# Overview

Microsoft Defender for Endpoint (MDE) is an enterprise endpoint detection and response (EDR) platform that provides preventative protection, post-breach detection, automated investigation, and response capabilities. The CLI tools let administrators manage real-time protection, run scans, configure exclusions, collect diagnostic data, and interact with the EDR sensor from the command line. On Windows, management is primarily through PowerShell cmdlets and MpCmdRun.exe; on macOS and Linux, the mdatp command-line tool provides equivalent functionality.

MDE integrates with the Microsoft 365 Defender portal for centralized management, threat analytics, and automated investigation and remediation (AIR). The endpoint sensor collects behavioral signals, process telemetry, network connections, file operations, and registry changes, and forwards them to the cloud for analysis. Advanced hunting with KQL (Kusto Query Language) enables proactive threat hunting across the entire endpoint fleet. The CLI tools are essential for troubleshooting sensor connectivity, managing local policies, and performing incident response actions on individual endpoints.
# Installation

## Windows (Built-in with Windows 10/11)

```powershell
# Check Defender status
Get-MpComputerStatus
# Update definitions
Update-MpSignature
# MpCmdRun.exe location
# C:\Program Files\Windows Defender\MpCmdRun.exe
# Onboard to MDE (requires onboarding package from Security Center)
# Download onboarding script from security.microsoft.com
.\WindowsDefenderATPLocalOnboardingScript.cmd
```
## Linux

```bash
# RHEL/CentOS 8+: register the Microsoft repo and its signing key, then install
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/8/prod.repo
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo yum install -y mdatp
# Ubuntu/Debian: add the repo list and the signing key
curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/22.04/prod.list
sudo mv microsoft.list /etc/apt/sources.list.d/
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc >/dev/null
sudo apt update
sudo apt install mdatp
# Onboard with the package downloaded from the portal, then confirm org_id is populated
sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py
sudo mdatp health --field org_id
```
## macOS

```bash
# Install via Homebrew (or deploy .pkg from Microsoft)
brew install --cask microsoft-defender-atp
# Or download from Microsoft 365 admin portal
# Run the onboarding package from the portal, then confirm org_id is populated
sudo /usr/local/bin/mdatp health --field org_id
```
# Core Commands — Windows

## PowerShell Cmdlets

| Command | Description |
|---|---|
| Get-MpComputerStatus | Show Defender status and configuration |
| Get-MpThreat | List detected threats |
| Get-MpThreatDetection | Show threat detection history |
| Update-MpSignature | Update malware definitions |
| Start-MpScan -ScanType QuickScan | Run quick scan |
| Start-MpScan -ScanType FullScan | Run full system scan |
| Start-MpScan -ScanPath "C:\Users" | Scan specific path |
| Set-MpPreference -DisableRealtimeMonitoring $false | Enable real-time protection |
| Add-MpPreference -ExclusionPath "C:\Dev" | Add path exclusion |
| Remove-MpPreference -ExclusionPath "C:\Dev" | Remove path exclusion |
```powershell
# Full status check
Get-MpComputerStatus | Select-Object AntivirusEnabled, AMServiceEnabled,
    AntispywareEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled,
    NISEnabled, OnAccessProtectionEnabled, RealTimeProtectionEnabled
# Check definitions age
Get-MpComputerStatus | Select-Object AntivirusSignatureAge,
    AntivirusSignatureLastUpdated, AntivirusSignatureVersion
# List all exclusions
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
# Scan specific file
Start-MpScan -ScanPath "C:\Users\Public\Downloads\suspicious.exe"
# Review threat history
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 20
```
## MpCmdRun.exe

```powershell
# Quick scan
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1
# Full scan
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
# Custom scan
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Suspect\"
# Update signatures
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
# Remove definitions and revert
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
# Collect diagnostic data
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles
# Check cloud connectivity
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
# Submit file for analysis
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -SubmitSamples -Path "C:\suspect\malware.exe"
```
# Core Commands — Linux / macOS (mdatp)

## Health and Status

| Command | Description |
|---|---|
| mdatp health | Show full health status |
| mdatp health --field real_time_protection_enabled | Check specific field |
| mdatp health --field org_id | Show organization ID |
| mdatp health --field definitions_status | Check definition status |
| mdatp version | Show version information |
| mdatp connectivity test | Test cloud connectivity |

```bash
# Full health check
sudo mdatp health
# Check specific health fields
sudo mdatp health --field healthy
sudo mdatp health --field licensed
sudo mdatp health --field engine_version
sudo mdatp health --field definitions_updated
```
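Fleet scripts usually wrap these health checks in a pass/fail gate rather than reading the fields by eye. The script below is an added example, not part of this page or of Microsoft's tooling: it parses the `key : value` listing that `mdatp health` prints, checks the fields listed above together with the definitions age, and exits non-zero when the sensor is unlicensed, not onboarded, running with real-time protection off or in passive mode, or carrying stale definitions. The function names, the 24-hour definition-age limit and both sample listings are assumptions constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the page or from Microsoft): gate a Linux/macOS host on the
# fields that `mdatp health` prints. Input is the plain-text "key : value" listing the
# command emits; the two samples at the bottom are constructed, not captured output.

MAX_DEFINITION_AGE_MIN=1440   # assumption: definitions older than a day fail the gate

# mde_field KEY - print one field from the listing on stdin, with surrounding quotes stripped.
mde_field() {
    awk -v key="$1" -F' *: *' '$1 == key { v = $2; gsub(/^"|"$/, "", v); print v; exit }'
}

# mde_health_gate - read `mdatp health` output on stdin, print each failed check,
# return 0 when the sensor is in an acceptable state and 1 otherwise.
mde_health_gate() {
    listing=$(cat)
    failures=0
    mde_check() {   # mde_check LABEL ACTUAL EXPECTED
        if [ "$2" != "$3" ]; then
            echo "FAIL: $1 is '$2' (expected '$3')"
            failures=$((failures + 1))
        fi
    }
    mde_check healthy                      "$(printf '%s\n' "$listing" | mde_field healthy)" true
    mde_check licensed                     "$(printf '%s\n' "$listing" | mde_field licensed)" true
    mde_check real_time_protection_enabled "$(printf '%s\n' "$listing" | mde_field real_time_protection_enabled)" true
    mde_check passive_mode_enabled         "$(printf '%s\n' "$listing" | mde_field passive_mode_enabled)" false
    mde_check cloud_enabled                "$(printf '%s\n' "$listing" | mde_field cloud_enabled)" true
    mde_check definitions_status           "$(printf '%s\n' "$listing" | mde_field definitions_status)" up_to_date
    org=$(printf '%s\n' "$listing" | mde_field org_id)
    if [ -z "$org" ]; then
        echo "FAIL: org_id is empty (sensor not onboarded)"
        failures=$((failures + 1))
    fi
    age=$(printf '%s\n' "$listing" | mde_field definitions_updated_minutes_ago)
    if [ -z "$age" ] || [ "$age" -gt "$MAX_DEFINITION_AGE_MIN" ]; then
        echo "FAIL: definitions are ${age:-unknown} minutes old (limit $MAX_DEFINITION_AGE_MIN)"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Constructed sample of a well-configured sensor (layout follows `mdatp health`).
GOOD_HEALTH='healthy                                     : true
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
cloud_enabled                               : true
passive_mode_enabled                        : false
real_time_protection_enabled                : true
definitions_updated_minutes_ago             : 120
definitions_status                          : "up_to_date"'

# Constructed sample of a sensor switched to passive mode, RTP off, definitions three days old.
BAD_HEALTH='healthy                                     : false
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
cloud_enabled                               : true
passive_mode_enabled                        : true
real_time_protection_enabled                : false
definitions_updated_minutes_ago             : 4320
definitions_status                          : "too_old"'

# On a real host: sudo mdatp health | mde_health_gate
if printf '%s\n' "$GOOD_HEALTH" | mde_health_gate; then echo "good sample: PASS"; fi
if ! printf '%s\n' "$BAD_HEALTH" | mde_health_gate; then echo "bad sample: blocked"; fi
```

The gate treats passive mode as a failure on purpose: a sensor that still reports `healthy` can be contributing telemetry while doing no blocking, which is exactly the state a reviewer wants surfaced rather than hidden behind a green health field.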
## Scanning

```bash
# Quick scan
sudo mdatp scan quick
# Full scan
sudo mdatp scan full
# Custom path scan
sudo mdatp scan custom --path /home/user/downloads/
# Check scan status
sudo mdatp scan list
```
## Threat Management

```bash
# List detected threats (the id column feeds the commands below)
sudo mdatp threat list
# Get threat details
sudo mdatp threat get --id <threat-id>
# Quarantine threat
sudo mdatp threat quarantine add --id <threat-id>
# Restore quarantined file to a chosen folder
sudo mdatp threat quarantine restore --id <threat-id> --path /original/path
# List quarantined items
sudo mdatp threat quarantine list
```
## Exclusions

```bash
# Add path exclusion
sudo mdatp exclusion folder add --path /var/lib/docker/
# Add file exclusion
sudo mdatp exclusion file add --path /opt/app/data.db
# Add extension exclusion
sudo mdatp exclusion extension add --name .log
# Add process exclusion
sudo mdatp exclusion process add --name nginx
# List exclusions
sudo mdatp exclusion list
# Remove exclusion
sudo mdatp exclusion folder remove --path /var/lib/docker/
```
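Exclusions are the most common way a Defender deployment is quietly weakened, and a "high CPU" ticket is where broad ones tend to get added. The script below is an added example, not code from this page or from Microsoft: it reviews a proposed list of exclusions in the four `mdatp exclusion <kind> add` forms shown above and flags the ones a reviewer should push back on (whole roots and download folders, wildcard file paths, code-bearing extensions, name-only process exclusions). The rule lists, function names and the sample request list are assumptions constructed for the example, not product defaults.

```shell
#!/bin/sh
# Added example (not the page's or Microsoft's code): review proposed mdatp exclusions
# before applying them. Each input line is "<kind> <value>", kind being folder, file,
# extension or process, matching `mdatp exclusion <kind> add`. The rule lists below are
# assumptions about what a reviewer should reject.

# Broad or user-writable roots that should never be excluded wholesale (assumption).
BROAD_FOLDERS='/ /tmp /var/tmp /home /root /var /opt /usr /Users /Applications'

# Extensions that carry code; excluding them blinds the scanner to payloads (assumption).
CODE_EXTENSIONS='.exe .dll .sh .py .pl .ps1 .jar .so .dylib .js'

# mde_exclusion_check KIND VALUE - print a warning and return 1 if the exclusion is risky.
mde_exclusion_check() {
    kind=$1; value=$2
    case "$kind" in
        folder)
            norm=${value%/}; [ -z "$norm" ] && norm=/   # strip trailing slash, keep bare "/"
            for root in $BROAD_FOLDERS; do
                if [ "$norm" = "$root" ]; then
                    echo "WARN: folder exclusion '$value' covers a broad or user-writable root"; return 1
                fi
            done
            case "$norm" in
                */Downloads|*/Desktop) echo "WARN: folder exclusion '$value' is a user download area"; return 1;;
            esac
            ;;
        file)
            case "$value" in
                *\**) echo "WARN: file exclusion '$value' uses a wildcard; prefer an exact path"; return 1;;
            esac
            ;;
        extension)
            for ext in $CODE_EXTENSIONS; do
                if [ "$value" = "$ext" ]; then
                    echo "WARN: extension exclusion '$value' disables scanning of code files"; return 1
                fi
            done
            ;;
        process)
            case "$value" in
                /*) ;;   # full path: acceptable
                *) echo "WARN: process exclusion '$value' is name-only; any binary with that name inherits it"; return 1;;
            esac
            ;;
        *) echo "WARN: unknown exclusion kind '$kind'"; return 1;;
    esac
    return 0
}

# mde_exclusion_audit - read "kind value" lines on stdin, print warnings, return 1 if any.
mde_exclusion_audit() {
    risky=0
    while read -r kind value; do
        [ -z "$kind" ] && continue
        case "$kind" in '#'*) continue;; esac
        mde_exclusion_check "$kind" "$value" || risky=$((risky + 1))
    done
    echo "risky exclusions: $risky"
    [ "$risky" -eq 0 ]
}

# Constructed review queue: the kind of list a team sends over after a "high CPU" ticket.
PROPOSED='folder /var/lib/docker/
file /opt/app/data.db
folder /home/
extension .log
extension .sh
process nginx
process /usr/sbin/nginx
folder /home/alice/Downloads'

# Real use: save the requested exclusions in a file and run  mde_exclusion_audit < requests.txt
if ! printf '%s\n' "$PROPOSED" | mde_exclusion_audit; then echo "review required before applying"; fi
```

Name-only process exclusions are flagged even though `mdatp exclusion process add --name` accepts them: an exclusion keyed on a file name applies to any executable that happens to carry that name, whereas the `--path` form ties it to one binary on disk.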
# Configuration

## Real-Time Protection

```bash
# Enable/disable real-time protection (Linux/macOS)
sudo mdatp config real-time-protection --value enabled
sudo mdatp config real-time-protection --value disabled
# Configure cloud protection level
sudo mdatp config cloud --value enabled
sudo mdatp config cloud-block-level --value normal # normal, moderate, high, high_plus, zero_tolerance
# Set the network protection enforcement level
sudo mdatp config network-protection enforcement-level --value audit # disabled, audit, block
# Enable PUA protection (set as a threat policy, not a config value)
sudo mdatp threat policy set --type potentially_unwanted_application --action block
```
## EDR Configuration

```powershell
# Windows: Configure EDR in block mode
Set-MpPreference -EnableEDRInBlockMode $true
# Configure sample submission
Set-MpPreference -SubmitSamplesConsent 1 # 0=AlwaysPrompt, 1=Safe, 2=Never, 3=All
# Enable network protection
Set-MpPreference -EnableNetworkProtection Enabled # Disabled, Enabled, AuditMode
# Configure attack surface reduction rules
Add-MpPreference -AttackSurfaceReductionRules_Ids "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" `
    -AttackSurfaceReductionRules_Actions Enabled
# Enable controlled folder access
Set-MpPreference -EnableControlledFolderAccess Enabled
```
# Advanced Usage

## Diagnostic Collection

```bash
# Linux/macOS: Create diagnostic bundle
sudo mdatp diagnostic create --path /tmp/mde-diag
# Check sensor connectivity
sudo mdatp connectivity test
```

```powershell
# Windows: Collect client analyzer data
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles
# Output: C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab
```

## Live Response (via Security Portal)

```powershell
# Isolate machine
# Done via API or Security Center portal
# Collect investigation package
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles
```

```text
# Live Response commands in portal:
getfile <path>
putfile <source> <destination>
run <script>
processes
connections
registry
```
# Advanced Hunting KQL Examples

```kql
// Find suspicious PowerShell execution (=~ makes the file-name match case-insensitive)
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-encoded", "bypass", "hidden")
| project Timestamp, DeviceName, ProcessCommandLine
| order by Timestamp desc

// Detect lateral movement attempts: repeated successful SMB/RPC/WinRM connections per device and target
DeviceNetworkEvents
| where RemotePort in (445, 135, 5985, 5986)
| where ActionType == "ConnectionSuccess"
| summarize ConnectionCount = count() by DeviceName, RemoteIP
| where ConnectionCount > 10
```
# Troubleshooting

| Issue | Solution |
|---|---|
| Sensor not onboarded | Verify onboarding script ran successfully, check mdatp health --field org_id |
| Definitions out of date | Run mdatp definitions update or Update-MpSignature |
| Real-time protection disabled | Re-enable with mdatp config real-time-protection --value enabled |
| Cloud connectivity failure | Run mdatp connectivity test, check proxy and firewall rules |
| High CPU usage | Add exclusions for known-safe paths, check mdatp diagnostic create |
| Service not starting (Linux) | Check systemctl status mdatp, verify license with mdatp health --field licensed |
| Scan stuck or not completing | Cancel with mdatp scan cancel and retry, check disk space |
| False positive detections | Submit to Microsoft via portal, add temporary exclusion |