It’s been about 5 months since I last updated my comparison of Defender for Endpoint features by OS. This is a “matrix” of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.
Three months later, it’s overdue an update. So here it is 🙂 I’ve also decided to rename it to The Ultimate Comparison of MDE Features by OS… because renaming’s what we do, right?
Changes include but aren’t limited to…
- Added passive mode for Windows Server 2012 R2/2016 (unified agent), macOS, and Linux.
- Removed qualifiers for Windows Server 2012 R2/2016 features that need the unified agent. You should be deploying this anyway. If in doubt, if it’s a Windows 10 or Server 2019 feature, it needs the unified agent.
- Similarly, removed a number of mentions that things are in preview.
- Renamed Azure Defender to Microsoft Defender for Cloud + Microsoft Defender for servers.
  - Defender for Cloud replaces Azure Defender.
  - Defender for servers is a feature of Defender for Cloud that includes Defender for Endpoint for servers plus loads more, like JIT access to VMs.
- Chef for Linux added
- Cloud delivered protection for macOS. Who knew!?
- Security Management added. This lets you manage config in Endpoint Manager, just like Intune, but without needing Intune enrolment. It’s the future!
- Debian, iOS, and Android TVM support added.
- macOS and Linux live response capabilities added, including isolation, investigation packages, and scan initiation
- Tamper protection for iOS and Android was added. Not really the same as TP for Windows, but it’s the name that’s been chosen. This informs device compliance if the app hasn’t protected the device in a week.
- Removed Windows Server SAC from the comparison because… did anyone really care? Trying to simplify things.
- Clarified that device discovery can be standard (active) or basic (passive), and added Windows Server 2019+.
- Added host firewall reporting.
I have had requests to include the distinctions between license SKUs: Defender for Business, Plan 1, and Plan 2. I thought about this and did draft a version with it, but, frankly, I want to stay away from licensing. That’s not the intent of this project. I might do another similar comparison in the future, but it’s not as simple as features by OS, as some features don’t care about OS (e.g. P2’s threat analytics).
Still on the to-do list is improved management of this on GitHub with markup format and Excel + CSV. I’ve been occupied with the upcoming book every spare minute that isn’t family life. I’ll get to it. If anyone can talk me through making a markup table in GitHub, hit me up to speed things up!
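Since the to-do list mentions keeping the matrix as CSV and rendering it as a GitHub markup table, here is one way to do that. This is an added example, not part of the original post or the project; the feature rows and ✓ cells in the sample CSV are constructed to show the shape of the matrix and are not the real comparison data. The script converts a CSV matrix into a GitHub-flavoured markdown table (escaping `|` in cells so a cell like “Plan 1 | Plan 2” cannot break a row), rejects ragged rows, and can also answer “which OS columns have a mark for this feature?”, which is handy for checking the CSV before committing it.

```python
import csv
import io

# Constructed sample in the shape of the feature-by-OS matrix.
# Cell values are illustrative only, not the real matrix.
SAMPLE_CSV = """Feature,Windows 10,Windows Server 2019,macOS,Linux
Passive mode,✓,✓,✓,✓
Live response,✓,✓,✓,✓
Tamper protection,✓,✓,✓,
Device discovery,✓ (standard/basic),✓ (standard/basic),,
"""


def escape_cell(value: str) -> str:
    """Escape characters that would break a GitHub markdown table cell."""
    return value.strip().replace("|", "\\|").replace("\n", " ")


def csv_to_markdown(csv_text: str) -> str:
    """Render a CSV matrix (first row = headers, first column = feature) as a
    GitHub markdown table. Raises ValueError on empty input or ragged rows."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    rows = [r for r in rows if any(cell.strip() for cell in r)]
    if not rows:
        raise ValueError("CSV has no rows")
    width = len(rows[0])
    header = [escape_cell(c) for c in rows[0]]
    lines = ["| " + " | ".join(header) + " |"]
    # Alignment row: feature column left-aligned, OS columns centred.
    align = [":---"] + [":---:"] * (width - 1)
    lines.append("| " + " | ".join(align) + " |")
    for row in rows[1:]:
        if len(row) != width:
            raise ValueError(f"row has {len(row)} cells, expected {width}: {row}")
        lines.append("| " + " | ".join(escape_cell(c) for c in row) + " |")
    return "\n".join(lines)


def supported_os(csv_text: str, feature: str) -> list[str]:
    """Return the OS column names where the feature row has a non-empty cell."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header = rows[0]
    for row in rows[1:]:
        if row and row[0].strip() == feature:
            return [h for h, cell in zip(header[1:], row[1:]) if cell.strip()]
    raise KeyError(feature)


if __name__ == "__main__":
    print(csv_to_markdown(SAMPLE_CSV))
    print(supported_os(SAMPLE_CSV, "Tamper protection"))
```

Paste the printed table into a README.md and GitHub renders it; an empty cell renders as blank, so a missing ✓ reads as “not supported” without any extra markup.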
And the obligatory disclaimers…
- This is provided without warranty and only my best effort. This stuff isn’t always obvious in the documentation, so expect updates to refine accuracy over time.
- Where I have used a green check ✓ to note support, this doesn’t mean all versions of that OS, but it does mean all MDE-supported versions of that OS. For example, macOS is supported for the three latest versions, and Windows 10 from 1607. Similarly, Linux is complicated. If in doubt, ask me or look up the docs.
- For the most part, I have gone by what the docs say. Why point this out? For example, my friend Rudy Ooms has previously pointed out that some ASR rules apply on OSs that aren’t officially listed in Microsoft’s docs (this was before the unified solution became available). The point is: the docs don’t always reflect what really works. I’ve stuck to the docs because if you ever need support, that’s what you’ll have to help you. In some cases, the docs say nothing about the OS version required, so I’ve had to figure it out myself or make a presumption based on other information (for example, response actions on Server SAC versions, by looking at the LTSC version supported).
- If you notice any errors or have suggestions for improvement, let me know!
You can download it below.
Or check it out in this (probably compressed and squashed) image below.
Let me know any feedback you have!