8.3 Defender for Endpoint

Key Takeaways

  • Defender for Endpoint protects endpoint devices.
  • Endpoint device wording is the core SC-900 cue for this product.
  • Defender for Endpoint is not the same as Defender for Identity or Defender for Cloud Apps.
  • Choose the specific Defender product based on the protected surface in the prompt.

Last updated: May 2026

Endpoint Device Protection

Defender for Endpoint protects endpoint devices. That is the key fact for SC-900, and it is enough to answer many product-matching questions. The word "endpoint" should make you think of devices used in the environment rather than email, SaaS apps, on-premises Active Directory, compliance records, or network firewalls.

The Defender product names are intentionally specific. Defender for Office 365 maps to email and collaboration workloads. Defender for Cloud Apps maps to CASB and SaaS app discovery and control. Defender for Identity maps to on-premises Active Directory. Defender for Endpoint maps to endpoint devices. If you train yourself to identify the protected surface first, the answer is usually straightforward.

| Protected surface | Defender product | Common wrong answer |
|---|---|---|
| Endpoint devices | Defender for Endpoint | Defender for Office 365 |
| Email and collaboration workloads | Defender for Office 365 | Defender for Endpoint |
| SaaS app discovery and control | Defender for Cloud Apps | Defender for Cloud |
| On-premises Active Directory | Defender for Identity | Microsoft Entra ID Governance |

Do not confuse endpoint protection with Azure infrastructure security. Network security groups, Azure Firewall, Web Application Firewall, Azure Bastion, DDoS Protection, and Key Vault are Azure infrastructure controls from another chapter. Defender for Endpoint is part of the Microsoft Defender XDR services group listed in the security solutions boundary.

Also separate Defender for Endpoint from Defender Vulnerability Management. The names can appear close together because device security and vulnerability exposure are related topics in real security programs. For SC-900, keep the matching simple: endpoint device protection points to Defender for Endpoint, while identifying and prioritizing weaknesses points to Defender Vulnerability Management.

Use these exam cues:

  • Endpoint or device protection means Defender for Endpoint.

  • Email or collaboration means Defender for Office 365.

  • SaaS app discovery or CASB means Defender for Cloud Apps.

  • On-premises Active Directory means Defender for Identity.

  • SIEM, SOAR, hunting, or playbooks mean Microsoft Sentinel.

The exam is unlikely to reward a complicated answer when the product name already contains the cue. Read the protected area, eliminate products with a different protected surface, and choose Defender for Endpoint when the scenario is about endpoint devices.

Endpoint Decision Check

Endpoint questions usually become easy when you focus on the protected surface. Defender for Endpoint protects endpoint devices, while other Defender services protect other areas. If a question adds vulnerability wording, decide whether it is asking for device protection or for vulnerability management as a capability.

  • Endpoint device protection means Defender for Endpoint.

  • Weaknesses or exposure can point to Vulnerability Management.

  • Email, SaaS apps, and on-premises Active Directory use different Defender products.

Test Your Knowledge

Which Microsoft Defender service protects endpoint devices?

Test Your Knowledge

A prompt asks for protection of email and collaboration workloads. Which product should you choose instead of Defender for Endpoint?

Test Your Knowledge

Which phrase is the strongest clue for Defender for Endpoint?
