Microsoft Defender for Endpoint (MDE) is a massive platform.  It’s not a single product, and it’s more than just a service.  It’s a platform of tons of security features, portals, services, and controls.  The more you dig in, the more elements of general Microsoft security have been included in the MDE “branding”.  It’s not only endpoint detection and response (EDR), but also Windows 10 security settings.  It’s not just the security software on the device, it’s also ongoing threat and vulnerability management.

As the platform has grown to protect not only Windows clients, but also servers, mobile operating systems, and Linux, what I always struggled to keep track of is what specifically you get for each.  For example, EDR capabilities are now available across Windows, macOS, and Linux – so you’ll see alerts and investigations about potentially malicious activity – but how you respond to these isn’t universal: you don’t get all the response actions or automated investigations for every OS, including older Windows systems.  Additionally, actually getting devices into MDE – what it calls onboarding – differs from OS to OS.

Scattered across tons of official documentation, you can piece all this together.  Credit where it’s due: the Microsoft Docs website is amazing: constantly updating, Wiki-style, and a great level of detail.  Where I think it struggles, and this is not just for MDE, is immediately presenting high-level overviews.  Being a visually-led person, when I start working with new tech, I like diagrams and tables that kind of immediately illustrate to me “hey, here’s what this is, here are the different approaches, and here are some gotchas”.

Inspired in large part by Aaron Dinnage’s m365maps.com, which does this for Microsoft 365 licensing, and Joe Stocker’s blog on MDE for Windows Server, I’ve put together a table/chart/diagram/matrix/thing on all parts of Microsoft Defender for Endpoint, then supportability by OS.  I’m calling it The Big Comparison of Defender for Endpoint Features by Operating System, or TBCMDEFOS.  That part’s inspired by the dude at Microsoft who names stuff.

In this, you’ll find the name of the feature/service, a brief description of it, then OS support.  Some gotchas of my own now:

  • This is my first attempt at this, so it’s “v1” and provided without warranty and only my best effort.  This stuff isn’t always obvious in the documentation, so expect updates to refine accuracy over time.
  • Where I have used a green check to note support, this doesn’t mean all versions of that OS, but it does mean all MDE-supported versions of that OS.  For example, macOS is supported for the three latest versions, and Windows 10 from 1607.
  • For the most part, I have gone by what the docs say.  My friend Rudy Ooms has pointed out that some ASR rules apply on OSs that aren’t officially listed in Microsoft’s docs.  I’ve stuck to the docs because if you ever need support, the docs are what you’ll have to rely on.  In some cases, the docs say nothing about the OS version required, so I’ve had to figure it out myself or make a presumption based on other information (for example, response actions for Server SAC versions, inferred from the LTSC version that is supported).
  • If you notice any errors or have suggestions for improvement, let me know!

You can download it below.  PDF is the best quality.

Or check it out in this (probably compressed and squashed) image below.

Let me know any feedback you have!