Overview
Microsoft Defender for Endpoint (MDE) is an enterprise endpoint security platform that prevents, detects, investigates, and responds to advanced threats. It integrates with Microsoft 365 Defender to provide unified XDR capabilities across endpoints, identity, email, and cloud apps.
Who Should Use This Guide:
- Security engineers deploying endpoint protection
- IT administrators managing Windows devices
- SOC analysts configuring detection capabilities
- Organizations replacing third-party EDR solutions
Defender for Endpoint Capabilities:
| Capability | Description |
|---|---|
| Threat & Vulnerability Management | Discover vulnerabilities and misconfigurations |
| Attack Surface Reduction | Block attack techniques with ASR rules |
| Next-Generation Protection | Cloud-delivered AV protection |
| Endpoint Detection & Response | Behavioral detection and investigation |
| Automated Investigation | Auto-remediate threats |
| Microsoft Threat Experts | Managed threat hunting service |
Plan Comparison:
| Feature | Plan 1 | Plan 2 |
|---|---|---|
| Next-gen protection | ✓ | ✓ |
| Attack surface reduction | ✓ | ✓ |
| Device control | ✓ | ✓ |
| Endpoint firewall | ✓ | ✓ |
| Network protection | ✓ | ✓ |
| EDR | Limited | ✓ |
| TVM | - | ✓ |
| Automated investigation | - | ✓ |
| Threat analytics | - | ✓ |
| Sandbox | - | ✓ |
Requirements
Licensing:
| License | Includes MDE |
|---|---|
| Microsoft 365 E5 | Plan 2 |
| Microsoft 365 E5 Security | Plan 2 |
| Microsoft Defender for Endpoint P2 | Plan 2 |
| Microsoft 365 E3 | Plan 1 (add-on) |
| Microsoft Defender for Endpoint P1 | Plan 1 |
System Requirements:
| Platform | Minimum Version |
|---|---|
| Windows 10 | 1709 (RS3) or later |
| Windows 11 | All versions |
| Windows Server | 2016, 2019, 2022 |
| macOS | 11 (Big Sur) or later |
| Linux | See supported distros |
| iOS/Android | Latest versions |
Network Requirements:
| Endpoint | Purpose |
|---|---|
| *.securitycenter.windows.com | Security Center |
| *.wdcp.microsoft.com | Cloud protection |
| *.wd.microsoft.com | Defender updates |
| *.smartscreen.microsoft.com | SmartScreen |
| *.events.data.microsoft.com | Telemetry |
Architecture
┌─────────────────────────────────────────────────────────────────────┐
│                   Microsoft Defender for Endpoint                    │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  ┌──────────────┐                      ┌───────────────────────┐    │
│  │  Endpoints   │                      │ Microsoft 365 Defender│    │
│  │              │                      │        Portal         │    │
│  │ ┌──────────┐ │                      │ ┌───────────────────┐ │    │
│  │ │ Windows  │ │     ┌─────────┐      │ │ Incidents & Alerts│ │    │
│  │ │  10/11   │─┼────▶│  Cloud  │─────▶│ ├───────────────────┤ │    │
│  │ └──────────┘ │     │ Service │      │ │ Device List       │ │    │
│  │ ┌──────────┐ │     └─────────┘      │ ├───────────────────┤ │    │
│  │ │  macOS   │─┤                      │ │ Threat & Vuln     │ │    │
│  │ └──────────┘ │                      │ ├───────────────────┤ │    │
│  │ ┌──────────┐ │                      │ │ Advanced Hunting  │ │    │
│  │ │  Linux   │─┤                      │ └───────────────────┘ │    │
│  │ └──────────┘ │                      └───────────────────────┘    │
│  │ ┌──────────┐ │                                                   │
│  │ │  Server  │─┘                      ┌───────────────────────┐    │
│  │ │  2016+   │ │                      │      Intune MDM       │    │
│  │ └──────────┘ │                      │     Configuration     │    │
│  └──────────────┘                      └───────────────────────┘    │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘
Process
Step 1: Enable Defender for Endpoint Service
Activate MDE in your Microsoft 365 tenant.
Navigate to: Microsoft 365 Defender portal (security.microsoft.com)
Initial Setup:
- Go to Settings → Endpoints → Onboarding
- Accept the Microsoft Defender for Endpoint license terms
- Select data storage location (cannot be changed later):
  - US
  - EU
  - UK
- Click Continue to provision the service
Configure General Settings:
Navigate to: Settings → Endpoints → General
| Setting | Recommended Value |
|---|---|
| Preview features | On (for latest protection) |
| Automated investigation | Semi-automated (recommended) |
| Share endpoint alerts with Microsoft Compliance Center | On |
Verification: Service status shows "Active" in Settings → Endpoints.
Step 2: Configure Onboarding via Intune
Deploy MDE sensor to Windows devices using Microsoft Intune.
Create Onboarding Configuration Profile:
- Navigate to Microsoft Intune admin center
- Go to Endpoint security → Endpoint detection and response
- Click Create policy
- Select:
  - Platform: Windows 10 and later
  - Profile type: Endpoint detection and response
Configure Settings:
| Setting | Value |
|---|---|
| Microsoft Defender for Endpoint client configuration package type | Auto from connector |
| Sample sharing | All (recommended) or None |
| Expedite telemetry reporting frequency | Enable |
Assignments:
- Assign to All devices or target security groups
- Exclude any devices that shouldn't be onboarded
Alternative: Manual Onboarding Package:
- Navigate to security.microsoft.com → Settings → Endpoints → Onboarding
- Select deployment method:
  - Group Policy
  - Microsoft Endpoint Configuration Manager
  - Local script
  - VDI onboarding scripts
- Download the package
- Deploy via your chosen method
PowerShell Onboarding (Local Script):
# Download onboarding script from portal, then run:
.\WindowsDefenderATPLocalOnboardingScript.cmd
# Verify Defender is running in active mode
Get-MpComputerStatus | Select-Object AMRunningMode
# Verify onboarding: OnboardingState 1 = onboarded (Get-MpComputerStatus has no onboarding property)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -Name OnboardingState
Step 3: Configure Attack Surface Reduction Rules
ASR rules block common attack techniques at the endpoint level.
Navigate to: Intune → Endpoint security → Attack surface reduction
Create ASR Policy:
- Click Create policy
- Select:
  - Platform: Windows 10 and later
  - Profile: Attack Surface Reduction Rules
Recommended ASR Rules (Audit First):
| Rule | GUID | Description |
|---|---|---|
| Block executable content from email | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Block attachments from running |
| Block Office apps from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Prevent Office from spawning cmd/PowerShell |
| Block Office apps from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Prevent macros from dropping files |
| Block JavaScript or VBScript from launching downloaded content | D3E037E1-3EB8-44C8-A917-57927947596D | Block script-based downloads |
| Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Block encoded PowerShell |
| Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Block macro-based exploitation |
| Block credential stealing from LSASS | 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 | Protect credentials |
| Block untrusted/unsigned processes from USB | B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 | Block USB-based attacks |
| Block process creations from PSExec/WMI | D1E49AAC-8F56-4280-B9BA-993A6D77406C | Block lateral movement tools |
Implementation Strategy:
| Phase | Mode | Duration |
|---|---|---|
| 1 | Audit | 2 weeks |
| 2 | Warn | 1 week |
| 3 | Block | Ongoing |
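Before moving a rule from Audit to Block you need to know what it would have blocked and which line-of-business process triggered it. The following script (an added example, not part of the original guide) summarises ASR audit and block events from the Defender operational log per rule and process; the EventData field names it reads ('ID', 'Path', 'Process Name', 'User') are assumptions to confirm against one event's XML on your build.

```powershell
# Added example (not from the original guide): summarise ASR audit/block events so you can
# see what each rule would have blocked before moving it from Audit to Block.
# Event IDs in the Defender operational log: 1121 = fired in Block mode, 1122 = fired in Audit mode.
# Rule names mirror the guide's table. EventData field names ('ID', 'Path', 'Process Name',
# 'User') are assumed from typical Defender events; confirm with (Get-WinEvent ...)[0].ToXml().
$AsrRuleNames = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted/unsigned processes from USB'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations from PSExec/WMI'
}

function Get-AsrAuditSummary {
    param(
        [int]$Days = 14,              # the guide's two-week Audit phase
        [int[]]$EventIds = @(1121, 1122)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $EventIds
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read fields by name from the event XML; positional indexes differ between versions.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Mode    = $(if ($_.Id -eq 1122) { 'Audit' } else { 'Block' })
            RuleId  = ($data['ID'] -replace '[{}]', '').ToUpper()
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    } | Group-Object RuleId, Process | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Rule    = $AsrRuleNames[$first.RuleId]
            RuleId  = $first.RuleId
            Process = $first.Process
            Mode    = $first.Mode
            Hits    = $_.Count
            Example = $first.Target
        }
    } | Sort-Object Hits -Descending
}

# Rules with many hits from line-of-business processes need a per-app exclusion or a longer
# audit before Phase 3; rules with no hits can move to Block. Run on a device in Phase 1:
Get-AsrAuditSummary -Days 14 | Format-Table -AutoSize
```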
PowerShell Configuration:
# Set ASR rules to Audit mode (action values: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn)
$rules = @{
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = 2  # Audit
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = 2
    "3B576869-A4EC-4529-8536-B80A7769E899" = 2
    "D3E037E1-3EB8-44C8-A917-57927947596D" = 2
}
foreach ($rule in $rules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Key -AttackSurfaceReductionRules_Actions $rule.Value
}
# View current ASR configuration (rule IDs and their actions, in matching order)
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Step 4: Configure Network Protection
Block connections to malicious domains and IP addresses.
Navigate to: Intune → Endpoint security → Attack surface reduction
Create Network Protection Policy:
- Click Create policy
- Select profile: Device control or use Settings Catalog
- Configure:
  - Enable network protection: Enabled (Block mode)
Settings Catalog Configuration:
- Go to Devices → Configuration profiles → Create profile
- Select Settings catalog
- Add: Defender → Enable Network Protection
- Set to: Enabled (block mode) or Audit mode
Group Policy Alternative:
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Network Protection
Enable Network Protection: Enabled
Mode: Block (or Audit)
PowerShell Configuration:
# Enable Network Protection in Block mode
Set-MpPreference -EnableNetworkProtection Enabled
# Enable in Audit mode first
Set-MpPreference -EnableNetworkProtection AuditMode
# Verify status
Get-MpPreference | Select-Object EnableNetworkProtection
Step 5: Configure Web Content Filtering
Block access to malicious or inappropriate web categories.
Navigate to: security.microsoft.com → Settings → Endpoints → Web content filtering
Create Web Content Filtering Policy:
- Click + Add policy
- Configure:
  - Policy name: Block-Malicious-Categories
  - Categories to block:
| Category | Block Reason |
|---|---|
| Malware | Active threats |
| Phishing | Credential theft |
| Newly registered domains | Potential threats |
| Spam | Low-quality content |
| Illegal activities | Compliance |
| High-risk categories | Risk reduction |
Assign to Device Groups:
- Select target device groups
- Or apply to all devices
PowerShell Alternative:
# Web Content Filtering requires Defender for Endpoint Plan 2
# Configuration is done through the security portal
# Verify SmartScreen is enabled
Get-MpPreference | Select-Object *SmartScreen*
Step 6: Enable EDR in Block Mode
EDR in Block Mode provides post-breach protection even when Microsoft Defender AV isn't the primary AV.
Requirements:
- Defender for Endpoint Plan 2
- Windows 10 1903+ or Windows Server 2016+
- Defender AV in passive mode (non-primary AV) or active mode
Enable via Settings:
- Navigate to security.microsoft.com → Settings → Endpoints
- Go to General → Advanced features
- Enable: EDR in block mode
What EDR Block Mode Does:
| Detection | Without Block Mode | With Block Mode |
|---|---|---|
| Malicious file detected | Alert only | Alert + Block |
| Suspicious behavior | Alert only | Alert + Block |
| Living-off-the-land attack | Alert only | Alert + Block |
Verify EDR Block Mode:
# Check if EDR block mode is active
Get-MpComputerStatus | Select-Object AMRunningMode, IsTamperProtected
# Review blocked threats
Get-MpThreat | Where-Object { $_.ThreatStatusID -eq 1 }
Step 7: Configure Automated Investigation and Response
Enable automated remediation for detected threats.
Navigate to: security.microsoft.com → Settings → Endpoints → General
Configure Automation Settings:
| Setting | Recommended Value |
|---|---|
| Automated Investigation | On |
| Automation level | Semi-automated |
| Auto-resolve alerts | For low-medium severity |
Automation Levels:
| Level | Description |
|---|---|
| No automation | Manual investigation only |
| Semi-automated (default) | Requires approval for remediation |
| Full automation | Auto-remediate without approval |
Create Device Groups with Automation:
- Go to Settings → Endpoints → Device groups
- Create group with automation level:
Group name: High-Value-Servers
Automation level: Semi-automated
Matching rules:
  - Tag: HighValue
  - OR Device name contains: SRV
Review Automated Investigations:
Navigate to: Incidents & alerts → Automated investigations
Step 8: Configure Custom Detection Rules
Create custom detection rules using KQL queries.
Navigate to: security.microsoft.com → Hunting → Custom detection rules
Create Custom Detection:
- Click + New detection rule
- Write KQL query:
// Detect PowerShell with encoded commands
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "-e ", "-ec ")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine
Configure Rule Settings:
| Setting | Value |
|---|---|
| Alert title | Encoded PowerShell Execution Detected |
| Severity | Medium |
| Category | Execution |
| MITRE technique | T1059.001 |
| Recommended actions | Investigate process tree |
| Frequency | Every hour |
Example Detection Queries:
// Detect LSASS credential access
DeviceProcessEvents
| where FileName in~ ("procdump.exe", "mimikatz.exe", "comsvcs.dll")
    or ProcessCommandLine has "sekurlsa"
    or ProcessCommandLine has "lsass"
// Detect suspicious WMI activity
DeviceProcessEvents
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName in~ ("powershell.exe", "cmd.exe")
| project Timestamp, DeviceName, ProcessCommandLine
Step 9: Configure Exclusions
Add necessary exclusions for business applications.
Navigate to: Intune → Endpoint security → Antivirus
Create Antivirus Exclusion Policy:
- Click Create policy
- Select Microsoft Defender Antivirus exclusions
Common Exclusions:
| Application | Exclusion Type | Path/Process |
|---|---|---|
| SQL Server | Path | %ProgramFiles%\Microsoft SQL Server\ |
| Exchange | Path/Process | Multiple paths - see MS docs |
| SharePoint | Path | %ProgramFiles%\Microsoft Office Servers\ |
| Backup software | Process | BackupExec.exe, veeam*.exe |
| Dev tools | Path | %LocalAppData%\Packages\ |
Important: Minimize exclusions to reduce attack surface.
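Exclusions accumulate over time, and the ones most often requested (user-writable folders, wildcard process names, global extension exclusions) are exactly the ones that blind the engine. The following script (an added example, not from the original guide) audits the exclusions present on a device and flags those that weaken protection most; its risk categories and regex patterns are this example's own assumptions, and the sample input is constructed.

```powershell
# Added example (not from the original guide): audit the exclusions configured on a device
# and flag those that widen the attack surface most. The risk labels are this example's own
# judgement, not a Microsoft classification; the regexes are the assumptions to tune.
function Get-RiskyDefenderExclusions {
    param(
        [string[]]$Paths      = @(),
        [string[]]$Processes  = @(),
        [string[]]$Extensions = @()
    )
    # With no arguments, read the live configuration of this device.
    if (($Paths.Count + $Processes.Count + $Extensions.Count) -eq 0) {
        $pref = Get-MpPreference
        $Paths = $pref.ExclusionPath; $Processes = $pref.ExclusionProcess; $Extensions = $pref.ExclusionExtension
    }
    # Locations a standard user can write to: an exclusion here means a downloaded payload
    # dropped there is never scanned.
    $userWritable = '^(%LocalAppData%|%AppData%|%Temp%|%Public%|C:\\Users\\|C:\\Windows\\Temp|C:\\ProgramData\\)'
    $lolbins      = '^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msbuild)(\.exe)?$'
    $execTypes    = '^\.?(exe|dll|ps1|js|vbs|hta|scr|bat|cmd|msi)$'

    foreach ($p in $Paths) {
        $risk = if     ($p -match '^[A-Za-z]:\\?$')  { 'Critical: whole drive excluded' }
                elseif ($p -match $userWritable)      { 'High: user-writable location' }
                elseif ($p -match '[\*\?]')           { 'High: wildcard in path' }
                else                                  { 'Review: folder exclusion' }
        [pscustomobject]@{ Type = 'Path'; Value = $p; Risk = $risk }
    }
    foreach ($proc in $Processes) {
        # A process exclusion skips scanning of files opened BY that process, so excluding a
        # script host or a wildcard name exempts far more activity than one application.
        $risk = if     ($proc -match $lolbins)  { 'Critical: script host / LOLBin excluded' }
                elseif ($proc -match '[\*\?]')  { 'High: wildcard process name' }
                else                            { 'Review: process exclusion' }
        [pscustomobject]@{ Type = 'Process'; Value = $proc; Risk = $risk }
    }
    foreach ($ext in $Extensions) {
        # Extension exclusions apply to every path on the disk; the guide says "use sparingly".
        $risk = if ($ext -match $execTypes) { 'Critical: executable/script type excluded' }
                else                        { 'High: global extension exclusion' }
        [pscustomobject]@{ Type = 'Extension'; Value = $ext; Risk = $risk }
    }
}

# Constructed sample (not from a real device) using the guide's own example exclusions plus
# three risky ones; call Get-RiskyDefenderExclusions with no arguments to audit this machine.
Get-RiskyDefenderExclusions `
    -Paths      '%ProgramFiles%\Microsoft SQL Server\', '%LocalAppData%\Packages\', 'C:\Temp\*', 'D:\' `
    -Processes  'veeam*.exe', 'CustomApp.exe', 'powershell.exe' `
    -Extensions '.log', '.ps1' | Sort-Object Risk | Format-Table -AutoSize
```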
PowerShell Exclusion Management:
# Add path exclusion
Add-MpPreference -ExclusionPath "C:\CustomApp\Data"
# Add process exclusion
Add-MpPreference -ExclusionProcess "CustomApp.exe"
# Add extension exclusion (use sparingly)
Add-MpPreference -ExclusionExtension ".log"
# View current exclusions
Get-MpPreference | Select-Object Exclusion*
Step 10: Verify Onboarding and Test Detection
Confirm devices are properly protected and detections work.
Verify Device Onboarding:
# Check Defender AV status
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntispywareEnabled,
    RealTimeProtectionEnabled, AMRunningMode
# Check MDE sensor onboarding: OnboardingState 1 = onboarded (Get-MpComputerStatus has no onboarding property)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -Name OnboardingState
Get-Service Sense
# Verify connectivity
Test-NetConnection -ComputerName wdcp.microsoft.com -Port 443
Test-NetConnection -ComputerName events.data.microsoft.com -Port 443
Run EICAR Test File:
# Download EICAR test file (will be detected and blocked)
New-Item -ItemType Directory -Path "C:\Test" -Force | Out-Null
Invoke-WebRequest -Uri "https://www.eicar.org/download/eicar.com.txt" -OutFile "C:\Test\eicar.com"
# This should trigger a detection in the portal
Run MDE Detection Test:
# Official MDE detection test command
# This generates a benign alert in the portal
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
Portal Verification:
- Navigate to security.microsoft.com → Assets → Devices
- Find test device
- Verify:
  - Onboarding status: Onboarded
  - Sensor health: Active
  - Risk level: Low (after test)
Troubleshooting
Common Issues:
| Symptom | Possible Cause | Solution |
|---|---|---|
| Device not onboarded | Connectivity issues | Verify network requirements; check proxy |
| Sensor not running | Service disabled | Start "Sense" service; check WD state |
| No alerts generating | Detection disabled | Verify cloud protection enabled |
| ASR causing app issues | Rule blocking legitimate app | Add exclusion for specific app/path |
| High resource usage | Scan settings too aggressive | Adjust scan schedule; add exclusions |
Diagnostic Commands:
# Check Defender service status
Get-Service WinDefend, Sense
# Run Defender connectivity test
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
# Check cloud protection status
Get-MpComputerStatus | Select-Object *Cloud*, *Map*
# View recent Defender events
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -MaxEvents 20
# Collect Defender support files (the MDE Client Analyzer is a separate downloadable tool)
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles
Collect Diagnostic Package:
# Create diagnostic package for support
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles
# Output: C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab
Security Considerations
Tamper Protection:
Enable tamper protection to prevent unauthorized changes:
- Navigate to security.microsoft.com → Settings → Endpoints
- Enable: Tamper protection
Cloud Protection Level:
| Level | Description |
|---|---|
| Default | Standard cloud lookup |
| High | Aggressive blocking; may impact performance |
| High+ | High + additional protection measures |
| Zero tolerance | Block all suspicious files |
Recommended Baseline:
# Set cloud protection to High
Set-MpPreference -CloudBlockLevel High
# Set cloud extended timeout
Set-MpPreference -CloudExtendedTimeout 50
# Enable all protection features
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableBehaviorMonitoring $false
Set-MpPreference -DisableIOAVProtection $false
Set-MpPreference -DisableScriptScanning $false
Verification Checklist
Onboarding:
- MDE service activated in tenant
- Onboarding policy deployed via Intune
- Test device shows as onboarded
- Sensor health shows "Active"
Protection Configuration:
- Real-time protection enabled
- Cloud protection enabled (High level)
- ASR rules configured (audit mode initially)
- Network protection enabled
- EDR in Block mode enabled
Detection Testing:
- EICAR test file detected
- MDE test alert generated
- Custom detection rules created
- Automated investigation configured
Operations:
- Device groups configured
- Alert notifications configured
- Exclusions documented and minimal
- SOC team trained on portal
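The Onboarding and Protection Configuration items above can be checked in one pass on a device instead of by hand. The following script (an added example, not part of the original guide) compares a device's live state against the guide's baseline; the registry key it reads is the MDE sensor's status key, and the expected values are the ones given in the Recommended Baseline and the steps above.

```powershell
# Added example (not from the original guide): run the Onboarding and Protection Configuration
# checklist items as a single check on one device. Expected values mirror the guide's baseline;
# the registry key is the Defender for Endpoint sensor's status key (OnboardingState 1 = onboarded).
function Test-MdeDeploymentChecklist {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $senseKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboard  = (Get-ItemProperty -Path $senseKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense    = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # ASR actions: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn (the guide's three phases).
    $asrIds   = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $asrBlock = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count

    # AMRunningMode is 'Normal' when Defender AV is primary; with a third-party AV plus EDR in
    # block mode (Step 6) expect 'EDR Block Mode' instead, so adjust that row for such devices.
    $checks = @(
        @{ Item = 'Sense service running';              Expected = 'Running'; Actual = "$($sense.Status)" }
        @{ Item = 'Device onboarded (OnboardingState)'; Expected = 1;         Actual = $onboard }
        @{ Item = 'Defender AV mode';                   Expected = 'Normal';  Actual = $status.AMRunningMode }
        @{ Item = 'Real-time protection';               Expected = $true;     Actual = $status.RealTimeProtectionEnabled }
        @{ Item = 'Behavior monitoring';                Expected = $true;     Actual = $status.BehaviorMonitorEnabled }
        @{ Item = 'Tamper protection';                  Expected = $true;     Actual = $status.IsTamperProtected }
        @{ Item = 'Cloud block level (2 = High)';        Expected = 2;         Actual = [int]$pref.CloudBlockLevel }
        @{ Item = 'Cloud extended timeout (s)';         Expected = 50;        Actual = $pref.CloudExtendedTimeout }
        @{ Item = 'Network protection (1 = Block)';     Expected = 1;         Actual = [int]$pref.EnableNetworkProtection }
        @{ Item = 'Script scanning';                    Expected = $true;     Actual = -not $pref.DisableScriptScanning }
        @{ Item = 'ASR rules configured';               Expected = 'at least 1'; Actual = $asrIds.Count }
        @{ Item = 'ASR rules in Block mode';            Expected = $asrIds.Count; Actual = $asrBlock }
    )
    foreach ($c in $checks) {
        # Compare as strings so $true/'True' and 1/'1' from different cmdlets line up.
        $pass = if ("$($c.Expected)" -eq 'at least 1') { $c.Actual -ge 1 } else { "$($c.Actual)" -eq "$($c.Expected)" }
        [pscustomobject]@{ Check = $c.Item; Expected = $c.Expected; Actual = $c.Actual; Pass = $pass }
    }
}

# Any row with Pass = False maps to a checklist item that is not yet met on this device.
Test-MdeDeploymentChecklist | Format-Table -AutoSize
```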
Next Steps
After deploying Defender for Endpoint:
- Integrate with Microsoft Sentinel - Centralized SIEM analysis
- Enable Threat Analytics - Threat intelligence reports
- Configure Attack Simulations - Test detection capabilities
- Deploy to macOS/Linux - Cross-platform protection
References
- Microsoft Defender for Endpoint Documentation
- Attack Surface Reduction Rules Reference
- Advanced Hunting Queries
- Network Requirements
Last Updated: February 2026