
Microsoft Defender for Endpoint: features and plans

Microsoft Defender for Endpoint across Windows 365 and Azure Virtual Desktop: plans, licensing, deployment sequencing, and where Nerdio Manager fits.

Microsoft Defender for Endpoint is Microsoft's enterprise endpoint security platform for preventing, detecting, and responding to threats across physical devices, Cloud PCs, and virtual desktops. It comes in two plans. Plan 1 covers prevention and Plan 2 adds detection, investigation, and response. Defender for Endpoint is a core part of Microsoft Defender XDR.

Defender behaves differently on Cloud PCs than it does on Azure Virtual Desktop session hosts, and both behave differently from physical devices. That split shows up in how devices onboard, when tamper protection can be enabled, how session hosts appear in the portal, and how vulnerabilities surface across a mixed fleet. This guide covers each one alongside plans, licensing, and where Nerdio Manager fits.

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is Microsoft's endpoint security stack for blocking, investigating, and responding to threats from one service. The platform uses device telemetry for investigation and analysis. The telemetry spans process information, network activity, user login events, registry changes, file system changes, and kernel- and memory-manager-level visibility. Plan 2 capabilities such as advanced hunting and endpoint detection and response depend on that telemetry.

Defender for Endpoint is a core part of Microsoft Defender XDR, Microsoft's extended detection and response platform that pulls together signals across endpoints, email, identity, and cloud apps. It's also available as a standalone licensed product. Forrester retired the EDR category in favor of XDR. The market now evaluates endpoint security as part of a broader detection and response stack instead of a siloed capability.

On Gartner Peer Insights, Defender for Endpoint holds a 4.4 out of 5 rating from 1,915 reviews.

Capabilities across Plan 1 and Plan 2

Defender for Endpoint is available as Plan 1 and Plan 2. Plan 1 provides core endpoint protection. Plan 2 adds advanced capabilities for detection, investigation, and response.

What both plans include

Both plans focus on reducing common attack paths and give IT and security teams a baseline set of protections across the endpoint fleet:

  • Antivirus protection blocks malware, ransomware, and phishing threats before execution. It uses AI and machine learning to detect malicious activity and identifies apps considered unsafe even when they don't qualify as malware.
  • Attack surface reduction (ASR) limits entry points for attackers by enforcing security policies. ASR rules fall into two categories: standard protection rules with minimal end-user impact, and additional rules that require a four-phase rollout of plan, test, enable, and operationalize. For large enterprises, Microsoft recommends deploying ASR rules in rings and reusing rings to simplify rollout.
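The test-then-enable step of the four-phase ASR rollout, shown on a single pilot device (Intune does this fleet-wide in production). This is an added example, not Microsoft's or Nerdio's code; the ring definition is constructed for illustration, and the one rule GUID used is Microsoft's "Block all Office applications from creating child processes" rule.

```powershell
# Added example: stage an ASR ring in audit mode, review what it would have
# blocked, then promote it to block mode once the audit period is clean.
# The ring contents below are a constructed example for a first pilot ring.
$Ring1Rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

function Set-AsrRing {
    param(
        [hashtable]$Rules,
        [ValidateSet('AuditMode', 'Enabled')][string]$Mode
    )
    $ids     = @($Rules.Keys)
    $actions = @($ids | ForEach-Object { $Mode })   # one action per rule id, in parallel
    # Add-MpPreference merges with rules already configured; Set-MpPreference
    # would overwrite the whole ASR rule set, which breaks earlier rings.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
    foreach ($id in $ids) { Write-Host "$Mode : $($Rules[$id])" }
}

function Get-AsrRuleHits {
    param([int]$Days = 7)
    # Defender logs 1122 when a rule fires in audit mode and 1121 when it blocks.
    # A busy 1122 count means the rule needs exclusions before promotion.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

Set-AsrRing -Rules $Ring1Rules -Mode AuditMode    # Test phase
Get-AsrRuleHits                                    # Review audit hits before promoting
# Set-AsrRing -Rules $Ring1Rules -Mode Enabled     # Enable phase, once the audit is clean
```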

Both plans also include device control, firewall protection, network protection, web content filtering, and four manual response actions: run antivirus scan, isolate device, stop and quarantine a file, and add an indicator. This baseline response surface is available regardless of which plan a team is licensed for.

What Plan 2 adds

If your team needs to investigate suspicious activity, retain telemetry for deeper analysis, and take more advanced response actions, Plan 2 becomes important. Plan 2 adds:

  • Endpoint detection and response (EDR) delivers full behavioral monitoring with 180 days of data retention, alerts, and actionable insights for investigating suspicious activity across the fleet.
  • Automated investigation and remediation (AIR) reduces repetitive response work without manual intervention. When an investigation runs, new alerts from the same device merge into it, and devices with the same threat may be added automatically. Microsoft's Automatic Attack Disruption contains compromised assets and limits lateral movement, while security teams retain control of the investigation.
  • Advanced hunting lets security analysts query raw telemetry with KQL. Use cases include hunting for phishing chains by joining URL click events with email events, and detecting abnormal AI model usage patterns through the Defender XDR portal.
  • Live Response gives responders remote shell access to endpoints for forensic data collection, script execution, and threat remediation. Unsigned scripts have to be explicitly enabled and aren't turned on by default.
  • Microsoft Threat Experts delivers proactive threat hunting and targeted attack notifications directly from Microsoft's security team.

Together, these capabilities shift Defender for Endpoint from a prevention platform into a full detection and response stack.

Defender for Endpoint across Cloud PCs and virtual desktops

The security architecture for Windows 365, Intune, and Azure Virtual Desktop integrates Entra ID, Intune, Defender, and Windows 11 security features into a unified platform. All endpoints, whether physical devices or Cloud PCs, use a common set of tools. Three operational specifics differ across Microsoft-hosted desktops and most often catch teams off guard: non-persistent VDI onboarding, tamper protection sequencing, and multi-session portal visibility.

Non-persistent VDI onboarding

Non-persistent VDI instances reset or reprovision frequently, which creates an onboarding challenge. The key principle from Microsoft's implementation guide: stage the onboarding scripts in the golden image, but don't onboard the image itself. Microsoft Defender for Endpoint calculates a persistent device ID and onboards early in the boot process.

A few practices minimize onboarding delay on non-persistent VDI. Bake the latest Defender platform, engine, and definitions into the golden image before sysprep. Use the VDI mode onboarding package so each clone gets a clean device ID. Configure Intune's Enrollment Status Page to block user sessions until security profiles are applied. This is a common deployment pattern that ensures Defender policies are in place before first login. Assign policies using Intune's recommended targeting methods, such as All users/All devices with filters, as appropriate for the environment.

Tamper protection sequencing

Tamper protection has a sequencing dependency that can catch teams off guard. Devices have to be onboarded to Microsoft Defender for Endpoint before tamper protection can be enabled or managed. Getting the order wrong means the policy won't apply, even if the rest of the Intune configuration looks correct.
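Two checks that follow from the non-persistent VDI guidance and the tamper protection sequencing above: one to run in the golden image before sysprep, and one to run on a booted clone before assigning tamper protection. This is an added example, not Microsoft's or Nerdio's code. The Startup folder path and the two script names are those Microsoft's VDI onboarding package uses; the maximum definition age is an assumption for this example.

```powershell
# Added example. Assumes the VDI onboarding package was extracted to the
# Group Policy Startup scripts folder as Microsoft's VDI guidance describes.
$StartupDir    = 'C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup'
$AtpStatusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$MaxSigAgeDays = 2   # assumed freshness threshold for baked-in definitions

function Get-OnboardingState {
    # OnboardingState = 1 means the device has completed Defender for Endpoint onboarding.
    (Get-ItemProperty -Path $AtpStatusKey -ErrorAction SilentlyContinue).OnboardingState
}

# Run inside the golden image immediately before sysprep. Returns a list of
# problems; an empty list means the image is ready to capture.
function Test-GoldenImageReady {
    $problems = @()
    $mp = Get-MpComputerStatus

    # 1. Platform, engine and definitions are baked in and recent.
    Write-Host "Platform $($mp.AMProductVersion), engine $($mp.AMEngineVersion), signatures $($mp.AntivirusSignatureVersion)"
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-$MaxSigAgeDays)) {
        $problems += "Definitions last updated $($mp.AntivirusSignatureLastUpdated); update before sysprep"
    }

    # 2. The VDI onboarding scripts are staged so each clone onboards at boot.
    foreach ($f in 'Onboard-NonPersistentMachine.ps1', 'WindowsDefenderATPOnboardingScript.cmd') {
        if (-not (Test-Path (Join-Path $StartupDir $f))) { $problems += "Missing $f in $StartupDir" }
    }

    # 3. The image itself must not be onboarded: stage the scripts, not the enrollment.
    if ((Get-OnboardingState) -eq 1) { $problems += 'Image is already onboarded; offboard before capturing' }

    return $problems
}

# Run on a booted clone. Tamper protection only applies after onboarding has
# completed, so gate the policy assignment on OnboardingState.
function Test-TamperProtectionPrereq {
    $state = Get-OnboardingState
    if ($state -ne 1) {
        Write-Warning "Not yet onboarded (OnboardingState=$state); a tamper protection policy would not apply"
        return $false
    }
    $tp = (Get-MpComputerStatus).IsTamperProtected
    Write-Host "Onboarded; tamper protection is currently $(if ($tp) { 'enabled' } else { 'disabled' })"
    return $true
}
```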

Portal visibility for multi-session hosts

Depending on the onboarding method used, Azure Virtual Desktop multi-session devices can appear as either a single entry or multiple entries in the Defender portal. SOC teams monitoring Azure Virtual Desktop environments need to account for this when investigating alerts and correlating incidents across volatile host pools.

Plan 1 vs. Plan 2: licensing and pricing

Licensing depends heavily on your Microsoft 365 tier. Plan 2 is included in Microsoft 365 E5 (no Teams). Plan 1 is included in Microsoft 365 E3. Separate licensing options are available for both plans, and server protection requires separate licensing through Defender for Servers.

Feature                                  | Plan 1        | Plan 2              | Microsoft 365 E5
---------------------------------------- | ------------- | ------------------- | -------------------
Antivirus protection                     | Included      | Included            | Included
Attack surface reduction                 | Included      | Included            | Included
Device control and firewall              | Included      | Included            | Included
Manual response actions (4 actions)      | Included      | Included            | Included
Endpoint detection and response (EDR)    | Not included  | Included            | Included
Automated investigation and remediation  | Not included  | Included            | Included
Advanced hunting (KQL)                   | Not included  | Included            | Included
Live Response                            | Not included  | Included            | Included
Threat and vulnerability management (full) | Not included | Included           | Included
Microsoft Threat Experts                 | Not included  | Included            | Included
Centralized APIs and configuration       | Included      | Included            | Included
Data retention for investigation         | Limited       | 180 days (6 months) | 180 days (6 months)

The licensing distinction matters for virtual desktop infrastructure environments. Microsoft 365 E3 is an eligible license for Azure Virtual Desktop access rights. Plan 2 features like Live Response, advanced hunting, and automated investigation require Microsoft Defender for Endpoint Plan 2 licensing, which comes via Microsoft 365 E5, Windows Enterprise E5, other qualifying suites, or as a standalone Defender for Endpoint Plan 2 license. Full ASR capabilities are commonly described as requiring Windows Enterprise E3 or E5 licensing.

How deployment and onboarding work

Deployment depends on what your environment already looks like. Microsoft supports four architecture options: cloud-native deployment managed through Microsoft Intune, co-management with Configuration Manager plus Intune, on-premises with Configuration Manager or Active Directory, and evaluation with local onboarding for SOC teams piloting without existing management infrastructure.

Deployment methods vary by environment and platform. Windows clients, server environments, and other supported platforms each have their own onboarding paths.

Mixed-environment deployments often hit a snag with Windows Server and Intune. Server onboarding requires a separate decision tree using Configuration Manager, local scripts, or Defender for Cloud. Microsoft acknowledges what many IT teams already know from experience: diverse OS fleets lead to more onboarding methods.

Strengths, limitations, and operational considerations

The same Microsoft-stack integration that simplifies deployment in homogenous environments also shapes Defender for Endpoint's competitive position. For organizations already running Microsoft 365, Entra ID, and Intune management, identity signals, device compliance data, and threat intelligence are correlated across the stack without third-party connectors.

Honest limitations to consider

Defender for Endpoint is at its best in Microsoft-centric IT environments. If your stack is heavily non-Microsoft, you'll feel the gaps. Advanced features like EDR, automated remediation, and advanced hunting are only available in Plan 2, which means organizations without Plan 2 licensing are limited to foundational prevention capabilities.

On the operational side, security teams should factor platform limitations and update processes into their planning instead of discovering them mid-incident. Tamper protection and strict admin privilege controls should be part of that planning.

Update reliability and safe deployment

Update reliability has become an active evaluation criterion for EDR vendors. Microsoft has published Safe Deployment Practices that address how Defender for Endpoint delivers security updates with graduated rollout controls.

How Nerdio Manager fits in the Microsoft-hosted desktop management layer

The operational work doesn't end when Defender for Endpoint is deployed. For teams managing endpoint security across physical devices, Cloud PCs, and virtual desktops alongside everything else that runs through Intune and Azure, the layer above Defender is where day-to-day time goes.

Nerdio Manager is a cloud desktop management platform for Windows 365, Intune, and Azure Virtual Desktop. It doesn't replace Microsoft Defender for Endpoint. It integrates with Microsoft Intune and Defender to centralize the operational workflows around them.

Centralized vulnerability visibility

Nerdio Manager surfaces vulnerabilities detected by Microsoft Defender for Endpoint in a centralized view across Windows 365 Cloud PCs, Intune-managed endpoints, and Azure Virtual Desktop environments. IT teams can search, sort, and filter vulnerabilities, view exposed devices and affected software, and prioritize remediation without switching between multiple portals. For teams running large Cloud PC and virtual desktop fleets that change frequently, consolidating vulnerability triage reduces the lag between detection and remediation.

Standardized security baselines

A curated policy library sits alongside the vulnerability view. Nerdio Manager provides CIS Hardened Images and policy templates aligned with security best practices across Windows 365, Intune, and Azure Virtual Desktop. Instead of manually creating and maintaining configurations across every tenant or environment, IT teams apply standardized baselines to Cloud PCs and virtual desktops and detect policy drift automatically. In Windows 365 environments specifically, the policy library extends to Intune policy backup and restore, a capability native Intune doesn't offer.

Unified management across Windows 365, Intune, and Azure Virtual Desktop

Defender management sits inside a broader operational workflow across Cloud PCs and virtual desktops. Nerdio Manager consolidates day-to-day operations in one end-user computing console. Instead of bouncing between separate admin portals for Windows 365, Intune, and Azure Virtual Desktop, IT teams centralize image lifecycle management, auto-scaling, Unified Application Management (UAM) across Cloud PCs and session hosts, and environment health recommendations from Nerdio Advisor.

The City of Corona strengthened endpoint security by centralizing Windows 365, Intune, and Azure Virtual Desktop management with Nerdio Manager, giving IT a consolidated approach to endpoint security operations.

Getting started with Microsoft Defender for Endpoint

A few prerequisites have to be in place before deployment. Skipping any of them is a reliable way to generate a support ticket on day one.

  • Licensing. Verify your organization has the appropriate licenses. Plan 1 is included in Microsoft 365 E3. Plan 2 is included in Microsoft 365 E5. Licensing availability may vary by program and bundle.
  • Network configuration. Allow required URLs and IP addresses for communication between endpoints and the Defender cloud service. Microsoft provides proxy guidance for disconnected and proxy-restricted environments.
  • Operating system compatibility. Endpoints must meet minimum OS requirements.
  • Role-based access control. Assign appropriate RBAC permissions to IT administrators. The RBAC model supports globally distributed teams, tiered SOC structures, and fully segregated divisions.

After deployment, configure ASR rules using the ring-based approach Microsoft recommends for enterprises. Enable automated investigation and remediation if you're on Plan 2. Set up integration with Microsoft Sentinel for SIEM-level alert correlation. Defender XDR alerts and incidents synchronize to Sentinel at no additional charge.

For virtual desktop environments, follow the golden image staging process for non-persistent VDI, apply tamper protection in the correct sequence, and map your Windows Autopatch strategy to your ASR rule deployment rings.

Conclusion

Plan selection and licensing bundle determine what Defender for Endpoint gives you in practice. Plan 2 unlocks EDR, advanced hunting, automated investigation, and Live Response. Microsoft 365 E5 covers Plan 2 response actions on Azure Virtual Desktop session hosts where E3 doesn't. Full ASR rule deployment requires Windows Enterprise E3 or E5.

For teams running endpoint security across physical devices, Cloud PCs, and virtual desktops, the operational work extends past deployment itself. Onboarding sequence, policy baselines, portal visibility, and vulnerability triage each behave differently across Microsoft-hosted desktops. Nerdio Manager gives IT teams one console for that management layer across Windows 365, Intune, and Azure Virtual Desktop.

To see how this works in your environment, request a Nerdio Manager demo.