MC1330888 – Upcoming change to Microsoft Defender for Endpoint Advanced Hunting: removal of SMB signature data


check before: 2026-06-02

Product:

Defender, Defender for Endpoint, Defender XDR

Platform:

Online, US Instances, World tenant

Change type:

Admin impact, Retirement

Summary:
Microsoft Defender for Endpoint will remove SMB signature inspection events from Advanced Hunting starting July 1, 2026, due to low customer value. Users must update queries referencing SMB_Client to filter on port 445 instead. Other network signature events remain unchanged; no tenant action is required to enable this change.

Details:
[Introduction]
To improve endpoint performance and focus on higher-value network telemetry, Microsoft is removing SMB signature inspection events from Advanced Hunting in Microsoft Defender for Endpoint. This change reflects observed low customer value for SMB signature data on endpoints and our continued investment in more advanced SMB visibility through Zeek-based network capabilities.
[When this will happen:]
The rollout to Worldwide, GCC, GCC High, and DoD will begin on July 1, 2026, and will complete shortly thereafter across all tenants.
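
To find saved hunting queries affected by this retirement, the following added example (not part of the original notice and not Microsoft tooling) flags KQL text that references SMB_Client outside comments and reports whether a port 445 filter is already present. The sample queries are constructed; the table and column names in them (DeviceNetworkEvents, AdditionalFields, RemotePort, LocalPort), the HTTP_Client signature name and the status labels are assumptions.

```python
import re

# Constructed saved queries (name -> KQL), not taken from the notice.
# Table and column names in them are assumptions for illustration.
SAMPLE_QUERIES = {
    "smb-signature-hunt": '''DeviceNetworkEvents
| where AdditionalFields has "SMB_Client"''',
    "smb-by-port": '''// replaces the old SMB_Client signature filter
DeviceNetworkEvents
| where RemotePort == 445 or LocalPort == 445''',
    "mixed": '''DeviceNetworkEvents
| where AdditionalFields has "SMB_Client" or RemotePort in (139, 445)''',
    "http-signature-hunt": '''DeviceNetworkEvents
| where AdditionalFields has "HTTP_Client"''',
}

SIGNATURE = re.compile(r"\bSMB_Client\b")
PORT_445 = re.compile(
    r"\b(?:Remote|Local)Port\s*==\s*445\b"
    r"|\b(?:Remote|Local)Port\s+in\s*\([^)]*\b445\b")

def strip_comments(kql):
    """Drop // comments but keep // that sits inside a quoted string."""
    cleaned = []
    for line in kql.splitlines():
        quote = None
        for i, ch in enumerate(line):
            if quote:
                quote = None if ch == quote else quote
            elif ch in "\"'":
                quote = ch
            elif line.startswith("//", i):
                line = line[:i]
                break
        cleaned.append(line)
    return "\n".join(cleaned)

def audit(kql):
    """Return 'unaffected', 'needs-update', or 'review' when a port 445
    filter sits next to a remaining SMB_Client reference."""
    code = strip_comments(kql)
    if not SIGNATURE.search(code):
        return "unaffected"
    return "review" if PORT_445.search(code) else "needs-update"

def audit_all(queries):
    return {name: audit(text) for name, text in queries.items()}

if __name__ == "__main__":
    print(audit_all(SAMPLE_QUERIES))
```
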

Created:
2026-06-02

updated:
2026-06-02
