Last Updated on June 2, 2025 by Arnav Sharma
Microsoft Defender for Endpoint (MDE) is a powerful, cloud-native security platform designed to protect, detect, and respond to modern threats across all major operating systems. While many organisations deploy MDE with default settings, a significant portion of its protection potential remains untapped until certain features are explicitly enabled and configured.
In this post, we'll cover the top five high-impact MDE features every security-conscious organisation should prioritise to strengthen their endpoint defence strategy.
1. Specific Attack Surface Reduction (ASR) Rules
What It Does:
ASR rules block behaviours commonly used by attackers, such as credential theft, malicious scripts, and abuse of Office macros, without relying solely on file-based detection.
Why It Matters:
These rules prevent ransomware, living-off-the-land attacks, and persistence techniques before they even begin to execute. Enabling ASR rules like “Block credential stealing from LSASS” or “Block abuse of exploited signed drivers” can stop threats early in the kill chain.
How to Enable:
Deploy via Microsoft Intune (Endpoint Security > Attack Surface Reduction) or Group Policy. Begin in Audit mode, assess impact, and then shift to Block mode for enforcement.
2. EDR in Block Mode
What It Does:
This feature allows Microsoft Defender for Endpoint to actively block post-breach activity, even if another antivirus product is running as the primary AV.
Why It Matters:
It ensures behavioural detections don't just raise alerts; they stop threats cold. Especially useful in mixed AV environments or during AV migration.
How to Enable:
Enable it from Defender Portal > Settings > Endpoints > Advanced Features. Requires Microsoft Defender Antivirus to be present (even in passive mode) and Plan 2 licensing.
3. Network Protection
What It Does:
Blocks connections to known malicious domains, IPs, and URLs by acting at the network level, effectively cutting off C2 servers and phishing sites.
Why It Matters:
It adds a critical network-layer shield, making it harder for malware to exfiltrate data or download additional payloads. It also unlocks other features like Web Content Filtering and Custom Network Indicators.
How to Enable:
Manage via Intune (ASR policy or Endpoint Protection template), Group Policy, or PowerShell. Be sure to set it to Block mode for full effectiveness.
4. Controlled Folder Access (CFA)
What It Does:
Protects critical folders from unauthorised changes by unknown applications, which is particularly useful against ransomware.
Why It Matters:
Even if malware manages to run, CFA stops it from encrypting or deleting your most important data. It’s your last line of defence against ransomware targeting user documents.
How to Enable:
Start in Audit mode to discover which apps need to be allowed, then roll out in Block mode. Deploy through Intune, Group Policy, or PowerShell.
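The Audit-then-Block rollout described for ASR rules (section 1), Network Protection (section 3) and Controlled Folder Access (section 4) can be applied on a single device with the built-in Defender PowerShell cmdlets. The script below is an added example, not code from the original post: the two ASR GUIDs are the published identifiers of the rules named above (the driver rule's full name is "Block abuse of exploited vulnerable signed drivers"), and the protected-folder and allowed-application paths are placeholders to replace with your own.

```powershell
# Added example: stage the post's ASR, Network Protection and Controlled
# Folder Access settings locally. Run in an elevated session; pass
# -Mode Block once the Audit results have been reviewed.
param(
    [ValidateSet('Audit', 'Block')]
    [string]$Mode = 'Audit'
)

# Set-MpPreference accepts the same keyword for all three features.
$state = if ($Mode -eq 'Block') { 'Enabled' } else { 'AuditMode' }

# ASR rules named in the post (published GUID => rule name).
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}
foreach ($id in $asrRules.Keys) {
    # Add-MpPreference merges with rules already configured instead of replacing them.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $state
    Write-Host "ASR '$($asrRules[$id])' -> $state"
}

# Network Protection (Block mode is also a prerequisite for Web Content Filtering).
Set-MpPreference -EnableNetworkProtection $state

# Controlled Folder Access, plus one extra protected folder and one trusted app.
Set-MpPreference -EnableControlledFolderAccess $state
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'                    # placeholder path
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Apps\Backup\backup.exe'  # placeholder path

# Read back the effective state so the change can be verified before moving on.
$pref = Get-MpPreference
[pscustomobject]@{
    NetworkProtection      = $pref.EnableNetworkProtection        # 0=Off 1=Block 2=Audit
    ControlledFolderAccess = $pref.EnableControlledFolderAccess   # 0=Off 1=Block 2=Audit
    AsrRuleIds             = $pref.AttackSurfaceReductionRules_Ids -join ','
    AsrRuleActions         = $pref.AttackSurfaceReductionRules_Actions -join ','  # 1=Block 2=Audit
}
```

While in Audit mode, the blocked-would-be events appear in the Microsoft-Windows-Windows Defender/Operational event log and in the Defender portal's ASR and CFA reports, which is where the apps needing an allow-list entry are found.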
5. Web Content Filtering (WCF)
What It Does:
Regulates which web content employees can access by category, such as adult sites, gambling, or social media, directly through the MDE platform.
Why It Matters:
Reduces risk exposure, boosts productivity, and helps with compliance, all without additional web proxy tools. Works across major browsers.
How to Enable:
Enable it from Defender Portal > Advanced Features, then configure category-based policies under Web Content Filtering settings. Note: Network Protection must be in block mode first.