Microsoft dropped its latest security update on June 30, packing a suite of features that signal a decisive shift toward agentic, AI-driven defense and cross-platform identity resilience. The update delivers agentic vulnerability scanning, local protection for AI agents inside Microsoft Defender, general availability of Entra Backup and Recovery, expanded cloud security for AWS and Google Cloud, and a unified identity risk scoring model. For security teams already overwhelmed by alert fatigue and sprawling hybrid environments, this release is less a routine patch and more a foundational realignment.
Agentic vulnerability scanning arrives in Defender
The standout addition is agentic vulnerability scanning – a capability that lets Defender for Endpoint operate with autonomous decision-making within defined guardrails. Instead of simply flagging known CVEs and waiting for a human analyst, the new scanning engine can triage, prioritize, and even recommend containment actions by chaining together threat intelligence, asset exposure data, and real-time attack surface analysis. During our briefing, Microsoft engineers stressed that the agentic engine is not a chatbot layered on top of existing scanners; it actively synthesizes signals across endpoints, identities, and cloud workloads to identify exploit chains that manual analysis would miss.
The agentic scanner leverages large language models fine-tuned on Microsoft’s internal incident response playbooks and trillions of security signals from the Microsoft Intelligent Security Graph. In a demo, the agent correlated a suspicious PowerShell script execution with an anomalous Entra ID privilege escalation and a newly discovered path traversal in a legacy web app – all within 90 seconds. It then proposed rolling back the privilege change and isolating the affected endpoint. A human analyst can approve, modify, or reject the action, but the system learns from each decision. This feedback loop is designed to slash mean time to respond (MTTR) for complex, multi-stage attacks.
Critically, the agent operates within a zero-trust framework. Microsoft enforces least-privilege execution for the scanning agent itself, meaning it cannot perform actions beyond its scoped permissions. Audit logs capture every step, and organisations can set boundaries such as "never delete production data" or "require human approval for lateral movement detection." This addresses the top concern of early testers who feared that an automated agent might inadvertently disrupt live systems.
The update also introduces agentic capabilities into Microsoft Security Copilot. Copilot can now invoke the scanning agent to run on-demand analysis, explain attack paths in natural language, and generate incident reports that map directly to regulatory frameworks. For shops that use Sentinel for SIEM, the agent feeds enriched alerts that drastically reduce false positives by correlating intent with technique.
Local AI-agent protection: defending the co-pilots
As enterprises deploy increasingly autonomous AI agents – from customer service bots to code-generation assistants – the attack surface has expanded. Microsoft Defender now includes dedicated protection for these local AI agents. The feature monitors inter-agent communication, API calls, data exfiltration attempts, and attempts to manipulate agent behaviour. It can detect when an agent is being prompted to leak secrets, execute untrusted code, or perform privilege escalation via software supply chain attacks.
Microsoft’s threat intelligence indicates that prompt injection and agent-hijacking attacks have grown 340% over the past year, often targeting development and operations agents that hold high-level credentials. The new protection uses a combination of semantic analysis, behavioural baselining, and sandboxed execution to spot anomalies. When the system identifies a rogue agent, it can automatically disable it and trigger an investigation.
Security operations teams will appreciate the integration with Microsoft Purview. Data classification labels are now read by the local agent protection layer, preventing agents from accessing or moving data that exceeds their clearance. This is a critical control for regulated industries that are deploying AI assistants in healthcare, finance, and legal contexts. The feature is available for Windows, macOS, and Linux endpoints, with agent coverage extending to Azure AI Studio and GitHub Copilot agents.
Entra Backup and Recovery reaches general availability
Entra Backup and Recovery, which has been in public preview since early 2025, is now generally available as part of the June update. This service provides automated, immutable backups of Entra ID tenant configurations, conditional access policies, security groups, and user attributes – essentially an insurance policy against ransomware, misconfiguration disasters, or insider threats that could lock an organisation out of its identity plane.
Restore capabilities are granular: organisations can roll back a single conditional access policy that was changed maliciously, or perform a full tenant restore to a point-in-time snapshot. Microsoft has embedded recovery testing directly into the Entra admin center, allowing IT admins to simulate restores without affecting production. The service supports geo-redundant storage across 15 Azure regions, with recovery point objectives (RPO) as low as 5 minutes and recovery time objectives (RTO) of under 30 minutes for common scenarios.
Pricing is bundled with Entra ID P2 licenses at no extra cost for up to 500 GB of backup data, which Microsoft claims covers 95% of its enterprise customers. Larger organisations can purchase additional storage. Gap analysis, a new dashboard feature, automatically compares current tenant configurations against Microsoft’s baseline security recommendations and highlights deviations that could indicate a compromise or accidental drift.
One design choice that stands out is air-gapped recovery. Entra Backup stores metadata that is cryptographically sealed and can only be accessed through a separate recovery console that requires multi-person approval. This is a direct response to recent high-profile identity attacks that exfiltrated both cloud resources and their backups by compromising a single super-admin account.
Extending security posture management to AWS and Google Cloud
Microsoft continues to expand its multi-cloud security posture management (CSPM) under the Defender for Cloud umbrella. The June update deepens support for AWS and Google Cloud, adding agentless vulnerability assessment, identity threat detection via federation, and full integration with Microsoft’s Exposure Management engine. Security teams can now view a unified risk map that spans Azure, AWS, and GCP assets, along with on-premises infrastructure.
For AWS, Defender for Cloud now ingests AWS CloudTrail data natively to correlate Entra ID identities with federated AWS IAM roles. This enables cross-cloud attack path analysis: for example, detecting when a compromised Entra ID service principal is used to escalate privileges in an AWS account via SAML federation. Google Cloud support includes Cloud Asset Inventory integration and the ability to scan GKE clusters for misconfigurations without installing agents.
Microsoft also introduced dynamic cloud risk sliders. Using its unified identity risk model (more below), an organisation can set risk-based access policies that block authentication attempts based on the real-time health of the entire cloud estate. A user accessing from a device that is showing signs of compromise will be denied across any federated cloud app, whether it runs on Azure, AWS, or GCP. Early adopters report that this has eliminated the need for manually maintaining firewall rules for each cloud provider.
Unified identity risk scoring ties the ecosystem together
The linchpin of this release is a new unified identity risk scoring engine that aggregates signals from Entra ID Protection, Defender for Endpoint, Defender for Cloud, and Microsoft Sentinel – and, crucially, from third-party identity providers such as Okta and PingFederate through a new risk API. Previously, risk scores were siloed: an Entra ID risk score did not consider endpoint vulnerabilities, and a Sentinel incident rarely carried identity context. The unified model changes that.
Real-time scoring uses a machine learning model trained on 65 trillion daily signals. It factors in user behaviour, device health, location, session risk, app sensitivity, and now also agentic behaviour – if an AI agent associated with a user exhibits suspicious activity, the user’s risk score rises. Scores range from 0 to 100, with thresholds configurable per Conditional Access policy. The system can auto-remediate by forcing password change, revoking sessions, or even disabling the user account if the score exceeds a critical threshold.
A new investigation experience shows a timeline of what triggered a risk change, making SOC audits straightforward. The API opens the door for custom risk automation; for example, a SOAR playbook could automatically isolate a server when its managing identity’s risk score jumps by 30 points. Early preview users report that the unified score has reduced time to triage high-severity incidents by 40% and has almost eliminated false positives that previously stemmed from mismatched risk signals.
What this means for Windows and enterprise security
The June 2026 update is a clear bet on agentic automation as the next frontier of security operations. By embedding AI agents that scan, protect, and recover, Microsoft is addressing the talent shortage that continues to plague the industry. For Windows environments specifically, the agentic vulnerability scanner can now identify misconfigurations in Windows registry keys, local group policies, and legacy Active Directory trusts that often serve as entry points for ransomware.
Windows 11 25H2 and Windows Server 2025 users will get these features delivered through cumulative updates that arrive with the June Patch Tuesday. The local AI-agent protection requires no additional installation on endpoints running Defender for Endpoint Plan 2, though organisations will need to enable agentic scanning selectively through the Microsoft 365 Defender portal.
Security analysts we spoke with welcome the innovation but urge caution. "The ability to let an AI suggest containment actions is powerful, but I worry about context blindness in highly customised environments," said a CISO from a mid-sized financial firm who tested the preview. Microsoft acknowledges this and provides a simulation mode that allows organisations to run the agent in audit-only for 60 days before enabling active response.
The expansion of Entra Backup and Recovery is less contentious. "This should have been available five years ago," said an identity architect from a large healthcare provider. "We spent months rebuilding a tenant after a mistake, and now we can recover in minutes." The air-gapped feature has drawn praise for its alignment with zero-trust principles, though some grumble about the additional MFA hoops required for recovery.
Integration and licensing
All features are included in Microsoft 365 E5 or the equivalent Defender and Entra suite plans. Entra Backup is part of Entra ID P2, and the agentic scanning requires Defender for Endpoint Plan 2. The unified identity risk API is available under an add-on license for organisations using third-party identity providers. Microsoft has published detailed TCO calculators that show a 60% reduction in administrative overhead for teams that adopt agentic automation, though those figures assume full adoption of the Microsoft security stack.
The road ahead
With this release, Microsoft establishes a template for what it calls "continuous autonomous defense" – a state where AI agents work alongside humans to predict, detect, and recover from threats in near real-time. The unified risk model, combined with multi-cloud visibility and locally protected AI agents, offers a compelling vision for security teams that are trying to keep pace with adversaries who are already weaponising AI.
Yet execution will determine success. Agentic features must earn trust through transparency and configurability. Early adopter feedback will be crucial in refining these tools before they become enabled by default by mid-2027, as Microsoft has indicated. For now, the June 2026 update is a substantial leap forward – one that redefines what a security update can accomplish.