Listen to this Post
Introduction:
Microsoft Defender for Endpoint (MDE) capabilities vary significantly across Windows, macOS, Linux, iOS, and Android, creating confusion for security teams trying to standardize protection. Ru Campbell’s newly updated, AI‑friendly comparison (moved from Excel to a live .md file) finally clarifies feature parity, licensing gaps, and deployment nuances—while also revealing how to modernize security documentation using Hugo, Azure Static Web Apps, and GitHub Copilot.
Learning Objectives:
- Compare MDE features side‑by‑side across all supported operating systems, including attack surface reduction, endpoint detection and response (EDR), and threat analytics.
- Differentiate licensing requirements for MDE Plan 1 (P1), Plan 2 (P2), and Defender for Business.
- Deploy the official Defender deployment tool and migrate technical documentation from spreadsheets to a version‑controlled static site with AI assistance.
You Should Know:
1. Decoding Defender for Endpoint Features Per OS
The updated comparison (available at `https://campbell.scot/updated-may-2026-mde-feature-comparison-by-os`) breaks down over 60 capabilities into a markdown table, making it searchable and AI‑parseable. Unlike Microsoft’s fragmented documentation, this resource flags where Linux lacks live response or where macOS misses device control.
Step‑by‑step guide to validate your own MDE posture:
– Windows – Run PowerShell as admin to list enabled MDE sensors:
Get-MpPreference | Select-Object -Property EnableNetworkProtection, EnableControlledFolderAccess, RealTimeScanDirection
Check EDR onboarding status:
Get-MPComputerStatus | Select-Object AntivirusEnabled, AMServiceEnabled, OnboardingState
– Linux – Verify installation and feature set:
sudo mdatp health --field real_time_protection_enabled sudo mdatp configuration --list
– macOS – Use the MDATP CLI:
sudo mdatp health --field edr_early_preview sudo mdatp threat list
Cross‑reference the output with Campbell’s table to identify missing capabilities. For example, Linux lacks live response shell; confirm with `sudo mdatp live_response –help` (returns unavailable on P1).
- Licensing Breakdown: MDE P1 vs P2 vs Defender for Business
Many assume all MDE features are equal. P1 (included with Microsoft 365 E3) offers next‑generation antivirus, firewall, and basic attack surface reduction. P2 (E5) adds EDR, automated investigation, and threat hunting. Defender for Business (for small/medium businesses) is a subset of P2 but lacks advanced hunting and API access.
How to verify your license programmatically:
- Microsoft Graph PowerShell (Windows):
Connect-MgGraph -Scopes "Organization.Read.All" Get-MgSubscribedSku | Select SkuPartNumber, ConsumedUnits -ExpandProperty PrepaidUnits | FT
Look for `MDE_P2`, `DEFENDER_FOR_BUSINESS`, or `M365_E3`.
- Windows Registry (onboarded device):
reg query "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v Version
- Linux/macOS – Check the license tier via MDE CLI:
sudo mdatp health --field license_type
Output `E3` (P1), `E5` (P2), or `Business`.
- Deploying Defender for Endpoint Using the Deployment Tool
Ru mentions the Defender deployment tool (“it’s awesome”). This is the official onboarding script that detects OS, downloads the correct agent, and applies tenant‑specific configuration.
Step‑by‑step deployment across environments:
- Download the tool from the Microsoft 365 Defender portal (Settings → Endpoints → Onboarding).
- Run on Windows (local or via RMM):
Using the onboarding script .\WindowsDefenderATPOnboardingScript.cmd Verify sensor health Get-MPComputerStatus | Select AntivirusEnabled, OnboardingState, AdditionalEventsSet
- Linux deployment (Ubuntu 20.04+):
wget -O mde_installer.sh https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/installation/install_mdatp.sh sudo bash mde_installer.sh --org-id "YOUR_TENANT_ID" --onboarding-token "YOUR_TOKEN" sudo mdatp health --field connected_to_service
- macOS using Intune or manual:
sudo installer -pkg MDE.pkg -target / sudo mdatp health --field licensed --field real_time_protection_enabled
After installation, use the deployment tool’s validation mode: `sudo mdatp diagnostic create –level full` to generate logs.
- Migrating Technical Documentation from Excel to Markdown with GitHub Copilot
Campbell moved from WordPress/Excel to Hugo + Azure Static Web Apps, accelerated by GitHub Copilot. This workflow ensures version control, community contributions, and AI‑friendly formatting.
Step‑by‑step to replicate his migration:
- Convert Excel to Markdown – Use Pandoc or Copilot prompt:
“Convert this CSV export of endpoint features into a markdown table, aligning headers OS, ASR, EDR, Live Response.” - Set up Hugo:
Linux/macOS brew install hugo hugo new site defender-comparison cd defender-comparison git init
- Add theme and content:
hugo new docs/mde-comparison.md Copy converted table into content/docs/mde-comparison.md
- Deploy to Azure Static Web Apps:
Install Azure CLI az login az staticwebapp create --name mde-compare --resource-group rg-docs --source https://github.com/yourrepo/defender-comparison --branch main --app-location "/"
GitHub Copilot can generate the YAML workflow file automatically using the prompt: “Create GitHub Actions workflow to deploy Hugo site to Azure Static Web Apps on push to main.”
- Leveraging GitHub for Community Corrections and Version Control
One key advantage of the static site approach is that readers can report or fix errors natively via GitHub pull requests—no more email ping‑pong.
Workflow for collaborators:
- Fork the repository and clone locally:
git clone https://github.com/YOUR_USERNAME/defender-comparison.git git checkout -b fix-linux-edr
- Edit the .md file with corrections.
- Preview locally:
hugo server -D
Visit `http://localhost:1313` to verify.
- Commit and push:
git add content/docs/mde-comparison.md git commit -m "fix: Linux live response not available in P1" git push origin fix-linux-edr
- Open pull request on GitHub. Owners can merge, and Azure Static Web Apps automatically rebuilds the site.
For administrators, set branch protection rules requiring signed commits or status checks using Copilot‑assisted GitHub CLI:
gh api repos/owner/repo/branches/main/protection --method PUT --field required_status_checks='{"strict":true,"contexts":["continuous-integration"]}'
- AI-Assisted Documentation Maintenance – Copilot Prompts & Best Practices
Campbell notes that GitHub Copilot made the migration “straight forward.” Extend this to ongoing maintenance: use AI to compare Microsoft’s scattered docs against your comparison table.
Example prompts for Copilot Chat:
- “Scan the MDE documentation at https://learn.microsoft.com/en-us/defender-endpoint/linux-edr-capabilities and update the linux column in this table (pasted) for any missing features.”
- “Generate a PowerShell script that checks if the local MDE P2 license supports automated investigation, and output ‘supported’ or ‘not supported’.”
- “Create a GitHub issue template for users to report discrepancies, with checkboxes for OS, feature name, and Microsoft doc link.”
Automated validation script (run weekly in CI):
!/bin/bash Verify that each claimed feature exists in official MSFT docs FEATURES_FILE="features.csv" while IFS=',' read -r os feature; do curl -s "https://learn.microsoft.com/en-us/defender-endpoint/$os-$feature" | grep -qi "supported" || echo "MISSING: $os - $feature" done < $FEATURES_FILE
What Undercode Say:
- Documentation as code is inevitable – Excel and PDFs cannot keep pace with rapidly evolving security products. The move to markdown + static sites + Git enables accuracy, community validation, and AI integration.
- Defender’s cross‑OS parity is a myth – Without a clear comparison, organizations over‑deploy (expecting Linux to behave like Windows) or under‑secure (missing macOS EDR). This open‑source style comparison should be a prerequisite for any MDE rollout.
- AI tools reduce the friction of technical writing – Copilot doesn’t replace domain expertise but excels at transforming bulky spreadsheets into accessible, machine‑readable formats. Security teams must embrace this to keep internal runbooks alive.
Prediction:
Within 18 months, most security product documentation will be hosted as static sites with native AI‑assisted correction workflows. Microsoft will likely release an official “Defender Capabilities Explorer” based on this open‑source pattern, but community‑maintained comparisons will remain more accurate due to real‑world deployment feedback. The role of the security architect will shift from memorizing feature matrices to designing automated validation pipelines that test documentation against live cloud APIs.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Rlcam Microsoftdefender – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
