Microsoft Defender for Endpoint

Introducing selective response actions for high-value assets in Microsoft Defender
Deploying Microsoft Defender on high-value assets (HVAs) such as domain controllers, ADFS servers, and other Tier-0 systems requires a thoughtful approach that balances strong protection with operational stability. Given the powerful response capabilities available, organizations often seek greater control over how these actions are applied in sensitive environments. Many organizations, especially those with strict privileged access management policies, also prefer to limit cloud-initiated administrative actions on Tier-0 systems to align with their security and compliance requirements.

We introduced simplified onboarding in late 2025 with the release of the Defender deployment tool, and now we're excited to announce that selective response actions for high-value assets are available in public preview, giving security teams greater flexibility within the onboarding process. This new capability provides a more controlled and flexible approach, enabling organizations to define exactly which response actions are allowed on critical assets. Security teams can maintain operational continuity while still benefiting from the full visibility and protection of Defender.

How it works

Deploying Defender on high-value assets requires additional safeguards. This capability introduces a controlled onboarding experience that enforces strict boundaries from the start.
Security teams can:

- Generate a custom onboarding package tailored specifically for Tier-0 and high-value assets
- Use the Defender deployment tool, a lightweight, dynamic tool that simplifies onboarding and removes the need for complex scripts
- Leverage secure key validation and package expiry, ensuring controlled and secure deployment
- Explicitly define which remote response actions are permitted on sensitive systems
- Onboard both Windows workstations and Windows Server environments

This approach ensures that security controls are applied consistently and cannot be altered post-deployment, reducing the risk of misconfiguration or misuse.

(Screenshot: package settings)

Key benefits

Selective response actions for high-value assets provide a safer and more controlled way to protect critical systems:

- Reduce operational risk by limiting powerful security actions on Tier-0 assets
- Prevent accidental or malicious disruptions caused by overprivileged or compromised accounts
- Align with privileged access management (PAM) policies by restricting cloud-initiated administrative actions
- Support compliance and regulatory requirements with stricter enforcement of security controls
- Maintain full Defender visibility and protection without overexposing sensitive systems
- Provide explicit and granular control over remote response capabilities

Secure your most critical assets with confidence

You can now extend Defender for Endpoint protection to your most critical Windows systems, while maintaining strict control over how those systems are accessed and managed. This capability empowers security teams to protect what matters most with confidence and precision.

Learn more

- Learn more about how to set up selective response actions for high-value assets
- To learn more about endpoint protection with Microsoft Defender, check out our website.
- To learn more about Microsoft Security solutions, visit our website.
- Bookmark the Security blog to keep up with our expert coverage on security matters.
- Follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Assess Secure Boot status with Microsoft Defender
Understanding the Secure Boot certificate challenge

Secure Boot is a foundational security feature that validates the integrity of your device's boot process, ensuring only trusted software can run during system startup. This protection has been quietly defending enterprise devices since 2012, but the original 2011 certificates that enable this trust are approaching their expiration date. When the certificates expire in June 2026, devices that haven't transitioned to the new Windows UEFI CA 2023 certificates will no longer be able to receive new security protections for the early boot process.

While these devices will continue to boot, they may no longer be able to receive or enforce new protections at the earliest stages of system startup. Over time, this can weaken the device's root of trust and expose it to classes of attacks that operate before the operating system and security controls are fully loaded:

- Malicious or tampered boot components may no longer be reliably blocked if they are not signed with trusted certificates
- Devices may be unable to adopt future Secure Boot policy updates designed to mitigate newly discovered boot-level threats
- Attackers may attempt to leverage boot-level persistence techniques that operate below the visibility of traditional security controls

As new vulnerabilities and protections are introduced, devices that are not updated will gradually fall behind in their ability to enforce trust at boot. The challenge isn't just knowing that this transition needs to happen; it's understanding which devices in your fleet have successfully completed the update and which still require attention.

Introducing Secure Boot 2023 certificate assessment

A new recommendation in Defender allows you to ensure that devices are updated to the Secure Boot 2023 certificates and boot manager, providing a centralized, at-scale view of Secure Boot certificate readiness across your environment.
This assessment automatically categorizes your devices into:

- Exposed devices: Still trusting older Secure Boot certificates, without trust for the newer Secure Boot certificates
- Compliant devices: Successfully relying on the 2023 certificates and signed boot manager
- Not applicable devices: Systems where Secure Boot is disabled or not supported

From the recommendation view, you can:

- Drill down into exposed devices and identify exactly which systems require attention
- Filter by OS platform and device context to prioritize remediation efforts
- Export device data to share with infrastructure and platform teams
- Track rollout progress across your organization
- Integrate findings into existing security posture workflows

Take action on your Secure Boot readiness

To access this tool in the Defender portal, navigate to Exposure Management → Recommendations → Devices → Misconfigurations. Once Defender identifies exposed devices, it provides remediation guidance. For detailed deployment guidance, including enterprise rollout strategies and validation practices, see: https://aka.ms/GetSecureBoot

Your action plan

1. Assess your exposure: Navigate to the tool to understand how many devices in your environment require updates.
2. Engage the right teams: Secure Boot certificate deployment is typically owned by infrastructure and platform teams, so coordinate across your organization.
3. Prioritize high-value assets: Focus remediation efforts on critical devices and sensitive environments first.
4. Track progress over time: Monitor rollout progress and ensure coverage improves ahead of the June 2026 deadline.

Learn more

- Visit the comprehensive Secure Boot guidance at https://aka.ms/GetSecureBoot
- Learn more about Microsoft Secure Score for Devices in Microsoft Defender for Endpoint
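For teams that want to spot-check a single device (or confirm what the portal reports before a rollout), the script below reproduces the three buckets above locally. It is an added example, not code from the Microsoft post or from the Defender recommendation itself. It assumes the standard Microsoft boot manager path on the EFI System Partition, that the drive letter S: is free to mount that partition temporarily, and that a substring match for the CA name inside the raw UEFI db blob and in the boot manager's signature chain is sufficient evidence of trust; run it in an elevated PowerShell session.

```powershell
# Added example (not from the Microsoft post): classify this device the way the
# Defender Secure Boot 2023 recommendation does:
#   NotApplicable - Secure Boot off or legacy BIOS
#   Exposed       - UEFI db does not yet trust "Windows UEFI CA 2023", or the
#                   boot manager is still signed under the 2011 chain
#   Compliant     - db trusts the 2023 CA and bootmgfw.efi is signed under it
function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $false
        DbHas2023CA       = $false
        BootMgrSigner     = $null
        Category          = 'NotApplicable'
    }

    # 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS
    #    firmware, which maps straight to the "Not applicable" bucket.
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        return [pscustomobject]$result
    }
    if (-not $result.SecureBootEnabled) { return [pscustomobject]$result }

    # 2. Does the UEFI signature database (db) already trust the 2023 CA?
    #    db is a raw byte blob of EFI_SIGNATURE_LISTs; the CA's subject name is
    #    present as ASCII inside the embedded X.509 certificates.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    $result.DbHas2023CA = [bool]($dbText -match 'Windows UEFI CA 2023')

    # 3. Which chain signed the boot manager actually in use? bootmgfw.efi sits
    #    on the EFI System Partition, which normally has no drive letter, so
    #    mount it on S: for the duration of the check (assumption: S: is free).
    $letter  = 'S:'
    $mounted = $false
    try {
        if (-not (Test-Path "$letter\")) {
            mountvol $letter /S | Out-Null
            $mounted = $true
        }
        $bootMgr = Join-Path $letter 'EFI\Microsoft\Boot\bootmgfw.efi'
        $sig = Get-AuthenticodeSignature -FilePath $bootMgr
        # Record subject and issuer so the output shows the full signing chain.
        $result.BootMgrSigner = '{0} <- {1}' -f $sig.SignerCertificate.Subject,
                                                $sig.SignerCertificate.Issuer
    } finally {
        if ($mounted) { mountvol $letter /D | Out-Null }
    }

    $bootMgr2023 = $result.BootMgrSigner -match 'Windows UEFI CA 2023'
    $result.Category = if ($result.DbHas2023CA -and $bootMgr2023) { 'Compliant' } else { 'Exposed' }
    [pscustomobject]$result
}

# Usage: print the classification; pipe to Export-Csv to feed platform teams.
Get-SecureBoot2023Status | Format-List
```

A device that reports DbHas2023CA as true but still shows a 2011 issuer on the boot manager is the common mid-rollout state: the certificate update landed, the boot manager swap has not. Treat it as Exposed until both halves are in place, which is what the portal category also requires.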
How Microsoft Defender used predictive shielding to proactively disrupt a ransomware attack
Modern ransomware attacks are increasingly designed to blend in with normal IT operations, using trusted administrative tools to quietly weaken defenses and distribute malicious payloads at scale. In a recent real-world incident, a human-operated ransomware actor attempted to do exactly that by abusing Group Policy Objects (GPOs) to target hundreds of devices, but Microsoft Defender detected the attack and proactively hardened those devices before the GPOs were deployed.

The attacker's plan

The target organization, a large educational institution with more than a couple of thousand devices onboarded to Microsoft Defender, had already experienced a compromise of a domain admin account from an unmanaged device before the ransomware deployment attempt began. Because GPOs are a trusted mechanism for pushing configuration changes across devices, they present an attractive path for attackers looking to disable security tools or deploy ransomware broadly without needing to access each machine individually. This attacker's plan involved weaponizing GPOs to:

- Push tampering configurations that could disable Defender protections across the environment
- Distribute and execute ransomware via scheduled tasks
- Leverage built-in enterprise infrastructure to scale the attack

This approach allowed the attacker to attempt ransomware deployment through standard administrative channels, minimizing the need for direct interaction with individual devices and increasing the potential for widespread impact.

How Defender thwarted the attack

First, Defender quickly detected the attack and contained the domain admin account that the attacker had compromised. Then, since the attacker had created a malicious GPO that disabled key Defender protections, a Defender tampering alert was triggered.
In response, predictive shielding activated GPO hardening, temporarily pausing the propagation of new GPO policies across all MDE-onboarded devices reachable from the attacker's position, and protected ~85% of devices against the tampering policy before ransomware was deployed. Ten minutes later, the attacker attempted to distribute ransomware, but because GPO hardening had already been applied, GPO propagation was already disabled on the targeted devices and the attacker was unsuccessful. Defender recognized that GPO tampering is a precursor to ransomware distribution and acted preemptively. It didn't wait for ransomware to appear; it acted on what the attacker was about to do, preventing downstream impact such as recovery costs and operational downtime.

The results

- Zero machines were encrypted via the GPO path.
- Roughly 97% of devices the attacker attempted to encrypt were fully protected by Defender.
- A limited number of devices experienced encryption during concurrent ransomware activity over SMB; however, attack disruption successfully contained the incident and stopped further impact.
- 700 devices applied the predictive shielding GPO hardening policy, reflecting the attacker's broad targeting scope, blocking the propagation of the malicious policy set by the attacker within approximately 3 hours.

Attackers are getting more sophisticated, finding ways to evade detection by abusing legitimate IT tools that organizations rely on and can't simply turn off. Security teams can't restrict these mechanisms without impacting daily operations. By detecting ransomware staging and predicting the attacker's next move, Defender can apply targeted restrictions just in time, shifting from reactive response to proactive prevention and stopping only what matters, when it matters, while maintaining full business productivity.
With average ransom demands now ranging from $2–5M, the downstream recovery and remediation savings from preventing these attacks can be massive.

Learn more

- To learn more about this specific attack, check out the full case study: Case study: How predictive shielding in Defender stopped GPO-based ransomware before it started [microsoft.com]

End of Windows 10 Support: What Defender Customers Need to Know
As of today, October 14, 2025, Microsoft is officially ending support for Windows 10. This means that Windows 10 devices will no longer receive security or feature updates, nor technical support from Microsoft. While these devices will continue to operate, the lack of regular security updates increases vulnerability to cyber threats, including malware and viruses. Applications running on Windows 10 may also lose support as the platform stops receiving updates.

Will Defender continue to protect Windows 10 devices?

Defender supports a range of legacy systems, including Windows 10. (See here for a full list of supported operating systems.) Microsoft Defender will continue to provide detection and protection capabilities to the extent possible on Windows 10 and other legacy systems. Keep in mind that security solutions on legacy systems are inherently less secure and may not be able to receive all new features, so please review the next section for important actions you can take.

For Windows 10 customers without Defender, Microsoft will continue to provide security intelligence updates for the built-in Microsoft Defender Antivirus protection through October 2028. Of course, Defender Antivirus alone isn't a comprehensive risk mitigation posture without Microsoft Defender detection and response deployed across your digital estate.

What should customers do to protect their Windows 10 devices?

Upgrade to Windows 11: Moving to Windows 11 is strongly recommended for PCs eligible to upgrade. Windows 11 delivers the latest security features, improved performance, and ongoing support at no additional cost. This is the best way to ensure your endpoints remain protected and compliant. Devices running Windows 10 will be more vulnerable, even with ongoing security intelligence updates (SIUs).

Extended security update (ESU) program: If upgrading isn't immediately possible, Microsoft offers an ESU program for Windows 10.
The ESU program provides critical and important security updates but does not include new Windows features or technical support. Enterprise customers can purchase ESU for up to three years or receive it at no additional cost with a Windows 365 subscription.

Cloud and virtual environments: Windows 10 devices accessing Windows 11 Cloud PCs via Windows 365 or virtual machines are entitled to ESU at no extra cost, with automatic updates.

Consumer customers have options to enroll for one year of ESU, including free enrollment methods in certain regions.

For further guidance, check out the posts below or connect with your Microsoft account team.

- End of support for Windows 10, Windows 8.1, and Windows 7 | Microsoft Windows
- How to prepare for Windows 10 end of support by moving to Windows 11 today | Windows Experience Blog
- Extended Security Updates (ESU) program for Windows 10 | Microsoft Learn

Announcing mobile device tagging for iOS and Android
Microsoft Defender for Endpoint is helping decentralized SOC teams improve their approach to security and privacy across mobile devices by making it easier to tag iOS and Android devices, giving security admins more control over who has access to specific groups and device data.

Defender for Endpoint and disconnected environments. Which proxy configuration wins?
This article is a follow-up to a previous one discussing conflicting proxy configurations and how Microsoft Defender for Endpoint behaves in these situations. The first article can be found here. In this article we'll explore how Defender for Endpoint network traffic flows depending on which proxy configuration is in use, as well as what network traffic looks like when all three proxy configurations are set.