Microsoft Defender for Endpoint Blog articles

Reduce unnecessary internet exposure with Microsoft Defender

hadarshindler — Thu, 11 Jun 2026 16:00:00 GMT

In today’s threat landscape, internet exposure, i.e. devices that allow inbound connectivity from the public internet, continues to be a major vector for initial access and compromise. Devices that are exposed to the public internet can significantly increase an organization’s attack surface, making them prime targets for initial access, exploitation, and lateral movement.

However, not all internet-facing devices represent a security issue. Many are intentionally exposed to support business-critical scenarios such as hosting web applications, enabling remote access, or supporting communication services. The challenge for security teams is not just detecting internet-facing devices, but understanding why a device is exposed, whether that exposure is expected, and what action should be taken. That’s why we’re introducing a new security recommendation in Microsoft Defender that helps organizations identify, review, and reduce unnecessary internet exposure across their environment.

Understand your internet-facing exposure

This recommendation focuses specifically on devices that are accessible from the public internet, meaning they can receive inbound connections initiated from external sources, not devices that only use the internet for outbound communication.

Externally reachable assets are often the first point of entry for attackers, making this a critical signal for security prioritization.

Microsoft Defender identifies internet-facing devices based on signals that indicate external inbound reachability, including:

External scan telemetry identifying devices reachable from the public internet
Network telemetry showing inbound connections from external sources

By correlating these signals, Defender surfaces devices that are externally reachable.

Introducing internet-facing exposure assessment

A new recommendation in Microsoft Defender provides a centralized view of devices that are externally reachable from the public internet, helping you understand and manage exposure across your environment.

This assessment categorizes devices based on their exposure state:

Exposed devices: Devices that are reachable from the public internet and require review
Compliant devices: Devices that are not externally reachable, or where the internet exposure has been explicitly validated and accepted by the organization’s security team as intended
Not applicable devices: Devices that do not exhibit inbound internet exposure

From the recommendation view, you can:

Drill down into exposed devices and understand why they are reachable
Review context such as exposed services and connectivity
Explore device-level details to support investigation
Track exposure posture across your environment over time

Take action on your internet exposure

To access this recommendation in the Defender portal, navigate to Exposure management → Recommendations → Devices → Misconfigurations. Once Defender identifies internet-facing devices, it provides the context needed to review and take action.

Your action plan

1. Assess your exposure
Review the recommendation to understand which devices in your environment are externally reachable from the public internet and why they were classified as internet-facing.

2. Validate whether exposure is required
Determine if the inbound connectivity is expected for each device. Confirm business need and ownership before taking action.

3. Prioritize high-risk assets
Focus on critical servers or sensitive environments that are exposed to the internet, as they present the highest risk for initial access.

4. Reduce unnecessary exposure
Restrict or remove inbound connectivity where it is not required by closing exposed ports, removing public access, or moving services behind controlled access layers.

5. Track and maintain posture over time
Continuously monitor internet-facing devices to ensure unnecessary exposure is reduced and new exposure is validated as environments evolve.

FAQ

1. Which devices are currently supported?

This recommendation applies to supported Windows client and Windows Server devices. Supported versions include Windows 10, version 1607 and earlier; Windows 10, version 1809 and later; and Windows 11.

2. Why might there be differences between this recommendation and the Internet-facing filter in device inventory?

This recommendation reflects devices observed as internet-facing during the recommendation assessment window. Device exposure can change over time, and different Microsoft Defender experiences may refresh at different times.

As a result, temporary differences may occur between this recommendation and the Internet-facing filter in device inventory.

For the most current device-level view, use the Internet-facing filter in device inventory. If a device was recently remediated or its exposure recently changed, allow time for the recommendation status to refresh.

3. Could regular employee laptops or personal devices appear as internet-facing?

This recommendation evaluates supported devices onboarded to Microsoft Defender for Endpoint and focuses specifically on inbound internet reachability.

Typical internet usage, such as web browsing, generates outbound traffic and does not by itself classify a device as internet-facing.

Devices are identified as internet-facing only when they are externally reachable from the public internet.

As a result:

- Personal devices that are not onboarded to Microsoft Defender for Endpoint are not included in this assessment.
- Corporate laptops may appear as internet-facing if they are directly reachable from the internet, which may indicate an unintended network exposure or configuration issue.

Learn more

For additional guidance on investigating and managing internet-facing devices, see:

Learn how Defender identifies and maps externally reachable devices across your environment Discovering internet-facing devices using Microsoft Defender
Learn how to review and investigate internet-facing device exposure Investigate devices in Microsoft Defender
Learn more about Microsoft Secure Score for Devices in Microsoft Defender
To learn more about endpoint protection with Microsoft Defender, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Introducing scheduled antivirus scans on Microsoft Defender Linux

Rutuja_dange — Wed, 10 Jun 2026 16:00:00 GMT

Security teams rely on scheduled scans to ensure consistent coverage across devices, detect dormant or missed threats, and meet compliance requirements. However, managing scans on Linux has traditionally required custom scripts and cron-based setups, which can be hard to scale and maintain. That’s why we’re excited to introduce centrally managed scheduled antivirus scans for Linux in Microsoft Defender, now available in public preview. With this release, we are bringing built-in, flexible scheduling capabilities directly into Defender - making it easier to manage and standardize scan behaviour across Linux environments.

What’s new

With this capability, customers can now configure scheduled antivirus scans on Linux using security settings management policies in the Microsoft Defender portal for centralized policy enforcement or local Managed JSON configuration that can be deployed via configuration management tools like ansible, puppet and chef.

The feature supports a flexible set of scheduling options, including hourly quick scans (interval-based scheduling), daily quick scans at a defined time, and weekly scans with configurable scan type (quick or full). In addition, customers can control how scans run with advanced options such as:

Running scans only when the device is idle
Reducing CPU impact using low CPU priority
Checking for definition updates before scanning
Randomizing scans start times
Ignoring exclusions during scheduled scans

These capabilities allow security teams to balance coverage, performance, and operational needs across large Linux environments.

Why this matters

From a security perspective, scheduled scans play a critical role in detecting dormant threats, missed detections, and malicious artifacts that may not be caught through real-time protection alone. Without consistent and centrally enforced scheduling, these gaps can increase risk across the environment.

With this release, scheduled scans are now:

Centrally managed through Defender policies
Consistently enforced across devices
Aligned with security best practices for regular scanning
Integrated into the broader Defender security posture

This helps organizations strengthen their overall security posture while reducing operational complexity.

Get started

To get started, ensure devices are running agent version 101.26032.0000 or later (production ring), and configure scheduled scans using managed JSON or Defender portal policies.

Learn more

Learn more about how to schedule antivirus scans on Linux

To learn more about endpoint protection with Microsoft Defender, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Elevate your telemetry using custom data collection in Microsoft Defender

Theo_Cohen — Tue, 09 Jun 2026 16:00:00 GMT

At Ignite in November, we announced that Microsoft Defender is now the only endpoint protection solution that allows data-hungry security teams to meet specific telemetry needs by optimizing their data collection right within the Defender portal, without the need to rely on fragmented and siloed solutions. Since then, we've heard from customers that this tool has been a game changer, enabling them to hunt through new data types as well as richer data on events already reported. The release of custom data collection was a key milestone in our ongoing journey to make Defender easy to manage and customize.

Security teams have been asking for guidance and examples of how to get the most out of the tool, so today we're sharing how some organizations can use custom data collection and dynamic tagging to detect command and control (C2) communications, giving defenders elevated visibility and deeper telemetry into attacker activity across the environment.

See the data you want to see

Defender's default telemetry is tuned to balance performance and signal-to-noise across millions of devices, so it focuses on the events most useful for high-fidelity detection at fleet scale, but many organizations want richer, more granular signals for deeper hunting, compliance, or auditing purposes. Custom data collection lets you go beyond what Defender already captures without ever leaving the Defender portal. Easily build custom collection rules based on your organization’s specific needs using natural language; no PhD required! It includes several highly requested data types, including AMSI for hunting over script content, and Kerberos for hunting auth-based and network attacks.

This truly integrated custom data offering is possible thanks to Microsoft’s platform approach, as the additional telemetry can be collected and analyzed via Defender and stored via Microsoft Sentinel. It puts you in complete control of any customized, add-on data, including exactly which data types are collected and how long they are stored. No other security solution has fully integrated and customizable telemetry collection and analysis.

Example custom telemetry scenario: detecting C2 communications

Many organizations have a set of assets that require special attention, like internet-facing servers, domain controllers, and other high-value endpoints where deeper telemetry can make the difference between catching an intrusion early and discovering it after the damage is done.

Imagine your organization has received threat intelligence on attacks using stealthy C2 frameworks: HTTPS beacons with jittered intervals, DNS-based data exchange, and persistence via scheduled tasks and registry modifications. You want richer visibility into those internet-facing servers and high-value endpoints so you can hunt for these patterns proactively, instead of reconstructing them after the fact.

Dynamic tags scope these high-value devices into a targeted group, and custom data collection captures the extra process, network, and registry events from them, giving analysts the telemetry they need to hunt for beaconing, suspicious DNS patterns, and persistence before attackers establish a foothold.

To detect C2 communications using dynamic tagging, follow these steps:

Step 1: Tag your devices

Custom Data Collection rules are scoped to dynamic tags; once set, those tags are automatically applied and removed based on conditions you define. Configure them in Settings > Microsoft Defender XDR > Asset Rule Management.

Tag	Rule name	Conditions	Tag to apply
Internet-facing servers	InternetFacing-Servers	Internet facing = true AND OS platform equals Windows Server 2022	C2-Watchlist
Devices under active investigation	HighSev-Investigation	Manual tag equals UnderInvestigation	HighSev-Verbose

Bringing manual tags into the dynamic model

Custom data collection is built around dynamic tags by design: one leading, unified tagging experience that's more flexible and customizable. Dynamic tags can be driven by device properties, group membership, OS, or by existing manual tags, so anything your team already tags manually flows naturally into custom data collection through a simple Asset Rule Management rule, exactly as Tag 2 above does.

In this example, analysts manually tag a device UnderInvestigation during incident response. The dynamic rule picks up that manual tag and applies HighSev-Verbose, which custom data collection rules can target. The analyst doesn't need to know about dynamic tags they tag the device the way they always have, and custom data collection activates automatically.

Step 2: Build your collection rules

Navigate to Settings > Endpoints > Rules > Custom Data Collection. Select your Microsoft Sentinel workspace in the top-right corner.

Before creating rules, confirm you meet every prerequisite in the custom data collection documentation , in particular, your tenant must be onboarded to the Unified Security Operations Platform (USOP).

Rule 1: Outbound network connections from high-risk processes

Capture connections from processes commonly abused by C2 frameworks living-off-the-land binaries and scripting engines.

Setting	Value
Rule name	C2-OutboundConnections
Table	DeviceCustomNetworkEvents
Action	Connection Success
Condition	InitiatingProcessFileName Equals: powershell.exe, rundll32.exe, regsvr32.exe, mshta.exe, certutil.exe, msiexec.exe
Scope	Devices tagged C2-Watchlist

Rule 2: DNS query activity

Many C2 frameworks use DNS for beaconing or data exchange. Default telemetry captures limited DNS data. This rule collects all DNS queries from monitored devices.

Setting	Value
Rule name	C2-DNSActivity
Table	DeviceCustomNetworkEvents
Action	Connection Success
Condition	RemotePort equals 53
Scope	Devices tagged C2-Watchlist

Rule 3: Persistence mechanisms

C2 implants establish persistence via scheduled tasks, registry run keys, or services. Capture process creation events for common persistence tools.

Setting	Value
Rule name	C2-Persistence
Table	DeviceCustomProcessEvents
Action	Process Created
Condition	FileName in (schtasks.exe, reg.exe, sc.exe, at.exe)
Scope	Devices tagged C2-Watchlist

Rule 4: Full process and script telemetry during investigations

When a device gets the HighSev-Verbose tag, collect everything.

Setting	Value
Rule name	HighSev-AllProcesses
Table	DeviceCustomProcessEvents
Action	Process Created
Condition	Broad (all process creation events)
Scope	Devices tagged HighSev-Verbose

Setting	Value
Rule name	HighSev-ScriptCapture
Table	DeviceCustomScriptEvents
Action	Script execution
Condition	Broad (all script events) – add a condition which is always true such as FileName not equals “”
Scope	Devices tagged HighSev-Verbose

Collection profiles summary

Tag	Rules active	What gets collected	Use case
C2-Watch list	OutboundConnections, DNSActivity, Persistence	Network connections from, DNS queries, persistence tool usage, DLL sideloading	Persistent C2 monitoring
HighSev-Verbose	AllProcesses, ScriptCapture	Every process creation, all script execution	Full-depth incident response

Important: when you remove the HighSev-Verbose tag after closing an incident, collection automatically drops back to baseline, no manual rule cleanup needed. This is what makes verbose collection safe to leave configured: it's only active while the tag is.

Step 3: Hunt

Rules deploy within 20 minutes to an hour. Query the data in AH directly.

Detect beaconing patterns processes making regular-interval outbound connections:

Find DNS queries to high-entropy domains (potential DGA):

Spot persistence being established:

Leverage the telemetry from your new collection rule into a Custom Detection so high-value findings raise alerts automatically, instead of waiting for the next manual hunt.

Custom data collection effectively extends your endpoint protection into a targeted, general-purpose log collector, one that's now ready to serve advanced hunting, custom detections, and auditing or regulatory use cases, while default fleet-wide telemetry stays tuned for performance and signal-to-noise. By combining dynamic tagging with purpose-built collection rules, your highest-risk devices are always streaming the signals that matter most, ready for detection and investigation before and during an incident.

Learn more

To learn more about endpoint protection with Microsoft Defender, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
To learn more about custom data collection and how to get started, see our documentation.

Microsoft Defender now monitors RPC activity

EdanZwick — Tue, 09 Jun 2026 16:55:28 GMT

Remote procedure call (RPC) is a protocol commonly abused by attackers that allows functions implemented in a separate process, and potentially on a remote machine, to be called as if they were local. Many core Windows and Active Directory capabilities are built on or make use of RPC, which makes it an attractive target. To help protect against remote RPC-based attacks, Microsoft Defender now monitors remote RPC calls, disrupts malicious activity that leverages them, and surfaces relevant telemetry in advanced hunting.

RPC basics

While RPC is a rich and complicated protocol, the main components that are relevant for security monitoring purposes are:

Interface: A logical grouping of functionality exposed by an RPC server. Interfaces are identified by UUID. Example interfaces include Task Scheduler, Remote Registry, and the Service Control Manager, each exposing functionality related to a different Windows OS component.
OpNum: Stands for Operation Number, an ordinal that denotes a specific function exposed by an RPC interface. Examples include RCreateServiceW (OpNum 12, Service Control Manager interface) and BaseRegQueryValue (OpNum 17, Remote Registry interface).

Many remote attack techniques and tactics are based on RPC, for example:

Lateral movement: often abuses RPC functionality for remotely creating tasks, services or invoking WMI.
Credential theft: DCsync attacks, which abuse privileged compromised accounts to remotely extract credential material from Active Directory, are based on RPC functionality for directory replication. SecretsDump and similar attacks, which remotely extract SAM or LSA secrets, are based on querying a device’s registry remotely, using RPC.
Privilege escalation: Multiple authentication coercion attacks abuse benign RPC interfaces to coerce servers to authenticate an attacker.
Discovery: Tools such as SharpHound leverage RPC calls to enumerate users, sessions and shares.

For a more comprehensive mapping of RPC interfaces to attack techniques, see work by Jonathan Johnson.

RPC auditing in Defender

Since RPC is so heavily used on Windows systems and in Active Directory domains, monitoring remote RPC traffic using network monitors is often expensive and infeasible. Additionally, if the underlying transport protocol is encrypted (such as SMB3), it might be impossible to observe RPC traffic.

To enable efficient auditing of remote RPC activity regardless of transport-layer protection, Defender research and engineering expanded the existing RPC integration with the Windows Filtering Platform (WFP) to support OpNum-level granularity. This makes it possible to identify and audit the specific RPC function being invoked, rather than only the RPC interface.

This capability is designed to help detect remote RPC-based attack techniques, where an attacker interacts with RPC interfaces exposed by a target device. For that reason, Defender focuses this monitoring on inbound remote RPC calls observed on the RPC server host. The telemetry is collected using audit-only WFP filters, which do not interfere with normal traffic, while still providing visibility into suspicious remote activity targeting the device. This approach does not require visibility into the source device.

Local RPC calls, such as inter-process communication on the same device over local transport, and outbound RPC client calls are outside the scope of this monitoring mechanism.

Using this capability, Defender monitors selected RPC calls, leverages the resulting telemetry to detect malicious activity, and exposes monitored calls in advanced hunting. Defender dynamically monitors selected remote operations from interfaces including, but not limited to: Remote Registry, Service Control Manager, Task Scheduler, and Windows Management Instrumentation (WMI). RPC monitoring for workstations is generally available, while server monitoring is currently in gradual rollout.

RPC-based detections and disruption triggers are already available in Defender and include detections such as:

Ongoing hands-on-keyboard attack via Impacket toolkit
Suspicious service creation initiated remotely
Indication of local security authority secrets theft
Unusual RPC user and session discovery
Authentication coercion attack

Example Advanced Hunting queries

1. Remote registry key save events, abused for remote credential dumping.

let remoteRegistryInterface = '338cd001-2244-31f1-aaaa-900038001003'; let registrySaveOpnums = dynamic([20, 31]); // BaseRegSaveKey, BaseRegSaveKeyEx DeviceEvents | where ActionType == 'InboundRemoteRpcCall' | extend AdditionalFields = parse_json(AdditionalFields) | extend RpcInterface = tostring(AdditionalFields.RpcInterfaceUuid), OpNum = toint(AdditionalFields.RpcOpNum) | where RpcInterface == remoteRegistryInterface and OpNum in(registrySaveOpnums)

2. Remote Service Creation events, could indicate lateral movement:

let remoteServicesInterface = '367abb81-9844-35f1-ad32-98f038001003'; let serviceCreationOpnums = dynamic([12, 24, 44, 45, 60]); // RCreateServiceW, RCreateServiceA, RCreateServiceWOW64A, RCreateServiceWOW64W, RCreateWowService DeviceEvents | where ActionType == 'InboundRemoteRpcCall' | extend AdditionalFields = parse_json(AdditionalFields) | extend RpcInterface = tostring(AdditionalFields.RpcInterfaceUuid), OpNum = toint(AdditionalFields.RpcOpNum) | where RpcInterface == remoteServicesInterface and OpNum in(serviceCreationOpnums)

3. Session discovery events, could indicate account discovery:

let srvsvcInterface = '4b324fc8-1670-01d3-1278-5a47bf6ee188'; let netrSessionEnumOpnum = 12; DeviceEvents | where ActionType == 'InboundRemoteRpcCall' | extend AdditionalFields = parse_json(AdditionalFields) | extend RpcInterface = tostring(AdditionalFields.RpcInterfaceUuid), OpNum = toint(AdditionalFields.RpcOpNum) | where RpcInterface == srvsvcInterface and OpNum == netrSessionEnumOpnum | summarize dcount(DeviceId) by AccountName, AccountDomain, AccountSid

Check out the advanced hunting tab to see monitored RPC activity in your environment and stay tuned for more updates from Defender.

Learn more

To learn more about endpoint protection with Microsoft Defender, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

How Microsoft Defender used predictive shielding to proactively disrupt a ransomware attack

AvivSharon — Mon, 01 Jun 2026 17:16:47 GMT

Modern ransomware attacks are increasingly designed to blend in with normal IT operations, using trusted administrative tools to quietly weaken defenses and distribute malicious payloads at scale.

In a recent real‑world incident, a human‑operated ransomware actor attempted to do exactly that by abusing Group Policy Objects (GPOs) to target hundreds of devices, but Microsoft Defender detected the attack and proactively hardened those devices before GPOs were deployed.

The attacker’s plan

The target organization, a large educational institution with more than a couple of thousand devices onboarded to Microsoft Defender, had already experienced a compromise of a domain admin account from an unmanaged device before the ransomware deployment attempt began.

Because GPOs are a trusted mechanism for pushing configuration changes across devices, they present an attractive path for attackers looking to disable security tools or deploy ransomware broadly without needing to access each machine individually. This attacker’s plan involved weaponizing GPOs to:

Push tampering configurations that could disable Defender protections across the environment
Distribute and execute ransomware via scheduled tasks
Leverage built‑in enterprise infrastructure to scale the attack

This approach allowed the attacker to attempt ransomware deployment through standard administrative channels, minimizing the need for direct interaction with individual devices and increasing the potential for widespread impact.

How Defender thwarted the attack

First, Defender quickly detected the attack and contained the domain admin account that the attacker had compromised. Then, since the attacker had created a malicious GPO that disabled key Defender protections, a Defender tampering alert was triggered. In response, predictive shielding activated GPO hardening, temporarily pausing the propagation of new GPO policies across all MDE onboarded devices reachable from the attacker’s standpoint and achieved protection of ~85% of devices against the tampering policy before ransomware was deployed.

Ten minutes later, the attacker attempted to distribute ransomware, but because GPO hardening had already been applied, GPO propagation was already disabled on the targeted devices and the attacker was unsuccessful. Defender recognized that GPO tampering is a precursor to ransomware distribution and acted preemptively. It didn’t wait for ransomware to appear; it acted on what the attacker was about to do, preventing downstream impact such as recovery costs and operational downtime.

The results

Zero machines were encrypted via the GPO path.
Roughly 97% of devices the attacker attempted to encrypt were fully protected by Defender. A limited number of devices experienced encryption during concurrent ransomware activity over SMB; however, attack disruption successfully contained the incident and stopped further impact.
700 devices applied the predictive shielding GPO hardening policy, reflecting the attacker’s broad targeting scope, and blocking the propagation of the malicious policy set by the attacker within approximately 3 hours.

Attackers are getting more sophisticated, finding ways to evade detection by abusing legitimate IT tools that organizations rely on and can’t simply turn off. Security teams can’t restrict these mechanisms without impacting daily operations. By detecting ransomware staging and predicting the attacker’s next move, Defender can apply targeted restrictions just in time, shifting from reactive response to proactive prevention, stopping only what matters when it matters while maintaining full business productivity. With average ransom demands now ranging from $2–5M, the downstream recovery and remediation savings from preventing these attacks can be massive.

Learn more

To learn more about this specific attack, check out the full case study: Case study: How predictive shielding in Defender stopped GPO-based ransomware before it started [microsoft.com]
To learn more about endpoint protection with Microsoft Defender, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Introducing selective response actions for high-value assets in Microsoft Defender

amibarayev — Mon, 18 May 2026 15:50:40 GMT

Deploying Microsoft Defender on high-value assets (HVAs) such as domain controllers, ADFS servers, and other Tier-0 systems, requires a thoughtful approach to balance strong protection with operational stability. Given the powerful response capabilities available, organizations often seek greater control over how these actions are applied in sensitive environments. Many organizations, especially those with strict privileged access management policies, also prefer to limit cloud-initiated administrative actions on Tier-0 systems to align with their security and compliance requirements.

We introduced simplified onboarding in late 2025 with the release of the Defender deployment tool, and now we’re excited to announce that selective response actions for high-value assets are now available in public preview to afford security teams greater flexibility within the onboarding process. This new capability provides a more controlled and flexible approach, enabling organizations to define exactly which response actions are allowed on critical assets. Security teams can maintain operational continuity while still benefiting from the full visibility and protection of Defender.

How it works

Deploying Defender on high-value assets requires additional safeguards. This capability introduces a controlled onboarding experience that enforces strict boundaries from the start.

Security teams can:

Generate a custom onboarding package tailored specifically for Tier-0 and High-Value Assets
Use the Defender deployment tool, a lightweight, dynamic tool that simplifies onboarding and removes the need for complex scripts
Leverage secure key validation and package expiry, ensuring controlled and secure deployment
Explicitly define which remote response actions are permitted on sensitive systems
Onboard both Windows workstations and Windows Server environments

This approach ensures that security controls are applied consistently and cannot be altered post-deployment, reducing the risk of misconfiguration or misuse.

Image 1: selective response actions in the Defender deployment tool package settings

Key benefits

Selective response actions for high-value assets provide a safer and more controlled way to protect critical systems:

Reduce operational risk by limiting powerful security actions on Tier-0 assets
Prevent accidental or malicious disruptions caused by overprivileged or compromised accounts
Align with privileged access management (PAM) policies by restricting cloud-initiated administrative actions
Support compliance and regulatory requirements with stricter enforcement of security controls
Maintain full Defender visibility and protection without overexposing sensitive systems
Provide explicit and granular control over remote response capabilities

Image 2: view of the available response actions for a particular device in the Defender portal

Secure your most critical assets with confidence

You can now extend Defender for Endpoint protection to your most critical Windows systems, while maintaining strict control over how those systems are accessed and managed. This capability empowers security teams to protect what matters most with confidence and precision.

Learn more

Learn more about how to set up selective response actions for high value assets
To learn more about endpoint protection with Microsoft Defender, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Assess Secure Boot status with Microsoft Defender

amitcohen — Mon, 27 Apr 2026 16:38:22 GMT

Understanding the Secure Boot certificate challenge

Secure Boot is a foundational security feature that validates the integrity of your device's boot process, ensuring only trusted software can run during system startup. This protection has been quietly defending enterprise devices since 2012, but the original 2011 certificates that enable this trust are approaching their expiration date.

When certificates expire in June 2026, devices that haven't transitioned to the new Windows UEFI CA 2023 certificates will no longer be able to receive new security protections for the early boot process. While these devices will continue to boot, they may no longer be able to receive or enforce new protections at the earliest stages of system startup. Over time, this can weaken the device’s root of trust and expose it to classes of attacks that operate before the operating system and security controls are fully loaded:

Malicious or tampered boot components may no longer be reliably blocked if they are not signed with trusted certificates
Devices may be unable to adopt future Secure Boot policy updates designed to mitigate newly discovered boot-level threats
Attackers may attempt to leverage boot-level persistence techniques that operate below the visibility of traditional security controls

As new vulnerabilities and protections are introduced, devices that are not updated will gradually fall behind in their ability to enforce trust at boot, but the challenge isn’t just knowing that this transition needs to happen, it’s understanding which devices in your fleet have successfully completed the update and which still require attention.

Introducing Secure Boot 2023 certificate assessment

A new recommendation in Defender allows you to ensure that devices are updated to Secure Boot 2023 certificates and boot manager, providing a centralized, at-scale view of Secure Boot certificate readiness across your environment.

This assessment automatically categorizes your devices into:

Exposed devices: Still trusting older Secure Boot certificates without trust for newer Secure Boot certificates
Compliant devices: Successfully relying on the 2023 certificates and signed boot manager
Not applicable devices: Systems where Secure Boot is disabled or not supported

From the recommendation view, you can:

Drill down into exposed devices and identify exactly which systems require attention
Filter by OS platform and device context to prioritize remediation efforts
Export device data to share with infrastructure and platform teams
Track rollout progress across your organization
Integrate findings into existing security posture workflows

[Secure Boot 2023 recommendation in MDE portal showing deployment status across the fleet]

Take action on your Secure Boot readiness

To access this tool in the Defender portal, navigate to Exposure Management → Recommendations → Devices → Misconfigurations. Once Defender identifies exposed devices, it provides remediation guidance.

For detailed deployment guidance, including enterprise rollout strategies and validation practices, see: https://aka.ms/GetSecureBoot

Your action plan

Assess your exposure
Navigate to the tool to understand how many devices in your environment require updates.
Engage the right teams
Secure Boot certificate deployment is typically owned by infrastructure and platform teams, so coordinate across your organization.
Prioritize high-value assets
Focus remediation efforts on critical devices and sensitive environments first.
Track progress over time
Monitor rollout progress and ensure coverage improves ahead of the June 2026 deadline.

Learn more

Visit the comprehensive Secure Boot guidance at https://aka.ms/GetSecureBoot
Learn more about Microsoft Secure Score for Devices in Microsoft Defender for Endpoint
To learn more about endpoint protection with Microsoft Defender, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Introducing effective settings: See security configurations enforced on your device

ArielMichaeli1 — Mon, 09 Mar 2026 16:00:00 GMT

See exactly which security configurations are enforced on your device

Security teams spend significant time defining policies for Microsoft Defender security settings. But when it comes to investigations or troubleshooting, the real question is often simple: what is currently being enforced on this device? Today, we’re excited to share that the settings experience is now generally available in Defender to provide this critical visibility.

Figure #1: Effective settings tab on the device page

From intended policy to real-world enforcement

Understanding device security posture sometimes means correlating policy intent across multiple management sources, including Intune, Group Policy Object (GPO), and local admin configurations. With effective settings, administrators can see the effective value of each security setting on a specific device—along with the configuration source—and quickly identify configuration attempts that didn’t take effect. This helps eliminate silent gaps where intended protections are not actually enforced, reducing the risk of unnoticed exposure during incidents or active attacks. And this shift from intent to reality helps teams move faster when validating posture, investigating incidents, or resolving conflicts between management tools.

A new view on the device page

The effective settings tab is available as a new tab under the configuration management tab on the device page. From this single location, you can:

View the actual value enforced for each security setting
Identify the configuring source responsible for that value
See additional configuration attempts from other sources that were evaluated but not applied

For complex or layered scenarios such as Microsoft Defender Antivirus exclusions and Attack Surface Reduction (ASR) rules, all configured rules are shown together with their effective value, configuring source, and additional configuration attempts.

This makes it far simpler to understand why a device behaves the way it does, without jumping between consoles or guessing which policy “won.”

Figure #2: Simple settings side panelFigure #3: Complex settings side panel

Practical use cases

Security admins and analysts can use effective settings for use cases like:

Validating enforcement – Confirm that intended security configurations are truly applied on devices
Troubleshooting conflicts – Quickly spot competing policies or management sources that prevented a configuration from being enforced
Improving operational confidence – Reduce uncertainty by relying on an authoritative, device-level view of security settings

Platform support and what’s next

The current release focuses on Windows platform antivirus security settings, including ASR rules and exclusions. This is just the beginning. Our roadmap includes expanding coverage across additional platforms, and a broader set of security settings configured through the Microsoft 365 Defender and Intune portals.

Getting started

If you’re using Microsoft Defender for Endpoint, head to a device page and open the configuration management → effective settings tab to explore the experience firsthand.

Supported versions:

Microsoft Defender for Endpoint Sense client: 10.8735.26018.1000 or later
Microsoft Defender Antivirus platform: 4.18.25010.11 (January 2025 release) or later

Learn more

Learn more about investigating devices in Defender. To get started, navigate to a device page and open the configuration management → effective settings tab.
To learn more about Microsoft Defender endpoint protection, check out our website.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Transparent and customizable onboarding for modern and legacy Windows devices

Sinclaire_Hamilton — Tue, 03 Mar 2026 03:25:40 GMT

Onboarding all devices in your estate is paramount for strong security posture. In fact, Microsoft Threat Intelligence research shows that in the majority of ransomware attacks, the spreader machine was a device that was not yet onboarded. But customers often struggle to follow complex steps that differ by OS, accidentally duplicate devices because they can’t tell whether onboarding is in progress or failed, or have incorrect initial configuration settings causing system incompatibility. That’s why we’re introducing an updated onboarding experience via the Defender deployment tool for Windows that improves progress visibility and adds controls—like package naming and configurable expiry—to help administrators manage onboarding securely at scale.

What’s new

The Defender deployment tool streamlines the onboarding process by dynamically adapting to the operating system, delivering healthy endpoint security to a diverse estate of Windows devices. It is the preferred automated solution that works on modern and legacy devices and removes the need for a separate onboarding file by embedding the onboarding package and all related information within a downloadable .exe that can be run to onboard devices. This updated experience makes onboarding more predictable and transparent, while adding administrative controls that help reduce exposure if onboarding packages are accidentally shared beyond your organization:

A single, runnable .exe for onboarding with the onboarding information embedded (no separate onboarding file required)

Silent and non-interactive onboarding options to support large-scale deployments with tools like Group Policy or Configuration Manager

Custom package identifiers to help track and manage onboarding packages across your organization

Configurable onboarding package expiry (up to one year)

Customizable name identifiers and keys for increased control and visibility

New portal entry points and guidance to make it easier to find the right onboarding and offboarding method for Windows, including directly from the device inventory page

The new, streamlined onboarding tab in the Defender portal

Customize your deployment package

This experience moves away from using scripts and loose blobs, making it more difficult for onboarding to take place at the hands of unauthorized users and significantly decreasing security issues related to blobs in the wild that don't expire. And for the first time, you can set custom expiry dates on onboarding packages for 1 day, 7 days, or a custom amount up to a year. Expiry for onboarding packages protects customers from unwanted onboarding and compliance issues, limiting packages from getting misused if they’re found in a public place. Expiry reduces the likelihood of unauthorized package usage, together with the new portal-provided key that you must input to complete the onboarding process.

Customize your deployment package with a name and expiry date

See your onboarding telemetry in detail

Deployment tool events are available in the device timeline and advanced hunting tabs for increased transparency into onboarding progress and errors, so you can quickly address any issues.

On the new deployment packages page, you can see your organization's onboarding packages at a glance and click to see more package properties, increasing visibility and traceability within the onboarding process. This is a great foundation for adding even more onboarding-related telemetry to view per device in the future. You can even filter by active or expired packages and hide packages you no longer wish to see.

The new deployment packages page in the Defender portal

To experience this next iteration of the Defender deployment tool for Windows, navigate to Settings > Endpoints > Onboarding > Windows, or jump there directly from the device inventory page. There you'll see the newly designed onboarding page in the Defender portal, complete with on/offboarding guides. Select the Defender deployment tool from the options shown.

New onboarding and offboarding buttons on the device inventory page

The Defender deployment tool is also available for Linux. We look forward continuing to share ways we're making it easier to onboard devices to Defender.

Learn more

Deploy Microsoft Defender endpoint security to Windows devices using the Defender deployment tool (preview) - Microsoft Defender for Endpoint | Microsoft Learn

Deploy Microsoft Defender endpoint security to Linux devices using the Defender deployment tool (preview) - Microsoft Defender for Endpoint | Microsoft Learn

To learn more about Microsoft Defender's endpoint protection, check out our website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the https://www.microsoft.com/security/blog/ to keep up with our expert coverage on security matters. Follow us on LinkedIn (https://www.linkedin.com/showcase/microsoft-security/) and X (https://twitter.com/@MSFTSecurity) for the latest news and updates on cybersecurity.

Introducing library management in Microsoft Defender

amibarayev — Tue, 17 Feb 2026 17:52:18 GMT

In dynamic investigation environments, preparation and agility are key. Security analysts working with live response in Microsoft Defender often rely on scripts and tools to triage, investigate, and remediate threats. Until now, these assets had to be uploaded during active sessions, limiting manageability and increasing time to action.

Recognizing the need for better readiness and control, Defender now introduces a more proactive and efficient way to manage these assets: library management.

The new library management experience in Defender brings powerful enhancements to how security teams manage scripts and files used in live response. With this centralized and streamlined interface, analysts no longer need to wait for an active session to organize their investigation tools everything can now be managed proactively, directly from the portal. This enhancement in Defender’s live response tooling improves operational readiness, enhances visibility and control, and helps streamline response workflows across SOC teams.

What’s new in library management?

Centralized script and file management – Security teams can now upload, manage, and clean up their entire collection of Live Response scripts and files outside of an active investigation. This proactive approach allows better preparation and alignment across analysts.

Upload in advance – Easily upload PowerShell scripts, batch files, or other response tools ahead of time, so they're immediately accessible when needed during an investigation.

View script contents in the portal – No need to switch tools, analysts can review script contents directly within the Defender UI to validate logic and confirm functionality before execution.

Clean and organize – Outdated or redundant scripts can be deleted with a click, keeping your library lean, relevant, and audit-friendly.

Boost analyst understanding with Copilot – Understanding unfamiliar scripts can slow down investigations. That’s where Microsoft Security Copilot comes in.

Copilot automatically analyzes scripts in the library and provides:

Summarized behavior descriptions
Security-relevant insights
Execution risk context

This makes it easier for analysts—especially those new to a team or handling inherited tools—to assess what a script does before running it, reducing errors and increasing confidence.

Get started today

You can access the Library Management experience from the live response page in the Microsoft Defender portal. Start uploading your investigation tools, explore script previews, and let Copilot assist in surfacing the intent and behavior of your scripts.

Ignite 2025: Microsoft Defender now prevents threats on endpoints during an attack

clairelevy — Thu, 20 Nov 2025 21:50:11 GMT

This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attackers during active attacks:

Predictive shielding: Defender is the first security solution to not only respond instantly during an attack but also jump ahead of attackers, predicting and preventing the next move before it happens with just-in-time hardening controls that block specific attacker techniques to protect critical assets.
Custom data collection: Defender is now the only endpoint protection solution that allows data-hungry security teams to meet specific telemetry needs by optimizing their data collection right within the Defender portal, without the need to rely on fragmented and siloed solutions.
Expanded Defender support for legacy Windows devices: Better protect vulnerable legacy devices with consistent OS support of Microsoft Defender capabilities across Windows 7 & Windows 2008 R2 and higher.
Defender deployment tool: Streamline the onboarding process with a lightweight tool that dynamically adapts to the operating system, delivering healthy endpoint security to a diverse estate of Windows and Linux devices.

Video: Check out what's new in endpoint protection with Defender

Jump ahead of attackers: autonomous defense, real results

Automatic attack disruption is a capability unique to Microsoft Defender that contains attacks wherever they appear in your environment. It automatically detects and disrupts in-progress attacks with over 99% confidence, disrupting ransomware in an average of 3 minutes. In recent months, it disabled nearly half a million compromised accounts while saving over 270,000 devices.

But today’s landscape is relentless: over 80% of advanced attacks are multi-stage and persistent, forcing defenders to be perfect over and over again. Even in the face of this incessant threat, the industry-wide approach of reactively responding to attacks is accepted as the best we can do. Until now.

Today we are thrilled to move the bounds of endpoint protection by introducing predictive shielding, a groundbreaking, proactive capability of attack disruption.

It acts in two steps:

1. As soon as a compromised asset is contained, Defender predicts the attack paths and tactics the adversary will use next, in many cases narrowing down tens of thousands of possible pathways to just a few with the highest likelihood.

Image 1: Defender predicts the path and tactics an attacker will use

2. Then, it jumps ahead of the attacker and shields those pathways by using just-in-time hardening methods, giving the attacker nowhere to go.

Image 2: Defender shields the path with just-in-time hardening tactics

So how can Defender do this when no one else can? It comes down to a combination of our unique visibility, leading threat intelligence, and AI-powered innovation. Defender uses AI technology to analyze the attack as it’s happening, identifying patterns of known attackers based on Microsoft’s deep threat intelligence, and then applies that to our unique understanding of the organization’s environment based on graph insights and integration as part of the Microsoft platform. With all this context, Defender can identify common attack techniques, which assets they’re trying to get to, and how they’ll try to get there.

Based on these insights, Defender deploys innovative hardening capabilities that block specific attacker tactics and turn on as the attack is underway, just before an attacker attempts to use those tactics. Today we are starting with hardening capabilities seen in sophisticated ransomware campaigns, including group policy objects (GPO), safe mode reboot for tampering, and domain account compromise.

While the precision of predictive shielding allows us to block operations surgically, security teams remain in command, with full visibility and control. All collected data and predictive shielding actions are available for investigation in the Defender portal, with controls that allow security teams to turn off hardening tactics with one click.

Image 3: The Defender portal provides full visibility into predictive shielding actions, with the option to turn them off

Ready to see the future of autonomous defense? Join us online or in person for our Microsoft Ignite session on November 20^th.

See the data you want to see, right in Defender

Security teams today are data savvy and are always looking for full visibility into their telemetry. Defender has long provided over 200 types of raw event types, each enriched with numerous properties and accessible through the threat hunting experience in the Defender portal. But each organization has unique data requirements, so many security teams use complex add-on products to collect and analyze additional data, contributing to the already overwhelming number of solutions they’re using.

That’s why today we’re announcing the ability to collect and hunt across custom data right within the Defender portal. You can now easily build custom data collection rules based on your organization’s specific needs using natural language; no PhD required! We are releasing several new data types that can be collected, for example the highly requested AMSI for hunting over script content, and Kerberos for hunting auth-based and network attacks.

Image 4: Easily create custom data collection rules in the Defender portal

This truly integrated custom data offering is possible thanks to Microsoft’s platform approach, as the additional telemetry can be collected and analyzed via Defender and stored via Microsoft Sentinel. This expansion puts you in complete control of any customized, add-on data, including exactly which data types are collected and how long they are stored. No other security solution has fully integrated and customizable telemetry collection and analysis.

Expanded support for Windows 7 and 2008 R2

Upgrading to the latest versions of each operating system as soon as possible is critical to optimize your security, but we understand that this is simply not realistic for many organizations. Our data shows that more than 90% of enterprises continue to have at least some legacy devices in their environment. Attackers know they present gaps in even the tightest security posture.

That’s why today we are improving Defender’s coverage with expanded support for Windows 7 and Windows 2008 R2 to help you keep your legacy systems protected. We know that many organizations have Windows 7 and 2008 R2 in their environments, and it’s a critical milestone for us to support customers in bringing a consistent endpoint protection capability set across OS versions with Microsoft Defender.

Image 5: Operating system coverage with Microsoft Defender

This new release further expands Defender support to the broad set of Windows, macOS, iOs, Android, and Linux versions listed in image 5. We’re committed to meeting you where you are to help you protect the most vulnerable points in your environment, so we are always evaluating demand and will continue to expand our coverage moving forward.

Simplified deployment for Windows and Linux

Organizations are faced with the challenge of securing diverse device fleets spanning multiple operating systems, hardware configurations, and user scenarios. Historically, the more diverse your operating system estate, the more complex your onboarding process, because it often requires a combination of endpoint management solutions like Microsoft Intune, but also scripts, downloads, and multiple manual installations to ensure coverage.

To help security teams onboard simply and securely, we’ve built new Defender deployment tools for Windows and Linux, which handle the entire process for you. Just download a single package and it will dynamically adapt to the operating system, take care of prerequisites, and install the latest version of Defender available as needed for older devices that don’t have it already built in. The Defender deployment tools eliminate friction, automate tricky steps, and provide predictability throughout the onboarding journey.

They also have several controls built in that allow you to test for issues before onboarding and can accommodate complex scenarios like virtual desktop infrastructure. For customers of Microsoft Intune and Microsoft Defender for Cloud, the Defender deployment tools work in tandem, available to use for legacy systems or complex scenarios.

This release is the latest step in our journey to secure diverse device environments and sets the foundation for a unified and intuitive deployment experience—one that meets the demands of modern IT and security teams across organizations of all sizes.

We hope you’ll join us online or in San Francisco for our Microsoft Ignite session on November 20^th to learn more about these and other exciting announcements in Defender’s industry-leading endpoint protection.

Featured sessions:

BRK240: Endpoint security in the AI era: What's new in Defender; November 20^th 9:45am PT
THR747: Disrupt ransomware attacks before harm occurs with Microsoft Defender; November 21^st 9:30am PT
BRK241: Microsoft Defender: Building the agentic SOC with guest Allie Mellen; November 19^th 9:00am PT
BRK246: Blueprint for building the SOC of the future; November 19^th 4:00pm PT

Related resources:

To learn more about Defender’s endpoint protection, visit our website. Bookmark our blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

End of Windows 10 Support: What Defender Customers Need to Know

clairelevy — Tue, 14 Oct 2025 16:26:01 GMT

As of today, October 14, 2025, Microsoft is officially ending support for Windows 10. This means that Windows 10 devices will no longer receive security or feature updates, nor technical support from Microsoft. While these devices will continue to operate, the lack of regular security updates increases vulnerability to cyber threats, including malware and viruses. Applications running on Windows 10 may also lose support as the platform stops receiving updates.

Will Defender continue to protect Windows 10 devices?

Defender supports a range of legacy systems, including Windows 10. (See here for a full list of supported operating systems.) Microsoft Defender will continue to provide detection and protection capabilities to the extent possible on Windows 10 and other legacy systems. Keep in mind that security solutions on legacy systems are inherently less secure and may not be able to receive all new features, so please review the next section for important actions you can take.
For Windows 10 customers without Defender, Microsoft will continue to provide security intelligence updates for the built-in Microsoft Defender Antivirus protection through October 2028. Of course, Defender Antivirus alone isn't a comprehensive risk mitigation posture without Microsoft Defender detection and response deployed across your digital estate.

What should customers do to protect their Windows 10 devices?

Upgrade to Windows 11:
Moving to Windows 11 is strongly recommended for PCs eligible to upgrade. Windows 11 delivers the latest security features, improved performance, and ongoing support at no additional cost. This is the best way to ensure your endpoints remain protected and compliant. Devices running Windows 10 will be more vulnerable, even with ongoing security intelligence updates (SIUs).
Extended security update (ESU) program:
If upgrading isn’t immediately possible, Microsoft offers an ESU program for Windows 10. The ESU program provides critical and important security updates but does not include new Windows features or technical support.
- Enterprise customers can purchase ESU for up to three years or receive it at no additional cost with a Windows 365 subscription.
- Cloud and virtual environments: Windows 10 devices accessing Windows 11 Cloud PCs via Windows 365 or Virtual Machines are entitled to ESU at no extra cost, with automatic updates.
- Consumer customers have options to enroll for one year of ESU, including free enrollment methods in certain regions.

For further guidance, check out the posts below or connect with your Microsoft account team.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Multi-tenant endpoint security policies distribution is now in Public Preview

tomasbeerthuis — Thu, 07 Aug 2025 16:17:41 GMT

We’re excited to announce a key milestone in Defender’s multi-tenant management journey—Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defender multi-tenant portal. This capability empowers security teams to manage policies at scale, ensuring consistency and saving valuable time.

What is content distribution?

Content distribution is a powerful Defender feature that enables scalable management of content across tenants. With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content—such as custom detection rules and now, endpoint security policies—from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution.

How it works

- Security policies are now a selectable content type when creating a distribution profile.
- Simply choose existing policies from your home tenant and add them to the distribution profile. You can also decide which Microsoft Entra group(s) will be applied as scope. Policy targeting will be based on the Entra device groups that exist in every tenant, and you select the relevant groups for each tenant.
- Upon completion, policies are automatically distributed to the selected tenants and are applied on the targeted machines.

Distributed policies also appear in a hierarchical view, with the original policy serving as the parent. You can find the policies that were distributed from the tenant under the original policy. This appears on the endpoint security policies page within multi-tenant management.

The last distribution status for the original policy reflects the overall status of its distributed copies, and the tenants and tenant groups sections indicate the recipients of the policy.

At any time, you can update the policies, tenants, scope or any other settings, and sync to apply these changes.

This new capability enables consistency (maintaining uniform security posture across tenants), efficiency (eliminating manual duplication and reducing operational overhead), and scalability (easily expanding coverage as the tenant landscape grows).

FAQ

What pre-requisites are required?

Access to more than one tenant with Microsoft Defender for Endpoint, with delegated access via Azure B2B or GDAP (CSP Partners only), using the multi-tenant management capability.
A subscription to Microsoft 365 E5 or Office E5.

What permissions are needed to distribute MDE security policies?

To access endpoint security policies, users require the security administrator role in each relevant tenant.
To distribute content using multi-tenant management content distribution, the Security settings (manage) or Security Data Basic (read) permission is required. Both roles are assigned to the Security Administrator and Security Reader Microsoft Entra built-in roles by default.

Can I update or expand distribution profiles later?

Yes. You can add more content, include additional tenants, or modify scopes as needed.

Learn more

For more information, see Content distribution in multitenant management. To get started, navigate to the Content distribution page.
To learn more about Microsoft Defender's endpoint protection, check out our website and video.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Maintain connectivity for essential services with selective network isolation

amibarayev — Wed, 25 Jun 2025 16:29:44 GMT

Network isolation refers to how Microsoft Defender for Endpoint restricts a compromised device’s communication within the network in order to contain threats and prevent lateral movement. But oftentimes when isolating devices, certain critical services like management tools or security solutions need to remain operational.

That's why Defender for Endpoint has launched selective isolation exclusions, which allow you to exclude specific devices, processes, IP addresses, or services from unilateral network isolation actions. This allows essential functions (e.g., remote remediation or monitoring) to continue in the event of a breach, while limiting broader network exposure.

Isolation Modes

There are two modes available:

Full isolation:
- In this mode, the device is completely isolated from the network, and no exceptions are allowed. All traffic is blocked, except for essential communications with the Defender agent.
- Exclusions cannot be applied in full isolation mode. This is the most secure option, suitable for scenarios where a high level of containment is necessary.

[New] Selective isolation:
- Selective isolation allows administrators to apply exclusions to ensure that critical tools and network communications can still function, even while maintaining the device’s isolated state.
- ⚠️ Note: Any exclusion weakens device isolation and increases security risks. To minimize risk, configure exclusions only when absolutely necessary. Regularly review and update exclusions to align with security policies.

To get started, read the isolation exclusions documentation.

Learn more

Microsoft’s participation in MITRE ATT&CK® Evaluations: Enterprise 2025

KarthikSelvaraj — Fri, 13 Jun 2025 19:00:00 GMT

Microsoft has a long-standing relationship with MITRE and holds deep respect for the unique role that the organization plays within the security ecosystem. MITRE ATT&CK® Evaluations have been instrumental in helping us improve our products. We are grateful for their invaluable contributions in advancing security for all.

After extensive deliberation, Microsoft has decided to not participate in the evaluation this year. This decision allows us to focus all our resources on the Secure Future Initiative and on delivering product innovation to our customers. We look forward to continuing our collaboration with the MITRE team and wish them all the best for this year’s evaluation.

Behavior monitoring is now generally available for Microsoft Defender for Endpoint on macOS

JoshBregman — Tue, 10 Jun 2025 20:17:04 GMT

Enhancing macOS security with behavior monitoring

As attackers become more sophisticated in today’s rapidly evolving threat landscape, security strategies must continue to innovate to keep pace. For instance, static signature-based approaches to malware detection are useful but not enough. Rather, when combined with more dynamic forms of detection like behavior monitoring, your environment is better equipped to block new and evolving threats.

Behavior monitoring observes how software behaves in real-time to detect and analyze potential threats based on the behavior of the applications, daemons, and files within your system. Behavior monitoring is a cornerstone of Microsoft Defender’s cloud-based protection strategy. A wide array of our most advanced protection capabilities rely on behavior monitoring’s cloud models to not only detect but also effectively respond to complex and evolving threats.

Today, we’re excited to announce that behavior monitoring is now generally available on macOS, and is rolling out broadly over the course of the next few weeks. Like with Windows and Linux, behavior monitoring for macOS extends Defender for Endpoint’s protection beyond static signatures to track the larger scale relationships between processes. This capability significantly enhances the early detection of suspicious or malicious activities by spotting unusual process interactions and patterns.

What does this mean for customers?

By extending this critical technology to macOS, customers will benefit from a consistent level of protection across all of their devices. Behavior monitoring introduces a rich new stream of telemetry that helps lay important groundwork for advancing innovative protections against threats targeting macOS users. In the future, it will be possible to build custom logic based on the process and file system events supported by behavior monitoring, equipping you with a more dynamic and tailored way to secure your endpoints.

Real-world example of behavior monitoring

Let's understand the significance of this feature. The Atomic macOS Stealer (AMOS) is a sophisticated macOS malware engineered to steal sensitive information from systems. It targets a broad spectrum of data, including Keychain passwords, system information, files from desktop and documents folders, macOS user passwords, browser data (such as cookies and login credentials), and cryptocurrency wallets. To evade detection, AMOS employs obfuscation techniques like XOR encryption, making its payloads challenging to identify through static analysis alone. Due to its advanced nature, effective detection of AMOS necessitates dynamic analysis and behavior detection methods, rather than relying solely on static signature-based approaches.

Behavior monitoring alerts are displayed in the Microsoft Defender XDR portal alongside all other alerts, enabling effective investigation.

The following image in the Microsoft Defender XDR portal shows that Defender detected and terminated a suspicious action using behavior monitoring on macOS.

The following image is an alert in the Microsoft Defender XDR portal that shows that a suspicious action was blocked using behavior monitoring technology.

To experience the Mac antivirus behavior monitoring and blocking, users will need a minimum version Microsoft Defender for Endpoint, which is 101.25032.0006.

Availability

Our macOS behavior monitoring and blocking capabilities are available on the following major versions of Mac currently supported by Microsoft Defender for Endpoint:

macOS Ventura (13)

macOS Sonoma (14)

macOS Sequoia (15)

Behavior Monitoring is being rolled out automatically following our safe deployment practices (SDP) per the schedule below.

Channel	Staring Date	App Version
External	3/31/2025	> 101.25042.0002
Production	5/19/2025	> 101.25032.0006

Once fully deployed, behavior monitoring will be on by default for everyone. You can confirm your device’s enrollment status by checking the output of mdatp health --details features in your terminal.

If your device is not yet enabled automatically, you can enable it manually.

Enabling Behavior Monitoring

For customers that need to change the settings of behavior monitoring, you can use Intune or a 3rd party MDM for enterprises or manually using sudo mdatp config behavior-monitoring for a trial deployment. Support for behavior monitoring in Defender for Endpoint’s security settings management experience is expected this summer.

Additional resources for securing macOS with behavior monitoring

The following resources can help you optimize your macOS security and behavior monitoring settings:

Refer to the following article for more details about configurations related to behavior monitoring.

Monitor the What's new in Microsoft Defender for Endpoint on Mac page for upcoming announcements.

Read this blog to learn more about how behavior monitoring works on Linux.

We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft Defender XDR portal.

Learn more

Manage global exclusion policies for Linux across both AV and EDR

Rutuja_dange — Thu, 05 Jun 2025 16:36:57 GMT

Create and manage global exclusions for Linux

Global exclusions for Microsoft Defender for Endpoint on Linux are now generally available. This will allow security teams to create and manage exclusion that apply to both antivirus (AV) and endpoint detection and response (EDR)—helping reduce false positives, improve performance, and streamline security operations on Linux servers.

Many organizations rely on exclusions to maintain optimal performance and ensure compatibility—especially in Linux server environments running custom applications or handling high input/output workloads. Until now, the absence of a unified exclusion scope across both AV and EDR made it challenging to tackle performance issues and avoid disruptions to trusted software due to false positives.

With global exclusions, organizations can now effortlessly exclude specific files, folders, and processes from both AV and EDR using a single, centralized configuration—ensuring consistent protection, improved accuracy, and better performance across their Linux workloads.

Key benefits

Unified scope for antivirus + endpoint detection and response: Apply exclusions across both antivirus and endpoint detection and response using a single exclusion scope called “Global”.

Mitigation of performance issues: Helps address performance issues—such as high CPU and memory usage—by excluding noisy processes.

Reduced false positives: Avoid flagging known and trusted files or custom applications unique to your environment. By excluding trusted files and processes—such as Tanium used in endpoint management—you can avoid incorrect detections and focus on high-fidelity signals.

Centralized, scalable management: Configure exclusions via security settings management using the Defender portal, Microsoft Intune, or JSON-based policies.

How it works

Global exclusions in Microsoft Defender for Endpoint for Linux are applied at the sensor level. This early-stage filtering helps eliminate noise from trusted sources before any pre-processing by antivirus or endpoint detection and response engines. By default, these exclusions apply to real-time protection and passive mode, but not to on-demand custom scans. Here’s the summary of how it works:

Scope: Applies to both real-time protection and EDR detections on Linux. It does not impact on-demand scans.

Supported types: You can exclude files, folders and processes

Configuration options:

- Microsoft Defender portal: Use the built-in security settings management experience.
- Microsoft Intune: Use the endpoint security blade to define and deploy exclusion policies.
- JSON-based policies: For advanced deployments, exclusions can be defined in managed JSON and deployed via configuration management tools.

This flowchart shows when and where global exclusions are applied in the context of Microsoft Defender for Endpoint on Linux.

Getting started

For detailed guidance on how to configure, validate, and manage global exclusions, please refer to our documentation: Configure and validate exclusions for Microsoft Defender for Endpoint on Linux - Microsoft Defender for Endpoint | Microsoft Learn.

To start using global exclusions for Microsoft Defender for Endpoint on Linux, please upgrade to the latest version 101.24092.0001 or above.

Discover how automatic attack disruption protects critical assets while ensuring business continuity

DorFenigshtein — Tue, 27 May 2025 18:40:02 GMT

Protecting critical assets

Traditional security solutions often operate in a one-size-fits-all alert model that treats every detection equally, regardless of how important the asset is. But not all assets are equal. Critical assets are systems governing access, identity, or sensitive data. They are essential to an organization’s operations and security, for example, domain controllers, cloud connectivity gateways, key management servers, and others. If attackers compromise these assets, business continuity suffers at great scale. As these systems typically have less routine activity, any alert on them is far more significant.

Threat actors specifically target these high-value systems, meaning that even weaker signals need to be properly investigated. With short-staffed SOC teams, it has historically been a challenge to respond to these types of signals effectively. Given assets like domain controllers are the backbone to an organization’s daily operations, protecting critical infrastructure means proactively stopping adversaries before they inflict damage. So how do security solutions help SOC teams effectively protect critical assets while ensuring business continuity?

To help security teams meet this challenge, Microsoft Defender developed automatic attack disruption: a built-in self-defense capability that identifies & disrupts multi-domain attacks in near real time to prevent further damage across the organization. We recently announced how we protect domain controllers against ransomware as the latest attack disruption innovation.

Behind the scenes, attack disruption uses a critical asset framework to achieve this outcome. This framework is developed from the latest threat research and tested internally within Microsoft’s security infrastructure to provide the context needed to differentiate true threats from noise for critical assets, empowering organizations to act decisively when it matters most. Using the native integration between Microsoft Defender for Endpoint and Microsoft Security Exposure Management, we can automatically identify critical assets in your environment and apply deep contextual insights based on each asset’s unique threat profile to disrupt attacks accordingly.

This blog post dives into how this framework drives real impact, its core components, innovative methodology, and how it helps ensure that organizations are proactive and efficient in their defense strategy specifically for critical asset protection.

Real world impact

By applying the critical asset framework, Microsoft Defender was able to disrupt attacks targeting high-value assets several days earlier in the kill chain in 40% of triggered incidents. This early intervention significantly reduces attacker dwell time, helping prevent impact and limit damage. Additionally, in another 40% of incidents, risk-based contextual insights transformed weak signals into clear, actionable disruption opportunities. These were unique incidents, false negatives in the past, that are now being surfaced and mitigated for the first time.

Neutralizing a human-operated attack on a global enterprise’s domain controller

In this scenario, a global enterprise was running multiple endpoint detection & response vendors in their environment, including Microsoft Defender for Endpoint. The organization was targeted by an advanced, human-operated attack on their domain controllers. Only Microsoft’s solution was able to stop the attack thanks to Defender’s early detection and disruption capabilities. The threat was neutralized before any damage could be inflicted, demonstrating the necessity of automatic attack disruption in the fight against ransomware. Meanwhile, critical assets onboarded to the other vendor were impacted.

Attack story showing automatic attack disruption saving domain controllers onboarded to Microsoft Defender for Endpoint whereas those onboarded to a different EDR solution were encrypted.

Core principles for protecting critical assets

Now that you’ve seen how effective attack disruption is for protecting critical assets, let’s take a look at the core principles shaping our framework:

Prioritization and classification: By classifying assets based on their criticality and role we ensure that disruption actions are triggered precisely where they matter most. With fewer benign events on critical systems, every detection is more likely to reflect a genuine threat, enabling faster, more targeted responses that directly enhance client security and operational confidence.

Proactive, real-time defense: Our context-driven approach enables early detection and disruption of threats, often stopping attacks days before they can cause significant harm.

Adaptive and scalable: Although our initial focus has been on domain controllers, the framework is designed to be flexible and protect a variety of other critical assets such as cloud connectivity solutions and publicly connected devices, based on each asset’s unique behavioral context.

We take these principles and translate them into actionable detection and disruption actions tailored to protect critical assets from the sophisticated and persistent threats that they frequently face.

Under the hood of critical asset protection

Asset classification: Our process starts by analyzing each asset’s role and criticality using Microsoft Security Exposure Management to identify and prioritize critical assets, guiding every disruption decision along the way.
Detector integration and management:
- Targeted detector selection: We have engineered a specialized set of detectors most relevant to high-value assets, guided by extensive asset-specific threat research. This ensures each critical asset is protected by detectors selected specifically for the threats it faces.
- Automated quality evaluation: Our system continuously assesses each detector’s signal-to-noise ratio and overall impact, deploying only those that meet our strict standards.
- Integrated security platform: A dedicated module orchestrates every step - from generating alerts and enriching them with context to automatically triggering the right containment or remediation action via one streamlined workflow.
Contextual disruption execution: When a detector triggers on a critical asset, our framework immediately enriches the alert with detailed contextual telemetry. This enriched data is leveraged in several powerful ways. For example, events are correlated to accurately identify any impacted users - even when initial detections lack clear user data (such as when a malicious payload runs under the SYSTEM account via a service, where our framework traces the creator of the service). The framework also assesses remote activity to capture additional related entities, applying tailored threat lists specific to each asset type. These examples demonstrate how our context-driven approach transforms raw detections into precise, actionable intelligence that enable targeted responses like user containment and soon, IP containment for critical assets.

Where we’re heading

As the threat landscape evolves, we continue investing in attack disruption’s ability to protect critical assets. Our roadmap includes:

Scaling through AI-driven behavioral coverage: We’re shifting from a detector-centric approach to an AI-driven model that continuously learns from vast volumes of telemetry and behavioral patterns. We’re shifting the framework to identify and disrupt threats dynamically, improving precision, expanding coverage, and adapting faster than static rules ever could.
Extending asset coverage: Beyond domain controllers, upcoming iterations will include additional high-value assets such as Entra Connect Sync servers, internet-facing servers, SQLs servers, and more - providing comprehensive protection across your organization’s critical infrastructure.
Deepening integration: This innovation has been made possible through the integration between Microsoft Defender for Endpoint and Microsoft Security Exposure Management, which provides advanced asset classification. Our ongoing partnership ensures we continue to innovate and deliver tailored solutions that address unique client needs.

Conclusion

The ability to protect critical assets represents a paradigm shift in cybersecurity, moving from reactive alerting to proactive, context-aware disruption that prioritizes not just alerts, but the assets themselves. By recognizing that not all assets carry the same risk, our approach ensures that protection efforts are focused where they matter most, enabling true end-to-end defense. By integrating advanced asset classification and context-driven intelligence into our security platform, we’re not only protecting critical systems like domain controllers but also empowering customers with decisive, actionable insights.

As we continue to innovate, our commitment remains clear: to deliver intelligent, effective security solutions that safeguard your most vital assets against even the most advanced threats.

Learn more

Explore these resources to stay updated on the latest automatic attack disruption capabilities and how we protect critical assets:

Learn more about Microsoft Defender for Endpoint.

Read our latest security blog on how we protect against ransomware attacks using domain controllers.

Read about the new containment features.

Learn how attack disruption safeguards your domain controllers in this video.

Check out our latest infographic.

Read about automatic attack disruption.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Defender for Endpoint successfully passes the AV-Comparatives 2025 Anti-Tampering Test

amibarayev — Thu, 15 May 2025 17:21:19 GMT

The rise of tampering attacks

In cybersecurity, anti-tampering protection refers to the defensive measures designed to prevent unauthorized modifications to security systems, policies, and settings. When threat actors compromise an organization, they often start by tampering with security solutions in an effort to further exploit and achieve persistence within the environment. Common tampering tactics include disabling or altering antivirus and endpoint detection and response (EDR) tools, turning off real-time protection and security intelligence updates, editing high-value device and access policies, and creating exclusions that allow malicious activities to go undetected. After having tampered successfully, attackers gain valuable time to install malicious tools, exfiltrate data, move laterally, and launch ransomware attacks.

In recent years, Microsoft has observed a significant volume of attacks involving antivirus tampering. In May 2024 alone, Microsoft Defender XDR detected over 176,000 incidents involving tampering with security settings, impacting more than 5,600 organizations ¹. On average, during that time frame, organizations that encountered tampering activity saw over 31 attempts. Techniques observed by Microsoft include Windows Registry modifications, use of malicious tooling such as NSudo (Defeat Defender), Defender Control, Configure Defender, ToggleDefender, custom malicious PowerShell or batch scripts, and driver tampering.

Defender for Endpoint effectively thwarts tampering attacks

Microsoft Defender for Endpoint offers robust anti-tampering capabilities that protect against end-user and third-party security settings changes, even in the context of a privileged user. These built-in controls can prevent local and non-authorized remote administrators from altering critical settings at the organizational, platform, and device levels – you can even create specific rules for high-value device types such as domain controllers. This means that you are automatically protected against common tampering tactics used by attackers including the modification of registry settings, DLLs, file systems, and agents. On top of that, any attempt to create exclusions in your antivirus and EDR tools or to terminate or suspend your system processes and services will be thwarted. These settings are on-by-default for all Defender for Endpoint customers, delivering comprehensive anti-tampering protection from day one.

We are pleased to announce that AV-Comparatives has certified Microsoft Defender for Endpoint for successfully thwarting all tampering attempts levied during the 2025 Anti-Tampering Test. The test involved rigorous evaluation of security solutions to defend against sophisticated attack techniques aimed at disabling or bypassing protection mechanisms. This includes attempts to disable or modify Windows kernel components and disable or terminate processes in the Windows user space. Even under sustained attack (various tests, tools, and procedures designed to penetrate our anti-tampering controls), Defender for Endpoint demonstrated its ability to maintain protection. This evaluation not only validates the effectiveness of our advanced tampering and defense evasion controls but also reinforces Defender for Endpoint’s position as a leader in endpoint detection and response.

Defender for Endpoint successfully thwarted 100% of the tampering attacks made against the categories shown above in AV-Comparatives 2025 Anti-Tampering Test

Learn more

Explore the following resources to learn more about how Defender for Endpoint defends against tampering attacks:

Protect security settings with tamper protection

Protect your organization from the effects of tampering

See additional evaluation results for Defender for Endpoint, demonstrating the industry-leading effectiveness of our endpoint security solution:

Microsoft is named a Leader in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms

Microsoft Defender XDR demonstrates 100% detection coverage across all cyberattack stages in the 2024 MITRE ATT&CK® Evaluations: Enterprise

Forrester names Microsoft a Leader in the 2023 Endpoint Security Wave™ report

AV-Comparatives awards 2024 for Microsoft

AV-Comparatives antivirus tests performed on Microsoft Defender

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹ Microsoft Digital Defense Report 2024

Sensor Disconnection Notifications with Microsoft Defender for IoT and Microsoft Sentinel 🚀

BelleKriger — Fri, 12 Dec 2025 10:46:35 GMT

What Does This Playbook Do?

This new automated playbook sends real-time email notifications whenever a sensor disconnects from the cloud. This ensures you’re immediately alerted if there’s an issue, allowing you to take quick action to investigate and resolve the problem.

Why It’s Important:

Real-Time Alerts: Get instant notifications when a sensor goes offline.
Proactive Monitoring: Identify the issue early, reducing downtime and improving response times.
Seamless Integration: Works effortlessly with Microsoft Defender for IoT and Microsoft Sentinel for a unified security approach.

How to Set It Up:

Setting up this playbook is quick and easy. For step-by-step instructions, check out the detailed setup guide here.

This playbook was created in collaboration with Marian Hristov, a leading partner working with Defender for IoT.