What's new in Microsoft Defender for Endpoint on Mac

Known issues

  • Apple fixed an issue on macOS Ventura upgrade and macOS Sonoma upgrade with the latest OS update. The issue impacts Microsoft Defender for Endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly.

  • In macOS Sonoma 14.3.1, Apple made a change to the handling of Bluetooth devices that impacts Defender for Endpoint device control's ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS earlier than 14.3.1.

  • In macOS Sequoia (version 15.0), if you have Network Protection enabled, you might see crashes of the network extension (NetExt). This issue results in intermittent network connectivity issues for end users. Please upgrade to macOS Sequoia version 15.1 or newer.

  • On macOS Sequoia (Version 15.0 - 15.1.1), users may encounter prompts about incoming network connections from applications when the native firewall is active.

    Screenshot showing prompts about incoming network connections

If an end user encounters a prompt for Defender for Endpoint on macOS processes such as wdavdaemon_enterprise or Microsoft Defender Helper, the end user can safely choose the Deny option. This selection doesn't impact Defender for Endpoint's functionality. Enterprises can also add Microsoft Defender to allow incoming connections. This issue is fixed in macOS Sequoia 15.2.

Sequoia support

  • Microsoft Defender for Endpoint supports version 15.0.1 or newer.

macOS Deprecation

  • Microsoft Defender for Endpoint no longer supports Big Sur (11).
  • macOS 12 (Monterey) will not be supported starting December 2024.

Releases for Defender for Endpoint on Mac

Behavior Monitoring for macOS is now in public preview

Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them. To learn more, see Behavior Monitoring in Microsoft Defender for Endpoint on macOS.

Oct-2024 (Build: 101.24092.0004 | Release version: 20.124092.4.0)

Build: 101.24092.0004
Release version: 20.124092.4.0
Engine version: 1.1.24080.11
Signature version: 1.421.14.0
What's new
  • Bug and performance fixes

Oct-2024 (Build: 101.24082.0009 | Release version: 20.124082.9.0)

Build: 101.24082.0009
Release version: 20.124082.9.0
Engine version: 1.1.24080.9
Signature version: 1.411.410.0
What's new
  • Product improvements and performance fixes

Sep-2024 (Build: 101.24072.0007 | Release version: 20.124072.7)

Build: 101.24072.0007
Release version: 20.124072.7
Engine version: 1.1.24080.9
Signature version: 1.411.410.0
What's new
  • Resolved the issue causing outdated vulnerability assessments impacting some macOS devices

Aug-2024 (Build: 101.24072.0006 | Release version: 20.124072.6.0)

Build: 101.24072.0006
Release version: 20.124072.6.0
Engine version: 1.1.24060.7
Signature version: 1.417.325.0
What's new
  • Product improvements and performance fixes

Jul-2024 (Build: 101.24062.0009 | Release version: 20.124062.9.0)

Build: 101.24062.0009
Release version: 20.124062.9.0
Engine version: 1.1.24050.7
Signature version: 1.411.410.0
What's new
  • Product improvements and performance fixes

Jun-2024 (Build: 101.24052.0013 | Release version: 20.124052.13.0)

Build: 101.24052.0013
Release version: 20.124052.13.0
Engine version: 1.1.24040.2
Signature version: 1.411.153.0
What's new
  • [device control] Secure Digital cards aren't recognized on newer macOS
  • Product improvements and performance fixes

May-2024 (Build: 101.24042.0008 | Release version: 20.124042.8.0)

Build: 101.24042.0008
Release version: 20.124042.8.0
Engine version: 1.1.24040.1
Signature version: 1.413.13.0

What's new

  • Product improvements and performance fixes

Apr-2024 (Build: 101.24032.0006 | Release version: 20.124032.06.0)

Build: 101.24032.0006
Release version: 20.124012.10.0
Engine version: 1.1.24030.4
Signature version: 1.407.521.0

What's new

  • Improvements to mdatp threat command

  • Remove Big Sur from supported versions of macOS

  • [device control] Fix Bluetooth support on Sonoma (see the note later in this section)

  • Product improvements and performance fixes

  • (GA) Troubleshooting mode for macOS. Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. To learn more, see Troubleshooting mode in Microsoft Defender for Endpoint on macOS.

    Note

    You need to deploy a new MDM configuration profile for Defender to access Bluetooth. See details for JAMF and Intune.

Mar-2024 (Build: 101.24012.0010 | Release version: 20.124012.10.0)

Build: 101.24012.0010
Release version: 20.124012.10.0
Engine version: 1.1.24020.3
Signature version: 1.405.788.0

What's new

Jan-2024 (Build: 101.23122.0005 | Release version: 20.123122.5.0)

Build: 101.23122.0005
Release version: 20.123122.5.0
Engine version: 1.1.23100.2010
Signature version: 1.403.3022.0

What's new

  • [device control] Fixes for Bluetooth devices support
  • Product improvements and performance fixes

Dec-2023 (Build: 101.23102.0020 | Release version: 20.123102.20.0)

Build: 101.23102.0020
Release version: 20.123102.20.0
Engine version: 1.1.23090.2005
Signature version: 1.401.1729.0

What's new

  • Product improvements and performance fixes

Nov-2023 (Build: 101.23092.0007 | Release version: 20.123092.7.0)

Build: 101.23092.0007
Release version: 20.123092.7.0
Engine version: 1.1.23090.2005
Signature version: 1.399.1196.0

What's new

  • [device control] set policy for DCv2 via 'mdatp config'
  • Configuration loading - error logged to /Library/Logs/Microsoft/mdatp/microsoft_defender_core_err.log includes bad property name in JSON

Note

If you use Device Control v1, consider migrating to v2 (which includes all v1 functionality and more). Device Control v1 will be considered deprecated in the near future. To check, run the mdatp health --details device_control command and inspect the active property; it should not contain "v1".

Oct-2023 (Build: 101.23082.0018 | Release version: 20.123082.18.0)

Build: 101.23082.0018
Release version: 20.123082.18.0
Engine version: 1.1.23070.1002
Signature version: 1.399.384.0

What's new

  • [device control] Detailed status with mdatp health --details device_control
  • [device control] mdatp config device-control policy to set policy on a nonmanaged machine
  • Product improvements and performance fixes

Sep-2023 (Build: 101.23072.0025 | Release version: 20.123072.25.0)

Build: 101.23072.0025
Release version: 20.123072.25.0
Engine version: 1.1.23050.3
Signature version: 1.397.911.0

What's new

  • Product improvements and performance fixes
  • Fix: Security Portal events might have missed ancestor details for short-lived processes
  • Fix: Major performance issues on macOS when Network Protection is set to Audit mode
  • (GA) Mac devices receive built-in protection. Tamper protection is turned on in block mode by default. This setting helps secure your Mac against threats. To learn more, see Protect macOS security settings with tamper protection.

Aug-2023 (Build: 101.23062.0016 | Release version: 20.123062.16.0)

Build: 101.23062.0016
Release version: 20.123062.16.0
Engine version: 1.1.23050.3
Signature version: 1.395.436.0

What's new

  • Product improvements and performance fixes
  • Fix: macOS complains that uninstall background task is from unidentified developer

Jul-2023 (Build: 101.23052.0004 | Release version: 20.123052.4.0)

Build: 101.23052.0004
Release version: 20.123052.4.0
Engine version: 1.1.20100.7
Signature version: 1.391.2163.0

What's new

  • Client version schema change
  • Fix: Defender doesn't start on a machine with certain versions of Microsoft Edge due to directory permission issue
  • Product improvements and performance fixes

Jun-2023 (Build: 101.98.84 | Release version: 20.123042.19884.0)

Build: 101.98.84
Release version: 20.123042.19884.0
Engine version: 1.1.20300.4
Signature version: 1.391.221.0

What's new

  • System Extensions health command mdatp health --details system_extensions
  • Product improvements and performance fixes
  • (GA) Network protection available for macOS

Network protection for macOS is now available for all Mac devices onboarded to Defender for Endpoint. Devices must meet the minimum requirements. To learn more, see Use network protection to help prevent macOS connections to bad sites.

May-2023 (Build: 101.98.71 | Release version: 20.123032.19871.0)

Build: 101.98.71
Release version: 20.123032.19871.0
Engine version: 1.1.20300.4
Signature version: 1.389.1872.0

What's new

  • Tamper Protection health command mdatp health --details tamper_protection
  • Tamper Protection - MDM processes exclusions
  • Fix: Remove Codesigned Artifact from App Bundle
  • Product improvements and performance fixes

May-2023 (Build: 101.98.70 | Release version: 20.123022.19870.0)

Build: 101.98.70
Release version: 20.123022.19870.0
Engine version: 1.1.20300.4
Signature version: 1.389.1396.0

What's new

  • Product improvements and performance fixes

Mar-2023 (Build: 101.98.30 | Release version: 20.123012.19830.0)

Build: 101.98.30
Release version: 20.123012.19830.0
Engine version: 1.1.20100.6
Signature version: 1.385.924.0

What's new

  • Product improvements and performance fixes

Feb-2023 (Build: 101.97.94 | Release version: 20.123011.19794.0)

Build: 101.97.94
Release version: 20.123011.19794.0
Engine version: 1.1.20000.2
Signature version: 1.383.104.0

What's new

  • Improved performance, stability, and security
  • Product improvements
  • Discontinued support for macOS Catalina [10.15]

 Build: 101.96.85
 Release version: 20.122112.19413.0
 Engine version: 1.1.19900.2
 Signature version: 1.381.2029.0

What's new

  • Product improvements and performance fixes

 Build: 101.90.97
 Release version: 20.122102.19097.0
 Engine version: 1.1.19900.2
 Signature version: 1.381.202.0

What's new

  • Scanning optimization for move file operations
  • Adding exclusions from command line now requires admin privileges
  • Decrease sysextd noise from Tamper Protection in Advanced Hunting
  • Product improvements and performance fixes

Jan-2023

What's new

  • (GA) Live Response available for macOS

Live Response for macOS is now available for all Mac devices onboarded to Defender for Endpoint. Devices must meet the minimum requirements. To learn more, see Investigate entities on devices using live response

Nov-2022 (Build: 101.87.30 | Release version: 20.122082.18681.0)

 Released: Nov 5, 2022
 Published: Nov 5, 2022
 Build: 101.87.30
 Release version: 20.122082.18681.0
 Engine version: 1.1.19700.3
 Signature version: 1.379.17.0

What's new

  • Fix for some users experiencing performance issues and temporary system hangs
  • Product improvements and performance fixes

Oct-2022 (Build: 101.86.81 | Release version: 20.122082.18681.0)

 Released: Oct 25, 2022
 Published: Oct 25, 2022
 Build: 101.86.81
 Release version: 20.122082.18681.0
 Engine version: 1.1.19700.3
 Signature version: 1.377.636.0

What's new

  • Issue resolution: Upgrade fails if the _mdatp user is a member of the _lpadmin group

Important

This is a minimal recommended MDE version for macOS Ventura.

Oct-2022 (Build: 101.82.21 | Release version: 20.122082.18221.0)

 Build: 101.82.21
 Release version: 20.122082.18221.0
 Engine version: 1.1.19400.3
 Signature version: 1.369.962.0

What's new

  • Fix - Mac TP in Block mode causing device hang on shutdown/crashes on reboot
  • Add a mdatp command-line switch to view the on-demand scan history
  • Improve Performance of Device Owner on macOS
  • Ready for macOS Ventura (13.0)
  • Fixes for product and performance issues

 Build: 101.78.13
 Release version: 20.122072.17813.0
 Engine version: 1.1.19500.2
 Signature version: 1.373.556.0

What's new

  • Fix for uninstaller to properly delete Application Support folder
  • Fix for Network Protection not filtering Safari when Firewall or iCloud Private Relay is on
  • Fix for osqueryui zombie processes
  • Fix for UI crash on Ventura
  • Fix for definitions not getting downloaded right after install
  • Other Product improvements

Aug-2022 (Build: 101.75.90 | Release version: 20.122071.17590.0)

 Released: Aug 3, 2022
 Published: Aug 3, 2022
 Build: 101.75.90
 Release version: 20.122071.17590.0
 Engine version: 1.1.19300.3
 Signature version: 1.369.395.0

What's new

  • Added a new field in the output of mdatp health that can be used to query the enforcement level of the network protection feature. The new field is called network_protection_enforcement_level and can take one of the following values: audit, block, or disabled.
  • Addressed a product issue where multiple detections of the same content could lead to duplicate entries in the threat history.
  • Other product improvements.

Jul-2022 (Build: 101.73.77 | Release version: 20.122062.17377.0)

 Released: Jul 21, 2022
 Published: Jul 21, 2022
 Build: 101.73.77
 Release version: 20.122062.17377.0
 Engine version: 1.1.19200.3
 Signature version: 1.367.1011.0

What's new

  • Addressed an issue where printing couldn't be completed successfully due to the network extension
  • Added an option to configure file hash computation
  • From this build onwards, the product has the new anti-malware engine by default
  • Performance improvements for file copy operations
  • Product improvements

Jul-2022 (Build: 101.71.18 | Release version: 20.122052.17118.0)

 Released: Jul 7, 2022
 Published: Jul 7, 2022
 Build: 101.71.18
 Release version: 20.122052.17118.0

What's new

  • mdatp connectivity test added an extra URL. The new URL is https://go.microsoft.com/fwlink/?linkid=2144709.
  • Up until now, the product log level didn't persist between product restarts. Beginning in this version, there's a new command-line tool switch that persists the log level. The new command is mdatp log level persist --level <level>.
  • Resolved an issue in the product installation package that in rare cases could lead to a loss of product state during updates
  • Performance improvements for file copy operations and built-in macOS applications
  • Product improvements

Jun-2022 (Build: 101.70.19 | Release version: 20.122051.17019.0)

 Released: Jun 14, 2022
 Published: Jun 14, 2022
 Build: 101.70.19
 Release version: 20.122051.17019.0

What's new

  • Resolved an issue where threat-related notifications weren't always presented to the end user.
  • Performance improvements & other updates.

Jun-2022 (Build: 101.70.18 | Release version: 20.122042.17018.0)

 Released: Jun 2, 2022
 Published: Jun 2, 2022
 Build: 101.70.18
 Release version: 20.122042.17018.0

What's new

  • Resolved an issue where the installation package was sometimes hanging indefinitely during product updates
  • Resolved an issue where the product sometimes was incorrectly detecting files inside the quarantine folder
  • Performance improvements & other product improvements

May-2022 (Build: 101.66.54 | Release version: 20.122041.16654.0)

 Released: May 11, 2022
 Published: May 11, 2022
 Build: 101.66.54
 Release version: 20.122041.16654.0

What's new

  • Addressed an issue where mdatp diagnostic real-time-protection-statistics wasn't printing the correct process path in some cases.
  • Product improvements

Apr-2022 (Build: 101.64.15 | Release version: 20.122032.16415.0)

 Released: Apr 26, 2022
 Published: Apr 26, 2022
 Build: 101.64.15
 Release version: 20.122032.16415.0

What's new

  • Fixed a regression introduced in version 101.61.69 where the status menu icon was sometimes showing an error icon, even though no action was required from the end user
  • Improved the conflicting_applications field in mdatp health to show only the most recent 10 processes and also to include the process names. This improvement makes it easier to identify which processes are potentially conflicting with Microsoft Defender for Endpoint for Mac.
  • Resolved an issue in mdatp device-control removable-media policy list where vendor ID and product ID were displayed as decimal instead of hexadecimal
  • Performance improvements & other product improvements

Mar-2022 (Build: 101.61.69 | Release version: 20.122022.16169.0)

 Released: Mar 25, 2022
 Published: Mar 25, 2022
 Build: 101.61.69
 Release version: 20.122022.16169.0

What's new

  • Product improvements

Mar-2022 (Build: 101.60.91 | Release version: 20.122021.16091.0)

 Released: Mar 8, 2022
 Published: Mar 8, 2022
 Build: 101.60.91
 Release version: 20.122021.16091.0

What's new

Feb-2022 (Build: 101.59.50 | Release version: 20.122021.15950.0)

 Released: Feb 28, 2022
 Published: Feb 28, 2022
 Build: 101.59.50
 Release version: 20.122021.15950.0

What's new

  • This version adds support for macOS 12.3. Starting with macOS 12.3, Apple is removing Python 2.7. There's no Python version preinstalled on macOS by default. ACTION NEEDED:
    • Users must update Microsoft Defender for Endpoint for Mac to version 101.59.50 (or newer) before updating their devices to macOS Monterey 12.3 (or newer). This minimal version 101.59.50 is a prerequisite to eliminating Python-related issues with Microsoft Defender for Endpoint for Mac on macOS Monterey.
    • For remote deployments, existing MDM setups must be updated to Microsoft Defender for Endpoint for Mac version 101.59.50 (or newer). Pushing via MDM an older Microsoft Defender for Endpoint for Mac version to macOS Monterey 12.3 (or newer) results in an installation failure.

Feb-2022 (Build: 101.59.10 | Release version: 20.122012.15910.0)

 Released: Feb 22, 2022
 Published: Feb 22, 2022
 Build: 101.59.10
 Release version: 20.122012.15910.0

What's new

  • The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. Restoration can be done through mdatp threat quarantine restore --id [threat-id] --path [destination-folder].
  • Extended device control to handle devices connected over Thunderbolt 3
  • Improved the handling of device control policies containing invalid vendor IDs and product IDs. Before this version, if the policy contained one or more invalid IDs, the entire policy was ignored. Beginning with this version, only the invalid portions of the policy are ignored. Issues with the policy are surfaced through mdatp device-control removable-media policy list.
  • Product improvements

Feb-2022 (Build: 101.56.62 | Release version: 20.121122.15662.0)

 Released: Feb 7, 2022
 Published: Feb 7, 2022
 Build: 101.56.62
 Release version: 20.121122.15662.0

What's new

  • Product improvements

Jan-2022 (Build: 101.56.35 | Release version: 20.121121.15635.0)

 Released: Jan 30, 2022
 Published: Jan 30, 2022
 Build: 101.56.35
 Release version: 20.121121.15635.0

What's new

  • The application is renamed from Microsoft Defender ATP to Microsoft Defender. End users observe the following changes:
    • The application installation path changed from /Applications/Microsoft Defender ATP.app to /Applications/Microsoft Defender.app.
    • Within the user experience, occurrences of Microsoft Defender ATP are replaced by Microsoft Defender
  • Resolved an issue where some VPN applications couldn't connect due to the network content filter that is distributed with Microsoft Defender for Endpoint for Mac
  • Addressed an issue discovered in macOS 12.2 preview 2 where the installation package couldn't be opened due to a change in the operating system (OS) that prevents installation of packages with certain characteristics. While it appears that this OS change isn't included in the final release of macOS 12.2, it's likely that it will be reintroduced in a future macOS version. As such, we encourage all enterprise administrators to refresh the Microsoft Defender for Endpoint package in their management console to this product version (or a newer version).
  • Addressed an issue seen on some M1 devices where the product was stuck with invalid anti-malware definitions and couldn't successfully update to a working set of definitions.
  • mdatp health output has been extended with an additional attribute called full_disk_access_enabled that can be used to determine whether Full Disk Access has been granted to all components of Microsoft Defender for Endpoint for Mac.
  • Performance improvements & Product improvements

Jan-2022 (Build: 101.54.16 | Release version: 20.121111.15416.0)

 Released: Jan 12, 2022
 Published: Jan 12, 2022
 Build: 101.54.16
 Release version: 20.121111.15416.0

What's new

  • macOS 10.14 (Mojave) is no longer supported
  • After a product setting stops being managed by the administrator through MDM, it now reverts to the value it had before it was managed (the value configured locally by the end user or, if no such local value was explicitly provided, the default value used by the product). Prior to this change, after a setting stopped being managed, its managed value persisted and was still used by the product.
  • Performance improvements & Product improvements

 Build: 101.49.25
 Release version: 20.121092.14925.0

What's new

  • Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this is set to enabled.
  • Product improvements

 Build: 101.47.27
 Release version: 20.121082.14727.0

What's new

  • Fix for a system freeze occurring on shutdown on macOS Mojave and macOS Catalina.

 Build: 101.43.84
 Release version: 20.121082.14384.0

What's new

  • Candidate build for macOS 12 (Monterey)
  • Product improvements

 Build: 101.41.10
 Release version: 20.121072.14110.0

What's new

  • Added new switches to the command-line tool:
    • Control degree of parallelism for on-demand scans. This can be configured through mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]. By default, a degree of parallelism of 2 is used.
    • Control whether scans after security intelligence updates are enabled or disabled. This can be configured through mdatp config scan-after-definition-update --value [enabled/disabled]. By default, this is set to enabled.
  • Changing the product log level now requires elevation.
  • Performance improvements & Product improvements

 Build: 101.40.84
 Release version: 20.121071.14084.0

What's new

  • M1 chip native support
  • Performance improvements & Product improvements

 Build: 101.37.97
 Release version: 20.121062.13797.0

What's new

  • Performance improvements & Product improvements

 Build: 101.34.28
 Release version: 20.121061.13428.0

What's new

  • Product improvements

 Build: 101.34.27
 Release version: 20.121052.13427.0

What's new

  • Product improvements

 Build: 101.34.20
 Release version: 20.121051.13420.0

What's new

  • Device control for macOS is now in general availability.
  • Addressed an issue where a quick scan couldn't be started from the status menu on macOS 11 (Big Sur).
  • Other Product improvements

 Build: 101.32.69
 Release version: 20.121042.13269.0

What's new

  • Addressed an issue where concurrent access to the keychain from Microsoft Defender for Endpoint and other applications can lead to keychain corruption.

 Build: 101.29.64
 Release version: 20.121042.12964.0

What's new

  • Starting with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.
  • mdatp diagnostic real-time-protection-statistics now supports two other switches:
    • --sort: sorts the output descending by total number of files scanned
    • --top N: displays the top N results (only works if --sort is also specified)
  • Performance improvements (specifically for when YARN is used) & Product improvements

 Build: 101.27.50
 Release version: 20.121022.12750.0

What's new

  • Fix to accommodate for Apple certificate expiration for macOS Catalina and earlier. This fix restores Microsoft Defender Vulnerability Management (MDVM) functionality.

 Build: 101.25.69
 Release version: 20.121022.12569.0

What's new

  • Microsoft Defender for Endpoint on macOS is now available in preview for US Government customers. For more information, see Microsoft Defender for Endpoint for US Government customers.
  • Performance improvements (specifically for the situation when the XCode Simulator app is used) & Product improvements.

 Build: 101.23.64
 Release version: 20.121021.12364.0

What's new

  • Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run mdatp health --details antivirus.
  • Performance improvements & Product improvements

 Build: 101.22.79
 Release version: 20.121012.12279.0

What's new

  • Performance improvements & Product improvements

 Build: 101.19.88
 Release version: 20.121011.11988.0

What's new

  • Performance improvements & Product improvements

 Build: 101.19.48
 Release version: 20.120121.11948.0

What's new

Note

The old command-line tool syntax has been deprecated with this release. For information on the new syntax, see Resources.

  • Added a new command-line switch to disable the network extension: mdatp system-extension network-filter disable. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint on Mac.
  • Performance improvements & Product improvements

 Build: 101.19.21
 Release version: 20.120101.11921.0

What's new

  • Product improvements

 Build: 101.15.26
 Release version: 20.120102.11526.0

What's new

  • Improved the reliability of the agent when running on macOS 11 Big Sur.
  • Added a new command-line switch (--ignore-exclusions) to ignore AV exclusions during custom scans (mdatp scan custom).
  • Performance improvements & Product improvements

 Build: 101.13.75
 Release version: 20.120101.11375.0

What's new

  • Removed conditions when Microsoft Defender for Endpoint was triggering a macOS 11 (Big Sur) issue that manifests into a kernel panic.
  • Fixed a memory leak in the Endpoint Security system extension when running on macOS 11 (Big Sur).
  • Product improvements

 Build: 101.10.72

What's new

  • Product improvements

 Build: 101.09.61

What's new

  • Added a new managed preference for disabling the option to send feedback.
  • Status menu icon now shows a healthy state when the product settings are managed. Previously, the status menu icon was displaying a warning or error state, even though the product settings were managed by the administrator.
  • Performance improvements & Product improvements

 Build: 101.09.50

What's new

Note

The old command-line tool syntax will be removed from the product on January 1st, 2021.

  • Extended mdatp diagnostic create with a new parameter (--path [directory]) that allows the diagnostic logs to be saved to a different directory.
  • Performance improvements & Product improvements

 Build: 101.09.49

What's new

  • User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user.
  • Improved CPU utilization during on-demand scans.
  • Performance improvements & Product improvements

 Build: 101.07.23

What's new

 Build: 101.06.63

What's new

  • Addressed a performance regression introduced in version 101.05.17. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics.

 Build: 101.05.17

What's new

Important

We are working on a new and enhanced syntax for the mdatp command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to familiarize yourself with this new syntax. We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months.

  • Addressed a kernel panic that occurred sometimes when accessing SMB file shares.
  • Performance improvements & Product improvements

 Build: 101.05.16

What's new

  • Improvements to quick scan logic to significantly reduce the number of scanned files.
  • Added autocompletion support for the command-line tool.
  • Product improvements

 Build: 101.03.12

What's new

  • Performance improvements & Product improvements

 Build: 101.01.54

What's new

  • Improvements around compatibility with Time Machine
  • Accessibility improvements
  • Performance improvements & Product improvements

 Build: 101.00.31

What's new

  • Improved product onboarding experience for Intune users
  • Antivirus exclusions now support wildcards
  • Added the ability to trigger antivirus scans from the macOS contextual menu. You can now right-click a file or a folder in Finder and select Scan with Microsoft Defender for Endpoint.
  • In-place product downgrades are now explicitly disallowed by the installer. If you need to downgrade, first uninstall the existing version and reconfigure your device.
  • Other performance improvements & Product improvements

 Build: 100.90.27

What's new

  • You can now set an update channel for Microsoft Defender for Endpoint on macOS that is different from the system-wide update channel.
  • New product icon
  • Other user experience improvements
  • Product improvements

 Build: 100.86.92

What's new

  • Improvements around compatibility with Time Machine
  • Addressed an issue where the product was sometimes not cleaning all files under /Library/Application Support/Microsoft/Defender during uninstallation.
  • Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate.
  • Other performance improvements & Product improvements

 Build: 100.86.91

What's new

Caution

To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of macOS native security updates to OS versions older than [current - 2], MDATP for Mac deployment and updates will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13].

If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please upgrade to the latest macOS version to eliminate risks of losing protection.

  • Performance improvements & Product improvements

 Build: 100.83.73

What's new

 Build: 100.82.60

What's new

  • Addressed an issue where the product fails to start following a definition update.

 Build: 100.80.42

What's new

  • Product improvements

 Build: 100.79.42

What's new

  • Fixed an issue where Microsoft Defender for Endpoint on Mac was sometimes interfering with Time Machine.

  • Added a new switch to the command-line utility for testing the connectivity with the backend service

    mdatp connectivity test
    
  • Added ability to view the full threat history in the user interface (can be accessed from the Protection history view).

  • Performance improvements & Product improvements

 Build: 100.72.15

What's new

  • Product improvements

 Build: 100.70.99

What's new

  • Addressed an issue that impacts the ability of some users to upgrade to macOS Catalina when real-time protection is enabled. This sporadic issue was caused by Microsoft Defender for Endpoint locking files within Catalina upgrade package while scanning them for threats, which led to failures in the upgrade sequence.

 Build: 100.68.99

What's new

  • Added the ability to configure the antivirus functionality to run in passive mode.
  • Performance improvements & Product improvements

 Build: 100.65.28

What's new

  • Added support for macOS Catalina.

Caution

macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device.

The mechanism for granting this consent depends on how you deployed Microsoft Defender for Endpoint:
