Remote procedure call (RPC) is a protocol that allows functions implemented in a separate process, and potentially on a remote machine, to be called as if they were local; it is commonly abused by attackers. Many core Windows and Active Directory capabilities are built on or make use of RPC, which makes it…
Microsoft Defender for Endpoint
Enterprise endpoint security included with Microsoft 365
Overview
Microsoft Defender for Endpoint is an enterprise EDR solution built into Windows and available for macOS, Linux, iOS, and Android. For organisations on M365 Business Premium or above, it's included at no extra cost, making it the default security baseline for UK SMBs.
Why Use It
For the majority of UK SMBs already on M365, Defender for Endpoint is the right starting point. It provides solid baseline protection, integrates natively with your existing stack, and adds no incremental cost if you're on Business Premium.
Why Not
If you operate in a high-risk sector or face sophisticated adversaries, Defender alone may not be sufficient. Many security teams layer CrowdStrike or SentinelOne on top of Defender for enhanced detection.
Pros & Cons
Pros
- Included in M365 Business Premium — excellent value
- Tight integration with Intune, Entra ID, and Sentinel
- Automatic attack disruption (ransomware containment)
- No additional agent required on Windows devices
- Microsoft Secure Score gives actionable security posture metrics
Cons
- Detection capabilities trail CrowdStrike and SentinelOne for sophisticated threats
- Alert noise can be high without tuning
- Portal (Defender XDR) has a steep learning curve
- macOS/Linux coverage is less mature than Windows
- Requires Plan 2 for full EDR features (often needs E5 licensing)
How to Get the Most Out of It
- Enable Attack Surface Reduction (ASR) rules progressively — start in audit mode to avoid breaking workflows
- Use Threat and Vulnerability Management (TVM) to prioritise patching by actual exploitability
- Configure automated investigation and remediation to reduce analyst workload on routine alerts
- Integrate with Microsoft Sentinel for SIEM correlation across your entire M365 estate
- Use Defender for Business (SMB-optimised) if you're under 300 seats for a simpler management experience
AI: What's New
What's New in Microsoft Defender for Endpoint
- **Enhanced Detection & Response Capabilities** – RPC activity monitoring gives you visibility into a common attack vector, while predictive shielding now proactively stops ransomware before it executes. Selective response actions let you isolate critical assets without disrupting your entire environment, reducing false positive overhead.
- **Improved Security Posture Visibility** – New "effective settings" show you exactly which security configurations are actually enforced on devices (not just intended), and Secure Boot status assessment helps you identify firmware-level vulnerabilities. This closes gaps between policy and reality on your endpoints.
- **Better Device Management & Onboarding** – Library management streamlines how you organize detection rules and playbooks, while transparent onboarding now handles both modern and legacy Windows devices with clearer setup workflows, reducing deployment friction across heterogeneous environments.
Latest News
Modern ransomware attacks are increasingly designed to blend in with normal IT operations, using trusted administrative tools to quietly weaken defenses and distribute malicious payloads at scale. In a recent real‑world incident, a human‑operated ransomware actor attempted to do exactly that by abus…
Deploying Microsoft Defender on high-value assets (HVAs) such as domain controllers, ADFS servers, and other Tier-0 systems requires a thoughtful approach to balance strong protection with operational stability. Given the powerful response capabilities available, organizations often seek greater co…
Understanding the Secure Boot certificate challenge
Secure Boot is a foundational security feature that validates the integrity of your device's boot process, ensuring only trusted software can run during system startup. This protection has been quietly defending enterprise devices since 2012, but t…
See exactly which security configurations are enforced on your device
Security teams spend significant time defining policies for Microsoft Defender security settings. But when it comes to investigations or troubleshooting, the real question is often simple: what is currently being enforced on this …
Onboarding all devices in your estate is paramount for strong security posture. In fact, Microsoft Threat Intelligence research shows that in the majority of ransomware attacks, the spreader machine was a device that was not yet onboarded. But customers often struggle to follow complex steps that di…
In dynamic investigation environments, preparation and agility are key. Security analysts working with live response in Microsoft Defender often rely on scripts and tools to triage, investigate, and remediate threats. Until now, these assets had to be uploaded during active sessions, limiting manage…
This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attackers during active attacks: Predictive shielding: Defender is the first security solution to not only …