Microsoft Defender for Business is Microsoft’s endpoint detection and response (EDR) product built specifically for small and mid-sized businesses. It bundles next-generation antivirus, EDR, threat and vulnerability management, attack surface reduction and automated investigation into one licence — enterprise-grade endpoint security at a price an SME can actually justify.
It is not the same as the free Defender that ships with Windows
This is the confusion we untangle most often. Every Windows 10 and Windows 11 machine already includes Microsoft Defender Antivirus — the free, built-in scanner that replaced the old Windows Defender. It is genuinely good antivirus. It catches known malware, runs real-time scanning, and for a home PC it is fine.
Microsoft Defender for Business is a different product that sits on top of that engine. The free antivirus protects a single device and tells that device about a threat. Defender for Business adds the layer enterprises pay for: it collects telemetry from every endpoint into a central portal, correlates suspicious behaviour across your fleet, hunts for attacker activity that signature-based antivirus never sees, and gives someone a console to investigate and respond. Antivirus asks “is this file bad?”. EDR asks “is something bad happening on this network right now, and how did it get in?”.
A small construction firm in Ringwood we onboarded last year had Defender Antivirus on every laptop and assumed they were covered. They were covered against commodity malware. They had no visibility into lateral movement, no record of what a compromised account did after a phishing click, and no way to isolate an infected machine remotely. That gap is exactly what Defender for Business fills.
How you get it: Business Premium or standalone
There are two ways to licence it. The first, and the one most Melbourne SMEs land on, is Microsoft 365 Business Premium. Defender for Business is included in that plan at no extra cost, alongside the Office apps, Exchange Online, Intune device management and conditional access. If you are already paying for Business Premium, you own Defender for Business whether or not anyone has switched it on — which, frustratingly often, nobody has.
The second is the standalone Defender for Business licence, sold per user per month for organisations that do not want the full Business Premium stack. It is capped at 300 users, in line with Microsoft’s SMB licensing ceiling. Above that you move into the enterprise Defender for Endpoint Plan 1 or Plan 2 tiers.
For most businesses under 300 staff, Business Premium is the better value because you get the security plus Intune, conditional access and the rest of the productivity suite for not much more than the standalone security licence alone. We cover what that plan actually includes in our guide to Microsoft 365 support in Melbourne, and we deploy it through our Microsoft 365 service.
What it actually does
Defender for Business is not a single feature — it is five capabilities working together. Here is what each one buys you in practice.
Next-generation antivirus
The same cloud-delivered protection as the enterprise product: behaviour-based detection, machine-learning models and near-instant cloud lookups, rather than just a local signature file. It blocks fileless attacks and never-before-seen malware that traditional antivirus misses, and it updates protection across your fleet from the cloud in minutes.
Endpoint detection and response (EDR)
This is the heart of it. Every endpoint reports process activity, network connections and file changes back to the Microsoft 365 Defender portal. When something looks like an attack — credential dumping, suspicious PowerShell, a process spawning where it shouldn’t — it raises an alert with the full chain of what happened. You can remotely isolate a device from the network, collect an investigation package, or stop and quarantine a file across every machine at once.
Threat and vulnerability management
It continuously inventories the software on your devices and flags known vulnerabilities and misconfigurations, ranked by real-world risk. Instead of guessing which of 40 outstanding updates matters, you get a prioritised list: this unpatched browser is being actively exploited, fix it first. This feeds directly into Essential Eight patching discipline.
Attack surface reduction
A set of rules that close the doors attackers walk through — blocking Office apps from spawning child processes, stopping credential theft from the Windows credential store, controlling which USB devices can mount, and filtering web content. These map almost one-to-one to the application control and macro restrictions in the Essential Eight.
Automated investigation and remediation
When an alert fires, Defender can automatically investigate it the way a junior analyst would — examining the affected device, determining whether the threat is real, and remediating low-risk detections without a human touching it. For a small team with no overnight security staff, this quietly handles a lot of the noise so the genuine incidents are the ones that reach a person.
Onboarding devices: Windows, macOS and mobile
Coverage is not Windows-only, which matters because most Melbourne SMEs run a mix. Windows 10 and 11 onboard cleanly through Intune or a local script and need no extra agent — the sensor is already in the operating system. macOS is supported with a downloadable agent, so the designer’s MacBook in the same office gets EDR too. iOS and Android are covered through the Defender app via Intune, mainly for web protection and phishing defence on phones that touch company email.
In a typical rollout we push the Windows configuration through Intune policy, deploy the macOS agent to the handful of Macs, and enrol mobiles through the company portal. Servers are worth noting: Defender for Business includes a server add-on (Defender for Business servers) licensed per server per month, so the Windows Server running your file shares or line-of-business app gets the same EDR coverage. We handle this fleet-wide as part of managed cybersecurity and managed IT services.
How it maps to the Essential Eight
The Australian Cyber Security Centre (ACSC) Essential Eight is the baseline most Australian SMEs are measured against, especially for cyber-insurance and government-adjacent work. Defender for Business does not deliver all eight on its own, but it directly supports several and gives you the evidence to prove it.
| Essential Eight mitigation | How Defender for Business helps |
|---|---|
| Patch applications | Threat and vulnerability management inventories software and prioritises exploited vulnerabilities |
| Patch operating systems | Surfaces missing OS updates and known exploited flaws across the fleet |
| Application control | Attack surface reduction rules block untrusted executables and Office child processes |
| Configure macro settings | ASR rules restrict malicious Office macro behaviour |
| User application hardening | Web protection and ASR harden browsers and block credential theft |
It does not cover multi-factor authentication, restricting administrative privileges, application allow-listing in full, or regular backups — those need Entra ID conditional access, Intune policy and a separate backup platform. For the full picture, see our Essential Eight compliance work. Defender for Business is a strong contributor to maturity, not a one-click compliance button.
The honest question: is it enough, or do you still need a SOC?
Here is the part most vendors skip. Defender for Business is excellent technology. It is also only as good as the person reading the alerts. The product will detect the ransomware operator moving through your network at 2am on a Sunday — but if nobody is watching the portal at 2am on a Sunday, the alert sits unread until Monday, by which point the damage is done.
This is the difference between having an EDR tool and having managed detection and response. The licence gives you the sensor and the console. It does not give you a human who triages alerts around the clock, escalates the real ones, and actually responds. For a 15-person firm, expecting your one IT-savvy staff member to monitor a security console alongside their day job is wishful thinking.
You have three realistic options. Watch it yourself, which works only if you have someone genuinely capable and available. Accept that alerts get reviewed during business hours and live with the overnight gap — defensible for lower-risk businesses, not for anyone holding sensitive client data. Or put it under managed detection and response, where a team monitors the telemetry 24/7. We dig into the distinctions between SIEM, MDR and EDR in our piece on managed cybersecurity services, and our security operations centre is how we close that monitoring gap for clients who need eyes on the alerts at all hours.
The blunt version: buying Defender for Business and switching it on is the right move for almost every SME. Believing that alone means you are protected is the mistake. A smoke detector that nobody can hear is decoration.
Frequently asked questions
Do I need Defender for Business if I already have Microsoft Defender Antivirus?
Yes, if you want real endpoint detection and response. The built-in antivirus protects individual devices against malware but gives you no central visibility, no investigation tools, no vulnerability management and no way to respond across your fleet. Defender for Business adds all of that. They work together — the antivirus is the foundation, Defender for Business is the security operations layer on top.
Is Defender for Business included in Microsoft 365 Business Premium?
Yes, at no additional cost. If you pay for Business Premium you already own it, even if it has never been configured. It is also sold as a standalone per-user licence for businesses that do not want the full Business Premium suite, capped at 300 users.
Will Defender for Business make me Essential Eight compliant?
No single product does that. It strongly supports patching, application control, macro settings and user application hardening, and it produces evidence for assessments. But you still need multi-factor authentication, restricted admin privileges and tested backups from other tools to reach a defensible Essential Eight maturity level.
Can it protect Macs and phones, not just Windows?
Yes. macOS is supported with a dedicated agent, and iOS and Android are covered through the Defender mobile app deployed via Intune, mainly for web and phishing protection. There is also a per-server add-on for Windows Server. A mixed fleet can be fully covered under one approach.
Do I still need a managed SOC if I have Defender for Business?
It depends on who watches the alerts. The tool detects threats brilliantly but does nothing on its own about an alert raised overnight or on a weekend. If you do not have someone monitoring the console around the clock, managed detection and response fills that gap. For most SMEs with sensitive data, that monitoring is what turns the licence into actual protection.
The short version
Microsoft Defender for Business gives Melbourne SMEs the same class of endpoint security that large enterprises run — next-gen antivirus, EDR, vulnerability management, attack surface reduction and automated investigation — included free with Microsoft 365 Business Premium or available standalone. It is a genuinely strong product and an easy decision to deploy. The catch is that the technology only protects you if someone acts on what it finds. As a Melbourne-based MSP with 13 Australian-employed engineers and a 24/7 NOC in Tecoma, that is the half we handle. If you are paying for Business Premium and have never switched the security on, or you are not sure anyone is watching the alerts, get in touch and we will tell you straight where you stand.
