# Microsoft Defender for Endpoint on Windows
Microsoft Defender for Endpoint on Windows provides preventative protection, post-breach detection, automated investigation, and response for Windows endpoints.
## Security capabilities for Windows environments
The following table describes the core security capabilities offered by Microsoft Defender for Endpoint on Windows.
| Capability | Description |
|---|---|
| Autonomous protection | Uses AI-driven automation to disrupt active attacks and proactively shield high-value assets. |
| Next-generation protection | Provides behavior-based, cloud-delivered, and machine-learning-powered antivirus protection with attack surface reduction. |
| Endpoint detection and response (EDR) | Delivers deep visibility into endpoint activity and enables rapid investigation and response to advanced attacks. |
| Vulnerability management | Identifies security gaps and prioritizes remediation actions to continuously reduce risk exposure. |
| Automated investigation and response | Uses automated playbooks to investigate alerts and apply remediation actions without manual intervention. |
| Streamlined management and operations | Simplifies deployment, configuration, and management through existing tools and the Defender portal. |
| Seamless integration and extensibility | Connects with SIEM solutions, Power BI, and the broader Defender suite for unified visibility. |
| Device and network discovery | Finds unmanaged endpoints and network devices to close visibility gaps. |
### Autonomous protection
The following capabilities use AI to detect and stop attacks without waiting for analyst action.
| Capability | Description |
|---|---|
| Automatic attack disruption | Identifies and contains active attacks in real time by automatically isolating compromised devices and disabling compromised user accounts, stopping lateral movement before human intervention is needed. |
| Predictive shielding | Uses AI to anticipate threats and proactively shield high-value assets before an attack reaches them. |
### Next-generation protection
Protect Windows endpoints from malware and advanced threats using real-time, behavior-based, and cloud-powered protection capabilities.
| Capability | Description |
|---|---|
| Next-generation antivirus | Uses behavior-based, cloud-delivered, and machine-learning techniques to detect and block threats. |
| Behavioral blocking and containment | Detects and blocks malicious behaviors and helps contain compromised devices. |
| Web protection | Guards against malicious websites, phishing attempts, and web-based threats. |
| Network protection | Blocks connections to malicious network destinations. |
| Attack surface reduction | Reduces exposure to common attack techniques such as credential theft, malware execution, and unauthorized use of removable storage, including ASR rules and device control. |
| Tamper protection | Safeguards critical security settings from unauthorized changes. |
| Firewall | Firewall configuration allows the network connectivity that the Defender for Endpoint service requires. |
### Endpoint detection and response (EDR)
Detect, investigate, and respond to sophisticated attacks powered by AI-driven analytics, behavioral detections, and Microsoft Threat Intelligence.
| Capability | Description |
|---|---|
| AI-driven detection | Uses AI and advanced analytics to detect and respond to threats in near real time. |
| Centralized management | The Microsoft Defender portal at https://security.microsoft.com provides a central location to view detections and manage your organization's devices. |
| Advanced hunting | Enables proactive threat hunting by querying raw event data for deeper insight into network events. |
| Threat analytics | Provides curated intelligence reports about active and emerging threats. |
| EDR in block mode | Enables Defender for Endpoint to block and remediate threats even when Microsoft Defender Antivirus runs in passive mode. |
| Response actions | Includes running antivirus scans, isolating devices, collecting investigation packages, and collecting files for deep analysis. |
| Live response | Provides remote shell connections to perform in-depth investigations. |
| Endpoint Attack Notifications | Provides proactive hunting and prioritization to help identify and respond to the most critical threats. |
### Vulnerability management
Continuously assess vulnerabilities, misconfigurations, and security posture to reduce risk exposure and prioritize remediation.
| Capability | Description |
|---|---|
| Vulnerability management | Offers risk-based vulnerability management with intelligent prioritization, remediation, and tracking to help you manage and secure your Windows devices. |
| Exposure score | Provides a comprehensive view of your organization's risk exposure. |
| Security recommendations | Provides actionable guidance to reduce endpoint risk. |
| Remediation tracking | Tracks remediation activities and exposure reduction. |
| Software inventory | Provides visibility into installed software on your Windows devices. |
| Microsoft Secure Score for Devices | Assesses security posture and provides actions to improve overall security. |
### Automated investigation and response
When alerts fire, automated investigation and response (AIR) runs automated playbooks to determine scope, collect evidence, and apply remediation actions.
| Capability | Description |
|---|---|
| Automated investigation and response (AIR) | Correlates alerts into incidents, runs investigation playbooks, and applies remediation actions such as quarantining files or isolating devices. |
### Device and network discovery
Unmanaged devices represent blind spots that attackers can exploit. Discovery helps you identify them and bring them under management.
| Capability | Description |
|---|---|
| Endpoint and network device discovery | Uses passive network monitoring and active probes to identify unmanaged endpoints, network devices, and IoT devices on the corporate network. |
### Streamlined management and operations
Microsoft Defender for Endpoint on Windows provides flexible deployment and centralized management capabilities designed to simplify configuration, monitoring, and integration with other security tools in Windows environments.
| Capability | Description |
|---|---|
| Microsoft Intune integration | Integrates with your existing management tools, including Intune and Group Policy. |
| Security settings management | Lets you manage security policies directly from the Microsoft Defender portal. |
| Management APIs | Provides programmatic access to manage devices, configure policies, query vulnerability data, and retrieve threat intelligence at scale. |
| Partner integrations | Enables integration with Microsoft and non-Microsoft security solutions. |
### Seamless integration and extensibility
Microsoft Defender for Endpoint on Windows integrates with existing security tools and workflows, extending into the broader Microsoft Defender ecosystem for unified visibility and coordinated security operations.
| Capability | Description |
|---|---|
| Lightweight behavioral sensor | Built into the operating system, ensuring stable and durable performance. |
| API integration | Enables custom integrations, automation workflows, and third-party tool connectivity through the Defender APIs. |
| SIEM connectors | Enables connectivity with SIEM solutions for centralized monitoring and automated response. |
| Power BI support | Extends visibility through Power BI reporting and role-based access control (RBAC). |
**Tip:** For a detailed comparison of supported features for all Defender for Endpoint platforms (Windows, macOS, and Linux), see Defender for Endpoint capabilities.

## Antivirus solution compatibility
The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities, such as file scanning. For optimal protection, configure security intelligence updates and platform updates for onboarded devices, whether Microsoft Defender Antivirus is the active antimalware solution or not.
**Important:** Endpoint detection and response (EDR) in Microsoft Defender for Endpoint doesn't adhere to the Microsoft Defender Antivirus Exclusions settings.
When an onboarded device uses a non-Microsoft antimalware client, Microsoft Defender Antivirus runs in passive mode, continues to receive updates, and msmpeng.exe remains running. In passive mode, Microsoft Defender Antivirus doesn't perform real-time protection scans, scheduled scans, or on-demand scans, and it doesn't replace the non-Microsoft antimalware client. The Microsoft Defender Antivirus user interface is disabled, and users can't run on-demand scans or configure most options (for example, Attack Surface Reduction (ASR) rules, Network Protection, Indicators, Web Content Filtering, and Controlled Folder Access).
For more information, see Manage Microsoft Defender Antivirus updates and apply baselines and Microsoft Defender Antivirus compatibility.
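The passive-mode behavior described above is something an administrator should be able to verify on an onboarded device rather than assume. The following PowerShell script is an added example, not part of this page or of Microsoft's own tooling. It uses the documented `Get-MpComputerStatus` cmdlet to read the antivirus running mode (`AMRunningMode` reports values such as `Normal`, `Passive Mode`, `EDR Block Mode`, and `SxS Passive Mode`), confirms that the `WinDefend` service (msmpeng.exe) and the Defender for Endpoint sensor service (`Sense`) are running, and checks how old the security intelligence is, since the page recommends keeping updates flowing even when Defender Antivirus is passive. The seven-day staleness threshold is an assumption for illustration; tune it to your update policy. Run it in an elevated session on a Windows device with the Defender PowerShell module.

```powershell
# Added example (not from the Microsoft Learn page): report the Microsoft Defender Antivirus
# running mode and the state of the components the compatibility section describes.
# Assumes Windows with the Defender PowerShell module; run in an elevated session.

function Get-DefenderPassiveModeReport {
    param(
        # Threshold is an assumption for illustration; align it with your update policy.
        [int]$StaleAfterDays = 7
    )

    $status = Get-MpComputerStatus

    # AMRunningMode reports Normal, Passive Mode, EDR Block Mode, or SxS Passive Mode.
    $mode = $status.AMRunningMode

    # Defender Antivirus (msmpeng.exe) runs as the 'WinDefend' service; the Defender for
    # Endpoint sensor runs as the 'Sense' service. Both should remain running in passive mode.
    $winDefend = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $sense     = Get-Service -Name Sense     -ErrorAction SilentlyContinue

    # Age of the current security intelligence; updates must continue even when AV is passive.
    $sigAgeDays = (New-TimeSpan -Start $status.AntivirusSignatureLastUpdated -End (Get-Date)).Days

    [pscustomobject]@{
        AMRunningMode             = $mode
        IsPassive                 = $mode -like '*Passive*'
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        WinDefendServiceStatus    = if ($winDefend) { $winDefend.Status } else { 'NotInstalled' }
        SenseServiceStatus        = if ($sense)     { $sense.Status }     else { 'NotInstalled' }
        SignatureAgeDays          = $sigAgeDays
        SignatureStale            = $sigAgeDays -gt $StaleAfterDays
    }
}

$report = Get-DefenderPassiveModeReport
$report | Format-List

# Flag the combinations the compatibility section warns about.
if ($report.SenseServiceStatus -ne 'Running') {
    Write-Warning 'The Defender for Endpoint sensor (Sense) is not running; EDR data will not be reported.'
}
if ($report.IsPassive -and $report.WinDefendServiceStatus -ne 'Running') {
    Write-Warning 'Defender Antivirus is passive but msmpeng.exe (WinDefend) is not running; EDR in block mode depends on it.'
}
if ($report.SignatureStale) {
    Write-Warning ("Security intelligence is {0} days old; configure security intelligence and platform updates." -f $report.SignatureAgeDays)
}
```

In passive mode you should expect `IsPassive` to be true and `RealTimeProtectionEnabled` to be false while both services still report `Running`; a passive device with a stopped `WinDefend` service or stale security intelligence is the misconfiguration this section cautions against.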
## What's new in the latest release
To learn what’s new in endpoint security, see the latest updates in What's new in Microsoft Defender for Endpoint.
To learn about the latest Windows updates, see What's new in Microsoft Defender for Endpoint on Windows.