Skip to main content

Microsoft Defender for Endpoint

Until 31 March 2028, NHS trusts, integrated care boards, commissioning support units, NHS arms-length bodies and the Department for Health and Social Care (DHSC) are eligible for a range of centrally funded licences including Microsoft Defender For Endpoint (MDE). This allows organisations to save money, reduce potential vulnerabilities and increase cyber resilience. 

Microsoft Defender for Endpoint (MDE)

Microsoft Defender for Endpoint (MDE) is an EDR solution, enterprise endpoint security platform  designed to prevent, detect, investigate, and respond to advanced threats. It gives local NHS organisations improved cyber security capabilities. NHS organisations who utilise MDE will benefit from enhanced Cyber Security Operations Centre (CSOC) services, which further improves cyber security protection for the NHS.

MDE relies on network telemetry to be received from endpoints such as laptops, PCs, servers, phones and other MDE supported platforms. This is then fed to Microsoft Cloud Services to assist with the identification and detection of potential indicators of cyber security comprise or attack. It can then take action to address the threat before it can propagate across the IT network.

MDE alerts local system managers and the CSOC to potential security incidents. These alerts provide an NHS wide holistic view of cyber security posture down to an individual device level, in real time. This enables the CSOC to quickly and effectively coordinate the overall NHS response to cyber threats as they emerge minimising disruption to clinical services.

MDE is a matured service deployed to 2.1 million devices (Oct 2023). With new additional capability we are able to identify an additional 305,000 endpoints across the MDE NHS enabled estate. The new capabilities will enable CSOC to monitor shared tenant collaboration workloads for additional protection to the onboarded organisations.

Further reading and learning material for example webinar recordings, documents, guides are hosted on the NHS Futures Platform collaboration site for organisations to access.

To obtain access, please contact [email protected].


Data security and governance

The data generated by MDE is designed to be Role Base Access Controlled (RBAC) and as such, is only available to be viewed by locally appointed selected individuals at the organisations that are responsible for the management of the devices, and to ensure that they remain visible to the CSOC.

MDE records cyber security events at an individual endpoint level and the core product is not designed to exfiltrate the contents of files or documents such as patient sensitive records.


Joining the MDE service

As per the 2023 participation agreement, organisations are mandated to onboard all eligible and supported endpoints onto MDE on the NHSmail Shared Tenant. Failure to comply may result in the provision of centrally procured licences and your licensing agreement being reviewed. Please review the participation agreement your organisation signed or alternatively contact [email protected].

NHS England provides local MDE enabled organisations with support to assist with deployment and ongoing specialist maintenance of the environment. This includes delivery of new features, knowledge sharing, guidance specific to the NHS, and full break fix support with the purpose of minimising workload for local organisations who can then benefit from prioritising cyber security initiatives whilst using the MDE service.

Joining the MDE service is mandatory, funding for centrally provided Microsoft licensing is only available to your organisation if you join. The deadline for eligible NHS organisations to agree to participate has now passed. Please contact [email protected] if you wish to check your organisation’s status. 


MDE user group workspace

The MDE user group workspace located on the NHS Futures Platform is for specialist owners, managers and technicians responsible for delivery of the MDE application in organisations across the NHS.

Members can access key resources from NHS England, share peer-to-peer expertise and experience as well as viewing the latest news and updates on the MDE service.

To join the MDE user group, please contact [email protected].


Contact us

For further information regarding Microsoft licensing queries please contact [email protected].

For further information regarding MDE onboarding guidance queries please contact [email protected].

For further information regarding cyber security queries please contact [email protected].


How this service aligns with the Cyber Assessment Framework

Open the expanders below to find out how this service aligns to the principles and outcomes of the Cyber Assessment Framework (CAF).

Objective A: Managing security risk

A1.b Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.

A2.a Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.

A3.a Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).

Objective B: Defending systems against cyber attack

B1.b You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.

B2.d You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function.

B4.b You securely configure the network and information systems that support the operation of essential functions.

B4.d You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function.

Objective C: Detecting cyber security events

C1.a The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.

C1.b You hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.

C1.c Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.

C1.d You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.

C2.a You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.

C2.b You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.

Objective D: Minimising the impact of cyber security incidents

D2.a When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.

Last edited: 30 November 2023 5:13 pm