Microsoft Defender for Endpoint
Defender for Endpoint protects devices — Windows, Mac, Linux, iOS, and Android — with EDR, next-gen antivirus, and attack surface reduction. Learn the P1 vs P2 difference and how it feeds Defender XDR.
What does Defender for Endpoint protect?
Think of Defender for Endpoint as a bodyguard that follows every device in your organisation.
Your laptop, your phone, even the Linux servers in the back room — each one gets a bodyguard. The bodyguard watches everything that happens on the device: what programs run, what files are downloaded, what network connections are made.
If something suspicious happens — a program tries to encrypt all your files, or a script tries to steal passwords — the bodyguard steps in, stops it, and radios the security team.
Key capabilities
Defender for Endpoint is built around several core pillars. You don’t need to memorise every technical detail, but you should understand what each capability does.
Next-generation antivirus
This is the modern replacement for traditional signature-based antivirus:
- Uses machine learning and behavioural analysis — not just virus signatures
- Cloud-delivered protection means new threat intelligence is applied in near real-time
- Blocks malware, ransomware, and fileless attacks (scripts that run in memory without dropping a file)
Attack surface reduction (ASR)
ASR rules reduce the ways an attacker can get a foothold on a device:
- Block Office apps from creating child processes (stops macro-based malware)
- Block executable content from email and webmail
- Block credential stealing from the Windows LSASS process
- Controlled folder access — protects important folders from ransomware
Think of ASR as locking doors and windows that attackers commonly use to break in.
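The rules listed above are switched on per device with the Defender Antivirus PowerShell cmdlets. The following is an added example, not code from the page or from Microsoft: it puts the three named rules and controlled folder access into audit mode first, shows where the audit hits land in the event log, and only then flips them to block mode. The rule GUIDs are the ones Microsoft publishes in its ASR rules reference as I recall them, so verify them against the current reference before deploying; the `D:\MortgageDocs` path is constructed.

```powershell
# Added example: stage ASR rules through audit mode before blocking.
# Run in an elevated PowerShell session on a Windows device running Defender Antivirus.
# GUIDs below are from Microsoft's ASR rules reference as I recall them; verify before use.
$asrRules = @{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block credential stealing from LSASS (lsass.exe)'            = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

# Step 1: audit mode for every rule. Add-MpPreference appends to (or, for an ID that is
# already present, updates) the configured rules; Set-MpPreference would replace the list,
# which would silently drop rules pushed by Intune or Group Policy.
foreach ($name in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules[$name] `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Controlled folder access in audit mode as well, protecting one extra folder beyond the defaults
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\MortgageDocs'   # constructed path

# Step 2: after the audit window, review what *would* have been blocked.
# Defender operational log IDs: 1121 = ASR block, 1122 = ASR audit,
#                               1123 = controlled folder access block, 1124 = CFA audit.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# Step 3: once the audit events show only expected hits (macro-driven line-of-business
# documents are the usual surprise), move the same rules to block mode.
foreach ($name in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules[$name] `
                     -AttackSurfaceReductionRules_Actions Enabled
}
Set-MpPreference -EnableControlledFolderAccess Enabled

# Step 4: confirm the effective state. The Ids and Actions arrays are positionally aligned;
# actions read back as 0 = Disabled, 1 = Enabled (block), 2 = AuditMode, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  ->  action {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
'Controlled folder access: {0}' -f $pref.EnableControlledFolderAccess
```

The audit-first sequence is the practical point: an ASR rule that blocks Office child processes also blocks the macro-driven workflow in the mortgage department if nobody checked the 1122 events first, and a blanket block is then rolled back rather than tuned.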
Endpoint detection and response (EDR)
EDR is the “investigation engine” of Defender for Endpoint:
- Detects threats on devices using behavioural sensors
- Records a timeline of everything that happened on the device — processes, files, network connections, registry changes
- Enables investigation — Alex can look at the exact sequence of events that led to an alert
- Provides response actions — isolate a compromised device from the network, collect an investigation package, run a live response session
Scenario: Alex investigates a compromised laptop at SecureBank
Alex gets an alert: a laptop in the mortgage department triggered a suspicious PowerShell command.
Using EDR in the Defender portal, Alex:
- Views the device timeline — sees the user opened an email attachment at 9:14 AM, which spawned a PowerShell script
- Traces the attack chain — the script downloaded a second payload from an external server and attempted to dump credentials
- Isolates the device — with one click, Alex cuts the laptop off from the network while keeping its connection to the Defender service (so Alex can still investigate)
- Collects an investigation package — a bundle of logs and forensic data for deeper analysis
- Checks lateral movement — EDR shows the stolen credentials weren’t used anywhere else
Total investigation time: 12 minutes. Without EDR, this would take hours of manual log collection across multiple tools.
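The portal does the timeline and attack-chain work for Alex, but the logic behind two of the steps above (tracing the chain back from the alerting process, and checking whether the account turned up on any other device) is simple enough to show. The following is an added example, not code from the page or from Microsoft's product: the device timeline and logon records are constructed inline with field names of my own choosing, standing in for what the portal shows.

```powershell
# Added example: a constructed mini device timeline for the laptop in the scenario,
# plus the two checks an analyst runs over it. Field names are my own, not Defender's.
$timeline = @(
    [pscustomobject]@{ Time='09:12'; Device='LT-MORT-07'; Pid=4120; ParentPid=1;    Image='outlook.exe';    Action='ProcessStart';   Detail='user session' }
    [pscustomobject]@{ Time='09:14'; Device='LT-MORT-07'; Pid=4120; ParentPid=1;    Image='outlook.exe';    Action='FileCreate';     Detail='Invoice_Q3.docm' }
    [pscustomobject]@{ Time='09:14'; Device='LT-MORT-07'; Pid=5308; ParentPid=4120; Image='winword.exe';    Action='ProcessStart';   Detail='Invoice_Q3.docm' }
    [pscustomobject]@{ Time='09:15'; Device='LT-MORT-07'; Pid=5412; ParentPid=5308; Image='powershell.exe'; Action='ProcessStart';   Detail='-enc <base64>' }
    [pscustomobject]@{ Time='09:15'; Device='LT-MORT-07'; Pid=5412; ParentPid=5308; Image='powershell.exe'; Action='NetworkConnect'; Detail='203.0.113.45:443' }
    [pscustomobject]@{ Time='09:16'; Device='LT-MORT-07'; Pid=5412; ParentPid=5308; Image='powershell.exe'; Action='ProcessAccess';  Detail='lsass.exe' }
)

# Constructed logon records for the affected account (what EDR's lateral-movement check looks at)
$logons = @(
    [pscustomobject]@{ Time='09:02'; Account='SECUREBANK\jsmith'; Device='LT-MORT-07'; LogonType='Interactive' }
    [pscustomobject]@{ Time='09:40'; Account='SECUREBANK\jsmith'; Device='LT-MORT-07'; LogonType='Interactive' }
    [pscustomobject]@{ Time='09:41'; Account='SECUREBANK\asmith'; Device='FS-MORT-01'; LogonType='Network' }
)

# Walk ParentPid links from the alerting process back to the root, using ProcessStart events.
# ($pid is a PowerShell automatic variable, so the loop variable is named $current.)
function Get-ProcessChain {
    param([object[]]$Timeline, [int]$StartPid)
    $starts = @{}
    foreach ($e in $Timeline) { if ($e.Action -eq 'ProcessStart') { $starts[$e.Pid] = $e } }
    $chain = New-Object System.Collections.Generic.List[object]
    $current = $StartPid
    while ($starts.ContainsKey($current)) {
        $e = $starts[$current]
        $chain.Insert(0, $e)          # prepend so the chain reads root -> leaf
        $current = $e.ParentPid
    }
    return $chain.ToArray()
}

# Everything the alerting process did beyond starting: outbound connections, access to other processes
function Get-SuspiciousActivity {
    param([object[]]$Timeline, [int]$TargetPid)
    $Timeline | Where-Object { $_.Pid -eq $TargetPid -and $_.Action -in 'NetworkConnect', 'ProcessAccess' }
}

# Any logon by the account on a *different* device after the compromise time?
function Test-LateralMovement {
    param([object[]]$Logons, [string]$Account, [string]$SourceDevice, [string]$AfterTime)
    $Logons | Where-Object { $_.Account -eq $Account -and $_.Device -ne $SourceDevice -and $_.Time -gt $AfterTime }
}

$chain = Get-ProcessChain -Timeline $timeline -StartPid 5412
'Attack chain: ' + (($chain | ForEach-Object { '{0}({1})' -f $_.Image, $_.Pid }) -join ' -> ')
Get-SuspiciousActivity -Timeline $timeline -TargetPid 5412 | Format-Table Time, Action, Detail -AutoSize

$hits = @(Test-LateralMovement -Logons $logons -Account 'SECUREBANK\jsmith' -SourceDevice 'LT-MORT-07' -AfterTime '09:14')
if ($hits.Count -eq 0) { 'No logons by the affected account on other devices after the compromise.' }
else { $hits | Format-Table -AutoSize }
```

With the constructed data the chain prints as `outlook.exe(4120) -> winword.exe(5308) -> powershell.exe(5412)`, the activity table shows the outbound connection and the access to `lsass.exe`, and the lateral-movement check comes back empty, matching the scenario's outcome. On a real incident the same questions are answered from the device timeline and the incident graph in the portal; the value of EDR is that the process links and logon records are already collected, so the analyst does not have to assemble them from each device by hand.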
Automated investigation and response
When Defender for Endpoint detects a threat, it can automatically:
- Investigate the alert (check related files, processes, and persistence mechanisms)
- Determine if it’s a true threat or a false positive
- Take remediation actions — quarantine a file, stop a process, remove a registry key
This reduces the workload on security teams like Alex’s. Instead of investigating every alert manually, the automation handles routine cases and surfaces only the complex ones.
Threat and vulnerability management
Defender for Endpoint includes built-in vulnerability scanning — no separate tool needed:
- Discovers software installed on every device
- Identifies vulnerabilities — outdated software, missing patches, misconfigurations
- Prioritises by risk — not just the CVSS severity score, but also whether the vulnerability is being actively exploited and how exposed your organisation is
- Recommends remediation and tracks whether fixes have been applied
This is important for the exam: core vulnerability management capabilities are built into Defender for Endpoint Plan 2. An add-on and a standalone version provide additional premium features for organisations that need deeper vulnerability assessment.
Plan 1 vs Plan 2
| Feature | Plan 1 (P1) | Plan 2 (P2) |
|---|---|---|
| Next-gen antivirus | Yes | Yes |
| Attack surface reduction | Yes | Yes |
| Device control | Yes | Yes |
| Endpoint firewall | Yes | Yes |
| Network protection | Yes | Yes |
| Endpoint detection and response (EDR) | No | Yes — full device timeline and investigation |
| Automated investigation and response | No | Yes — auto-investigate and remediate |
| Threat and vulnerability management | No | Yes — built-in vulnerability scanning |
| Threat analytics | No | Yes — reports on emerging threats |
Simple way to remember: P1 = prevention (block threats before they execute). P2 = P1 + detection, investigation, and response (find what got through, understand it, and fix it).
Supported platforms
| Platform | Coverage |
|---|---|
| Windows | Full support (all features) |
| macOS | Next-gen AV, EDR, vulnerability management |
| Linux | Next-gen AV, EDR |
| iOS | Web protection, jailbreak detection |
| Android | Web protection, malware scanning |
The exam may test that Defender for Endpoint is cross-platform — it’s not Windows-only.
How it feeds signals into Defender XDR
Defender for Endpoint is a core signal source for Defender XDR:
- Device alerts from Defender for Endpoint are automatically correlated with email alerts (Defender for Office 365), identity alerts (Defender for Identity), and cloud app alerts (Defender for Cloud Apps)
- If a phishing email leads to malware on a device, XDR connects both alerts into one incident
- Response actions from XDR can trigger Defender for Endpoint actions — like automatically isolating a device when part of a multi-stage attack
Defender for Endpoint — SC-900 Module 7
Knowledge Check
A ransomware attack encrypts files on a SecureBank employee's laptop. Alex needs to immediately prevent the malware from spreading to other devices on the network while continuing to investigate the infected laptop. What should Alex do?
SecureBank wants to prevent employees from running potentially malicious macros in Office documents and protect key folders from ransomware encryption. They do NOT need full investigation and response capabilities. Which Defender for Endpoint plan and feature addresses this?
Next up: Microsoft Defender for Cloud Apps and Defender for Identity — protecting your cloud applications and on-premises Active Directory.