Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a holistic, cloud-delivered, endpoint security solution. Its main features are:
- Risk-based vulnerability management and assessment
- Attack surface reduction
- Behavioral based and cloud-powered protection
- Endpoint detection and response (EDR)
- Automatic investigation and remediation
- Managed hunting services
Originally launched as Windows Defender ATP, this EDR product was renamed Microsoft Defender ATP in 2019.
At Ignite 2020, we launched the Microsoft Defender for Cloud XDR suite, and this EDR component was renamed Microsoft Defender for Endpoint.
| | |
|---|---|
| Release state: | General availability (GA) |
| Pricing: | Requires Microsoft Defender for Servers Plan 1 or Plan 2 |
| Supported environments: | Azure Arc-enabled machines running Windows/Linux<br>Azure VMs running Linux (supported versions)<br>Azure VMs running Windows Server 2022, 2019, 2016, 2012 R2, 2008 R2 SP1, Azure Virtual Desktop (formerly Windows Virtual Desktop), Windows 10 Enterprise multi-session (formerly Enterprise for Virtual Desktops)<br>Azure VMs running Windows 11 or Windows 10 (except if running Azure Virtual Desktop or Windows 10 Enterprise multi-session) |
| Required roles and permissions: | To enable/disable the integration: Security admin or Owner<br>To view Defender for Endpoint alerts in Defender for Cloud: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security admin, Subscription owner, or Subscription Contributor |
| Clouds: | Azure Government (Windows only)<br>Azure China 21Vianet<br>Connected AWS accounts |
Benefits of integrating Microsoft Defender for Endpoint with Defender for Cloud
Microsoft Defender for Endpoint protects your Windows and Linux machines whether they're hosted in Azure, hybrid clouds (on-premises), or AWS. Protections include:
Advanced post-breach detection sensors. Defender for Endpoint's sensors collect a vast array of behavioral signals from your machines.
Vulnerability assessment from the Microsoft threat and vulnerability management solution. With Microsoft Defender for Endpoint enabled, Defender for Cloud can show vulnerabilities discovered by the threat and vulnerability management module and also offer this module as a supported vulnerability assessment solution. Learn more in Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management.
Analytics-based, cloud-powered, post-breach detection. Defender for Endpoint quickly adapts to changing threats. It uses advanced analytics and big data. It's amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.
Threat intelligence. Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.
By integrating Defender for Endpoint with Defender for Cloud, you'll benefit from the following extra capabilities:
Automated onboarding. Defender for Cloud automatically enables the Defender for Endpoint sensor on all supported machines connected to Defender for Cloud.
Single pane of glass. The Defender for Cloud portal pages display Defender for Endpoint alerts. To investigate further, use Microsoft Defender for Endpoint's own portal pages where you'll see additional information such as the alert process tree and the incident graph. You can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.
What are the requirements for the Microsoft Defender for Endpoint tenant?
When you use Defender for Cloud to monitor your machines, a Defender for Endpoint tenant is automatically created.
- Location: Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. Customer data - in pseudonymized form - may also be stored in the central storage and processing systems in the United States. After you've configured the location, you can't change it. If you have your own license for Microsoft Defender for Endpoint and need to move your data to another location, contact Microsoft support to reset the tenant.
- Moving subscriptions: If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud will deploy Defender for Endpoint. For full details, contact Microsoft support.
Enable the Microsoft Defender for Endpoint integration
- Confirm that your machine meets the necessary requirements for Defender for Endpoint.
- Ensure the machine is connected to Azure and the internet as required:
  - On-premises machines - Connect your target machines to Azure Arc as explained in Connect hybrid machines with Azure Arc-enabled servers.
- Enable Microsoft Defender for Servers. See Quickstart: Enable Defender for Cloud's enhanced security features.
Defender for Cloud's integration with Microsoft Defender for Endpoint is enabled by default. So when you enable enhanced security features, you give consent for Microsoft Defender for Servers to access the Microsoft Defender for Endpoint data related to vulnerabilities, installed software, and alerts for your endpoints.
If you've moved your subscription between Azure tenants, some manual preparatory steps are also required. For full details, contact Microsoft support.
Enable the integration
- From Defender for Cloud's menu, select Environment settings and select the subscription with the Windows machines that you want to receive Defender for Endpoint.
- Select Allow Microsoft Defender for Endpoint to access my data, and select Save.
Microsoft Defender for Cloud will automatically onboard your machines to Microsoft Defender for Endpoint. Onboarding might take up to 12 hours. For new machines created after the integration has been enabled, onboarding takes up to an hour.
Access the Microsoft Defender for Endpoint portal
Ensure the user account has the necessary permissions. Learn more in Assign user access to Microsoft Defender Security Center.
Check whether you have a proxy or firewall that is blocking anonymous traffic. The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted. To ensure unhindered access to the Defender for Endpoint portal, follow the instructions in Enable access to service URLs in the proxy server.
Open the Defender for Endpoint Security Center portal. Learn more about the portal's features and icons, in Defender for Endpoint Security Center portal overview.
Send a test alert
To generate a benign test alert from Defender for Endpoint, select the tab for the relevant operating system of your endpoint:
For endpoints running Windows:
- Create a folder 'C:\test-MDATP-test'.
- Use Remote Desktop to access your machine.
- Open a command-line window.
- At the prompt, copy and run the following command. The command prompt window will close automatically.

```powershell
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'
```
If the command is successful, you'll see a new alert on the workload protection dashboard and the Microsoft Defender for Endpoint portal. This alert might take a few minutes to appear.
To review the alert in Defender for Cloud, go to Security alerts > Suspicious PowerShell CommandLine.
From the investigation window, select the link to go to the Microsoft Defender for Endpoint portal.
The alert is triggered with Informational severity.
Remove Defender for Endpoint from a machine
To remove the Defender for Endpoint solution from your machines:
Disable the integration:
- From Defender for Cloud's menu, select Environment settings and select the subscription with the relevant machines.
- Open Integrations and clear the checkbox for Allow Microsoft Defender for Endpoint to access my data.
- Select Save.
Remove the MDE.Windows/MDE.Linux extension from the machine.
Follow the steps in Offboard devices from the Microsoft Defender for Endpoint service from the Defender for Endpoint documentation.
FAQ - Microsoft Defender for Cloud integration with Microsoft Defender for Endpoint
- What's this "MDE.Windows" / "MDE.Linux" extension running on my machine?
- What are the licensing requirements for Microsoft Defender for Endpoint?
- If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Microsoft Defender for Servers?
- How do I switch from a third-party EDR tool?
What's this "MDE.Windows" / "MDE.Linux" extension running on my machine?
In the past, Microsoft Defender for Endpoint was provisioned by the Log Analytics agent. When we expanded support to include Windows Server 2019 and Linux, we also added an extension to perform the automatic onboarding.
Defender for Cloud automatically deploys the extension to machines running:
- Windows Server 2019 and Windows Server 2022.
- Windows 10 on Azure Virtual Desktop.
- Other versions of Windows Server if Defender for Cloud doesn't recognize the OS version (for example, when a custom VM image is used). In this case, Microsoft Defender for Endpoint is still provisioned by the Log Analytics agent.
If you delete the MDE.Windows/MDE.Linux extension, it won't remove Microsoft Defender for Endpoint. To 'offboard', see Offboard Windows servers.
I've enabled the solution but the "MDE.Windows" / "MDE.Linux" extension isn't showing on my machine
If you've enabled the integration, but still don't see the extension running on your machines, check the following:
- If 12 hours haven't passed since you enabled the solution, wait until the end of this period before concluding there's an issue to investigate.
- After 12 hours have passed, if you still don't see the extension running on your machines, check that you've met Prerequisites for the integration.
- Ensure you've enabled the Microsoft Defender for Servers plan for the subscriptions related to the machines you're investigating.
- If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud will deploy Defender for Endpoint. For full details, contact Microsoft support.
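As an added example (not from this page or from Microsoft), a small Python triage helper that walks the checklist above, in the page's order, over constructed extension records shaped like `az vm extension list` output; machine names, timestamps and the publisher string are assumptions:

```python
from datetime import datetime, timedelta, timezone

MDE_EXTENSION_TYPES = {"MDE.Windows", "MDE.Linux"}  # extension names from the page
ONBOARDING_WINDOW = timedelta(hours=12)             # the page: wait up to 12 hours

def mde_extension_state(extensions):
    """Return (present, provisioningState) for the MDE extension among one
    machine's extension records (fields as in `az vm extension list` JSON)."""
    for ext in extensions:
        ext_type = ext.get("typePropertiesType") or ext.get("name")
        if ext_type in MDE_EXTENSION_TYPES:
            return True, ext.get("provisioningState")
    return False, None

def triage(machine, wdatp_enabled, servers_plan_enabled, now):
    """Walk the checklist in order and return the first finding."""
    present, state = mde_extension_state(machine["extensions"])
    if present and state == "Succeeded":
        return "ok"
    if present:
        return f"extension present but provisioningState={state}"
    elapsed = now - machine["integration_enabled_at"]
    if elapsed < ONBOARDING_WINDOW:
        return "wait: less than 12 hours since the integration was enabled"
    if not wdatp_enabled:
        return "prerequisite missing: 'Allow Microsoft Defender for Endpoint to access my data' is off"
    if not servers_plan_enabled:
        return "Defender for Servers plan not enabled for this subscription"
    return "12 hours elapsed and prerequisites met: check for a tenant move and contact support"

# Constructed sample inventory (hypothetical names, timestamps and publisher).
NOW = datetime(2024, 1, 2, 8, 0, tzinfo=timezone.utc)
SAMPLE_MACHINES = [
    {"name": "vm-onboarded", "integration_enabled_at": datetime(2024, 1, 1, tzinfo=timezone.utc),
     "extensions": [{"name": "MDE.Windows", "publisher": "Microsoft.Azure.AzureDefenderForServers",
                     "typePropertiesType": "MDE.Windows", "provisioningState": "Succeeded"}]},
    {"name": "vm-fresh", "integration_enabled_at": datetime(2024, 1, 2, 2, 0, tzinfo=timezone.utc),
     "extensions": []},
    {"name": "vm-stale", "integration_enabled_at": datetime(2023, 12, 30, tzinfo=timezone.utc),
     "extensions": [{"name": "AzureMonitorLinuxAgent", "typePropertiesType": "AzureMonitorLinuxAgent",
                     "provisioningState": "Succeeded"}]},
]

def triage_all(machines=SAMPLE_MACHINES, wdatp_enabled=False, servers_plan_enabled=True, now=NOW):
    """Map each machine name to its finding for a whole inventory."""
    return {m["name"]: triage(m, wdatp_enabled, servers_plan_enabled, now) for m in machines}

if __name__ == "__main__":
    for name, finding in triage_all().items():
        print(f"{name}: {finding}")
```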
What are the licensing requirements for Microsoft Defender for Endpoint?
Defender for Endpoint is included at no extra cost with Microsoft Defender for Servers. Alternatively, it can be purchased separately for 50 machines or more.
If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Microsoft Defender for Servers?
If you've already got a license for Microsoft Defender for Endpoint for Servers, you won't have to pay for that part of your Microsoft Defender for Servers Plan 2 license. Learn more about this license.
To request your discount, contact Defender for Cloud's support team. You'll need to provide the relevant workspace ID, region, and number of Microsoft Defender for Endpoint for servers licenses applied for machines in the given workspace.
The discount will be effective starting from the approval date, and won't take place retroactively.
Does Microsoft Defender for Servers support the new unified Microsoft Defender for Endpoint agent for Windows Server 2012 R2 and 2016?
Defender for Servers Plan 1 deploys the new Microsoft Defender for Endpoint solution stack for Windows Server 2012 R2 and 2016, which does not use or require installation of the Microsoft Monitoring Agent (MMA).
How do I switch from a third-party EDR tool?
Full instructions for switching from a non-Microsoft endpoint solution are available in the Microsoft Defender for Endpoint documentation: Migration overview.