Best efforts have been taken to keep this accurate, but Microsoft’s documentation is imperfect and the information is spread across multiple doc sets.
Legend
| Symbol | Meaning |
|---|---|
| ✓ | Supported on all currently supported versions of that OS in the current Microsoft documentation (unless otherwise noted) |
| 1709+ (version value) | Minimum OS version/build explicitly called out in the current Microsoft documentation |
| Preview | Documented by Microsoft as preview support, not general availability |
| (blank) | Not supported or not documented as supported |
| License | Meaning |
|---|---|
| P1+P2+MDB | Available in Microsoft Defender for Endpoint Plan 1, Plan 2, and Microsoft Defender for Business |
| P2+MDB | Available in Microsoft Defender for Endpoint Plan 2 and Microsoft Defender for Business |
| P1+P2 | Available in Microsoft Defender for Endpoint Plan 1 and Plan 2, but not Microsoft Defender for Business |
| P2 | Requires Microsoft Defender for Endpoint Plan 2 and isn’t currently documented for Microsoft Defender for Business |
| Add-on | Requires the Microsoft Defender Vulnerability Management add-on or Microsoft Defender for Servers license |
Current support notes
- Windows 7 SP1 and Windows Server 2008 R2 require 64-bit (x64) architecture.
- Windows Server 2012 R2 and Windows Server 2016 support shown here depends on the modern unified solution where Microsoft documents that requirement.
- macOS support is limited to the three most recent major releases; as of April 2026 that means macOS 26 (Tahoe), macOS 15 (Sequoia), and macOS 14 (Sonoma).
- Mobile support currently requires Android 11.0+ and iOS/iPadOS 16.0+.
- In Defender for Business, Windows Server and Linux support assumes the relevant server entitlement where Microsoft requires it (for example Defender for Business servers or Defender for Servers).
- Some Defender for Business capabilities rely on Intune or Jamf for policy delivery even when the feature itself is included.
- Advanced hunting in this matrix means the built-in Microsoft Defender portal experience. Defender for Business can export raw data by using the streaming API, but that isn’t the same entitlement.
- Blank cells are intentional and reflect unsupported or not-currently-documented support at this matrix granularity.
Feature Comparison
Attack surface reduction
| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ASR rules | ||||||||||||||
| Block abuse of exploited vulnerable signed drivers | Protect against vulnerable signed drivers that allow kernel access and system compromise. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block Adobe Reader from creating child processes | Prevents payloads breaking out of Adobe Reader. | P1+P2+MDB | 1809+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block all Office applications from creating child processes | Prevents Word, Excel, PowerPoint, OneNote, and Access creating child processes. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block credential stealing from LSASS | Prevents untrusted processes accessing LSASS directly. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block executable content from email client and webmail | Prevents Outlook and popular webmail providers launching scripts or executable files. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | Using cloud-delivered protection, block executables depending on various reputational metrics. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block execution of potentially obfuscated scripts | Identifies and blocks script obfuscation with suspicious properties. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block JavaScript or VBScript from launching downloaded executable content | Prevents JavaScript or VBScript fetching and launching executables. | P1+P2+MDB | 1709+ | ✓ | ✓ | |||||||||
| Block Office applications from creating executable content | Prevents the Office suite from saving executable content to disk. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block Office applications from injecting code into other processes | Prevent attempts to migrate code into another process in Word, Excel, and PowerPoint. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block Office communication applications from creating child processes | In Outlook and other supported Office communication apps, prevent child processes being created. | P1+P2+MDB | 1809+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block persistence through WMI event subscription | Prevent C2 abuse of WMI to attain device persistence. | P1+P2+MDB | 1903+ | ✓ | ✓ | |||||||||
| Block process creations originating from PSExec and WMI commands | Prevents PSExec or WMI created processes from running, as is common in lateral movement techniques. Not compatible with Configuration Manager. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block rebooting machine in Safe Mode | Prevents commands such as bcdedit and bootcfg from restarting a device into Safe Mode. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block untrusted and unsigned processes that run from USB | Executable files on USB drives or SD cards are prevented from executing unless trusted or signed. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block use of copied or impersonated system tools | Blocks executable files identified as copies or impostors of Windows system tools. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Block Webshell creation for Servers | For the Exchange server role only, block web shell script creation. | P1+P2+MDB | ✓ | ✓ | ✓ | |||||||||
| Block Win32 API calls from Office macros | Protects against Office VBA Win32 API calls, mostly found in legacy macros. | P1+P2+MDB | 1709+ | ✓ | ✓ | |||||||||
| Use advanced protection against ransomware | Using cloud-delivered protection heuristics, if a lower reputation file resembles ransomware and has not been signed, it is blocked. | P1+P2+MDB | 1803+ | ✓ | ✓ | ✓ | ✓ | |||||||
| ASR rules in warn mode if supported by rule | Allow users to override ASR blocked events. Microsoft currently documents warn mode support on Windows 10 version 1809 or later. | P1+P2+MDB | 1809+ | |||||||||||
| Exploit protection | Successor to Enhanced Mitigation Experience Toolkit (EMET) with protection against over twenty exploit types. | P1+P2 | 1709+ | ✓ | ✓ | |||||||||
| Web protection | Web threat protection and web content filtering. Linux support is currently documented as preview. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ AMD64 | |||||
| Network protection | Extends web threat and custom network indicator enforcement beyond Microsoft browsers to OS traffic and supported third-party browsers. Linux support is currently documented as preview. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ AMD64 | |||||
| Controlled folder access | Ransomware protection where protected folders are specified, and only allow-listed applications may make modifications to them. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Device control – removable storage protection | Block the use of unauthorised removable storage media based on properties such as vendor ID, serial number, or device class. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Device control – removable storage access control | Audit and control read/write/execute operations on removable storage media based on properties similar to removable storage protection. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Device control – device installation | Control the installation of specific devices, e.g. block all except allowed or vice-versa. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Device control – printer protection | Block the use of unauthorised print devices based on vendor ID and product ID. | P1+P2+MDB | 1809+ |
Endpoint protection platform
| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft Defender Antivirus (MDAV) / Next-Generation Protection | Core antimalware engine that provides behaviour-based, heuristic, and real-time AV protection; powers next-generation protection features in addition to standard signature-based detections. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| System Centre Endpoint Protection (SCEP) / Microsoft Antimalware for Azure (MAA) | Down-level operating systems do not have the modern built-in antivirus platform, however Microsoft’s antimalware platform is still available through channels such as SCEP and MAA. | P1+P2+MDB | ✓ | ✓ | ✓ | Only if not using unified agent | ||||||||
| Preventative antivirus (not “next-generation protection”) | Traditional antivirus protection on down-level platforms that do not run the modern MDAV next-generation client. | P1+P2+MDB | ✓ | ✓ | ✓ | |||||||||
| Block at first sight | Block execution for up to 60 seconds while cloud reputation is checked for executables carrying mark-of-the-web metadata. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Cloud-delivered protection | Sends metadata to the cloud protection service to determine if a file is safe based on machine learning and Intelligent Security Graph. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Tamper protection | Blocks uninstallation and other defense-evasion techniques on supported desktop and server platforms. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Tamper protection for exclusions | Extends tamper protection to MDAV exclusions but only if DisableLocalAdminMerge is enabled, the device is Intune/ConfigMgr managed, and exclusions are managed by Intune. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Contextual file and folder exclusions | Refine the scope of exclusions by controlling how they apply based on scan type, trigger, process, and/or file/folder. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Potentially unwanted app protection | Blocks software that isn’t necessarily malicious but is otherwise undesirable, such as advertising injectors and cryptominers. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Passive mode | If third-party endpoint protection is also running, the antimalware engine doesn’t provide preventative real-time protection but can still scan on-demand and be supplemented by EDR in block mode. | P1+P2+MDB | ✓ Automatic | ✓ Manual | ✓ Manual | ✓ Manual | ✓ Manual | ✓ Manual | ||||||
| Custom file indicators | Custom block or allow controls on the endpoint based on file hashes and supported certificate/file indicators. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Custom network indicators | Custom block or allow controls based on public IPs, URLs, and domains. On mobile, Microsoft currently documents URL/domain indicators only. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ AMD64 | URL/domain only | URL/domain only | |||
| Windows Defender Firewall with Advanced Security (WFAS) | Control the inbound and outbound network traffic allowed on the device based on the type of network connected, as well as other controls such as IPsec. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
| Troubleshooting mode | Instead of excluding a device from tamper protection to test problems, troubleshooting mode allows temporary local admin overrides and diagnostic collection. | P1+P2 | 21H2+ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Performance mode | For Dev Drive, reduce the performance hit real-time protection has by performing scans asynchronously rather than synchronously. | P1+P2+MDB | Win 11 | |||||||||||
| Host firewall reporting | Dedicated reporting available in the Microsoft Defender portal about inbound, outbound, and app-based connections. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Custom data collection | Expand the default telemetry collection scope to support specialised threat hunting and security monitoring needs. | P2 | Preview | Preview | Preview | Preview | Preview |
Investigation and response
| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Alerts | Detected threats or potential malicious activity that should be reviewed, presented with a story, affected assets, and details. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Incidents | Aggregation of alerts with the same attack techniques or attributed to the same attacker. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Device groups | Control RBAC permissions to devices and alerts, auto-remediation levels, and web content filtering. One device belongs to one group. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Device tags | Create logical group affiliation for filtering, reporting, and automatic device group membership. One device can have many tags. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Advanced hunting | Kusto query language (KQL) based tool for exploration of raw data across Microsoft Defender, including custom detection rules. Data collection is supported on all platforms below except Android and iOS. | P2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| EDR in block mode | Remediates malicious artifacts in post-breach detections, including if third-party AV is in use and MDAV is in passive mode. | P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Automated investigation and response (AIR) | Uses inspection algorithms based on security analyst processes to examine and take configurable remedial action. | P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ |
File response actions
| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Stop and quarantine file | Stop any running processes and quarantine the file, unless signed by Microsoft. | P1+P2 | 1703+ | ✓ | ✓ | ✓ | ✓ | |||||||
| Automatically collect file for deep analysis | Executes the file in a cloud environment and reports on behaviours such as contacted IPs, files created on disk, and registry modifications. | P2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Download quarantined file | Download a zipped version of a file quarantined by Microsoft Defender Antivirus if it was collected under your sample submission policy. | P2 | 1703+ |
Device response actions
| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Run antivirus scan | Initiates a full or quick scan even if the device is in passive mode. | P1+P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | 101.98.84+ | 101.98.84+ | |||||
| Restrict app execution | Implements a code-integrity policy limiting files to those signed by Microsoft. | P2 | 1709+ | ✓ | ✓ | |||||||||
| Isolate from the network (full) | Limits network connectivity on the endpoint to only the Defender for Endpoint service. | P1+P2+MDB | 1703+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Isolate from the network (selective) | Limits network connectivity on the endpoint to Defender for Endpoint and selected Microsoft 365 communication apps. | P1+P2+MDB | 1703+ | ✓ | ✓ | ✓ | ✓ | 101.98.84+ | ||||||
| Forcibly release from isolation | Download a device-unique release script from the portal to end device isolation locally, for devices that have become unresponsive while isolated. Requires Windows 10 21H2 or Windows 11 21H2 with specific KBs. | P2+MDB | 21H2+ | |||||||||||
| Isolation exclusions | Designate applications or processes that maintain network connectivity while the device is isolated. Package Family Name (PFN) exclusion type requires Win 10 22H2+, Win 11 22H2+, or Win Svr 2025. | P1+P2 | 1703+ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Contain device from the network | Block inbound and outbound communication with an unmanaged MDE-discovered device; enforcement is applied by onboarded devices running Windows 10 or Windows Server 2019+. | P2 | ✓ | ✓ | ✓ | |||||||||
| Contain IP addresses | Automatically block inbound and outbound communications with an IP address associated with an undiscovered or non-onboarded device via automatic attack disruption. Enforcement is documented on onboarded devices running Windows 10, Windows 11, WS2012 R2, or WS2016. Currently in preview. | P2 | Preview | Preview | Preview | |||||||||
| Contain user from the network | Blocks an identity on onboarded devices from inbound risky traffic such as RPC, SMB, and RDP. Currently triggered automatically only, via automatic attack disruption or predictive shielding. | P2+MDB | Sense 8740+ | ✓ | ✓ | ✓ | ✓ | |||||||
| GPO hardening | Temporarily prevents new Group Policy Objects from being applied to a high-risk device as part of predictive shielding. Currently in preview. | P2 | Preview | Preview | Preview | |||||||||
| Safeboot hardening | Enforces stricter boot settings on a high-risk device as part of predictive shielding. Currently in preview. | P2 | Preview | Preview | Preview | |||||||||
| Live response | Establishes a remote shell connection to the endpoint to collect forensics, run scripts, analyse threats, and threat hunt. | P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Live response library management | Centralised view to upload, manage, and review the scripts and files available for use in live response sessions. | P2+MDB | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Collect an investigation package | Builds a zip file with forensic information such as installed programs, autoruns, processes, SMB sessions, and system info. | P2 | 1703+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Microsoft Defender Vulnerability Management
Features in this section are now accessible via Exposure Management in the Microsoft Defender portal.
| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| OS vulnerabilities | Informs MDVM recommendations and weaknesses based on operating system vulnerabilities. | P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Software product vulnerabilities | Informs MDVM recommendations and weaknesses based on individual software vulnerabilities; not limited to Microsoft apps. | P2+MDB | ✓ | ✓ | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| OS configuration assessment | Informs MDVM recommendations based on system settings for the OS itself. | P2+MDB | ✓ | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| Software controls configuration assessment | Informs MDVM recommendations based on alignment with control standards. | P2+MDB | ✓ | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| Software product configuration assessment | Informs MDVM recommendations based on app configurations. | P2+MDB | ✓ | 1709+ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| Device discovery | Endpoints passively or actively collect events and extract device information (basic mode) or actively probe observed devices (standard mode; default). This refers to OSs that can perform discovery. | P2+MDB | 1809+ | ✓ | ✓ | |||||||||
| Software usage insights | In the software inventory, find software usage statistics such as median usage over 30 days. | P2+MDB | ✓ | |||||||||||
| Security baseline assessments (add-on license) | Assess devices against security benchmarks such as CIS and STIG. | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Firmware assessments (add-on license) | Informs MDVM recommendations based on hardware and firmware vulnerabilities. Firmware (BIOS) vulnerability assessment is Windows-only; hardware inventory data is collected cross-platform. Note: processor and BIOS data is not reported on macOS devices with M1 or M2 processors. | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Block vulnerable applications (add-on license) | Temporarily block or warn on launch all known vulnerable versions of an application until the remediation request is completed. | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Browser extensions (add-on license) | Report installed browser extensions and their permission risk in the Microsoft Defender inventory page. | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Certificate inventory (add-on license) | Report certificates in the local machine store in the Microsoft Defender inventory page. Windows-only (reads from the local machine certificate store). | Add-on | ✓ | ✓ | ✓ | ✓ | ✓ |
Mobile Threat Defense
Mobile support currently requires Android 11.0+ and iOS/iPadOS 16.0+.
| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft Tunnel | Integration with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. | P1+P2 | ✓ | ✓ | ||||||||||
| Jailbreak / root detection | Detects jailbroken iOS/iPadOS devices and rooted Android devices. Android root detection is currently documented as preview. Defender for Business currently documents jailbreak detection on iOS only. | P1+P2+MDB | Preview | ✓ | ||||||||||
| Mobile application management (MAM) support | Supports Conditional Access and app protection policy risk signals without requiring full MDM enrollment. | P1+P2 | ✓ | ✓ | ||||||||||
| Potentially unwanted or malicious app scanning | Uses signatures and machine learning heuristics to protect against unsafe apps and files. Microsoft currently documents this capability on Android. | P1+P2+MDB | ✓ | |||||||||||
| Phishing protection | Protects against potentially malicious web traffic in browsers, email, apps, and messaging apps. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Privacy controls | Lets admins and end users configure what threat-report data is shared from enrolled or unenrolled devices. | P1+P2 | ✓ | ✓ | ||||||||||
| Optional permissions and disable web protection | Allows reduced mobile permissions and optional disabling of web protection at the cost of protection coverage. | P1+P2 | ✓ | ✓ | ||||||||||
| Mobile network protection | Protection against rogue Wi-Fi and certificate-related network threats on supported mobile platforms. | P1+P2+MDB | ✓ | ✓ |
Onboarding and management
| Feature | Description | License | Win 7 SP1 | Win 8.1 | Win 10/11 | Win Svr 2008 R2 | Win Svr 2012 R2 | Win Svr 2016 | Win Svr 2019/2022 | Win Svr 2025 | macOS | Linux | Android | iOS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Microsoft Monitoring Agent (MMA) required | Windows OSs without EDR capabilities built in require MMA installed with a workspace ID and key specified from the portal. | P1+P2 | ✓ | ✓ | ✓ | Only if not using unified agent | Only if not using unified agent | |||||||
| ‘Unified solution’ agent available | The modern unified solution is available for Windows Server 2012 R2 and 2016, providing the full MDE client stack including EDR on these operating systems. | P1+P2+MDB | ✓ | ✓ | ||||||||||
| Defender deployment tool | Lightweight self-updating onboarding tool that bundles the onboarding package, handles prerequisites, and automates migrations. Windows 7 SP1 and WS2008 R2 receive a limited Defender endpoint security solution (Preview), not full MDE parity. Defender for Business is currently documented for the Linux Server preview only. | P1+P2+MDB | Preview | 1809+ | Preview | ✓ | ✓ | ✓ | ✓ | Preview | ||||
| Security Management for MDE | Manage configuration using Endpoint Manager admin centre without enrolling the device in MDM. Also known as MDE Attach. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Windows Subsystem for Linux (WSL) 2 | Using a plug-in, WSL 2.0.7+ is available in Defender inventory as a Linux device separate from the Windows host. | P2 | Win 10 2004+ / Win 11 | |||||||||||
| Microsoft Defender for Cloud (Microsoft Defender for Servers) | MDE is included as part of the Microsoft Defender for Servers licensing in Defender for Cloud. Using Azure Arc, it can be extended to systems not hosted in Azure. | Add-on | Enterprise Multi-Session | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| Microsoft Intune | Microsoft’s MDM service and can be used for onboarding supported OSs. | P1+P2+MDB | ✓ | ✓ | ✓ | ✓ | ||||||||
| Microsoft Configuration Manager | On-premises endpoint and server management solution. | P1+P2 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Jamf Pro | Alternative MDM for macOS. | P1+P2+MDB | ✓ | |||||||||||
| Puppet / Ansible / Chef | Scalable automation and orchestration platforms for Linux. | P1+P2+MDB | ✓ |