This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attackers during active attacks:
- Predictive shielding: Defender is the first security solution to not only respond instantly during an attack but also jump ahead of attackers, predicting and preventing the next move before it happens with just-in-time hardening controls that block specific attacker techniques to protect critical assets.
- Custom data collection: Defender is now the only endpoint protection solution that allows data-hungry security teams to meet specific telemetry needs by optimizing their data collection right within the Defender portal, without the need to rely on fragmented and siloed solutions.
- Expanded Defender support for legacy Windows devices: Better protect vulnerable legacy devices with consistent OS support of Microsoft Defender capabilities across Windows 7 & Windows 2008 R2 and higher.
- Defender deployment tool: Streamline the onboarding process with a lightweight tool that dynamically adapts to the operating system, delivering healthy endpoint security to a diverse estate of Windows and Linux devices.
Jump ahead of attackers: autonomous defense, real results
Automatic attack disruption is a capability unique to Microsoft Defender that contains attacks wherever they appear in your environment. It automatically detects and disrupts in-progress attacks with over 99% confidence, disrupting ransomware in an average of 3 minutes. In recent months, it disabled nearly half a million compromised accounts while saving over 270,000 devices.
But today’s landscape is relentless: over 80% of advanced attacks are multi-stage and persistent, forcing defenders to be perfect over and over again. Even in the face of this incessant threat, the industry-wide approach of reactively responding to attacks is accepted as the best we can do. Until now.
Today we are thrilled to move the bounds of endpoint protection by introducing predictive shielding, a groundbreaking, proactive capability of attack disruption.
It acts in two steps:
1. As soon as a compromised asset is contained, Defender predicts the attack paths and tactics the adversary will use next, in many cases narrowing down tens of thousands of possible pathways to just a few with the highest likelihood.
Image 1: Defender predicts the path and tactics an attacker will use
2. Then, it jumps ahead of the attacker and shields those pathways by using just-in-time hardening methods, giving the attacker nowhere to go.
Image 2: Defender shields the path with just-in-time hardening tactics
So how can Defender do this when no one else can? It comes down to a combination of our unique visibility, leading threat intelligence, and AI-powered innovation. Defender uses AI technology to analyze the attack as it’s happening, identifying patterns of known attackers based on Microsoft’s deep threat intelligence, and then applies that to our unique understanding of the organization’s environment based on graph insights and integration as part of the Microsoft platform. With all this context, Defender can identify common attack techniques, which assets they’re trying to get to, and how they’ll try to get there.
Based on these insights, Defender deploys innovative hardening capabilities that block specific attacker tactics, switching them on while the attack is underway, just before the attacker attempts to use those tactics. Today we are starting with hardening capabilities that counter tactics seen in sophisticated ransomware campaigns, including group policy object (GPO) abuse, safe mode reboots used for tampering, and domain account compromise.
While the precision of predictive shielding allows us to block operations surgically, security teams remain in command, with full visibility and control. All collected data and predictive shielding actions are available for investigation in the Defender portal, with controls that allow security teams to turn off hardening tactics with one click.
Image 3: The Defender portal provides full visibility into predictive shielding actions, with the option to turn them off
Ready to see the future of autonomous defense? Join us online or in person for our Microsoft Ignite session on November 20th.
See the data you want to see, right in Defender
Security teams today are data savvy and are always looking for full visibility into their telemetry. Defender has long provided over 200 raw event types, each enriched with numerous properties and accessible through the threat hunting experience in the Defender portal. But each organization has unique data requirements, so many security teams use complex add-on products to collect and analyze additional data, adding to the already overwhelming number of solutions they’re using.
That’s why today we’re announcing the ability to collect and hunt across custom data right within the Defender portal. You can now easily build custom data collection rules based on your organization’s specific needs using natural language; no PhD required! We are releasing several new data types that can be collected, for example the highly requested AMSI for hunting over script content, and Kerberos for hunting auth-based and network attacks.
Image 4: Easily create custom data collection rules in the Defender portal
This truly integrated custom data offering is possible thanks to Microsoft’s platform approach, as the additional telemetry can be collected and analyzed via Defender and stored via Microsoft Sentinel. This expansion puts you in complete control of any customized, add-on data, including exactly which data types are collected and how long they are stored. No other security solution has fully integrated and customizable telemetry collection and analysis.
Expanded support for Windows 7 and 2008 R2
Upgrading to the latest versions of each operating system as soon as possible is critical to optimize your security, but we understand that this is simply not realistic for many organizations. Our data shows that more than 90% of enterprises continue to have at least some legacy devices in their environment. Attackers know they present gaps in even the tightest security posture.
That’s why today we are improving Defender’s coverage with expanded support for Windows 7 and Windows 2008 R2 to help you keep your legacy systems protected. We know that many organizations have Windows 7 and 2008 R2 in their environments, and it’s a critical milestone for us to support customers in bringing a consistent endpoint protection capability set across OS versions with Microsoft Defender.
Image 5: Operating system coverage with Microsoft Defender
This new release further expands Defender support to the broad set of Windows, macOS, iOS, Android, and Linux versions listed in image 5. We’re committed to meeting you where you are to help you protect the most vulnerable points in your environment, so we are always evaluating demand and will continue to expand our coverage moving forward.
Simplified deployment for Windows and Linux
Organizations are faced with the challenge of securing diverse device fleets spanning multiple operating systems, hardware configurations, and user scenarios. Historically, the more diverse your operating system estate, the more complex your onboarding process, because ensuring coverage often requires not only endpoint management solutions like Microsoft Intune but also scripts, downloads, and multiple manual installations.
To help security teams onboard simply and securely, we’ve built new Defender deployment tools for Windows and Linux, which handle the entire process for you. Just download a single package and it will dynamically adapt to the operating system, take care of prerequisites, and install the latest version of Defender available as needed for older devices that don’t have it already built in. The Defender deployment tools eliminate friction, automate tricky steps, and provide predictability throughout the onboarding journey.
They also have several controls built in that allow you to test for issues before onboarding and can accommodate complex scenarios like virtual desktop infrastructure.
For customers of Microsoft Intune and Microsoft Defender for Cloud, the Defender deployment tools work in tandem, available to use for legacy systems or complex scenarios. If you don’t have a dedicated endpoint management solution, you can use them to cover your entire Windows and Linux estates.
This release is the latest step in our journey to secure diverse device environments and sets the foundation for a unified and intuitive deployment experience—one that meets the demands of modern IT and security teams across organizations of all sizes.
We hope you’ll join us online or in San Francisco for our Microsoft Ignite session on November 20th to learn more about these and other exciting announcements in Defender’s industry-leading endpoint protection.
Featured sessions:
- BRK240: Endpoint security in the AI era: What's new in Defender; November 20th 9:45am PT
- THR747: Disrupt ransomware attacks before harm occurs with Microsoft Defender; November 21st 9:30am PT
- BRK241: Microsoft Defender: Building the agentic SOC with guest Allie Mellen; November 19th 9:00am PT
- BRK246: Blueprint for building the SOC of the future; November 19th 4:00pm PT
Related resources:
- Learn more about predictive shielding
- Learn more about custom data collection
- Learn more about Defender endpoint security for Windows 7 SP1 and Windows Server 2008 R2 SP1 devices
- Deploy Microsoft Defender on Windows devices using the Defender deployment tool
- Deploy Microsoft Defender on Linux devices using the Defender deployment tool
To learn more about Defender’s endpoint protection, visit our website. Bookmark our blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
Microsoft Defender for Endpoint disrupts ransomware with industry-leading endpoint security, providing comprehensive protection across all platforms and devices.