An online service that adds a post-breach layer of protection to Windows 10 clients, helping to detect threats that made it past other defenses and providing organizations with information to investigate and remedy breaches across multiple endpoints. Previously named Microsoft Defender Advanced Threat Protection (ATP), and initially named Windows Defender Advanced Threat Protection.
Microsoft admins had a rough Friday the 13th this past January 13, thanks to a problem with Windows Security and Defender for Endpoint. The Attack Surface Reduction (ASR) rule pushed to some Windows 10 and 11 customers caused havoc for a number of users, thanks to false positives causing deletion of files connected to the "Block Win32 API calls from Office macro" rule. The result: Affected users lost pinned shortcuts and icons across their desktop, Taskbar and Start Menu.
On Saturday January 14, Microsoft released an updated build (1.381.2164.0) meant to help customers recover from the mess. However, the updated security intelligence build doesn't restore deleted files, meaning users will have to recreate links for "a significant sub-set of the affection applications that were deleted."
Microsoft created a PowerShell script to help customers recover a small number of the applications likely affected. Microsoft also is advising E5 and A5 admins with access to Defender for Endpoint Advanced Hunting to run certain queries to identify impacted devices. (Those without access to Advanced Hunting, like Defender for Business, are unable to do this.)
There's no word from Microsoft if the company believes it can create a fix which could recover the deleted files, but IT pros commenting on various blogs are doubtful. Admins are more interested in knowing how Microsoft could release this type of update without having checked for possible impacts -- another question that is highly unlikely to get a public or private answer.
"This doesn't seem like the kind of thing that should make it through testing," said Directions on Microsoft analyst Wes Miller.
The options for licensing Microsoft Defender for Endpoint vary depending on the usage scenario; however, in certain cases, there is no good licensing option.
Microsoft 365 Defender is not a single service, but a shared portal and an umbrella brand for a set of Microsoft 365 security services designed to keep data, devices, and user credentials secure.
Microsoft Defender for Endpoint is gradually replacing the legacy Endpoint Protection product, but the latter is better for some specific scenarios and environments.
A range of considerations and complications can come into play when planning for a deployment of shared devices. This collection of reports discuss a range of licensing and technology considerations that organizations may want to take into account to ensure their shared devices are properly licensed and ideally deployed.
Licensing shared devices correctly requires that organizations understand how a device will be used and which licensing options are available from Microsoft.
Microsoft Defender offers limited security capabilities for mobile devices, and the cost to users may not be worth it to users of iPhones and iPads.
The two Microsoft Defender for Endpoint plans can be complicated to untangle.
Microsoft 365 E3 receives a limited layer of centrally managed endpoint protection, partially filling the security gap that existed below Microsoft Defender for Endpoint.
Microsoft Defender for Servers plans can be complicated to untangle.