Defender Learn Updates: April 21-28, 2026
- Christopher Reed

- Apr 28
The public crawl surfaced 50 changed sources for this area in the April 21-28, 2026 window. Source hub: Defender Microsoft Learn.
What changed
TOC — Updated; Changed in the April 21-28 window. Microsoft updated this Learn source during the seven-day window. What it could mean: give this a quick operational review for Defender because Microsoft Learn updates often track supported configuration or support guidance.
Stream Microsoft Defender for Endpoint events to Azure Event Hubs — Updated; Changed in the April 21-28 window. Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Event Hubs. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Onboard non-persistent virtual desktop infrastructure (VDI) devices — Updated; Changed in the April 21-28 window. Deploy the configuration package on virtual desktop infrastructure (VDI) devices so that they're onboarded to the Microsoft Defender for Endpoint service. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Endpoint detection and response in block mode — Updated; Changed in the April 21-28 window. Learn about endpoint detection and response in block mode. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune — Updated; Changed in the April 21-28 window. Describes how to deploy Microsoft Defender for Endpoint on iOS using an app. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Prerequisites for Microsoft Defender for Endpoint on Linux — Updated; Changed in the April 21-28 window. Describes the requirements needed to install and use Microsoft Defender for Endpoint on Linux. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) — Updated; Changed in the April 21-28 window. Learn how to set up and use the Defender for Endpoint plug-in for Windows Subsystem for Linux. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Microsoft Defender for Endpoint on macOS Prerequisites — Updated; Changed in the April 21-28 window. Learn how to install and configure Microsoft Defender for Endpoint on macOS. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Understand and use attack surface reduction — Updated; Changed in the April 21-28 window. Learn about the attack surface reduction capabilities of Microsoft Defender for Endpoint. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Take response actions on a device in Microsoft Defender for Endpoint — Updated; Changed in the April 21-28 window. Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running an antivirus scan, and restricting app execution. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Microsoft Defender for Endpoint standard connectivity URLs - commercial — Updated; Changed in the April 21-28 window. Get a list of the standard connectivity URLs required to onboard and maintain devices in Microsoft Defender for Endpoint in US commercial cloud environments. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
Microsoft Defender for Endpoint standard connectivity URLs - US government — Updated; Changed in the April 21-28 window. Get a list of the standard connectivity URLs required to onboard and maintain devices in Microsoft Defender for Endpoint in US government cloud environments. What it could mean: review detection, policy, and response operations because Defender documentation changes can affect day-two security workflows.
What it could mean
For Defender, the pattern is worth treating as an operational signal, not just documentation churn. Use these changes to decide whether admin runbooks, pilot rings, support scripts, security baselines, or user-facing guidance need a quick refresh.
Complete Article List
TOC — Updated; Changed in the April 21-28 window
Stream Microsoft Defender for Endpoint events to Azure Event Hubs — Updated; Changed in the April 21-28 window
Onboard non-persistent virtual desktop infrastructure (VDI) devices — Updated; Changed in the April 21-28 window
Endpoint detection and response in block mode — Updated; Changed in the April 21-28 window
Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune — Updated; Changed in the April 21-28 window
Prerequisites for Microsoft Defender for Endpoint on Linux — Updated; Changed in the April 21-28 window
Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) — Updated; Changed in the April 21-28 window
Microsoft Defender for Endpoint on macOS Prerequisites — Updated; Changed in the April 21-28 window
Understand and use attack surface reduction — Updated; Changed in the April 21-28 window
Take response actions on a device in Microsoft Defender for Endpoint — Updated; Changed in the April 21-28 window
Microsoft Defender for Endpoint standard connectivity URLs - commercial — Updated; Changed in the April 21-28 window
Microsoft Defender for Endpoint standard connectivity URLs - US government — Updated; Changed in the April 21-28 window
Microsoft Defender for Endpoint streamlined connectivity URLs - commercial — Updated; Changed in the April 21-28 window
Migrate to Microsoft Defender for Endpoint - Onboard — Updated; Changed in the April 21-28 window
Configure the advanced delivery policy for non-Microsoft phishing simulations and email delivery to SecOps mailboxes — Updated; Changed in the April 21-28 window
Automated investigation and response in Microsoft Defender for Office 365 — Updated; Changed in the April 21-28 window
Anti-phishing policies in Microsoft 365 — Updated; Changed in the April 21-28 window
Bulk email detection — Updated; Changed in the April 21-28 window
Reports for Attack simulation training — Updated; Changed in the April 21-28 window
Simulation automations for Attack simulation training — Updated; Changed in the April 21-28 window
Simulate a phishing attack with Attack simulation training — Updated; Changed in the April 21-28 window
Set up SPF to identify valid email sources for your Microsoft 365 domain — Updated; Changed in the April 21-28 window
Microsoft Defender for Office 365 support for Microsoft Teams — Updated; Changed in the April 21-28 window
Outbound delivery pools — Updated; Changed in the April 21-28 window
Manage quarantined messages and files as an admin — Updated; Changed in the April 21-28 window
Find and release quarantined messages as a user — Updated; Changed in the April 21-28 window
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams — Updated; Changed in the April 21-28 window
Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview — Updated; Changed in the April 21-28 window
User reported settings in Teams — Updated; Changed in the April 21-28 window
User reported settings — Updated; Changed in the April 21-28 window
TOC — Updated; Changed in the April 21-28 window
Activate Microsoft Defender unified role-based access control (URBAC) — Updated; Changed in the April 21-28 window
Details and results of an automatic attack disruption action — Updated; Changed in the April 21-28 window
Automatic attack disruption in Microsoft Defender — Updated; Changed in the April 21-28 window
Create custom detection rules in Microsoft Defender XDR — Updated; Changed in the April 21-28 window
Device entity page in Microsoft Defender — Updated; Changed in the April 21-28 window
Investigate alerts in Microsoft Defender XDR — Updated; Changed in the April 21-28 window
Security Copilot Phishing Triage Agent in Microsoft Defender — Updated; Changed in the April 21-28 window
Microsoft Security Copilot Security Alert Triage Agent in Microsoft Defender (Preview) — New; Changed in the April 21-28 window
Detect, block, and investigate threats to AI agents using Microsoft Defender (Preview) — Updated; Changed in the April 21-28 window
Protect AI assets from emerging threats and vulnerabilities using Microsoft Defender — Updated; Changed in the April 21-28 window
Manage predictive shielding in Microsoft Defender — Updated; Changed in the April 21-28 window
Configuring Microsoft Defender Experts app in Teams — Updated; Changed in the April 21-28 window
What's new in Microsoft Defender XDR — Updated; Changed in the April 21-28 window
New features in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint — Updated; Updated Apr 28, 2026
Microsoft Defender unified role-based access control (RBAC) - Microsoft Defender XDR — Updated; Updated Apr 28, 2026
Microsoft Defender for Endpoint release notes - Microsoft Defender for Endpoint — Updated; Updated Apr 27, 2026
Microsoft Defender for Identity sensor v3.x prerequisites - Microsoft Defender for Identity — Updated; Updated Apr 27, 2026
What is Microsoft Defender XDR? - Microsoft Defender XDR — Updated; Updated Apr 23, 2026
Microsoft Defender Antivirus compatibility with other security products - Microsoft Defender for Endpoint — Updated; Updated Apr 21, 2026
Sources
Source for Stream Microsoft Defender for Endpoint events to Azure Event Hubs
Source for Onboard non-persistent virtual desktop infrastructure (VDI) devices
Source for Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune
Source for Prerequisites for Microsoft Defender for Endpoint on Linux
Source for Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL)
Source for Microsoft Defender for Endpoint on macOS Prerequisites
Source for Take response actions on a device in Microsoft Defender for Endpoint
Source for Microsoft Defender for Endpoint standard connectivity URLs - commercial
Source for Microsoft Defender for Endpoint standard connectivity URLs - US government
Source for Microsoft Defender for Endpoint streamlined connectivity URLs - commercial
Source for Migrate to Microsoft Defender for Endpoint - Onboard
Source for Automated investigation and response in Microsoft Defender for Office 365
Source for Simulation automations for Attack simulation training


