Microsoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities. It integrates with Microsoft 365 Defender (the broader XDR platform) and is available for almost any OS you’ll find in an enterprise. This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS. It’s not always intuitive, and you may be in for some surprises. I try to keep this Ultimate Comparison of Defender for Endpoint Features by OS up to date to keep you aware of what you’re getting and what you need to go start implementing if you haven’t already.
February 2023’s release, version 5, follows up on my August 2022 release of the comparison.
What’s new?
- Clarified a few points about Device Control (see below disclaimers for more info)
- Clarified network protection on mobile support
- Added macOS and Linux support for file indicators
- Added Windows Server 2012 R2 and 2016 support for troubleshooting mode (thanks Stefan Schörling MVP)
- Added Windows Server 2016 support for downloading quarantined files (thanks Stefan Schörling MVP)
- Added firmware assessments in Microsoft Defender Vulnerability Management (add-on license needed)
- Added security baseline assessments in Microsoft Defender Vulnerability Management (add-on license needed)
- Added software usage insights in Microsoft Defender Vulnerability Management
- Added software product vulnerabilities for iOS in Microsoft Defender Vulnerability Management
- Removed references for Microsoft Endpoint Manager, which has been renamed Intune
- Updated supported capabilities of Security Management for MDE to include ASR rules
- Updated wording of Microsoft Defender for Servers to clarify Linux onboards in passive mode by default
Obligatory disclaimers:
- This is provided without warranty and only my best effort. This stuff isn’t always obvious in the documentation, so expect updates to refine accuracy over time.
- Where I have used a green check ✓ to note support, this doesn’t mean all versions of that OS, but it does mean all MDE-supported versions of that OS or if Microsoft just hasn’t been clear about which version is needed. For example, macOS is supported for the three latest versions, and Windows 10 from 1607. Similarly, Linux is complicated. In some cases, the learn.microsoft.com pages just say Windows 10 with no specific information about versions. You may also find some features are in preview mode. If in doubt, ask me or look up the docs.
- For the most part, I have gone by what the docs say. If there are conflicting docs, I go with the most conservative option (looking at you, Device Control, which has conflicting info about Windows Server support). Why point this out? For example, my friend Rudy Ooms has previously pointed out that some ASR rules apply on OSs that aren’t officially listed in Microsoft’s docs (this was before the unified solution became available). The point is: the docs don’t always reflect what really works. I’ve stuck to the docs because if you ever need support, that’s what you’ll have to help. In some cases, the docs say nothing about the OS version required, so I’ve had to figure it out myself or make a presumption based on other information (the new MDVM capabilities are a good example of this).
- If you notice any errors or have suggestions for improvement, let me know!
You can download it below.
Or check it out in this (probably compressed and squashed) image below.