Understanding Microsoft's Defender for Endpoint


This article describes

  • What is Microsoft's Defender for Endpoint (MDE) service
  • How to get started with the service
  • How to get additional training on the service



Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help organizational unit (OU) admins prevent, detect, investigate, and respond to advanced threats. The MDE service supports macOS, Linux, and Windows devices. iOS and Android devices are not supported at this time. Below are some key elements of the service.

  • Enables OU admins to identify vulnerable systems
  • Prioritizes and provides remediation of endpoint vulnerabilities and misconfigurations
  • Centralizes and automates monitoring and management
  • Provides zero-day response to threats

This service allows departments to register up to five university devices (macOS, Linux, and Windows) for each departmental user with a Microsoft 365 (M365) A5 faculty-use license. A5 student-use licenses are not sufficient for this service. OU Admins can visit the Microsoft Defender for Endpoint Service Catalog entry to enroll their departments in the MDE service.

Getting Started Guide

If your hosts are sending Windows logs to the Virginia Tech Central Log Service (CLS), note that the Information Technology Security Office (ITSO) has approved dropping select Microsoft Defender for Endpoint internal debug logs. These logs will remain on the originating hosts but will be filtered from the outgoing logs by the configuration provided by the CLS. 

  1. Register: Sign up for the service at the Microsoft Defender for Endpoint Service Catalog entry. It is required that your department completes this step before continuing.
  2. Verify: After registration is complete
    1. Verify that two security groups have been created within your OU, "Defender OU NAME Admins" and "Defender OU NAME View-Only Admins". "OU-NAME" refers to the OU name that you entered in the form when requesting the service.
    2. Verify that you are a member of the "Defender OU-NAME Admins" security group that was created during registration. If you are not a member, make sure you and other designated OU admins are added to this group. It is required that you have a minimum of two admins in this group.
  3. Deploy software: There are various paths to deploy MDE on devices: Intune (Windows), BigFix (Windows, Linux, and macOS), Jamf (macOS), and scripts for individual device installation.
  4. Tag devices: The mechanism to provide an OU-like structure and permissions within the service portal will be via device tagging.
  5. Read overview: Before heading to the portal to manage the devices, we recommend reading this overview: Microsoft Defender for Endpoint.
  6. Explore enrolled devices: Individual devices can be explored at the portal: Windows Security Center - specifically within the Devices section

Additional Training

There is a lot of information available within the MDE portal. Below are links to additional training available to guide you through the options.