
Microsoft Defender for Endpoint Security Technical Implementation Guide

Version: V1R2

Release Date: Nov 25, 2025

SCAP Benchmark ID: MS_Defender_Endpoint_STIG

Total Checks: 25

Tags: other

Severity breakdown: CAT I: 1, CAT II: 24, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (25)

  • V-272882 (MEDIUM): Microsoft Defender for Endpoint (MDE) must alert administrators on policy violations defined for endpoints.
  • V-272886 (MEDIUM): Roles for use with Microsoft Defender for Endpoint (MDE) must be configured within Entra ID.
  • V-272887 (MEDIUM): Microsoft Defender for Endpoint (MDE) must be configured for a least privilege model by implementing Unified Role-Based Access Control (RBAC).
  • V-272888 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Endpoint Detection and Response (EDR) in block mode.
  • V-272889 (HIGH): Microsoft Defender for Endpoint (MDE) must be connected to a central log server.
  • V-275979 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Automatically Resolve Alerts.
  • V-275980 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Allow or block file.
  • V-275981 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Hide potential duplicate device records.
  • V-275982 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Custom network indicators.
  • V-275983 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Tamper protection.
  • V-275984 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Show user details.
  • V-275985 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Microsoft Defender for Cloud Apps.
  • V-275986 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Web content filtering.
  • V-275987 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Device discovery.
  • V-275988 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Download quarantined files.
  • V-275989 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Live Response.
  • V-275990 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Live Response for Servers.
  • V-275991 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Share endpoint alerts with Microsoft Compliance Center.
  • V-275992 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Microsoft Intune connection.
  • V-275993 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Authenticated telemetry.
  • V-275994 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable File Content Analysis.
  • V-275995 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Memory Content Analysis.
  • V-275996 (MEDIUM): Microsoft Defender for Endpoint (MDE) Discovery Mode must enable Log4j2 detection.
  • V-275997 (MEDIUM): Microsoft Defender for Endpoint (MDE) Discovery Mode must be set to All Devices.
  • V-275998 (MEDIUM): Microsoft Defender for Endpoint (MDE) must enable Full remediation for Device groups.