8.3 Defender for Endpoint
Key Takeaways
- Defender for Endpoint (formerly Microsoft Defender ATP) is Microsoft's endpoint security platform for Windows, macOS, Linux, iOS, and Android.
- Its pillars include next-generation antimalware protection, endpoint detection and response (EDR), attack surface reduction (ASR), and threat and vulnerability management.
- ASR rules block risky behaviors (like Office apps spawning child processes) to shrink the attack surface before exploitation.
- EDR provides near-real-time behavioral detection, automated investigation and remediation, and advanced hunting on devices.
- It ships in Plan 1 (preventive/ASR/next-gen AV) and Plan 2 (full EDR, automated investigation, threat & vulnerability management).
Endpoint Detection and Response Platform
Microsoft Defender for Endpoint (formerly Microsoft Defender ATP / Advanced Threat Protection) is Microsoft's enterprise endpoint security platform. "Endpoint" means the devices users work on — and Defender for Endpoint is cross-platform, covering Windows, macOS, Linux, iOS, and Android. When an SC-900 scenario describes protecting, detecting threats on, or investigating devices, this is the product.
Defender for Endpoint is more than antivirus. It combines several capability pillars into one platform:
| Pillar | What it does |
|---|---|
| Next-generation protection | Behavior-based, heuristic, real-time antimalware/antivirus (the evolution of Microsoft Defender Antivirus) |
| Attack surface reduction (ASR) | Reduces the ways attackers can get in: ASR rules, application control, network protection, exploit protection, controlled folder access |
| Endpoint detection and response (EDR) | Near-real-time behavioral detection of advanced attacks, with alerts surfaced as incidents |
| Automated investigation and remediation (AIR) | Automatically investigates alerts and remediates threats, reducing analyst load |
| Threat & vulnerability management (TVM) | Discovers, prioritizes, and helps remediate device vulnerabilities and misconfigurations |
| Microsoft Threat Experts | Managed threat hunting / expert assistance |
Attack Surface Reduction (ASR)
Attack surface reduction is about closing off the avenues an attacker can exploit before an attack succeeds. ASR rules block or audit risky behaviors that legitimate software rarely needs — for example, blocking Office applications from creating child processes, blocking executable content from email, or blocking credential theft from LSASS. Other ASR-family controls include network protection (blocks connections to malicious domains/IPs), controlled folder access (anti-ransomware folder guarding), and exploit protection. The theme: shrink the attack surface so there is less to defend.
EDR and Automated Response
Endpoint detection and response (EDR) continuously monitors device behavior and detects advanced, post-breach activity in near real time. Detections become alerts that roll into Defender XDR incidents. Automated investigation and remediation can then triage and fix many threats without an analyst, and advanced hunting lets analysts query raw device telemetry with KQL.
Plan 1 vs. Plan 2
Defender for Endpoint comes in two plans:
| Plan 1 | Plan 2 (adds) |
|---|---|
| Next-generation antimalware protection | Everything in Plan 1, plus: |
| Attack surface reduction rules | Endpoint detection and response (EDR) |
| Device-based Conditional Access controls | Automated investigation and remediation |
| Manual response actions | Threat & vulnerability management |
| Centralized management | Advanced hunting, Threat Experts, sandbox/deep analysis |
Memory hook: Plan 1 = prevent (next-gen AV + ASR); Plan 2 = full EDR + automation + vulnerability management.
Where Endpoint Fits — and Common Traps
Defender for Endpoint is one of the four Defender XDR workloads; its alerts correlate with Office 365, Identity, and Cloud Apps signals into unified incidents. Keep these distinctions straight:
- Endpoint device protection → Defender for Endpoint. Do not pick Defender for Office 365 (email) or Defender for Identity (on-prem AD).
- Network controls like NSGs, Azure Firewall, WAF, Bastion, DDoS Protection are Azure infrastructure security from another chapter — not Defender for Endpoint.
- Identifying/prioritizing device weaknesses → threat & vulnerability management within Defender for Endpoint, the engine behind Defender Vulnerability Management.
Quick cues
- "Protect/detect threats on laptops, servers, mobile devices" → Defender for Endpoint.
- "Block Office apps from spawning child processes" → ASR rule.
- "Near-real-time behavioral detection and automated remediation on devices" → EDR (Plan 2).
How Onboarding and Detection Flow
Defender for Endpoint protects a device once that device is onboarded — typically via Microsoft Intune, Group Policy, Configuration Manager, or a local script. Onboarded devices stream behavioral telemetry to the Defender for Endpoint cloud service, which scores risk, raises alerts, and exposes the device in the inventory. Each device gets a risk level and an exposure level so security teams can prioritize. Alerts then roll into Microsoft Defender XDR incidents, correlating with email, identity, and SaaS signals.
A worked scenario shows the pillars in action: a user opens a malicious macro-enabled document. Next-generation protection may block the known-bad payload outright. An attack surface reduction rule that blocks Office applications from creating child processes stops the macro from launching a script even if the file itself is unknown. If something still executes, EDR detects the anomalous process chain in near real time and raises an alert, and automated investigation and remediation can quarantine the file and isolate the device without waiting for a human.
Meanwhile, threat & vulnerability management had already flagged that the device was running an outdated, exploitable application: context that helps the analyst understand how the attack was possible and what to patch.
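An added advanced hunting query, not taken from the page or from Microsoft's own content, that ties the ASR and EDR pillars of this scenario together: it hunts for Office applications spawning script or shell hosts and annotates each finding with whether the "Office apps creating child processes" ASR rule was blocking, auditing, or absent on that device. It assumes the standard DeviceProcessEvents and DeviceEvents advanced hunting tables and the AsrOfficeChildProcessAudited / AsrOfficeChildProcessBlocked action types.

```kql
// Constructed example query; table and column names follow the documented
// advanced hunting schema, the process lists below are illustrative choices.
let lookback = 7d;
let OfficeApps  = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let ScriptHosts = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                           "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
// ASR pillar: how often the child-process rule fired per device and child binary,
// split into audit-only firings (logged, launch allowed) and real blocks.
let AsrOfficeChild =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("AsrOfficeChildProcessAudited", "AsrOfficeChildProcessBlocked")
    | summarize AsrAudited = countif(ActionType == "AsrOfficeChildProcessAudited"),
                AsrBlocked = countif(ActionType == "AsrOfficeChildProcessBlocked")
        by DeviceId, Child = FileName;
// EDR pillar: child launches that actually ran. A rule in block mode prevents
// the child process, so blocked launches never appear in this table.
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (ScriptHosts)
| project Timestamp, DeviceId, DeviceName, AccountName,
          Parent = InitiatingProcessFileName, ParentCmd = InitiatingProcessCommandLine,
          Child = FileName, ChildCmd = ProcessCommandLine
| join kind=leftouter AsrOfficeChild on DeviceId, Child
// Null counts (no ASR events at all) fall through to the last branch.
| extend AsrState = case(AsrBlocked > 0, "rule in block mode (some launches blocked)",
                         AsrAudited > 0, "rule in audit mode only",
                         "no ASR rule coverage seen")
| summarize Launches = count(), Children = make_set(Child),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, AccountName, Parent, AsrState
| order by Launches desc
```

Devices in the "no ASR rule coverage seen" or "audit mode only" rows are where the macro chain from the scenario would have reached EDR rather than being stopped up front; they are the first candidates for turning the rule on in block mode.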
Endpoint vs. Network vs. Identity — Keep Lanes Clear
A frequent SC-900 mistake is sending network or identity scenarios to Defender for Endpoint. Defender for Endpoint secures the device itself: the operating system, processes, files, and local configuration. It does not replace Azure network security (NSGs, Azure Firewall, Web Application Firewall, Azure Bastion, DDoS Protection), and it is not Defender for Identity (which watches on-prem Active Directory). When the protected object is a laptop, server, or phone, choose Defender for Endpoint; when it is a network boundary or an AD identity, choose the product for that surface.
Which Microsoft Defender service protects endpoint devices such as Windows, macOS, Linux, and mobile?
Which Defender for Endpoint capability uses rules to block risky behaviors — like an Office app launching a child process — to shrink what attackers can exploit?
What does the EDR capability in Defender for Endpoint primarily provide?
A scenario describes protecting a network boundary with a firewall and segmenting subnets. Which is the correct product family — NOT Defender for Endpoint?