
Ultimate Comparison of Microsoft Defender for Endpoint Features by Operating System v3.0 (29 March 2022)

Ru Campbell
campbell.scot/mdecomparison
twitter.com/rucam365
linkedin.com/in/rlcam

Platform columns, in order: Windows 7 SP1; Windows 8.1; Windows 10/11; Windows Server 2008 R2; Windows Server 2012 R2; Windows Server 2016; Windows Server 2019/2022; macOS; Linux; Android phones; iOS.

Each feature below is listed as "Feature: description [support]". A build such as 1709+ in the support list is the minimum Windows 10/11 version; ✓ marks a supported platform. Marks are listed in the order they appear in the sheet, and the platform is named where it is unambiguous.

Attack surface reduction

Attack surface reduction rules
- Block abuse of exploited vulnerable signed drivers: protects against vulnerable signed drivers that allow kernel access and system compromise. [1709+ ✓]
- Block Adobe Reader from creating child processes: prevents payloads breaking out of Adobe Reader. [1709+ ✓ ✓ ✓]
- Block all Office applications from creating child processes: prevents Word, Excel, PowerPoint, OneNote, and Access creating child processes. [1709+ ✓]
- Block credential stealing from LSASS: prevents untrusted processes accessing LSASS directly. [1709+ ✓ ✓ ✓]
- Block executable content from email client and webmail: prevents Outlook and popular webmail providers launching scripts or executable files. [1709+ ✓ ✓ ✓]
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion: using cloud-delivered protection, blocks executables depending on various reputational metrics. [1709+ ✓]
- Block execution of potentially obfuscated scripts: identifies and blocks script obfuscation with suspicious properties. [1709+ ✓ ✓ ✓]
- Block JavaScript or VBScript from launching downloaded executable content: prevents JavaScript or VBScript fetching and launching executables. [1709+ ✓ ✓]
- Block Office applications from creating executable content: prevents the Office suite from saving executable content to disk. [1709+ ✓ ✓]
- Block Office applications from injecting code into other processes: prevents attempts to migrate code into another process from Word, Excel, and PowerPoint. [1709+ ✓]
- Block Office communication applications from creating child processes: in Teams and Outlook, prevents child processes being created. [1809+ ✓]
- Block persistence through WMI event subscription: prevents C2 abuse of WMI to attain device persistence. [1903+]
- Block process creations originating from PSExec and WMI commands: prevents PSExec- or WMI-created processes from running, as is common in lateral movement techniques. Not compatible with ConfigMgr. [1803+ ✓ ✓ ✓]
- Block untrusted and unsigned processes that run from USB: executable files on USB drives or SD cards are prevented from executing unless trusted or signed. [1803+ ✓]
- Block Win32 API calls from Office macros: protects against Office VBA Win32 API calls, mostly found in legacy macros. [1709+ ✓]
- Use advanced protection against ransomware: using cloud-delivered protection heuristics, a lower-reputation file that resembles ransomware and has not been signed is blocked. [1803+ ✓ ✓ ✓]
- ASR rules in warn mode if supported by rule: allows users to override ASR blocked events. [1809+ ✓]

- Exploit protection: successor to the Enhanced Mitigation Experience Toolkit (EMET), with protection against over twenty exploit types. [1709+ ✓]
- Web protection: comprised of web content filtering (access based on site category) and web threat protection (phishing, exploit sites, low-reputation sites). [1709+ ✓ ✓ ✓]
- Network protection: extends web protection to the entire OS and third-party browsers, blocking outbound traffic to low-reputation or custom indicators. [1709+ ✓ ✓ ✓]
- Controlled folder access: ransomware protection where protected folders are specified, and only allow-listed applications may make modifications to them. [1709+ ✓ ✓ ✓]
- Device control – removable storage protection: blocks the use of unauthorised removable storage media based on properties such as vendor ID, serial number, or device class. [✓; macOS 10.15.4+, not feature equal to Windows]
- Device control – removable storage access control: audits and controls read/write/execute operations on removable storage media based on properties similar to removable storage protection. [✓]
- Device control – printer protection: blocks the use of unauthorised print devices based on vendor ID and product ID. [1909+]
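The ASR rules, network protection and controlled folder access above are all switched locally with the Defender PowerShell module, and the audit-then-block staging the table implies (audit mode, warn mode, block) maps directly onto the cmdlet parameters. The script below is an added example and is not part of the comparison sheet; it targets a Windows 10/11 1709+ or Windows Server 2019/2022 host from an elevated prompt. The rule GUIDs are taken from Microsoft's published ASR rule reference and should be verified against the current reference before rollout; the protected folder and allowed application paths are assumed for illustration.

```powershell
# Added example (not from the comparison sheet): stage ASR rules and related
# attack surface reduction controls on a Windows 10/11 (1709+) or Server 2019/2022 host.
# Rule GUIDs are from Microsoft's published ASR rule reference; verify before rollout.

# Rule GUID -> rule name and minimum Windows 10/11 build, as listed in the table.
$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS (1709+)'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes (1709+)'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail (1709+)'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware (1803+)'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands (1803+)'
}
# The table flags the PSExec/WMI rule as not compatible with ConfigMgr, so it is left in
# audit mode on ConfigMgr-managed hosts while the other rules move to block.
$PsExecWmiRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

function Set-AsrRuleState {
    param([Parameter(Mandatory)][hashtable]$RuleActions)  # GUID -> Disabled|Enabled|AuditMode|Warn
    # Set-MpPreference takes the IDs and actions as two parallel arrays and replaces the
    # whole configured list, so the desired state is declared in full on every call.
    $ids     = @($RuleActions.Keys)
    $actions = @($ids | ForEach-Object { $RuleActions[$_] })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleReport {
    # Get-MpPreference returns the IDs and actions as parallel arrays; pair them back up.
    $pref = Get-MpPreference
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(not in this list)' }
            Action = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

# Stage 1: every rule in audit mode. Audit hits are logged as event ID 1122 in
# Microsoft-Windows-Windows Defender/Operational and are visible in advanced hunting.
$stage1 = @{}
foreach ($id in $AsrRules.Keys) { $stage1[$id] = 'AuditMode' }
Set-AsrRuleState -RuleActions $stage1

# Stage 2 (after reviewing the audit events): block, except the ConfigMgr-incompatible rule.
$stage2 = @{}
foreach ($id in $AsrRules.Keys) {
    $stage2[$id] = if ($id -eq $PsExecWmiRule) { 'AuditMode' } else { 'Enabled' }
}
Set-AsrRuleState -RuleActions $stage2

# Network protection and controlled folder access take the same audit-then-block path.
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'              # assumed path
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Apps\ERP\erp.exe'  # assumed app

Get-AsrRuleReport | Format-Table -AutoSize
```

Local preferences are overridden by Group Policy or Intune settings where those are applied, so on managed estates the same staging is expressed in the policy rather than with Set-MpPreference; process-level exceptions for a rule go in -AttackSurfaceReductionOnlyExclusions rather than by disabling the rule.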

Endpoint protection platform

- Microsoft Defender Antivirus (MDAV) / Next Generation Protection: core antimalware engine that provides behaviour-based, heuristic, and real-time AV protection; powers "next-generation protection" features in addition to standard signature-based detections. [✓ ✓ ✓ ✓]
- System Centre Endpoint Protection (SCEP) / Microsoft Antimalware for Azure (MAA) / etc: "down-level" operating systems do not have an antivirus engine built in; however, Microsoft's antimalware platform is available through other channels such as SCEP (comes with ConfigMgr), MAA (if managed with Azure), or Windows Defender (consumer-level). [✓ ✓ ✓, plus ✓ only if not using the unified agent]
- Preventative antivirus: "traditional" antivirus approach to potential threats. May have behavioural monitoring capabilities but is not the Next Generation Protection MDAV client seen in Windows. [✓ ✓ ✓ ✓ ✓]
- Block at first sight: sends the hash value of executables with mark of the web to the cloud to determine reputation; if the hash is unknown, uploads the file for more analysis. [1803+ ✓ ✓]
- Cloud-delivered protection: sends metadata to the cloud protection service to determine if a file is safe based on machine learning and the Intelligent Security Graph. [✓ ✓ ✓ ✓ ✓]
- Tamper protection: on Windows, blocks certain changes to MDAV via registry, PowerShell, and GPO. On mobiles, detects if out of protection for seven days and informs device compliance. [✓ ✓ ✓ ✓ ✓ ✓]
- Potentially unwanted app protection: blocks software that isn't necessarily malicious but is otherwise undesirable, such as advertising injectors and cryptominers. [✓ ✓ ✓ ✓ ✓ ✓]
- Passive mode: if third-party endpoint protection is also running, the antimalware engine doesn't provide preventative real-time protection (including ASR rules, etc) but can scan on demand. Can be supplemented by EDR in block mode. [✓ Automatic, ✓ Manual, ✓ Manual, ✓ Manual, ✓ Manual, ✓ Manual]
- Device discovery: endpoints passively or actively collect events and extract device information (basic mode) or actively probe observed devices (standard mode; default). This refers to OSs that can perform discovery. [1809+ ✓]
- Respect indicators of compromise – files and certificates: custom block or allow controls on the endpoint based on hash value or CER/PEM files. [1703+ ✓ ✓ ✓]
- Respect indicators of compromise – IPs, URLs, domains: custom block or allow controls based on public IP or FQDNs (or full web paths for Microsoft web browsers). [1709+ ✓ ✓]
- Windows Defender Firewall with Advanced Security (WFAS): controls the inbound and outbound network traffic allowed on the device based on the type of network connected, as well as other controls such as IPsec. [✓ on all seven Windows client and server platforms]
- Host firewall reporting: dedicated reporting available in the Microsoft 365 Defender portal about inbound and outbound connections and app connections. [✓ ✓]
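Whether MDAV is in passive mode, whether tamper protection is on, and whether cloud-delivered protection is enabled decide how much of this section actually applies to a given host: a passive engine enforces neither real-time protection nor ASR rules, and block at first sight cannot work without cloud protection. The script below is an added example, not part of the comparison sheet; it reads the state through Get-MpComputerStatus, Get-MpPreference and Get-NetFirewallProfile on a Windows host (elevated prompt) and returns a list of findings. The ForceDefenderPassiveMode registry value it reads is the documented way servers are put into passive mode manually, which is what the table's "Manual" entries refer to; the three-day signature threshold is an assumed local standard.

```powershell
# Added example (not from the comparison sheet): report the local state of the endpoint
# protection platform features in the table and flag gaps. Windows, elevated prompt.

function Get-DefenderPlatformPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Windows 10/11 enter passive mode automatically when another AV registers; on Windows
    # Server passive mode is a manual setting via this policy value ("Manual" in the table).
    $forced = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
        -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue

    $maps = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
    $pua  = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

    [pscustomobject]@{
        RunningMode         = $status.AMRunningMode            # Normal, Passive Mode, EDR Block Mode, ...
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        TamperProtected     = $status.IsTamperProtected
        ForcedPassivePolicy = [bool]$forced.ForceDefenderPassiveMode
        CloudProtection     = $maps[[int]$pref.MAPSReporting]
        BlockAtFirstSight   = -not $pref.DisableBlockAtFirstSeen
        SampleSubmission    = $pref.SubmitSamplesConsent       # 0 prompt, 1 safe samples, 2 never, 3 all
        PUAProtection       = $pua[[int]$pref.PUAProtection]
        SignatureAgeDays    = $status.AntivirusSignatureAge
    }
}

function Test-DefenderPlatformPosture {
    param([Parameter(Mandatory)]$Posture)
    $findings = @()
    if ($Posture.RunningMode -eq 'Passive Mode') {
        $findings += 'MDAV is passive: real-time protection and ASR rules are not enforced; enable EDR in block mode in the portal.'
    }
    if (-not $Posture.TamperProtected) {
        $findings += 'Tamper protection is off: a local admin (or malware running as one) can change MDAV settings.'
    }
    if ($Posture.CloudProtection -eq 'Disabled') {
        $findings += 'Cloud-delivered protection is off: block at first sight and the cloud-dependent ASR rules cannot work.'
    } elseif (-not $Posture.BlockAtFirstSight) {
        $findings += 'Block at first sight is disabled.'
    }
    if ($Posture.PUAProtection -ne 'Block') { $findings += "PUA protection is $($Posture.PUAProtection), not Block." }
    if ($Posture.SignatureAgeDays -gt 3)    { $findings += "Signatures are $($Posture.SignatureAgeDays) days old." }  # assumed threshold

    # WFAS: every profile should be on and default-deny inbound.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) { $findings += "Firewall profile $($p.Name) is disabled." }
        elseif ($p.DefaultInboundAction -eq 'Allow') { $findings += "Firewall profile $($p.Name) allows inbound by default." }
    }
    $findings
}

$posture = Get-DefenderPlatformPosture
$posture | Format-List
Test-DefenderPlatformPosture -Posture $posture
```

On a host where a third-party AV is present, "EDR Block Mode" rather than "Passive Mode" in RunningMode is the state the table's passive-mode row recommends; the switch itself is made in the Microsoft 365 Defender portal, not locally.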

Investigation and response

- Alerts: detected threats or potential malicious activity that should be reviewed, presented with a story, affected assets, and details. [✓ all platforms]
- Incidents: aggregation of alerts with the same attack techniques or attributed to the same attacker. [✓ all platforms]
- Device groups: control RBAC permissions to devices and alerts, auto-remediation levels, and web content filtering. One device belongs to one group. [✓ all platforms]
- Device tags: create logical group affiliation for filtering, reporting, and automatic device group membership. One device can have many tags. [✓ all platforms]
- Advanced hunting: Kusto Query Language (KQL) based tool for exploration of raw data across Microsoft 365 Defender, including custom detection rules. [✓ all platforms]
- EDR in block mode: remediates malicious artifacts in post-breach detections, including if third-party AV is in use and MDAV is in passive mode. [✓ ✓ ✓ ✓]
- Automated investigation and response (AIR): uses inspection algorithms based on security analyst processes to examine and take (configurable) remedial action. [1709+ ✓ ✓ ✓]

File response actions
- Stop and quarantine file: stops any running processes and quarantines the file, unless signed by Microsoft. [1703+ ✓ ✓ ✓]
- Automatically collect file for deep analysis: executes the file in a cloud environment and reports on behaviours such as contacted IPs, files created on disk, and registry modifications. [✓ ✓ ✓ ✓]
- Download quarantined file: download a zipped version of the file that has been quarantined by Microsoft Defender Antivirus, if collected under your sample submission policy. [1703+ ✓]

Device response actions
- Run antivirus scan: initiates a full or quick MDAV scan even if MDAV is in passive mode. [1709+ ✓ ✓ ✓, ✓ via Live response, ✓ via Live response]
- Restrict app execution: implements a code integrity (Application Control) policy limiting files to those signed by Microsoft. [1709+ ✓ ✓]
- Isolate from the network (full): limits network connectivity on the endpoint to only the Defender for Endpoint service. [1703+ ✓ ✓ ✓, ✓ via Live response, ✓ via Live response]
- Isolate from the network (selective): limits network connectivity on the endpoint to Defender for Endpoint and Office 365 communication apps, such as Outlook and Teams. [1709+ ✓ ✓ ✓]
- Live response: establishes a remote shell connection to the endpoint to collect forensics, run scripts, analyse threats, and threat hunt. [1709+ ✓ ✓ ✓ ✓ ✓]
- Collect an investigation package: builds a zip file with folders of files of forensic information such as installed programs, autoruns, processes, SMB sessions, and system info. [1703+ ✓ ✓ ✓, ✓ via Live response, ✓ via Live response]
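The device response actions above (isolate full or selective, run antivirus scan, collect investigation package, restrict app execution) are exposed as machine actions in the Defender for Endpoint REST API, and advanced hunting is the quickest way to turn a host name into the device ID those actions need. The script below is an added example, not part of the comparison sheet; it assumes $Token already holds a bearer token for an app registration granted Machine.Read.All, Machine.Isolate, Machine.Scan, Machine.CollectForensics and AdvancedQuery.Read.All (token acquisition is not shown), and the host name and ticket reference are constructed for the example. On the platforms the table marks "via Live response", the corresponding API action is rejected by the service and has to be performed from a live response session instead.

```powershell
# Added example (not from the comparison sheet): device response actions through the
# Defender for Endpoint API. $Token is assumed to be a valid bearer token.
$ApiBase = 'https://api.securitycenter.microsoft.com/api'
$Headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

function Find-MdeDevice {
    param([Parameter(Mandatory)][string]$HostName)
    # Advanced hunting (KQL) over DeviceInfo: latest record per device gives the MDE device ID,
    # the OS platform (which decides the available actions) and onboarding status.
    $kql = @"
DeviceInfo
| where DeviceName startswith "$HostName"
| summarize arg_max(Timestamp, DeviceId, OSPlatform, OnboardingStatus) by DeviceName
"@
    $body = @{ Query = $kql } | ConvertTo-Json
    (Invoke-RestMethod -Method Post -Uri "$ApiBase/advancedqueries/run" -Headers $Headers -Body $body).Results
}

function Invoke-MdeDeviceAction {
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)]
        [ValidateSet('isolate','unisolate','runAntiVirusScan','collectInvestigationPackage','restrictCodeExecution')]
        [string]$Action,
        [Parameter(Mandatory)][string]$Comment,        # the comment is recorded in the action centre audit trail
        [ValidateSet('Full','Selective')][string]$IsolationType = 'Full',
        [ValidateSet('Quick','Full')][string]$ScanType = 'Quick'
    )
    $body = @{ Comment = $Comment }
    switch ($Action) {
        'isolate'          { $body.IsolationType = $IsolationType }  # Selective keeps Outlook/Teams reachable
        'runAntiVirusScan' { $body.ScanType = $ScanType }            # runs even if MDAV is in passive mode
    }
    Invoke-RestMethod -Method Post -Uri "$ApiBase/machines/$DeviceId/$Action" -Headers $Headers `
        -Body ($body | ConvertTo-Json)
}

function Wait-MdeMachineAction {
    param([Parameter(Mandatory)][string]$ActionId, [int]$TimeoutSeconds = 600)
    # Machine actions are asynchronous: poll until a terminal status or the deadline.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $a = Invoke-RestMethod -Method Get -Uri "$ApiBase/machineactions/$ActionId" -Headers $Headers
    } until ($a.status -in 'Succeeded','Failed','Cancelled' -or (Get-Date) -gt $deadline)
    $a
}

# Containment flow for a suspected compromise (host name and ticket reference are constructed).
$device = Find-MdeDevice -HostName 'ws-finance-07' | Select-Object -First 1
$iso  = Invoke-MdeDeviceAction -DeviceId $device.DeviceId -Action isolate -IsolationType Full -Comment 'IR-1234 containment'
$pack = Invoke-MdeDeviceAction -DeviceId $device.DeviceId -Action collectInvestigationPackage -Comment 'IR-1234 triage'
Wait-MdeMachineAction -ActionId $pack.id | Select-Object type, status, computerDnsName
```

Full isolation is the default here because it matches the table's description (only the Defender for Endpoint service stays reachable); selective isolation is the choice when the analyst needs to keep the user contactable through Outlook and Teams while the package is collected.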

Threat and vulnerability management

- OS vulnerabilities: informs TVM recommendations and weaknesses based on operating system vulnerabilities. [✓ all platforms]
- Software product vulnerabilities: informs TVM recommendations and weaknesses based on individual software vulnerabilities; not limited to Microsoft apps. [✓ 1709+ ✓ ✓ ✓ ✓ ✓ ✓ ✓]
- OS configuration assessment: informs TVM recommendations based on system settings for the OS itself. [✓ 1709+ ✓ ✓ ✓ ✓ ✓ ✓]
- Software product configuration assessment: informs TVM recommendations based on app configurations. [✓ 1709+ ✓ ✓ ✓ ✓ ✓ ✓]

Mobile OS support

- Microsoft Tunnel: a VPN gateway for Intune-managed mobile devices that leverages Azure AD for Conditional Access benefits. [Android phones ✓ (Unified), iOS ✓ (Standalone)]
- Jailbreak detection: raises alerts for potential defence evasion by reporting jailbroken devices and marking them as high risk. [iOS ✓]
- Mobile application management (MAM) support: requires the device to have the MDE app and AAD registration but doesn't require full MDM enrolment. Then sends a risk score to control access. [Android phones ✓, iOS ✓]
- Potentially unwanted or malicious app scanning: uses both signatures and ML/heuristics to protect against unsafe apps and files. [✓]
- Phishing protection: using a loopback VPN, protects against potentially malicious web traffic in browsers, email, apps, and messaging apps. [Android phones ✓, iOS ✓]

Onboarding and management

- Microsoft Monitoring Agent (MMA) required: Windows OSs without EDR capabilities built in require MMA installed with a workspace ID and key specified (obtained from the portal). [Windows 7 SP1 ✓, Windows 8.1 ✓, Windows Server 2008 R2 ✓; Windows Server 2012 R2 and 2016 ✓ only if not using the unified agent]
- 'Unified solution' agent available: for down-level Windows Server OSs, the unified solution agent (MSI installer) provides near parity with Windows Server 2019's capabilities and removes the need for the Microsoft Monitoring Agent. [Windows Server 2012 R2 ✓ (Preview), Windows Server 2016 ✓ (Preview)]
- Security Management for MDE: manage configuration using the Endpoint Manager admin centre just like Intune devices, without enrolling the device in MDM. Also known as "MDE Attach". So far only MDAV, firewall, and EDR sensor settings are supported. The device must already be onboarded. [✓ ✓ ✓ ✓]
- Microsoft Defender for Cloud / Microsoft Defender for Servers: MDE is included as part of Microsoft Defender for Servers licensing (a feature of Defender for Cloud). Using Azure Arc, it can be extended to systems not hosted in Azure (on-premises; third-party cloud). [Windows 10/11 Enterprise Multi-Session only; ✓ ✓ ✓ ✓ ✓]
- Microsoft Endpoint Manager Intune: Microsoft's MDM service; can be used for onboarding supported OSs. [✓ ✓ ✓ ✓]
- Microsoft Endpoint Manager Configuration Manager: on-premises endpoint and server management solution. [✓ ✓ ✓ ✓ ✓]
- Jamf Pro: alternative MDM for macOS. [macOS ✓]
- Puppet / Ansible / Chef: scalable automation and orchestration platforms for Linux. [Linux ✓]
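The onboarding path the table prescribes depends on the Windows version: the built-in sensor on Windows 10/11 and Server 2019/2022, the unified solution agent or MMA on Server 2012 R2 and 2016, and MMA on Windows 7 SP1, 8.1 and Server 2008 R2. The script below is an added example, not part of the comparison sheet; it works out the expected path for the local host and checks whether the matching sensor is present, using the Sense service and the OnboardingState registry value the built-in sensor and the unified agent record, and the HealthService service plus the MMA COM configuration object for the MMA path. Windows build numbers are Microsoft's published values for each release.

```powershell
# Added example (not from the comparison sheet): verify MDE onboarding on the local Windows host
# against the onboarding path the table prescribes for its OS version.

function Get-MdeOnboardingState {
    $os       = Get-CimInstance Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = server

    # Expected sensor per the table, keyed on release build numbers
    # (2008 R2 = 7601, 2012 R2 = 9600, 2016 = 14393, 2019 = 17763; Win 10 1709 = 16299).
    $expected = if ($isServer) {
        if     ($build -ge 17763) { 'Built-in sensor (Server 2019/2022)' }
        elseif ($build -ge 9600)  { 'Unified solution agent (preview) or MMA (Server 2012 R2 / 2016)' }
        else                      { 'MMA (Server 2008 R2)' }
    } else {
        if     ($build -ge 16299) { 'Built-in sensor (Windows 10/11 1709+)' }
        elseif ($build -ge 10240) { 'Built-in sensor, but below 1709: most features in the table need a newer build' }
        else                      { 'MMA (Windows 7 SP1 / 8.1)' }
    }

    # Built-in sensor and unified agent both run as the Sense service and record onboarding here.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # MMA runs as HealthService; its workspace bindings are readable via its COM config object.
    $mma = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    $workspaces = @()
    if ($mma) {
        try {
            $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
            $workspaces = @($cfg.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
        } catch { }
    }

    [pscustomobject]@{
        OS              = $os.Caption
        Build           = $build
        ExpectedSensor  = $expected
        SenseService    = if ($sense) { $sense.Status } else { 'absent' }
        OnboardingState = if ($status) { $status.OnboardingState } else { $null }   # 1 = onboarded
        OrgId           = if ($status) { $status.OrgId } else { $null }
        MmaService      = if ($mma) { $mma.Status } else { 'absent' }
        MmaWorkspaces   = $workspaces -join ','
    }
}

Get-MdeOnboardingState | Format-List
```

A host showing both a running Sense service and an MMA workspace binding is the "unified agent plus leftover MMA" case the table's "only if not using unified agent" wording warns about; the MMA binding should be removed once the unified agent is confirmed reporting, so that the device is not onboarded twice.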
