What's new in Microsoft Defender for Endpoint

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

The following features are in preview or generally available (GA) in the latest release of Microsoft Defender for Endpoint.

For more information on preview features, see Preview features.

For more information on what's new with Microsoft Defender for Endpoint on Windows, see: What's new in Microsoft Defender for Endpoint on Windows

For more information on what's new with other Microsoft Defender security products, see:

• What's new in Microsoft Defender XDR
• What's new in Microsoft Defender for Office 365
• What's new in Microsoft Defender for Identity
• What's new in Microsoft Defender for Cloud Apps

For more information on Microsoft Defender for Endpoint on specific operating systems:

• What's new in Defender for Endpoint on Windows
• What's new in Defender for Endpoint on macOS
• What's new in Defender for Endpoint on Linux
• What's new in Defender for Endpoint on Android
• What's new in Defender for Endpoint on iOS

April 2024

Microsoft Defender for Endpoint on macOS feature now in GA:

• Troubleshooting mode for macOS : Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. To learn more, see Troubleshooting mode in Microsoft Defender for Endpoint on macOS.

(GA) March 2024

Built-in Scheduled scan for macOS: For information on Scheduled Scan built-in for Microsoft Defender for Endpoint on macOS, see How to schedule scans with Microsoft Defender for Endpoint on macOS

February 2024

Attack Surface Reduction (ASR) Rules

Two new ASR rules are now in public preview:

• Block rebooting machine in Safe Mode (preview): This rule prevents the execution of commands to restart machines in Safe Mode.
• Block use of copied or impersonated system tools (preview): This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.

Microsoft Defender for Endpoint on macOS features are in public preview:

• Built-in Scheduled Scan for macOS (preview): Scheduled Scan built-in for Microsoft Defender for Endpoint on macOS is now available in public preview. To learn more, see How to schedule scans with Microsoft Defender for Endpoint on macOS.

• Troubleshooting mode for macOS (preview): Troubleshooting mode for macOS is now available in public preview. Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. To learn more, see Troubleshooting mode in Microsoft Defender for Endpoint on macOS.

January 2024

• Defender Boxed is available for a limited period of time. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. Take a moment to celebrate your organization's improvements in security posture, overall response to detected threats (manual and automatic), blocked emails, and more.

  • Defender Boxed opens automatically when you go to the Incidents page in the Microsoft Defender portal.
  • If you close Defender Boxed and you want to reopen it, in the Microsoft Defender portal, go to Incidents, and then select Your Defender Boxed.
  • Act quickly! Defender Boxed is available only for a short period of time.

• (GA) User Contain can now contain compromised users automatically stopping Human Operated Ransomware in its track using Automatic Attack Disruption.

November 2023

• Microsoft Defender Core service is now available for consumers and is planned to begin rolling out to enterprise customers in early 2024.
• The Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) is now available in public preview.
• Support for mixed-license scenarios is now generally available in Defender for Endpoint.

October 2023

• (GA) The device isolation and run AV scan responses in macOS and Linux are now generally available. You can now remotely run an AV scan or isolate devices when responding to attacks.
• (Public Preview) Streamlined device connectivity for Defender for Endpoint is available in public preview for Windows, macOS, and Linux. This experience makes it easier to configure and manage Defender for Endpoint services by reducing the number of URLs required for connectivity, providing IP & Azure service tag support, and simplifying post-deployment network management.
• (Public Preview) User Contain can now contain compromised users automatically stopping Human Operated Ransomware in its track using Automatic Attack Disruption.

September 2023

(GA) The Protecting Dev Drive using performance mode is now generally available. The goal of Performance mode is to improve functional performance for developers who use Windows 11. Performance mode which reduces the performance impact of Microsoft Defender Antivirus scans for files stored on designated Dev Drive.

August 2023

• (GA) The Monthly security summary report is now generally available. The report helps organizations get a visual summary of key findings and overall preventative actions taken to enhance the organization's overall security posture completed in the last month.

July 2023

• The eBPF-based sensor for Microsoft Defender for Endpoint on Linux is available for public preview on all supported Linux devices. For more information, see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux.
• Manage endpoint security policies in Defender for Endpoint is now in public preview
  You can now configure security settings directly in Microsoft Defender XDR.
• A new file page is now available in Defender for Endpoint. The file page now includes information like file details and file content and capabilities. For more information, see Investigate files.

June 2023

• Microsoft Defender Antivirus scan response action is supported for macOS and Linux for client version 101.98.84 and above. It is in preview. See Run Microsoft Defender Antivirus scan on devices.
• Isolating devices from the network is supported for macOS for client version 101.98.84 and above. It is in preview. See Isolate devices from the network.
• Forcibly releasing devices from isolation is now available for public preview. This new capability allows you to forcibly release devices from isolation, when isolated devices become unresponsive. For more information, see Forcibly release device from isolation.

May 2023

• Performance mode for Microsoft Defender Antivirus is now available for public preview. This new capability provides asynchronous scanning on a Dev Drive, and doesn't change the security posture of your system drive or other drives. For more information, see Protecting Dev Drive using performance mode.

March 2023

• Support for mixed-licensing scenarios is now in preview! With these capabilities, you can Manage Microsoft Defender for Endpoint subscription settings across client devices (preview!).

February 2023

• The Microsoft Defender for Identity integration toggle is now removed from the Microsoft Defender for Endpoint Settings > Advanced features page. Because Defender for Identity is now integrated with Microsoft Defender XDR, this toggle is no longer required. You don't need to manually configure integration between services. See What's new - Microsoft Defender for Identity.

January 2023

• Tamper protection can now protect exclusions when deployed with Microsoft Intune. See Protect Microsoft Defender Antivirus exclusions from tampering

• Live Response is now generally available for macOS and Linux. For more information, see Investigate entities on devices using live response.

• Live response API and library API for Linux and macOS is now generally available
  You can now run live response API commands on Linux and macOS.

Prior to 2023

For information about features released prior to 2023, see Archive - What's new in Defender for Endpoint, December 2022 and earlier