What's new in Microsoft Defender for Endpoint - Before 2023

Applies to:

The following features were in preview or generally available (GA) in Microsoft Defender for Endpoint prior to the calendar year 2023.

For more information on preview features, see Preview features.

For more information on what's new with Microsoft Defender for Endpoint on Windows, see: What's new in Microsoft Defender for Endpoint on Windows

For more information on what's new with other Microsoft Defender security products, see:

For more information on Microsoft Defender for Endpoint on specific operating systems and on other operating systems:

December 2022

  • Microsoft Defender for Endpoint Device control removable storage access control updates:

    1. Microsoft Intune support for removable storage access control is now available. See Deploy and manage device control with Intune.

    2. The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. If you create a Default Deny policy, printers will be blocked in your organization.

  • Microsoft Defender for Endpoint Device control New Printer Protection solution to manage printer is now available. For more information, see Device control policies.

November 2022

  • Built-in protection is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure that your devices are protected.

October 2022

Network protection C2 detection and remediation is now generally available.
Attackers often compromise existing internet-connected servers to become their command and control servers. Attackers can use the compromised servers to hide malicious traffic and deploy malicious bots that are used to infect endpoints. Network protection detection and remediation helps improve the time it takes for the security operations (SecOps) teams to pinpoint and respond to malicious network threats that are looking to compromise endpoints.

September 2022

August 2022

  • Device health status
    The Device health status card shows a summarized health report for the specific device.

  • Device health reporting (Preview)
    The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.

  • Tamper protection on macOS is now generally available
    This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability. Later this year, we'll offer a gradual rollout mechanism that will automatically switch endpoints to "block" mode; this mechanism applies only if you haven't made a choice to either enable ("block" mode) or disable the capability.

  • Network Protection and Web Protection for macOS and Linux is now in Public Preview!
    Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It's the foundation on which our Web Protection for Microsoft Defender for Endpoint is built. These capabilities include Web threat protection, Web content filtering, and IP/URL Custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.

  • Improved Microsoft Defender for Endpoint onboarding for Windows Server 2012 R2 and Windows Server 2016
    Configuration Manager version 2207 now supports automatic deployment of modern, unified Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016. Devices running Windows Server 2012 R2 or Windows Server 2016 that are targeted by the Defender for Endpoint onboarding policy now use the unified agent instead of the Microsoft Monitoring Agent-based solution, if configured through client settings.

July 2022

June 2022

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.

October 2021

September 2021

  • Web content filtering . As part of web protection capabilities in Microsoft Defender for Endpoint, web content filtering enables your organization's security team to track and regulate access to websites based on their content categories. Categories include adult content, high bandwidth, legal liability, leisure, and uncategorized. Although many websites that fall into one or more of these categories might not be malicious, they could be problematic because of compliance regulations, bandwidth usage, or other concerns. Learn more about web content filtering.

August 2021

  • Microsoft Defender for Endpoint Plan 1 (preview). Defender for Endpoint Plan 1 (preview) is an endpoint protection solution that includes next-generation protection, attack surface reduction, centralized management and reporting, and APIs. Defender for Endpoint Plan 1 (preview) is a new offering for customers who:

    • Want to try our endpoint protection capabilities
    • Have Microsoft 365 E3, and
    • Don't yet have Microsoft 365 E5

    For more information on Defender for Endpoint Plan 1 (preview), see Microsoft Defender for Endpoint Plan 1 (preview).

    Existing Defender for Endpoint capabilities will be known as Defender for Endpoint Plan 2.

  • (Preview) Web Content Filtering
    Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.

June 2021

  • Delta export software vulnerabilities assessment API
    An addition to the Export assessments of vulnerabilities and secure configurations API collection.
    Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed" or "how many new vulnerabilities were added to an organization."

  • Export assessments of vulnerabilities and secure configurations API
    Adds a collection of APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.

  • Remediation activity API
    Adds a collection of APIs with responses that contain threat and vulnerability management remediation activities that have been created in your tenant. Response information types include one remediation activity by ID, all remediation activities, and exposed devices of one remediation activity.

  • Device discovery
    Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.

    Important

    Standard discovery will be the default mode for all customers starting July 19, 2021. You can choose to retain the "basic mode" through the Settings page.

  • Device group definitions can now include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group.

  • Mobile Application management support
    This enhancement enables Microsoft Defender for Endpoint protect an organization's data within a managed application when Intune is being used to manage mobile applications. For more information about mobile application management, see this documentation.

  • Microsoft Tunnel VPN integration
    Microsoft Tunnel VPN capabilities are now integrated with Microsoft Defender for Endpoint app for Android. This unification enables organizations to offer a simplified end-user experience with one security app – offering both mobile threat defense and the ability to access on-prem resources from their mobile device – while security and IT teams are able to maintain the same admin experiences they are familiar with.

  • Jailbreak detection on iOS
    Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see Setup Conditional Access Policy based on device risk signals.

March 2021

Manage tamper protection using the Microsoft Defender Security Center
You can manage tamper protection settings on Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server 2022 by using a method called tenant attach.

January 2021

December 2020

September 2020

  • Microsoft Defender for Endpoint on Android
    Microsoft Defender for Endpoint now adds support for Android. In addition to the provisions for you to install, configure, and use Microsoft Defender for Endpoint for Android (introduced in the previous sprint in August 2020), the provision to "update" Microsoft Defender for Endpoint for Android has been introduced in this sprint.

  • Threat and vulnerability management macOS support
    Threat and vulnerability management for macOS is now in public preview, and will continuously detect vulnerabilities on your macOS devices to help you prioritize remediation by focusing on risk. For more information, see Microsoft Tech Community blog post.

August 2020

July 2020

June 2020

April 2020

November-December 2019

  • Microsoft Defender for Endpoint on Mac
    Microsoft Defender for Endpoint for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including endpoint detection and response.

  • Threat & Vulnerability Management application and application version end-of-life information
    Applications and application versions which have reached their end of life (EOL) are tagged or labeled as such; so, you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.

  • Threat & Vulnerability Management Advanced Hunting Schemas
    Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.

  • Threat & Vulnerability Management role-based access controls
    Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so that only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.

October 2019

  • Indicators for IP addresses, URLs/Domains
    You can now allow or block URLs/domains using your own threat intelligence.

  • Microsoft Threat Experts - Experts on Demand
    You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.

  • Connected Azure AD applications
    The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization.

  • API Explorer
    The API explorer makes it easy to construct and execute API queries, and to test and send requests for any available Microsoft Defender for Endpoint API endpoint.

September 2019

  • Tamper Protection settings using Intune
    You can now turn on Tamper Protection (or turn off) for your organization in the Microsoft 365 Device Management Portal (Intune).

  • Live response
    Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real time.

  • Evaluation lab
    The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform; running simulations; and seeing the prevention, detection, and remediation features in action.

  • Windows Server 2008 R2 SP1
    You can now onboard Windows Server 2008 R2 SP1.

June 2019

  • Threat & Vulnerability Management
    A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.

  • Device health and compliance report The device health and compliance report provides high-level information about the devices in your organization.

May 2019

  • Threat protection reports
    The threat protection report provides high-level information about alerts generated in your organization.

  • Microsoft Threat Experts
    Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.

  • Indicators
    APIs for indicators are now generally available.

  • Interoperability
    Microsoft Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.

April 2019

  • Microsoft Threat Experts Targeted Attack Notification capability
    Microsoft Threat Experts' Targeted Attack Notification alerts are tailored for organizations to provide as much information as can be quickly delivered, including the timeline, scope of breach, and the methods of intrusion, thus bringing attention to critical threats in their network.

  • Microsoft Defender for Endpoint API
    Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities.

February 2019

  • Incidents
    Incident is a new entity in Microsoft Defender for Endpoint that brings together all relevant alerts and related entities to narrate the broader-attack story, giving analysts better perspective on the purview of complex threats.

  • Onboard previous versions of Windows
    Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint sensor.

October 2018

  • Attack surface reduction rules
    All Attack surface reduction rules are now supported on Windows Server 2019.

  • Controlled folder access
    Controlled folder access is now supported on Windows Server 2019.

  • Custom detection
    With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules.

  • Integration with Azure Security Center
    Microsoft Defender for Endpoint integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.

  • Managed security service provider (MSSP) support
    Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration allows MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.

  • Removable device control
    Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.

  • Support for iOS and Android devices
    iOS and Android devices are now supported and can be onboarded to the service.

  • Threat analytics
    Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provide recommended actions to contain the impact, increase organizational resilience, and prevent specific threats.

  • There are two new attack surface reduction rules in Windows 10 version 1809:

    • Block Adobe Reader from creating child processes

    • Block Office communication application from creating child processes

  • Microsoft Defender Antivirus

  • Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. Office VBA + AMSI: Parting the veil on malicious macros.

March 2018

  • Advanced Hunting
    Query data using advanced hunting in Microsoft Defender for Endpoint.

  • Attack surface reduction rules
    The newly introduced attack surface reduction rules are:

    • Use advanced protection against ransomware

    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)

    • Block process creations originating from PSExec and WMI commands

    • Block untrusted and unsigned processes that run from USB

    • Block executable content from email client and webmail

  • Automated investigation and remediation
    Use Automated investigations to investigate and remediate threats.

    Note

    Available from Windows 10, version 1803 or later.

  • Conditional Access
    Enable conditional access to better protect users, devices, and data.

  • Microsoft Defender for Endpoint Community center
    The Microsoft Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product.

  • Controlled folder access
    You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.

  • Onboard non-Windows devices
    Microsoft Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.

  • Role-based access control (RBAC)
    Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.

  • Microsoft Defender Antivirus
    Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. For more information, see Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection.

  • Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) and executable files. For more information, see Enable block at first sight.