What's new in Microsoft Defender for Endpoint on Windows

Applies to:

This page covers the Microsoft Defender for Endpoint EDR MsSense.exe versions. You can also check the file information section in the monthly cumulative rollup updates in the following articles:

For the latest updates to Microsoft Defender for Endpoint as a whole, see What's new in Defender for Endpoint.

For the latest updates to Microsoft Defender for Endpoint Next-Generation Protection/Microsoft Defender Antivirus, see Microsoft Defender Antivirus security intelligence and product updates.

All updates contain:

  • Performance improvements
  • Serviceability improvements
  • Integration improvements (Cloud, Microsoft Defender XDR)

May-2025 (Release version: 10.8797.25857.1000)

OS KB
Windows 11 24H2 KB5058499
Windows 11 23H2 KB5058502
Windows 10 22H2 KB5058481

What's new

Data Loss Prevention (DLP)

  • On-Demand Scan: Improved the functionality, performance, and reliability of the Cold Data Scan feature. This enhancement enables deeper, more consistent scanning of archived or infrequently accessed data, helping organizations uncover potential data risks hidden in long-term storage.
  • General Stability and Performance Improvements: Additional under-the-hood optimizations to improve overall system performance, reliability, and stability.

Identity

  • Entity sync enrichment: Expanded the capabilities of the SenseIdentity client to enhance Active Directory (AD) entity synchronization. This update introduces support for syncing new entity types including Group Policy Objects, Authentication Silos, and Domain Controller computer accounts for all Domain Controllers within trusted domains. Additionally, the update enriches existing synced entities (Domain, Account, and Group) with a broader set of attributes, enabling more comprehensive visibility and detection capabilities.

Threat protection

  • User containment improvements

Network Detection and Response (NDR)

  • Improved data telemetry providing better visibility and insights

SOC experience

  • Improved Data Completeness and Detection: Enhancements have been made to improve the completeness of data collected and reduce the time it takes to detect potential data loss incidents. These improvements enable faster and more accurate identification of data exfiltration attempts across monitored endpoints.
  • Improved Handling for Offline Network Environments: Refined the handling of scenarios where devices operate in offline or restricted network environments. This specifically addresses cases where result uploads to blob storage fail due to offline Certificate Revocation List (CRL) checks, ensuring better reliability and continuity in data collection.

July-2024 (Release version: 10.8760.27617.1006)

OS KB
Windows 11 24H2 KB5041865
Windows 11 23H2, Windows 11 22H2 KB5041587
Windows 11 21H2 KB5043067
Windows 10 22H2 KB5041582
Windows Server 2022 and later KB5042881
Windows Server 2019 KB5043050
Windows Server 2016, Windows Server 2012 R2 KB5005292

What's new

Data Loss Prevention (DLP)

  • Scoped classification (Know Your Data policy): Scope classification and activity events across workloads.
  • Device group discovery and scoping: Scope Endpoint DLP custom policy based on the device or device group.
  • OCR URL Caching: Improved performance for already classified images through client-side caching.

May-2024 (Release version: 10.8750.27558.1004)

OS KB Release version
Windows Server 2012 R2, 2016 KB5005292 10.8750.27558.1004

What's new

Configuration Management

  • Fixed an issue that caused empty policies to appear in the UI.
  • Configured Windows Defender Application Control (WDAC) policies to block undesired applications from running on the device.

Feb-2024 (Release version: 10.8735.26020.1009)

OS KB Release version
Windows Server 2012 R2, 2016 KB5005292 10.8735.26020.1009

What's new

Endpoint Detection and Response

  • Enabled support for IPv6 connections in Live Response connection commands.
  • Fixed an issue in Downlevel Unified Agent that caused ServerRoles not to be populated.

Threat Vulnerability Management

  • An issue related to the agent's monitoring of deleted registry keys no longer occurs.
  • Added a new capability to enable/disable registry monitoring through configuration settings.

Network Detection and Response (NDR) Performance Enhancements

  • Introduced performance enhancements to minimize the CPU and memory footprint of the agent.
  • Enhanced the accuracy of network detections.

Data Loss Prevention (DLP)

  • Introduced multiple performance and stability fixes.

Security Configuration Management

  • Policies that include special characters are now supported.

Dec-2023 (Release version: 10.8672.25926.1019)

OS KB Release version
Windows Server 2012 R2, 2016 KB5005292 10.8672.25926.1019

What's new

  • Supports Expanded User Contain capabilities

Sept-2023 (Release version: 10.8560.25364.1036)

OS KB Release version
Windows Server 2012 R2, 2016 KB5005292 10.8560.25364.1036

What's new

  • Supports User Contain availability

May-2023 (Release version: 10.8295.22621.1023)

OS KB Release version
Windows Server 2012 R2, 2016 KB5005292 10.8295.22621.1023

What's new

  • Supports new security settings management capabilities

Jan/Feb-2023 (Release version: 10.8295.22621.1019)

OS KB Release version
Windows Server 2012 R2, 2016 KB5005292 10.8295.22621.1019

What's new

  • Improved command and control security, quality fixes

Dec-2022 (Release version: 10.8210.22621.1016)

OS KB Release version
Windows Server 2012 R2, 2016 KB5005292 10.8210.22621.1016

What's new

  • Bug fixes and stability improvements

Aug-2022 (Release version: 10.8210.*)

OS KB Release version
Windows Server 2012 R2, 2016 KB5005292 10.8210.22621.1011
Windows 11 21H2 (Cobalt) (Windows 11 SV 21H2) KB5016691 10.8210.22000.918
Server 2022 (Iron) KB5016693 10.8210.20348.946
Windows 10 20H2/21H1/21H2, Windows Server 20H2 (Vibranium) KB5016688 10.8210.19041.1949
Windows Server 2019 (RS5) KB5016690 10.8210.17763.3346

What's new

  • Added a fix to resolve a missing intermediate certificate issue with the use of "TelemetryProxyServer" on Windows Server 2012 R2 running the unified agent.
  • Enhanced Endpoint DLP with the ability to protect password-protected and encrypted files and not label files.
  • Enhanced Endpoint DLP with support for context data in audit telemetry (short evidence).
  • Improved Microsoft Defender for Endpoint client authentication support for VDI devices.
  • Enhanced Microsoft Defender for Endpoint's ability to identify and intercept ransomware and advanced attacks.
  • The Contain feature now supports more desktop and server versions to perform contain actions and block discovered devices when such devices are contained.
  • Expanded the troubleshooting mode feature to more desktop and server versions. For a complete list of supported OS versions and more information about prerequisites, see Get started with troubleshooting mode in Microsoft Defender for Endpoint.
  • Live Response improvements include reduced session creation latency when using proxies, an undo remediation manual command, support for OneDrive shares in FindFile action, and improved isolation and stability.
  • Security Management for Microsoft Defender for Endpoint now provides the ability to sync the device configuration on demand instead of waiting for a specific cadence.

Note

Update package KB5005292 is on a gradual rollout schedule through Windows Update. Towards the end of this schedule, the package will be published completely, including to the update catalog for manual download. For the current release, this will be in the second half of October. If you want to test the package sooner, you can use gradual rollout controls for platform updates to select the Preview channel.
