Microsoft Secure Score: New recommendation for Microsoft Defender for Endpoint
Microsoft Secure Score will add a new recommendation to block outbound traffic from mshta.exe in Microsoft Defender for Endpoint, starting public preview in late March 2026. This reduces risk from attacks using mshta.exe, requires admin action to enable, and impacts compliance monitoring and data access.

Introduction
To help organizations strengthen endpoint security and reduce exposure to common attack techniques, we’re introducing a new Microsoft Secure Score recommendation in Microsoft Defender for Endpoint (MDE). This recommendation focuses on blocking outbound traffic from mshta.exe, a legitimate Windows binary that is frequently abused by attackers to execute malicious scripts. Implementing this recommendation helps reduce risk from living-off-the-land binary (LOLBIN) attacks and improves your overall security posture.
When this will happen
- Public Preview: Rollout begins late March 2026 and is expected to complete by early April 2026.
- General Availability (Worldwide): Rollout begins late March 2026 and is expected to complete by late May 2026.
How this affects your organization
Who is affected
Admins managing Microsoft Defender for Endpoint and Microsoft Secure Score.
What will happen
- A new Secure Score recommendation titled “Block outbound traffic from mshta.exe” will appear in Microsoft Secure Score for tenants enrolled in Public Preview.
- Secure Score points will reflect whether this recommendation is implemented.
- The recommendation is not enabled by default and requires admin action to implement.
- There is no direct user experience change unless your organization enforces the configuration.
Why this matters
- mshta.exe is commonly abused by attackers to download and execute malicious payloads from remote sources.
- Blocking outbound traffic from this binary reduces attack surface and aligns with modern endpoint hardening best practices.
What you can do to prepare
- Review the new recommendation in Microsoft Secure Score once available.
- Evaluate potential line of business or scripting dependencies before enforcement.
- Implement the recommended configuration to improve your organization’s security posture.
- Communicate these changes to your security and endpoint management teams.
Learn more: Microsoft Secure Score | Microsoft Defender XDR | Microsoft Defender | Microsoft Learn
Compliance considerations
| Question | Answer |
|---|---|
| Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Blocking outbound traffic from mshta.exe may prevent certain scripts or applications from accessing external resources. |
| Does the change alter how admins can monitor, report on, or demonstrate compliance activities? | Yes. Microsoft Secure Score will reflect the implementation status of the new recommendation. |
| Does the change include an admin control, and can it be controlled through Entra ID group membership? | Yes. Admins must explicitly implement the recommendation in Microsoft Defender for Endpoint. |
Message ID: MC1266905
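For the preparation step of evaluating line-of-business or scripting dependencies before enforcement, the following advanced hunting query is an added example and is not part of the Microsoft message. It assumes access to Defender for Endpoint advanced hunting and the DeviceNetworkEvents table; the 30-day lookback and the output column names are choices made for this example.

```kusto
// Added example: inventory network connections initiated by mshta.exe so that
// legitimate dependencies can be identified before the block is enforced.
// Assumption: 30-day lookback; shorten or extend to match your data retention.
let lookback = 30d;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Connections where mshta.exe is the initiating process
| where InitiatingProcessFileName =~ "mshta.exe"
// Keep connection events; drops inbound-accepted and listening-socket events
| where ActionType startswith "Connection"
// Prefer the hostname when one was recorded, otherwise fall back to the IP
| extend Destination = iff(isnotempty(RemoteUrl), RemoteUrl, RemoteIP)
| summarize
    Connections        = count(),
    Devices            = dcount(DeviceId),
    SampleDevices      = make_set(DeviceName, 5),
    ParentProcesses    = make_set(InitiatingProcessParentFileName, 5),
    SampleCommandLines = make_set(InitiatingProcessCommandLine, 5),
    Accounts           = make_set(InitiatingProcessAccountName, 5),
    FirstSeen          = min(Timestamp),
    LastSeen           = max(Timestamp)
    by Destination, RemotePort, RemoteIPType
// Destinations reached from many devices over a long period are the most
// likely business dependencies; one-off public destinations merit review.
| order by Devices desc, Connections desc
```

An empty result over the lookback window indicates no observed mshta.exe network activity on onboarded devices; rows with a Public RemoteIPType are the ones the outbound block would affect most directly.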



