAM for BYOD (data protection without device control), Defender for Endpoint on both for risk assessment.
Vulnerability Management
Microsoft Defender Vulnerability Management (part of MDE Plan 2) continuously assesses endpoint vulnerabilities:
- Software inventory — what’s installed and what version
- Known vulnerabilities (CVEs) mapped to installed software
- Security configuration assessment — OS and application misconfigurations
- Browser extension assessment
- Exposure score — a numerical risk measurement
The architect integrates vulnerability management into the posture improvement cycle: discover vulnerabilities → prioritise by exposure and business criticality → create remediation tickets → track through resolution → measure reduction over time.
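The posture cycle above is easiest to reason about with numbers attached. The script below is an added example (not from the original article, and its scoring is a simplified stand-in, not Microsoft's exposure score formula) that carries constructed findings through prioritisation by severity and business criticality, ticket creation, closure and the exposure-reduction metric. The criticality tiers, the exploit and exposure multipliers, and the CVE-EXAMPLE identifiers are all constructed for the example.

```python
"""Vulnerability posture cycle (added example): prioritise findings by exposure and
business criticality, create tickets, close them, and measure exposure reduction."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    device: str
    cve: str            # CVE-EXAMPLE-* identifiers are placeholders, not real CVEs
    cvss: float         # 0-10 severity from the advisory
    exploit_known: bool # public exploit available, per threat intelligence
    exposed: bool       # device is internet-reachable or handles untrusted content


# Assumed business-criticality tiers (3 = crown jewels, 1 = low impact); unknown devices count as 1.
BUSINESS_CRITICALITY = {"fileserver-01": 3, "laptop-finance-07": 2, "kiosk-lobby": 1}

# Constructed findings: note the lobby kiosk carries a CVSS 9.0 but matters least to the business.
SAMPLE_FINDINGS = [
    Finding("fileserver-01", "CVE-EXAMPLE-0001", 9.0, True, True),
    Finding("laptop-finance-07", "CVE-EXAMPLE-0002", 7.5, False, True),
    Finding("kiosk-lobby", "CVE-EXAMPLE-0003", 9.0, False, False),
    Finding("laptop-finance-07", "CVE-EXAMPLE-0004", 5.0, False, False),
]


def exposure_score(f, criticality=BUSINESS_CRITICALITY):
    """Simplified exposure score: severity weighted by business criticality,
    doubled when an exploit is public and raised by half when the device is exposed."""
    score = f.cvss * criticality.get(f.device, 1)
    if f.exploit_known:
        score *= 2.0
    if f.exposed:
        score *= 1.5
    return score


def prioritise(findings, criticality=BUSINESS_CRITICALITY):
    """Highest exposure first, so the remediation queue starts with what actually hurts."""
    return sorted(findings, key=lambda f: exposure_score(f, criticality), reverse=True)


def create_tickets(findings, top_n=2, criticality=BUSINESS_CRITICALITY):
    """Turn the top findings into remediation tickets (a dict per ticket, status open)."""
    ranked = prioritise(findings, criticality)
    return [
        {"ticket": f"VULN-{i:03d}", "device": f.device, "cve": f.cve,
         "score": exposure_score(f, criticality), "status": "open"}
        for i, f in enumerate(ranked[:top_n], start=1)
    ]


def total_exposure(findings, criticality=BUSINESS_CRITICALITY):
    """Aggregate exposure for the estate; the number to trend over time."""
    return sum(exposure_score(f, criticality) for f in findings)


def close_tickets(findings, tickets, closed_ticket_ids):
    """Mark the given tickets resolved and return the findings that remain open."""
    closed = set()
    for t in tickets:
        if t["ticket"] in closed_ticket_ids:
            t["status"] = "resolved"
            closed.add((t["device"], t["cve"]))
    return [f for f in findings if (f.device, f.cve) not in closed]


def exposure_reduction_pct(before, after, criticality=BUSINESS_CRITICALITY):
    """Percentage drop in total exposure between two points in the cycle."""
    b = total_exposure(before, criticality)
    a = total_exposure(after, criticality)
    return round((b - a) / b * 100, 1) if b else 0.0


if __name__ == "__main__":
    tickets = create_tickets(SAMPLE_FINDINGS)
    remaining = close_tickets(SAMPLE_FINDINGS, tickets, {"VULN-001"})
    print(tickets)
    print("exposure reduced by", exposure_reduction_pct(SAMPLE_FINDINGS, remaining), "%")
```

Fixing the single highest-ranked finding removes about two thirds of total exposure in this sample, which is the kind of figure that justifies prioritising by exposure and criticality rather than by raw CVSS.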
☁️ Scenario: Rajan’s Cross-Platform Endpoint Strategy
Rajan Krishnamurthy is designing an endpoint strategy for a technology consulting firm with 3,000 employees. The device landscape is diverse: 1,800 Windows laptops, 600 macOS devices (design team), 200 Linux workstations (engineering), and everyone has a personal smartphone.
Priya Anand, his junior architect, asks: “Do we just deploy Defender for Endpoint Plan 2 on everything?”
“Not quite,” Rajan explains. “We design by use case.”
Windows laptops (1,800): MDE Plan 2 with full ASR rules. These are the highest-risk endpoints — they handle email, browse the web, and connect to corporate resources. Full EDR, vulnerability management, and automated investigation.
macOS devices (600): MDE Plan 2 with macOS-specific ASR rules. macOS has fewer attack vectors than Windows but is not immune. The design team accesses sensitive client files — they need full protection.
Linux workstations (200): MDE Plan 2 with Linux-specific capabilities. Engineering workstations have elevated privileges and access to source code repositories — EDR is essential.
Personal smartphones (all employees): Intune MAM (not MDM — employees won’t accept full device management on personal phones). Defender for Endpoint mobile for web protection and risk assessment. Conditional Access requires device risk to be low and app protection policy to be applied before accessing corporate email.
The integration layer: All device risk signals flow into Conditional Access. A compromised laptop can’t access SharePoint. A jailbroken phone can’t open Outlook. The system is self-healing — users see instructions to resolve the issue, and access restores automatically once the device is clean.
“The strategy isn’t just about deploying agents,” Rajan tells Deepak Malhotra, the client CTO. “It’s about creating a feedback loop where device health directly controls access. No healthy device? No access. It’s that simple.”
🌐 Scenario: Elena Integrates Device Risk into Conditional Access
Elena has been running Defender for Endpoint for six months at Meridian. The SOC team is overwhelmed — they’re getting 200 alerts per day across 15,000 devices, and they can’t investigate them all manually.
Her design shift: move from manual SOC triage to automated response through Conditional Access integration.
Step 1: She creates a Conditional Access policy: “Require compliant device for all cloud apps.” Compliance in Intune means: OS patched within 30 days, Defender real-time protection enabled, device risk level is not “high.”
Step 2: She enables Defender for Endpoint’s automated investigation and remediation (AIR). When malware is detected on a device, MDE automatically investigates, quarantines the malware, and resolves the alert — no analyst intervention needed for routine threats.
Step 3: For non-routine threats that MDE flags as “high risk,” the device risk signal flows to Conditional Access. The user’s access is restricted to a limited set of apps (they can still access the IT help desk portal) while the SOC investigates.
Result: SOC alert volume drops from 200 to 35 per day. The 165 routine alerts are handled automatically. The SOC focuses on the 35 alerts that actually need human investigation. Users on high-risk devices are automatically contained without SOC intervention.
“Before, a compromised device could access everything until an analyst got to the alert,” Elena tells Li Wei. “Now, Conditional Access restricts access within minutes of detection. We’ve turned endpoint security from a detection problem into an automated response system.”
Exam Strategy: Endpoint Protection Questions
SC-100 endpoint questions test architecture decisions, not configuration steps. Common patterns:
- “Minimise cost while protecting servers” → Defender for Servers Plan 1 (just MDE licence). Only upgrade to Plan 2 if JIT access, FIM, or adaptive controls are specifically mentioned.
- “BYOD scenario” → Intune MAM (not MDM). If the question mentions “employees refuse to enrol personal devices,” MAM is the answer.
- “Automated response to device threats” → Conditional Access + device compliance + MDE risk signals. This is the self-healing loop.
- “Reduce attack surface” → ASR rules. If the question mentions “without deploying additional agents,” ASR rules work within the existing MDE agent.
- “Protect servers in Azure” → Defender for Servers (through Defender for Cloud), not standalone MDE deployment.
- “Vulnerability management” → MDE Plan 2 includes TVM. If the question mentions “agentless vulnerability scanning,” that requires Defender for Servers Plan 2 or Defender CSPM.
- Watch for distractor answers that suggest manual processes (SOC triage, manual investigation) when automated alternatives exist.
A company has 5,000 Windows laptops managed by Intune and wants to reduce the impact of phishing attacks that deliver malicious Office documents. Many employees need to use macros for legitimate financial spreadsheets. What should the security architect recommend?
A financial services firm has office workers with corporate laptops and field consultants who use personal phones to access email. The CISO requires that no corporate data can be accessed from a device that poses high security risk. What architecture integrates endpoint security with access control?