Skip to main content

What Is Microsoft Defender for Endpoint?

Media The Importance of Cloud Computing for Business Growth

How Can It Protect Your Business Computers from Modern Cyber Attacks?

Every business computer is a possible entry point for a cyber attack.

Employees use laptops and desktops to access email, customer records, financial information, cloud applications and shared business files. If one of those devices is compromised, an attacker may be able to steal passwords, access sensitive information or move further through the organisation.

Traditional antivirus remains important, but modern attacks do not always begin with an easily identifiable virus.

An attacker may use:

  • A stolen Microsoft 365 password
  • A malicious PowerShell command
  • An unsafe browser download
  • An unpatched application
  • A compromised administrator account
  • Legitimate Windows tools used maliciously
  • A convincing phishing email
  • A harmful script hidden inside a document

Microsoft Defender for Endpoint is designed to provide more than traditional antivirus protection.

It helps businesses prevent attacks, monitor activity across their devices, identify suspicious behaviour and respond when a possible compromise is detected.

Microsoft describes Defender for Endpoint as an enterprise endpoint security platform that helps organisations prevent, detect, investigate and respond to advanced threats.

What is an endpoint?

An endpoint is a device that connects to and accesses business systems or information.

Endpoints can include:

  • Desktop computers
  • Laptops
  • Apple Macs
  • Mobile phones
  • Tablets
  • Servers
  • Linux devices

These devices are regularly used outside the office and may connect through home broadband, hotel Wi-Fi, customer networks and mobile hotspots.

This makes them difficult to protect using only an office firewall.

Endpoint security places protection directly on the device so it can continue monitoring and responding even when the employee is working remotely.

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is Microsoft’s endpoint security platform for business and enterprise environments.

It brings together several layers of protection, including:

  • Next-generation antivirus
  • Endpoint detection and response
  • Attack surface reduction
  • Vulnerability management
  • Security alerts and investigations
  • Manual response actions
  • Automated investigation and remediation
  • Device security reporting
  • Integration with Microsoft Defender XDR

The exact features available depend on the licence and plan being used.

Microsoft currently offers Defender for Endpoint Plan 1 and Plan 2, alongside Microsoft Defender for Business for eligible small and medium-sized organisations.

Is Microsoft Defender for Endpoint just antivirus?

No.

Microsoft Defender Antivirus is the antimalware engine built into supported versions of Windows. It scans files, processes and activity for viruses, ransomware and other threats.

Microsoft Defender for Endpoint uses antivirus protection as one part of a wider security platform.

The difference can be explained simply:

Microsoft Defender Antivirus tries to identify and block malicious software. Microsoft Defender for Endpoint also monitors what happens before, during and after a suspected attack.

Defender for Endpoint can provide the security team with information about:

  • Which device generated the alert
  • Which employee was signed in
  • Which process was involved
  • Which files were created or changed
  • Which internet addresses were contacted
  • Whether similar activity occurred elsewhere
  • Which response actions are available

Microsoft recommends using Defender Antivirus with Defender for Endpoint because the products can share signals and coordinate protection, investigation and response.

What is next-generation protection?

Traditional antivirus products relied heavily on signatures.

A signature is a known pattern that identifies a particular malicious file. Signature-based detection remains useful, but attackers regularly change their malware to avoid being recognised.

Next-generation protection can also analyse:

  • File behaviour
  • Cloud threat intelligence
  • Machine-learning results
  • Suspicious processes
  • Script activity
  • Application reputation
  • Network communication
  • Previously unseen files

Microsoft states that Defender for Endpoint’s next-generation protection is designed to identify emerging and changing threats, including malware that continually mutates to avoid detection.

Cloud-delivered protection can allow the device to send relevant information to Microsoft’s security service for rapid analysis.

This can improve protection against recently created threats that may not yet have a traditional antivirus signature.

What is endpoint detection and response?

Endpoint detection and response, normally shortened to EDR, monitors activity across protected devices for signs of a cyber attack.

It looks beyond individual files and considers the behaviour occurring on the device.

For example, EDR may identify:

  • A suspicious PowerShell command
  • An application attempting to access stored credentials
  • Security controls being disabled
  • Unusual communication with an external server
  • A process changing large numbers of files
  • Malware attempting to spread
  • Activity associated with ransomware
  • An attacker creating persistence on the device

Microsoft describes its EDR capabilities as providing near-real-time, actionable detections that allow security analysts to understand the scope of a breach and take response actions.

This is important because an attacker may use legitimate tools rather than installing an obvious malicious application.

EDR can help identify that the way a trusted tool is being used is suspicious.

What happens when suspicious activity is detected?

When Defender for Endpoint detects possible malicious activity, it can create an alert in the Microsoft Defender portal.

Related alerts may be combined into an incident so the security team can investigate the wider sequence of events rather than reviewing every alert in isolation.

The incident may show:

  • A timeline of suspicious activity
  • Affected users
  • Compromised devices
  • Related files and processes
  • Internet connections
  • Evidence collected from the endpoint
  • Recommended actions
  • Investigation status

The Microsoft Defender portal correlates alerts and related evidence so analysts can review the breadth of an attack through one incident.

This can make it easier to establish whether the alert relates to:

  • A harmless administrative action
  • One compromised computer
  • A stolen employee account
  • A wider attack affecting several devices
  • Can Defender isolate a compromised computer?

Yes.

An authorised security administrator may be able to isolate a device from the network through the Microsoft Defender portal.

Isolation restricts the device’s ability to communicate with other computers and internet services while allowing the security team to continue investigating it through Defender.

This can be valuable during incidents involving:

Microsoft states that device isolation can help reduce further impact, limit attacker movement and prevent outcomes such as data theft or ransomware spreading across the organisation.

Isolation is a powerful action and should be used carefully.

Disconnecting a critical server or employee device may interrupt business operations. The person taking the action should understand the impact and follow the organisation’s incident-response process.

What is automated investigation and remediation?

Microsoft Defender for Endpoint Plan 2 and Microsoft Defender for Business include automated investigation and remediation capabilities.

When a suitable alert is generated, Defender can investigate related files, processes and devices using automated processes based on security investigation techniques.

Depending on the configuration and findings, it may recommend or complete actions such as:

  • Quarantining a file
  • Stopping a malicious process
  • Removing persistence
  • Restricting suspicious activity
  • Remediating detected threats

Microsoft states that automated investigation and response can examine alerts and take immediate action to help resolve breaches. Actions are recorded in the Defender Action centre so they can be reviewed.

In Defender for Endpoint, businesses can configure how much automation is permitted.

Some organisations may allow suitable remediation actions to happen automatically. Others may require the security team to review and approve actions before they are completed.

Automation can reduce the time a threat remains active, but serious incidents should still be reviewed by a security professional.

The business may need to understand:

  • How the attacker gained access
  • Which accounts were compromised
  • Whether information was stolen
  • Whether other devices are affected
  • Whether the threat has been completely removed
  • What is attack surface reduction?

The attack surface is made up of the different routes an attacker could use to compromise a device or organisation.

Attack surface reduction aims to remove or restrict risky behaviour before an attack succeeds.

Microsoft Defender for Endpoint includes attack surface reduction capabilities such as:

  • Attack surface reduction rules
  • Network protection
  • Controlled folder access
  • Exploit protection
  • Web protection
  • Device control
  • Application control

Microsoft explains that these capabilities are intended to stop risky software behaviour, prevent connections to malicious websites and reduce opportunities for attackers to gain an initial foothold.

What are attack surface reduction rules?

Attack surface reduction rules, often called ASR rules, can block or audit activities that are commonly used during cyber attacks.

Depending on the policy, they can help restrict behaviour such as:

  • Office applications creating unexpected child processes
  • Executable files launching from email content
  • Suspicious or obfuscated scripts
  • Credential theft
  • Untrusted applications running from USB devices
  • Applications using unusual methods to download files
  • Processes associated with ransomware techniques

These rules can provide valuable protection even when the file itself has not yet been identified as malware.

However, ASR rules must be introduced carefully.

An older or specialist business application may rely on behaviour that a rule considers risky.

Microsoft provides an audit mode that allows organisations to assess the likely impact of ASR rules and other controls before they begin actively blocking behaviour.

A sensible rollout may involve:

  • Enabling suitable rules in audit mode.
  • Reviewing the recorded activity.
  • Testing with selected employees.
  • Creating narrowly defined exceptions where genuinely required.
  • Moving suitable rules into block mode.

Large, undocumented exclusions can weaken protection and should be avoided.

How does Defender help prevent ransomware?

Defender for Endpoint includes several capabilities that can help reduce ransomware risk:

  • Antivirus and cloud-delivered protection
  • Behaviour monitoring
  • Endpoint detection and response
  • Attack surface reduction rules
  • Controlled folder access
  • Network protection
  • Automated investigation
  • Device isolation
  • Vulnerability management

For example, controlled folder access can restrict untrusted applications from changing information in protected folders.

EDR may detect behaviour associated with mass encryption or attempts to disable security controls.

Attack surface reduction rules may prevent the malicious script or attachment from running in the first place.

No endpoint security product can guarantee that ransomware will never succeed.

The business still needs:

  • Protected and tested backups
  • Multifactor authentication
  • Prompt software updates
  • Restricted administrator access
  • Email security
  • Employee training
  • Network segmentation
  • Security monitoring
  • An incident-response plan

Defender for Endpoint should be treated as one important layer within a broader ransomware strategy.

What is Defender Vulnerability Management?

A vulnerability is a security weakness in a device, operating system or application.

Attackers may exploit vulnerabilities to gain access, execute code or increase their permissions.

Microsoft Defender Vulnerability Management can help organisations identify:

  • Missing security updates
  • Vulnerable software
  • Unsupported applications
  • Weak security configurations
  • Exposed devices
  • Recommended security improvements

Microsoft states that Defender Vulnerability Management combines device visibility, continuous assessment and security recommendations to help organisations prioritise weaknesses on their most important assets.

This can be more useful than receiving a long unprioritised list of every available update.

The security and IT teams can consider:

  • Whether the vulnerability is actively being exploited
  • Which devices are affected
  • How important those devices are
  • Whether the device is exposed to the internet
  • Whether a security control already reduces the risk

The exact vulnerability-management features available depend on the Microsoft Defender plan and any additional licensing.

Identifying vulnerabilities also does not automatically correct them. The business still needs a process for testing, deploying and confirming the necessary updates.

Can Defender identify unmanaged devices?

Defender for Endpoint Plan 2 includes device-discovery capabilities that can help identify unmanaged assets visible on the network.

These may include:

  • Computers not yet onboarded
  • Servers
  • Printers
  • Switches
  • Routers
  • Cameras
  • Other connected equipment

Microsoft explains that device discovery uses onboarded endpoints to observe network traffic and identify devices that may otherwise remain outside the organisation’s normal security management.

This can help uncover situations such as:

  • An old server that everyone had forgotten
  • A laptop without endpoint protection
  • An unsupported printer
  • A personal device connected to the company network
  • Network equipment using an insecure configuration

Finding the device is only the first step.

The organisation must then decide whether it should be onboarded, updated, isolated, replaced or removed.

Does Defender protect Apple Macs and Linux devices?

Microsoft Defender for Endpoint supports more than Windows computers.

Microsoft provides Defender for Endpoint capabilities across platforms including:

  • Windows
  • macOS
  • Linux
  • Android
  • iOS

The exact protection and response capabilities vary by operating system. Microsoft publishes separate deployment and platform guidance for each supported system.

This can help organisations maintain one endpoint security platform across a mixed environment.

However, businesses should not assume that a policy configured for Windows will behave identically on a Mac, Linux server or mobile device.

Each platform requires appropriate:

  • Onboarding
  • Permissions
  • Security policies
  • Testing
  • Updates
  • Monitoring


How does Microsoft Intune work with Defender for Endpoint?

Microsoft Intune manages devices and security policies, while Defender for Endpoint provides threat protection, detection and response.

The two services can be connected.

Intune can be used to:

  • Onboard devices
  • Apply antivirus policies
  • Configure firewalls
  • Deploy attack surface reduction rules
  • Manage security settings
  • Check device compliance

Defender can provide Intune with device-risk information.

Conditional Access may then use that risk or compliance status when deciding whether a device should be allowed to access Microsoft 365 and other business resources.

For cloud-managed and Intune-managed environments, Microsoft recommends Intune as an onboarding approach for Defender for Endpoint.

For example, a business could create a process where:

  • Defender identifies serious malicious activity.
  • The device’s risk level increases.
  • Intune reports that the device no longer meets the company’s requirements.
  • Conditional Access blocks it from accessing sensitive company resources.
  • The security team investigates and remediates the device.
  • Access is restored when the device is considered safe.

This creates a link between security detection and access control.

How does Defender for Endpoint work with Microsoft Defender XDR?

Microsoft Defender XDR can bring together alerts and information from several Microsoft security services.

Depending on licensing and deployment, this may include signals involving:

  • Endpoint
  • Microsoft 365 email
  • User identities
  • Cloud applications
  • Business data

An attacker rarely stays within one product.

A phishing email may steal an employee’s password. The attacker may then sign in to Microsoft 365, download information and attempt to compromise the employee’s computer.

When relevant Microsoft security services are connected, Defender XDR can correlate related alerts into a broader incident.

Microsoft states that Defender XDR shares and orchestrates security signals across identities, endpoints, email, data, applications and infrastructure.

This can provide a more complete picture than viewing the endpoint alert alone.

Does Defender for Endpoint protect email?

Defender for Endpoint protects devices.

It should not be confused with Microsoft Defender for Office 365, which helps protect email and collaboration services against threats such as phishing, malicious links and harmful attachments.

A business may require both:

Defender for Endpoint to protect computers, phones and other devices.
Defender for Office 365 to protect Exchange Online, Teams, SharePoint and related communication services.

Microsoft Defender for Office 365 Plan 1 provides protection against threats including phishing, zero-day malware and business email compromise.

Endpoint protection may detect a malicious attachment after it reaches the computer.

Email security aims to identify and block the message before the employee interacts with it.

Using both creates stronger layered protection.

What is the difference between Plan 1 and Plan 2?

Microsoft Defender for Endpoint is available through different plans, and the exact licence should be checked before deployment.

Microsoft Defender for Endpoint Plan 1

Plan 1 focuses on preventative protection and manual response.

Microsoft lists capabilities including:

Next-generation antivirus
Attack surface reduction
Central security management
Manual response actions
Security alerts and reports

 


Microsoft Defender for Endpoint Plan 2

Plan 2 provides a broader endpoint detection and response service and supports additional capabilities such as automated investigation and remediation, advanced investigation and core vulnerability-management features.

Features and licensing can change, so businesses should review Microsoft’s current licensing terms rather than relying on an old comparison document.

Microsoft Defender for Business

Microsoft Defender for Business is designed for small and medium-sized organisations.

It includes endpoint security capabilities intended for businesses with up to 300 users and is included with Microsoft 365 Business Premium.

For many SMEs, Defender for Business may be more appropriate than separately purchasing Defender for Endpoint Plan 1 or Plan 2.

The correct option depends on:

  • Number of users
  • Existing Microsoft 365 licences
  • Required investigation features
  • Device types
  • Server requirements
  • Monitoring requirements
  • Wider Microsoft security services
  • Are servers automatically included?

No.

Businesses should not assume that employee Defender for Endpoint licences automatically cover Windows or Linux servers.

Microsoft states that Defender for Endpoint Plan 1 and Plan 2 do not include server licences. Servers require an appropriate option such as Defender for Servers, Defender for Endpoint Server or Defender for Business Servers for eligible SMEs.

This is important because servers may contain:

  • Business applications
  • Databases
  • Shared files
  • Authentication services
  • Backups
  • Confidential records

Protecting employee laptops while leaving important servers outside the platform can create a significant gap.

Can Defender work alongside another antivirus product?

In some configurations, Defender for Endpoint can operate alongside a non-Microsoft antivirus solution.

Microsoft Defender Antivirus may enter passive mode while Defender for Endpoint continues providing supported detection and response capabilities.

EDR in block mode can provide an additional layer by allowing Microsoft Defender Antivirus to respond to certain post-breach behavioural detections even when another antivirus product is active.

Running several security products together must be carefully planned.

Incorrect exclusions or overlapping controls can create:

Performance problems

  • Duplicate alerts
  • Conflicting actions
  • Reduced visibility
  • Unclear responsibility

The business should define which product provides each protection and how alerts will be managed during any migration or long-term side-by-side deployment.

Does purchasing Defender mean the business is protected?

No.

Purchasing the licence does not automatically mean every device is correctly protected.

Defender for Endpoint needs to be:

  • Provisioned
  • Configured
  • Onboarded
  • Monitored
  • Tested
  • Maintained

Common deployment gaps include:

  • Devices not onboarded
  • Servers not licensed
  • Cloud protection disabled
  • Tamper protection not enabled
  • Attack surface reduction rules left unconfigured
  • Antivirus exclusions that are too broad
  • Alerts being sent to an unmonitored mailbox
  • Devices that have stopped reportingMacs and Linux systems being overlooked
  • Security incidents being detected but never investigated

A security platform is only effective when the business knows which devices are covered and somebody responds to what the system reports.

Who monitors the alerts?

This is one of the most important questions.

Defender for Endpoint may identify suspicious behaviour at:

  • 2am
  • During a weekend
  • On a bank holiday
  • While the internal IT employee is away
  • When the affected employee is travelling

If nobody is monitoring the alerts, an attacker may have time to:

  • Steal information
  • Compromise more accounts
  • Disable security controls
  • Access additional devices
  • Delete backups
  • Deploy ransomware

A business should decide:

  • Who receives critical alerts
  • Which alerts require immediate investigation
  • Whether monitoring is available outside normal hours
  • What actions the security team can tak
  • Who must be contacted
  • How the incident will be escalated

Microsoft Defender XDR can send notifications for security alerts based on criteria such as severity, but email notification alone is not the same as a monitored security service.

A managed detection and response provider can review alerts, investigate suspicious activity and take agreed containment actions on behalf of the business.

How should Defender for Endpoint be introduced?

A sensible deployment could include the following stages.

1. Review licensing

Confirm which employees, devices and servers require protection and which Microsoft licences are already available.

2. Create a device inventory

Identify:

  • Windows computers
  • Macs
  • Linux devices
  • Mobile devices
  • Servers
  • Unsupported systems
  • Devices already using another security product
     

3. Plan the security policies

Decide how the organisation will configure:

  • Antivirus
  • Cloud protection
  • Tamper protection
  • Firewalls
  • Attack surface reduction
  • Network protection
  • Device control
  • Automated remediation
  • Security notifications
     

4. Start with a pilot group

Select a small number of representative devices and employees.

Include users of important applications so potential compatibility issues can be identified.

5. Onboard devices

Microsoft supports several onboarding methods, including Intune and other deployment tools. The correct method depends on the operating system and existing management environment.

6. Review alerts and performance

Check:

  • Whether devices are reporting
  • Whether legitimate applications are being blocked
  • Whether duplicate antivirus products are conflicting
  • Whether the correct alerts are being generated
  • Whether the security team can take response actions
     

7. Introduce attack surface reduction carefully

Use audit and staged enforcement where appropriate rather than enabling every blocking rule across the whole business at once.

8. Expand the deployment

Roll out the service to the remaining supported devices and confirm that no employees, sites or servers have been missed.

9. Test incident response

Use authorised test scenarios or tabletop exercises to confirm:

  • Alerts reach the right people
  • Devices can be isolated
  • Investigation information is available
  • Escalation procedures work
  • Business owners know who will contact them


10. Review the service regularly

New employees, devices, applications and sites should be added to the security process.

The deployment should not be treated as a one-off project.

Is Microsoft Defender for Endpoint good enough for business?

Microsoft Defender for Endpoint can provide a strong endpoint security platform when it is properly licensed, configured and monitored.

Its benefits can include:

  • Integrated antivirus and EDR
  • Central device visibility
  • Attack surface reduction
  • Vulnerability information
  • Manual and automated response
  • Cross-platform support
  • Integration with Intune
  • Integration with wider Microsoft security services
  • Remote device isolation
  • Central security reporting

However, it should not be treated as a complete cyber security strategy.

Businesses still require:

  • Microsoft 365 identity protection
  • Email security
  • Multifactor authentication
  • Conditional Access
  • Secure backups
  • Security updates
  • Restricted administrator access
  • Employee awareness
  • Incident-response planning
  • Active monitoring

The product can identify and respond to threats, but somebody must still deploy it correctly and take responsibility for the security incidents it discovers.

How can Hamilton Group help?

At Hamilton Group, we help businesses deploy, configure and monitor Microsoft endpoint security.

We can assist with:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Business
  • Microsoft Defender for Office 365
  • Microsoft Intune
  • Device onboarding
  • Antivirus and firewall policies
  • Attack surface reduction rules
  • Endpoint detection and response
  • Automated investigation and remediation
  • Vulnerability management
  • Windows, Mac and mobile protection
  • Server security
  • Microsoft 365 security reviews
  • Managed detection and response
  • 24/7 cyber security monitoring
  • Incident-response planning
  • Microsoft licensing reviews

We can review your current environment and answer important questions such as:

  • Are all business devices onboarded?
  • Are servers properly licensed and protected?
  • Is Defender running in the correct mode?
  • Are security alerts being monitored?
  • Can an affected computer be isolated remotely?
  • Are attack surface reduction rules configured?
  • Are antivirus exclusions creating unnecessary risk?
  • Are Macs and remote devices included?
  • Who would investigate an alert outside normal working hours?
  • Is Defender integrated with Intune and Conditional Access?

At Hamilton Group, we aim to make first contact on IT support requests within 15 minutes. Serious security alerts can also be escalated through an agreed monitoring and incident-response process.

Microsoft Defender for Endpoint can provide powerful protection, but the licence alone is not enough.

The service must be correctly deployed, continually monitored and supported by a wider cyber security strategy.

Contact Hamilton Group to discuss Microsoft Defender for Endpoint, Microsoft Defender for Business or a review of your current endpoint protection.

Call us on 0330 043 0069 or book an appointment with one of our experts.