Defender for Endpoint: Core Setup
Microsoft Defender for Endpoint is the eyes and ears on every device. Learn how to configure advanced features, rules settings, and custom data collection to get the most out of MDE.
What is Defender for Endpoint?
Think of Defender for Endpoint (MDE) as a bodyguard on every device.
Your laptop, your server, your phone β each one has a sensor watching for suspicious behaviour. A weird process running at 3 AM? The bodyguard notices. A script trying to download something from a known-bad website? Blocked.
But a bodyguard needs instructions. You configure advanced features (what the bodyguard is allowed to do), rules settings (when to escalate vs ignore), and custom data collection (what extra intelligence to gather).
MDE is one of the core products in the SC-200 exam. You will see it in detection, investigation, and response questions across all three domains.
Advanced features
Advanced features are platform-wide toggles in the Defender portal that enable or restrict MDE capabilities. Each toggle affects all onboarded devices.
| Feature | What It Does | Default |
|---|---|---|
| Automated investigation | Automatically investigates alerts and takes remediation actions | Enabled |
| Live response | Opens a remote shell to investigate devices in real-time | Disabled β must enable |
| Live response unsigned script execution | Allows running unsigned PowerShell scripts via live response | Disabled β security risk |
| Web content filtering | Blocks access to websites by category (adult, gambling, etc.) | Disabled |
| Device discovery | Finds unmanaged devices on the network | Enabled |
| Custom network indicators | Block/allow specific URLs, domains, and IP addresses | Disabled |
| Tamper protection | Prevents users and malware from disabling Defender | Enabled |
| Show user details | Displays Entra ID user info in alerts and investigations | Enabled |
| Endpoint DLP | Enables data loss prevention on endpoints | Disabled β requires Purview licence |
Exam tip: live response is OFF by default
The exam tests whether you know that live response must be explicitly enabled before analysts can use it. If a question describes an analyst unable to start a live response session, check whether the advanced feature is toggled on.
Unsigned script execution is a separate toggle and even more restrictive β it is only needed when running custom remediation scripts that are not signed.
Rules settings
Rules settings control how MDE handles specific indicators, web categories, and automation behaviours.
Indicators
Indicators are IOCs (indicators of compromise) that you define to block or allow specific:
- File hashes (SHA-256, SHA-1, MD5)
- IP addresses
- URLs and domains
- Certificates
When MDE encounters a matching indicator, it takes the configured action: Block, Allow, Alert, or Warn.
Scenario: Elena blocks a malicious domain
Elena at Atlas Bank receives threat intelligence that a domain evil-payments.com is being used in a phishing campaign targeting financial institutions.
She creates a URL indicator in MDE:
- Type: URL
- Value:
evil-payments.com - Action: Block and alert
- Scope: All devices
Any Atlas Bank device that tries to access this domain is immediately blocked, and an alert appears in Defender XDR. Elena also adds the domain as a threat indicator in Sentinel for cross-correlation.
Web content filtering
Web content filtering blocks access to websites by category rather than by specific URL. Categories include: Adult content, High bandwidth (streaming), Legal liability, Leisure, and Uncategorized.
This works alongside indicators β indicators are precise (specific URLs), while web content filtering is broad (entire categories).
Automation folder exclusions
Paths that automated investigation should skip during remediation. Used for:
- Temporary folders used by build systems
- Folders containing legitimate security tools that trigger false positives
- Paths used by line-of-business applications
Custom data collection
Beyond standard telemetry, MDE supports additional data collection for advanced scenarios:
- Custom detection rules β save Advanced Hunting queries as automated detections that generate alerts on schedule (covered in detail in Module 9)
- Device discovery β passive scanning finds unmanaged devices on your network
- Connected apps β third-party integrations can send data through the MDE API
For the exam, the key concept is that MDEβs telemetry can be extended beyond its defaults through configuration. The most exam-relevant extension is custom detection rules, which turn hunting queries into always-on monitoring.
Scenario: Tyler's custom telemetry
Tyler at CipherStack writes a custom detection that triggers when a developer machine connects to an IP address in a known-bad ASN. Standard MDE telemetry captures the connection, but Tyler wants additional context β which process initiated the connection and what command-line arguments it used.
He configures enhanced telemetry on the developer device group to capture extended process creation events, including full command-line logging. This data feeds into the DeviceProcessEvents table in Advanced Hunting.
Elena at Atlas Bank needs to prevent all devices from accessing a known phishing domain. She also wants an alert when any device attempts to reach it. What should she configure?
Tyler needs developers at CipherStack to see full command-line arguments in Advanced Hunting queries for process creation events. What should he configure?
Next up: MDE is configured. Now letβs harden your endpoints with Attack Surface Reduction rules and security policies β the proactive defense layer.