Overview of Microsoft Defender for Endpoint Plan 1 (preview)


If you have Microsoft 365 E3 or A3 but not Microsoft 365 E5 or A5, visit https://aka.ms/mdep1trial to sign up for the preview program!

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help organizations like yours to prevent, detect, investigate, and respond to advanced threats. We are pleased to announce that Defender for Endpoint is now available in two plans:

The following image depicts what's included in Defender for Endpoint Plan 1 (preview):

Defender for Endpoint Plan 1 diagram

Use this guide to:

Defender for Endpoint Plan 1 capabilities

Defender for Endpoint Plan 1 (preview) includes the following capabilities:

The following sections provide more details about these capabilities.


Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here. This guide includes links to online content that might describe or depict some features that are not included in Defender for Endpoint Plan 1 (preview).

Next-generation protection

Next-generation protection includes robust antivirus and antimalware protection. With next-generation protection, you get:

  • Behavior-based, heuristic, and real-time antivirus protection
  • Cloud-delivered protection, which includes near-instant detection and blocking of new and emerging threats
  • Dedicated protection and product updates, including updates related to Microsoft Defender Antivirus

To learn more, see Next-generation protection overview.

Manual response actions

Manual response actions are actions that your security team can take when threats are detected on endpoints or in files. Defender for Endpoint includes certain manual response actions that can be taken on a device that is detected as potentially compromised or has suspicious content. You can also run response actions on files that are detected as threats. The following table summarizes the manual response actions that are available in Defender for Endpoint Plan 1.

File/Device Action Description
Device Run antivirus scan Starts an antivirus scan. If any threats are detected on the device, those threats are often addressed during an antivirus scan.
Device Isolate device Disconnects a device from your organization’s network while retaining connectivity to Defender for Endpoint. This action enables you to monitor the device and take further action if needed.
File Stop and quarantine Stops processes from running and quarantines associated files.
File Add an indicator to block or allow a file Block indicators prevent portable executable files from being read, written, or executed on devices.

Allow indicators prevent files from being blocked or remediated.

To learn more, see the following articles:

Attack surface reduction

Your organization’s attack surfaces are all the places where you’re vulnerable to cyberattacks. With Defender for Endpoint Plan 1 (preview), you can reduce your attack surfaces by protecting the devices and applications that your organization uses. The attack surface reduction capabilities that are included in Defender for Endpoint Plan 1 (preview) are described in the following sections.

To learn more about attack surface reduction capabilities in Defender for Endpoint, see Overview of attack surface reduction.

Attack surface reduction rules

Attack surface reduction rules target certain software behaviors that are considered risky. Such behaviors include:

  • Launching executable files and scripts that attempt to download or run other files
  • Running obfuscated or otherwise suspicious scripts
  • Initiating behaviors that apps don't usually initiate during normal work

Legitimate business applications can exhibit such software behaviors; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe.

To learn more, see Use attack surface reduction rules to prevent malware infection.

Ransomware mitigation

With controlled folder access, you get ransomware mitigation. Controlled folder access allows only trusted apps to access protected folders on your endpoints. Apps are added to the trusted apps list based on their prevalence and reputation. Your security operations team can add or remove apps from the trusted apps list, too.

To learn more, see Protect important folders with controlled folder access.

Device control

Sometimes threats to your organization’s devices come in the form of files on removable drives, such as USB drives. Defender for Endpoint includes capabilities to help prevent threats from unauthorized peripherals from compromising your devices. You can configure Defender for Endpoint to block or allow removable devices and files on removable devices.

To learn more, see Control USB devices and removable media.

Web protection

With web protection, you can protect your organization’s devices from web threats and unwanted content. Web protection includes web threat protection and web content filtering.

  • Web threat protection prevents access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you explicitly block.
  • Web content filtering (preview) prevents access to certain sites based on their category. Categories can include adult content, leisure sites, legal liability sites, and more.

To learn more, see web protection.

Network protection

With network protection, you can prevent your organization from accessing dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet.

To learn more, see Protect your network.

Network firewall

With network firewall protection, you can set rules that determine which network traffic is permitted to flow to or from your organization’s devices. With your network firewall and advanced security that you get with Defender for Endpoint, you can:

  • Reduce the risk of network security threats
  • Safeguard sensitive data and intellectual property
  • Extend your security investment

To learn more, see Windows Defender Firewall with advanced security.

Application control

Application control protects your Windows endpoints by running only trusted applications and code in the system core (kernel). Your security team can define application control rules that consider an application's attributes, such as its codesigning certificates, reputation, launching process, and more. Application control is available in Windows 10 or later.

To learn more, see Application control for Windows.

Centralized management

Defender for Endpoint Plan 1 (preview) includes the Microsoft 365 Defender portal, which enables your security team to view current information about detected threats, take appropriate actions to mitigate threats, and centrally manage your organization's threat protection settings.

To learn more, see Microsoft 365 Defender portal overview.

Role-based access control

Using role-based access control (RBAC), your security administrator can create roles and groups to grant appropriate access to the Microsoft 365 Defender portal (https://security.microsoft.com). With RBAC, you have fine-grained control over who can access the security center, and what they can see and do.

To learn more, see Manage portal access using role-based access control.


The Microsoft 365 Defender portal (https://security.microsoft.com) provides easy access to information about detected threats and actions to address those threats.

  • The Home page includes cards to show at a glance which users or devices are at risk, how many threats were detected, and what alerts/incidents were created.
  • The Incidents & alerts section lists any incidents that were created as a result of triggered alerts. Alerts and incidents are generated as threats are detected across devices.
  • The Action center lists remediation actions that were taken. For example, if a file is sent to quarantine, or a URL is blocked, each action is listed in the Action center on the History tab.
  • The Reports section includes reports that show threats detected and their status.

To learn more, see Get started with Microsoft Defender for Endpoint Plan 1 (preview).


With the Defender for Endpoint APIs, you can automate workflows and integrate with your organization’s custom solutions.

To learn more, see Defender for Endpoint APIs.

Cross-platform support

Most organizations use various devices and operating systems. Currently, Defender for Endpoint Plan 1 (preview) supports the following operating systems:

  • Windows 10, version 1709, or later
  • macOS: 11.5 (Big Sur), 10.15.7 (Catalina), or 10.14.6 (Mojave)
  • iOS
  • Android OS

Next steps