What's new in Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft 365 Defender
Want to experience Defender for Endpoint? Sign up for a free trial.
The following features are in preview or generally available (GA) in the latest release of Microsoft Defender for Endpoint.
For more information on preview features, see Preview features.
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
For more information on what's new with Microsoft Defender for Endpoint on Windows, see: What's new in Microsoft Defender for Endpoint on Windows
For more information on what's new with other Microsoft Defender security products, see:
- What's new in Microsoft 365 Defender
- What's new in Microsoft Defender for Office 365
- What's new in Microsoft Defender for Identity
- What's new in Microsoft Defender for Cloud Apps
For more information on Microsoft Defender for Endpoint on specific operating systems:
- What's new in Defender for Endpoint on Windows
- What's new in Defender for Endpoint on macOS
- What's new in Defender for Endpoint on iOS
- What's new in Defender for Endpoint on Linux
Live Response is now generally available for macOS and Linux. For more information, see Investigate entities on devices using live response.
Live response API and library API for Linux and macOS are now generally available
You can now run live response API commands on Linux and macOS.
Microsoft Defender for Endpoint Device control removable storage access control updates:
- Microsoft Endpoint Manager support for removable storage access control is now available in Intune. See Deploy Removable Storage Access Control by using Intune user interface
- The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. If you create a Default Deny policy, printers will be blocked in your organization.
See Deploy and manage Removable Storage Access Control using Intune
- Group policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement
See Deploy and manage Removable Storage Access Control using group policy
Microsoft Defender for Endpoint Device Control: the new Printer Protection solution for managing printers is now available. For more information, see Printer Protection Overview.
Built-in protection is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure your devices are protected.
Zeek is now generally available as a component of Microsoft Defender for Endpoint.
Microsoft has partnered with Corelight, a leader in open source Network Detection and Response (NDR), to provide a new open-source integration with Zeek for Defender for Endpoint. With this integration, organizations can super-charge their investigation efforts with rich network signals and reduce the time it takes to detect network-based threats by having unprecedented visibility into network traffic from the endpoints' perspective.
The new Zeek integration is available in the latest version of the Defender for Endpoint agent via the following knowledge base articles:
This integration doesn’t currently support the use of custom scripts to gain visibility into extra signals.
- Network protection C2 detection and remediation is now generally available.
Attackers often compromise existing internet-connected servers to become their command and control servers. Attackers can use the compromised servers to hide malicious traffic and deploy malicious bots that are used to infect endpoints. Network protection detection and remediation will help improve the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats that are looking to compromise endpoints.
Attack surface reduction (ASR) rules report now available in the Microsoft 365 Defender portal.
The attack surface reduction (ASR) rules report is now available in the Microsoft 365 Defender portal. This ASR report provides information about the attack surface reduction rules that are applied to devices in your organization and helps you detect threats, block potential threats, and get visibility into ASR and device configuration.
Built-in protection (preview) is rolling out. Built-in protection is a set of default settings, such as tamper protection turned on, to help protect devices from ransomware and other threats.
Device health reporting is now generally available.
The device health report provides information about the health and security of your endpoints. The report includes trending information showing the sensor health state, antivirus status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update versions.
Device health reporting is now available for US Government customers using Defender for Endpoint.
Device health reporting is now available for GCC, GCC High and DoD customers.
Troubleshooting mode is now available for more Windows operating systems, including Windows Server 2012 R2 and above. See the article for more information about the required updates.
Device health status
The Device health status card shows a summarized health report for the specific device.
Device health reporting (Preview)
The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
Tamper protection on macOS is now generally available
This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability. Later this year, we'll offer a gradual rollout mechanism that will automatically switch endpoints to block mode; note this will only apply if you have not made a choice to either enable (block mode) or disable the capability.
Network Protection and Web Protection for macOS and Linux is now in Public Preview!
Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It's the foundation on which our Web Protection for Microsoft Defender for Endpoint is built. These capabilities include Web threat protection, Web content filtering, and IP/URL Custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.
Improved Microsoft Defender for Endpoint (MDE) onboarding for Windows Server 2012 R2 and Windows Server 2016
Configuration Manager version 2207 now supports automatic deployment of the modern, unified Microsoft Defender for Endpoint agent for Windows Server 2012 R2 and 2016. Windows Server 2012 R2 and 2016 devices that are targeted with a Microsoft Defender for Endpoint onboarding policy will use the unified agent instead of the existing Microsoft Monitoring Agent based solution, if configured through Client Settings.
Add domain controller devices - Evaluation lab enhancement
Now generally available - Add a domain controller to run complex scenarios such as lateral movement and multistage attacks across multiple devices.
Announcing File page enhancements in Microsoft Defender for Endpoint
Have you ever investigated files in Microsoft Defender for Endpoint? We now make it even easier with our recent announcement of enhancements to the File page and side panel. Users can now streamline processes by having a more efficient navigation experience that hosts all this information in one place.
Introducing the new alert suppression experience
We're excited to share the new and advanced alert suppression experience is now Generally Available. The new experience provides tighter granularity and control, allowing users to tune Microsoft Defender for Endpoint alerts.
Prevent compromised unmanaged devices from moving laterally in your organization with “Contain”
Starting today, when a device that isn't enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as a SOC analyst, you'll be able to “Contain” it. As a result, any device enrolled in Microsoft Defender for Endpoint will now block any incoming/outgoing communication with the suspected device.
Mobile device support is now available for US Government Customers using Defender for Endpoint
Microsoft Defender for Endpoint for US Government customers is built in the Azure US Government environment and uses the same underlying technologies as Defender in Azure Commercial. This offering is available to GCC, GCC High and DoD customers and further extends our platform availability from Windows, macOS, and Linux, to Android and iOS devices as well.
Defender for Servers Plan 2 now integrates with MDE unified solution
You can now start deploying the modern, unified solution for Windows Server 2012 R2 and 2016 to servers covered by Defender for Servers Plan 2 using a single button.
Mobile Network Protection in Microsoft Defender for Endpoint on Android & iOS now in Public Preview
Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence. We're delighted to announce that users can now benefit from this new feature on both Android and iOS platforms with Microsoft Defender for Endpoint.
Tamper protection for macOS (preview)
Tamper protection helps prevent unauthorized removal of Microsoft Defender for Endpoint on macOS.
Add domain controller devices - Evaluation lab enhancement (preview)
Add a domain controller to run complex scenarios such as lateral movement and multistage attacks across multiple devices.
Troubleshooting mode for Microsoft Defender for Endpoint now Generally Available
Introducing troubleshooting mode, a unique, innovative, and secure way to investigate and adjust configurations on your devices. This mode will enable the local admin on the device to override Microsoft Defender Antivirus security policy configurations on the device, including tamper protection.
Announcing the public preview of Defender for Endpoint personal profile for Android Enterprise
We're happy to announce that users who wish to enroll their own devices in their workplace’s BYOD program can now benefit from the protection provided by Microsoft Defender for Endpoint in their personal profile as well.
Security Settings Management in Microsoft Defender for Endpoint is now generally available
In late 2021, we announced that Microsoft Defender for Endpoint expanded its configuration management capabilities. This release empowered security teams to configure devices with their desired security settings without needing to deploy and implement other tools or infrastructure. Made possible with Microsoft Endpoint Manager, organizations have been able to manage antivirus (AV), endpoint detection and response (EDR), and firewall (FW) policies from a single view for all enrolled devices. Today, we're announcing that this capability is now generally available for Windows client and Windows Server, supporting Windows 10, Windows 11, and Windows Server 2012 R2 or later.
Updated onboarding and feature parity for Windows Server 2012 R2 and Windows Server 2016
The new unified solution package is now generally available and makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with many new feature improvements.
Integration with Tunnel for iOS. Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. This feature was earlier available only on Android.
Enhanced Antimalware Protection in Microsoft Defender for Endpoint Android
We're excited to share major updates to the Malware protection capabilities of Microsoft Defender for Endpoint on Android. These new capabilities form a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure to protect Android devices (or endpoints) in your organization.
Enhanced antimalware engine capabilities for Linux and macOS
We're announcing a significant upgrade to our next-generation protection on Linux and macOS with a new, enhanced engine. The Microsoft Defender Antivirus antimalware engine is a key component of next-generation protection. This protection brings machine learning, big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure, to protect devices (or endpoints) in your organization. The main benefits of this major update include performance and prevention improvements, as well as adding support for custom file indicators on macOS and Linux.
New Reporting Functionality for Device Control and Windows Defender Firewall
We're excited to announce the new Endpoint reporting capabilities within the Microsoft 365 Defender portal. This work brings new endpoint reports together so you can see what is happening in your environment with just a couple of clicks. Our reports are designed to provide insight into device behavior and activity while allowing you to take full advantage of the integrated experiences within the Microsoft 365 Defender portal, such as device timeline and advanced hunting.
Unified submissions in Microsoft 365 Defender now Generally Available!
Your security team now has a “one-stop shop” for submitting emails, URLs, email attachments, and files in one easy-to-use submission experience. To simplify the submission process, we're excited to announce a new unified submissions experience in the Microsoft 365 Defender portal (https://security.microsoft.com). With unified submissions, you can submit files to Microsoft 365 Defender for review from within the portal. We're also adding the ability to submit a file directly from a Microsoft Defender for Endpoint Alert page.
Announcing expanded support and functionality for Live Response APIs
We're happy to share that we continue to expand support of existing APIs across all of our supported platforms in Microsoft Defender for Endpoint, alongside announcing new ones that will help simplify and augment organizations' response automation and orchestration.
The Splunk Add-on for Microsoft Security is now available
We're happy to share that the Splunk-supported Splunk Add-on for Microsoft Security is now available. This add-on builds on the Microsoft 365 Defender Add-on for Splunk 1.3.0 and maps the Microsoft Defender for Endpoint Alerts API properties or the Microsoft 365 Defender Incidents API properties onto Splunk's Common Information Model (CIM).
Deprecating the legacy SIEM API - Postponed
We previously announced that the SIEM REST API would be deprecated on 4/1/2022. We've listened to customer feedback, and the API deprecation has been postponed for now; more details are expected in Q3 2022. We look forward to sharing exciting details about the Microsoft 365 Defender APIs in Microsoft Graph in Q3 2022.
Vulnerability management for Android and iOS is now generally available
With this new cross-platform coverage, threat and vulnerability management capabilities now support all major device platforms across the organization - spanning workstations, servers, and mobile devices.
Microsoft Defender for Endpoint Plan 1 Now Included in Microsoft 365 E3/A3 Licenses
Starting January 14, Microsoft Defender for Endpoint Plan 1 (P1) will be automatically included in Microsoft 365 E3/A3 licenses.
Zero-touch onboarding of Microsoft Defender for Endpoint on iOS now in public preview
With this new capability, enterprises can now automatically deploy Microsoft Defender for Endpoint on iOS devices that are enrolled with Microsoft Endpoint Manager, without needing end users to interact with the app. This eases deployment friction and significantly reduces the time needed to deploy the app across all devices, as Microsoft Defender for Endpoint is silently activated on targeted devices and starts protecting your iOS estate.