How can I tell if my organization is licensed for Microsoft Defender for Endpoint?
The following Microsoft Volume Licensing products support Defender for Endpoint:
- Windows 11 Enterprise E5
- Windows 11 Education A5
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E3 + E5 Security
- Microsoft 365 E5 (M365 E5) (this includes Windows 11 Enterprise E5)
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
The easiest way to check current licensing information is to visit the Volume Licensing Service Center online: https://www.microsoft.com/Licensing/servicecenter/default.aspx
Accessing https://securitycenter.windows.com may produce a “No subscriptions found” warning message with the following text:
“No subscriptions found. Before you can start using Microsoft Defender for Endpoint, you need to subscribe to the service. See Microsoft Defender for Endpoint product site or contact your Microsoft account team for information.”
What operating systems are supported by Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint supports a wide range of Windows, macOS, Linux, Android, and iOS operating systems. To learn more about operating systems supported by Microsoft Defender for Endpoint, check out Minimum requirements for Microsoft Defender for Endpoint.
Can I run Microsoft Defender for Endpoint with another endpoint security or antivirus program installed?
Defender for Endpoint relies on the Microsoft Defender AV to provide metadata to the sensor and service. Defender will enter “passive mode” when another AV tool is present, allowing these functions to operate normally. If your organization has fully disabled Defender via GPO or another method, you will need to re-enable Defender on machines that are scheduled for Defender for Endpoint enrollment. For more information, see Microsoft Defender Antivirus compatibility.
How is Microsoft Defender for Endpoint protected from tampering or disabling?
Disabling Microsoft Defender for Endpoint on Windows client operating systems (Win 10 / Win 11) is difficult for adversaries. Microsoft has hardened it in multiple ways so it’s highly unlikely that it could be disabled.
If you are deeply concerned about this risk, ensure that tamper protection is enabled for Windows Defender. Tamper protection is supported by the following Operating Systems:
- Windows 10 (1709, 1803, 1809, or later)
- Windows 11
- Windows Server 2012 R2*†
- Windows Server 2016†
- Windows Server 2019†
- Windows Server 2022†
- Windows Server, version 1803 or later†
* Requires that the server be onboarded with the Modern Unified Solution package.
† Requires Configuration Manager version 2006, with tenant attach.
Microsoft has an in-depth blog post on the various methods used to enable tamper protection here.
What other Microsoft solutions does Microsoft Defender for Endpoint currently integrate with?
Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including:
- Microsoft Intune
- Office 365 Threat Intelligence
- Defender for Azure
- Azure Security Center
- Skype for Business
- Defender for Cloud Apps
- Microsoft Sentinel
What happens when a Microsoft Defender-protected endpoint loses connectivity?
The Microsoft Defender for Endpoint agent will cache data locally for roughly three days. If a machine has not communicated (sending via “cyber data channel” but not command and control) for over two days, the machine is considered impaired.
What are the Networking requirements for Microsoft Defender?
When you deploy Microsoft Defender for Endpoint sensors, you want to know all of the associated network requirements so that your sensors will communicate properly and behave as expected.
If you proxy your outbound traffic, you need to be aware of important network requirements. The following documentation includes all the allowlist domains and IPs necessary to deliver telemetry to Red Canary:
You can also download a spreadsheet that lists the services and associated URLs that your network must be able to connect to. The spreadsheet also lists specific DNS records for service locations, geographic locations and operating systems. Download the spreadsheet here.