What's new in Microsoft Defender for Endpoint

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

The following features are in preview or generally available (GA) in the latest release of Microsoft Defender for Endpoint.

For more information on preview features, see Preview features.


RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:


For more information on what's new with other Microsoft Defender security products, see:

For more information on Microsoft Defender for Endpoint on other operating systems:

June 2022

May 2022

April 2022

  • Updated onboarding and feature parity for Windows Server 2012 R2 and Windows Server 2016)
    The new unified solution package is now generally available and makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with many new feature improvements.
  • Integration with Tunnel. Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app.This feature was earlier available only on Android. Learn more

January 2022

  • Evaluation lab enhancements: You can now add Windows 11 and Linux devices to the lab.

  • Threat and vulnerability management for Android and iOS is now generally available. Learn more.

December 2021

  • Threat and vulnerability management can help identify Log4j vulnerabilities in applications and components. Learn more.

  • Discover IoT devices (preview): Device discovery now has the ability to help you find unmanaged IoT devices connected to your corporate network. This gives you a single unified view of your IoT inventory alongside the rest of your IT devices (workstations, servers, and mobile).

  • Microsoft Defender for IoT integration (preview): This integration enhances your device discovery capabilities with the agentless monitoring capabilities provided by Microsoft Defender for IoT. This provides increased visibility to help locate, identify, and secure the IoT devices in your network.

November 2021

  • Security configuration management
    A capability for devices that aren't managed by a Microsoft Endpoint Manager, either Microsoft Intune or Microsoft Endpoint Configuration Manager, to receive security configurations for Microsoft Defender directly from Endpoint Manager.

  • Enhancements to cross-platform support.

October 2021

September 2021

  • Web content filtering
    As part of web protection capabilities in Microsoft Defender for Endpoint, web content filtering enables your organization's security team to track and regulate access to websites based on their content categories. Categories include adult content, high bandwidth, legal liability, leisure, and uncategorized. Although many websites that fall into one or more of these categories might not be malicious, they could be problematic because of compliance regulations, bandwidth usage, or other concerns. Learn more about web content filtering.

August 2021

  • (Preview) Microsoft Defender for Endpoint Plan 1
    Defender for Endpoint Plan 1 (preview) is an endpoint protection solution that includes next-generation protection, attack surface reduction, centralized management and reporting, and APIs. Defender for Endpoint Plan 1 (preview) is a new offering for customers who want to try our endpoint protection capabilities, have Microsoft 365 E3, and do not yet have Microsoft 365 E5.

    To learn more, see Microsoft Defender for Endpoint Plan 1 (preview). Existing Defender for Endpoint capabilities will be known as Defender for Endpoint Plan 2.

  • (Preview) Web Content Filtering
    Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.

July 2021

June 2021

  • Delta export software vulnerabilities assessment API
    An addition to the Export assessments of vulnerabilities and secure configurations API collection.
    Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed" or "how many new vulnerabilities were added to an organization."

  • Export assessments of vulnerabilities and secure configurations API
    Adds a collection of APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.

  • Remediation activity API
    Adds a collection of APIs with responses that contain threat and vulnerability management remediation activities that have been created in your tenant. Response information types include one remediation activity by ID, all remediation activities, and exposed devices of one remediation activity.

  • Device discovery
    Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.


    Standard discovery will be the default mode for all customers starting July 19, 2021. You can choose to retain the basic mode through the settings page.

  • Device group definitions can now include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group.

  • Mobile Application management support
    This enhancement enables Microsoft Defender for Endpoint protect an organization's data within a managed application when Intune is being used to manage mobile applications. For more information about mobile application management, see this documentation.

  • Microsoft Tunnel VPN integration
    Microsoft Tunnel VPN capabilities is now integrated with Microsoft Defender for Endpoint app for Android. This unification enables organizations to offer a simplified end user experience with one security app – offering both mobile threat defense and the ability to access on-prem resources from their mobile device, while security and IT teams are able to maintain the same admin experiences they are familiar with.

  • Jailbreak detection on iOS
    Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see Setup Conditional Access Policy based on device risk signals.

March 2021

January 2021