- Best efforts have been taken to keep this accurate, but Microsoft’s documentation is imperfect and the information is spread across multiple doc sets.
- Would love feedback and currently looking at ways to make this work over GitHub to submit changes.

Legend

| Symbol | Meaning |
|---|---|
| ✓ | Supported on all currently supported versions of that OS in the current Microsoft documentation (unless otherwise noted) |
| 1709+ (version value) | Minimum OS version/build explicitly called out in the current Microsoft documentation |
| Preview | Documented by Microsoft as preview support, not general availability |
| (blank) | Not supported or not documented as supported |

| License | Meaning |
|---|---|
| P1 | MDE Plan 1, generally licensed using Microsoft 365 E3; lacks the EDR components |
| P2 | MDE Plan 2, generally licensed using Microsoft 365 E5, Defender Suite, or standalone |
| MDB | Defender for Business, licensed using Microsoft 365 Business Premium |
| Add-on | Requires additional licensing such as the Microsoft Defender Vulnerability Management add-on |

Current support notes

- Windows 7 SP1 and Windows Server 2008 R2 require 64-bit (x64) architecture.
- Windows Server 2012 R2 and Windows Server 2016 support shown here depends on the modern unified solution where Microsoft documents that requirement.
- macOS support is limited to the three most recent major releases; as of April 2026 that means macOS 26 (Tahoe), macOS 15 (Sequoia), and macOS 14 (Sonoma).
- Mobile support currently requires Android 11.0+ and iOS/iPadOS 16.0+.
- In Defender for Business, Windows Server and Linux support assumes the relevant server entitlement where Microsoft requires it (for example Defender for Business servers or Defender for Servers).

Feature Comparison

Attack surface reduction

| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ASR rules | ||||||||||||||
| Block abuse of exploited vulnerable signed drivers | Protect against vulnerable signed drivers that allow kernel access and system compromise. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block Adobe Reader from creating child processes | Prevents payloads breaking out of Adobe Reader. | P1+P2+MDB | 1809+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block all Office applications from creating child processes | Prevents Word, Excel, PowerPoint, OneNote, and Access creating child processes. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block credential stealing from LSASS | Prevents untrusted processes accessing LSASS directly. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block executable content from email client and webmail | Prevents Outlook and popular webmail providers launching scripts or executable files. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | Using cloud-delivered protection, block executables depending on various reputational metrics. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block execution of potentially obfuscated scripts | Identifies and blocks script obfuscation with suspicious properties. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block JavaScript or VBScript from launching downloaded executable content | Prevents JavaScript or VBScript fetching and launching executables. | P1+P2+MDB | 1709+ | ✓ | ✓ | |||||||||
| Block Office applications from creating executable content | Prevents the Office suite from saving executable content to disk. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block Office applications from injecting code into other processes | Prevent attempts to migrate code into another process in Word, Excel, and PowerPoint. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block Office communication applications from creating child processes | In Outlook and other supported Office communication apps, prevent child processes being created. | P1+P2+MDB | 1809+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block persistence through WMI event subscription | Prevent C2 abuse of WMI to attain device persistence. | P1+P2+MDB | 1903+ | ✓ | ✓ | |||||||||
| Block process creations originating from PSExec and WMI commands | Prevents PSExec or WMI created processes from running, as is common in lateral movement techniques. Not compatible with Configuration Manager. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block rebooting machine in Safe Mode | Prevents commands such as bcdedit and bootcfg from restarting a device into Safe Mode. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block untrusted and unsigned processes that run from USB | Executable files on USB drives or SD cards are prevented from executing unless trusted or signed. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block use of copied or impersonated system tools | Blocks executable files identified as copies or impostors of Windows system tools. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block Webshell creation for Servers | For the Exchange server role only, block web shell script creation. | P1+P2+MDB | ✓ | ✓ | ✓ | |||||||||
| Block Win32 API calls from Office macros | Protects against Office VBA Win32 API calls, mostly found in legacy macros. | P1+P2+MDB | 1709+ | |||||||||||
| Use advanced protection against ransomware | Using cloud-delivered protection heuristics, if a lower reputation file resembles ransomware and has not been signed, it is blocked. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| ASR rules in warn mode if supported by rule | Allow users to override ASR blocked events. Microsoft currently documents warn mode support on Windows 10 version 1809 or later and Windows Server version 1809 or later. | P1+P2+MDB | 1809+ | ✓ | ✓ | |||||||||
| Exploit protection | Successor to Enhanced Mitigation Experience Toolkit (EMET) with protection against over twenty exploit types. | P1+P2 | 1709+ | ✓ | ✓ | |||||||||
| Web protection | Web threat protection and web content filtering. Linux support is currently documented as preview. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ AMD64 | |||||
| Network protection | Extends web threat and custom network indicator enforcement beyond Microsoft browsers to OS traffic and supported third-party browsers. Linux support is currently documented as preview. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ AMD64 | |||||
| Controlled folder access | Ransomware protection where protected folders are specified, and only allow-listed applications may make modifications to them. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Device control – removable storage protection | Block the use of unauthorised removable storage media based on properties such as vendor ID, serial number, or device class. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Device control – removable storage access control | Audit and control read/write/execute operations on removable storage media based on properties similar to removable storage protection. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Device control – device installation | Control the installation of specific devices, e.g. block all except allowed or vice-versa. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Device control – printer protection | Block the use of unauthorised print devices based on vendor ID and product ID. | P1+P2+MDB | 1809+ |

Endpoint protection platform

| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft Defender Antivirus (MDAV) / Next-Generation Protection | Core antimalware engine that provides behaviour-based, heuristic, and real-time AV protection; powers next-generation protection features in addition to standard signature-based detections. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| System Center Endpoint Protection (SCEP) / Microsoft Antimalware for Azure (MAA) | Down-level operating systems do not have the modern built-in antivirus platform; however, Microsoft’s antimalware platform is still available through channels such as SCEP and MAA. | P1+P2+MDB | ✓ | ✓ | ✓ | Only if not using unified agent | ||||||||
| Preventative antivirus (not “next-generation protection”) | Traditional antivirus protection on down-level platforms that do not run the modern MDAV next-generation client. | P1+P2+MDB | ✓ | ✓ | ✓ | |||||||||
| Block at first sight | Block execution for up to 60 seconds while cloud reputation is checked for executables carrying mark-of-the-web metadata. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Cloud-delivered protection | Sends metadata to the cloud protection service to determine if a file is safe based on machine learning and Intelligent Security Graph. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Tamper protection | Blocks uninstallation and other defense-evasion techniques on supported desktop and server platforms. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Tamper protection for exclusions | Extends tamper protection to MDAV exclusions when Defender platform 4.18.2211.5+ is installed, DisableLocalAdminMerge is enabled, Sense is enabled, the device is Intune-only or Configuration Manager-only managed (not co-managed), and exclusions are managed by Intune or Configuration Manager. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Contextual file and folder exclusions | Refine the scope of exclusions by controlling how they apply based on scan type, trigger, process, and/or file/folder. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Potentially unwanted app protection | Blocks software that isn’t necessarily malicious but is otherwise undesirable, such as advertising injectors and cryptominers. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Passive mode | If third-party endpoint protection is also running, the antimalware engine doesn’t provide preventative real-time protection but can still scan on-demand and be supplemented by EDR in block mode. On Windows client, this is entered automatically when a Microsoft Virus Initiative-eligible antimalware product is installed, registered with Windows Security Center through private APIs, and reported as the primary antivirus/antimalware solution. | P1+P2+MDB | ✓ Automatic | ✓ Manual | ✓ Manual | ✓ Manual | ✓ Manual | ✓ Manual | ✓ Manual | |||||
| Custom file indicators | Custom block or allow controls on the endpoint based on file hashes and supported certificate/file indicators. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Custom network indicators | Custom block or allow controls based on public IPs, URLs, and domains. On mobile, Microsoft currently documents URL/domain indicators only. Linux support is currently documented as preview. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Preview AMD64 | URL/domain only | URL/domain only | |||
| Windows Defender Firewall with Advanced Security (WFAS) | Control the inbound and outbound network traffic allowed on the device based on the type of network connected, as well as other controls such as IPsec. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
| Troubleshooting mode | Instead of excluding a device from tamper protection to test problems, troubleshooting mode allows temporary local admin overrides and diagnostic collection. | P1+P2 | 21H2+ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Performance mode | For Dev Drive, reduce the performance hit real-time protection has by performing scans asynchronously rather than synchronously. | P1+P2+MDB | Win 11 | |||||||||||
| Host firewall reporting | Dedicated reporting available in the Microsoft Defender portal about inbound, outbound, and app-based connections. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Defender app/platform update channels | Control Defender platform, engine, app, or package update rollout using supported update rings or channels. Windows supports platform and engine channels; macOS uses Microsoft AutoUpdate Beta/Preview/Current; Linux uses insiders-fast/insiders-slow/prod repositories and production package rollout is gradual. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Security intelligence update channels | Control daily security intelligence update rollout on Windows using Staged, Broad, or default channels. This is separate from app/platform update channels. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Offline security intelligence updates | Update security intelligence from a local network source or mirror for devices with limited or no internet access. Windows uses update source/fallback order such as WSUS, Configuration Manager, UNC share, Microsoft Update, or MMPC; macOS and Linux use a mirror server and managed offlineDefinitionUpdate configuration. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Custom data collection | Expand the default telemetry collection scope to support specialised threat hunting and security monitoring needs. | P2 | Preview | Preview | Preview |

Investigation and response

| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Alerts | Detected threats or potential malicious activity that should be reviewed, presented with a story, affected assets, and details. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Incidents | Aggregation of alerts with the same attack techniques or attributed to the same attacker. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Device groups | Control RBAC permissions to devices and alerts, auto-remediation levels, and web content filtering. One device belongs to one group. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Device tags | Create logical group affiliation for filtering, reporting, and automatic device group membership. One device can have many tags. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Advanced hunting | Kusto query language (KQL) based tool for exploration of raw data across Microsoft Defender, including custom detection rules. Advanced hunting in this matrix means the built-in Microsoft Defender portal experience. Defender for Business can export raw data by using the streaming API, but that isn’t the same entitlement. | P2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| EDR in block mode | Remediates malicious artifacts in post-breach detections, including if third-party AV is in use and MDAV is in passive mode. | P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Automated investigation and response (AIR) | Uses inspection algorithms based on security analyst processes to examine and take configurable remedial action. Windows Server 2012 R2 and Windows Server 2016 are currently documented as preview and require the unified agent. | P2+MDB | 1709+ | Preview | Preview | ✓ | ✓ |

File response actions

| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Stop and quarantine file | Stop any running processes and quarantine the file, unless signed by Microsoft. | P1+P2 | 1703+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Automatically collect file for deep analysis | Executes the file in a cloud environment and reports on behaviours such as contacted IPs, files created on disk, and registry modifications. | P2 | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Download quarantined file | Download a zipped version of a file quarantined by Microsoft Defender Antivirus if it was collected under your sample submission policy. | P2 | 1703+ | ✓ | ✓ | ✓ |

Device response actions

| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Run antivirus scan | Initiates a full or quick scan even if the device is in passive mode. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | 101.98.84+ | 101.98.84+ | |||||
| Restrict app execution | Implements a code-integrity policy limiting files to those signed by Microsoft. | P2 | 1709+ | ✓ | ✓ | |||||||||
| Isolate from the network (full) | Limits network connectivity on the endpoint to only the Defender for Endpoint service. | P1+P2+MDB | 1703+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Isolate from the network (selective) | Limits network connectivity on the endpoint to Defender for Endpoint and selected Microsoft 365 communication apps. | P1+P2+MDB | 1703+ | ✓ | ✓ | ✓ | ✓ | 101.98.84+ | ||||||
| Forcibly release from isolation | Download a device-unique release script from the portal to end device isolation locally, for devices that have become unresponsive while isolated. Requires Windows 10 21H2 or Windows 11 21H2 with specific KBs. | P2+MDB | 21H2+ | |||||||||||
| Isolation exclusions | Designate applications or processes that maintain network connectivity while the device is isolated. Package Family Name (PFN) exclusion type requires Win 10 22H2+, Win 11 22H2+, or Win Svr 2025. | P1+P2 | 1703+ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Contain device from the network | Block inbound and outbound communication with an unmanaged MDE-discovered device; enforcement is applied by onboarded devices running Windows 10 or Windows Server 2019+. | P2 | ✓ | ✓ | ✓ | |||||||||
| Contain IP addresses | Automatically block inbound and outbound communications with an IP address associated with an undiscovered or non-onboarded device via automatic attack disruption. Enforcement is documented on onboarded devices running Windows 10, Windows 11, WS2012 R2, or WS2016. Currently in preview. | P2 | Preview | Preview | Preview | |||||||||
| Contain user from the network | Blocks an identity on onboarded devices from inbound risky traffic such as RPC, SMB, and RDP. Currently triggered automatically only, via automatic attack disruption or predictive shielding. | P2+MDB | Sense 8740+ | ✓ | ✓ | ✓ | ✓ | |||||||
| GPO hardening | Temporarily prevents new Group Policy Objects from being applied to a high-risk device as part of predictive shielding. Currently in preview. | P2 | Preview | Preview | Preview | |||||||||
| Safeboot hardening | Enforces stricter boot settings on a high-risk device as part of predictive shielding. Currently in preview. | P2 | Preview | Preview | Preview | |||||||||
| Live response | Establishes a remote shell connection to the endpoint to collect forensics, run scripts, analyse threats, and threat hunt. | P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Live response library management | Centralised view to upload, manage, and review the scripts and files available for use in live response sessions. | P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Collect an investigation package | Builds a zip file with forensic information such as installed programs, autoruns, processes, SMB sessions, and system info. | P2 | 1703+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

Microsoft Defender Vulnerability Management

Features in this section are now accessible via Exposure Management in the Microsoft Defender portal.

| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| OS vulnerabilities | Informs MDVM recommendations and weaknesses based on operating system vulnerabilities. | P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Software product vulnerabilities | Informs MDVM recommendations and weaknesses based on individual software vulnerabilities; not limited to Microsoft apps. | P2+MDB | ✓ | ✓ | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| OS configuration assessment | Informs MDVM recommendations based on system settings for the OS itself. | P2+MDB | ✓ | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| Software controls configuration assessment | Informs MDVM recommendations based on alignment with control standards. | P2+MDB | ✓ | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| Software product configuration assessment | Informs MDVM recommendations based on app configurations. | P2+MDB | ✓ | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| Device discovery | Endpoints passively or actively collect events and extract device information (basic mode) or actively probe observed devices (standard mode; default). This refers to OSs that can perform discovery. | P2+MDB | 1809+ | ✓ | ✓ | |||||||||
| Software usage insights | In the software inventory, find software usage statistics such as median usage over 30 days. | P2+MDB | ✓ | |||||||||||
| Security baseline assessments (add-on license) | Assess devices against security benchmarks such as CIS and STIG. CIS benchmarks are documented for Windows Server 2008 R2 and above, while STIG benchmarks are documented for Windows 10 and Windows Server 2019. | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Firmware assessments (add-on license) | Informs MDVM recommendations based on hardware and firmware vulnerabilities. Firmware (BIOS) vulnerability assessment is Windows-only; hardware inventory data is collected cross-platform. Note: processor and BIOS data is not reported on macOS devices with M1 or M2 processors. | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Block vulnerable applications (add-on license) | Temporarily block or warn on launch all known vulnerable versions of an application until the remediation request is completed. | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Browser extensions (add-on license) | Report installed browser extensions and their permission risk in the Microsoft Defender inventory page. | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Certificate inventory (add-on license) | Report certificates in the local machine store in the Microsoft Defender inventory page. Windows-only (reads from the local machine certificate store). | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ |

Mobile Threat Defense

Mobile support currently requires Android 11.0+ and iOS/iPadOS 16.0+.

| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft Tunnel | Integration with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. | P1+P2 | ✓ | ✓ | ||||||||||
| Jailbreak / root detection | Detects jailbroken iOS/iPadOS devices and rooted Android devices. Android root detection is currently documented as preview. Defender for Business currently documents jailbreak detection on iOS only. | P1+P2+MDB | Preview | ✓ | ||||||||||
| Mobile application management (MAM) support | Supports Conditional Access and app protection policy risk signals without requiring full MDM enrollment. | P1+P2 | ✓ | ✓ | ||||||||||
| Potentially unwanted or malicious app scanning | Uses signatures and machine learning heuristics to protect against unsafe apps and files. Microsoft currently documents this capability on Android. | P1+P2+MDB | ✓ | |||||||||||
| Phishing protection | Protects against potentially malicious web traffic in browsers, email, apps, and messaging apps. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Privacy controls | Lets admins and end users configure what threat-report data is shared from enrolled or unenrolled devices. | P1+P2 | ✓ | ✓ | ||||||||||
| Optional permissions and disable web protection | Allows reduced mobile permissions and optional disabling of web protection at the cost of protection coverage. | P1+P2 | ✓ | ✓ | ||||||||||
| Mobile network protection | Protection against rogue Wi-Fi and certificate-related network threats on supported mobile platforms. | P1+P2+MDB | ✓ | ✓ |

Onboarding and management

| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft Monitoring Agent (MMA) required | Windows OSs without EDR capabilities built in require MMA installed with a workspace ID and key specified from the portal. | P1+P2 | ✓ | ✓ | ✓ | Only if not using unified agent | Only if not using unified agent | |||||||
| ‘Unified solution’ agent available | The modern unified solution is available for Windows Server 2012 R2 and 2016, providing the full MDE client stack including EDR on these operating systems. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Defender deployment tool | Lightweight self-updating onboarding tool that bundles the onboarding package, handles prerequisites, and automates migrations. Windows 7 SP1 and WS2008 R2 receive a limited Defender endpoint security solution (Preview), not full MDE parity. | P1+P2+MDB | Preview | 1809+ | Preview | ✓ | ✓ | ✓ | ✓ | Preview | ||||
| Security Management for MDE | Manage configuration using Endpoint Manager admin centre without enrolling the device in MDM. Also known as MDE Attach. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Effective settings | In the device page, view the actual AV security settings, ASR rules, and exclusions enforced on a device, including effective value, source, last report time, and configuration attempts that did not take effect. Currently documented for Windows platform AV settings. | P2 | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Windows Subsystem for Linux (WSL) 2 | Using a plug-in, WSL 2.0.7+ is available in Defender inventory as a Linux device separate from the Windows host. | P2 | Win 10 2004+ / Win 11 | |||||||||||
| Microsoft Defender for Cloud (Microsoft Defender for Servers) | MDE is included as part of the Microsoft Defender for Servers licensing in Defender for Cloud. Using Azure Arc, it can be extended to systems not hosted in Azure. | Add-on | Enterprise Multi-Session | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Microsoft Intune | Microsoft’s MDM service, which can be used for onboarding supported OSs. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ||||||||
| Microsoft Configuration Manager | On-premises endpoint and server management solution. | P1+P2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Jamf Pro | Alternative MDM for macOS. | P1+P2+MDB | ✓ | |||||||||||
| Puppet / Ansible / Chef | Scalable automation and orchestration platforms for Linux. | P1+P2+MDB | ✓ |