
Microsoft Defender for Endpoint on Windows

Microsoft Defender for Endpoint on Windows provides preventative protection, post-breach detection, automated investigation, and response for Windows endpoints. The following table describes capabilities in Defender for Endpoint on Windows:

Autonomous protection:
Automatic attack disruption identifies and contains active attacks in real time by automatically isolating compromised devices and disabling compromised user accounts, stopping lateral movement before human intervention is needed.

Predictive shielding uses AI to anticipate threats and proactively shield high-value assets before an attack reaches them.

Next-generation protection:
Defender for Endpoint on Windows includes next-generation antivirus protection that uses behavior-based, cloud-delivered, and machine-learning techniques.

Behavioral blocking and containment detects and blocks malicious behaviors and helps contain compromised devices.

Web protection guards against malicious websites, phishing attempts, and web-based threats. Network protection blocks connections to malicious network destinations.

Attack surface reduction capabilities, including attack surface reduction rules and device control, reduce exposure to common attack techniques such as credential theft, malware execution, and unauthorized use of removable storage.

Tamper protection safeguards critical security settings from unauthorized changes. Firewall and proxy configuration allows onboarded devices to reach the Defender for Endpoint cloud service.

Endpoint detection and response (EDR):
Defender for Endpoint on Windows uses AI and advanced analytics to detect and respond to threats in near real time. The Microsoft Defender portal at https://security.microsoft.com provides a central location to view detections and manage your organization's devices.

You can use advanced hunting to query raw event data and gain deeper insight into your network events. Threat analytics provides curated intelligence reports about active and emerging threats.

EDR in block mode enables Defender for Endpoint to block and remediate threats even when Microsoft Defender Antivirus runs in passive mode.

Response actions include running antivirus scans, isolating devices, collecting investigation packages, and collecting files for deep analysis. You can also use live response to open a remote shell on a device and perform in-depth investigations.

Endpoint Attack Notifications provide proactive hunting and prioritization to help identify and respond to the most critical threats.

Vulnerability management:
Defender for Endpoint on Windows offers risk-based vulnerability management with intelligent prioritization, remediation, and tracking. These features help you manage and secure your Windows devices.

Your security team gets a comprehensive view of your organization's exposure score, security recommendations, remediation activities, software inventory, and Microsoft Secure Score for Devices.

Automated investigation and response:
Automated investigation and response (AIR) automatically investigates alerts and remediates threats, reducing the burden on security teams.

Streamlined management and operations:
Defender for Endpoint on Windows integrates with your existing management tools, including Microsoft Intune and Group Policy.

Security settings management lets you manage security policies directly from the Microsoft Defender portal.

Defender for Endpoint provides a comprehensive set of management APIs for programmatic access to device management, vulnerability management, and threat intelligence. Partner integrations connect Defender for Endpoint to Microsoft and non-Microsoft security solutions.

Seamless integration and extensibility:
Microsoft Defender for Endpoint on Windows uses a lightweight behavioral sensor that is built into the operating system, which keeps performance stable and predictable.

Defender for Endpoint integrates with the broader Microsoft Defender suite and offers extensibility through API integration, SIEM connectors, Power BI support, and role-based access control (RBAC).

Device and network discovery:
Endpoint and network device discovery finds unmanaged endpoints, network devices, and IoT devices on the corporate network, helping you maintain visibility and protection.

Tip

For a detailed comparison of supported features for all Defender for Endpoint platforms (Windows, macOS, and Linux), see Defender for Endpoint capabilities.

Core security features

The following table summarizes the core security features available on Windows:

Next-generation protection: Antivirus and antimalware protection that uses behavior-based, cloud-delivered, and machine-learning techniques.
Behavioral blocking and containment: Detects and blocks malicious behaviors and helps contain compromised devices.
Web protection: Protects devices from malicious websites, phishing attempts, and web-based threats.
Firewall: Configure firewall and proxy settings so that onboarded devices can reach the Defender for Endpoint service.
Tamper protection: Prevents unauthorized changes to critical security settings on endpoints.
Passive mode: Runs Microsoft Defender Antivirus in monitoring mode alongside a non-Microsoft antivirus.

Attack surface reduction

Attack surface reduction capabilities help you reduce exposure to common attack techniques:

Attack surface reduction rules: Block common attack techniques, such as credential theft and malware execution.
Device control: Manage and audit the use of removable storage and peripheral devices.
Network protection: Block connections to malicious network destinations.
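The usual way to roll out an attack surface reduction rule is to run it in audit mode first, review what it would have blocked, and only then switch it to block. The following PowerShell is an added example written for this page, not Microsoft's code. It assumes an elevated session on a device where Microsoft Defender Antivirus is the active antimalware solution (ASR rules aren't applied in passive mode), and it uses the documented rule ID for "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"; confirm the ID against the ASR rules reference before using it.

```powershell
# Added example (not Microsoft's code): stage one ASR rule in audit mode, verify the
# configured action, read the events it produces, then switch it to block.
# Assumptions: elevated session; Microsoft Defender Antivirus in active mode.

# Documented rule ID for "Block credential stealing from LSASS"; verify before use.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Assert-DefenderActive {
    # ASR enforcement needs active mode; fail early rather than configure a no-op.
    $mode = (Get-MpComputerStatus).AMRunningMode
    if ($mode -ne 'Normal') {
        throw "Microsoft Defender Antivirus is in '$mode' mode; ASR rules require active mode."
    }
}

function Set-AsrRuleAction {
    param(
        [Parameter(Mandatory)] [string] $RuleId,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')] [string] $Action
    )
    Assert-DefenderActive
    # Add-MpPreference merges this rule into the existing list; other rules stay untouched.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleAction {
    # Returns the configured action name for one rule, or 'NotConfigured'.
    param([Parameter(Mandatory)] [string] $RuleId)
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {
            $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
            if ($names.ContainsKey($code)) { return $names[$code] }
            return "Unknown($code)"
        }
    }
    return 'NotConfigured'
}

function Get-AsrRuleEvents {
    # Event 1122 = rule fired in audit mode, 1121 = rule fired in block mode.
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage:
# Set-AsrRuleAction -RuleId $LsassRuleId -Action AuditMode
# Get-AsrRuleAction -RuleId $LsassRuleId            # expect 'Audit'
# Get-AsrRuleEvents | Format-Table TimeCreated, Id, Message -Wrap   # review for a week
# Set-AsrRuleAction -RuleId $LsassRuleId -Action Enabled
# Get-AsrRuleAction -RuleId $LsassRuleId            # expect 'Block'
```

Review the 1122 audit events for legitimate LSASS readers (backup agents, some EDR or VDI tooling) and add exclusions for them before moving the rule to block; once enforced, the same activity appears as event 1121 and as a detection in the portal.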

Threat and vulnerability management

These capabilities help you identify, assess, and remediate vulnerabilities and misconfigurations to reduce risk:

Vulnerability assessment: Identifies software vulnerabilities and misconfigurations on devices.
Security recommendations: Actionable guidance to reduce endpoint risk.
Remediation tracking: Tracks remediation activities and exposure reduction.
Microsoft Secure Score for Devices: Assesses the security state of your network, identifies unprotected systems, and provides actions to improve your organization's overall security.

Device and network discovery

Endpoint and network device discovery: Discovers unmanaged endpoints, network devices, and IoT devices on the corporate network.

Endpoint detection and response (EDR)

These capabilities help you detect, investigate, and respond to advanced threats that might bypass preventative defenses:

Endpoint detection and response: Detects advanced threats and suspicious activity on endpoints and provides investigation capabilities.
Advanced hunting: Query-based threat hunting over endpoint telemetry.
Threat analytics: Curated intelligence reports about active and emerging threats.
EDR in block mode: Enables Defender for Endpoint to block and remediate threats even when Microsoft Defender Antivirus runs in passive mode.
Live response: Provides a secure remote shell to investigate and remediate compromised devices in real time.
Endpoint Attack Notifications: Proactive hunting and prioritization that helps identify and respond to the most critical threats.

Autonomous protection

These AI-driven capabilities proactively identify, contain, and prevent attacks at machine speed without requiring human intervention:

Automatic attack disruption: Identifies and contains active attacks in real time by automatically isolating compromised devices and disabling compromised user accounts, stopping lateral movement without requiring human intervention.
Predictive shielding: Uses AI to anticipate threats and proactively shield high-value assets before an attack reaches them.

Automated investigation and response

Automated investigation and response (AIR): Automatically investigates alerts and remediates threats.

Investigation and response actions

Device isolation: Isolates compromised devices to prevent lateral movement. Device isolation is also triggered automatically by attack disruption when an active attack is detected.
Collect investigation package: Collects forensic data from a device for offline analysis.
Run antivirus scan: Initiates on-demand antivirus scans on a device.
Collect file and deep analysis: Collects files from devices and submits them to a secure cloud sandbox for deep analysis.
Block, stop, and quarantine files: Stops malicious processes and quarantines files in the environment.

Indicators and custom detections

Custom file indicators: Create allow or block rules based on file hashes.
Custom network indicators: Allow or block IP addresses, URLs, or domains based on custom threat intelligence.

APIs and integrations

Management and automation APIs: Automate workflows and integrate Defender for Endpoint into your existing processes.
Partner integrations: Integration with Microsoft and non-Microsoft security solutions.
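The advanced hunting, custom indicator, and API capabilities listed above are normally used together: hunt for suspicious activity, triage it, then push a block indicator so the whole tenant is protected. The following PowerShell is an added example written for this page, not Microsoft's code. It assumes an Entra ID app registration granted the Defender for Endpoint application permissions AdvancedQuery.Read.All and Ti.ReadWrite.All, and a bearer token for that app obtained out of band and passed in as $Token; the hunting query and the indicator metadata are the author's choices, not values from the page.

```powershell
# Added example (not Microsoft's code): run an advanced hunting query through the
# Defender for Endpoint API, then block a triaged file hash with a custom indicator.
# Assumptions: app registration with AdvancedQuery.Read.All and Ti.ReadWrite.All;
# $Token holds a valid OAuth bearer token for it.
$MdeApiBase = 'https://api.securitycenter.microsoft.com/api'

function Invoke-MdeHuntingQuery {
    # Runs a KQL query against the tenant's advanced hunting data and returns the rows.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Query
    )
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    $body    = @{ Query = $Query } | ConvertTo-Json -Compress
    $resp    = Invoke-RestMethod -Method Post -Uri "$MdeApiBase/advancedqueries/run" -Headers $headers -Body $body
    return $resp.Results
}

function New-MdeFileIndicator {
    # Creates a SHA-256 file indicator; Block with an alert by default so the SOC sees hits.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Sha256,
        [Parameter(Mandatory)] [string] $Title,
        [string] $Description = 'Blocked via API after hunting triage',
        [ValidateSet('Alert', 'Warn', 'Block', 'Audit', 'BlockAndRemediate', 'Allowed')] [string] $Action = 'Block',
        [ValidateSet('Informational', 'Low', 'Medium', 'High')] [string] $Severity = 'High',
        [int] $ExpireInDays = 30
    )
    # Reject anything that isn't a 64-hex-character SHA-256 before it reaches the tenant.
    if ($Sha256 -notmatch '^[0-9a-fA-F]{64}$') { throw "Not a SHA-256 hex digest: $Sha256" }

    $body = @{
        indicatorValue = $Sha256.ToLowerInvariant()
        indicatorType  = 'FileSha256'
        action         = $Action
        title          = $Title
        description    = $Description
        severity       = $Severity
        generateAlert  = $true
        # Indicators without an expiry accumulate; 30 days forces a review.
        expirationTime = (Get-Date).ToUniversalTime().AddDays($ExpireInDays).ToString('o')
    } | ConvertTo-Json -Compress
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
    return Invoke-RestMethod -Method Post -Uri "$MdeApiBase/indicators" -Headers $headers -Body $body
}

# Hunt: executable or script files written to disk by Office applications in the last 7 days.
$OfficeDropQuery = @'
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".js" or FileName endswith ".hta"
| where isnotempty(SHA256)
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, SHA256
| order by Timestamp desc
'@

# Usage ($Token is an assumption; obtain it from your app registration):
# $rows = Invoke-MdeHuntingQuery -Token $Token -Query $OfficeDropQuery
# $rows | Format-Table Timestamp, DeviceName, FolderPath, FileName, SHA256
# After triage confirms a hash is malicious, block it tenant-wide:
# New-MdeFileIndicator -Token $Token -Sha256 $rows[0].SHA256 -Title 'Office-dropped payload'
```

Keep the hunting query and the indicator in separate steps: a hash returned by a query is only a lead until someone has looked at the file, and file indicators are enforced by Microsoft Defender Antivirus, so they need it in active mode or EDR in block mode on the target devices.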

Antivirus solution compatibility

The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities, such as file scanning.

Microsoft Defender Antivirus dependency: Defender for Endpoint relies on Microsoft Defender Antivirus for selected capabilities, including file scanning.
Security intelligence updates: Keep security intelligence and the scan engine up to date on onboarded devices.
Platform updates: Keep the Microsoft Defender Antivirus platform current on onboarded devices.
Passive mode with non-Microsoft antimalware: When a non-Microsoft antimalware client is active, Microsoft Defender Antivirus runs in passive mode, continues to receive updates, and msmpeng.exe remains running.

Important

Endpoint detection and response (EDR) in Microsoft Defender for Endpoint doesn't adhere to the Microsoft Defender Antivirus exclusion settings: excluding a path, process, or extension from antivirus scanning doesn't stop the EDR sensor from recording or alerting on activity there.

For optimal protection, configure security intelligence updates and platform updates for onboarded devices, whether Microsoft Defender Antivirus is the active antimalware solution or not.

When an onboarded device uses a non-Microsoft antimalware client and Microsoft Defender Antivirus is in passive mode, Microsoft Defender Antivirus doesn't perform real-time protection scans, scheduled scans, or on-demand scans, and it doesn't replace the non-Microsoft antimalware client. In addition, the Microsoft Defender Antivirus user interface is disabled, users can't run on-demand scans, and the features that depend on Microsoft Defender Antivirus being active can't be configured or used (for example, attack surface reduction (ASR) rules, network protection, file, IP address, URL, and certificate allow/block indicators, web content filtering, and controlled folder access).

For more information, see Manage Microsoft Defender Antivirus updates and apply baselines, and Microsoft Defender Antivirus and Microsoft Defender for Endpoint compatibility.
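The points above (onboarding, the Defender Antivirus dependency, update currency, and the difference between active and passive mode) are easy to check locally with the Defender PowerShell module. The following script is an added example written for this page, not Microsoft's code. It assumes an elevated session on Windows 10/11 or Windows Server where Get-MpComputerStatus is available; the three-day signature-age threshold and the registry paths used for onboarding state and forced passive mode are the author's assumptions, not values from the page.

```powershell
# Added example (not Microsoft's code): local health check for an onboarded Windows device.
# Assumptions: elevated session; Defender PowerShell module present; 3-day signature age
# threshold is a reviewer's choice; registry paths are the documented MDE locations.
function Get-MdeHealthReport {
    [CmdletBinding()]
    param([int] $MaxSignatureAgeDays = 3)

    $status = Get-MpComputerStatus
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # EDR sensor service

    # Onboarding state and the forced-passive policy both live in the registry.
    $onboarded = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
        -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState -eq 1
    $forcedPassive = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' `
        -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode -eq 1

    $sigAge      = (Get-Date) - $status.AntivirusSignatureLastUpdated
    $senseStatus = if ($sense) { $sense.Status.ToString() } else { 'Missing' }
    $findings    = New-Object System.Collections.Generic.List[string]

    if (-not $onboarded)              { $findings.Add('Device is not onboarded to Defender for Endpoint') }
    if ($senseStatus -ne 'Running')   { $findings.Add('Sense (EDR sensor) service is not running') }
    if (-not $status.AMServiceEnabled) { $findings.Add('Microsoft Defender Antivirus service is disabled; file scanning is unavailable to MDE') }
    if (-not $status.IsTamperProtected) { $findings.Add('Tamper protection is off') }
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("Security intelligence is $([int]$sigAge.TotalDays) days old")
    }

    # Real-time protection being off is only a finding in active mode. In passive mode or
    # EDR block mode another product owns real-time scanning, so don't report it there.
    $active = $status.AMRunningMode -eq 'Normal'
    if ($active -and -not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off in active mode') }
    if ($forcedPassive -and $active) { $findings.Add('ForceDefenderPassiveMode is set but antivirus still reports active mode') }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Onboarded        = $onboarded
        SenseStatus      = $senseStatus
        AMRunningMode    = $status.AMRunningMode       # Normal, Passive Mode, EDR Block Mode, ...
        ForcedPassive    = $forcedPassive
        TamperProtected  = $status.IsTamperProtected
        PlatformVersion  = $status.AMProductVersion
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = [math]::Round($sigAge.TotalDays, 1)
        Findings         = $findings.ToArray()
    }
}

function Update-MdeSecurityIntelligenceIfStale {
    # Pulls fresh security intelligence when the report says it is stale. This is valid in
    # passive mode too, because updates keep flowing to a passive Defender Antivirus.
    param([int] $MaxSignatureAgeDays = 3)
    $report = Get-MdeHealthReport -MaxSignatureAgeDays $MaxSignatureAgeDays
    if ($report.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        Update-MpSignature -UpdateSource MicrosoftUpdateServer
    }
    return $report
}

# Usage:
# Get-MdeHealthReport | Format-List
# Update-MdeSecurityIntelligenceIfStale | Select-Object AMRunningMode, SignatureAgeDays, Findings
```

A device reporting AMRunningMode of "Passive Mode" with RealTimeProtectionEnabled set to False is healthy as long as the non-Microsoft product is active; the same device with signatures several days old is not, because passive-mode Defender Antivirus is still expected to stay current. Treat an AMRunningMode of "EDR Block Mode" as passive for the real-time protection check as well.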