MC1266905 - Microsoft Secure Score: New recommendation for Microsoft Defender for Endpoint

Message ID

MC1266905

View in Message Center

Service

Microsoft Defender XDR

Published

Mar 31, 2026

Tag

New feature

User impact

Admin impact

Summary

Microsoft Secure Score will add a new recommendation to block outbound traffic from mshta.exe in Microsoft Defender for Endpoint, starting public preview in late March 2026. This reduces risk from attacks using mshta.exe, requires admin action to enable, and impacts compliance monitoring and data access.

More information

Introduction

To help organizations strengthen endpoint security and reduce exposure to common attack techniques, we’re introducing a new Microsoft Secure Score recommendation in Microsoft Defender for Endpoint (MDE). This recommendation focuses on blocking outbound traffic from mshta.exe, a legitimate Windows binary that is frequently abused by attackers to execute malicious scripts. Implementing this recommendation helps reduce risk from living-off-the-land binary (LOLBIN) attacks and improves your overall security posture.

When this will happen

Public Preview: Rollout begins late March 2026 and is expected to complete by early April 2026.
General Availability (Worldwide): Rollout begins late March 2026 and is expected to complete by late May 2026.

How this affects your organization

Who is affected

Admins managing Microsoft Defender for Endpoint and Microsoft Secure Score.

What will happen

A new Secure Score recommendation titled “Block outbound traffic from mshta.exe” will appear in Microsoft Secure Score for tenants enrolled in Public Preview:
Secure Score points will reflect whether this recommendation is implemented.
The recommendation is not enabled by default and requires admin action to implement.
There is no direct user experience change unless your organization enforces the configuration.

Why this matters

mshta.exe is commonly abused by attackers to download and execute malicious payloads from remote sources.
Blocking outbound traffic from this binary reduces attack surface and aligns with modern endpoint hardening best practices.

What you can do to prepare

Review the new recommendation in Microsoft Secure Score once available.
Evaluate potential line of business or scripting dependencies before enforcement.
Implement the recommended configuration to improve your organization’s security posture.
Communicate these changes to your security and endpoint management teams.

Learn more: Microsoft Secure Score | Microsoft Defender XDR | Microsoft Defender | Microsoft Learn

Compliance considerations

Question	Answer
Does the change alter how existing customer data is processed, stored, or accessed?	Yes. Blocking outbound traffic from mshta.exe may prevent certain scripts or applications from accessing external resources.
Does the change alter how admins can monitor, report on, or demonstrate compliance activities?	Yes. Microsoft Secure Score will reflect the implementation status of the new recommendation.
Does the change include an admin control, and can it be controlled through Entra ID group membership?	Yes. Admins must explicitly implement the recommendation in Microsoft Defender for Endpoint.