What's new in Microsoft Defender for Endpoint

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

The following features are in preview or generally available (GA) in the latest release of Microsoft Defender for Endpoint and security features in Windows 10 and Windows Server.

For more information on preview features, see Preview features.


RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:


For more information on what's new with other Microsoft Defender security products see:

For more information on Microsoft Defender for Endpoint on other operating systems:

August 2021

  • (Preview) Microsoft Defender for Endpoint Plan 1
    Defender for Endpoint Plan 1 (preview) is an endpoint protection solution that includes next-generation protection, attack surface reduction, centralized management and reporting, and APIs. Defender for Endpoint Plan 1 (preview) is a new offering for customers who want to try our endpoint protection capabilities, have Microsoft 365 E3, and do not yet have Microsoft 365 E5.

    To learn more, see Microsoft Defender for Endpoint Plan 1 (preview). Existing Defender for Endpoint capabilities will be known as Defender for Endpoint Plan 2.

  • (Preview) Web Content Filtering
    Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.

July 2021

June 2021

  • Delta export software vulnerabilities assessment API
    An addition to the Export assessments of vulnerabilities and secure configurations API collection.
    Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed" or "how many new vulnerabilities were added to an organization."

  • Export assessments of vulnerabilities and secure configurations API
    Adds a collection of APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.

  • Remediation activity API
    Adds a collection of APIs with responses that contain threat and vulnerability management remediation activities that have been created in your tenant. Response information types include one remediation activity by ID, all remediation activities, and exposed devices of one remediation activity.

  • Device discovery
    Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.


    Standard discovery will be the default mode for all customers starting July 19, 2021. You can choose to retain the basic mode through the settings page.

  • Device group definitions can now include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group.

  • Mobile Application management support
    This enhancement enables Microsoft Defender for Endpoint protect an organization’s data within a managed application when Intune is being used to manage mobile applications. For more information about mobile application management, see this documentation.

  • Microsoft Tunnel VPN integration
    Microsoft Tunnel VPN capabilities is now integrated with Microsoft Defender for Endpoint app for Android. This unification enables organizations to offer a simplified end user experience with one security app – offering both mobile threat defense and the ability to access on-prem resources from their mobile device, while security and IT teams are able to maintain the same admin experiences they are familiar with.

  • Jailbreak detection on iOS
    Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see Setup Conditional Access Policy based on device risk signals.

March 2021

January 2021