Microsoft Defender For Endpoint Overview

Microsoft Defender for Endpoint

Speaker name
Title
Navigating a shifting world

• Conventional security tools have not kept pace
• The nature of business and work have changed
• Cost of breaches and regulations are increasing
Today’s threats: criminal groups follow opportunities

Malware encounters align with news headlines (chart: COVID-themed attacks, United States)
Source: Microsoft Digital Defense Report 2020
Why we’re different

Agentless, cloud powered
No additional deployment or infrastructure. No delays or update compatibility issues. Always up to date.

Unparalleled optics
Built on the industry’s deepest insight into threats and shared signals across devices, identities, and information.

Automated security
Take your security to a new level by going from alert to remediation in minutes—at scale.
An industry leader in endpoint security

• Gartner names Microsoft a Leader in the 2021 Endpoint Protection Platforms Magic Quadrant.
• Forrester names Microsoft a Leader in the 2021 Endpoint Security Software as a Service Wave.
• Forrester names Microsoft a Leader in the 2020 Enterprise Detection and Response Wave.
• Our antimalware capabilities consistently achieve high scores in independent tests.
• Microsoft leads in real-world detection in the MITRE ATT&CK evaluation.
• Microsoft Defender for Endpoint was awarded a perfect 5-star rating by SC Media in its 2020 Endpoint Security Review.
• Microsoft won six security awards with Cyber Defense Magazine at RSAC 2021:
  Best Product, Hardware Security
  Market Leader, Endpoint Security
  Editor's Choice, Extended Detection and Response (XDR)
  Most Innovative, Malware Detection
  Cutting Edge, Email Security
Industry leading endpoint security across platforms

• Endpoints and Servers
• Mobile device OS
• Network Devices (Cisco, Juniper Networks, HP Enterprise, Palo Alto Networks)
Microsoft Defender for Endpoint
Threats are no match.

• Threat & Vulnerability Management
• Attack Surface Reduction
• Next Generation Protection
• Endpoint Detection & Response
• Auto Investigation & Remediation
• Microsoft Threat Experts
• Centralized Configuration and Administration
• APIs and Integration
Key customer pain points

Discover: periodic scanning; blind spots; no run-time info; “static snapshot”.
Prioritize: based on severity; missing org context; no threat view; large threat reports.
Compensate: waiting for a patch; no IT/Security bridge; manual process; no validation.

Bottom line: Organizations remain highly vulnerable, despite high maintenance costs
Threat & Vulnerability Management

A risk-based approach to mature your vulnerability management program

1 Continuous real-time discovery
2 Context-aware prioritization
3 Built-in end-to-end remediation process
1 Continuous Discovery
Extensive vulnerability assessment across the entire stack (listed from easiest to exploit to hardest to discover)

Application extension vulnerabilities
Application-specific vulnerabilities that relate to a component within the application.
For example: Grammarly Chrome Extension (CVE-2018-6654)

Application run-time library vulnerabilities
Reside in a run-time library that is loaded by an application (a dependency).
For example: Electron JS framework vulnerability (CVE-2018-1000136)

Application vulnerabilities (1st and 3rd party)
Discovered and exploited on a daily basis.
For example: 7-zip code execution (CVE-2018-10115)

OS kernel vulnerabilities
Becoming more and more popular in recent years due to OS exploit mitigation controls.
For example: Win32 elevation of privilege (CVE-2018-8233)

Hardware vulnerabilities (firmware)
Extremely hard to exploit, but can affect the root of trust of the system.
For example: Spectre/Meltdown vulnerabilities (CVE-2017-5715)
1 Continuous Discovery
Broad secure configuration assessment

Operating system misconfiguration: File Share Analysis; Security Stack configuration; OS baseline
Application misconfiguration: Least-privilege principle; Client/Server/Web application analysis; SSL/TLS Certificate assessment
Account misconfiguration: Password Policy; Permission Analysis
Network misconfiguration: Open ports analysis; Network services analysis
2 Threat & Business Prioritization (“TLV”)
Helping customers focus on the right things at the right time

T – Threat Landscape
• Vulnerability characteristics (CVSS score, days vulnerable)
• Exploit characteristics (public exploit & difficulty, bundle)
• EDR security alerts (active alerts, breach history)
• Threat analytics (live campaigns, threat actors)

L – Breach Likelihood
• Current security posture
• Internet facing
• Exploit attempts in the org

V – Business Value
• HVA analysis (WIP, HVU, critical process)
• Run-time & dependency analysis
3 Automated Compensation
Bridging between the IT and Security admins

Game changing bridge between IT and Security teams
• 1-click remediation requests via Intune/SCCM
• Automated task monitoring via run-time analysis
• Tracking mean-time-to-mitigate KPIs
• Rich exception experience to mitigate/accept risk
• Ticket management integration (Intune, Planner, ServiceNow, JIRA)


Key customer pain points

Zero days: zero days continue to plague the industry.
Network boundaries: perimeters are eroding, unique solutions are required to harden them.
Cross-platform: heterogeneous environments make it challenging.

Bottom line: Organizations struggle to proactively adjust their security posture


Attack Surface Reduction

Eliminate risks by reducing the surface area of attack

• System hardening without disruption
• Customization that fits your organization
• Visualize the impact and simply turn it on

Attack Surface Reduction
Resist attacks and exploitations

• HW based isolation: isolate access to untrusted sites; isolate access to untrusted Office files
• Application control: only allow trusted applications to run
• Exploit protection: exploit mitigation; protect your legacy applications
• Host intrusion prevention
• Network protection: block traffic to low reputation destinations
• Controlled folder access: ransomware protection for your files
• Device control
• Web protection
• Ransomware protection
Attack Surface Reduction (ASR) Rules
Minimize the attack surface
Signature-less, control entry vectors, based on cloud intelligence. Attack surface reduction (ASR) controls, such as the behavior of Office macros.

Productivity apps rules
• Block Office apps from creating executable content
• Block Office apps from creating child processes
• Block Office apps from injecting code into other processes
• Block Win32 API calls from Office macros
• Block Adobe Reader from creating child processes

Email rule
• Block executable content from email client and webmail
• Block only Office communication applications from creating child processes

Script rules
• Block obfuscated JS/VBS/PS/macro code
• Block JS/VBS from launching downloaded executable content

Polymorphic threats
• Block executable files from running unless they meet a prevalence (1000 machines), age (24hrs), or trusted list criteria
• Block untrusted and unsigned processes that run from USB
• Use advanced protection against ransomware

Lateral movement & credential theft
• Block process creations originating from PSExec and WMI commands
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)
• Block persistence through WMI event subscription

Easy button: turn on block. Get script to implement. Submit Intune ticket.

Network protection
Allow, audit and block

Perimeter-less network protection (“SmartScreen in the box”) preventing users from accessing malicious or suspicious network destinations, using any app on the device and not just Microsoft Edge.

Customers can add their own TI in addition to trusting our rich reputation database.

Screens: Microsoft Web Threat Alerts; Web Threat Reports; Web content filtering configuration; Web Content Filtering reporting

Key customer pain points

• Solutions that depend on regular updates cannot protect against the 7 million unique threats that emerge per hour
• The game has shifted from blocking recognizable executable files to malware that uses sophisticated exploit techniques (e.g. fileless)
• While Attack Surface Reduction can dramatically increase your security posture, you still need detection for the surfaces that remain
• We live in a world of hyper polymorphic threats with 5 billion unique instances per month
Static vs Dynamic

Static signatures focus on a file: hashes, strings, emulators. Ineffective.
Dynamic heuristics focus on run-time behaviors: behavior monitoring, memory scanning, AMSI, command-line scanning. Effective.
Next Generation Protection

Blocks and tackles sophisticated threats and malware

• Behavioral based real-time protection
• Blocks file-based and fileless malware
• Stops malicious activity from trusted and untrusted applications

“Aced protection tests 12 months in a row.” Proven protection in the field, backed up by consistent top rankings on industry comparison tests (AV-TEST, SE Labs).
Microsoft Defender for Endpoint next generation protection engines

Cloud
• Metadata-based ML: stops new threats quickly by analyzing metadata
• Behavior-based ML: identifies new threats with process trees and suspicious behavior sequences
• AMSI-paired ML: detects fileless and in-memory attacks using paired client and cloud ML models
• File classification ML: detects new malware by running multi-class, deep neural network classifiers
• Detonation-based ML: catches new malware by detonating unknown files
• Reputation ML: catches threats with bad reputation, whether direct or by association
• Smart rules: blocks threats using expert-written rules

Client
• ML: spots new and unknown threats using client-based ML models
• Behavior monitoring: identifies malicious behavior, including suspicious runtime sequences
• Memory scanning: detects malicious code running in memory
• AMSI integration: detects fileless and in-memory attacks
• Heuristics: catches malware variants or new strains with similar characteristics
• Emulation: evaluates files based on how they would behave when run
• Network monitoring: catches malicious network activities
Innovations in Fileless Protection

• Dynamic and in-context URL analysis to block calls to malicious URLs
• AMSI-paired machine learning uses pairs of client-side and cloud-side models that integrate with Antimalware Scan Interface (AMSI) to perform advanced analysis of scripting behavior
• DNS exfiltration analysis
• Deep memory analysis

Taxonomy of fileless threats (diagram):
• Type I – No file activity performed: remote attacker; network card, hard disk, circuitry, hypervisor, IME, motherboard firmware, BadUSB
• Type II – No file written on disk, but some files used indirectly: registry, WMI repo, shell backdoors, service
• Type III – Files required to achieve fileless persistence: LNK, docs, scheduled task, exe, URL, Java, Flash, MBR, VBR
Microsoft Defender for Endpoint’s NGP protection pipeline

From malware encounter to highly stealthy threats:
• Client: heuristics, behavior, and local ML models
• Cloud: ML-powered cloud rules, metadata
• Sample: suspicious files uploaded for inspection by a multiclass, deep neural network classifier
• Detonation: suspicious files are executed in a sandbox for dynamic analysis
• Big data: automatically classify threats based on signals across Microsoft
Dynamic: behavior monitoring

Monitors activity on:
• Files
• Registry keys
• Processes
• Network (basic HTTP inspection)
• … and a few other specific activities

Heuristics can:
• Detect sequences of events. E.g. a file named “malware.exe” is created
• Inspect event data. E.g. an AutoRun key is created and contains “malware.exe”
• Correlate with other static signals. E.g. “malware.exe” has an attribute indicating it is a DotNet executable
• Perform some basic remediation. E.g. delete “malware.exe” if the BM event reported infection
• Request memory scan of running processes
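A toy version of the behavior-monitoring heuristics listed above, added here as an example (not Microsoft's code): it walks a constructed event stream, pairs a dropped exe with a later AutoRun key write, correlates that with a constructed static attribute, and only then emits the delete and memory-scan actions. The event shape, attribute names and file paths are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Registry paths whose values run at logon; a write here is an "AutoRun" entry.
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
INFECTION_THRESHOLD = 3   # sequence alone (2 points) does not convict; static (1) must agree


@dataclass
class Event:
    kind: str               # "file_create" | "reg_set" | "process_start" (assumed shape)
    data: Dict[str, str]


@dataclass
class Verdict:
    score: int = 0          # highest per-file score seen in the stream
    reasons: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return self.score >= INFECTION_THRESHOLD


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def run_heuristics(events: List[Event],
                   static_attrs: Dict[str, Dict[str, bool]]) -> Verdict:
    """One pass over the event stream, keeping per-file state."""
    created: Dict[str, str] = {}     # exe name -> full path, from file_create
    running: Dict[str, str] = {}     # exe name -> pid, from process_start
    convicted: List[Tuple[str, str]] = []
    v = Verdict()
    for ev in events:
        if ev.kind == "file_create" and ev.data["path"].lower().endswith(".exe"):
            created[basename(ev.data["path"])] = ev.data["path"]
        elif ev.kind == "process_start":
            running[basename(ev.data["image"])] = ev.data["pid"]
        elif ev.kind == "reg_set":
            key, value = ev.data["key"].lower(), ev.data["value"].lower()
            # Inspect event data: only writes to AutoRun keys are interesting.
            if not any(marker in key for marker in RUN_KEY_MARKERS):
                continue
            for name, path in created.items():
                if name not in value:
                    continue
                # Sequence: an exe dropped earlier is now set to run at logon.
                points = 2
                v.reasons.append(f"sequence: {name} created, then AutoRun key set to it")
                # Correlate with static signals reported by the file scanner.
                attrs = static_attrs.get(path, {})
                if attrs.get("is_dotnet") and not attrs.get("is_signed"):
                    points += 1
                    v.reasons.append(f"static: {name} is an unsigned .NET executable")
                v.score = max(v.score, points)
                if points >= INFECTION_THRESHOLD:
                    convicted.append((name, path))
    # Basic remediation: delete the dropped file and, if it is running, request
    # a memory scan of that process.
    for name, path in convicted:
        v.actions.append(f"delete {path}")
        if name in running:
            v.actions.append(f"memory_scan pid={running[name]}")
    return v


# Constructed sample telemetry (not real data); paths are placeholders.
MAL = r"C:\Users\alice\AppData\Local\Temp\malware.exe"
UPD = r"C:\Program Files\Vendor\updater.exe"
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
MALICIOUS = [
    Event("file_create", {"path": MAL}),
    Event("process_start", {"image": MAL, "pid": "4120"}),
    Event("reg_set", {"key": "HKCU" + RUN, "name": "Updater", "value": MAL}),
]
BENIGN = [
    Event("file_create", {"path": UPD}),
    Event("reg_set", {"key": "HKLM" + RUN, "name": "VendorUpdater", "value": UPD}),
]
# Stands in for attributes the static scanner would attach to each file.
STATIC = {MAL: {"is_dotnet": True, "is_signed": False},
          UPD: {"is_dotnet": True, "is_signed": True}}

if __name__ == "__main__":
    for label, stream in (("malicious", MALICIOUS), ("benign", BENIGN)):
        verdict = run_heuristics(stream, STATIC)
        print(label, "INFECTED" if verdict.infected else "clean", verdict.reasons, verdict.actions)
```

The signed vendor updater triggers the same sequence but is not convicted, which is the point of correlating behavior with static signals before remediating.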


Sandboxing of the antivirus engine

Then vs. Now (diagram)

Read the blog for more details

Tamper Protection – Password-less, secure, e2e

• Seamless, secure and password-less configuration
• Threat & vulnerability management – Security recommendation
• Tampering alert based on System Guard and EDR signals
• Advanced Hunting

Read the blog for more details

Firmware & hardware protections
Scanning and detection
UEFI scanner reads the firmware file system at runtime by interacting with the motherboard chipset, performing dynamic analysis using multiple solution components:
• UEFI anti-rootkit, which reaches the firmware through Serial Peripheral Interface (SPI)
• Full filesystem scanner, which analyzes content inside the firmware
• Detection engine, which identifies exploits and malicious behaviors

Microsoft Defender Security Center (screenshot)

Read the blog for more details

Behavioral Blocking and Containment

Immediately stops a threat before it can progress

Microsoft has the unique ability to scan signals across kill chains and payloads (endpoints, Office, Identity, etc.)

Some highlights:
• Pre- and post-breach AI- and ML-based behavioral blocking and containment
• Detect malware after first sight and block it on other endpoints within minutes (1 – 5 minutes)
• Microsoft Defender for Endpoint provides an additional protection layer by blocking/preventing malicious behavior even if we are not the primary AV

Read the blog for more details


Key customer pain points

46% of compromised systems had no malware on them

• As attacks become more complex and multi-staged, it’s difficult to make sense of the threats detected
• Following an advanced attack across the network and different sensors can be challenging
• Collecting evidence and alerts, even from 1 infected device, can be a long, time-consuming process
• Living off the land - attackers use evasion techniques

Attack chain (diagram): Click on a URL → Exploitation → Installation → C&C channel → Persistency → Privilege escalation → Reconnaissance → Lateral movement
Endpoint Detection & Response

Detect and investigate advanced persistent attacks

• Correlated behavioral alerts
• Investigation & hunting over 6 months of data
• Rich set of response actions

Demonstrated industry-leading optics and detection capabilities in MITRE ATT&CK-based evaluation.
Endpoint Detection & Response

• Correlated post-breach detection
• Investigation experience
• Incident
• Advanced hunting
• Response actions (+EDR blocks)
• Deep file analysis
• Live response
• Threat analytics
Triage & Investigation

Understand what was alerted
Alert investigation experience provides detailed description, rich context, full process execution tree.

Investigate device activity
Full machine timeline to drill into activities, filter and search.

Rich supporting data & tools
Supporting profiles for files, IPs, URLs including org & world prevalence, deep analysis sandbox.

Expand scope of breach
In-context pivoting to other affected machines/users.
Incident
Narrates the end-to-end attack story

Reconstructing the story
The broader attack story is better described when relevant alerts and related entities are brought together.

Incident scope
Analysts receive better perspective on the purview of complex threats containing multiple entities.

Higher fidelity, lower noise
Effectively reduces the load and effort required to investigate and respond to attacks.

Announcement blog
Advanced hunting with custom detection and custom response
Live Response

Real-time live connection to a remote system

• Leverage Microsoft Defender for Endpoint Auto IR library (memory dump, MFT analysis, raw filesystem access, etc.)
• Extended remediation command + easy undo
• Full audit
• Extendable (write your own command, build your own tool)
• RBAC+ Permissions
• Git-Repo (share your tools)

Threat Analytics
See how you do against major threats

Threat to posture view
See how you score against significant and emerging campaigns with interactive reports.

Identify unprotected systems
Get real-time insights to assess the impact of the threat on your environment.

Get guidance
Provides recommended actions to increase security resilience, prevent, or contain the threat.

Key customer pain points

More threats, more alerts leads to analyst fatigue
• Alert investigation is time-consuming
• Manual remediation requires time
• Talent shortage in cybersecurity

Analysts overwhelmed by manual alert investigation & remediation (diagram: alert queue → Analyst 1, Analyst 2)
Expertise is expensive
What Is Microsoft Defender for Endpoint Auto IR?

Security automation is… mimicking the ideal steps a human would take to investigate and remediate a cyber threat.
Security automation is not… “if machine has alert → auto-isolate”.

When we look at the steps an analyst takes when investigating and remediating threats we can identify the following high-level steps:

1 Determining whether the threat requires action
2 Performing necessary remediation actions
3 Deciding what additional investigations should be next
4 Repeating this as many times as necessary for every alert
Auto Investigation & Remediation

Automatically investigates alerts and remediates complex threats in minutes

• Mimics the ideal steps analysts would take
• Tackles file or memory-based attacks
• Works 24x7, with unlimited capacity

Screens: auto investigation queue; investigation graph

Key customer pain points

• Need for additional threat context
• No threat expert to contact when needed
• As threats are becoming complex, I could need additional context and guidance on alert handling
• Missing guidance on alert handling
• Important alerts might get missed
• Does this alert or event really matter to my org?

Attack chain (diagram) stages shown: Click on a URL, Installation, Exploitation, C&C channel, Persistency, Reconnaissance, Lateral movement
Microsoft Threat Experts

Bring deep knowledge and proactive threat hunting to your SOC

• Expert level threat monitoring and analysis
• Environment-specific context via alerts
• Direct access to world-class hunters

Microsoft Threat Experts
An additional layer of oversight and analysis to help ensure that threats don’t get missed

Targeted attack notifications
Threat hunters have your back. Microsoft Threat Experts proactively hunt to spot anomalies or known malicious behavior in your unique environment.

Experts on demand
World-class expertise at your fingertips. Got questions about an alert, malware, or threat context? Ask a seasoned Microsoft Threat Expert.

Historical roles & friction

Security Team
• Responsible for security monitoring and reducing risk
• Analyze threats, security incidents, exposure and identify mitigations
• Define security policies
• Priority is on quick remediation on impacted devices/users

IT Team
• Responsible for policy configuration including security policies
• Analyzes change impact and stages rollout of global policies
• Priority is a stable IT environment and low costs
Customer needs

• Simple, cross-platform, unified endpoint security management console
• Intuitive, advanced policy management capabilities
• Security controls granularity and completeness
• Continuous assessment and reporting of endpoint state

Seamless and frictionless Security Management

Assess, configure and respond to changes in your environment

• Centrally assess & configure your security
• Variety of reports and dashboards for detailed monitoring and visibility
• Seamless integration between policy assessment and policy enforcement
Endpoint Security Management

All devices | Sec Admin experiences | Security baselines | Security tasks

Target security policy to any device across Windows, Mac, Linux, Android, or iOS

Seamless integration
• Microsoft Defender for Endpoint: policy assessment
• Microsoft Endpoint Manager: policy enforcement
• Easily access management controls from the console
• Set security controls and baselines in Microsoft Endpoint Manager
• Get rich reporting in Microsoft Defender for Endpoint

Connecting with the platform

Microsoft Defender for Endpoint (Threats are no match.) capabilities: Threat & Vulnerability Management; Attack Surface Reduction; Next Generation Protection; Endpoint Detection & Response; Auto Investigation & Remediation; Microsoft Threat Experts.
APIs and Integration: Devices; Reporting; Apps; SIEM; Data; Tools.
Microsoft Defender for Endpoint through ecosystem & API

Enable managed service provider offerings on top of Microsoft Defender for Endpoint (MSSP, MDR)

Ecosystem (diagram): Service providers; Security analytics & operations; SOAR; SDK; ITSM; Threat intelligence; APIs; Endpoint security solutions; Attack simulation; Custom reporting & analytics; MTD partners; Technology partners; Customer apps; Network; Apps; Orchestration & automation

• Query API; Streaming API; Actions API
• Threat intel API, Vulnerability API; Application connectors (PBI, Flow, SNOW); Microsoft Security Graph connector
• AAD authentication & authorization; RBAC controls; Developer License
• Developer kit; Partner integration kit
Microsoft Defender for Endpoint APIs & partners
Easy development & tracking of connected solutions

API Explorer
Explore various Microsoft Defender for Endpoint APIs interactively

Data Export API
Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your storage account

Integrated compliance assessment
Track apps that integrate with the Microsoft Defender for Endpoint platform in your organization.
Cross-platform
Microsoft Defender for Endpoint (Mac)
The first step in our cross-platform journey

Threat prevention
• Realtime MW protection for Mac OS
• Malware detection alerts visible in the Microsoft Defender for Endpoint console

Rich cyber data enabling attack detection and investigation
• Monitors relevant activities including files, processes, network activities
• Reports verbose data with full scope of relationships between entities
• Provides a complete picture of what’s happening on the device

Enterprise Grade
• Lightweight deployment & onboarding process
• Performant, non-intrusive
• Aligned with compliance, privacy & data sovereignty requirements

Seamlessly integrated with Microsoft Defender for Endpoint capabilities
• Detection dictionary across the kill chain
• 6 months of raw data on all machines inc Mac OS
• Reputation data for all entities being logged
• Single pane of glass across all endpoints inc Mac OS
• Advanced hunting on all raw data including Mac OS
• Custom TI
• API access to the entire data model inc Mac OS
• SIEM integration
• Compliance & Privacy
• RBAC
Microsoft Defender for Endpoint (Linux)

On the client:
• AV prevention
• Full command line experience (scanning, configuring, agent health)

In the Microsoft Defender Security Center, you'll see basic alerts and machine information. EDR functionality will be gradually lit up in upcoming waves.

Antivirus alerts: severity; scan type; device information (hostname, machine identifier, tenant identifier, app version, and OS type); file information (name, path, size, and hash); threat information (name, type, and state)

Device information: machine identifier; tenant identifier; app version; hostname; OS type; OS version; computer model; processor architecture; whether the device is a virtual machine
Microsoft Defender for Endpoint (Android) current offering

Web Protection: anti-phishing; block unsafe network connections; custom indicators: allow/block URLs
Malware Scan: alerts for malware, PUA; files scan; storage and memory scans
Single Pane of Glass Reporting: alerts for phishing; alerts for malicious apps; auto-connection for peripheral reporting in Microsoft Defender Security Center
Conditional Access: block risky devices; mark devices non-compliant
Supported Configurations: Device Administrator; Android Enterprise (Work Profile)
Licensed by Microsoft: included in per user licenses that offer Microsoft Defender for Endpoint; part of the 5 qualified devices for eligible licensed users; reach out to your account team or CSP
Microsoft Defender for Endpoint (iOS) current offering

Web Protection: anti-phishing; block unsafe network connections; custom indicators: allow/block URLs
Single Pane of Glass Reporting: alerts for phishing; auto connection for reporting in Microsoft Defender Security Center
Supported Configurations: supervised; unsupervised
Licensed by Microsoft: included in per user licenses that offer Microsoft Defender for Endpoint; part of the 5 qualified devices for eligible licensed users; reach out to your account team or CSP
How to get started
Evaluation Lab & Tutorials

Setup
• Latest OS version
• Pre-configured to security baseline
• Onboarded to Microsoft Defender for Endpoint
• Full Audit mode across the stack
• Pre-populated with evaluation tools
• Multiple interconnected devices (lateral movement)

Simulation
• Microsoft Defender for Endpoint pre-made simulations
• “Do it yourself” scenarios
• Wizard based experience (walk customers through product capabilities)
• Full flexibility (real-machine RDP accessible)
• Training & education is a critical part of a successful PoC

Reports
• Guided experience
• Report is generated in real-time
• Results are self-contained (separate customer tenant data)
• Summary report
• Highlighting additional Microsoft Defender for Endpoint relevant features
Using Microsoft Defender for Endpoint?
Turn on Public Preview features

Sign up for a trial: https://aka.ms/DefenderEndpoint
Check our blog: https://aka.ms/MSDEBlog

THANK YOU!
