In July, I released v1 of The Big Comparison of Defender for Endpoint Features by Operating System (or, what I think is much catchier, TBCMDEFOS).  This was a “matrix” of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.

Three months later, it’s overdue an update.  So here it is 🙂

The headline news is that, in preview anyway, there’s a bunch of additions to Windows Server 2012 R2 and 2016 thanks to a new agent-based deployment (“unified solution”) that replaces the need for the Microsoft Monitoring Agent and System Center Endpoint Protection.  You now get near feature parity with Windows Server 2019’s security features: ASR rules, next-generation protection, block at first sight, etc.  For a guide on how to get up and running with it, check out my writeup on Petri.

Other changes this time include some clarifications of the Windows 10 feature versions required, updated Linux TVM capabilities, Windows 11 + Server 2022, and collection of files quarantined by Defender Antivirus.

One thing not yet included is info about Plan 1.  ICYMI, Defender for Endpoint is now available in two license plans: 1 and 2.  The short version is that plan 1 excludes EDR, AIR, TVM, and other advanced features outside of MDAV’s features.  What you do get is centralised reporting for MDAV on license SKUs that you never used to, such as Microsoft 365 E3.  It didn’t make this release of the comparison as it’s still in preview and it’s not been easy to find out for sure what’s available at as low a level as I’d like.  It might make v3 of the comparison, or I may leave licensing to the experts.

Next on the to-do list is improved management of this on GitHub, probably in markup format, and also Excel + CSV availability.

Lastly, Ignite is just around the corner so expect more updates then if there are announcements.

And the obligatory disclaimers…

  • This is provided without warranty and only my best effort.  This stuff isn’t always obvious in the documentation, so expect updates to refine accuracy over time.
  • Where I have used a green check to note support, this doesn’t mean all versions of that OS, but it does mean all MDE-supported versions of that OS.  For example, macOS is supported for the three latest versions, and Windows 10 from 1607.
  • For the most part, I have gone by what the docs say.  Why point this out?  For example, my friend Rudy Ooms has previously pointed out that some ASR rules apply on OSs that aren’t officially listed in Microsoft’s docs (this was before the unified solution became available).  The point is: the docs don’t always reflect what really works.  I’ve stuck to the docs because if you ever need support, that’s what you’ll have to go on.  In some cases, the docs say nothing about the OS version required, so I’ve had to figure it out myself or make a presumption based on other information (for example, response actions on Server SAC versions, by looking at the LTSC version supported).
  • If you notice any errors or have suggestions for improvement, let me know!

You can download it below.

Or check it out in this (probably compressed and squashed) image below.

Let me know any feedback you have!