Root detection is a critical security control that identifies whether an Android device has been compromised to gain elevated privileges or unrestricted access to the operating system. When a device is rooted, built-in security boundaries are broken, allowing attackers or malicious applications to bypass security controls, disable protections, and manipulate sensitive system files. This permits the installation of unauthorized applications and increases the likelihood of unauthorized access to corporate data. Such devices can raise the overall risk level for an organization.
That’s why we’re pleased to share that Microsoft Defender now includes built-in root detection on Android devices. This enables proactive detection of rooted devices without requiring Intune policies, validates that Defender is running on an uncompromised device, and so makes its telemetry more reliable, because that telemetry is no longer exposed to manipulation by an attacker with root access.
What’s new?
- Enhanced SOC visibility – See rooted devices in your environment in the Defender portal.
- Onboarding protection – Prevents users from onboarding Defender on rooted devices so that it can’t be manipulated by attackers.
- Streamlined feedback process – Allows users to directly submit feedback logs on rooted devices from the Defender app for investigation.
- Improved user experience – Provides clear visibility into whether root detection is active or turned off and what actions are required to activate the root detection.
What protection does it bring to the customer?
Previously, root detection alerts were not displayed in the security portal. With this update, Defender now detects rooted Android devices, whether they are managed or unmanaged. When a device is identified as rooted, a high severity alert appears in the Defender portal. The device is then classified as high risk and its risk score is communicated to device compliance policies. This allows organizations to block such devices from accessing corporate resources if compliance policies have been configured in the Intune portal. Additionally, analysts can investigate further to determine the scope of the issue and ensure no broader impact has occurred within the organization.
Prerequisite
The Intune Company Portal app must be installed, and its version must be 5.0.6688.0 or higher. Root detection is on by default.
Admin experience
- High-severity root detection alerts appear in the Incidents and Alerts sections. Click on an alert to view detailed information for investigation.
- Use the Devices tab under Assets to investigate impacted devices. Admins can search for specific devices and review details in Incidents, Alerts, and Device Timeline for deeper analysis.
User experience
If a device is detected as rooted:
- Defender notifies the user with a “Device is Rooted” notification.
- Tapping the notification or opening the app takes the user to a page stating, “Your device is rooted.”
To run root detection, Defender requires the Company Portal app to be installed at version 5.0.6688.0 or higher.
User experience when the Intune Company Portal version is lower than 5.0.6688.0:
- Defender shows an in-app notification asking the user to update the Company Portal app to version 5.0.6688.0.
- On the Dashboard screen, if the user taps the Device protection tile, Defender marks root detection as ‘Protection off’; in all other cases it is marked as active.
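The behaviour described above (a rooted device raises a high-severity alert and is classified high risk; a Company Portal below 5.0.6688.0 leaves root detection reporting “Protection off”) reduces to a version gate plus a small decision table. The following Python is an added illustration, not Microsoft’s code and not Defender’s data model: the `DeviceState` record, the `assess` function and the sample fleet are constructed here, and the only value taken from the post is the minimum Company Portal version. The point worth seeing in code is the version gate itself: version strings must be compared part by part as integers, because comparing them as text sorts a constructed “5.0.10000.0” below “5.0.6688.0” and would wrongly report protection as off on an up-to-date device.

```python
from dataclasses import dataclass
from typing import Optional

# Minimum Intune Company Portal version stated in the post.
MIN_COMPANY_PORTAL_VERSION = "5.0.6688.0"


def parse_version(version: str, width: int = 4) -> tuple:
    """Parse a dotted version string into a tuple of ints, zero-padded to `width` parts.

    Tuples compare part by part numerically, which is what a version gate
    needs; raw strings compare character by character, so "5.0.10000.0"
    sorts below "5.0.6688.0" as text because "1" < "6".
    """
    parts = version.strip().split(".")
    if not parts or len(parts) > width:
        raise ValueError(f"malformed version string: {version!r}")
    try:
        numbers = [int(p) for p in parts]
    except ValueError as exc:
        raise ValueError(f"malformed version string: {version!r}") from exc
    return tuple(numbers + [0] * (width - len(numbers)))


def company_portal_meets_minimum(installed: Optional[str]) -> bool:
    """True only if Company Portal is present and at the minimum version or higher.

    Missing or unparsable version data is treated as not meeting the minimum,
    so the status reported to the user is "Protection off" rather than a
    silently assumed "active".
    """
    if installed is None:  # Company Portal not installed
        return False
    try:
        return parse_version(installed) >= parse_version(MIN_COMPANY_PORTAL_VERSION)
    except ValueError:
        return False


@dataclass(frozen=True)
class DeviceState:
    """Constructed device record (hypothetical fields, not Defender's schema)."""
    device_id: str
    rooted: bool
    company_portal_version: Optional[str]  # None when Company Portal is absent


@dataclass(frozen=True)
class Assessment:
    root_detection: str            # "active" or "Protection off"
    alert_severity: Optional[str]  # "High" when a rooted device is detected
    high_risk: bool                # the classification passed on to compliance policy
    user_message: str              # what the user sees in the app


def assess(device: DeviceState) -> Assessment:
    """Apply the decision table the post describes to one device record."""
    if not company_portal_meets_minimum(device.company_portal_version):
        # Root detection cannot run: report it as off and ask for the update.
        return Assessment(
            root_detection="Protection off",
            alert_severity=None,
            high_risk=False,
            user_message=(f"Update the Company Portal app to version "
                          f"{MIN_COMPANY_PORTAL_VERSION} or higher."),
        )
    if device.rooted:
        # Rooted device: high-severity alert, device classified as high risk.
        return Assessment(
            root_detection="active",
            alert_severity="High",
            high_risk=True,
            user_message="Your device is rooted.",
        )
    return Assessment(
        root_detection="active",
        alert_severity=None,
        high_risk=False,
        user_message="Root detection is active.",
    )


if __name__ == "__main__":
    # Constructed sample fleet; device ids and versions are made up.
    fleet = [
        DeviceState("dev-1", rooted=True, company_portal_version="5.0.6688.0"),
        DeviceState("dev-2", rooted=True, company_portal_version="5.0.6600.0"),
        DeviceState("dev-3", rooted=False, company_portal_version="5.0.10000.0"),
        DeviceState("dev-4", rooted=False, company_portal_version=None),
    ]
    for d in fleet:
        a = assess(d)
        print(f"{d.device_id}: detection={a.root_detection!r} "
              f"alert={a.alert_severity} high_risk={a.high_risk} "
              f"msg={a.user_message!r}")
```

Note that `dev-2` is rooted but reports no alert: an outdated Company Portal means the control is not running, which is exactly why the post surfaces “Protection off” in the app and why an admin should treat that status, not just the absence of alerts, as a finding.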
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and to get more from the Microsoft capabilities you already use.
Featured sessions:
- BRK240: Endpoint security in the AI era: What's new in Defender
  Discover how Microsoft Defender’s AI-powered endpoint security empowers you to do more, better, faster.
- BRK246: Blueprint for Building the SOC of the Future
  The future of security operations is autonomous, adaptive, and deeply integrated—and Microsoft is delivering the blueprint. In this session, you'll learn how to turn that vision into reality using Microsoft Sentinel and Defender.
- THR747: Disrupt ransomware attacks before harm occurs with Microsoft Defender
  The future of automatic attack disruption is to head off attackers before they make their moves and block their ability to pivot without disrupting the flow of business. Learn how we're making it happen today.
Explore and filter the full security catalog by topic, format, and role: aka.ms/SessionCatalogSecurity.
Why Attend:
Ignite is the place to learn about the latest Defender capabilities, including new agentic AI integrations and unified threat protection. We will also share future-facing innovations in Defender, as part of our ongoing commitment to autonomous defense.
Security Forum—Make day 0 count (November 17)
Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration.
Microsoft Defender for Endpoint disrupts ransomware with industry-leading endpoint security, providing comprehensive protection across all platforms and devices.