Validate and Pilot Defender for Endpoint Local AI Agent Discovery and Runtime Protection

Microsoft Defender for Endpoint has preview capabilities for local AI agent discovery and runtime protection. Discovery automatically surfaces supported local AI agents and MCP server configurations from eligible onboarded endpoints in the Microsoft Defender portal and advanced hunting. Runtime protection is a Windows preview capability that can audit or block prompt injection and unsafe agent actions for supported local AI agents before those actions execute. Use this KB to validate visibility, pilot runtime protection safely, and decide whether to move from audit to block mode.

In this article, you will learn:

  • Affected Systems
  • Prerequisites
  • Symptoms / Observable Behavior
  • Root Cause / What Changed
  • Resolution / Recommended Action
  • Step-by-Step Deployment or Validation Steps
  • Workarounds
  • Administrator Notes

Affected Systems

  • Microsoft Defender for Endpoint environments using qualifying licenses listed by Microsoft: Microsoft Defender for Endpoint Plan 2, Microsoft 365 E5, Microsoft Agent 365, or Microsoft 365 E7.
  • Windows endpoints onboarded to Microsoft Defender for Endpoint are affected by discovery and are the supported platform for runtime protection in the setup documentation.
  • macOS endpoints onboarded to Microsoft Defender for Endpoint are supported for local AI agent discovery, but not for runtime protection in the cited setup documentation.
  • Devices must run Microsoft Defender Antivirus in active mode with current monthly platform and engine updates. Runtime protection preview validation also requires Beta platform and engine updates.
  • Discovery supports a wider set of CLI agents, desktop apps, agentic IDEs, VS Code extensions, Claw-based local agents, and MCP server configurations. Official runtime protection documentation lists Claude Code and GitHub Copilot CLI as supported runtime protection agents at the time of review.
  • Unmanaged bring-your-own-device (BYOD) endpoints are not in scope unless they are onboarded to Microsoft Defender for Endpoint and meet prerequisites. This should be verified against the district or institution's device-management model.

Prerequisites

  • Confirm the tenant has Microsoft Defender for Endpoint Plan 2, Microsoft 365 E5, Microsoft Agent 365, or Microsoft 365 E7 as listed in the Microsoft Learn feature prerequisites.
  • Confirm the endpoint is onboarded to Microsoft Defender for Endpoint.
  • Confirm the endpoint runs a supported version of Windows or macOS for discovery; runtime protection setup currently documents supported Windows only.
  • Confirm Microsoft Defender Antivirus is current and running in active mode.
  • For runtime protection preview validation, configure the Windows pilot device to receive Beta platform and engine updates, run Update-MpSignature three times, and verify AntivirusSignatureVersion 1.451.224.0 or later.
  • For runtime protection, confirm that a supported local AI agent is installed and that the agent natively supports hooks.
  • Discovery documentation states the environment must be in the commercial cloud; sovereign and national clouds are not supported for discovery.

Symptoms / Observable Behavior

  • Security admins may see a Local agents view under Microsoft Defender portal > Assets > AI Agents.
  • Agent details may include agent name, version, related process, associated device and user, first seen and last updated timestamps, integrity level, auto-approve status, trust indicator, and configured MCP servers when detected.
  • Advanced hunting can show local AI agent relationships through ExposureGraphNodes and ExposureGraphEdges.
  • If runtime protection is enabled and a prompt injection is detected, Defender raises a Suspicious AI prompt injection alert. In audit mode, the alert is Informational; in block mode, the severity is Critical, High, Medium, or Low based on assessed risk.
  • When a runtime protection event is blocked, users see a message in the agent terminal and a Windows toast notification. Users can also review detections in Windows Security protection history.

Root Cause / What Changed

The change is a new Microsoft Defender for Endpoint preview capability to identify and protect local AI agents. Microsoft states that local AI agents run with user-level permissions and can access files, tools, and services on the devices where they operate. Because prompt injection can cause an agent to act on malicious instructions from files, web pages, repositories, or tool output, Defender now provides discovery for visibility and runtime protection to inspect key points in the agent loop.

Resolution / Recommended Action

  • Treat discovery as a visibility and inventory control. Review discovered local agents and MCP server configurations before enabling block mode for runtime protection.
  • Pilot runtime protection in Audit mode first on a small group of Windows devices where supported agents are actively used. Microsoft recommends monitoring alerts for 1-2 weeks and submitting false positives to Microsoft for analysis.
  • Move to Block mode only for device groups where alerts have been validated as accurate and actionable.
  • For K-12, start with IT, developer, cybersecurity, CTE, and computer science lab devices before considering broader staff endpoints.
  • For higher education, prioritize developer workstations, research computing support devices, source-code environments, privileged IT admin devices, and labs that use local AI coding agents.
  • Do not communicate the broad availability of EDU licensing beyond what is confirmed. The feature pages list MDE P2, M365 E5, Agent 365, or M365 E7. Microsoft Defender service documentation states MDE P2 is available in Microsoft 365 E5/A5/G5, and Microsoft Education documentation describes MDE P2 as included in Microsoft 365 A5, but the local AI agent feature pages do not explicitly list A5/A3/A1.

Step-by-Step Deployment or Validation Steps

Phase 1 - Confirm scope and licensing

  1. Identify managed Windows and macOS endpoints that are onboarded to Microsoft Defender for Endpoint and likely to have local AI agents installed.
  2. Confirm the tenant has a qualifying license listed in the Microsoft Learn prerequisites: MDE P2, Microsoft 365 E5, Microsoft Agent 365, or Microsoft 365 E7. For EDU tenants, verify A5 or other entitlement in the Microsoft admin center or with Microsoft before making customer-facing licensing claims.
  3. Confirm devices are in the commercial cloud and that Microsoft Defender Antivirus is current and active on devices in scope.

Phase 2 - Validate Local AI Agent Discovery

  1. Sign in to the Microsoft Defender portal.
  2. Go to Assets > AI Agents > Local agents.
  3. Review agent details, including associated device and user, process, timestamps, integrity level, auto-approve status, trust indicator, and MCP server configuration where available.
  4. Use advanced hunting to inventory local AI agents across endpoints:
    ExposureGraphEdges
    | where SourceNodeLabel == "endpointAiAgent"
    | where EdgeLabel =~ "runs on"
    | summarize Devices = make_set(TargetNodeName),
        DeviceCount = dcount(TargetNodeName)
        by AIAgent = SourceNodeName
    | sort by DeviceCount desc
  5. Prioritize review of agents on devices used by privileged admins, developers, research teams, or users with broad access to code, data, or cloud resources.

Phase 3 - Pilot Runtime Protection on a Single Windows Device

  1. Select a Windows pilot device with a supported runtime-protection agent such as Claude Code or GitHub Copilot CLI.
  2. Open an elevated PowerShell session.
  3. Configure the device for preview platform and engine updates and update signatures. Microsoft says running Update-MpSignature three times is required for preview validation.
    Set-MpPreference -PlatformUpdatesChannel Beta
    Set-MpPreference -EngineUpdatesChannel Beta
    Update-MpSignature
    Update-MpSignature
    Update-MpSignature
  4. Verify AntivirusSignatureVersion is 1.451.224.0 or later.
    Get-MpComputerStatus | Select-Object AntivirusSignatureVersion
  5. Enable Audit mode first.
    Set-MpPreference -AiAgentProtection Audit
  6. Verify the setting.
    Get-MpPreference | Select-Object AiAgentProtection
  7. Monitor Microsoft Defender alerts for 1-2 weeks. Validate whether detections are accurate and whether any expected education workflows are affected.

Phase 4 - Expand with Intune after validation

  1. Create device groups for the pilot, expansion, and enforcement phases. Avoid applying Block mode to all faculty, student, lab, or developer devices without a measured pilot.
  2. Use Intune PowerShell scripts to deploy the setting. Microsoft states native Intune policy support is not included for AI agent runtime protection.
    Set-MpPreference -AiAgentProtection Audit
  3. After audit findings are validated and change communication is complete, move selected device groups to Block mode.
    Set-MpPreference -AiAgentProtection Block
  4. Continue monitoring Suspicious AI prompt injection alerts, device timelines, incidents, and user reports after moving to Block mode.
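
Added example (not Microsoft's script and not part of the original KB): one way to wrap the Phase 3 checks and the Phase 4 setting in a single script for Intune deployment, so the mode is only applied on devices that meet the prerequisites above. The `$Mode` and `$MinSignature` parameters and the `Test-SignatureVersion` helper are names introduced for this example; treating an `AMRunningMode` of `Normal` as active mode is an assumption that is not stated in this KB.

```powershell
# Added example: gate the documented Set-MpPreference call on this KB's prerequisites.
# $Mode, $MinSignature and Test-SignatureVersion are names introduced for the example.
param(
    [ValidateSet('Disabled', 'Audit', 'Block')]
    [string]$Mode = 'Audit',
    [version]$MinSignature = '1.451.224.0'   # minimum signature version stated in this KB
)
$ErrorActionPreference = 'Stop'

function Test-SignatureVersion {
    param([string]$Current, [version]$Minimum)
    # Cast to [version] so that 1.451.1000.0 ranks above 1.451.224.0;
    # a plain string comparison would order those two the wrong way round.
    return ([version]$Current -ge $Minimum)
}

try {
    $status = Get-MpComputerStatus

    # Prerequisite: Defender Antivirus in active mode (assumed to report as 'Normal').
    if ($status.AMRunningMode -ne 'Normal') {
        Write-Output "SKIP: Defender Antivirus running mode is '$($status.AMRunningMode)', not active."
        exit 1
    }

    # Prerequisite: signature version at or above the documented minimum.
    if (-not (Test-SignatureVersion -Current $status.AntivirusSignatureVersion -Minimum $MinSignature)) {
        Write-Output "SKIP: signature $($status.AntivirusSignatureVersion) is older than $MinSignature."
        exit 1
    }

    # A device whose platform lacks the preview parameter fails here and lands in catch.
    Set-MpPreference -AiAgentProtection $Mode

    # Read the setting back. How the value is represented is not stated in this KB,
    # so it is reported for review rather than compared against $Mode.
    $applied = (Get-MpPreference).AiAgentProtection
    Write-Output "OK: requested=$Mode applied=$applied signature=$($status.AntivirusSignatureVersion)"
    exit 0
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Intune runs platform scripts without arguments, so the `param()` defaults are what take effect; a Block-phase copy of the script would change the `$Mode` default and be assigned only to the validated device groups.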

Workarounds

  • If Block mode causes disruption or suspected false positives, use Audit mode while collecting evidence and submitting false positives to Microsoft. This is an officially recommended deployment phase, not a permanent mitigation.
  • If runtime protection must be turned off for a pilot group, use Disabled mode. Microsoft documents Disabled, Audit, and Block as valid modes.
  • For unsupported agents, rely on discovery, endpoint controls, application governance, least privilege, software inventory, and standard Defender investigation workflows. Runtime blocking is only documented for supported agents with hooks.
  • Native Intune policy settings and per-agent exclusion mechanisms were not confirmed in the available sources. Use documented PowerShell script deployment and scoped device groups instead.

Administrator Notes

  • Discovery starts automatically when prerequisites are met, but discovery is not the same as enforcement. It provides visibility and investigation data only and does not include posture assessment or alerts for endpoint agents by itself.
  • Runtime protection is in preview. Microsoft prerelease documentation may change before commercial release.
  • Because runtime protection preview validation uses Beta platform and engine updates, do not enable it first on high-stakes classroom, testing, registrar, finance, or production research devices.
  • For schools, review student privacy, acceptable-use, and software approval policies before acting on agent inventory, because discovery may associate agents with users and devices.
  • For higher education, coordinate with research computing, central IT, faculty governance where appropriate, and developer teams before applying Block mode on devices used for research or software development.
  • No recurring community-reported deployment issues were confirmed from available sources at the time of this review. Treat this as limited visibility, not proof that no issues exist.
