<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>rss.livelink.threads-in-node</title>
    <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/ct-p/microsoft-defender-for-endpoint</link>
    <description>rss.livelink.threads-in-node</description>
    <pubDate>Wed, 01 Jul 2026 18:45:41 GMT</pubDate>
    <dc:creator>microsoft-defender-for-endpoint</dc:creator>
    <dc:date>2026-07-01T18:45:41Z</dc:date>
    <item>
      <title>Microsoft Defender false positive and WDSI submission details page bug</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-false-positive-and-wdsi-submission-details/m-p/4530787#M6892</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am the developer and publisher of Pulse Launcher, a legitimate signed Windows application / Minecraft mod launcher.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I already submitted this through Microsoft Security Intelligence and also opened a Microsoft Q&amp;amp;A thread, but I am posting here because the WDSI submission portal itself appears to be broken for these submissions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Related Microsoft Q&amp;amp;A thread:&lt;/P&gt;&lt;P&gt;https://learn.microsoft.com/en-us/answers/questions/5929545/microsoft-defender-false-positive-and-wdsi-submiss&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are two related issues:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. Microsoft Defender cloud ML false positives keep appearing on public multi-engine scan results for the same signed application/product family. The Microsoft detection name changes across rescans and equivalent builds, including:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- PUA:Win32/Puwaders.C!ml&lt;/P&gt;&lt;P&gt;- Program:Win32/Wacapew.C!ml&lt;/P&gt;&lt;P&gt;- Trojan:Win32/Wacatac.B!ml&lt;/P&gt;&lt;P&gt;- Trojan:Win32/Wacatac.C!ml&lt;/P&gt;&lt;P&gt;- Trojan:Win32/Sabsik.EN.A!ml&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2. 
Microsoft Security Intelligence submissions are visible in Submission history and show status "In progress", but opening the submission details page returns:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"The details for the submission were not found or the submission has expired."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Affected submission IDs:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- dd476efa-fc04-4f13-82cf-631bbfd145a6&lt;/P&gt;&lt;P&gt;- efc6514c-d700-4d6a-a7e2-67a9a83334a2&lt;/P&gt;&lt;P&gt;- ff8d04b7-c5fc-4a05-bd53-ee7ac5981284&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;File details:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- File name: pulse_launcher.exe&lt;/P&gt;&lt;P&gt;- SHA-256: def6059c07c3e1f4a8c5649a1bbf190d4f355ee8e8b88c55c5b404edee99ecc8&lt;/P&gt;&lt;P&gt;- Signer: FOP Haponiuk Mykola Viktorovych&lt;/P&gt;&lt;P&gt;- Certificate: GlobalSign EV Code Signing certificate&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The executable is not VMProtect-packed or obfuscated. It is EV-signed. A previous Microsoft analyst response stated that the file did not meet Microsoft criteria for malware or PUA, but Microsoft cloud detections continue to appear.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Could someone route this to Microsoft Defender Security Intelligence / malware analysis, or advise how to escalate WDSI submissions that exist in history but whose details endpoint returns "not found or expired"?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jun 2026 02:56:05 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-false-positive-and-wdsi-submission-details/m-p/4530787#M6892</guid>
      <dc:creator>MykolaHaponiuk</dc:creator>
      <dc:date>2026-06-25T02:56:05Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender for Endpoint and WDAC audit logs do not include kernel audit/blocks</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-and-wdac-audit-logs-not-include/m-p/4527862#M6885</link>
      <description>&lt;P&gt;While testing WDAC on a fully patched Win11 Pro machine, I noticed that kernel audit/block events do not get collected by MDE in the advanced hunting portal; only user mode audit/blocks are collected. Can anyone confirm they see this too, and is this by design?&lt;/P&gt;&lt;P&gt;My test case is to use a Strict Kernel Mode WDAC policy (as per:&lt;/P&gt;&lt;P&gt;https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) which is active, using the Global Secure Access client as my test. When the machine boots, the below event is generated locally on the machine:&amp;nbsp;&lt;/P&gt;&lt;img /&gt;&lt;img /&gt;&lt;img /&gt;&lt;P&gt;This event is never shown on the MDE advanced hunting portal, though user events do show. Examples of events that are coming through:&lt;/P&gt;&lt;img /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Not receiving these events centrally for auditing would make deploying a kernel mode WDAC control impossible. It would be amazing if the Microsoft product team could please look into this and resolve it, as these alerts should be captured as well to facilitate deployment of more secure controls.&lt;/P&gt;</description>
      <pubDate>Fri, 12 Jun 2026 13:35:02 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-and-wdac-audit-logs-not-include/m-p/4527862#M6885</guid>
      <dc:creator>Warren212</dc:creator>
      <dc:date>2026-06-12T13:35:02Z</dc:date>
    </item>
    <item>
      <title>Reduce unnecessary internet exposure with Microsoft Defender</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/reduce-unnecessary-internet-exposure-with-microsoft-defender/ba-p/4525654</link>
      <description>&lt;P&gt;In today’s threat landscape, &lt;STRONG&gt;internet exposure&lt;/STRONG&gt;, i.e. devices that allow inbound connectivity from the public internet, continues to be a major vector for initial access and compromise. Devices that are exposed to the public internet can significantly increase an organization’s attack surface, making them prime targets for initial access, exploitation, and lateral movement.&lt;/P&gt;
&lt;P&gt;However, not all internet-facing devices represent a security issue. Many are intentionally exposed to support business-critical scenarios such as hosting web applications, enabling remote access, or supporting communication services. The challenge for security teams is not just detecting internet-facing devices, but understanding why a device is exposed, whether that exposure is expected, and what action should be taken. That’s why we’re introducing a&amp;nbsp;&lt;STRONG&gt;new security recommendation in Microsoft Defender that helps organizations&lt;/STRONG&gt; &lt;STRONG&gt;identify, review, and reduce unnecessary internet exposure across their environment.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Understand your internet-facing exposure&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;This recommendation focuses specifically on devices that are &lt;STRONG&gt;accessible from the public internet&lt;/STRONG&gt;, meaning they can receive &lt;STRONG&gt;inbound connections initiated from external sources, &lt;/STRONG&gt;not devices that only use the internet for outbound communication.&lt;/P&gt;
&lt;P&gt;Externally reachable assets are often the first point of entry for attackers, making this a critical signal for security prioritization.&lt;/P&gt;
&lt;P&gt;Microsoft Defender identifies internet-facing devices based on signals that indicate &lt;STRONG&gt;external inbound reachability&lt;/STRONG&gt;, including:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;External scan telemetry identifying devices reachable from the public internet&lt;/LI&gt;
&lt;LI&gt;Network telemetry showing inbound connections from external sources&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;By correlating these signals, Defender surfaces devices that are externally reachable.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Introducing internet-facing exposure assessment&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;A new recommendation in Microsoft Defender provides a centralized view of devices that are externally reachable from the public internet, helping you understand and manage exposure across your environment.&lt;/P&gt;
&lt;P&gt;This assessment categorizes devices based on their exposure state:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Exposed devices: Devices that are reachable from the public internet and require review&lt;/LI&gt;
&lt;LI&gt;Compliant devices: Devices that are not externally reachable, or where the internet exposure has been explicitly validated and accepted by the organization’s security team as intended&lt;/LI&gt;
&lt;LI&gt;Not applicable devices: Devices that do not exhibit inbound internet exposure&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;From the recommendation view, you can:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Drill down into exposed devices and understand why they are reachable&lt;/LI&gt;
&lt;LI&gt;Review context such as exposed services and connectivity&lt;/LI&gt;
&lt;LI&gt;Explore device-level details to support investigation&lt;/LI&gt;
&lt;LI&gt;Track exposure posture across your environment over time&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;STRONG&gt;Take action on your internet exposure&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;To access this recommendation in the Defender portal, navigate to &lt;STRONG&gt;Exposure management → Recommendations → Devices → Misconfigurations&lt;/STRONG&gt;. Once Defender identifies internet-facing devices, it provides the context needed to review and take action.&lt;/P&gt;
&lt;H5&gt;Your action plan&lt;/H5&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;1. Assess your exposure&lt;/STRONG&gt;&lt;BR /&gt;Review the recommendation to understand which devices in your environment are externally reachable from the public internet and why they were classified as internet-facing.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;2. Validate whether exposure is required&lt;/STRONG&gt;&lt;BR /&gt;Determine if the inbound connectivity is expected for each device. Confirm business need and ownership before taking action.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;3. Prioritize high-risk assets&lt;/STRONG&gt;&lt;BR /&gt;Focus on critical servers or sensitive environments that are exposed to the internet, as they present the highest risk for initial access.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;4. Reduce unnecessary exposure&lt;/STRONG&gt;&lt;BR /&gt;Restrict or remove inbound connectivity where it is not required by closing exposed ports, removing public access, or moving services behind controlled access layers.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;5. Track and maintain posture over time&lt;/STRONG&gt;&lt;BR /&gt;Continuously monitor internet-facing devices to ensure unnecessary exposure is reduced and new exposure is validated as environments evolve.&lt;/P&gt;
&lt;H5&gt;FAQ&lt;/H5&gt;
&lt;P&gt;&lt;STRONG&gt;1. Which devices are currently supported?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;This recommendation applies to supported Windows client and Windows Server devices. Supported versions include Windows 10, version 1607 and earlier; Windows 10, version 1809 and later; and Windows 11.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;2. Why might there be differences between this recommendation and the Internet-facing filter in device inventory?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;This recommendation reflects devices observed as internet-facing during the recommendation assessment window. Device exposure can change over time, and different Microsoft Defender experiences may refresh at different times.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;As a result, temporary differences may occur between this recommendation and the Internet-facing filter in device inventory.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;For the most current device-level view, use the Internet-facing filter in device inventory. If a device was recently remediated or its exposure recently changed, allow time for the recommendation status to refresh.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;3. Could regular employee laptops or personal devices appear as internet-facing?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;This recommendation evaluates supported devices onboarded to Microsoft Defender for Endpoint and focuses specifically on inbound internet reachability.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Typical internet usage, such as web browsing, generates outbound traffic and does not by itself classify a device as internet-facing.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Devices are identified as internet-facing only when they are externally reachable from the public internet.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;As a result:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Personal devices that are not onboarded to Microsoft Defender for Endpoint are not included in this assessment.&lt;/LI&gt;
&lt;LI&gt;Corporate laptops may appear as internet-facing if they are directly reachable from the internet, which may indicate an unintended network exposure or configuration issue.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;STRONG&gt;Learn more&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;For additional guidance on investigating and managing internet-facing devices, see:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Learn how Defender identifies and maps externally reachable devices across your environment &lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/discovering-internet-facing-devices-using-microsoft-defender-for-endpoint/3778975" target="_blank" rel="noopener"&gt;Discovering internet-facing devices using Microsoft Defender&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Learn how to review and investigate internet-facing device exposure &lt;A href="https://learn.microsoft.com/en-us/defender-endpoint/investigate-machines" target="_blank" rel="noopener"&gt;Investigate devices in Microsoft Defender&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Learn more about&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-microsoft-secure-score-devices?tabs=preview-customers" target="_blank" rel="noopener"&gt;Microsoft Secure Score for Devices in Microsoft Defender&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;To learn more about endpoint protection with Microsoft Defender, check out our&amp;nbsp;&lt;A href="https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint" target="_blank" rel="noopener"&gt;website&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;To learn more about Microsoft Security solutions, visit our&amp;nbsp;&lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;website&lt;/A&gt;. Bookmark the&amp;nbsp;&lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;Security blog&lt;/A&gt;&amp;nbsp;to keep up with our expert coverage on security matters. Follow us on LinkedIn (&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;Microsoft Security&lt;/A&gt;) and X (&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;@MSFTSecurity&lt;/A&gt;)&amp;nbsp;for the latest news and updates on cybersecurity.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Thu, 11 Jun 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/reduce-unnecessary-internet-exposure-with-microsoft-defender/ba-p/4525654</guid>
      <dc:creator>hadarshindler</dc:creator>
      <dc:date>2026-06-11T16:00:00Z</dc:date>
    </item>
    <item>
      <title>Introducing scheduled antivirus scans on Microsoft Defender Linux</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-scheduled-antivirus-scans-on-microsoft-defender/ba-p/4524578</link>
      <description>&lt;P&gt;Security teams rely on scheduled scans to ensure consistent coverage across devices, detect dormant or missed threats, and meet compliance requirements. However, managing scans on Linux has traditionally required custom scripts and cron-based setups, which can be hard to scale and maintain. That’s why we’re excited to introduce &lt;STRONG&gt;centrally managed scheduled antivirus scans for Linux in Microsoft Defender&lt;/STRONG&gt;, now available in &lt;STRONG&gt;public preview&lt;/STRONG&gt;. With this release, we are bringing built-in, flexible scheduling capabilities directly into Defender - making it easier to manage and standardize scan behaviour across Linux environments.&lt;/P&gt;
&lt;H4&gt;What’s new&lt;/H4&gt;
&lt;P&gt;With this capability, customers can now configure scheduled antivirus scans on Linux using &lt;STRONG&gt;security settings management policies in the Microsoft Defender portal&lt;/STRONG&gt; for centralized policy enforcement, or a &lt;STRONG&gt;local Managed JSON configuration&lt;/STRONG&gt; that can be deployed via configuration management tools such as Ansible, Puppet and Chef.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The feature supports a flexible set of scheduling options, including &lt;STRONG&gt;hourly quick scans&lt;/STRONG&gt; (interval-based scheduling), &lt;STRONG&gt;daily quick scans&lt;/STRONG&gt; at a defined time, and &lt;STRONG&gt;weekly scans&lt;/STRONG&gt; with configurable scan type (quick or full). In addition, customers can control how scans run with advanced options such as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Running scans only when the device is idle&lt;/LI&gt;
&lt;LI&gt;Reducing CPU impact using low CPU priority&lt;/LI&gt;
&lt;LI&gt;Checking for definition updates before scanning&lt;/LI&gt;
&lt;LI&gt;Randomizing scan start times&lt;/LI&gt;
&lt;LI&gt;Ignoring exclusions during scheduled scans&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These capabilities allow security teams to balance &lt;STRONG&gt;coverage, performance, and operational needs&lt;/STRONG&gt; across large Linux environments.&lt;/P&gt;
&lt;H4&gt;Why this matters&lt;/H4&gt;
&lt;P&gt;From a security perspective, scheduled scans play a critical role in detecting &lt;STRONG&gt;dormant threats, missed detections, and malicious artifacts&lt;/STRONG&gt; that may not be caught through real-time protection alone. Without consistent and centrally enforced scheduling, these gaps can increase risk across the environment.&lt;/P&gt;
&lt;P&gt;With this release, scheduled scans are now:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Centrally managed&lt;/STRONG&gt; through Defender policies&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Consistently enforced&lt;/STRONG&gt; across devices&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Aligned with security best practices&lt;/STRONG&gt; for regular scanning&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Integrated into the broader Defender security posture&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This helps organizations strengthen their overall security posture while reducing operational complexity.&lt;/P&gt;
&lt;H4&gt;Get started&lt;/H4&gt;
&lt;P&gt;To get started, ensure devices are running &lt;STRONG&gt;agent version 101.26032.0000 or later (production ring)&lt;/STRONG&gt;, and configure scheduled scans using managed JSON or Defender portal policies.&lt;/P&gt;
&lt;H4&gt;Learn more&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Learn more about how to &lt;A href="https://learn.microsoft.com/en-us/defender-endpoint/schedule-antivirus-scans-linux" target="_blank" rel="noopener"&gt;schedule antivirus scans on Linux&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;To learn more about endpoint protection with Microsoft Defender, check out our&amp;nbsp;&lt;A href="https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint" target="_blank" rel="noopener"&gt;website&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;To learn more about Microsoft Security solutions, visit our &lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;website&lt;/A&gt;. Bookmark the &lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;Security blog&lt;/A&gt; to keep up with our expert coverage on security matters. Follow us on LinkedIn (&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;Microsoft Security&lt;/A&gt;) and X (&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;@MSFTSecurity&lt;/A&gt;) for the latest news and updates on cybersecurity.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Wed, 10 Jun 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-scheduled-antivirus-scans-on-microsoft-defender/ba-p/4524578</guid>
      <dc:creator>Rutuja_dange</dc:creator>
      <dc:date>2026-06-10T16:00:00Z</dc:date>
    </item>
    <item>
      <title>Elevate your telemetry using custom data collection in Microsoft Defender</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/elevate-your-telemetry-using-custom-data-collection-in-microsoft/ba-p/4512530</link>
      <description>&lt;P&gt;At Ignite in November, we announced that Microsoft Defender is now the only endpoint protection solution that allows data-hungry security teams to meet specific telemetry needs by optimizing their data collection right within the Defender portal, without the need to rely on fragmented and siloed solutions. Since then, we've heard from customers that this tool has been a game changer, enabling them to hunt through new data types as well as richer data on events already reported. The release of custom data collection was a key milestone in our ongoing journey to make Defender easy to manage and customize.&lt;/P&gt;
&lt;P&gt;Security teams have been asking for guidance and examples of how to get the most out of the tool, so today we're sharing how some organizations can use custom data collection and dynamic tagging to detect command and control (C2) communications, giving defenders elevated visibility and deeper telemetry into attacker activity across the environment.&lt;/P&gt;
&lt;H4&gt;See the data you want to see&lt;/H4&gt;
&lt;P&gt;Defender's default telemetry is tuned to balance performance and signal-to-noise across millions of devices, so it focuses on the events most useful for high-fidelity detection at fleet scale, but many organizations want richer, more granular signals for deeper hunting, compliance, or auditing purposes. Custom data collection lets you go beyond what Defender already captures without ever leaving the Defender portal. Easily build custom collection rules based on your organization’s specific needs using natural language; no PhD required! It includes several highly requested data types, including AMSI for hunting over script content, and Kerberos for hunting auth-based and network attacks.&lt;/P&gt;
&lt;P&gt;This truly integrated custom data offering is possible thanks to Microsoft’s platform approach, as the additional telemetry can be collected and analyzed via Defender and stored via Microsoft Sentinel. It puts you in complete control of any customized, add-on data, including exactly which data types are collected and how long they are stored. No other security solution has fully integrated and customizable telemetry collection and analysis.&lt;/P&gt;
&lt;H4&gt;Example custom telemetry scenario: detecting C2 communications&lt;/H4&gt;
&lt;P&gt;Many organizations have a set of assets that require special attention, like internet-facing servers, domain controllers, and other high-value endpoints where deeper telemetry can make the difference between catching an intrusion early and discovering it after the damage is done.&lt;/P&gt;
&lt;P&gt;Imagine your organization has received threat intelligence on attacks using stealthy C2 frameworks: HTTPS beacons with jittered intervals, DNS-based data exchange, and persistence via scheduled tasks and registry modifications. You want richer visibility into those internet-facing servers and high-value endpoints so you can hunt for these patterns proactively, instead of reconstructing them after the fact.&lt;/P&gt;
&lt;P&gt;Dynamic tags scope these high-value devices into a targeted group, and custom data collection captures the extra process, network, and registry events from them, giving analysts the telemetry they need to hunt for beaconing, suspicious DNS patterns, and persistence before attackers establish a foothold.&lt;/P&gt;
&lt;P&gt;To detect C2 communications using dynamic tagging, follow these steps:&lt;/P&gt;
&lt;H4&gt;&lt;U&gt;&lt;STRONG&gt;Step 1: Tag your devices&lt;/STRONG&gt;&lt;/U&gt;&lt;/H4&gt;
&lt;P&gt;Custom Data Collection rules are scoped to&amp;nbsp;&lt;STRONG&gt;dynamic tags&lt;/STRONG&gt;; once set, those tags are automatically applied and removed based on conditions you define. Configure them in&amp;nbsp;&lt;STRONG&gt;Settings &amp;gt; Microsoft Defender XDR &amp;gt; Asset Rule Management&lt;/STRONG&gt;.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Tag&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Rule name&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Conditions&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Tag to apply&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Internet-facing servers&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;InternetFacing-Servers&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Internet facing = true AND OS platform equals&amp;nbsp;Windows Server 2022&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;C2-Watchlist&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Devices under active investigation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;HighSev-Investigation&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Manual tag equals&amp;nbsp;UnderInvestigation&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;HighSev-Verbose&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;&lt;img /&gt;&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Bringing manual tags into the dynamic model&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Custom data collection is built around&amp;nbsp;&lt;STRONG&gt;dynamic tags&lt;/STRONG&gt;&amp;nbsp;by design: one leading, unified tagging experience that's more flexible and customizable. Dynamic tags can be driven by device properties, group membership, OS,&amp;nbsp;&lt;EM&gt;or&lt;/EM&gt;&amp;nbsp;by existing manual tags, so anything your team already tags manually flows naturally into custom data collection through a simple Asset Rule Management rule, exactly as Tag 2 above does.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In this example, analysts manually tag a device&amp;nbsp;UnderInvestigation&amp;nbsp;during incident response. The dynamic rule picks up that manual tag and applies&amp;nbsp;HighSev-Verbose, which custom data collection rules can target. The analyst doesn't need to know about dynamic tags: they tag the device the way they always have, and custom data collection activates &lt;STRONG&gt;automatically&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;H4&gt;&lt;U&gt;&lt;STRONG&gt;Step 2: Build your collection rules&lt;/STRONG&gt;&lt;/U&gt;&lt;/H4&gt;
&lt;P&gt;Navigate to&amp;nbsp;&lt;STRONG&gt;Settings &amp;gt; Endpoints &amp;gt; Rules &amp;gt; Custom Data Collection&lt;/STRONG&gt;. Select your Microsoft Sentinel workspace in the top-right corner.&lt;/P&gt;
&lt;P&gt;Before creating rules, confirm you meet every prerequisite in the&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/defender-endpoint/create-custom-data-collection-rules" target="_blank" rel="noopener"&gt;custom data collection documentation&lt;/A&gt;; in particular, your tenant must be onboarded to the&amp;nbsp;&lt;STRONG&gt;Unified Security Operations Platform (USOP)&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Rule 1: Outbound network connections from high-risk processes&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Capture connections from processes commonly abused by C2 frameworks: living-off-the-land binaries and scripting engines.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Setting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Rule name&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;C2-OutboundConnections&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Table&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DeviceCustomNetworkEvents&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Action&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Connection Success&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Condition&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;InitiatingProcessFileName Equals: powershell.exe,&amp;nbsp;rundll32.exe,&amp;nbsp;regsvr32.exe,&amp;nbsp;mshta.exe,&amp;nbsp;certutil.exe,&amp;nbsp;msiexec.exe&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scope&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Devices tagged&amp;nbsp;C2-Watchlist&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;img /&gt;
&lt;H5&gt;&lt;STRONG&gt;Rule 2: DNS query activity&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Many C2 frameworks use DNS for beaconing or data exchange. Default telemetry captures limited DNS data. This rule collects all DNS queries from monitored devices.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Setting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Rule name&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;C2-DNSActivity&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Table&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DeviceCustomNetworkEvents&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Action&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Connection Success&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Condition&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;RemotePort equals&amp;nbsp;53&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scope&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Devices tagged&amp;nbsp;C2-Watchlist&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H5&gt;&lt;STRONG&gt;Rule 3: Persistence mechanisms&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;C2 implants establish persistence via scheduled tasks, registry run keys, or services. Capture process creation events for common persistence tools.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Setting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Rule name&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;C2-Persistence&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Table&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DeviceCustomProcessEvents&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Action&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Process Created&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Condition&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;FileName in (schtasks.exe,&amp;nbsp;reg.exe,&amp;nbsp;sc.exe,&amp;nbsp;at.exe)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scope&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Devices tagged&amp;nbsp;C2-Watchlist&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H5&gt;&lt;STRONG&gt;Rule 4: Full process and script telemetry during investigations&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;When a device gets the&amp;nbsp;HighSev-Verbose&amp;nbsp;tag, collect everything.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Setting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Rule name&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;HighSev-AllProcesses&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Table&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DeviceCustomProcessEvents&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Action&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Process Created&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Condition&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Broad (all process creation events)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scope&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Devices tagged&amp;nbsp;HighSev-Verbose&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Setting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Value&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Rule name&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;HighSev-ScriptCapture&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Table&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DeviceCustomScriptEvents&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Action&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Script execution&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Condition&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Broad (all script events) – add a condition that is always true, such as&lt;/P&gt;
&lt;P&gt;FileName not equals “”&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scope&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Devices tagged&amp;nbsp;HighSev-Verbose&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Collection profiles summary&lt;/STRONG&gt;&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Tag&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Rules active&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What gets collected&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Use case&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;C2-Watchlist&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;OutboundConnections, DNSActivity, Persistence&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Outbound network connections from the listed processes, DNS queries, persistence tool usage, DLL sideloading&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Persistent C2 monitoring&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;HighSev-Verbose&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AllProcesses, ScriptCapture&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Every process creation, all script execution&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Full-depth incident response&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;img /&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Important:&lt;/STRONG&gt;&amp;nbsp;when you remove the&amp;nbsp;HighSev-Verbose&amp;nbsp;tag after closing an incident, collection automatically drops back to baseline, no manual rule cleanup needed. This is what makes verbose collection safe to leave configured: it's only active while the tag is.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;&lt;U&gt;&lt;STRONG&gt;Step 3: Hunt&lt;/STRONG&gt;&lt;/U&gt;&lt;/H4&gt;
&lt;P&gt;Rules deploy within 20 minutes to an hour. Query the data directly in advanced hunting (AH).&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Detect beaconing patterns (processes making regular-interval outbound connections):&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Find DNS queries to high-entropy domains (potential DGA):&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Spot persistence being established:&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Feed the telemetry from your new collection rule into a custom detection so that high-value findings raise alerts automatically, instead of waiting for the next manual hunt.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Custom data collection effectively extends your endpoint protection into a targeted, general-purpose log collector, one that's now ready to serve advanced hunting, custom detections,&amp;nbsp;&lt;EM&gt;and&lt;/EM&gt; auditing or regulatory use cases, while default fleet-wide telemetry stays tuned for performance and signal-to-noise. By combining dynamic tagging with purpose-built collection rules, your highest-risk devices are always streaming the signals that matter most, ready for detection and investigation before and during an incident.&lt;/P&gt;
&lt;H4&gt;Learn more&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;To learn more about endpoint protection with Microsoft Defender, check out our&amp;nbsp;&lt;A href="https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint" target="_blank" rel="noopener"&gt;website&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;To learn more about Microsoft Security solutions, visit our &lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;website&lt;/A&gt;. Bookmark the &lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;Security blog&lt;/A&gt; to keep up with our expert coverage on security matters. Follow us on LinkedIn (&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;Microsoft Security&lt;/A&gt;) and X (&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;@MSFTSecurity&lt;/A&gt;) for the latest news and updates on cybersecurity.&lt;/LI&gt;
&lt;LI&gt;To learn more about custom data collection and how to get started, see our &lt;A href="https://learn.microsoft.com/en-us/defender-endpoint/create-custom-data-collection-rules" target="_blank" rel="noopener"&gt;documentation&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 09 Jun 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/elevate-your-telemetry-using-custom-data-collection-in-microsoft/ba-p/4512530</guid>
      <dc:creator>Theo_Cohen</dc:creator>
      <dc:date>2026-06-09T16:00:00Z</dc:date>
    </item>
    <item>
      <title>Ways to fetch quarantine files</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/ways-to-fetch-quarantine-files/m-p/4526637#M6884</link>
      <description>&lt;P&gt;We are working with quarantine files and have a few questions:&lt;/P&gt;&lt;P&gt;1. Is there a public API available to retrieve quarantined files from Microsoft Defender for Endpoint?&lt;/P&gt;&lt;P&gt;2. Is there a documented method to map an alert or a file SHA-1/SHA-256 hash to the corresponding object in the Defender quarantine store?&lt;/P&gt;&lt;P&gt;3. Is there a way to retrieve quarantined files other than using a PowerShell script through the Live Response API?&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jun 2026 05:36:57 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/ways-to-fetch-quarantine-files/m-p/4526637#M6884</guid>
      <dc:creator>Dhwani_Shah</dc:creator>
      <dc:date>2026-06-09T05:36:57Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender now monitors RPC activity</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-now-monitors-rpc-activity/ba-p/4523368</link>
      <description>&lt;P&gt;Remote procedure call (RPC) is a protocol that allows functions implemented in a separate process, and potentially on a remote machine, to be called as if they were local; it is commonly abused by attackers. Many core Windows and Active Directory capabilities are built on or make use of RPC, which makes it an attractive target. To help protect against remote RPC-based attacks, Microsoft Defender now monitors remote RPC calls, disrupts malicious activity that leverages them, and surfaces relevant telemetry in advanced hunting.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;RPC basics&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;While &lt;A href="https://learn.microsoft.com/en-us/windows/win32/rpc/rpc-start-page" target="_blank" rel="noopener"&gt;RPC is a rich and complicated protocol&lt;/A&gt;, the main components that are relevant for security monitoring purposes are:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;U&gt;Interface&lt;/U&gt;: A logical grouping of functionality exposed by an RPC server. Interfaces are identified by UUID. Example interfaces include Task Scheduler, Remote Registry, and the Service Control Manager, each exposing functionality related to a different Windows OS component.&lt;/LI&gt;
&lt;LI&gt;&lt;U&gt;OpNum&lt;/U&gt;: Stands for Operation Number, an ordinal that denotes a specific function exposed by an RPC interface. Examples include RCreateServiceW (OpNum 12, Service Control Manager interface) and BaseRegQueryValue (OpNum 17, Remote Registry interface).&lt;/LI&gt;
&lt;/OL&gt;
&lt;H5&gt;&lt;STRONG&gt;Many remote attack techniques and tactics are based on RPC, for example:&lt;/STRONG&gt;&lt;/H5&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;U&gt;Lateral movement&lt;/U&gt;: often abuses RPC functionality for remotely creating tasks or services, or for invoking WMI.&lt;/LI&gt;
&lt;LI&gt;&lt;U&gt;Credential theft&lt;/U&gt;: DCsync attacks, which abuse privileged compromised accounts to remotely extract credential material from Active Directory, are based on RPC functionality for directory replication. SecretsDump and similar attacks, which remotely extract SAM or LSA secrets, are based on querying a device’s registry remotely, using RPC.&lt;/LI&gt;
&lt;LI&gt;&lt;U&gt;Privilege escalation&lt;/U&gt;: Multiple authentication coercion attacks abuse benign RPC interfaces to coerce servers to authenticate an attacker.&lt;/LI&gt;
&lt;LI&gt;&lt;U&gt;Discovery&lt;/U&gt;: Tools such as SharpHound leverage RPC calls to enumerate users, sessions and shares.&lt;/LI&gt;
&lt;/OL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;For a more comprehensive mapping of RPC interfaces to attack techniques, see&amp;nbsp;&lt;A href="https://github.com/jonny-jhnson/MSRPC-to-ATTACK" target="_blank" rel="noopener"&gt;work&lt;/A&gt; by Jonathan Johnson.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H5&gt;&lt;STRONG&gt;RPC auditing in Defender&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Since RPC is so heavily used on Windows systems and in Active Directory domains, monitoring remote RPC traffic using network monitors is often expensive and infeasible. Additionally, if the underlying transport protocol is encrypted (such as SMB3), it might be impossible to observe RPC traffic.&lt;/P&gt;
&lt;P&gt;To enable efficient auditing of remote RPC activity regardless of transport-layer protection, Defender research and engineering expanded the existing RPC integration with the Windows Filtering Platform (WFP) to support OpNum-level granularity. This makes it possible to identify and audit the specific RPC function being invoked, rather than only the RPC interface.&lt;/P&gt;
&lt;P&gt;This capability is designed to help detect remote RPC-based attack techniques, where an attacker interacts with RPC interfaces exposed by a target device. For that reason, Defender focuses this monitoring on inbound remote RPC calls observed on the RPC server host. The telemetry is collected using audit-only WFP filters, which do not interfere with normal traffic, while still providing visibility into suspicious remote activity targeting the device. This approach does not require visibility into the source device.&lt;/P&gt;
&lt;P&gt;Local RPC calls, such as inter-process communication on the same device over local transport, and outbound RPC client calls are outside the scope of this monitoring mechanism.&lt;/P&gt;
&lt;P&gt;Using this capability, Defender monitors selected RPC calls, leverages the resulting telemetry to detect malicious activity, and exposes monitored calls in advanced hunting. Defender dynamically monitors selected remote operations from interfaces including, but not limited to: Remote Registry, Service Control Manager, Task Scheduler, and Windows Management Instrumentation (WMI). RPC monitoring for workstations is generally available, while server monitoring is currently in gradual rollout.&lt;/P&gt;
&lt;P&gt;RPC-based detections and disruption triggers are already available in Defender and include detections such as:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Ongoing hands-on-keyboard attack via Impacket toolkit&lt;/LI&gt;
&lt;LI&gt;Suspicious service creation initiated remotely&lt;/LI&gt;
&lt;LI&gt;Indication of local security authority secrets theft&lt;/LI&gt;
&lt;LI&gt;Unusual RPC user and session discovery&lt;/LI&gt;
&lt;LI&gt;Authentication coercion attack&lt;/LI&gt;
&lt;/OL&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;H5&gt;&lt;STRONG&gt;Example Advanced Hunting queries&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;1. Remote registry key save events, which are abused for remote credential dumping:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;let remoteRegistryInterface = '338cd001-2244-31f1-aaaa-900038001003'; 
let registrySaveOpnums = dynamic([20, 31]); // BaseRegSaveKey, BaseRegSaveKeyEx 
DeviceEvents 
| where ActionType == 'InboundRemoteRpcCall' 
| extend AdditionalFields = parse_json(AdditionalFields) 
| extend RpcInterface = tostring(AdditionalFields.RpcInterfaceUuid), OpNum = toint(AdditionalFields.RpcOpNum) 
| where RpcInterface == remoteRegistryInterface and OpNum in(registrySaveOpnums) &lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. Remote service creation events, which could indicate lateral movement:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;let remoteServicesInterface = '367abb81-9844-35f1-ad32-98f038001003'; 
let serviceCreationOpnums = dynamic([12, 24, 44, 45, 60]); // RCreateServiceW, RCreateServiceA, RCreateServiceWOW64A, RCreateServiceWOW64W, RCreateWowService 
DeviceEvents 
| where ActionType == 'InboundRemoteRpcCall' 
| extend AdditionalFields = parse_json(AdditionalFields) 
| extend RpcInterface = tostring(AdditionalFields.RpcInterfaceUuid), OpNum = toint(AdditionalFields.RpcOpNum) 
| where RpcInterface == remoteServicesInterface and OpNum in(serviceCreationOpnums) &lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;3. Session discovery events, which could indicate account discovery:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;let srvsvcInterface = '4b324fc8-1670-01d3-1278-5a47bf6ee188'; 
let netrSessionEnumOpnum = 12; 
DeviceEvents 
| where ActionType == 'InboundRemoteRpcCall' 
| extend AdditionalFields = parse_json(AdditionalFields) 
| extend RpcInterface = tostring(AdditionalFields.RpcInterfaceUuid), OpNum = toint(AdditionalFields.RpcOpNum) 
| where RpcInterface == srvsvcInterface and OpNum == netrSessionEnumOpnum 
| summarize dcount(DeviceId) by AccountName, AccountDomain, AccountSid &lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Check out the advanced hunting tab to see monitored RPC activity in your environment and stay tuned for more updates from Defender.&lt;/P&gt;
&lt;H5&gt;&lt;STRONG&gt;Learn more&lt;/STRONG&gt;&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;To learn more about endpoint protection with Microsoft Defender, check out our&amp;nbsp;&lt;A href="https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint" target="_blank" rel="noopener"&gt;website&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;To learn more about Microsoft Security solutions, visit our &lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;website&lt;/A&gt;. Bookmark the &lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;Security blog&lt;/A&gt; to keep up with our expert coverage on security matters. Follow us on LinkedIn (&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;Microsoft Security&lt;/A&gt;) and X (&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;@MSFTSecurity&lt;/A&gt;) for the latest news and updates on cybersecurity.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 09 Jun 2026 16:55:28 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-now-monitors-rpc-activity/ba-p/4523368</guid>
      <dc:creator>EdanZwick</dc:creator>
      <dc:date>2026-06-09T16:55:28Z</dc:date>
    </item>
    <item>
      <title>Understanding AI workloads on Linux</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/understanding-ai-workloads-on-linux/m-p/4524856#M6883</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;
&lt;P&gt;I’m a PM working on security for Linux environments and trying to better understand how AI workloads are actually showing up in production today.&lt;/P&gt;
&lt;P&gt;Would appreciate hearing from folks here:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Are you running any AI workloads on Linux today? Or actively exploring?&lt;/LI&gt;
&lt;LI&gt;What does your deployment/setup look like — e.g., model training/inference, agents, MCP servers, data pipelines, etc.?&lt;/LI&gt;
&lt;LI&gt;How are you thinking about securing this stack, if at all?&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;If you’re open to a quick &lt;STRONG&gt;30-min chat&lt;/STRONG&gt;, I’d love to learn more from your experience as well.&lt;/P&gt;
&lt;P&gt;Thanks in advance — this will directly help shape where we invest next.&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2026 15:01:12 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/understanding-ai-workloads-on-linux/m-p/4524856#M6883</guid>
      <dc:creator>tejaskashyap</dc:creator>
      <dc:date>2026-06-02T15:01:12Z</dc:date>
    </item>
    <item>
      <title>How Microsoft Defender used predictive shielding to proactively disrupt a ransomware attack</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-microsoft-defender-used-predictive-shielding-to-proactively/ba-p/4519498</link>
      <description>&lt;P&gt;Modern ransomware attacks are increasingly designed to blend in with normal IT operations, using trusted administrative tools to quietly weaken defenses and distribute malicious payloads at scale.&lt;/P&gt;
&lt;P&gt;In a recent real‑world incident, a human‑operated ransomware actor attempted to do exactly that by abusing &lt;STRONG&gt;Group Policy Objects (GPOs) to target hundreds of devices, but Microsoft Defender detected the attack and proactively hardened those devices before GPOs were deployed.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H4&gt;The attacker’s plan&lt;/H4&gt;
&lt;P&gt;The target organization, a large educational institution with more than a couple of thousand devices onboarded to Microsoft Defender, had already experienced a compromise of a domain admin account from an unmanaged device before the ransomware deployment attempt began.&lt;/P&gt;
&lt;P&gt;Because GPOs are a trusted mechanism for pushing configuration changes across devices, they present an attractive path for attackers looking to disable security tools or deploy ransomware broadly without needing to access each machine individually. This attacker’s plan involved weaponizing GPOs to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Push tampering configurations that could disable Defender protections across the environment&lt;/LI&gt;
&lt;LI&gt;Distribute and execute ransomware via scheduled tasks&lt;/LI&gt;
&lt;LI&gt;Leverage built‑in enterprise infrastructure to scale the attack&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This approach allowed the attacker to attempt ransomware deployment through standard administrative channels, minimizing the need for direct interaction with individual devices and increasing the potential for widespread impact.&lt;/P&gt;
&lt;H4&gt;How Defender thwarted the attack&lt;/H4&gt;
&lt;P&gt;First, Defender quickly detected the attack and contained the domain admin account that the attacker had compromised. Then, when the attacker created a malicious GPO that disabled key Defender protections, a Defender tampering alert was triggered. In response, predictive shielding activated GPO hardening, which temporarily paused the propagation of new GPO policies across all MDE-onboarded devices reachable from the attacker’s position, and protected ~85% of devices against the tampering policy before ransomware was deployed.&lt;/P&gt;
&lt;P&gt;Ten minutes later, the attacker attempted to distribute ransomware, but because GPO hardening had already been applied, GPO propagation was already disabled on the targeted devices and the attacker was unsuccessful. Defender recognized that GPO tampering is a precursor to ransomware distribution and acted preemptively. It didn’t wait for ransomware to appear; it acted on what the attacker was&amp;nbsp;&lt;EM&gt;about&lt;/EM&gt; to do, preventing downstream impact such as recovery costs and operational downtime.&lt;/P&gt;
&lt;H4&gt;The results&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Zero machines were encrypted via the GPO path.&lt;/LI&gt;
&lt;LI&gt;Roughly 97% of devices the attacker attempted to encrypt were fully protected by Defender. A limited number of devices&amp;nbsp;experienced encryption during concurrent ransomware activity over SMB; however, attack disruption successfully contained the incident and stopped further impact.&lt;/LI&gt;
&lt;LI&gt;700 devices applied the predictive shielding GPO hardening policy, reflecting the attacker’s broad targeting scope, and blocking the propagation of the malicious policy set by the attacker within approximately 3 hours.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Attackers are getting more sophisticated, finding ways to evade detection by abusing legitimate IT tools that organizations rely on and can’t simply turn off. Security teams can’t restrict these mechanisms without impacting daily operations. By detecting ransomware staging and predicting the attacker’s next move, Defender can apply targeted restrictions just in time, shifting from reactive response to proactive prevention, stopping only what matters when it matters while maintaining full business productivity. With average ransom demands now ranging from $2–5M, the downstream recovery and remediation savings from preventing these attacks can be massive.&lt;/P&gt;
&lt;H4&gt;Learn more&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;To learn more about this specific attack, check out the full case study: &lt;A href="https://www.microsoft.com/en-us/security/blog/2026/03/23/case-study-predictive-shielding-defender-stopped-gpo-based-ransomware-before-started/" target="_blank" rel="noopener"&gt;Case study: How predictive shielding in Defender stopped GPO-based ransomware before it started&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;To learn more about endpoint protection with Microsoft Defender, check out our&amp;nbsp;&lt;A href="https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint" target="_blank" rel="noopener"&gt;website&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;To learn more about Microsoft Security solutions, visit our &lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;website&lt;/A&gt;. Bookmark the &lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;Security blog&lt;/A&gt; to keep up with our expert coverage on security matters. Follow us on LinkedIn (&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;Microsoft Security&lt;/A&gt;) and X (&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;@MSFTSecurity&lt;/A&gt;) for the latest news and updates on cybersecurity.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 01 Jun 2026 17:16:47 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-microsoft-defender-used-predictive-shielding-to-proactively/ba-p/4519498</guid>
      <dc:creator>AvivSharon</dc:creator>
      <dc:date>2026-06-01T17:16:47Z</dc:date>
    </item>
    <item>
      <title>Larac2shell: Turning MDE Live Response into a near real-time shell We are the EDR!</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/larac2shell-turning-mde-live-response-into-a-near-real-time/m-p/4517733#M6878</link>
      <description>&lt;P&gt;&lt;A class="lia-external-url" href="https://github.com/akefallonitis/larac2shell" target="_blank"&gt;https://github.com/akefallonitis/larac2shell&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Turning MDE live response into a near real time interactive shell beta version out&lt;/P&gt;&lt;P&gt;Features:&lt;/P&gt;&lt;P&gt;- Internal (Thanks to&amp;nbsp;&lt;A href="https://www.linkedin.com/in/fabianbader/" target="_blank"&gt;Fabian Bader&lt;/A&gt;&amp;nbsp;-&amp;nbsp;&lt;A href="https://www.linkedin.com/in/nathanmcnulty/" target="_blank"&gt;Nathan McNulty&lt;/A&gt;&amp;nbsp;and xdrinternals research ) vs External api authentication&lt;BR /&gt;- Arbitrary command execution via pre-uploaded base64 wrapper script&lt;BR /&gt;- Cross-OS support&lt;/P&gt;&lt;P&gt;PS Two MSRC bugs reported for direct command execution bypass waiting for Microsoft Response in order to publish them&lt;/P&gt;&lt;P&gt;Coming SOON TM&lt;/P&gt;&lt;P&gt;Full LaraC2 Post Exploitation OST framework over MDE as C2/C3 Channel - We are the EDR / No external Infra / Onboarding to your controlled tenant silencing MDE&lt;/P&gt;&lt;P&gt;Happy testing 🥳 🎉&lt;/P&gt;</description>
      <pubDate>Fri, 08 May 2026 08:25:12 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/larac2shell-turning-mde-live-response-into-a-near-real-time/m-p/4517733#M6878</guid>
      <dc:creator>alkefallonitis</dc:creator>
      <dc:date>2026-05-08T08:25:12Z</dc:date>
    </item>
    <item>
      <title>Introducing selective response actions for high-value assets in Microsoft Defender</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-selective-response-actions-for-high-value-assets-in/ba-p/4512175</link>
      <description>&lt;P&gt;Deploying Microsoft Defender on high-value assets (HVAs), such as domain controllers, ADFS servers, and other Tier-0 systems, requires a thoughtful approach to balance strong protection with operational stability. Given the powerful response capabilities available, organizations often seek greater control over how these actions are applied in sensitive environments. Many organizations, especially those with strict privileged access management policies, also prefer to limit cloud-initiated administrative actions on Tier-0 systems to align with their security and compliance requirements.&lt;/P&gt;
&lt;P&gt;We introduced simplified onboarding in late 2025 with the release of the Defender deployment tool, and now we’re excited to announce that &lt;STRONG&gt;selective response actions for high-value assets&lt;/STRONG&gt; are now available in public preview to afford security teams greater flexibility within the onboarding process. This new capability provides a more controlled and flexible approach, enabling organizations to define exactly which response actions are allowed on critical assets. Security teams can maintain operational continuity while still benefiting from the full visibility and protection of Defender.&lt;/P&gt;
&lt;H4&gt;How it works&lt;/H4&gt;
&lt;P&gt;Deploying Defender on high-value assets requires additional safeguards. This capability introduces a controlled onboarding experience that enforces strict boundaries from the start.&lt;/P&gt;
&lt;P&gt;Security teams can:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Generate a custom onboarding package&lt;/STRONG&gt; tailored specifically for Tier-0 and High-Value Assets&lt;/LI&gt;
&lt;LI&gt;Use the &lt;STRONG&gt;Defender deployment tool&lt;/STRONG&gt;, a lightweight, dynamic tool that simplifies onboarding and removes the need for complex scripts&lt;/LI&gt;
&lt;LI&gt;Leverage &lt;STRONG&gt;secure key validation and package expiry&lt;/STRONG&gt;, ensuring controlled and secure deployment&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Explicitly define which remote response actions are permitted&lt;/STRONG&gt; on sensitive systems&lt;/LI&gt;
&lt;LI&gt;Onboard both &lt;STRONG&gt;Windows workstations and Windows Server environments&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This approach ensures that security controls are applied consistently and cannot be altered post-deployment, reducing the risk of misconfiguration or misuse.&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Image 1: selective response actions in the Defender deployment tool&lt;/EM&gt;&lt;EM&gt; package settings&lt;/EM&gt;&lt;/img&gt;
&lt;H4&gt;Key benefits&lt;/H4&gt;
&lt;P&gt;Selective response actions for high-value assets provide a safer and more controlled way to protect critical systems:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Reduce operational risk&lt;/STRONG&gt; by limiting powerful security actions on Tier-0 assets&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Prevent accidental or malicious disruptions&lt;/STRONG&gt; caused by overprivileged or compromised accounts&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Align with privileged access management (PAM) policies&lt;/STRONG&gt; by restricting cloud-initiated administrative actions&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Support compliance and regulatory requirements&lt;/STRONG&gt; with stricter enforcement of security controls&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Maintain full Defender visibility and protection&lt;/STRONG&gt; without overexposing sensitive systems&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Provide explicit and granular control&lt;/STRONG&gt; over remote response capabilities&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;&lt;EM&gt;Image 2: view of the available response actions for a particular device in the Defender portal&lt;/EM&gt;&lt;/img&gt;
&lt;H4&gt;Secure your most critical assets with confidence&lt;/H4&gt;
&lt;P&gt;You can now extend Defender for Endpoint protection to your most critical Windows systems, while maintaining strict control over how those systems are accessed and managed. This capability empowers security teams to protect what matters most with confidence and precision.&lt;/P&gt;
&lt;H4&gt;Learn more&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Learn more about how to set up &lt;A href="https://learn.microsoft.com/en-us/defender-endpoint/restrict-response-actions-high-value-assets" target="_blank" rel="noopener"&gt;selective response actions for high value assets&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;To learn more about endpoint protection with Microsoft Defender, check out our&amp;nbsp;&lt;A href="https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint" target="_blank" rel="noopener"&gt;website&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;To learn more about Microsoft Security solutions, visit our &lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;website.&lt;/A&gt; Bookmark the &lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;Security blog&lt;/A&gt; to keep up with our expert coverage on security matters. Follow us on LinkedIn (&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;Microsoft Security&lt;/A&gt;) and X (&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;@MSFTSecurity&lt;/A&gt;) for the latest news and updates on cybersecurity.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 18 May 2026 15:50:40 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-selective-response-actions-for-high-value-assets-in/ba-p/4512175</guid>
      <dc:creator>amibarayev</dc:creator>
      <dc:date>2026-05-18T15:50:40Z</dc:date>
    </item>
    <item>
      <title>runHuntingQuery API and 'evaluate pivot'</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/runhuntingquery-api-and-evaluate-pivot/m-p/4516423#M6876</link>
      <description>&lt;P&gt;I seem to have a problem where any request to the runHuntingQuery API with 'evaluate pivot' fails with:&lt;/P&gt;&lt;P&gt;"error": {&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; "code": "UnknownError",&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; "message": "",&lt;/P&gt;&lt;P&gt;Is this just a 'feature'? The query happily runs through the website/XDR portal. :-(&lt;/P&gt;&lt;P&gt;Is there a way to simulate a pivot (easily) in Power Apps?&lt;/P&gt;</description>
      <pubDate>Fri, 01 May 2026 09:26:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/runhuntingquery-api-and-evaluate-pivot/m-p/4516423#M6876</guid>
      <dc:creator>Tim4</dc:creator>
      <dc:date>2026-05-01T09:26:00Z</dc:date>
    </item>
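<![CDATA[
The pivot the question above asks about, as an added example that is not part of the original post or of any Microsoft sample: the query is rewritten as a flat `summarize` that returns (row, column, value) triples, and the pivot itself is computed client-side on the runHuntingQuery response, so the `evaluate pivot` plugin is never sent to the API. It assumes the Microsoft Graph endpoint `POST https://graph.microsoft.com/v1.0/security/runHuntingQuery` taking a JSON body `{"Query": ...}` with a bearer token that carries ThreatHunting.Read.All, and a response with `schema` and `results` keys; the sample response, device names and counts are constructed.

```python
"""Client-side emulation of KQL `evaluate pivot(...)` over runHuntingQuery results.

Added example, not code from the original post. Assumes the Microsoft Graph
endpoint POST https://graph.microsoft.com/v1.0/security/runHuntingQuery with a
JSON body {"Query": "..."} and a bearer token holding ThreatHunting.Read.All.
The sample response below is constructed, not real telemetry.
"""
import json
import urllib.request
from collections import defaultdict

GRAPH_RUN_HUNTING_QUERY = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"

# Flat query returning the (row, column, value) triples a pivot needs.
# Replaces:  DeviceProcessEvents | ... | evaluate pivot(ActionType, count(), DeviceName)
FLAT_QUERY = """
DeviceProcessEvents
| where Timestamp > ago(1d)
| summarize Count = count() by DeviceName, ActionType
"""


def run_hunting_query(token: str, query: str) -> dict:
    """POST the query to Graph and return the parsed JSON (schema + results)."""
    req = urllib.request.Request(
        GRAPH_RUN_HUNTING_QUERY,
        data=json.dumps({"Query": query}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def pivot_rows(rows, row_key, col_key, value_key, fill=0):
    """Emulate `evaluate pivot(col_key, sum(value_key), row_key)` client-side.

    Returns (columns, table): columns is the sorted list of distinct col_key
    values; table maps each row_key value to {column: aggregated value}, using
    `fill` for combinations that never occurred (the plugin emits 0 there).
    """
    columns = sorted({r[col_key] for r in rows})
    table = defaultdict(lambda: {c: fill for c in columns})
    for r in rows:
        table[r[row_key]][r[col_key]] += r[value_key]
    return columns, dict(table)


def pivot_hunting_result(result: dict, row_key, col_key, value_key):
    """Pivot a runHuntingQuery response; returns rows shaped like the API's own."""
    columns, table = pivot_rows(result["results"], row_key, col_key, value_key)
    return [{row_key: k, **v} for k, v in sorted(table.items())]


# Constructed sample response in the Graph runHuntingQuery shape.
SAMPLE_RESPONSE = {
    "schema": [{"name": "DeviceName", "type": "String"},
               {"name": "ActionType", "type": "String"},
               {"name": "Count", "type": "Int64"}],
    "results": [
        {"DeviceName": "ws01", "ActionType": "ProcessCreated", "Count": 40},
        {"DeviceName": "ws01", "ActionType": "OpenProcess", "Count": 3},
        {"DeviceName": "srv02", "ActionType": "ProcessCreated", "Count": 12},
    ],
}

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with run_hunting_query(token, FLAT_QUERY) to run live.
    for row in pivot_hunting_result(SAMPLE_RESPONSE, "DeviceName", "ActionType", "Count"):
        print(row)
```

The same shape works for any aggregation the flat query can express (`sum`, `dcount`, `max`) because the pivot only adds the per-column values it is handed; keeping the aggregation in KQL and only the reshaping in the client keeps the result set small.
]]>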
    <item>
      <title>Assess Secure Boot status with Microsoft Defender</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/assess-secure-boot-status-with-microsoft-defender/ba-p/4510356</link>
      <description>&lt;H4&gt;&lt;STRONG&gt;Understanding the Secure Boot certificate challenge&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Secure Boot is a foundational security feature that validates the integrity of your device's boot process, ensuring only trusted software can run during system startup. This protection has been quietly defending enterprise devices since 2012, but the original 2011 certificates that enable this trust are approaching their expiration date.&lt;/P&gt;
&lt;P&gt;When the 2011 certificates expire in June 2026, devices that haven't transitioned to the new Windows UEFI CA 2023 certificates will continue to boot, but they will no longer be able to receive or enforce new security protections for the early boot process. Over time, this weakens the device’s root of trust and exposes it to classes of attacks that operate before the operating system and security controls are fully loaded:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Malicious or tampered boot components may no longer be reliably blocked if they are not signed with trusted certificates&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Devices may be unable to adopt future Secure Boot policy updates designed to mitigate newly discovered boot-level threats&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Attackers may attempt to leverage boot-level persistence techniques that operate below the visibility of traditional security controls&amp;nbsp;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;As new vulnerabilities and protections are introduced, devices that are not updated will gradually fall behind in their ability to enforce trust at boot. The challenge isn’t just knowing that this transition needs to happen; it’s understanding which devices in your fleet have successfully completed the update and which still require attention.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Introducing Secure Boot 2023 certificate assessment&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;A new recommendation in Defender allows you to ensure that devices are updated to Secure Boot 2023 certificates and boot manager, providing a centralized, at-scale view of Secure Boot certificate readiness across your environment.&lt;/P&gt;
&lt;P&gt;This assessment automatically categorizes your devices into:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Exposed devices&lt;/STRONG&gt;: Still trust only the older (2011) Secure Boot certificates and do not yet trust the 2023 certificates&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Compliant devices&lt;/STRONG&gt;: Successfully relying on the 2023 certificates and signed boot manager&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Not applicable devices&lt;/STRONG&gt;: Systems where Secure Boot is disabled or not supported&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;From the recommendation view, you can:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Drill down into exposed devices and identify exactly which systems require attention&lt;/LI&gt;
&lt;LI&gt;Filter by OS platform and device context to prioritize remediation efforts&lt;/LI&gt;
&lt;LI&gt;Export device data to share with infrastructure and platform teams&lt;/LI&gt;
&lt;LI&gt;Track rollout progress across your organization&lt;/LI&gt;
&lt;LI&gt;Integrate findings into existing security posture workflows&lt;/LI&gt;
&lt;/UL&gt;
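<![CDATA[
A local spot check for the exposed versus compliant split described above, as an added example that is not part of the original post or of Microsoft's tooling. It parses the raw Secure Boot `db` variable (a sequence of EFI_SIGNATURE_LIST structures) and reports whether the Windows UEFI CA 2023 certificate is trusted next to the 2011 CA. Assumptions: the bytes come from `(Get-SecureBootUEFI -Name db).Bytes` on the device; subject matching is a byte substring search rather than a full X.509 parse; the sample databases are constructed from fake certificate blobs so the script runs offline; and it covers only the certificate half of the recommendation, not whether the 2023-signed boot manager is installed.

```python
"""Parse a Secure Boot `db` variable and report which Microsoft CAs it trusts.

Added example, not code from the original post. On a Windows device the raw
bytes come from PowerShell: (Get-SecureBootUEFI -Name db).Bytes, saved to a
file. The signature databases built below are constructed from fake certificate
blobs so the script runs offline. Subject matching is a byte substring search,
not a full X.509 parse (assumption: adequate for the CA names used here; use
the `cryptography` package for a strict check).
"""
import struct
import uuid

# EFI_CERT_X509_GUID: lists whose SignatureData entries are DER X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Subject CN of the expiring 2011 Windows CA and its 2023 replacement.
OLD_WINDOWS_CA = b"Microsoft Windows Production PCA 2011"
NEW_WINDOWS_CA = b"Windows UEFI CA 2023"


def iter_signature_lists(data: bytes):
    """Yield (signature_type, [signature_data, ...]) for each EFI_SIGNATURE_LIST."""
    off = 0
    while off + 28 <= len(data):  # fixed header: GUID + three UINT32 fields
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = data[off + 28 + hdr_size: off + list_size]
        # Each EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID + SignatureData.
        sigs = [body[i + 16: i + sig_size] for i in range(0, len(body), sig_size)]
        yield sig_type, sigs
        off += list_size


def trusted_cas(db: bytes):
    """Return the set of known CA names found in X.509 entries of the db."""
    found = set()
    for sig_type, sigs in iter_signature_lists(db):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # skip SHA-256 hash lists and other entry types
        for der in sigs:
            for name in (OLD_WINDOWS_CA, NEW_WINDOWS_CA):
                if name in der:
                    found.add(name.decode())
    return found


def secure_boot_2023_status(db: bytes) -> str:
    """Classify the db the way the Defender recommendation does: Compliant / Exposed."""
    cas = trusted_cas(db)
    if NEW_WINDOWS_CA.decode() in cas:
        return "Compliant"
    if OLD_WINDOWS_CA.decode() in cas:
        return "Exposed"
    return "Unknown"


def build_signature_list(sig_type: uuid.UUID, blobs) -> bytes:
    """Build one EFI_SIGNATURE_LIST (no signature header) from equal-length blobs."""
    sig_size = 16 + len(blobs[0])
    body = b"".join(uuid.uuid4().bytes_le + blob for blob in blobs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def fake_cert(name: bytes) -> bytes:
    """Constructed stand-in for a DER certificate whose subject contains `name`."""
    return b"\x30\x82" + name.ljust(64, b"\x00")


# Constructed sample dbs: a device still on the 2011 trust only, and an updated one.
DB_2011_ONLY = build_signature_list(EFI_CERT_X509_GUID, [fake_cert(OLD_WINDOWS_CA)])
DB_UPDATED = DB_2011_ONLY + build_signature_list(EFI_CERT_X509_GUID, [fake_cert(NEW_WINDOWS_CA)])

if __name__ == "__main__":
    import sys
    db = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DB_UPDATED
    print(sorted(trusted_cas(db)), secure_boot_2023_status(db))
```

Run it with the path of a db dump as the only argument; with no argument it evaluates the constructed updated database. A device whose db still lacks the 2023 CA reports Exposed, which is the population the recommendation view lets you drill into; the KEK and third-party UEFI CA updates covered by the guidance link below are separate variables and are not checked here.
]]>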
&lt;img&gt;[Secure Boot 2023 recommendation in MDE portal showing deployment status across the fleet]&lt;/img&gt;
&lt;H4&gt;&lt;STRONG&gt;Take action on your Secure Boot readiness&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;To access this tool in the Defender portal, navigate to Exposure Management → Recommendations → Devices → Misconfigurations. Once Defender identifies exposed devices, it provides remediation guidance.&lt;/P&gt;
&lt;P&gt;For detailed deployment guidance, including enterprise rollout strategies and validation practices, see: &lt;A href="https://aka.ms/GetSecureBoot" target="_blank" rel="noopener"&gt;https://aka.ms/GetSecureBoot&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Your action plan&lt;/STRONG&gt;&lt;/H4&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Assess your exposure&lt;/STRONG&gt;&lt;BR /&gt;Navigate to the tool to understand how many devices in your environment require updates.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Engage the right teams&lt;/STRONG&gt;&lt;BR /&gt;Secure Boot certificate deployment is typically owned by infrastructure and platform teams, so coordinate across your organization.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Prioritize high-value assets&lt;/STRONG&gt;&lt;BR /&gt;Focus remediation efforts on critical devices and sensitive environments first.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Track progress over time&lt;/STRONG&gt;&lt;BR /&gt;Monitor rollout progress and ensure coverage improves ahead of the June 2026 deadline.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H4&gt;&lt;STRONG&gt;Learn more&lt;/STRONG&gt;&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Visit the comprehensive Secure Boot guidance at&amp;nbsp;&lt;A href="https://aka.ms/GetSecureBoot" target="_blank" rel="noopener"&gt;https://aka.ms/GetSecureBoot&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Learn more about&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-microsoft-secure-score-devices?tabs=preview-customers" target="_blank" rel="noopener"&gt;Microsoft Secure Score for Devices in Microsoft Defender for Endpoint&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;To learn more about endpoint protection with Microsoft Defender, check out our&amp;nbsp;&lt;A href="https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint" target="_blank" rel="noopener"&gt;website&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;To learn more about Microsoft Security solutions, visit our &lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;website.&lt;/A&gt; Bookmark the &lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;Security blog&lt;/A&gt; to keep up with our expert coverage on security matters. Follow us on LinkedIn (&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;Microsoft Security&lt;/A&gt;) and X (&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;@MSFTSecurity&lt;/A&gt;) for the latest news and updates on cybersecurity.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 27 Apr 2026 16:38:22 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/assess-secure-boot-status-with-microsoft-defender/ba-p/4510356</guid>
      <dc:creator>amitcohen</dc:creator>
      <dc:date>2026-04-27T16:38:22Z</dc:date>
    </item>
    <item>
      <title>Introducing effective settings: See security configurations enforced on your device</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-effective-settings-see-security-configurations/ba-p/4499551</link>
      <description>&lt;H4&gt;See exactly which security configurations are enforced on your device&lt;/H4&gt;
&lt;P&gt;Security teams spend significant time defining policies for Microsoft Defender security settings. But when it comes to investigations or troubleshooting, the real question is often simple: &lt;EM&gt;what is currently being enforced on this device?&lt;/EM&gt; Today, we’re excited to share that the &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/defender-endpoint/investigate-machines?wt.mc_id=MVP_452337#configuration-management---effective-settings" target="_blank" rel="noopener"&gt;effective settings experience&lt;/A&gt; is now generally available in Defender to provide this critical visibility.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Figure #1: Effective settings tab on the device page&lt;/EM&gt;&lt;/img&gt;
&lt;H4&gt;From intended policy to real-world enforcement&lt;/H4&gt;
&lt;P&gt;Understanding device security posture sometimes means correlating policy intent across multiple management sources, including Intune, Group Policy Object (GPO), and local admin configurations. With effective settings, administrators can see the &lt;EM&gt;effective value&lt;/EM&gt; of each security setting on a specific device—along with the configuration source—and quickly identify configuration attempts that didn’t take effect. This helps eliminate silent gaps where intended protections are not actually enforced, reducing the risk of unnoticed exposure during incidents or active attacks. And this shift from intent to reality helps teams move faster when validating posture, investigating incidents, or resolving conflicts between management tools.&lt;/P&gt;
&lt;H4&gt;A new view on the device page&lt;/H4&gt;
&lt;P&gt;The effective settings tab is available as a new tab under the &lt;STRONG&gt;configuration management&lt;/STRONG&gt; tab on the device page. From this single location, you can:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;View the &lt;STRONG&gt;actual value&lt;/STRONG&gt; enforced for each security setting&lt;/LI&gt;
&lt;LI&gt;Identify the &lt;STRONG&gt;configuring source&lt;/STRONG&gt; responsible for that value&lt;/LI&gt;
&lt;LI&gt;See &lt;STRONG&gt;additional configuration attempts&lt;/STRONG&gt; from other sources that were evaluated but not applied&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;For complex or layered scenarios such as Microsoft Defender Antivirus exclusions and Attack Surface Reduction (ASR) rules, all configured rules are shown together with their effective value, configuring source, and additional configuration attempts.&lt;/P&gt;
&lt;P&gt;This makes it far simpler to understand why a device behaves the way it does, without jumping between consoles or guessing which policy “won.”&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Figure #2: Simple settings side panel&lt;/EM&gt;&lt;/img&gt;&lt;img&gt;&lt;EM&gt;Figure #3: Complex settings side panel&lt;/EM&gt;&lt;/img&gt;
&lt;H4&gt;Practical use cases&lt;/H4&gt;
&lt;P&gt;Security admins and analysts can use &lt;STRONG&gt;effective settings&lt;/STRONG&gt; for use cases like:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Validating enforcement&lt;/STRONG&gt; – Confirm that intended security configurations are truly applied on devices&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Troubleshooting conflicts&lt;/STRONG&gt; – Quickly spot competing policies or management sources that prevented a configuration from being enforced&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Improving operational confidence&lt;/STRONG&gt; – Reduce uncertainty by relying on an authoritative, device-level view of security settings&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Platform support and what’s next&lt;/H4&gt;
&lt;P&gt;The current release focuses on &lt;STRONG&gt;Windows platform antivirus security settings&lt;/STRONG&gt;, including ASR rules and exclusions. This is just the beginning. Our roadmap includes expanding coverage across additional platforms, and a broader set of security settings configured through the Microsoft 365 Defender and Intune portals.&lt;/P&gt;
&lt;H4&gt;Getting started&lt;/H4&gt;
&lt;P&gt;If you’re using Microsoft Defender for Endpoint, head to a device page and open the &lt;STRONG&gt;configuration management → effective settings&lt;/STRONG&gt; tab to explore the experience firsthand.&lt;/P&gt;
&lt;P&gt;Supported versions:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Microsoft Defender for Endpoint Sense client: 10.8735.26018.1000 or later&lt;/LI&gt;
&lt;LI&gt;Microsoft Defender Antivirus platform: 4.18.25010.11 (January 2025 release) or later&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Learn more&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-endpoint/investigate-machines?wt.mc_id=MVP_452337#configuration-management---effective-settings" target="_blank" rel="noopener"&gt;Learn more about investigating devices in Defender&lt;/A&gt;. To get started, navigate to a device page and open the &lt;STRONG&gt;configuration management → effective settings&lt;/STRONG&gt; tab.&lt;/LI&gt;
&lt;LI&gt;To learn more about Microsoft Defender endpoint protection, check out our&amp;nbsp;&lt;A href="https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint" target="_blank" rel="noopener"&gt;website&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;To learn more about Microsoft Security solutions, visit our &lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;website.&lt;/A&gt; Bookmark the &lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;Security blog&lt;/A&gt; to keep up with our expert coverage on security matters. Follow us on LinkedIn (&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;Microsoft Security&lt;/A&gt;) and X (&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;@MSFTSecurity&lt;/A&gt;) for the latest news and updates on cybersecurity.&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 09 Mar 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-effective-settings-see-security-configurations/ba-p/4499551</guid>
      <dc:creator>ArielMichaeli1</dc:creator>
      <dc:date>2026-03-09T16:00:00Z</dc:date>
    </item>
    <item>
      <title>Transparent and customizable onboarding for modern and legacy Windows devices</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/transparent-and-customizable-onboarding-for-modern-and-legacy/ba-p/4498827</link>
      <description>&lt;P&gt;Onboarding all devices in your estate is paramount for strong security posture. In fact, Microsoft Threat Intelligence research shows that in the majority of ransomware attacks, the spreader machine was a device that was not yet onboarded. But customers often struggle to follow complex steps that differ by OS, accidentally duplicate devices because they can’t tell whether onboarding is in progress or failed, or have incorrect initial configuration settings causing system incompatibility. That’s why we’re introducing an updated onboarding experience via the Defender deployment tool for Windows that improves progress visibility and adds controls—like package naming and configurable expiry—to help administrators manage onboarding securely at scale.&lt;/P&gt;
&lt;H3 aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;What’s&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;new&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;The&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;Defender deployment tool streamlines&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;the onboarding process&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;by&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;dynamically adapt&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;ing&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;to the operating system, delivering healthy endpoint security to a diverse&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;estate&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;of Windows devices.&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;It&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;is the preferred automated solution&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;that works on&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;modern and legacy devices&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;and&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;removes the need for a&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;separate onboarding&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;file by embed&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;ding the onboarding&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;package and all related information within a downloadable&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;exe&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;that&lt;/SPAN&gt;&lt;SPAN 
data-ccp-parastyle="heading 3"&gt;&amp;nbsp;can be run to onboard devices.&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;This &lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;updated experience&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;makes&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;&amp;nbsp;onboarding more predictable and transparent, while adding administrative controls that help reduce exposure if onboarding packages are accidentally shared beyond your organization&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;:&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A single, runnable .exe for onboarding with the onboarding information embedded (no separate onboarding file required)&lt;/LI&gt;
&lt;LI&gt;Silent and non-interactive onboarding options to support large-scale deployments with tools like Group Policy or Configuration Manager&lt;/LI&gt;
&lt;LI&gt;Custom package identifiers to help track and manage onboarding packages across your organization&lt;/LI&gt;
&lt;LI&gt;Configurable onboarding package expiry (up to one year)&lt;/LI&gt;
&lt;LI&gt;Customizable name identifiers and keys for increased control and visibility&lt;/LI&gt;
&lt;LI&gt;New portal entry points and guidance to make it easier to find the right onboarding and offboarding method for Windows, including directly from the device inventory page&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;The new, streamlined onboarding tab in the Defender portal&lt;/img&gt;
&lt;H3&gt;&lt;SPAN data-contrast="auto"&gt;Customize your deployment package&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This experience moves away from using scripts and loose blobs, making it more difficult for onboarding to take place at the hands of unauthorized users and significantly decreasing security issues related to blobs in the wild that don't expire. &lt;/SPAN&gt;&lt;SPAN data-contrast="none"&gt;And&amp;nbsp;for the first time, you can set custom expiry&amp;nbsp;dates&amp;nbsp;on onboarding packages&amp;nbsp;for 1 day, 7 days, or a custom amount up to a year.&amp;nbsp;Expiry for onboarding packages protects customers from unwanted onboarding and compliance issues, limiting packages from getting misused if&amp;nbsp;they’re&amp;nbsp;found in a public place. Expiry reduces the likelihood of unauthorized package usage, together with the new portal-provided key that you must input to complete the onboarding process.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Customize your deployment package with a name and expiry date&lt;/img&gt;
&lt;H3&gt;&lt;SPAN data-contrast="none"&gt;See your onboarding telemetry in detail&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;Deployment tool events are available in the device timeline and advanced hunting tabs for increased transparency into onboarding progress and errors, so you can quickly address any issues.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;On&amp;nbsp;the new deployment packages page, you can see your organization's onboarding packages&amp;nbsp;at a glance&amp;nbsp;and&amp;nbsp;click to see more package properties, increasing visibility and traceability within the onboarding process. This is&amp;nbsp;a great foundation for adding even more onboarding-related telemetry to view per device in the future. You can even&amp;nbsp;filter by&amp;nbsp;active or expired packages and hide packages you no longer&amp;nbsp;wish&amp;nbsp;to see.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img&gt;The new deployment packages page in the Defender portal&lt;/img&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;To experience this next iteration of the Defender deployment tool for Windows, navigate to&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Settings &amp;gt; Endpoints &amp;gt; Onboarding &amp;gt; Windows&lt;/STRONG&gt;,&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;or jump there directly from the device inventory page. There you'll see the newly designed onboarding page in the Defender portal, complete with on/offboarding guides. Select the Defender deployment tool from the options shown.&amp;nbsp; &lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;New onboarding and offboarding buttons on the device inventory page&lt;/img&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:279}"&gt;The Defender deployment tool is also available for Linux. We look forward to continuing to share ways we're making it easier to onboard devices to Defender.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="3"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 3"&gt;Learn more&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-endpoint/defender-deployment-tool-windows" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Deploy Microsoft Defender endpoint security to Windows devices using the Defender deployment tool (preview) - Microsoft Defender for Endpoint | Microsoft Learn&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-endpoint/linux-install-with-defender-deployment-tool" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Deploy Microsoft Defender endpoint security to Linux devices using the Defender deployment tool (preview) - Microsoft Defender for Endpoint | Microsoft Learn&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:279}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;To learn more about Microsoft Defender's endpoint protection, check out&amp;nbsp;our &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;website&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;To learn more about Microsoft Security solutions, visit our&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/en-us/security/business" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;website.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Bookmark the&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; &lt;/SPAN&gt;&lt;A href="https://www.microsoft.com/security/blog/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="auto"&gt;https://www.microsoft.com/security/blog/&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;to keep up with our expert coverage on security matters. 
Follow us on LinkedIn (&lt;/SPAN&gt;&lt;A href="https://www.linkedin.com/showcase/microsoft-security/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="auto"&gt;https://www.linkedin.com/showcase/microsoft-security/&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;) and X (&lt;/SPAN&gt;&lt;A href="https://twitter.com/@MSFTSecurity" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="auto"&gt;https://twitter.com/@MSFTSecurity&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;)&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt; &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;for the latest news and updates on cybersecurity.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:278}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 03 Mar 2026 03:25:40 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/transparent-and-customizable-onboarding-for-modern-and-legacy/ba-p/4498827</guid>
      <dc:creator>Sinclaire_Hamilton</dc:creator>
      <dc:date>2026-03-03T03:25:40Z</dc:date>
    </item>
    <item>
      <title>Introducing library management in Microsoft Defender</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-library-management-in-microsoft-defender/ba-p/4494434</link>
      <description>&lt;P&gt;In dynamic investigation environments, preparation and agility are key. Security analysts working with live response in Microsoft Defender often rely on scripts and tools to triage, investigate, and remediate threats. Until now, these assets had to be uploaded during active sessions, limiting manageability and increasing time to action.&lt;/P&gt;
&lt;P&gt;Recognizing the need for better readiness and control, Defender now introduces a more proactive and efficient way to manage these assets: &lt;STRONG&gt;library management&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;The new library management experience in Defender brings powerful enhancements to how security teams manage scripts and files used in live response. With this centralized and streamlined interface, analysts no longer need to wait for an active session to organize their investigation tools; everything can now be managed proactively, directly from the portal. This enhancement in Defender’s live response tooling improves operational readiness, enhances visibility and control, and helps streamline response workflows across SOC teams.&lt;/P&gt;
&lt;H4&gt;What’s new in library management?&lt;/H4&gt;
&lt;P&gt;&lt;STRONG&gt;Centralized script and file management – &lt;/STRONG&gt;Security teams can now upload, manage, and clean up their entire collection of Live Response scripts and files outside of an active investigation. This proactive approach allows better preparation and alignment across analysts.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Upload in advance – &lt;/STRONG&gt;Easily upload PowerShell scripts, batch files, or other response tools ahead of time, so they're immediately accessible when needed during an investigation.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;View script contents in the portal – &lt;/STRONG&gt;No need to switch tools, analysts can review script contents directly within the Defender UI to validate logic and confirm functionality before execution.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Clean and organize – &lt;/STRONG&gt;Outdated or redundant scripts can be deleted with a click, keeping your library lean, relevant, and audit-friendly.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Boost analyst understanding with Copilot – &lt;/STRONG&gt;Understanding unfamiliar scripts can slow down investigations. That’s where &lt;STRONG&gt;Microsoft Security Copilot&lt;/STRONG&gt; comes in.&lt;/P&gt;
&lt;P&gt;Copilot automatically analyzes scripts in the library and provides:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Summarized behavior descriptions&lt;/LI&gt;
&lt;LI&gt;Security-relevant insights&lt;/LI&gt;
&lt;LI&gt;Execution risk context&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This makes it easier for analysts—especially those new to a team or handling inherited tools—to assess what a script does before running it, reducing errors and increasing confidence.&lt;/P&gt;
&lt;H4&gt;Get started today&lt;/H4&gt;
&lt;P&gt;You can access the Library Management experience from the &lt;STRONG&gt;live response page&lt;/STRONG&gt; in the Microsoft Defender portal. Start uploading your investigation tools, explore script previews, and let Copilot assist in surfacing the intent and behavior of your scripts.&lt;/P&gt;
</description>
      <pubDate>Tue, 17 Feb 2026 17:52:18 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-library-management-in-microsoft-defender/ba-p/4494434</guid>
      <dc:creator>amibarayev</dc:creator>
      <dc:date>2026-02-17T17:52:18Z</dc:date>
    </item>
    <item>
      <title>Defender for Business - No alert after process lock out ?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-for-business-no-alert-after-process-lock-out/m-p/4489725#M6859</link>
      <description>&lt;P&gt;Hello all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A few days ago, I set up Defender for Business server on a Windows Server 2019.&lt;/P&gt;&lt;P&gt;I can see that server in the Microsoft security portal devices list.&lt;/P&gt;&lt;P&gt;I have also tested the "suspicious" PowerShell command provided by Microsoft and it went all good. PowerShell blocked, alert escalated as an incident in the security portal, email received, ...&lt;/P&gt;&lt;P&gt;But the next day, I tried to install a service on that server that got blocked by Virus &amp;amp; Threat Protection because it was attempting to modify a lot of files. That was a good point for Defender (it was not a real threat and was later added as an exception).&lt;/P&gt;&lt;P&gt;My worry is that it was never escalated to the security portal, I didn't receive an alert email, ... The system blocked that "threat" multiple times during my attempt to deploy it and no incident was thrown.&lt;BR /&gt;&lt;BR /&gt;What could be wrong?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 27 Jan 2026 11:43:15 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-for-business-no-alert-after-process-lock-out/m-p/4489725#M6859</guid>
      <dc:creator>karnalta</dc:creator>
      <dc:date>2026-01-27T11:43:15Z</dc:date>
    </item>
    <item>
      <title>Save the date - January 26, 2026 - AMA: Secure your endpoints with policy and Microsoft Defender</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/save-the-date-january-26-2026-ama-secure-your-endpoints-with/m-p/4487926#M6855</link>
      <description>
&lt;P&gt;Save the date for &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-occasion" href="https://techcommunity.microsoft.com/event/microsoftintuneevents/ama-secure-your-endpoints-with-policy-and-microsoft-defender/4485786" target="_blank" rel="noopener" data-lia-auto-title="January 26 at 8:00 AM PT" data-lia-auto-title-active="0"&gt;January 26 at 8:00 AM PT&lt;/A&gt;! Have questions about using Microsoft Intune to enforce device compliance? Curious how to configure devices to help prevent security breaches and limit the impact of threats? Ask Microsoft Anything (AMA) about integrating Microsoft Defender for Endpoint with Microsoft Intune at Tech Community Live! &lt;BR /&gt;&lt;BR /&gt;Product teams will be answering your questions live and in chat. Get tips using policy to onboard devices, define risk level, block non-compliant devices from accessing corporate resources, and more.&lt;BR /&gt;&lt;BR /&gt;Go to&amp;nbsp;&lt;A href="https://aka.ms/AMA/SecureEndpoints" target="_blank" rel="noopener"&gt;aka.ms/AMA/SecureEndpoints&lt;/A&gt; to save the date and add this event to your calendar!&lt;/P&gt;</description>
      <pubDate>Tue, 20 Jan 2026 22:13:25 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/save-the-date-january-26-2026-ama-secure-your-endpoints-with/m-p/4487926#M6855</guid>
      <dc:creator>Pearl-Angeles</dc:creator>
      <dc:date>2026-01-20T22:13:25Z</dc:date>
    </item>
    <item>
      <title>Defender for Identity health issues</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-for-identity-health-issues/m-p/4487106#M6851</link>
      <description>&lt;P&gt;When will the issues/alerts from Defender for Identity sensors be available to view via advanced hunting instead of the Graph API and "/security/identities/healthIssues"?&lt;/P&gt;</description>
      <pubDate>Mon, 19 Jan 2026 11:31:19 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-for-identity-health-issues/m-p/4487106#M6851</guid>
      <dc:creator>zlate81</dc:creator>
      <dc:date>2026-01-19T11:31:19Z</dc:date>
    </item>
    <item>
      <title>Using MDE (Passive Mode) with Palo Alto Cortex XDR to enable Defender for IoT (Enterprise IoT)</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/using-mde-passive-mode-with-palo-alto-cortex-xdr-to-enable/m-p/4485625#M6850</link>
      <description>&lt;P&gt;Hi everyone!&lt;BR /&gt;I’m working with a customer that uses &lt;STRONG&gt;Palo Alto Cortex XDR&lt;/STRONG&gt; as their primary EDR. We want to leverage &lt;STRONG&gt;Microsoft Defender for IoT&lt;/STRONG&gt; specifically for &lt;STRONG&gt;Enterprise IoT&lt;/STRONG&gt; (not OT/ICS). I have a few questions:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;MDE in Passive Mode as a sensor:&lt;/STRONG&gt;&lt;BR /&gt;Can &lt;STRONG&gt;Microsoft Defender for Endpoint (MDE)&lt;/STRONG&gt; running in &lt;STRONG&gt;Passive mode&lt;/STRONG&gt; act as a sensor to enable Enterprise IoT discovery/monitoring for Defender for IoT? Are there any &lt;STRONG&gt;feature limitations&lt;/STRONG&gt; when MDE is not the primary EDR?&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Appliance sensor in Enterprise IT:&lt;/STRONG&gt;&lt;BR /&gt;If we cannot use the MDE agent, is it &lt;STRONG&gt;supported&lt;/STRONG&gt; to deploy the &lt;STRONG&gt;Defender for IoT appliance sensor&lt;/STRONG&gt; in an &lt;STRONG&gt;enterprise IT network&lt;/STRONG&gt; (e.g., offices/campuses) to cover &lt;STRONG&gt;Enterprise IoT&lt;/STRONG&gt; use cases?&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Coexistence / Complementary sensors:&lt;/STRONG&gt;&lt;BR /&gt;Is it possible (and recommended) to run the &lt;STRONG&gt;appliance sensor alongside MDE (sensor)&lt;/STRONG&gt; to &lt;STRONG&gt;complement coverage/features&lt;/STRONG&gt;? Any guidance on &lt;STRONG&gt;architecture&lt;/STRONG&gt;, &lt;STRONG&gt;data overlap/deduplication&lt;/STRONG&gt;, or &lt;STRONG&gt;licensing implications&lt;/STRONG&gt;?&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Wed, 14 Jan 2026 13:56:04 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/using-mde-passive-mode-with-palo-alto-cortex-xdr-to-enable/m-p/4485625#M6850</guid>
      <dc:creator>gabpereira</dc:creator>
      <dc:date>2026-01-14T13:56:04Z</dc:date>
    </item>
  </channel>
</rss>

