Microsoft Defender for Endpoint Just Got Smarter: Local AI Agent Discovery & Runtime Protection Now in Public Preview + Video

Listen to this Post

Featured Image

Introduction:

The proliferation of local AI agents—coding assistants, desktop AI apps, and autonomous agent platforms—has created a massive blind spot for security teams. These agents run with user-level permissions, accessing files, tools, and services across endpoints, yet organizations have had zero visibility into their presence or activity. Microsoft Defender for Endpoint’s June 2026 public preview release changes everything, introducing automatic discovery of supported local AI agents and runtime protection that inspects the agent loop to block prompt injection and unsafe actions before they execute.

Learning Objectives:

  • Understand how Microsoft Defender for Endpoint automatically discovers local AI agents across Windows endpoints and visualizes them in the Defender portal
  • Learn to enable AI agent runtime protection via PowerShell and Intune, with three operational modes: Disabled, Audit, and Block
  • Master the phased deployment approach for runtime protection, including testing in audit mode, reviewing alerts, and rolling out blocking mode
  • Identify supported AI agents including CLI tools, desktop apps, agentic IDEs, and VS Code extensions
  • Investigate runtime protection detections using advanced hunting and Kusto Query Language (KQL)

You Should Know:

  1. Local AI Agent Discovery: Closing the Visibility Gap

Microsoft Defender for Endpoint now automatically discovers supported local AI agents running on onboarded Windows devices. This includes coding agents and IDE extensions, desktop AI assistants, local AI runtimes, and agent platforms. Discovered agents appear as assets in the AI agent inventory, exposure map, and advanced hunting, giving security teams centralized visibility into local AI agent usage across the organization.

Supported agents include:

  • CLI agents: Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, OpenCode, Antigravity CLI
  • Desktop apps: ChatGPT Desktop, Claude Desktop, Codex Desktop, Ollama Desktop, Poe Desktop
  • Agentic IDEs: Cursor, Antigravity IDE, Windsurf
  • VS Code extensions: Claude Code, Cline, Codex, Gemini Code Assist, GitHub Copilot, Roo Code
  • Claw-based agents: OpenClaw, Clawpilot, Claw/Nanobot

Defender defines an agent as a combination of a user, a device, and an agent type. For example, if Claude Code runs in 15 different project folders on the same device for the same user, it appears as a single agent entry in the inventory. When supported, Microsoft Defender also discovers MCP server configurations associated with these agents, including local and remote MCP server configurations.

2. Enabling Runtime Protection via PowerShell

Runtime protection is currently disabled by default and must be explicitly enabled. Before enabling, ensure devices meet these prerequisites:
– Devices are onboarded to Microsoft Defender for Endpoint
– Devices run a supported version of Windows with Microsoft Defender Antivirus in active mode
– Defender Antivirus is updated with current monthly platform and engine updates
– Runtime protection is currently only available on devices configured to receive Beta platform and engine updates
– One or more supported local AI agents are installed

To enable runtime protection, open an elevated PowerShell session and use the following command:

Set-MpPreference -AiAgentProtection <mode>

Replace `` with one of the following values:

| Mode | Value | Description |

||-|-|

| Disabled | 0 | Runtime protection is turned off |
| Block | 1 | Risky activity is blocked and alerts are generated |
| Audit | 2 | Activity is logged but not blocked; alerts are generated for monitoring |

Example usage:

 Enable audit mode for testing
Set-MpPreference -AiAgentProtection Audit

Enable blocking mode for production
Set-MpPreference -AiAgentProtection Block

Verify current setting
Get-MpPreference | Select-Object AiAgentProtection

Disable runtime protection
Set-MpPreference -AiAgentProtection Disabled

Note: The `AiAgentProtection` parameter is currently in public preview. It is expected to become more broadly available for Microsoft Agent 365 subscription users after July 1, 2026.

  1. Deploying Runtime Protection via Intune and Group Policy

For enterprise-wide deployment, Microsoft recommends a phased rollout approach:

Phase 1: Test in Audit Mode

Enable runtime protection in audit mode on a small set of devices where supported agents are actively used:

Set-MpPreference -AiAgentProtection Audit

Phase 2: Review and Tune

Monitor alerts in the Microsoft Defender portal for 1–2 weeks. If false positives are identified, submit them to Microsoft for analysis.

Phase 3: Deploy in Block Mode

After validating audit results, roll out blocking mode across the organization:

Set-MpPreference -AiAgentProtection Block

Intune Deployment:

For Intune-managed devices, configure AI agent runtime protection through Microsoft Defender for Endpoint Security Configuration Management. Navigate to the Microsoft Defender portal > Endpoint security > Antivirus > Create policy, and configure the AI agent protection settings under the “Advanced” section.

Group Policy Deployment:

For on-premises environments, use Group Policy Administrative Templates to configure the `AiAgentProtection` setting under Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > AI Agent Protection.

  1. How Runtime Protection Works: Inspecting the Agent Loop

Runtime protection targets the defining threat to local AI agents: prompt injection—malicious instructions hidden inside otherwise-legitimate content that an agent reads and then acts on. A single injected instruction can misuse agent access to exfiltrate data, modify code, or run harmful commands.

Defender inspects three key points in the agentic loop where content enters or leaves the agent’s reasoning:
– User prompt: The prompt submitted to the agent
– Pre-tool call: The tool invocation request before execution
– Post-tool response: The tool response after execution completes

This approach catches injection regardless of where the content originated—whether a file, a web page, a repository, or a tool’s output.

Example attack scenario: A coding agent fetches a project’s documentation to answer a question, and the page contains hidden text instructing the agent to read the local `.env` file and post its contents to an external URL. The agent treats the instruction as part of the page and is about to comply, but Defender detects the prompt injection in the tool response and blocks the action before any data leaves the device.

Runtime protection uses agent hooks—defined points in an agent’s execution where an external tool can inspect and act on the agent’s actions. Agents such as Claude Code and GitHub Copilot CLI expose these hook points. Each scan is a fast, inline check at one of these points rather than continuous monitoring, so the added latency is minimal.

Blocked and audited events appear as alerts in Microsoft Defender to support incident correlation and investigation workflows.

5. Investigating Runtime Protection Detections

When runtime protection generates an alert, security teams can investigate using the Microsoft Defender portal and advanced hunting with Kusto Query Language (KQL).

Viewing alerts in the Defender portal:

  • Navigate to Incidents & alerts > Alerts in the Microsoft Defender portal
  • Filter by Detection source: AI Agent Runtime Protection
  • Review alert details including the agent involved, device, user, and the specific action that was blocked or audited

Advanced hunting with KQL:

// Find all AI agent runtime protection events
AIAgentRuntimeProtectionEvents
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, AccountName, AgentName, 
ActionType, IsBlocked, PromptContent, ToolCall
| order by Timestamp desc

// Investigate prompt injection attempts by agent
AIAgentRuntimeProtectionEvents
| where IsBlocked == true
| summarize BlockedCount = count() by AgentName, DeviceName
| order by BlockedCount desc

// Correlate with user activity
AIAgentRuntimeProtectionEvents
| where ActionType == "PromptInjectionDetected"
| join kind=inner (IdentityLogonEvents) on AccountName
| project Timestamp, AccountName, DeviceName, AgentName, 
IsBlocked, PromptContent

AgentsInfo table (Preview):

The `AgentsInfo` advanced hunting table is now available in preview, providing a unified schema for agent inventory and governance across all agent types, including Copilot Studio, Microsoft Foundry, Microsoft 365 Copilot, third-party, and endpoint discovery agents. The legacy `AIAgentsInfo` table remains accessible until July 1, 2026; customers should update queries to use `AgentsInfo` before this date.

6. Linux and Cross-Platform Considerations

While the current preview focuses on Windows endpoints, organizations managing mixed environments should consider these complementary approaches:

Linux endpoint visibility: For Linux-based AI agents (e.g., Ollama running on Ubuntu, Claude Code CLI on RHEL), consider implementing:

 Monitor AI agent processes and network connections
sudo ps aux | grep -E "ollama|claude|copilot|codex"
sudo netstat -tunap | grep -E "ollama|claude"

Audit file access by AI agents
sudo auditctl -w /home/user/.env -p rwa -k ai_agent_access
sudo auditctl -w /etc/ -p r -k ai_agent_read

Review logs for suspicious activity
sudo journalctl -f -u ollama.service
sudo tail -f /var/log/syslog | grep -i "agent|ai|prompt"

Network-level protection: For environments where AI agents access external APIs:

 Windows: Block outbound traffic to known malicious domains via Defender
Add-MpPreference -ExclusionProcess "ai_agent.exe"  Exclude legitimate agents
 Use network protection to block suspicious connections
Set-MpPreference -EnableNetworkProtection Enabled
 Linux: Use iptables to restrict agent outbound access
sudo iptables -A OUTPUT -m owner --uid-owner aiuser -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner aiuser -d 10.0.0.0/8 -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner aiuser -j LOG --log-prefix "AI_AGENT_BLOCKED"

7. Operational Best Practices and Troubleshooting

Before enabling runtime protection:

  1. Verify device onboarding status in the Defender portal
  2. Ensure devices receive Beta platform updates: `Set-MpPreference -PlatformUpdatesChannel Beta`

3. Confirm supported agent installation and version compatibility

4. Review existing security policies for conflicts

Troubleshooting common issues:

| Issue | Resolution |

|-||

| `AiAgentProtection` not recognized | Update Defender Antivirus platform to latest version; enable Beta updates channel |
| No alerts generated in audit mode | Verify supported agent is installed and active; check agent hook compatibility |
| Blocking mode causes false positives | Switch to audit mode for 1-2 weeks; submit false positives to Microsoft |
| Performance impact on endpoints | Runtime protection uses inline checks with minimal latency; monitor CPU/memory usage |
| Agents not appearing in inventory | Confirm device is onboarded; check agent is in supported list; allow up to 24 hours for discovery |

Monitoring and reporting:

  • Use Microsoft Secure Score recommendations to track adoption
  • Review AI agent inventory regularly for unauthorized agents
  • Correlate runtime protection alerts with other Defender XDR signals
  • Export alerts via Microsoft Graph API for SIEM integration

What Undercode Say:

  • Key Takeaway 1: Microsoft Defender for Endpoint’s new local AI agent discovery and runtime protection capabilities address a critical security gap—organizations finally have visibility into the AI agents running on their Windows endpoints and the ability to block prompt injection attacks at the device level.

  • Key Takeaway 2: The phased deployment approach (Audit → Review → Block) is essential for successful adoption. Starting in audit mode allows security teams to understand agent behavior, tune policies, and identify false positives before enabling blocking mode in production.

  • Key Takeaway 3: Runtime protection’s inspection of user prompts, pre-tool calls, and post-tool responses represents a sophisticated approach to catching prompt injection regardless of content origin. This is particularly valuable for coding assistants that interact with external repositories, documentation, and APIs.

  • Key Takeaway 4: The `AgentsInfo` advanced hunting table provides a unified schema for agent inventory and governance, enabling security teams to correlate agent activity with other security signals and investigate incidents more effectively.

  • Key Takeaway 5: Organizations should treat AI agent security as an extension of their endpoint security strategy. Discovery and runtime protection are just the beginning—governance policies, conditional access, and regular agent inventory reviews should follow.

The introduction of local AI agent discovery and runtime protection in Microsoft Defender for Endpoint marks a significant milestone in enterprise AI security. As AI agents become ubiquitous across development, productivity, and automation workflows, the attack surface expands dramatically. Prompt injection, data exfiltration, and unauthorized tool execution are no longer theoretical risks—they are real threats that security teams must address. Microsoft’s approach of combining discovery with inline runtime protection provides a practical, scalable solution that integrates with existing endpoint security infrastructure. However, organizations must act deliberately, starting with audit mode, understanding agent behavior, and gradually rolling out blocking policies. The capabilities are currently in public preview and limited to Windows endpoints with Beta updates, but the trajectory is clear: AI agent security will become a foundational component of modern endpoint protection.

Prediction:

  • +1 The integration of AI agent runtime protection into Microsoft Defender for Endpoint will accelerate enterprise adoption of AI coding assistants and autonomous agents, as security teams gain the confidence that prompt injection attacks can be detected and blocked before causing damage.
  • +1 By Q4 2026, competitor endpoint protection platforms (CrowdStrike, SentinelOne, Trellix) will announce similar AI agent discovery and runtime protection capabilities, validating this as a must-have feature category.
  • -1 Organizations that fail to enable runtime protection or delay deployment will experience at least one significant prompt injection incident within 12 months, as attackers increasingly target AI agents as high-value entry points.
  • +1 The `AgentsInfo` advanced hunting table will become the foundation for a new category of AI governance and compliance tools, enabling security teams to enforce policies across all agent types in the organization.
  • -1 Early adopters who skip the audit phase and enable blocking mode directly will face operational disruption from false positives, potentially slowing overall adoption and creating resistance to AI agent security controls.
  • +1 Microsoft will expand runtime protection to macOS and Linux endpoints by mid-2027, recognizing the cross-platform nature of modern AI agent deployments.
  • +1 The ability to discover MCP server configurations alongside local agents will drive better visibility into agent-to-agent communication patterns, helping security teams map AI agent supply chains and dependencies.

▶️ Related Video (72% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Derkvanderwoude Microsoft – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky