Explore Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Microsoft Defender for Endpoint uses the following combination of technology built into Windows 10 and later and Microsoft’s robust cloud service:

  • Endpoint behavioral sensors. Windows 10 and 11 embed these sensors. They begin by collecting and processing behavioral signals from the operating system. They then send this sensor data to an organization’s private, isolated, cloud instance of Microsoft Defender for Endpoint.
  • Cloud security analytics. Enterprise cloud products (such as Microsoft 365) and online assets apply big-data, device learning, and unique Microsoft optics across the Windows ecosystem. Microsoft Defender for Endpoint then translates behavioral signals into insights, detections, and recommended responses to advanced threats.
  • Threat intelligence. Microsoft threat hunters and security teams generate threat intelligence. Partners then augment this information with threat intelligence of their own. Threat intelligence enables Microsoft Defender for Endpoint to:
    • Identify attacker tools, techniques, and procedures.
    • Generate alerts when it observes them in collected sensor data.

Microsoft Defender for Endpoint architecture

Diagram showing the key services provided by Microsoft Defender for Endpoint, which is a service of Microsoft 365 Defender.

Additional viewing. Select the following link to watch a short video on the Microsoft Defender for Endpoint architecture.

Microsoft Defender for Endpoint is a service of Microsoft 365 Defender. Under the Microsoft 365 Defender umbrella are centralized configuration and administration APIs, followed by the Microsoft Defender for Endpoint services, which include:

  • Vulnerability Management. This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
  • Attack surface reduction. The attack surface reduction set of capabilities provides the first line of defense in the stack. To support this feature, organizations should ensure configuration settings are properly set and apply mitigation techniques. By doing so, the attack surface reduction capabilities can resist attacks and exploitation. The capabilities also include network protection and web protection. These features regulate access to malicious IP addresses, domains, and URLs.
  • Next-generation protection. To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
  • Endpoint detection and response. This feature detects, investigates, and responds to advanced threats that may have made it past the first two security pillars. Advanced hunting provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections.
  • Automated investigation and remediation. Microsoft Defender for Endpoint can quickly respond to advanced attacks. It also offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
  • Microsoft Secure Score for Devices. Microsoft Defender for Endpoint includes Microsoft Secure Score for Devices. This feature helps organizations:
    • dynamically assess the security state of their enterprise network.
    • identify unprotected systems.
    • take recommended actions to improve the overall security of the organization.
  • Microsoft Threat Experts. Microsoft Defender for Endpoint’s new managed threat hunting service provides proactive hunting, prioritization, and other context and insights. These features further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.Microsoft Defender for Endpoint customers must apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. This service is an add-on feature. After the Microsoft Threat Experts feature accepts you into its managed threat hunting service, it always includes Targeted Attack Notifications. For users who have yet to enroll in Microsoft Threat Experts but would like to experience its benefits, go to Settings, then General, then Advanced features, and then Microsoft Threat Experts to apply. Once accepted, you get the benefits of Targeted Attack Notifications. You also start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full subscription of Experts on Demand.
  • Centralized configuration and administration, APIs. Integrate Microsoft Defender for Endpoint into your existing workflows.
  • Integration with Microsoft solutions. Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including:
    • Microsoft Defender for Cloud
    • Microsoft Sentinel
    • Microsoft Intune
    • Microsoft Defender for Cloud Apps
    • Microsoft Defender for Identity
    • Microsoft Defender for Office 365
    • Skype for Business
  • Microsoft 365 Defender. Microsoft Defender for Endpoint and other Microsoft security solutions (Defender for Identity, Defender for Office 365, and Defender for Cloud Apps), together with Microsoft 365 Defender, form a unified pre- and post-breach enterprise defense suite. It natively integrates across endpoint, identity, email, and applications. This design enables it to detect, prevent, investigate, and automatically respond to sophisticated attacks.

Compare Microsoft Defender for Endpoint plans

Microsoft Defender for Endpoint provides advanced threat protection. This feature includes antivirus, antimalware, ransomware mitigation, and more, together with centralized management and reporting.

Two plans are available. The following table lists the features provided in each plan at a high level.

Defender for Endpoint Plan 1Defender for Endpoint Plan 2
Next-generation protection

Attack surface reduction

Manual response actions

Centralized management

Security reports

Defender for Endpoint Plan 1


Device discovery

Vulnerability management

Threat Analytics

Automated investigation and response

Advanced hunting

Endpoint detection and response

Microsoft Threat Experts

Microsoft Defender for Endpoint licensing

The following list identifies the licensing options for Microsoft Defender for Endpoint:

  • Microsoft Defender for Endpoint Plan 1. Microsoft Defender for Endpoint Plan 1 is available as a standalone user subscription license for commercial and education customers. Microsoft 365 E3/A3 also includes it.
  • Microsoft Defender for Endpoint Plan 2. Microsoft Defender for Endpoint Plan 2 is available as a standalone license and as part of the following plans:
    • Windows 11 Enterprise E5/A5
    • Windows 10 Enterprise E5/A5
    • Microsoft 365 E5/A5/G5 (which includes Windows 10 or Windows 11 Enterprise E5)
    • Microsoft 365 E5/A5/G5/F5 Security
    • Microsoft 365 F5 Security & Compliance
  • Microsoft Defender for Endpoint Server. For server security, Microsoft offers Microsoft Defender for Cloud. It has the best and most appropriate capabilities for server and cloud protection. As of April 2022, Microsoft introduced Microsoft Defender for Servers Plan 1 and Plan 2.

Plan your Microsoft Defender for Endpoint deployment

Administrators should plan their Microsoft Defender for Endpoint deployment so they can maximize the security capabilities within the suite. In turn, they can better protect their companies from cyber threats.

Planning a Microsoft Defender for Endpoint deployment also provides organizations with guidance on how to:

  • Identify their environment architecture.
  • Select the type of deployment tool that best fits their needs.
  • Configure capabilities.
Diagram showing how to identify your environment architecture, select the deployment tool, and configure capabilities.