What's new in Microsoft Defender for Endpoint

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

The following features are in preview or generally available (GA) in the latest release of Microsoft Defender for Endpoint.

For more information on preview features, see Preview features.

For more information on what's new with Microsoft Defender for Endpoint on Windows, see: What's new in Microsoft Defender for Endpoint on Windows

For more information on what's new with other Microsoft Defender security products, see:

For more information on Microsoft Defender for Endpoint on specific operating systems:

January 2024

  • Defender Boxed is available for a limited period of time. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. Take a moment to celebrate your organization's improvements in security posture, overall response to detected threats (manual and automatic), blocked emails, and more.

    • Defender Boxed opens automatically when you go to the Incidents page in the Microsoft Defender portal.
    • If you close Defender Boxed and you want to reopen it, in the Microsoft Defender portal, go to Incidents, and then select Your Defender Boxed.
    • Act quickly! Defender Boxed is available only for a short period of time.

November 2023

October 2023

  • (GA) The device isolation and run AV scan responses in macOS and Linux are now generally available. You can now remotely run an AV scan or isolate devices when responding to attacks.
  • (Public Preview) Streamlined device connectivity for Defender for Endpoint is available in public preview for Windows, macOS, and Linux. This experience makes it easier to configure and manage Defender for Endpoint services by reducing the number of URLs required for connectivity, providing IP & Azure service tag support, and simplifying post-deployment network management.
  • (Public Preview) User Contain can now contain compromised users automatically stopping Human Operated Ransomware in its track using Automatic Attack Disruption.

September 2023

(GA) The Protecting Dev Drive using performance mode is now generally available. The goal of Performance mode is to improve functional performance for developers who use Windows 11. Performance mode which reduces the performance impact of Microsoft Defender Antivirus scans for files stored on designated Dev Drive.

August 2023

  • (GA) The Monthly security summary report is now generally available. The report helps organizations get a visual summary of key findings and overall preventative actions taken to enhance the organization's overall security posture completed in the last month.

July 2023

June 2023

  • Microsoft Defender Antivirus scan response action is supported for macOS and Linux for client version 101.98.84 and above. It is in preview. See Run Microsoft Defender Antivirus scan on devices.
  • Isolating devices from the network is supported for macOS for client version 101.98.84 and above. It is in preview. See Isolate devices from the network.
  • Forcibly releasing devices from isolation is now available for public preview. This new capability allows you to forcibly release devices from isolation, when isolated devices become unresponsive. For more information, see Forcibly release device from isolation.

May 2023

  • Performance mode for Microsoft Defender Antivirus is now available for public preview. This new capability provides asynchronous scanning on a Dev Drive, and doesn't change the security posture of your system drive or other drives. For more information, see Protecting Dev Drive using performance mode.

March 2023

February 2023

  • The Microsoft Defender for Identity integration toggle is now removed from the Microsoft Defender for Endpoint Settings > Advanced features page. Because Defender for Identity is now integrated with Microsoft Defender XDR, this toggle is no longer required. You don't need to manually configure integration between services. See What's new - Microsoft Defender for Identity.

January 2023

December 2022

  • Microsoft Defender for Endpoint Device control removable storage access control updates:

    1. Microsoft Intune support for removable storage access control is now available. See Deploy and manage device control with Intune.
    2. The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. If you create a Default Deny policy, printers will be blocked in your organization.
  • Microsoft Defender for Endpoint Device control New Printer Protection solution to manage printer is now available. For more information, see Device control policies.

November 2022

  • Built-in protection is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure your devices are protected.

October 2022

  • Network protection C2 detection and remediation is now generally available.
    Attackers often compromise existing internet-connected servers to become their command and control servers. Attackers can use the compromised servers to hide malicious traffic and deploy malicious bots that are used to infect endpoints. Network protection detection and remediation will help improve the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats that are looking to compromise endpoints.

September 2022

August 2022

  • Device health status
    The Device health status card shows a summarized health report for the specific device.

  • Device health reporting (Preview)
    The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.

  • Tamper protection on macOS is now generally available
    This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability. Later this year, we'll offer a gradual rollout mechanism that will automatically switch endpoints to block mode; note this will only apply if you have not made a choice to either enable (block mode) or disable the capability.

  • Network Protection and Web Protection for macOS and Linux is now in Public Preview!
    Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It's the foundation on which our Web Protection for Microsoft Defender for Endpoint is built. These capabilities include Web threat protection, Web content filtering, and IP/URL Custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.

  • Improved Microsoft Defender for Endpoint onboarding for Windows Server 2012 R2 and Windows Server 2016
    Configuration Manager version 2207 now supports automatic deployment of modern, unified Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016. Windows Server 2012 and 2016 devices that are targeted with Microsoft Defender for Endpoint onboarding policy will use the unified agent versus the existing Microsoft Monitoring Agent based solution, if configured through Client Settings.

July 2022

June 2022


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.