What's new in Microsoft Defender for Endpoint

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft 365 Defender

Want to experience Defender for Endpoint? Sign up for a free trial.

The following features are in preview or generally available (GA) in the latest release of Microsoft Defender for Endpoint.

For more information on preview features, see Preview features.

Tip

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:

https://learn.microsoft.com/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=

For more information on what's new with Microsoft Defender for Endpoint on Windows, see: What's new in Microsoft Defender for Endpoint on Windows

For more information on what's new with other Microsoft Defender security products, see:

• What's new in Microsoft 365 Defender
• What's new in Microsoft Defender for Office 365
• What's new in Microsoft Defender for Identity
• What's new in Microsoft Defender for Cloud Apps

For more information on Microsoft Defender for Endpoint on specific operating systems:

• What's new in Defender for Endpoint on Windows
• What's new in Defender for Endpoint on macOS
• What's new in Defender for Endpoint on iOS
• What's new in Defender for Endpoint on Linux

January 2023

• Tamper protection can now protect exclusions when deployed with Microsoft Intune. See What about exclusions?

• Live Response is now generally available for macOS and Linux. For more information, see, Investigate entities on devices using live response.

• Live response API and library API for Linux and macos is now generally available
  You can now run live response API commands on Linux and macos.

December 2022

• Microsoft Defender for Endpoint Device control removable storage access control updates:

  1. Microsoft Endpoint Manager support for removable storage access control is now available in Intune. See Deploy Removable Storage Access Control by using Intune user interface
  2. The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. If you create a Default Deny policy, printers will be blocked in your organization.
     • Intune:./Vendor/MSFT/Defender/Configuration/DefaultEnforcement
       See Deploy and manage Removable Storage Access Control using Intune
     • Group policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement
       See Deploy and manage Removable Storage Access Control using group policy

• Microsoft Defender for Endpoint Device control New Printer Protection solution to manage printer is now available. For more information, see Printer Protection Overview

November 2022

• Built-in protection is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure your devices are protected.

• Zeek is now generally available as a component of Microsoft Defender for Endpoint.

  Microsoft has partnered with Corelight, a leader in open source Network Detection and Response (NDR), to provide a new open-source integration with Zeek for Defender for Endpoint. With this integration, organizations can super-charge their investigation efforts with rich network signals and reduce the time it takes to detect network-based threats by having unprecedented visibility into network traffic from the endpoints' perspective.

  The new Zeek integration is available in the latest version of the Defender for Endpoint agent via the following knowledge base articles:

  • KB5016691
  • KB5016693
  • KB5016688
  • KB5016690

  Note

  This integration doesn’t currently support the use of custom scripts to gain visibility into extra signals.

October 2022

• Network protection C2 detection and remediation is now generally available.
  Attackers often compromise existing internet-connected servers to become their command and control servers. Attackers can use the compromised servers to hide malicious traffic and deploy malicious bots that are used to infect endpoints. Network protection detection and remediation will help improve the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats that are looking to compromise endpoints.

September 2022

• Attack surface reduction (ASR) rules report now available in the Microsoft 365 Defender portal.
  The attack surface reduction (ASR) rules report is now available in the Microsoft 365 Defender portal. This ASR report provides information about the attack surface reduction rules that are applied to devices in your organization and helps you detect threats, block potential threats, and get visibility into ASR and device configuration.

• Built-in protection (preview) is rolling out. Built-in protection is a set of default settings, such as tamper protection turned on, to help protect devices from ransomware and other threats.

• Device health reporting is now generally available.
  The device health report provides information about the health and security of your endpoints. The report includes trending information showing the sensor health state, antivirus status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update versions.

• Device health reporting is now available for US Government customers using Defender for Endpoint.
  Device health reporting is now available for GCC, GCC High and DoD customers.

• Troubleshooting mode is now available for more Windows operating systems, including Windows Server 2012 R2 and above. See the article for more information about the required updates.

August 2022

• Device health status
  The Device health status card shows a summarized health report for the specific device.

• Device health reporting (Preview)
  The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.

• Tamper protection on macOS is now generally available
  This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability. Later this year, we'll offer a gradual rollout mechanism that will automatically switch endpoints to block mode; note this will only apply if you have not made a choice to either enable (block mode) or disable the capability.

• Network Protection and Web Protection for macOS and Linux is now in Public Preview!
  Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It's the foundation on which our Web Protection for Microsoft Defender for Endpoint is built. These capabilities include Web threat protection, Web content filtering, and IP/URL Custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.

• Improved Microsoft Defender for Endpoint (MDE) onboarding for Windows Server 2012 R2 and Windows Server 2016
  Configuration Manager version 2207 now supports automatic deployment of modern, unified Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016. Windows Server 2012 and 2016 devices that are targeted with Microsoft Defender for Endpoint onboarding policy will use the unified agent versus the existing Microsoft Monitoring Agent based solution, if configured through Client Settings.

July 2022

• Add domain controller devices - Evaluation lab enhancement
  Now generally available - Add a domain controller to run complex scenarios such as lateral movement and multistage attacks across multiple devices.

• Announcing File page enhancements in Microsoft Defender for Endpoint
  Have you ever investigated files in Microsoft Defender for Endpoint? We now make it even easier with our recent announcement of enhancements to the File page and side panel. Users can now streamline processes by having a more efficient navigation experience that hosts all this information in one place.

• Introducing the new alert suppression experience
  We're excited to share the new and advanced alert suppression experience is now Generally Available. The new experience provides tighter granularity and control, allowing users to tune Microsoft Defender for Endpoint alerts.

• Prevent compromised unmanaged devices from moving laterally in your organization with “Contain
  Starting today, when a device that isn't enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as a SOC analyst, you'll be able to “Contain” it. As a result, any device enrolled in Microsoft Defender for Endpoint will now block any incoming/outgoing communication with the suspected device.

• Mobile device support is now available for US Government Customers using Defender for Endpoint
  Microsoft Defender for Endpoint for US Government customers is built in the Azure US Government environment and uses the same underlying technologies as Defender in Azure Commercial. This offering is available to GCC, GCC High and DoD customers and further extends our platform availability from Windows, macOS, and Linux, to Android and iOS devices as well.

June 2022

• Defender for Servers Plan 2 now integrates with MDE unified solution
  You can now start deploying the modern, unified solution for Windows Server 2012 R2 and 2016 to servers covered by Defender for Servers Plan 2 using a single button.

• Mobile Network Protection in Microsoft Defender for Endpoint on Android & iOS now in Public Preview
  Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence. We're delighted to announce that users can now benefit from this new feature on both Android and iOS platforms with Microsoft Defender for Endpoint.

May 2022

• Tamper protection for macOS (preview)
  Tamper protection helps prevent unauthorized removal of Microsoft Defender for Endpoint on macOS.

• Add domain controller devices - Evaluation lab enhancement (preview)
  Add a domain controller to run complex scenarios such as lateral movement and multistage attacks across multiple devices.

• Troubleshooting mode for Microsoft Defender for Endpoint now Generally Available
  Introducing troubleshooting mode, a unique, innovative, and secure way to investigate and adjust configurations on your devices. This mode will enable the local admin on the device to override Microsoft Defender Antivirus security policy configurations on the device, including tamper protection.

• Announcing the public preview of Defender for Endpoint personal profile for Android Enterprise
  We're happy to announce that users who wish to enroll their own devices in their workplace’s BYOD program can now benefit from the protection provided by Microsoft Defender for Endpoint in their personal profile as well.

• Security Settings Management in Microsoft Defender for Endpoint is now generally available
  In late 2021, we announced that Microsoft Defender for Endpoint expanded its configuration management capabilities. This release empowered security teams to configure devices with their desired security settings without needing to deploy and implement other tools or infrastructure. Made possible with Microsoft Endpoint Manager, organizations have been able to manage antivirus (AV), endpoint detection and response (EDR), and firewall (FW) policies from a single view for all enlisted devices. Today, we're announcing that this capability is now generally available for Windows client and Windows server, supporting Windows 10, Windows 11, and Windows Server 2012 R2 or later.

April 2022

• Updated onboarding and feature parity for Windows Server 2012 R2 and Windows Server 2016)
  The new unified solution package is now generally available and makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with many new feature improvements.

• Integration with Tunnel for iOS. Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. This feature was earlier available only on Android.

• Enhanced Antimalware Protection in Microsoft Defender for Endpoint Android
  We're excited to share major updates to the Malware protection capabilities of Microsoft Defender for Endpoint on Android. These new capabilities form a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure to protect Android devices (or endpoints) in your organization.

• Enhanced antimalware engine capabilities for Linux and macOS
  We're announcing a significant upgrade to our next-generation protection on Linux and macOS with a new, enhanced engine. The Microsoft Defender Antivirus antimalware engine is a key component of next-generation protection. This protection brings machine learning, big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure, to protect devices (or endpoints) in your organization. The main benefits of this major update include performance and prevention improvements, as well as adding support for custom file indicators on macOS and Linux.

• New Reporting Functionality for Device Control and Windows Defender Firewall
  We're excited to announce the new Endpoint reporting capabilities within the Microsoft 365 Defender portal. This work brings new endpoint reports together so you can see what is happening in your environment with just a couple clicks. Our reports are designed to provide insight into device behavior and activity while allowing you to take full advantage of the integrated experiences within Microsoft 365 Defender portal, such as device timeline and advanced hunting.

• Unified submissions in Microsoft 365 Defender now Generally Available!
  Your security team now has a “one-stop shop” for submitting emails, URLs, email attachments, and files in one, easy-to-use submission experience. To simplify the submission process, we're excited to announce a new unified submissions experience in the Microsoft 365 Defender portal (https://security.microsoft.com). With unified submissions, you can submit files to Microsoft 365 Defender for review from within the portal. We're also adding the ability to submit a file directly from a Microsoft Defender for Endpoint Alert page.

• Announcing expanded support and functionality for Live Response APIs
  We're happy to share that we continue to expand support of existing APIs across all of our supported platforms in Microsoft Defender for Endpoint, alongside announcing new ones that will help simplify and augment organization's response automation and orchestration.

February 2022

• The Splunk Add-on for Microsoft Security is now available
  We're happy to share that the Splunk-supported Splunk Add-on for Microsoft Security is now available. This add-on builds on the Microsoft 365 Defender Add-on for Splunk 1.3.0 and maps the Microsoft Defender for Endpoint Alerts API properties or the Microsoft 365 Defender Incidents API properties onto Splunk's Common Information Model (CIM).

• Deprecating the legacy SIEM API - Postponed
  We previously announced the SIEM REST API would be deprecated on 4/1/2022. We've listened to customer feedback and the API deprecation has been postponed for now, more details expected in Q3, 2022. We look forward to sharing exciting details about the ​Microsoft 365 Defender APIs in Microsoft Graph in Q3 2022.

January 2022

• Vulnerability management for Android and iOS is now generally available
  With this new cross-platform coverage, threat and vulnerability management capabilities now support all major device platforms across the organization - spanning workstations, servers, and mobile devices.

• Microsoft Defender for Endpoint Plan 1 Now Included in Microsoft 365 E3/A3 Licenses
  Starting January 14, Microsoft Defender for Endpoint Plan 1 (P1) will be automatically included in Microsoft 365 E3/A3 licenses.

• Zero-touch onboarding of Microsoft Defender for Endpoint on iOS now in public preview
  With this new capability, enterprises can now deploy Microsoft Defender for Endpoint on iOS devices that are enrolled with Microsoft Endpoint Manager automatically, without needing end-users to interact with the app. This eases the deployment frictions and significantly reduces the time needed to deploy the app across all devices as Microsoft Defender for Endpoint gets silently activated on targeted devices and starts protecting your iOS estate.