Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint

With Microsoft Defender for Servers, you can deploy Microsoft Defender for Endpoint Plan 2 to your server resources. Microsoft Defender for Endpoint is a holistic, cloud-delivered, endpoint security solution. Its main features are:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction
  • Behavioral based and cloud-powered protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

Tip

Originally launched as Windows Defender ATP, this EDR product was renamed Microsoft Defender ATP in 2019.

At Ignite 2020, we launched the Microsoft Defender for Cloud XDR suite, and this EDR component was renamed Microsoft Defender for Endpoint (MDE).

Availability

Release state: General availability (GA)

Pricing: Requires Microsoft Defender for Servers Plan 1 or Plan 2

Supported environments:
  • Azure Arc-enabled machines running Windows/Linux
  • Azure VMs running Linux (supported versions)
  • Azure VMs running Windows Server 2022, 2019, 2016, 2012 R2, 2008 R2 SP1, Azure Virtual Desktop (formerly Windows Virtual Desktop), Windows 10 Enterprise multi-session (formerly Enterprise for Virtual Desktops)
  • Azure VMs running Windows 11 or Windows 10 (except if running Azure Virtual Desktop or Windows 10 Enterprise multi-session)

Required roles and permissions:
  • To enable/disable the integration: Security admin or Owner
  • To view Defender for Endpoint alerts in Defender for Cloud: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security admin, Subscription owner, or Subscription Contributor

Clouds:
  • Commercial clouds
  • Azure Government (Windows only)
  • Azure China 21Vianet
  • Connected AWS accounts

Benefits of integrating Microsoft Defender for Endpoint with Defender for Cloud

Microsoft Defender for Endpoint Plan 2 protects your Windows and Linux machines whether they're hosted in Azure, hybrid clouds (on-premises), or AWS. Protections include:

  • Advanced post-breach detection sensors. Defender for Endpoint's sensors collect a vast array of behavioral signals from your machines.

  • Vulnerability assessment from the Microsoft threat and vulnerability management solution. With Microsoft Defender for Endpoint installed, Defender for Cloud can show vulnerabilities discovered by the threat and vulnerability management module and also offer this module as a supported vulnerability assessment solution. Learn more in Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management.

    This module also brings the software inventory features described in Access a software inventory and can be automatically enabled for supported machines with the auto deploy settings.

  • Analytics-based, cloud-powered, post-breach detection. Defender for Endpoint quickly adapts to changing threats. It uses advanced analytics and big data. It's amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.

  • Threat intelligence. Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

By integrating Defender for Endpoint with Defender for Cloud, you'll benefit from the following extra capabilities:

  • Automated onboarding. Defender for Cloud automatically enables the Defender for Endpoint sensor on all supported machines connected to Defender for Cloud.

  • Single pane of glass. The Defender for Cloud portal pages display Defender for Endpoint alerts. To investigate further, use Microsoft Defender for Endpoint's own portal pages where you'll see additional information such as the alert process tree and the incident graph. You can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.

    Microsoft Defender for Endpoint's own Security Center

What are the requirements for the Microsoft Defender for Endpoint tenant?

When you use Defender for Cloud to monitor your machines, a Defender for Endpoint tenant is automatically created.

  • Location: Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. Customer data - in pseudonymized form - may also be stored in the central storage and processing systems in the United States. After you've configured the location, you can't change it. If you have your own license for Microsoft Defender for Endpoint and need to move your data to another location, contact Microsoft support to reset the tenant.
  • Moving subscriptions: If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud will deploy Defender for Endpoint. For full details, contact Microsoft support.

Enable the Microsoft Defender for Endpoint integration

Prerequisites

Confirm that your machine meets the necessary requirements for Defender for Endpoint:

  1. Ensure the machine is connected to Azure and the internet as required:

  2. Enable Microsoft Defender for Servers. See Quickstart: Enable Defender for Cloud's enhanced security features.

    Important

    Defender for Cloud's integration with Microsoft Defender for Endpoint is enabled by default. So when you enable enhanced security features, you give consent for Microsoft Defender for Servers to access the Microsoft Defender for Endpoint data related to vulnerabilities, installed software, and alerts for your endpoints.

  3. For Windows servers, make sure that your servers meet the requirements for onboarding Microsoft Defender for Endpoint.

  4. If you've moved your subscription between Azure tenants, some manual preparatory steps are also required. For full details, contact Microsoft support.

Enable the integration

The new MDE unified solution doesn't use or require installation of the Log Analytics agent. The unified solution is automatically deployed for all Windows servers connected through Azure Arc and multicloud servers connected through the multicloud connectors, except for Windows 2012 R2 and 2016 servers on Azure that are protected by Defender for Servers Plan 2. You can choose to deploy the MDE unified solution to those machines.

You'll deploy Defender for Endpoint to your Windows machines in one of two ways - depending on whether you've already deployed it to your Windows machines:

Users with Defender for Servers enabled and Microsoft Defender for Endpoint deployed

If you've already enabled the integration with Defender for Endpoint, you have complete control over when and whether to deploy the MDE unified solution to your Windows machines.

  1. From Defender for Cloud's menu, select Environment settings and select the subscription with the Windows machines that you want to receive Defender for Endpoint.

  2. Select Integrations. You'll know that the integration is enabled if the checkbox for Allow Microsoft Defender for Endpoint to access my data is selected as shown:

    The integration between Microsoft Defender for Cloud and Microsoft's EDR solution, Microsoft Defender for Endpoint, is enabled.

  3. To deploy the MDE unified solution to your Windows Server 2012 R2 and 2016 machines:

    1. Select Enable unified solution.
    2. Select Save.
    3. In the confirmation prompt, verify the information and select Enable to continue.

    Confirming the use of the MDE unified solution for Windows Server 2012 R2 and 2016 machines

    Microsoft Defender for Cloud will:

    • Stop the existing MDE process in the Log Analytics agent that collects data for Defender for Servers.
    • Install the MDE unified solution for all existing and new Windows Server 2012 R2 and 2016 machines.
    • Remove the Enable unified solution from the Integrations options.

    Microsoft Defender for Cloud will automatically onboard your machines to Microsoft Defender for Endpoint. Onboarding might take up to 12 hours. For new machines created after the integration has been enabled, onboarding takes up to an hour.

    Note

    If you choose not to deploy the MDE unified solution to your Windows 2012 R2 and 2016 servers in Defender for Servers Plan 2 and then downgrade Defender for Servers to Plan 1, the MDE unified solution is not deployed to those servers so that your existing deployment is not changed without your explicit consent.

Users who never enabled the integration with Microsoft Defender for Endpoint for Windows

If you've never enabled the integration for Windows, the Allow Microsoft Defender for Endpoint to access my data option will enable Defender for Cloud to deploy Defender for Endpoint to both your Windows and Linux machines.

  1. From Defender for Cloud's menu, select Environment settings and select the subscription with the machines that you want to receive Defender for Endpoint.

  2. Select Integrations.

  3. Select Allow Microsoft Defender for Endpoint to access my data, and select Save.

The MDE agent unified solution is deployed to all of the machines in the selected subscription.
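The two portal procedures above (enabling "Allow Microsoft Defender for Endpoint to access my data", and optionally "Enable unified solution" for Windows Server 2012 R2 and 2016) can also be driven from a script, which is useful when you manage many subscriptions. The following PowerShell is an added example, not code from the Defender for Cloud documentation. It assumes the Az.Accounts module, an existing Connect-AzAccount session held by a Security admin or Owner, and that the Microsoft.Security setting names `WDATP` and `WDATP_UNIFIED_SOLUTION` and the api-version `2021-06-01` match the current REST API reference; check those against the reference before relying on them.

```powershell
# Added example: enable the Defender for Endpoint integration for a subscription
# through the Microsoft.Security/settings REST API instead of the Integrations page.
# Assumptions (labelled): setting names 'WDATP' and 'WDATP_UNIFIED_SOLUTION' and
# api-version '2021-06-01' are taken from the author's reading of the REST API
# reference. Requires Az.Accounts and a Connect-AzAccount session.

param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    # Also opt Windows Server 2012 R2 / 2016 machines into the MDE unified solution
    [switch] $EnableUnifiedSolution
)

$apiVersion = '2021-06-01'   # assumption: stable api-version for Microsoft.Security/settings

function Set-DefenderSetting {
    param([string] $Name, [bool] $Enabled)

    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/settings/$Name?api-version=$apiVersion"
    # Settings of kind DataExportSettings carry a single boolean 'enabled' property
    $body = @{ kind = 'DataExportSettings'; properties = @{ enabled = $Enabled } } | ConvertTo-Json -Compress

    $response = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
    if ($response.StatusCode -notin 200, 201) {
        throw "PUT $Name failed with HTTP $($response.StatusCode): $($response.Content)"
    }

    # Read the setting back so the script reports the persisted state, not the request
    $current = (Invoke-AzRestMethod -Method GET -Path $path).Content | ConvertFrom-Json
    [pscustomobject]@{ Setting = $Name; Enabled = $current.properties.enabled }
}

# 'WDATP' corresponds to "Allow Microsoft Defender for Endpoint to access my data"
Set-DefenderSetting -Name 'WDATP' -Enabled $true

if ($EnableUnifiedSolution) {
    # 'WDATP_UNIFIED_SOLUTION' corresponds to the "Enable unified solution" option
    Set-DefenderSetting -Name 'WDATP_UNIFIED_SOLUTION' -Enabled $true
}
```

Run it as `.\Enable-MdeIntegration.ps1 -SubscriptionId <id>` for the plain integration, or add `-EnableUnifiedSolution` to mirror step 3 of the "Users with Defender for Servers enabled" procedure. The read-back after each PUT matters: the portal checkbox reflects the stored setting, so reporting the GET result is the only way the script can prove the change landed.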

Access the Microsoft Defender for Endpoint portal

  1. Ensure the user account has the necessary permissions. Learn more in Assign user access to Microsoft Defender Security Center.

  2. Check whether you have a proxy or firewall that is blocking anonymous traffic. The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted. To ensure unhindered access to the Defender for Endpoint portal, follow the instructions in Enable access to service URLs in the proxy server.

  3. Open the Defender for Endpoint Security Center portal. Learn more about the portal's features and icons, in Defender for Endpoint Security Center portal overview.

Send a test alert

To generate a benign test alert from Defender for Endpoint, select the tab for the relevant operating system of your endpoint:

For endpoints running Windows:

  1. Create a folder 'C:\test-MDATP-test'.

  2. Use Remote Desktop to access your machine.

  3. Open a command-line window.

  4. At the prompt, copy and run the following command. The command prompt window will close automatically.

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'
    

    A command prompt window with the command to generate a test alert.

    If the command is successful, you'll see a new alert on the workload protection dashboard and the Microsoft Defender for Endpoint portal. This alert might take a few minutes to appear.

  5. To review the alert in Defender for Cloud, go to Security alerts > Suspicious PowerShell CommandLine.

  6. From the investigation window, select the link to go to the Microsoft Defender for Endpoint portal.

    Tip

    The alert is triggered with Informational severity.
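If the test alert never appears, the usual cause is a sensor that is installed but not onboarded or not running, rather than a detection problem. The following PowerShell is an added example, not part of the Defender for Cloud documentation, for checking that on the Windows server itself before you run the command above. It assumes the `Sense` service name and the `OnboardingState` value under `HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`, which are the indicators the author knows from Defender for Endpoint onboarding troubleshooting guidance, and an elevated PowerShell session on the server.

```powershell
# Added example: confirm the Defender for Endpoint sensor is installed, onboarded
# and running on this Windows server before sending the benign test alert.
# Assumptions (labelled): service name 'Sense' and registry value 'OnboardingState'
# under the Windows Advanced Threat Protection\Status key, as the author knows
# them from MDE troubleshooting guidance. Run elevated on the server.

function Get-MdeOnboardingStatus {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $sense     = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # OnboardingState = 1 means the sensor has accepted an onboarding package
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
                            -ErrorAction SilentlyContinue).OnboardingState

    [pscustomobject]@{
        SenseServicePresent = [bool] $sense
        SenseServiceStatus  = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        OnboardingState     = if ($null -ne $onboardingState) { $onboardingState } else { 'NotSet' }
        # Both conditions must hold for the sensor to report behaviour to the cloud service
        Onboarded           = ($onboardingState -eq 1) -and ($sense.Status -eq 'Running')
    }
}

$status = Get-MdeOnboardingStatus
$status | Format-List

if (-not $status.Onboarded) {
    Write-Warning 'Sensor is not onboarded or not running; fix this before expecting the test alert.'
    exit 1
}
```

A machine that reports `Onboarded : True` and still produces no alert after a few minutes is worth checking for proxy or firewall rules that block the sensor's system-context traffic, as described under "Access the Microsoft Defender for Endpoint portal". On Linux the equivalent local check is `mdatp health`, which reports whether the sensor is licensed and healthy.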

Remove Defender for Endpoint from a machine

To remove the Defender for Endpoint solution from your machines:

  1. Disable the integration:

    1. From Defender for Cloud's menu, select Environment settings and select the subscription with the relevant machines.
    2. Open Integrations and clear the checkbox for Allow Microsoft Defender for Endpoint to access my data.
    3. Select Save.
  2. Remove the MDE.Windows/MDE.Linux extension from the machine.

  3. Follow the steps in Offboard devices from the Microsoft Defender for Endpoint service from the Defender for Endpoint documentation.

FAQ - Microsoft Defender for Cloud integration with Microsoft Defender for Endpoint

What's this "MDE.Windows" / "MDE.Linux" extension running on my machine?

In the past, Microsoft Defender for Endpoint was provisioned by the Log Analytics agent. When we expanded support to include Windows Server 2019 and Linux, we also added an extension to perform the automatic onboarding.

Defender for Cloud automatically deploys the extension to machines running:

  • Windows Server 2019 and Windows Server 2022.
  • Windows 10 on Azure Virtual Desktop.
  • Other versions of Windows Server if Defender for Cloud doesn't recognize the OS version (for example, when a custom VM image is used). In this case, Microsoft Defender for Endpoint is still provisioned by the Log Analytics agent.
  • Linux.

Important

If you delete the MDE.Windows/MDE.Linux extension, it will not remove Microsoft Defender for Endpoint. To offboard, see Offboard Windows servers.

I enabled the solution but the "MDE.Windows" / "MDE.Linux" extension isn't showing on my machine

If you enabled the integration, but still don't see the extension running on your machines:

  1. If 12 hours haven't passed since you enabled the solution, wait until the end of this period to be sure there's an issue to investigate.
  2. After 12 hours pass, if you still don't see the extension running on your machines, check that you've met Prerequisites for the integration.
  3. Ensure you've enabled the Microsoft Defender for Servers plan for the subscriptions related to the machines you're investigating.
  4. If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud will deploy Defender for Endpoint. For full details, contact Microsoft support.
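Steps 2 and 3 above are easier to work through with an inventory than by opening each machine in the portal. The following PowerShell is an added example, not part of the Defender for Cloud documentation; it lists every Azure VM in the current subscription with or without the MDE.Windows/MDE.Linux extension, and first confirms that the Defender for Servers plan is enabled. It assumes the Az.Compute and Az.Security modules, that the extension types are named exactly `MDE.Windows` and `MDE.Linux` as on this page, and that `VirtualMachines` is the pricing name under which Get-AzSecurityPricing exposes the Defender for Servers plan.

```powershell
# Added example: report which Azure VMs in the current subscription are missing
# the MDE.Windows / MDE.Linux extension, after confirming Defender for Servers is on.
# Assumptions (labelled): Az.Compute and Az.Security are installed and a session
# exists; extension types 'MDE.Windows'/'MDE.Linux' are named as on this page;
# 'VirtualMachines' is the Get-AzSecurityPricing name of the Defender for Servers plan.

$mdeExtensionTypes = @('MDE.Windows', 'MDE.Linux')

# Troubleshooting step 3: without the plan, Defender for Cloud never deploys the extension
$plan = Get-AzSecurityPricing -Name 'VirtualMachines'
if ($plan.PricingTier -ne 'Standard') {
    Write-Warning "Defender for Servers is not enabled on this subscription (tier: $($plan.PricingTier))."
}

$report = foreach ($vm in Get-AzVM) {
    $extensions = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
    $mde = $extensions | Where-Object { $_.ExtensionType -in $mdeExtensionTypes } | Select-Object -First 1

    [pscustomobject]@{
        ResourceGroup     = $vm.ResourceGroupName
        Name              = $vm.Name
        OsType            = $vm.StorageProfile.OsDisk.OsType
        MdeExtension      = if ($mde) { $mde.ExtensionType } else { '(missing)' }
        ProvisioningState = if ($mde) { $mde.ProvisioningState } else { '' }
    }
}

# Machines still '(missing)' after the 12-hour onboarding window are the ones to investigate;
# a present extension in a failed ProvisioningState points at the machine rather than the integration.
$report | Sort-Object MdeExtension, Name | Format-Table -AutoSize
```

Run it after `Set-AzContext -Subscription <id>` for the subscription you are investigating. Azure Arc-enabled machines are not covered by Get-AzVM; for those, query their extensions with the Az.ConnectedMachine module in the same way.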

What are the licensing requirements for Microsoft Defender for Endpoint?

Defender for Endpoint is included at no extra cost with Microsoft Defender for Servers. Alternatively, it can be purchased separately for 50 machines or more.

If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Microsoft Defender for Servers?

If you already have a license for Microsoft Defender for Endpoint for Servers, you won't pay for that part of your Microsoft Defender for Servers Plan 2 license. Learn more about the Microsoft 365 license.

To request your discount, contact Defender for Cloud's support team. You'll need to provide the relevant workspace ID, region, and number of Microsoft Defender for Endpoint for servers licenses applied for machines in the given workspace.

The discount will be effective starting from the approval date, and won't take place retroactively.

How do I switch from a third-party EDR tool?

Full instructions for switching from a non-Microsoft endpoint solution are available in the Microsoft Defender for Endpoint documentation: Migration overview.

Which Microsoft Defender for Endpoint plan is supported in Defender for Servers?

Defender for Servers Plan 1 and Plan 2 provide the capabilities of Microsoft Defender for Endpoint Plan 2.

Next steps