Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.
Microsoft Defender for Endpoint is a holistic, cloud delivered endpoint security solution. Its main features are:
- Risk-based vulnerability management and assessment
- Attack surface reduction
- Behavioral based and cloud-powered protection
- Endpoint detection and response (EDR)
- Automatic investigation and remediation
- Managed hunting services
Originally launched as Windows Defender ATP, this Endpoint Detection and Response (EDR) product was renamed in 2019 as Microsoft Defender ATP.
At Ignite 2020, we launched the Microsoft Defender for Cloud XDR suite and this EDR component was renamed Microsoft Defender for Endpoint.
|Release state:||• Integration with Defender for Endpoint for Windows - General availability (GA)
• Integration with Defender for Endpoint for Linux - General availability (GA)
|Pricing:||Requires Microsoft Defender for servers|
Azure Arc machines running Windows/Linux
Azure VMs running Linux (supported versions)
Azure VMs running Windows Server 2022, 2019, 2016, 2012 R2, 2008 R2 SP1, Windows Virtual Desktop (WVD), Windows 10 Enterprise multi-session (formerly Enterprise for Virtual Desktops (EVD)
Azure VMs running Windows 10 (other than EVD or WVD)
|Required roles and permissions:||• To enable/disable the integration: Security admin or Owner
• To view Defender for Endpoint alerts in Defender for Cloud: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security admin, Subscription owner, or Subscription Contributor
Azure China 21Vianet
Benefits of integrating Microsoft Defender for Endpoint with Defender for Cloud
Microsoft Defender for Endpoint provides:
Advanced post-breach detection sensors. Defender for Endpoint's sensors collect a vast array of behavioral signals from your machines.
Vulnerability assessment from the Microsoft threat and vulnerability management solution. With Microsoft Defender for Endpoint enabled, Defender for Cloud can show vulnerabilities discovered by the threat and vulnerability management module and also offer this module as a supported vulnerability assessment solution. Learn more in Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management.
Analytics-based, cloud-powered, post-breach detection. Defender for Endpoint quickly adapts to changing threats. It uses advanced analytics and big data. It's amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.
Threat intelligence. Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.
By integrating Defender for Endpoint with Defender for Cloud, you'll benefit from the following extra capabilities:
Automated onboarding. Defender for Cloud automatically enables the Defender for Endpoint sensor on all supported machines connected to Defender for Cloud.
Single pane of glass. The Defender for Cloud portal pages display Defender for Endpoint alerts. To investigate further, use Microsoft Defender for Endpoint's own portal pages where you'll see additional information such as the alert process tree and the incident graph. You can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.
What are the requirements for the Microsoft Defender for Endpoint tenant?
When you use Defender for Cloud to monitor your machines, a Defender for Endpoint tenant is automatically created.
- Location: Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. Customer data - in pseudonymized form - may also be stored in the central storage and processing systems in the United States. After you've configured the location, you can't change it. If you have your own license for Microsoft Defender for Endpoint and need to move your data to another location, contact Microsoft support to reset the tenant.
- Moving subscriptions: If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud will deploy Defender for Endpoint. For full details, contact Microsoft support.
Enable the Microsoft Defender for Endpoint integration
Confirm that your machine meets the necessary requirements for Defender for Endpoint:
Ensure the machine is connected to Azure and the internet as required:
On-premises machines - Connect your target machines to Azure Arc as explained in Connect hybrid machines with Azure Arc-enabled servers.
Enable Microsoft Defender for servers. See Quickstart: Enable Defender for Cloud's enhanced security features.
Defender for Cloud’s integration with Microsoft Defender for Endpoint is enabled by default. So when you enable enhanced security features, you give consent for Microsoft Defender for servers to access the Microsoft Defender for Endpoint data related to vulnerabilities, installed software, and alerts for your endpoints.
If you've moved your subscription between Azure tenants, some manual preparatory steps are also required. For full details, contact Microsoft support.
Enable the integration
From Defender for Cloud's menu, select Environment settings and select the subscription with the Windows machines that you want to receive Defender for Endpoint.
Select Allow Microsoft Defender for Endpoint to access my data, and select Save.
Microsoft Defender for Cloud will automatically onboard your machines to Microsoft Defender for Endpoint. Onboarding might take up to 24 hours.
Access the Microsoft Defender for Endpoint portal
Ensure the user account has the necessary permissions. Learn more in Assign user access to Microsoft Defender Security Center.
Check whether you have a proxy or firewall that is blocking anonymous traffic. The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted. To ensure unhindered access to the Defender for Endpoint portal, follow the instructions in Enable access to service URLs in the proxy server.
Open the Defender for Endpoint Security Center portal. Learn more about the portal's features and icons, in Defender for Endpoint Security Center portal overview.
Send a test alert
To generate a benign test alert from Defender for Endpoint, select the tab for the relevant operating system of your endpoint:
For endpoints running Windows:
Create a folder 'C:\test-MDATP-test'.
Use Remote Desktop to access your machine.
Open a command-line window.
At the prompt, copy and run the following command. The command prompt window will close automatically.
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'
If the command is successful, you'll see a new alert on the workload protection dashboard and the Microsoft Defender for Endpoint portal. This alert might take a few minutes to appear.
To review the alert in Defender for Cloud, go to Security alerts > Suspicious PowerShell CommandLine.
From the investigation window, select the link to go to the Microsoft Defender for Endpoint portal.
The alert is triggered with Informational severity.
FAQ - Microsoft Defender for Cloud integration with Microsoft Defender for Endpoint
- What's this "MDE.Windows" / "MDE.Linux" extension running on my machine?
- What are the licensing requirements for Microsoft Defender for Endpoint?
- If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Microsoft Defender for servers?
- How do I switch from a third-party EDR tool?
What's this "MDE.Windows" / "MDE.Linux" extension running on my machine?
In the past, Microsoft Defender for Endpoint was provisioned by the Log Analytics agent. When we expanded support to include Windows Server 2019 and Linux, we also added an extension to perform the automatic onboarding.
Defender for Cloud automatically deploys the extension to machines running:
- Windows Server 2019.
- Windows 10 Virtual Desktop (WVD).
- Other versions of Windows Server if Defender for Cloud doesn't recognize the OS version (for example, when a custom VM image is used). In this case, Microsoft Defender for Endpoint is still provisioned by the Log Analytics agent.
If you delete the MDE.Windows extension, it will not remove Microsoft Defender for Endpoint. to 'offboard', see Offboard Windows servers..
What are the licensing requirements for Microsoft Defender for Endpoint?
Defender for Endpoint is included at no extra cost with Microsoft Defender for servers. Alternatively, it can be purchased separately for 50 machines or more.
If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Microsoft Defender for servers?
If you've already got a license for Microsoft Defender for Endpoint for Servers (purchased through an Office E5 explicit "Defender for Endpoint Servers" license), you won't have to pay for that part of your Microsoft Defender for servers license. Learn more about this license.
To request your discount, contact Defender for Cloud's support team. You'll need to provide the relevant workspace ID, region, and number of Microsoft Defender for Endpoint licenses applied for machines in the given workspace.
The discount will be effective starting from the approval date, and won't take place retroactively.
How do I switch from a third-party EDR tool?
Full instructions for switching from a non-Microsoft endpoint solution are available in the Microsoft Defender for Endpoint documentation: Migration overview.