
Features

Joseph A. M. edited this page Mar 27, 2026 · 3 revisions

How to Comply

What is it?

Every task in the tool has a "How to comply" section that explains exactly what to do to satisfy the control. This is the most important feature for anyone who is new to Microsoft Defender for Endpoint or to compliance audits.

Rather than telling you what a control requires in abstract terms, the How to Comply guidance tells you specifically which product to use, where to find the relevant setting, what to configure, and in many cases how to verify that the configuration is correct.


How to access it

Each task card has a button near the bottom labelled "How to comply". Click or tap this button to expand the guidance panel. The panel is collapsed by default so it does not clutter the view when you are scanning through tasks.

Clicking the button again collapses the panel. Each task's panel operates independently — you can have multiple panels open at the same time across different tasks.


What is in the panel

The guidance panel has up to three sections.

Portal badge and navigation path

The first line shows a coloured badge identifying which Microsoft portal or tool you need to use, followed by the exact menu path to navigate to the relevant setting.

The portals used across the tool are:

Defender Portal — the Microsoft Defender XDR portal at security.microsoft.com. This is where you manage alerts, incidents, device inventory, threat intelligence, and advanced hunting queries. Most detection and response tasks are configured here.

Microsoft Intune — the device management portal at intune.microsoft.com. This is where you create and deploy policies that control how devices are configured. Most protection tasks — antivirus settings, firewall rules, attack surface reduction rules, BitLocker encryption — are configured here.

Entra ID — the identity management portal at entra.microsoft.com. This is where you manage users, roles, Conditional Access policies, and Privileged Identity Management. Access control tasks are configured here.

Microsoft Sentinel — the security information and event management (SIEM) platform. This is where logs are collected, analytics rules are run, and incidents are correlated across multiple sources. Detection and monitoring tasks involving Sentinel are done here.

PowerShell — a command-line tool built into Windows. Some tasks use PowerShell commands to verify that a setting is correctly applied on a device. You do not need to know how to write PowerShell — the commands are provided for you to copy and run.

M365 Admin — the Microsoft 365 Admin Centre at admin.microsoft.com. Licensing and tenant-level configuration tasks are done here.

Azure Portal — the Azure management portal at portal.azure.com. Tasks involving Key Vault, Power Automate, and some monitoring configurations are done here.

Internal Process — this badge appears when the task requires creating a document, following an internal procedure, or obtaining sign-off from a person rather than configuring a software setting.

Step-by-step action

This is the main body of the guidance. It describes in plain English exactly what to do to satisfy the control. It explains:

  • What setting to look for
  • What value to set it to
  • What to check after making the change
  • Any important caveats or warnings (for example, that a rule should be tested in audit mode before being set to block mode)

Read this section in full before making changes. Some tasks require a preparation step or a period of monitoring before the final configuration can be applied safely.

Command or query block

Approximately 63 tasks include a code block containing either a PowerShell command or a KQL (Kusto Query Language) query. These are used to verify that a setting has been applied correctly or to analyse data.

You do not need to understand how to write PowerShell or KQL to use these. Copy the command or query exactly as shown and run it in the appropriate tool. The step-by-step action text above the code block explains what the output should look like and what it means.

PowerShell commands are run in Windows PowerShell or PowerShell 7 on a device that is enrolled in MDE (Microsoft Defender for Endpoint). Open PowerShell, paste the command, and press Enter.

KQL queries are run in the Advanced Hunting section of the Microsoft Defender portal (security.microsoft.com > Hunting > Advanced hunting) or in Microsoft Sentinel (Logs section). Paste the query, press Run, and review the results.


Tips for using How to Comply effectively

Read the action text before going to the portal. Understanding what you are trying to achieve makes it much easier to navigate to the right setting and confirm you have done it correctly.

If a portal path in the guidance does not match what you see in your portal, it may be because Microsoft has updated the portal interface since the guidance was written. In most cases the setting still exists in the same product — use the portal's search function to find it.

If a task involves deploying a policy through Intune, test the policy on a small group of devices before deploying it to all devices. Most Intune policies allow you to assign them to a specific device group, so you can apply them to a test group first.

Mark the task as In Progress when you start working on it, even if it takes several days to complete. This prevents the task from appearing as Not Started and helps other team members understand the current state.

Use the notes field to record the date you made the change, the name of the policy or rule you created, and any observations. This creates a useful record for audits and for troubleshooting if something stops working later.

Gap Analysis

What is it?

The Gap Analysis feature lets you compare two snapshots of your compliance progress: a baseline (a saved state from a previous point in time) and your current state. The comparison shows you exactly what has changed between the two — what has been completed, what has regressed, what is blocked, and what was never started.

This is useful for tracking progress over time, for identifying controls that were working but have since broken or been disabled, and for producing a structured gap report before an audit.


What is a baseline?

A baseline is a JSON file exported from this tool at a previous point in time. It contains all the task statuses and notes from that point. When you import that file into the current tool, the Gap Analysis compares each task's status in the baseline against each task's current status.

You do not need to have created the baseline yourself. Any valid JSON export from this tool can be used as a baseline, including one created by a colleague or from a different engagement.


How to use it

Step 1 — Create a baseline

If you want to track progress over time, the first step is to export your current state as a JSON file. Open the Actions dropdown and choose Export, then select JSON Config. Save the file somewhere you can find it later — a date-stamped folder works well.

You do not need a baseline to use the tool. If you are doing a gap analysis against a client's existing deployment, the baseline would be an export of their current state, which they provide to you.

Step 2 — Import the baseline

When you are ready to run a gap analysis, open the Actions dropdown and choose Import Config. A dialogue box will appear with a file upload area. Either click the area to browse for the JSON file, or drag and drop the file directly onto the upload area.

The tool validates the file automatically. If the file is not a valid export from this tool, an error message will explain the problem. If the file is valid, the gap analysis runs immediately and you are taken to the Gap Analysis view.

Step 3 — Review the results

The Gap Analysis view shows a summary at the top with counts for each type of finding, the date the baseline was created, and an overall compliance score.

Below the summary is a filter bar and a list of all tasks organised by framework. Each task shows its baseline status, its current status, and a delta badge.

Step 4 — Filter to what matters

Use the filter buttons above the task list to focus on specific types of findings. For example, clicking "Regressions" shows only the tasks that were previously marked Complete but are no longer — these represent controls that have degraded and need immediate attention.

Step 5 — Export the results

The Gap Analysis view has its own export buttons: Export CSV and Export Report. These produce outputs that include the baseline status, current status, and delta classification for every task. These are suitable for sharing with clients, managers, or auditors.


Delta types explained

Each task in the gap analysis is assigned one of seven delta labels.

Compliant: The task was complete in the baseline and is still complete now. The control is in place and has been maintained. This is the ideal state.

Improved: The task was not complete in the baseline but is complete now. Progress has been made since the baseline was taken. This is a positive finding.

Regression: The task was complete in the baseline but is no longer complete now. Something has changed — the configuration may have been accidentally removed, a policy may have been edited, or a system may have changed. Regressions require investigation and remediation. This is the most important finding type for operational security.

Gap: The task was not complete in the baseline and is still not complete now. This represents a control that has not been addressed in either the baseline or the current state. These are straightforward gaps that require work.

Blocked: The task is currently marked as Blocked in the current tracker. Something is preventing completion — a missing licence, a pending decision, or a dependency on another project.

In Progress: The task is currently being worked on but is not yet complete. This is not a gap — it is work underway.

New Control: The task exists in the current tool but was not present in the baseline file. This typically happens when the tool has been updated with new tasks since the baseline was created.


The compliance score

At the top of the Gap Analysis view, an overall compliance score is shown as a percentage. This score is calculated as the number of tasks that are either Compliant or Improved divided by the total number of tasks. It represents the proportion of controls that are in a positive state relative to the baseline.

A score of 100% means every task is either Compliant (was complete and still is) or Improved (is now complete when it was not before). A score below 100% means there are gaps, regressions, or blocked tasks that need attention.
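As an added example that is not the tool's own code, the following JavaScript applies the seven delta labels and the compliance score defined above to a constructed baseline export and current state; the task shape, the order in which the labels are checked, and the sample task ids and names are assumptions.

```javascript
// Added example, not the tool's own code: the seven delta labels and the
// compliance score described above, applied to a constructed baseline
// export and current state. The task shape ({ id, framework, name, status })
// and the order in which the labels are checked are assumptions.

const COMPLETE = "Complete";
const BLOCKED = "Blocked";
const IN_PROGRESS = "In Progress";

// Decide the delta label for one task. `baselineStatus` is undefined when the
// task id was not present in the baseline file. Assumed precedence: New Control,
// then Compliant/Improved, then Regression, then Blocked, In Progress, Gap, so a
// task that was Complete and is now Blocked is reported as a Regression.
function classifyDelta(baselineStatus, currentStatus) {
  if (baselineStatus === undefined) return "New Control";
  const wasComplete = baselineStatus === COMPLETE;
  const isComplete = currentStatus === COMPLETE;
  if (isComplete) return wasComplete ? "Compliant" : "Improved";
  if (wasComplete) return "Regression";
  if (currentStatus === BLOCKED) return "Blocked";
  if (currentStatus === IN_PROGRESS) return "In Progress";
  return "Gap";
}

// Compare a baseline export against the current tracker state and return the
// per-task rows, the count of each delta label, and the compliance score
// (Compliant + Improved over all current tasks, as a rounded percentage).
function runGapAnalysis(baselineTasks, currentTasks) {
  const baselineById = new Map(baselineTasks.map((t) => [t.id, t.status]));
  const rows = currentTasks.map((t) => {
    const baselineStatus = baselineById.get(t.id);
    return {
      id: t.id,
      framework: t.framework,
      name: t.name,
      baselineStatus: baselineStatus === undefined ? "(not in baseline)" : baselineStatus,
      currentStatus: t.status,
      delta: classifyDelta(baselineStatus, t.status),
    };
  });
  const counts = {};
  for (const row of rows) counts[row.delta] = (counts[row.delta] || 0) + 1;
  const positive = (counts["Compliant"] || 0) + (counts["Improved"] || 0);
  const score = rows.length === 0 ? 0 : Math.round((positive / rows.length) * 100);
  return { rows, counts, score };
}

// The "Regressions" filter button: controls that were in place and no longer are.
function regressions(gapResult) {
  return gapResult.rows.filter((r) => r.delta === "Regression");
}

// Constructed sample data: last month's export (baseline) and today's state.
const BASELINE_TASKS = [
  { id: "nist-pr-ps-01", framework: "NIST CSF 2.0", name: "ASR rules in block mode", status: "Complete" },
  { id: "nist-pr-ds-01", framework: "NIST CSF 2.0", name: "BitLocker on all devices", status: "Complete" },
  { id: "nist-de-cm-01", framework: "NIST CSF 2.0", name: "Sentinel analytics rules", status: "Not Started" },
  { id: "pci-8-3", framework: "PCI DSS", name: "MFA for administrative access", status: "In Progress" },
  { id: "pci-10-2", framework: "PCI DSS", name: "Audit log retention", status: "Not Started" },
  { id: "pci-1-2", framework: "PCI DSS", name: "Firewall rule review", status: "In Progress" },
];
const CURRENT_TASKS = [
  { id: "nist-pr-ps-01", framework: "NIST CSF 2.0", name: "ASR rules in block mode", status: "Complete" },
  { id: "nist-pr-ds-01", framework: "NIST CSF 2.0", name: "BitLocker on all devices", status: "Not Started" },
  { id: "nist-de-cm-01", framework: "NIST CSF 2.0", name: "Sentinel analytics rules", status: "Blocked" },
  { id: "pci-8-3", framework: "PCI DSS", name: "MFA for administrative access", status: "Complete" },
  { id: "pci-10-2", framework: "PCI DSS", name: "Audit log retention", status: "Not Started" },
  { id: "pci-1-2", framework: "PCI DSS", name: "Firewall rule review", status: "In Progress" },
  { id: "pci-12-10", framework: "PCI DSS", name: "Incident response plan", status: "Not Started" },
];

const gap = runGapAnalysis(BASELINE_TASKS, CURRENT_TASKS);
console.log(`Compliance score: ${gap.score}%`, gap.counts);
for (const r of regressions(gap)) console.log("REGRESSION:", r.id, r.name);
```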


Clearing the gap analysis

To remove the gap analysis and return to the normal view, open the Gap Analysis view and click the Clear button. This removes the baseline and the comparison results. Your current task statuses and notes are not affected — only the comparison is cleared.


Common use cases

Tracking progress over time on a long engagement: Export a JSON config at the end of each month. At the next monthly review, import the previous month's export as the baseline. The gap analysis shows exactly what changed — tasks completed, tasks that regressed, new blockers.

Before an audit or assessment: A few weeks before the assessment date, export the current state as a baseline. Complete as much remediation work as possible. Then import the pre-remediation export as the baseline to show the auditor how much was achieved in the lead-up period.

Handing over a client to another engineer: Export the current JSON config and pass it to the receiving engineer. They import it as their baseline and can immediately see the starting state of the engagement.

After a significant system change: After a major platform update, policy change, or incident, export the current state and compare it to a pre-change export. Any regressions surface immediately.

Stakeholder Reporting

What is it?

The Stakeholder Report is a plain-language summary of the compliance posture for a specific framework, designed to be understood by people who are not technical and have no background in cybersecurity or compliance.

It is intended for use in client briefings, management reviews, board presentations, and quarterly business reviews — situations where the audience needs to understand the security status without being buried in technical detail.

The report is generated from the current state of your tracker in real time. It takes the task statuses and notes you have entered and turns them into a narrative summary with clear headings, plain language, and specific recommendations.


How to generate a report

The Stakeholder Report is available on each individual framework page. It is not available on the Overview page.

To generate a report:

  1. Switch to a framework using the framework switcher in the header
  2. Look for the Stakeholder Report button in the top-right corner of the framework header
  3. Click it

The report modal opens immediately with the report already built from your current data. There is no loading time and no internet connection is required.


What is in the report

The report has four sections.

Executive Summary

This is a one- or two-paragraph plain-language description of the current security posture for the chosen framework. It covers:

  • What percentage of controls are complete
  • How many controls are in progress, blocked, or not started
  • Whether any high-priority controls remain incomplete
  • An overall characterisation of the posture (for example, "strong", "progressing", or "in early stages")

The language is deliberately non-technical. Terms like "attack surface reduction rules" do not appear — instead the summary describes the outcomes and the state of progress in terms a business person can understand.

Framework Status

This section shows a card for each framework being reported. Each card shows:

  • The framework name
  • A progress bar
  • The completion percentage
  • The number of controls complete out of the total
  • A plain status label: On Track (75% or above), In Progress (40% to 74%), or Getting Started (below 40%)

When reporting on a single framework, only one card is shown.

Risk Indicators

This section lists specific risks that the current data suggests need attention. The risk indicators are generated automatically from the tracker state and include:

  • Any blocked controls (controls where something is preventing completion)
  • Any high-priority controls that remain incomplete
  • Any frameworks that have not been started at all
  • Any frameworks with very low completion rates

Each risk indicator includes a badge that categorises its urgency: Action Required, Priority, Not Started, or Low Coverage. If no risk indicators are found — for example if all high-priority controls are complete and nothing is blocked — a single "Low Risk" indicator is shown.

Recommended Next Steps

This section identifies the three lowest-progress areas and names a specific, actionable next step for each. Rather than vague guidance like "improve your patch management", the recommendations name the specific next high-priority task — for example, "Enable Threat and Vulnerability Management scanning for all in-scope devices".

This makes the report directly actionable. The person reading it knows exactly what needs to happen next, even without technical background.


Exporting the report as a PDF

At the bottom of the report modal is a button labelled "Export as PDF". Clicking this opens the report in a new browser tab and immediately triggers the browser's print dialog.

In the print dialog:

  1. Look for a destination or printer selection
  2. Choose "Save as PDF" from the list of available options
  3. Choose where to save the file
  4. Click Save

The report is formatted specifically for PDF output. It uses an A4 page size, appropriate margins, section breaks to avoid splitting content awkwardly across pages, and colour rendering that remains accurate when printed to PDF.

If the browser blocks the pop-up, a notification will appear in the bottom-right corner of the screen saying "Allow pop-ups to generate PDF". You will need to allow pop-ups from the file origin (this will be shown in your browser's address bar area) and then click the Export as PDF button again.

Pop-up blocking is a browser security feature. Most browsers show a small icon in the address bar when a pop-up is blocked — look for it and click it to manage the setting.


Who should see this report

The Stakeholder Report is designed for:

  • Clients who need a progress update but do not have a technical background
  • Senior management and CISOs who need a summary for decision-making
  • Board members who need to be aware of the security posture without the detail
  • Project managers who are tracking delivery milestones
  • Non-technical executives attending a quarterly business review

The report intentionally does not include specific portal settings, configuration details, or technical task names. If you need to share technical detail, use the CSV or HTML export from the Export menu instead.


Tips for effective stakeholder reporting

Generate the report before the meeting, not during. Review the content in advance to make sure the automatically generated text accurately reflects the situation. If a key piece of context is missing, add notes to the relevant tasks before generating the report — the notes themselves do not appear in the report, but they contribute to more accurate risk indicator generation.

Export the report as a PDF and attach it to the meeting agenda or calendar invite. This gives stakeholders time to read it before the meeting and come prepared with questions.

If the overall compliance score is lower than expected, generate the report anyway. The Risk Indicators and Recommended Next Steps sections provide the framing needed to explain the situation constructively — the report is designed to present the facts clearly and propose a path forward, not to make progress look better than it is.

Export Options

Overview

The tool provides six export formats across three export functions. Exports are generated entirely within your browser — no data is sent to any server and no internet connection is required.


Accessing the export options

Standard exports (CSV, HTML Report, JSON Config) are available from the Actions dropdown in the header. Click Actions, then click Export. A dialogue box opens with three options.

JSON Config preview is available directly from Actions > JSON Config. This opens a preview of the JSON file before you download it, with a copy button to copy it to your clipboard.

Gap Analysis exports (Gap CSV and Gap HTML Report) are available from within the Gap Analysis view, which appears after importing a baseline file. The export buttons are at the top of the Gap Analysis page.

Stakeholder Report PDF is available from within any individual framework page. Click the Stakeholder Report button in the framework header, then click Export as PDF.


CSV export

What it contains

A spreadsheet-compatible file with one row per task across all nine frameworks. Each row includes:

  • Framework name and short identifier
  • Category identifier
  • Task ID and task name
  • Control reference code (the specific control in the framework the task satisfies)
  • Priority level (High, Medium, or Low)
  • Current status (Not Started, In Progress, Complete, or Blocked)
  • Notes (the text entered in the notes field)

When to use it

Use CSV exports when you need to work with the data in a spreadsheet tool like Excel or Google Sheets. This is useful for creating custom views, pivot tables, charts, or for sharing data with people who do not have the tool.

CSV exports are also useful for records management — a date-stamped CSV export at the end of each month creates a flat-file audit trail of your compliance progress.

How to open it

Open the downloaded CSV file in Excel, Google Sheets, Numbers, or any other spreadsheet application. If the text appears in a single column rather than separate columns, the application has not split the file on its comma delimiter. In Excel, use the Text to Columns feature and select Comma as the delimiter.


HTML Report

What it contains

A standalone HTML file that contains a complete formatted report covering all nine frameworks. The report includes:

  • A summary section with completion statistics for each framework
  • A section for each framework with all tasks listed in a table including status, notes, and priority
  • Colour coding that matches the framework colours in the tool

When to use it

Use HTML Report exports for client deliverables, audit submissions, and project close-out documentation. The HTML file can be opened in any browser and printed to PDF using the browser's print function.

The HTML report is suitable for showing to auditors, compliance managers, and project stakeholders who want detailed task-level information rather than the high-level executive summary provided by the Stakeholder Report.

Sending to others

The HTML file is self-contained — all styling is embedded in the file. You can email it, attach it to a ticket, or share it via a file sharing service. The recipient only needs a browser to open it.


JSON Config

What it contains

A structured data file in JSON format that contains:

  • Metadata including the export date, tool version, and frameworks included
  • Summary statistics for each framework
  • A complete record of every task across all frameworks including status and notes

When to use it

Use JSON Config exports for:

  • Version control — commit JSON exports to a git repository to maintain a history of compliance progress over time
  • Gap analysis baseline — import a previous JSON export to run a gap analysis comparing the old state to the current state
  • State portability — share your progress with a colleague who opens the file using the Import option
  • GRC platform integration — the structured JSON format can be processed by governance, risk, and compliance tools

Reading the file

JSON is a plain-text format. You can open it in any text editor (Notepad, Visual Studio Code, TextEdit). It is structured with curly braces, square brackets, and labels, which makes it easy for software to process. You do not need to read or edit it manually to use it — just treat it as a file you import and export.


Gap CSV

What it contains

Similar to the standard CSV but includes two additional columns: Baseline Status (the task status from the imported baseline) and Delta (the delta classification — Compliant, Improved, Regression, Gap, Blocked, In Progress, or New Control).

When to use it

Use Gap CSV exports to share gap analysis results with colleagues or clients in a format they can open in a spreadsheet. This is useful for creating a remediation plan where each row represents a gap or regression that needs to be addressed.


Gap HTML Report

What it contains

A standalone HTML report showing the gap analysis results in a formatted, human-readable layout. It includes the compliance score, summary counts per delta type, and a table of all tasks with baseline status, current status, and delta classification.

When to use it

Use Gap HTML Report exports for client-facing gap reports and pre-assessment remediation plans. It is suitable for sharing with auditors, clients, and project managers.


Stakeholder Report PDF

What it contains

A print-formatted PDF (generated via the browser's print dialog) containing the four sections of the Stakeholder Report: Executive Summary, Framework Status, Risk Indicators, and Recommended Next Steps.

The report is formatted for A4 paper with appropriate margins and section breaks. It uses white background and standard fonts for maximum readability when printed or viewed as a PDF.

When to use it

Use Stakeholder Report PDFs for management briefings, quarterly business reviews, board presentations, and client status meetings. The language is plain English with no technical terminology. See the Stakeholder Reporting page for more detail on generating this report.


Choosing the right export

Situation                                     Recommended export
Sharing progress with a technical colleague   JSON Config
Creating a monthly compliance record          CSV or JSON Config
Submitting evidence to an auditor             HTML Report
Briefing a client's management team           Stakeholder Report PDF
Tracking what changed since last month        Gap CSV or Gap HTML Report
Working with data in a spreadsheet            CSV
Handing over to another engineer              JSON Config

Task Tracking

What is it?

Task tracking is the core function of the tool. Every compliance control that needs to be addressed is represented as a task, and the tool lets you record the current state of each task, add notes, and monitor progress across the entire deployment.

This page explains every part of a task card and how to use the tracking features effectively.


Anatomy of a task card

Each task is displayed as a card. Reading from left to right:

Checkbox — a tick box on the left edge. Ticking this immediately marks the task Complete. Unticking it returns it to Not Started.

Task name — a short, descriptive title for the task. This tells you at a glance what the configuration or action involves.

Reference code — a small box containing the control reference code from the compliance framework. For example, in NIST CSF 2.0 a task might show "PR.PS-01", which is the specific subcategory in the Protect function that the task satisfies. This code is useful when discussing the task with an auditor or when linking the task to a formal risk register.

Priority badge — a coloured label showing High, Medium, or Low. This is the priority assigned to the task in the context of the compliance framework. High-priority tasks are the ones that assessors focus on most closely and that have the greatest impact if missing.

Description — a brief plain-English explanation of what the task involves and why it matters.

How to comply button — expands the detailed step-by-step guidance for completing the task. See the How to Comply page for full details.

Status dropdown — the most important tracking control on the card. Use this to record the current state of the task. See the section below on status options.

Notes field — a free-text area where you can record any relevant information. See the section below on using notes effectively.


Status options

Each task can be set to one of four statuses.

Not Started: The default status for all tasks. This means the configuration has not been addressed yet. Tasks in this state appear with a white status box.

Use Not Started when you have not yet looked at a task or begun any related work.

In Progress: The task has been started but is not yet complete. This might mean a policy has been partially configured, a test is underway, or the work is split across multiple sessions.

Use In Progress when you have taken some action on the task but cannot yet mark it complete. Marking tasks as In Progress as you work on them gives other team members visibility into what is actively being worked on.

Complete: The configuration is fully in place and has been verified. When a task is marked Complete, the task card is dimmed and the task name has a line through it, making it easy to visually scan for what remains.

Use Complete only when you have done the work and checked that it is working correctly. The "How to comply" guidance often includes a verification step — for example, a PowerShell command that confirms the setting is applied. Complete that verification step before marking the task done.

Blocked: The task cannot currently be completed because of an external dependency or obstacle. This might be a missing licence, a decision that needs to be made by someone else, a dependency on another project, or an organisational policy that prevents the configuration.

Use Blocked when you have identified the obstacle and cannot proceed without it being resolved. Always add a note explaining what the blocker is.


The notes field

The notes field is a free-text area on the right side of each task card. You can type anything you want here. Notes are included in CSV and JSON exports.

Recommended things to record in notes

For completed tasks:

  • The date the configuration was applied
  • The name of the policy, rule, or setting that was created (for example, "Deployed via Intune policy named CDE-ASR-Rules-Production")
  • A ticket number from your change management system
  • Any deviations from the guidance — for example, if the guidance recommends a specific setting but you used a slightly different value for a legitimate reason

For in-progress tasks:

  • What has been done so far
  • What remains to be done
  • Any relevant observations from testing or piloting

For blocked tasks:

  • The reason the task is blocked (be specific)
  • Who needs to make the decision or take the action to unblock it
  • The expected date it will be unblocked

For any task:

  • Links to relevant documentation or evidence stored elsewhere
  • The name of the person who completed the work (useful on team engagements)
  • The output of any verification commands you ran

How progress is calculated

The tool calculates progress as the number of tasks marked Complete divided by the total number of tasks in a framework (or category). This percentage is shown in the framework header, in the overview cards, and in the comparison table.

Tasks marked In Progress or Blocked do not count towards the completion percentage. Only tasks marked Complete are counted. This is intentional — a task that is in progress or blocked has not yet met the compliance requirement.

The high-priority counter in the framework header shows the number of High-priority tasks that are not yet marked Complete. This is a useful indicator of how much critical work remains regardless of overall completion percentage.
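As an added example that is not the tool's own code, the following JavaScript derives the completion percentage and outstanding high-priority counter described here, together with the Framework Status label and Recommended Next Steps from the Stakeholder Reporting section, from one constructed task list; the task shape, the sample tasks and framework names, and the rule for picking the named next step are assumptions.

```javascript
// Added example, not the tool's own code: the completion percentage and
// high-priority counter from this section, plus the Framework Status label
// and Recommended Next Steps from the Stakeholder Report, derived from one
// task list. The task shape ({ id, framework, name, priority, status }), the
// choice of "next step", and the sample tasks are assumptions.

// Plain status label thresholds used on a Framework Status card.
function statusLabel(pct) {
  if (pct >= 75) return "On Track";
  if (pct >= 40) return "In Progress";
  return "Getting Started";
}

// Completion percentage: only Complete counts; In Progress and Blocked do not.
function completionPct(tasks) {
  if (tasks.length === 0) return 0;
  const done = tasks.filter((t) => t.status === "Complete").length;
  return Math.round((done / tasks.length) * 100);
}

// One card per framework: completion figures, the outstanding high-priority
// count shown in the framework header, and a candidate next step.
function frameworkStatus(tasks) {
  const byFramework = new Map();
  for (const t of tasks) {
    if (!byFramework.has(t.framework)) byFramework.set(t.framework, []);
    byFramework.get(t.framework).push(t);
  }
  const cards = [];
  for (const [framework, list] of byFramework) {
    const pct = completionPct(list);
    const openHigh = list.filter((t) => t.priority === "High" && t.status !== "Complete");
    cards.push({
      framework,
      complete: list.filter((t) => t.status === "Complete").length,
      total: list.length,
      pct,
      label: statusLabel(pct),
      highPriorityOpen: openHigh.length,
      // Assumed rule: name the first incomplete High-priority task, if any.
      nextStep: openHigh.length > 0 ? openHigh[0].name : null,
    });
  }
  return cards;
}

// Recommended Next Steps: the three lowest-progress frameworks, each paired
// with a specific action rather than generic advice.
function recommendedNextSteps(tasks, limit = 3) {
  return frameworkStatus(tasks)
    .sort((a, b) => a.pct - b.pct)
    .slice(0, limit)
    .map((c) => ({
      framework: c.framework,
      action: c.nextStep === null
        ? "No high-priority controls outstanding; continue with the remaining tasks"
        : c.nextStep,
    }));
}

// Constructed sample tracker state across four frameworks (names are illustrative).
const SAMPLE_TASKS = [
  { id: "n1", framework: "NIST CSF 2.0", name: "Onboard all devices to Defender for Endpoint", priority: "High", status: "Complete" },
  { id: "n2", framework: "NIST CSF 2.0", name: "Enable tamper protection", priority: "High", status: "Complete" },
  { id: "n3", framework: "NIST CSF 2.0", name: "Deploy ASR rules in block mode", priority: "Medium", status: "Complete" },
  { id: "n4", framework: "NIST CSF 2.0", name: "Enable Threat and Vulnerability Management scanning for all in-scope devices", priority: "High", status: "In Progress" },
  { id: "p1", framework: "PCI DSS", name: "Enforce MFA for administrative access", priority: "High", status: "Complete" },
  { id: "p2", framework: "PCI DSS", name: "Enable BitLocker on in-scope devices", priority: "High", status: "Complete" },
  { id: "p3", framework: "PCI DSS", name: "Retain audit logs in Sentinel for 12 months", priority: "High", status: "Blocked" },
  { id: "p4", framework: "PCI DSS", name: "Quarterly firewall rule review", priority: "Medium", status: "Not Started" },
  { id: "p5", framework: "PCI DSS", name: "Document incident response plan", priority: "Medium", status: "Not Started" },
  { id: "s1", framework: "Sample Framework", name: "Restrict local administrator rights", priority: "High", status: "Not Started" },
  { id: "s2", framework: "Sample Framework", name: "Configure device compliance policy", priority: "Low", status: "Not Started" },
  { id: "s3", framework: "Sample Framework", name: "Review Conditional Access policies", priority: "Low", status: "Not Started" },
  { id: "a1", framework: "Another Framework", name: "Assign licences to all users", priority: "Medium", status: "Complete" },
  { id: "a2", framework: "Another Framework", name: "Confirm tenant region", priority: "Low", status: "Complete" },
];

for (const card of frameworkStatus(SAMPLE_TASKS)) {
  console.log(`${card.framework}: ${card.complete}/${card.total} (${card.pct}%) ${card.label}, high-priority open: ${card.highPriorityOpen}`);
}
console.log(recommendedNextSteps(SAMPLE_TASKS));
```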


Saving and persistence

All changes save automatically as you make them. There is no save button. When you tick a checkbox, change a status, or type in the notes field, the change is saved to your browser's local storage within milliseconds.

If you close the browser tab or shut down your computer, your progress is preserved. The next time you open the tool in the same browser on the same device, everything will be exactly as you left it.

Your data is stored in a single browser storage key called mde-multi-state-v2. This means the data is tied to the specific browser on the specific computer you are using. If you switch to a different browser or a different computer, you will not see your saved progress unless you export and re-import the JSON configuration.


Working as a team

The tool does not have built-in multi-user synchronisation. To collaborate with colleagues:

  1. One person works on the tool and exports the JSON config regularly (daily or at the end of each session)
  2. They share the JSON file with the team (via email, a shared folder, or a version control repository)
  3. Colleagues import the JSON to load the latest state before starting their session
  4. At the end of each session, the person who made changes exports a new JSON and shares it

For a more structured approach, commit the JSON exports to a git repository. This creates a full history of who changed what and when, and allows the gap analysis feature to be used to review progress between sessions.


Filtering by category

Within each framework, you can use the category dropdown to show only the tasks in a specific control area. This is helpful when you are focused on one area of work — for example, working through all the access control tasks for PCI DSS without seeing the network or logging tasks at the same time.

The category dropdown defaults to "All Controls" every time you open a framework. Your category selection within the current session is remembered if you switch to another framework and come back, but it resets to "All Controls" when you close and reopen the tool.
