Microsoft Defender for Endpoint

Microsoft Defender for Endpoint (MDE) is an EDR solution, enterprise endpoint security platform  designed to prevent, detect, investigate, and respond to advanced threats. It gives local NHS organisations improved cyber security capabilities. NHS organisations who utilise MDE will benefit from enhanced Cyber Security Operations Centre (CSOC) services, which further improves cyber security protection for the NHS.

MDE relies on network telemetry to be received from endpoints such as laptops, PCs, servers, phones and other MDE supported platforms. This is then fed to Microsoft Cloud Services to assist with the identification and detection of potential indicators of cyber security comprise or attack. It can then take action to address the threat before it can propagate across the IT network.

MDE alerts local system managers and the CSOC to potential security incidents. These alerts provide an NHS wide holistic view of cyber security posture down to an individual device level, in real time. This enables the CSOC to quickly and effectively coordinate the overall NHS response to cyber threats as they emerge minimising disruption to clinical services.

MDE is a matured service deployed to 2.1 million devices (Oct 2023). With new additional capability we are able to identify an additional 305,000 endpoints across the MDE NHS enabled estate. The new capabilities will enable CSOC to monitor shared tenant collaboration workloads for additional protection to the onboarded organisations.

Further reading and learning material for example webinar recordings, documents, guides are hosted on the NHS Futures Platform collaboration site for organisations to access.

To obtain access, please contact [email protected].

The data generated by MDE is designed to be Role Base Access Controlled (RBAC) and as such, is only available to be viewed by locally appointed selected individuals at the organisations that are responsible for the management of the devices, and to ensure that they remain visible to the CSOC.

MDE records cyber security events at an individual endpoint level and the core product is not designed to exfiltrate the contents of files or documents such as patient sensitive records.

As per the 2023 participation agreement, organisations are mandated to onboard all eligible and supported endpoints onto MDE on the NHSmail Shared Tenant. Failure to comply may result in the provision of centrally procured licences and your licensing agreement being reviewed. Please review the participation agreement your organisation signed or alternatively contact [email protected].

NHS England provides local MDE enabled organisations with support to assist with deployment and ongoing specialist maintenance of the environment. This includes delivery of new features, knowledge sharing, guidance specific to the NHS, and full break fix support with the purpose of minimising workload for local organisations who can then benefit from prioritising cyber security initiatives whilst using the MDE service.

Joining the MDE service is mandatory, funding for centrally provided Microsoft licensing is only available to your organisation if you join. The deadline for eligible NHS organisations to agree to participate has now passed. Please contact [email protected] if you wish to check your organisation’s status. 

The MDE user group workspace located on the NHS Futures Platform is for specialist owners, managers and technicians responsible for delivery of the MDE application in organisations across the NHS.

Members can access key resources from NHS England, share peer-to-peer expertise and experience as well as viewing the latest news and updates on the MDE service.

To join the MDE user group, please contact [email protected].

Open the expanders below to find out how this service aligns to the principles and outcomes of the Cyber Assessment Framework (CAF).