Finally, it’s time for a refresh.  It’s been a while!  Due to personal circumstances, I haven’t been able to keep the Ultimate Comparison of MDE by OS updated.  I’ve had time to dive into the changes since v5 and it’s really been amazing to see MDE grow in scope. 

What is MDE and why do we need an ‘ultimate comparison’?

Microsoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities.  It integrates with the broader Microsoft Defender XDR and is available for almost any OS you’ll find in an enterprise.  This cross-platform nature of MDE makes it difficult to understand and track which features and capabilities are available on each OS.  It’s not always intuitive, and you may be in for some surprises.  Hence why I began the Ultimate Comparison of Defender for Endpoint Features by OS and keep it up to date: to make you aware of what you’re getting and what you need to start implementing if you haven’t already.

Change log for this release

February 2024’s release, version 6, has the following changes and updates:

  • Added the Block Webshell creation for Servers ASR rule
  • Added performance mode for Microsoft Defender Antivirus on Windows 11 Dev Drive
  • Added contain user and device from the network
  • Added forcibly release device from isolation (script)
  • Added Windows Subsystem for Linux (WSL) 2
  • Added privacy controls for iOS and Android
  • Added optional permissions and disable web protection for iOS and Android
  • Added troubleshooting mode for macOS
  • Added deception capabilities
  • Added contextual file and folder exclusions
  • Added tamper protection for exclusions
  • Updated antivirus scan and device isolation for macOS and Linux which are now supported directly from device actions; previously required live response
  • Renamed Security Management to Security settings management and added support for Linux and macOS
  • Clarified restrict app execution support (thanks 25004 on GitHub)
  • Clarified selective isolation support

MDE’s continued growth

Since starting the Ultimate Comparison of MDE Features by OS in summer 2021, over thirty new capabilities and features have been added!  That doesn’t even include the expansion of existing features from Windows to macOS and Linux.

A few other points

I’m always looking for feedback and for things I’ve missed. Sometimes features get updated but don’t make the docs or change logs. If you find any, let me know! I am particularly interested in any Linux and macOS goodies. Specifically…

  • I hear tamper protection for Linux is available, but I’ve never seen it used in the wild and documentation is scarce, so I’d love feedback from anyone who’s got more info!
  • Not mentioned in the comparison because I group all Linux into one category but ICYMI, MDE supports Mariner 2, Alma 9.2+, and Rocky 8.7+ as of 5 February 2024.

Obligatory disclaimers

  • This is provided without warranty and only my best effort.  This stuff isn’t always obvious in the documentation, so expect updates to refine accuracy over time.
  • Where I have used a green check to note support, this doesn’t mean all versions of that OS; it means all MDE-supported versions of that OS, or that Microsoft just hasn’t been clear about which version is needed.  For example, macOS is supported for the three latest versions, and Windows 10 from 1607.  Similarly, Linux is complicated.  In some cases, the learn.microsoft.com pages just say Windows 10 with no specific information about versions. You may also find some features are in preview mode. If in doubt, ask me or look up the docs.
  • I have gone by what the docs say. Mostly.  If there are conflicting docs, I go with the most conservative option (looking at you, Device Control, which has conflicting info about Windows Server support).  Why point this out?  For example, my friend Rudy Ooms has previously pointed out that some ASR rules apply on OSs that aren’t officially listed in Microsoft’s docs (this was before the unified solution became available).  The point is: the docs don’t always reflect what really works.  I’ve stuck to the docs because if you ever need support, that’s what you’ll have to rely on.  In some cases, the docs say nothing about the OS version required, so I’ve had to figure it out myself or make a presumption based on other information (the new MDVM capabilities are a good example of this).
  • If you notice any errors or have suggestions for improvement, let me know!

Download

You can download it below.
