What's new in Microsoft Defender for Endpoint - Before 2023
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
- Microsoft 365 Defender
The following features were in preview or generally available (GA) in Microsoft Defender for Endpoint prior to the calendar year 2023.
For more information on preview features, see Preview features.
For more information on what's new with Microsoft Defender for Endpoint on Windows, see: What's new in Microsoft Defender for Endpoint on Windows
For more information on what's new with other Microsoft Defender security products, see:
- What's new in Microsoft Defender XDR
- What's new in Microsoft Defender for Office 365
- What's new in Microsoft Defender for Identity
- What's new in Microsoft Defender for Cloud Apps
For more information on Microsoft Defender for Endpoint on specific operating systems and on other operating systems:
- What's new in Defender for Endpoint on Windows
- What's new in Defender for Endpoint on macOS
- What's new in Defender for Endpoint on Linux
- What's new in Defender for Endpoint on Android
- What's new in Defender for Endpoint on iOS
December 2022
Microsoft Defender for Endpoint Device control removable storage access control updates:
Microsoft Intune support for removable storage access control is now available. See Deploy and manage device control with Intune.
The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. If you create a Default Deny policy, printers will be blocked in your organization.
Intune: ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement
See Deploy and manage device control using Intune.
Group policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement
See Deploy and manage device control with Group Policy
Microsoft Defender for Endpoint Device control: a new Printer Protection solution to manage printers is now available. For more information, see Device control policies.
November 2022
- Built-in protection is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure that your devices are protected.
October 2022
Network protection C2 detection and remediation is now generally available.
Attackers often compromise existing internet-connected servers to become their command and control servers. Attackers can use the compromised servers to hide malicious traffic and deploy malicious bots that are used to infect endpoints. Network protection detection and remediation helps improve the time it takes for the security operations (SecOps) teams to pinpoint and respond to malicious network threats that are looking to compromise endpoints.
September 2022
Attack surface reduction rules report now available in the Microsoft Defender portal.
The attack surface reduction rules report is now available in the Microsoft Defender portal. This ASR report provides information about the attack surface reduction rules that are applied to devices in your organization and helps you detect threats, block potential threats, and get visibility into ASR and device configuration.
Built-in protection (preview) is rolling out. Built-in protection is a set of default settings, such as tamper protection turned on, to help protect devices from ransomware and other threats.
Device health reporting is now generally available.
The device health report provides information about the health and security of your endpoints. The report includes trending information showing the sensor health state, antivirus status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update versions.
Device health reporting is now available for US Government customers using Defender for Endpoint.
Device health reporting is now available for GCC, GCC High, and DoD customers.
Troubleshooting mode is now available for more Windows operating systems, including Windows Server 2012 R2 and higher. For more information about the required updates, see Troubleshooting mode.
August 2022
Device health status
The Device health status card shows a summarized health report for the specific device.
Device health reporting (Preview)
The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
Tamper protection on macOS is now generally available
This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability. Later this year, we'll offer a gradual rollout mechanism that will automatically switch endpoints to "block" mode; this mechanism applies only if you haven't made a choice to either enable ("block" mode) or disable the capability.
Network Protection and Web Protection for macOS and Linux is now in Public Preview!
Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It's the foundation on which our Web Protection for Microsoft Defender for Endpoint is built. These capabilities include Web threat protection, Web content filtering, and IP/URL Custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.
Improved Microsoft Defender for Endpoint onboarding for Windows Server 2012 R2 and Windows Server 2016
Configuration Manager version 2207 now supports automatic deployment of modern, unified Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016. Devices running Windows Server 2012 R2 or Windows Server 2016 that are targeted by the Defender for Endpoint onboarding policy now use the unified agent instead of the Microsoft Monitoring Agent-based solution, if configured through client settings.
July 2022
Add domain controller devices - Evaluation lab enhancement
Now generally available - Add a domain controller to run complex scenarios such as lateral movement and multistage attacks across multiple devices.
Announcing File page enhancements in Microsoft Defender for Endpoint
Have you ever investigated files in Microsoft Defender for Endpoint? We now make it even easier with our recent announcement of enhancements to the File page and side panel. Users can now streamline processes by having a more efficient navigation experience that hosts all this information in one place.
Introducing the new alert suppression experience
We're excited to share that the new and advanced alert suppression experience is now Generally Available. The new experience provides tighter granularity and control, allowing users to tune Microsoft Defender for Endpoint alerts.
Prevent compromised unmanaged devices from moving laterally in your organization with "Contain"
Starting today, when a device that isn't enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as an SOC analyst, you'll be able to "Contain" it. As a result, any device enrolled in Microsoft Defender for Endpoint will now block any incoming/outgoing communication with the suspected device.
Mobile device support is now available for US Government Customers using Defender for Endpoint
Microsoft Defender for Endpoint for US Government customers is built in the Azure US Government environment and uses the same underlying technologies as Defender in Azure Commercial. This offering is available to GCC, GCC High, and DoD customers, and it further extends our platform availability from Windows, macOS, and Linux, to Android and iOS devices.
June 2022
Defender for Servers Plan 2 now integrates with MDE unified solution
You can now start deploying the modern, unified solution for Windows Server 2012 R2 and 2016 to servers covered by Defender for Servers Plan 2, using a single button.
Mobile Network Protection in Microsoft Defender for Endpoint on Android & iOS now in Public Preview
Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence. We're delighted to announce that users can now benefit from this new feature on both Android and iOS platforms that have Microsoft Defender for Endpoint.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
October 2021
Updated onboarding and feature parity for Windows Server 2012 R2 and Windows Server 2016 (preview)
The new unified solution package makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with many new feature improvements.
Windows 11 support added to Microsoft Defender for Endpoint and Microsoft 365 Defender.
September 2021
- Web content filtering. As part of web protection capabilities in Microsoft Defender for Endpoint, web content filtering enables your organization's security team to track and regulate access to websites based on their content categories. Categories include adult content, high bandwidth, legal liability, leisure, and uncategorized. Although many websites that fall into one or more of these categories might not be malicious, they could be problematic because of compliance regulations, bandwidth usage, or other concerns. Learn more about web content filtering.
August 2021
Microsoft Defender for Endpoint Plan 1 (preview). Defender for Endpoint Plan 1 (preview) is an endpoint protection solution that includes next-generation protection, attack surface reduction, centralized management and reporting, and APIs. Defender for Endpoint Plan 1 (preview) is a new offering for customers who:
- Want to try our endpoint protection capabilities
- Have Microsoft 365 E3, and
- Don't yet have Microsoft 365 E5
For more information on Defender for Endpoint Plan 1 (preview), see Microsoft Defender for Endpoint Plan 1 (preview).
Existing Defender for Endpoint capabilities will be known as Defender for Endpoint Plan 2.
(Preview) Web Content Filtering
Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
June 2021
Delta export software vulnerabilities assessment API
An addition to the Export assessments of vulnerabilities and secure configurations API collection.
Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed" or "how many new vulnerabilities were added to an organization."
Export assessments of vulnerabilities and secure configurations API
Adds a collection of APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.
Remediation activity API
Adds a collection of APIs with responses that contain threat and vulnerability management remediation activities that have been created in your tenant. Response information types include one remediation activity by ID, all remediation activities, and exposed devices of one remediation activity.
Device discovery
Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.
Important
Standard discovery will be the default mode for all customers starting July 19, 2021. You can choose to retain the "basic mode" through the Settings page.
Device group definitions can now include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group.
Mobile Application management support
This enhancement enables Microsoft Defender for Endpoint to protect an organization's data within a managed application when Intune is being used to manage mobile applications. For more information about mobile application management, see this documentation.
Microsoft Tunnel VPN integration
Microsoft Tunnel VPN capabilities are now integrated with Microsoft Defender for Endpoint app for Android. This unification enables organizations to offer a simplified end-user experience with one security app – offering both mobile threat defense and the ability to access on-prem resources from their mobile device – while security and IT teams are able to maintain the same admin experiences they are familiar with.
Jailbreak detection on iOS
Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see Setup Conditional Access Policy based on device risk signals.
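The delta export API entry above contrasts a full per-device vulnerability snapshot with a delta that carries only new, fixed, and updated findings, and notes that the delta is what you use to compute KPIs such as "how many vulnerabilities were fixed". The following added example (not code from the page or from Microsoft) shows that reasoning in working Python: it derives a delta from two constructed full snapshots and then computes the KPIs. The field names (deviceId, cveId, softwareName, softwareVersion, severity) and the status values New / Fixed / Updated are assumptions of this example, chosen to resemble the export records, not a copy of the product's API schema.

```python
"""Derive a vulnerability delta and KPIs from two per-device assessment snapshots.

Field names and the New / Fixed / Updated status values are assumptions of this
example; check the current API reference for the real export schema.
"""
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, str]
Key = Tuple[str, str, str]  # (deviceId, cveId, softwareName) identifies one finding

# Constructed sample data: a full snapshot taken at an earlier date (T0) and the
# current full snapshot (T1). Each record is one CVE affecting one device.
SNAPSHOT_T0: List[Record] = [
    {"deviceId": "dev-1", "cveId": "CVE-2021-0001", "softwareName": "openssl", "softwareVersion": "1.1.1j", "severity": "High"},
    {"deviceId": "dev-1", "cveId": "CVE-2021-0002", "softwareName": "chrome", "softwareVersion": "90.0.4430", "severity": "Medium"},
    {"deviceId": "dev-2", "cveId": "CVE-2021-0001", "softwareName": "openssl", "softwareVersion": "1.1.1j", "severity": "High"},
    {"deviceId": "dev-2", "cveId": "CVE-2021-0003", "softwareName": "zoom", "softwareVersion": "5.0.0", "severity": "Critical"},
]
SNAPSHOT_T1: List[Record] = [
    {"deviceId": "dev-1", "cveId": "CVE-2021-0001", "softwareName": "openssl", "softwareVersion": "1.1.1j", "severity": "High"},
    # Same finding as before, but the severity was re-scored: reported as Updated.
    {"deviceId": "dev-1", "cveId": "CVE-2021-0002", "softwareName": "chrome", "softwareVersion": "90.0.4430", "severity": "High"},
    # dev-2's openssl finding is gone: reported as Fixed.
    {"deviceId": "dev-2", "cveId": "CVE-2021-0003", "softwareName": "zoom", "softwareVersion": "5.0.0", "severity": "Critical"},
    # A device that did not exist in T0: its finding is reported as New.
    {"deviceId": "dev-3", "cveId": "CVE-2021-0004", "softwareName": "7zip", "softwareVersion": "19.00", "severity": "Medium"},
]

STATUSES = ("New", "Fixed", "Updated")


def _key(record: Record) -> Key:
    return (record["deviceId"], record["cveId"], record["softwareName"])


def compute_delta(before: List[Record], after: List[Record]) -> List[Record]:
    """Return only the findings that changed between two full snapshots.

    Each returned record carries a status: New (present only in `after`),
    Fixed (present only in `before`) or Updated (present in both with a changed
    version or severity). Unchanged findings are omitted, which is what keeps a
    delta small compared with a full export.
    """
    old = {_key(r): r for r in before}
    new = {_key(r): r for r in after}
    delta: List[Record] = []
    for key, record in new.items():
        prev = old.get(key)
        if prev is None:
            delta.append({**record, "status": "New"})
        elif (prev["softwareVersion"], prev["severity"]) != (record["softwareVersion"], record["severity"]):
            delta.append({**record, "status": "Updated"})
    for key, record in old.items():
        if key not in new:
            delta.append({**record, "status": "Fixed"})
    return delta


def kpis(delta: List[Record]) -> Dict[str, int]:
    """Organization-wide counts: how many findings were fixed, added, or changed."""
    counts = Counter(r["status"] for r in delta)
    return {status: counts.get(status, 0) for status in STATUSES}


def kpis_by_device(delta: List[Record]) -> Dict[str, Dict[str, int]]:
    """The same counts broken down per device, e.g. to find hosts that only accumulate new findings."""
    per_device: Dict[str, Dict[str, int]] = {}
    for r in delta:
        bucket = per_device.setdefault(r["deviceId"], {status: 0 for status in STATUSES})
        bucket[r["status"]] += 1
    return per_device


if __name__ == "__main__":
    delta = compute_delta(SNAPSHOT_T0, SNAPSHOT_T1)
    for r in sorted(delta, key=lambda r: (r["deviceId"], r["cveId"])):
        print(f'{r["status"]:8} {r["deviceId"]} {r["cveId"]} {r["softwareName"]} {r["softwareVersion"]} {r["severity"]}')
    print("organization:", kpis(delta))
    print("per device:", kpis_by_device(delta))
```

The `kpis` function works equally on records returned by a delta-style call, since all it needs is the status field; computing the delta locally from two full exports, as `compute_delta` does, is the fallback when only full snapshots have been archived.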
March 2021
Manage tamper protection using the Microsoft Defender Security Center
You can manage tamper protection settings on Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server 2022 by using a method called tenant attach.
January 2021
- Windows Virtual Desktop
Microsoft Defender for Endpoint now adds support for Windows Virtual Desktop.
December 2020
- Microsoft Defender for Endpoint on iOS
Microsoft Defender for Endpoint now adds support for iOS. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for iOS.
September 2020
Microsoft Defender for Endpoint on Android
Microsoft Defender for Endpoint now adds support for Android. In addition to the provisions for you to install, configure, and use Microsoft Defender for Endpoint for Android (introduced in the previous sprint in August 2020), the provision to "update" Microsoft Defender for Endpoint for Android has been introduced in this sprint.
Threat and vulnerability management macOS support
Threat and vulnerability management for macOS is now in public preview, and will continuously detect vulnerabilities on your macOS devices to help you prioritize remediation by focusing on risk. For more information, see Microsoft Tech Community blog post.
August 2020
- Microsoft Defender for Endpoint on Android
Microsoft Defender for Endpoint now adds support for Android. The article Microsoft Defender for Endpoint on Android enables you to learn how to install, configure, and use Microsoft Defender for Endpoint for Android.
July 2020
- Create indicators for certificates
Create indicators to allow or block certificates.
June 2020
Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint now adds support for Linux. The article Microsoft Defender for Endpoint on Linux enables you to learn how to install, configure, update, and use Microsoft Defender for Endpoint for Linux.
Attack simulators in the evaluation lab
Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from within the portal.
April 2020
- Threat & Vulnerability Management API support
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, and security recommendation information. For more information, see Microsoft Tech Community blog post.
November-December 2019
Microsoft Defender for Endpoint on Mac
Microsoft Defender for Endpoint for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including endpoint detection and response.
Threat & Vulnerability Management application and application version end-of-life information
Applications and application versions which have reached their end of life (EOL) are tagged or labeled as such; so, you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
Threat & Vulnerability Management Advanced Hunting Schemas
Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
Threat & Vulnerability Management role-based access controls
Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so that only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
October 2019
Indicators for IP addresses, URLs/Domains
You can now allow or block URLs/domains using your own threat intelligence.
Microsoft Threat Experts - Experts on Demand
You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.
Connected Azure AD applications
The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization.
API Explorer
The API explorer makes it easy to construct and execute API queries, and to test and send requests for any available Microsoft Defender for Endpoint API endpoint.
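The October 2019 entry above introduces indicators for IP addresses and URLs/domains fed from your own threat intelligence, the July 2020 entry adds indicators for certificates, and the May 2019 entry notes that the indicator APIs are generally available. A recurring practical problem with such feeds is malformed or mis-typed values reaching the indicator list. The following added example (not code from the page or from Microsoft) classifies raw IoC strings, validates them, and builds a submission body for each, rejecting the rest. The indicator type names, action names, and body field names follow the Defender for Endpoint indicators API as the author of this example understands it and should be treated as assumptions to be checked against the current API reference; the sample feed is constructed, and nothing here contacts the service.

```python
"""Classify and validate raw IoC values before submitting them as custom indicators.

Type names, action names and body fields are assumptions of this example; verify
them against the current indicators API reference before use.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

INDICATOR_TYPES = ("IpAddress", "DomainName", "Url", "CertificateThumbprint", "FileSha1", "FileSha256")
ACTIONS = ("Allowed", "Audit", "Warn", "Block", "BlockAndRemediate", "Alert", "AlertAndBlock")

_HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label

# Constructed sample feed: four usable values and two malformed ones.
SAMPLE_FEED = [
    "192.0.2.10",
    "http://example.com/login",
    "phish.example.net",
    "999.1.1.1",                                    # not a valid IPv4 address
    "0123456789abcdef0123456789abcdef01234567",     # 40 hex chars: SHA-1 hash or thumbprint
    "not a domain!",
]
# Fixed clock so expiration times are reproducible in the demo and tests.
FIXED_NOW = datetime(2022, 12, 1, tzinfo=timezone.utc)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_domain(value: str) -> bool:
    """Syntactic check: at least two valid labels and a non-numeric top-level label."""
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels) and not labels[-1].isdigit()


def classify(value: str) -> Optional[str]:
    """Guess the indicator type for a raw IoC string; None if unrecognised.

    A bare 40-hex string is ambiguous (SHA-1 file hash or certificate
    thumbprint); it is classified as FileSha1 here, and callers that know the
    value is a thumbprint pass indicator_type explicitly to build_indicator.
    """
    v = value.strip()
    if "://" in v:
        parsed = urlparse(v)
        return "Url" if parsed.scheme in ("http", "https") and parsed.netloc else None
    if _is_ip(v):
        return "IpAddress"
    if _HEX64.match(v):
        return "FileSha256"
    if _HEX40.match(v):
        return "FileSha1"
    if is_domain(v):
        return "DomainName"
    return None


_VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "IpAddress": _is_ip,
    "DomainName": is_domain,
    "Url": lambda v: classify(v) == "Url",
    "CertificateThumbprint": lambda v: bool(_HEX40.match(v)),
    "FileSha1": lambda v: bool(_HEX40.match(v)),
    "FileSha256": lambda v: bool(_HEX64.match(v)),
}


def build_indicator(value: str, action: str, title: str, description: str,
                    indicator_type: Optional[str] = None, expires_in_days: int = 30,
                    now: Optional[datetime] = None) -> Dict[str, str]:
    """Build one indicator body, raising ValueError on a malformed value or unknown action."""
    value = value.strip()
    itype = indicator_type or classify(value)
    validator = _VALIDATORS.get(itype or "")
    if validator is None or not validator(value):
        raise ValueError(f"{value!r} is not a valid {itype or 'indicator'} value")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=expires_in_days)).replace(microsecond=0)
    return {
        "indicatorValue": value,
        "indicatorType": itype,
        "action": action,
        "title": title,
        "description": description,
        "expirationTime": expires.isoformat().replace("+00:00", "Z"),
    }


def build_batch(feed: List[str], action: str, title: str, description: str,
                now: Optional[datetime] = None) -> Tuple[List[Dict[str, str]], List[str]]:
    """Build bodies for every usable feed value; return (bodies, rejected_values)."""
    bodies, rejected = [], []
    for raw in feed:
        try:
            bodies.append(build_indicator(raw, action, title, description, now=now))
        except ValueError:
            rejected.append(raw)
    return bodies, rejected


if __name__ == "__main__":
    bodies, rejected = build_batch(SAMPLE_FEED, "Block", "Constructed feed", "Demo values", now=FIXED_NOW)
    for body in bodies:
        print(body["indicatorType"], body["indicatorValue"], body["expirationTime"])
    print("rejected:", rejected)
```

Validation is deliberately syntactic: it catches values that could never be a usable indicator, while the decision of which action to apply (for example `Allowed` for a known-good signing certificate thumbprint, `Block` for a phishing domain) stays with the analyst.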
September 2019
Tamper Protection settings using Intune
You can now turn on (or turn off) Tamper Protection for your organization in the Microsoft 365 Device Management Portal (Intune).
Live response
Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - in real time.
Evaluation lab
The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform; running simulations; and seeing the prevention, detection, and remediation features in action.
Windows Server 2008 R2 SP1
You can now onboard Windows Server 2008 R2 SP1.
June 2019
Threat & Vulnerability Management
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
Device health and compliance report
The device health and compliance report provides high-level information about the devices in your organization.
May 2019
Threat protection reports
The threat protection report provides high-level information about alerts generated in your organization.
Microsoft Threat Experts
Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
Indicators
APIs for indicators are now generally available.
Interoperability
Microsoft Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
April 2019
Microsoft Threat Experts Targeted Attack Notification capability
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored for organizations to provide as much information as can be quickly delivered, including the timeline, scope of breach, and the methods of intrusion, thus bringing attention to critical threats in their network.
Microsoft Defender for Endpoint API
Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities.
February 2019
Incidents
Incident is a new entity in Microsoft Defender for Endpoint that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
Onboard previous versions of Windows
Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
October 2018
Attack surface reduction rules
All Attack surface reduction rules are now supported on Windows Server 2019.
Controlled folder access
Controlled folder access is now supported on Windows Server 2019.
Custom detection
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules.
Integration with Azure Security Center
Microsoft Defender for Endpoint integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
Managed security service provider (MSSP) support
Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration allows MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
Removable device control
Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
Support for iOS and Android devices
iOS and Android devices are now supported and can be onboarded to the service.
Threat analytics
Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provide recommended actions to contain the impact, increase organizational resilience, and prevent specific threats.
There are two new attack surface reduction rules in Windows 10 version 1809:
- Block Adobe Reader from creating child processes
- Block Office communication application from creating child processes
Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. Office VBA + AMSI: Parting the veil on malicious macros.
Microsoft Defender Antivirus, new in Windows 10 version 1809, can now run within a sandbox (preview), increasing its security.
Configure CPU priority settings for Microsoft Defender Antivirus scans.
March 2018
Advanced Hunting
Query data using advanced hunting in Microsoft Defender for Endpoint.
Attack surface reduction rules
The newly introduced attack surface reduction rules are:
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block executable content from email client and webmail
Automated investigation and remediation
Use Automated investigations to investigate and remediate threats.
Note
Available from Windows 10, version 1803 or later.
Conditional Access
Enable conditional access to better protect users, devices, and data.
Microsoft Defender for Endpoint Community center
The Microsoft Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product.
Controlled folder access
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
Onboard non-Windows devices
Microsoft Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
Role-based access control (RBAC)
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.
Microsoft Defender Antivirus
Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. For more information, see Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection.
Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) and executable files. For more information, see Enable block at first sight.