This article describes Microsoft Defender for Endpoint features that are in preview or generally available (GA), released in the past six months.
For recent releases of Microsoft Defender for Endpoint, including build numbers, improvements, and fixes, see Microsoft Defender for Endpoint release notes.
Learn more about Preview features.
March 2026
| Type | Feature | Preview/GA | Description |
|---|---|---|---|
| Feature | Proactive user containment (contain user) | GA | The proactive user containment (contain user) action as part of the predictive shielding feature is now generally available. This action infuses activity data with exposure data to identify exposed credentials at risk of being compromised and reused to conduct malicious activity. |
February 2026
| Type | Feature | Preview/GA | Description |
|---|---|---|---|
| Release - macOS | Build 101.26012.0012 | GA | Release version 20.126012.12.0 released: See enhancements and features for this release. |
| Feature | What's new and release notes documentation updates | GA | The what's new and OS-specific release notes pages are now updated to provide better visibility and access to new features, improvements, and fixes: - The what's new page (this page) is now named New features in Microsoft Defender for Endpoint and includes both features and links to latest release notes. - The Release notes page now consolidates release details for all supported operating systems, including Windows Antivirus. The new page groups updates by platform and date, making it easier to find specific information. - All previous release notes pages redirect to the consolidated release notes page. |
| Feature | Support for software product vulnerability data on Windows 7 | GA | To provide comprehensive vulnerability management capabilities across all supported Windows versions, Microsoft Defender Vulnerability Management now gathers software product vulnerability data on Windows 7 devices. |
| Feature | Library management for live response | Preview | You can now view and manage files and scripts used during live response sessions in the Microsoft Defender portal. With this enhancement, you get a centralized view of all uploaded files and their properties, and can upload, view and delete files outside the live response session. |
| Feature | Effective settings tab | GA | The Effective settings tab under the device inventory Configuration management tab is now generally available. In this tab, you can view the actual value and configuration source of each security setting on a device. This helps identify configuration attempts that didn't take effect and eliminates gaps where intended protections aren't enforced. |
| Feature | Vulnerable components page renamed to Software components | GA | To reflect Defender Vulnerability Management's visibility into all software components identified in your organization, the Vulnerable components page is now named Software components. |
| Feature | Improved Device Vulnerabilities report experience | GA | To simplify and streamline the Device vulnerabilities report experience, the Vulnerable devices report now includes the following changes and enhancements: - The Vulnerable devices by Windows 10/11 version over time section is now removed. - The report's filters only include the Device group filter. - The report's history is now limited to the last 30 days. Note: These changes are now visible to government cloud customers, but aren't yet visible in air-gapped environments. This visibility will be added in the coming months. |
| Release - macOS | Build 101.25122.0008 | GA | Release version 20.125122.8.0 released: See enhancements and features for this release. |
| Release - Linux | Build 101.25122.0004 | GA | Release version 30.125122.0004.0 released: See enhancements and features for this release. |
| Release - Windows | Windows Defender Antivirus: Platform 4.18.26010.5 / Engine 1.1.26010.1 | GA | See enhancements and features for this release. |
January 2026
| Type | Feature | Preview/GA | Description |
|---|---|---|---|
| Release - Linux | Build 101.25102.0005 | GA | Release version 30.125102.0005.0 released: See enhancements and features for this release. |
| Release - macOS | Build 101.25122.0007 | GA | Release version 20.125122.7.0 released: See enhancements and features for this release. |
| Release - macOS | Build 101.25122.0006 | GA | Release version 20.125122.6.0 released: See enhancements and features for this release. |
| Feature | Device vulnerabilities report enhancements | Preview | To simplify and streamline the Device vulnerabilities report experience, the Vulnerable devices report now includes several changes and enhancements (learn more). Note: These changes are not yet visible to government cloud customers. |
December 2025
| Type | Feature | Preview/GA | Description |
|---|---|---|---|
| Release - Linux | Build 101.25092.0005 | GA | Release version 30.125092.0005.0 released: See enhancements and features for this release. |
| Release - Linux | Build 101.25092.0002 | GA | Release version 30.125092.0002.0 released: See enhancements and features for this release. |
| Release - Android | Build 1.0.8412.0101 | GA | Build 1.0.8412.0101 released: See enhancements and features for this release. |
| Release - Android | Build 1.0.8321.0101 | GA | Build 1.0.8321.0101 released: See enhancements and features for this release. |
| Release - macOS | Build 101.25102.0019 | GA | Release version 20.125102.19.0 released: See enhancements and features for this release. |
| Release - Windows | Windows Defender Antivirus: Platform 4.18.25110.6 / Engine 1.1.25110.1 | GA | See enhancements and features for this release. |
| Feature | Triage collection | Preview | Use triage collection to prioritize incidents and hunt threats with the Sentinel Model Context Protocol (MCP) server. |
| Feature | New Microsoft Secure Score recommendations | Preview | Microsoft Secure Score now includes new recommendations to help organizations proactively prevent common endpoint attack techniques: - Disable Remote Registry service on Windows: Prevents remote access to the Windows registry, reducing attack surface and blocking unauthorized configuration changes, privilege escalation, and lateral movement. - Disable NTLM authentication for Windows workstations: Helps prevent credential theft and lateral movement attacks by removing support for an outdated and insecure protocol. |
| Feature | CVE exceptions | GA | CVE exceptions are now generally available, and also support the False positive justification and the status field as part of the response for the GET /api/vulnerabilities request. Learn more. |
November 2025
| Type | Feature | Preview/GA | Description |
|---|---|---|---|
| Feature | New predictive shielding response actions | Preview | Defender for Endpoint now includes the GPO hardening and Safeboot hardening response actions. These actions are part of the predictive shielding feature, which anticipates and mitigates potential threats before they materialize. |
| Feature | Custom data collection | Preview | Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. |
| Feature | Vulnerability management moves under Exposure management | Preview | The Vulnerability Management section in the Microsoft Defender portal is now located under Exposure management. This change is part of the vulnerability management integration to Microsoft Security Exposure Management, which significantly expands the scope and capabilities of the platform. Learn more. |
| Feature | Defender deployment tool - for Windows devices - for Linux devices | Preview | The new Defender deployment tool is a lightweight, self-updating application that streamlines onboarding devices to the Defender endpoint security solution. The tool takes care of prerequisites, automates migrations from older solutions, and removes the need for complex onboarding scripts, separate downloads, and manual installations. It supports Windows and Linux devices. |
| Feature | Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1 | Preview | A Defender endpoint security solution is now available for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 devices. The solution provides advanced protection capabilities and improved functionality for these devices compared to other solutions. The new solution is available using the new Defender deployment tool. |
| Release - Windows | Windows Defender Antivirus: Platform 4.18.25100.9008 / Engine 1.1.25100.9002 | GA | See enhancements and features for this release. |
October 2025
| Type | Feature | Preview/GA | Description |
|---|---|---|---|
| Release - Android | Build 1.0.8217.0101 | GA | Build 1.0.8217.0101 released: See enhancements and features for this release. |
| Release - Android | Build 1.0.8201.0101 | GA | Build 1.0.8201.0101 released: See enhancements and features for this release. |
| Release - macOS | Build 101.25082.0006 | GA | Release version 20.125082.6.0 released: See enhancements and features for this release. |
| Release - iOS | Build 1.1.70230101 | GA | Build 1.1.70230101 released: See enhancements and features for this release. |
| Release - iOS | Build 1.1.69250104 | GA | Build 1.1.69250104 released: See enhancements and features for this release. |
| Release - Windows Antivirus | Platform 4.18.25100.9008 / Engine 1.1.25100.9002 | GA | Platform 4.18.25100.9008 and Engine 1.1.25100.9002 released: See enhancements and features for this release. |
| Feature | Streamlined connectivity support for US government environments | Preview | Defender for Endpoint now supports streamlined connectivity for US government cloud environments. This enhancement simplifies onboarding by reducing the number of required service endpoints and improves reliability across restricted networks. For more information, see the required connectivity settings. |
| Feature | Isolation exclusions | GA | The Isolation exclusions feature is now generally available. Isolation exclusions allow designated processes or endpoints to bypass the restrictions of network isolation. This ensures that essential functions can continue while broader network exposure is limited. |
| Release - Linux | Build 101.25092.0001 | GA | Release version 30.125092.0001.0 released: See enhancements and features for this release. |
| Feature | CVE exceptions | Preview | You can now use CVE exceptions to exclude specific Common Vulnerabilities and Exposures (CVEs) from analysis in your environment. CVE exceptions allow you to control what type of data is relevant to your organization and to selectively exclude certain data from your remediation efforts. For more information, see Exceptions in Microsoft Defender Vulnerability Management and Create, view, and manage exceptions. |
| Feature | New Microsoft Secure Score recommendations | Preview | Microsoft Secure Score now includes new recommendations to help organizations proactively prevent common endpoint attack techniques: - Block web shell creation on servers: Reduces the risk of web-based persistence and remote code execution attacks. - Block use of copied or impersonated system tools: Helps prevent attacker misuse of legitimate administrative utilities for lateral movement or privilege escalation. - Block rebooting a machine in Safe Mode: Helps defend against attackers who attempt to disable endpoint protection or persist through reboots. |
September 2025
| Type | Feature | Preview/GA | Description |
|---|---|---|---|
| Release - Android | Build 1.0.8102.0101 | GA | Build 1.0.8102.0101 released: See enhancements and features for this release. |
| Release - macOS | Build 101.25072.0011 | GA | Release version 20.125072.11.0 released: See enhancements and features for this release. |
| Release - macOS | Configure offline security intelligence updates for Microsoft Defender for Endpoint on macOS | GA | Enables organizations to update security intelligence (antivirus definitions/signatures) on macOS endpoints offline from a local mirror server. |
| Release - Linux | Build 101.25082.0003 | GA | Release version 30.125082.0003.0 released: See enhancements and features for this release. |
| Release - Linux | Build 101.25072.0003 | GA | Release version 30.125072.0003.0 released: See enhancements and features for this release. |
| Release - iOS | Build 1.1.68200103 | GA | Build 1.1.68200103 released: See enhancements and features for this release. |