(Preview) Aggregated reporting in Microsoft Defender for Endpoint: Aggregated reporting extends signal reporting intervals to significantly reduce the size of reported events while preserving essential event properties. This feature is available for Microsoft Defender for Endpoint Plan 2. For more information, see Aggregated reporting in Microsoft Defender for Endpoint.
August 2024
The Network Protection feature is enabled by default in Microsoft Defender for Endpoint on Android. As a result, users can see a network protection card in the Defender for Endpoint app, along with App Protection and Web Protection. Users are also required to provide location permission to complete the setup process. Admins who decide not to use network protection can change its default value through the Intune App Configuration policies. This feature was already enabled by default earlier on Microsoft Defender for Endpoint on iOS. For more information, see network protection.
July 2024
(Preview) Monitor OT devices in the device inventory: You can now monitor OT devices in addition to IoT devices in the device inventory, as part of the integration with Microsoft Defender for IoT in the Defender portal. As part of this integration:
We've added the All devices tab and renamed the IoT devices tab to IoT/OT devices.
We've added the Device type, Device subtype, Vendor, Model, and Site filters and columns to the device inventory. Some of these filters are only visible on specific tabs, and only for customers with a Defender for IoT license.
We've added the ability to search Mac devices and Mac addresses.
We've added a system tag that shows the production site name (read only), used for the Defender for IoT site security feature, as part of the device group.
(GA) Learning hub resources have moved from the Microsoft Defender portal to learn.microsoft.com. Access Microsoft Defender XDR Ninja training, learning paths, training modules and more. Browse the list of learning paths, and filter by product, role, level, and subject.
(Preview) Turn preview options on in the main Microsoft 365 Defender settings together with other Microsoft 365 Defender preview features. Customers who aren't using preview features yet continue to see the legacy settings under Settings > Endpoints > Advanced features > Preview features. For more information, see Microsoft 365 Defender preview features.
(GA) Streamlined device connectivity for Defender for Endpoint is now generally available for Windows, macOS, and Linux. This experience makes it easier to configure and manage Defender for Endpoint services by reducing the number of URLs required for connectivity, providing IP & Azure service tag support, and simplifying post-deployment network management.
(GA) Microsoft Defender Core service is now generally available on Windows clients. It helps with the stability and performance of Microsoft Defender Antivirus.
April 2024
Microsoft Defender for Endpoint on macOS feature now in GA:
Block use of copied or impersonated system tools (preview): This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.
Microsoft Defender for Endpoint on macOS features are in public preview:
Troubleshooting mode for macOS (preview): Troubleshooting mode for macOS is now available in public preview. Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. To learn more, see Troubleshooting mode in Microsoft Defender for Endpoint on macOS.
January 2024
Defender Boxed is available for a limited period of time. Defender Boxed highlights your organization's security successes, improvements, and response actions during 2023. Take a moment to celebrate your organization's improvements in security posture, overall response to detected threats (manual and automatic), blocked emails, and more.
Defender Boxed opens automatically when you go to the Incidents page in the Microsoft Defender portal.
If you close Defender Boxed and you want to reopen it, in the Microsoft Defender portal, go to Incidents, and then select Your Defender Boxed.
Act quickly! Defender Boxed is available only for a short period of time.
(GA) The device isolation and run antivirus scan responses in macOS and Linux are now generally available. You can now remotely run an AV scan or isolate devices when responding to attacks.
(Public Preview) Streamlined device connectivity for Defender for Endpoint is available in public preview for Windows, macOS, and Linux. This experience makes it easier to configure and manage Defender for Endpoint services by reducing the number of URLs required for connectivity, providing IP & Azure service tag support, and simplifying post-deployment network management.
(Public Preview) User Contain can now contain compromised users automatically, stopping human-operated ransomware in its tracks using Automatic Attack Disruption.
September 2023
(GA) Protecting Dev Drive using performance mode is now generally available. The goal of Performance mode is to improve functional performance for developers who use Windows 11. Performance mode reduces the performance impact of Microsoft Defender Antivirus scans for files stored on designated Dev Drive.
August 2023
(GA) The Monthly security summary report is now generally available. The report gives organizations a visual summary of key findings and of the preventative actions completed in the last month to enhance the organization's overall security posture.
A new file page is now available in Defender for Endpoint. The file page now includes information like file details and file content and capabilities. For more information, see Investigate files.
June 2023
Microsoft Defender Antivirus scan response action is supported for macOS and Linux for client version 101.98.84 and above. It is in preview. See Run Microsoft Defender Antivirus scan on devices.
Isolating devices from the network is supported for macOS for client version 101.98.84 and above. It is in preview. See Isolate devices from the network.
Forcibly releasing devices from isolation is now available for public preview. This new capability allows you to forcibly release devices from isolation, when isolated devices become unresponsive. For more information, see Forcibly release device from isolation.
May 2023
Performance mode for Microsoft Defender Antivirus is now available for public preview. This new capability provides asynchronous scanning on a Dev Drive, and doesn't change the security posture of your system drive or other drives. For more information, see Protecting Dev Drive using performance mode.
The Microsoft Defender for Identity integration toggle is now removed from the Microsoft Defender for Endpoint Settings > Advanced features page. Because Defender for Identity is now integrated with Microsoft Defender XDR, this toggle is no longer required. You don't need to manually configure integration between services. See What's new - Microsoft Defender for Identity.