How can I tell if my organization is licensed for Microsoft Defender for Endpoint?
The following Microsoft Volume Licensing products include Microsoft Defender for Endpoint (formerly Microsoft Defender ATP):
- Windows 10 Enterprise E5
- Windows 10 Education A5
- Microsoft 365 E5 (M365 E5) (this includes Windows 10 Enterprise E5)
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
The easiest way to check current licensing information is to visit the Volume Licensing Service Center online: https://www.microsoft.com/Licensing/servicecenter/default.aspx
If your tenant is not licensed, signing in to https://securitycenter.windows.com produces a “No subscriptions found” warning with the following text:
“No subscriptions found. Before you can start using Microsoft Defender Advanced Threat Protection, you need to subscribe to the service. See Microsoft Defender ATP product site or contact your Microsoft account team for information.”
What operating systems are supported by Microsoft Defender for Endpoint?
Microsoft Defender for Endpoint supports a wide range of Windows, macOS, and Linux operating systems. Learn more about operating systems supported by Microsoft Defender ATP.
Can I run Microsoft Defender for Endpoint with another endpoint security or antivirus program installed?
Defender for Endpoint relies on Microsoft Defender Antivirus to supply metadata to the sensor and service. On Windows 10 and Windows Server 2019, once a device is onboarded, Defender Antivirus automatically switches to “passive mode” when another antivirus product is installed: the third-party product handles real-time protection while Defender Antivirus keeps feeding the sensor. (On Windows Server 2016 and 2012 R2 passive mode is not automatic and has to be set explicitly.) If your organization has fully disabled Defender Antivirus, for example with the “Turn off Microsoft Defender Antivirus” Group Policy setting or another method, you need to re-enable it on machines scheduled for Defender for Endpoint onboarding; a device with Defender Antivirus turned off by policy will not report correctly. For more information, see Microsoft Defender Antivirus compatibility.
How is Microsoft Defender for Endpoint protected from tampering or disabling?
Disabling Microsoft Defender for Endpoint on Windows 10 is difficult for an adversary. Microsoft hardens the sensor in several ways (the Sense service, for example, cannot be stopped through the normal service controls even by a local administrator), so it is unlikely that it can be disabled outright.
If you are concerned about this risk, make sure tamper protection is enabled for Microsoft Defender Antivirus. Tamper protection blocks changes to core Defender Antivirus settings (turning off real-time protection, cloud-delivered protection, behavior monitoring, or removing security intelligence updates) whether the change is attempted through the registry, PowerShell, or Group Policy; it is switched on tenant-wide from the Defender portal or per device through Intune, not by a local policy. This feature is supported on Windows 10 OS 1709, 1803, 1809, or later, together with Microsoft Defender Advanced Threat Protection E5.
Microsoft has an in-depth blog post on the various methods used to enable this technology here.
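The two questions above (does Defender Antivirus still feed the sensor, and is tamper protection on) can be answered on a single device with a short audit script. The script below is an added example, not part of the original FAQ or Microsoft's own tooling; it uses the documented Get-MpComputerStatus cmdlet and the onboarding and policy registry locations, and assumes an elevated Windows PowerShell 5.1 session on a Windows 10/11 device.

```powershell
# Added example (not from the original FAQ): audits the Defender Antivirus
# and Defender for Endpoint prerequisites discussed above on the local device.
# Assumes Windows 10/11 with the Defender PowerShell module present.
# Run from an elevated PowerShell session.

$status = Get-MpComputerStatus

# AMRunningMode reports how Defender Antivirus runs alongside other AV:
# 'Normal', 'Passive Mode', 'EDR Block Mode', or 'SxS Passive Mode'.
"Defender AV running mode : $($status.AMRunningMode)"
"Real-time protection     : $($status.RealTimeProtectionEnabled)"
"Tamper protection        : $($status.IsTamperProtected)"

# The Sense service is the Defender for Endpoint sensor. If it is missing, the
# device has not been onboarded; if it is stopped, the sensor is not reporting.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if (-not $sense) { "Sense service            : not installed (device not onboarded)" }
else             { "Sense service            : $($sense.Status)" }

# Onboarding state written by the onboarding package (1 = onboarded).
$atpStatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboard = Get-ItemProperty -Path $atpStatusKey -Name OnboardingState -ErrorAction SilentlyContinue
"OnboardingState          : $($onboard.OnboardingState)"

# The 'Turn off Microsoft Defender Antivirus' GPO sets DisableAntiSpyware under
# the Policies hive. While it is present, Defender AV cannot supply metadata to
# the sensor, so it has to be removed before the device is onboarded.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    Write-Warning 'Defender AV is disabled by policy (DisableAntiSpyware=1); remove the GPO setting before onboarding.'
}

# Tamper protection is not a local setting: it is enabled tenant-wide from the
# Defender portal or per device through Intune, so this check can only report.
if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper protection is off; enable it in the Defender portal or through Intune.'
}
```

A healthy onboarded device with a third-party antivirus shows AMRunningMode of “Passive Mode”, a running Sense service, OnboardingState 1, no DisableAntiSpyware policy and IsTamperProtected True. Run it before enrollment to catch the disabled-by-GPO case, and again afterwards to confirm the sensor came up.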
What other Microsoft solutions does Microsoft Defender for Endpoint currently integrate with?
Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including:
- Microsoft Defender for Office 365
- Azure Defender (now part of Microsoft Defender for Cloud)
- Azure Security Center
- Skype for Business
- Microsoft Cloud App Security
- Azure Sentinel
What happens when a Microsoft Defender for Endpoint-protected endpoint loses connectivity?
The Microsoft Defender for Endpoint sensor caches data locally for roughly three days and uploads it once connectivity returns. If a machine keeps sending sensor data over the “cyber data channel” but has not been able to reach the command-and-control channel for more than two days, the portal reports it as having impaired communications.
What are the networking requirements for Microsoft Defender for Endpoint?
When you deploy Microsoft Defender for Endpoint sensors, you need to know all of the associated network requirements so that the sensors can communicate properly and behave as expected.
If you proxy your outbound traffic, keep two things in mind: the sensor runs in system context and does not use per-user proxy settings (configure the WinHTTP proxy or the sensor's static TelemetryProxyServer setting instead), and the Defender for Endpoint service URLs must be excluded from TLS inspection. The following documentation includes all the allowlist domains and IPs necessary to deliver telemetry to Red Canary:
You can also download a spreadsheet that lists the services and associated URLs that your network must be able to connect to. The spreadsheet also lists specific DNS records for service locations, geographic locations and operating systems. Download the spreadsheet here.
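Once you have the URL list from the spreadsheet, the proxy configuration and the reachability of each destination can be checked from a device before onboarding. The script below is an added example, not part of the original FAQ or Microsoft's own tooling (Microsoft's MDE Client Analyzer performs a fuller version of this check); it assumes a hostname list exported from the spreadsheet into C:\mde\mde-urls.txt (one concrete host per line, wildcard entries expanded by hand) and a proxy at proxy.corp.example:8080, both placeholder values.

```powershell
# Added example (not from the original FAQ): points the Defender for Endpoint
# sensor at a static proxy and checks that the required service hosts are
# reachable through it over HTTPS.
# Placeholders: proxy.corp.example:8080 and C:\mde\mde-urls.txt.

$proxyHostPort = 'proxy.corp.example:8080'
$proxyUri      = "http://$proxyHostPort"
$hostFile      = 'C:\mde\mde-urls.txt'

# The sensor ignores per-user proxy settings. TelemetryProxyServer (REG_SZ,
# host:port with no scheme) gives it a static proxy. The machine-wide WinHTTP
# proxy is the alternative:
#   netsh winhttp set proxy proxy-server="proxy.corp.example:8080" bypass-list="<local>"
$atpPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
New-Item -Path $atpPolicyKey -Force | Out-Null
Set-ItemProperty -Path $atpPolicyKey -Name TelemetryProxyServer -Value $proxyHostPort

# Test every host through the same proxy the sensor will use. Any HTTP reply,
# including 4xx, proves the TLS connection was established; an error with no
# response means the proxy or firewall blocked it.
$hosts = Get-Content $hostFile | Where-Object { $_ -and $_ -notmatch '^\s*#' }
foreach ($hostName in $hosts) {
    try {
        $r = Invoke-WebRequest -Uri "https://$hostName/" -Proxy $proxyUri -UseBasicParsing -TimeoutSec 10
        '{0,-45} reachable (HTTP {1})' -f $hostName, $r.StatusCode
    } catch {
        if ($_.Exception.Response) {
            '{0,-45} reachable (HTTP {1})' -f $hostName, [int]$_.Exception.Response.StatusCode
        } else {
            '{0,-45} BLOCKED: {1}' -f $hostName, $_.Exception.Message
        }
    }
}
```

Run it from an elevated session, since writing the policy key requires administrator rights. A host that reports reachable here but still fails for the sensor usually points at TLS inspection on the proxy: the sensor validates Microsoft's certificates, so those destinations must bypass inspection.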