+ Title: How to secure your business data with Microsoft 365 for business

+description: "Top 10 ways to protect your business from ransomware, phishing, and malicious URLs or attachments with Microsoft 365 for business."

+# How to secure your business data with Microsoft 365 for business

+> This article is designed for small and medium-sized businesses who have up to 300 users. If you're looking for information for enterprise organizations, see [Deploy ransomware protection for your Microsoft 365 tenant](../../solutions/ransomware-protection-microsoft-365.md).

+## Secure your business data

+| **Fortify your environment** <br/> (Tasks your admin completes.) | [**1. Sign in and set up your environment**](m365bp-setup-overview.md). Complete the basic setup process for Microsoft 365 for your business or campaign. Add users, assign licenses, and configure your domain to work with Microsoft 365.<br/><br/>[**2. Boost your security protection**](m365bp-security-overview.md). Set up critical front-line security measures to prevent cyberattacks. Set up multi-factor authentication (MFA), protect your admin accounts, and protect against malware and other threats. |

+4. In the top right of the page, find the **Preview on** control. Select **Preview on** so you can use all the controls described in [Boost your security protection for your campaign](m365bp-security-overview.md).

+Proceed to [boost your security protection](m365bp-security-overview.md).

+# Protect against malware and other cyberthreats

+## January 2023

+- **Default experience for Defender for Business when an enterprise plan is added**. Defender for Business now retains its default experience ([simplified configuration and setup](../security/defender-business/mdb-simplified-configuration.md)) even if an enterprise plan, such as [Defender for Endpoint Plan 2](../security/defender-endpoint/microsoft-defender-endpoint.md) or [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/plan-defender-for-servers) is added. To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](/microsoft-365/security/defender-business/mdb-faq?#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?

+ Title: "Boost your security protection with Microsoft 365 Business Premium"

+# Boost your security protection

+In this mission, you bump up your security defenses. You begin by enforcing multifactor authentication (MFA) requirements by using either security defaults or Conditional Access. You'll set up the different admin roles and specific levels of security for them. Admin account access is a high-value target for the enemy hackers, and protecting those accounts is critical because the access and control they provide can impact the entire system. And, you'll protect your email content and devices.

+Once you've achieved this objective, proceed to [boost your security protection](m365bp-security-overview.md).

+- Start with the [guided setup experience](m365bp-setup.md#guided-setup-process) for basic setup and configuration, and then proceed to [Boost your security protection](m365bp-security-overview.md); or

+**As soon as you've completed the guided setup process, proceed to [boost your security protection](m365bp-security-overview.md)**.

+Proceed to [Boost your security protection](m365bp-security-overview.md).

+|You activated the subscription by using a product key.| If the subscription was bought and activated by using a 25-character product key, you see the word "Prepaid" in the **Purchase channel** column of the **Your products** page. |See [Add licenses to a prepaid subscription by using a Microsoft 365 product key](#add-licenses-to-a-prepaid-subscription-by-using-a-microsoft-365-product-key). |

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Activity|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Activity type|Internal or external user|User ID that's logged|Organization logged in to|Forms user type|

+The following table lists events that result from using [sensitivity labels](sensitivity-labels.md) with sites and items that are managed by Microsoft Purview. Items include documents, emails, and calendar events. For auto-labeling policies, items also include files and schematized data assets in Microsoft Purview Data Map.

+|Friendly name|Operation|Description|

+|Applied sensitivity label to site|SiteSensitivityLabelApplied|A sensitivity label was applied to a SharePoint site or Teams site that isn't group-connected.|

+|Removed sensitivity label from site|SiteSensitivityLabelRemoved|A sensitivity label was removed from a SharePoint site or Teams site that isn't group-connected.|

+|Applied sensitivity label to file|FileSensitivityLabelApplied <br /><br> SensitivityLabelApplied|A sensitivity label was applied to an item by using Microsoft 365 apps, Office on the web, or an auto-labeling policy. <br /><br>The operations for this activity are different depending on how the label was applied:<br /> - Office on the web or an auto-labeling policy (FileSensitivityLabelApplied) <br /> - Microsoft 365 apps (SensitivityLabelApplied)|

+|Changed sensitivity label applied to file|FileSensitivityLabelChanged<br /><br>SensitivityLabelUpdated|A different sensitivity label was applied to an item. <br /><br>The operations for this activity are different depending on how the label was changed:<br /> - Office on the web or an auto-labeling policy (FileSensitivityLabelChanged) <br /> - Microsoft 365 apps (SensitivityLabelUpdated)|

+|Changed sensitivity label on a site|SiteSensitivityLabelChanged|A different sensitivity label was applied to a SharePoint site or Teams site that isn't group-connected.|

+|Removed sensitivity label from file|FileSensitivityLabelRemoved <br /><br> SensitivityLabelRemoved|A sensitivity label was removed from an item by using Microsoft 365 apps, Office on the web, an auto-labeling policy, or the [Unlock-SPOSensitivityLabelEncryptedFile](/powershell/module/sharepoint-online/unlock-sposensitivitylabelencryptedFile) cmdlet. <br /><br>The operations for this activity are different depending on how the label was removed:<br /> - Office on the web or an auto-labeling policy (FileSensitivityLabelRemoved) <br /> - Microsoft 365 apps (SensitivityLabelRemoved)|

+Additional auditing information for sensitivity labels:

+- When you use sensitivity labels for Microsoft 365 Groups, and therefore Teams sites that are group-connected, the labels are audited with group management in Azure Active Directory. For more information, see [Audit logs in Azure Active Directory](/azure/active-directory/reports-monitoring/concept-audit-logs).

+- When you use sensitivity labels for Teams meeting invites, and Teams meeting options and chat, see [Search the audit log for events in Microsoft Teams](/microsoftteams/audit-log-events).

+- When you use sensitivity labels with Power BI, see [Audit schema for sensitivity labels in Power BI](/power-bi/enterprise/service-security-sensitivity-label-audit-schema).

+- When you apply sensitivity labels by using the Azure Information Protection client or scanner, or the Microsoft Information Protection (MIP) SDK, see [Azure Information Protection audit log reference](/azure/information-protection/audit-logs).

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+|Friendly name|Operation|Description|

+| Detects documents that authorize the export or import of a good in a specific quantity from source to destination. This model categorizes different documents including Bill of Ladings, Certificate of Origin, Commercial Invoice, Export import customs declaration, Importer Security Filing (ISF). | Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt, .one, .pptx, .pptm, .ppt, .potx, .potm, .pot, .ppsx, .ppsm, .pps, .ppam, .ppa, .txt, .one files. | English |

+| Wire transfer is a method of electronic funds transfer from one person or entity to another. The model captures all the wire transfer receipts and acknowledgements. | Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt files. | English |

+| Compliance Administrator | Compliance Administrator | Purview compliance portal > Permissions > Purview solutions > Roles |

+| Information Protection Admin | Compliance Data Administrator | Purview compliance portal > Permissions > Purview solutions > Roles |

+You can access the contents of the inactive mailbox by using the Content Search tool in the Microsoft Purview compliance portal. For more information, see the [Feature reference for Content search](ediscovery-content-search-reference.md#searching-inactive-mailboxes) article.

+Please do not add protocol, e.g. https://, file:// into the URL. You can use a flexible syntax to include and exclude domains, subdomains, websites, and subsites in your website groups.

+- Sometimes a user may have an active mailbox and an inactive mailbox that have different SMTP addresses. In this case, only the specific mailbox that you select as a location for a content search is searched. In other words, if you add a user's mailbox to a search, you can't assume that both their active and inactive mailboxes are searched. Only the mailbox that you explicitly add to the search is searched.

+ #script begin

+ " "

+ write-host "***********************************************"

+ write-host "Security & Compliance Center " -foregroundColor yellow -backgroundcolor darkgreen

+ write-host "eDiscovery cases - Holds report " -foregroundColor yellow -backgroundcolor darkgreen

+ write-host "***********************************************"

+ " "

+

+ #prompt users to specify a path to store the output files

+ $time = get-date -Format dd-MM-yyyy_hh.mm

+ $Path = Read-Host 'Enter a folder path to save the report to a .csv file (filename is created automatically)'

+ $outputpath = $Path + '\' + 'CaseHoldsReport' + ' ' + $time + '.csv'

+ $noholdsfilepath = $Path + '\' + 'CaseswithNoHolds' + $time + '.csv'

+

+ #add case details to the csv file

+ function add-tocasereport {

+ Param([string]$casename,

+ [String]$casetype,

+ [String]$casestatus,

+ [datetime]$casecreatedtime,

+ [string]$casemembers,

+ [datetime]$caseClosedDateTime,

+ [string]$caseclosedby,

+ [string]$holdname,

+ [String]$Holdenabled,

+ [string]$holdcreatedby,

+ [string]$holdlastmodifiedby,

+ [string]$ExchangeLocation,

+ [string]$sharePointlocation,

+ [string]$ContentMatchQuery,

+ [datetime]$holdcreatedtime,

+ [datetime]$holdchangedtime,

+ [string]$holdstatus,

+ [string]$holderror

+ )

+

+ $addRow = New-Object PSObject

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Case name" -Value $casename

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Case type" -Value $casetype

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Case status" -Value $casestatus

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Case members" -Value $casemembers

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Case created time" -Value $casecreatedtime

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Case closed time" -Value $caseClosedDateTime

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Case closed by" -Value $caseclosedby

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Hold name" -Value $holdname

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Hold enabled" -Value $Holdenabled

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Hold created by" -Value $holdcreatedby

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Hold last changed by" -Value $holdlastmodifiedby

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Exchange locations" -Value $ExchangeLocation

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "SharePoint locations" -Value $sharePointlocation

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Hold query" -Value $ContentMatchQuery

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Hold created time (UTC)" -Value $holdcreatedtime

+ Add-Member -InputObject $addRow -MemberType NoteProperty -Name "Hold changed time (UTC)" -Value $holdchangedtime

+ Add-Member -InputObject $addrow -MemberType NoteProperty -Name "Hold Status" -Value $holdstatus

+ Add-Member -InputObject $addrow -MemberType NoteProperty -Name "Hold Error" -Value $holderror

+

+ $allholdreport = $addRow | Select-Object "Case name", "Case type", "Case status", "Hold name", "Hold enabled", "Case members", "Case created time", "Case closed time", "Case closed by", "Exchange locations", "SharePoint locations", "Hold query", "Hold created by", "Hold created time (UTC)", "Hold last changed by", "Hold changed time (UTC)", "Hold Status", "Hold Error"

+ $allholdreport | export-csv -path $outputPath -notypeinfo -append -Encoding ascii

+ }

+

+ #get information on the cases and pass values to the case report function

+ " "

+ write-host "Gathering a list of eDiscovery (Standard) cases and holds..."

+ " "

+ $edc = Get-ComplianceCase -ErrorAction SilentlyContinue

+ foreach ($cc in $edc) {

+ write-host "Working on case :" $cc.name

+ if ($cc.status -eq 'Closed') {

+ $cmembers = ((Get-ComplianceCaseMember -Case $cc.name).windowsLiveID) -join ';'

+ add-tocasereport -casename $cc.name -casetype $cc.casetype -casestatus $cc.Status -caseclosedby $cc.closedby -caseClosedDateTime $cc.ClosedDateTime -casemembers $cmembers

+ }

+ else {

+ $cmembers = ((Get-ComplianceCaseMember -Case $cc.name).windowsLiveID) -join ';'

+ $policies = Get-CaseHoldPolicy -Case $cc.Name | % { Get-CaseHoldPolicy $_.Name -Case $_.CaseId -DistributionDetail }

+ if ($policies -ne $NULL) {

+ foreach ($policy in $policies) {

+ $rule = Get-CaseHoldRule -Policy $policy.name

+ add-tocasereport -casename $cc.name -casetype $cc.casetype -casemembers $cmembers -casestatus $cc.Status -casecreatedtime $cc.CreatedDateTime -holdname $policy.name -holdenabled $policy.enabled -holdcreatedby $policy.CreatedBy -holdlastmodifiedby $policy.LastModifiedBy -ExchangeLocation (($policy.exchangelocation.name) -join ';') -SharePointLocation (($policy.sharePointlocation.name) -join ';') -ContentMatchQuery $rule.ContentMatchQuery -holdcreatedtime $policy.WhenCreatedUTC -holdchangedtime $policy.WhenChangedUTC -holdstatus $policy.DistributionStatus -holderror $policy.DistributionResults

+ }

+ }

+ else {

+ Write-Host "No hold policies found in case:" $cc.name -foregroundColor 'Yellow'

+ " "

+ [string]$cc.name | out-file -filepath $noholdsfilepath -append

+ }

+ }

+ }

+

+ #get information on the cases and pass values to the case report function

+ " "

+ write-host "Gathering a list of eDiscovery (Premium) cases and holds..."

+ " "

+ $edc = Get-ComplianceCase -CaseType Advanced -ErrorAction SilentlyContinue

+ foreach ($cc in $edc) {

+ write-host "Working on case :" $cc.name

+ if ($cc.status -eq 'Closed') {

+ $cmembers = ((Get-ComplianceCaseMember -Case $cc.name).windowsLiveID) -join ';'

+ add-tocasereport -casename $cc.name -casestatus $cc.Status -casetype $cc.casetype -caseclosedby $cc.closedby -caseClosedDateTime $cc.ClosedDateTime -casemembers $cmembers

+ }

+ else {

+ $cmembers = ((Get-ComplianceCaseMember -Case $cc.name).windowsLiveID) -join ';'

+ $policies = Get-CaseHoldPolicy -Case $cc.Name | % { Get-CaseHoldPolicy $_.Name -Case $_.CaseId -DistributionDetail }

+ if ($policies -ne $NULL) {

+ foreach ($policy in $policies) {

+ $rule = Get-CaseHoldRule -Policy $policy.name

+ add-tocasereport -casename $cc.name -casetype $cc.casetype -casemembers $cmembers -casestatus $cc.Status -casecreatedtime $cc.CreatedDateTime -holdname $policy.name -holdenabled $policy.enabled -holdcreatedby $policy.CreatedBy -holdlastmodifiedby $policy.LastModifiedBy -ExchangeLocation (($policy.exchangelocation.name) -join ';') -SharePointLocation (($policy.sharePointlocation.name) -join ';') -ContentMatchQuery $rule.ContentMatchQuery -holdcreatedtime $policy.WhenCreatedUTC -holdchangedtime $policy.WhenChangedUTC -holdstatus $policy.DistributionStatus -holderror $policy.DistributionResults

+

+ }

+ }

+ else {

+ write-host "No hold policies found in case:" $cc.name -foregroundColor 'Yellow'

+ " "

+ [string]$cc.name | out-file -filepath $noholdsfilepath -append

+ }

+ }

+ }

+

+ " "

+ Write-host "Script complete! Report files saved to this folder: '$Path'"

+ " "

+ #script end

+| Encrypted mail and attachment | Decryption to file | No | Yes |

+| File in SharePoint with MIP label | Search | No | Yes |

+> [!IMPORTANT]

+> eDiscovery (Standard) doesn't support legacy encryption protocols.

+> [!NOTE]

+> Review filters only support wildcards (? or *) on a single term. Using wildcards in searches on phrases that consist of multiple terms aren't supported.

+ > To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts when using the exporting API or when exporting to [Microsoft Purview eDiscovery solutions](/microsoft-365/compliance/ediscovery). Exported alerts will display usernames for each alert in this case. If you're exporting to CSV files from alerts or cases, anonymization *is* preserved.

+> To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts when using the exporting API or when exporting to [Microsoft Purview eDiscovery solutions](/microsoft-365/compliance/ediscovery). Exported alerts will display usernames for each alert in this case. If you're exporting to CSV files from alerts or cases, anonymization *is* preserved.

+|[Let users assign permissions: <br /> - Prompt users for custom permissions (users, groups, and organizations)](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions) |Preview: [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | Under review | Under review |

+|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Preview: [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Under review |

+- At least one of the following patterns:

+ - A keyword from Keyword_sin is found.

+ - A keyword from Keyword_sin_collaborative is found.

+- A keyword from Keyword_sin is found.

+ <!-- Canada Social Insurance Number -->

+ <Entity id="a2f29c85-ecb8-4514-a610-364790c0773e" patternsProximity="300" recommendedConfidence="75">

+ <Pattern confidenceLevel="85">

+ <Any minMatches="1">

+ </Pattern>

+ <Pattern confidenceLevel="75">

+ </Pattern>

+ </Entity>

+- NAS (case sensitive)

+- numéro d’assurance social

+- numéro d’assurance sociale

+- assurance social

+- carte dΓÇÖassurance sociale

+|U.S. GLBA: Scan content shared outside - low count <br/> | Content contains sensitive information: <br/> Credit Card Number - Min count 1, Max count 9 <br/> U.S. Bank Account Number - Min count 1, Max count 9 <br/> U.S. Individual Taxpayer Identification Number (ITIN) - Min count 1, Max count 9 <br/> U.S. Social Security Number (SSN) - Min count 1, Max count 9 <br/> Contains content matching any of the following trainable classifiers: <br/> Tax <br/> Finance <br/> Budget <br/> Content is shared with: <br/> People outside my organization <br/> |Send a notification <br/> |

+|U.S. GLBA: Scan content shared outside - high count <br/> | Content contains sensitive information: <br/> Credit Card Number - Min count 10, Max count 500 <br/> U.S. Bank Account Number - Min count 10, Max count 500 <br/> U.S. Individual Taxpayer Identification Number (ITIN) - Min count 10, Max count 500 <br/> U.S. Social Security Number (SSN) - Min count 10, Max count 500 <br/> Contains content matching any of the following trainable classifiers: <br/> Tax <br/> Finance <br/> Budget <br/> Content is shared with: <br/> People outside my organization <br/> | Block access to content <br/> Send a notification <br/> Allow override <br/> Require business justification <br/> Send incident report <br/> |

+|U.S. PII: Scan content shared outside - low count <br/> | Content contains sensitive information: <br/> U.S. Individual Taxpayer Identification Number (ITIN) - Min count 1, Max count 9 <br/> U.S. Social Security Number (SSN) - Min count 1, Max count 9 <br/> U.S. / U.K. Passport Number - Min count 1, Max count 9 <br/> Contains content matching any of the following trainable classifiers: <br/> HR <br/> Tax <br/> Invoice <br/> Healthcare <br/> Health/Medical Forms <br/> Employee disciplinary action files <br/> Legal affairs <br/> Agreements <br/> Content is shared with: <br/> People outside my organization <br/> |Send a notification <br/> |

+|U.S. PII: Scan content shared outside - high count <br/> | Content contains sensitive information: <br/> U.S. Individual Taxpayer Identification Number (ITIN) - Min count 10, Max count 500 <br/> U.S. Social Security Number (SSN) - Min count 10, Max count 500 <br/> U.S. / U.K. Passport Number - Min count 10, Max count 500 <br/> Contains content matching any of the following trainable classifiers: <br/> HR <br/> Tax <br/> Invoice <br/> Healthcare <br/> Health/Medical Forms <br/> Employee disciplinary action files <br/> Legal affairs <br/> Agreements <br/> Content is shared with: <br/> People outside my organization <br/> | Block access to content <br/> Send a notification <br/> Allow override <br/> Require business justification <br/> Send incident report <br/> |

+> [!div class="mx-tdCol2BreakAll"]

+> | Optimize URLs | Port/Protocol | Purpose |

+> | | | |

+> | <https://outlook.office365.com> | TCP 443 | This is one of the primary URLs Outlook uses to connect to its Exchange Online server and has a high volume of bandwidth usage and connection count. Low network latency is required for online features including: instant search, other mailbox calendars, free / busy lookup, manage rules and alerts, Exchange online archive, emails departing the outbox. |

+> | <https://outlook.office.com> | TCP 443 | This URL is used for Outlook Online Web Access to connect to Exchange Online server, and is sensitive to network latency. Connectivity is particularly required for large file upload and download with SharePoint Online. |

+> | `https://\<tenant\>.sharepoint.com` | TCP 443 | This is the primary URL for SharePoint Online and has high-bandwidth usage. |

+> | `https://\<tenant\>-my.sharepoint.com` | TCP 443 | This is the primary URL for OneDrive for Business and has high bandwidth usage and possibly high connection count from the OneDrive for Business Sync tool. |

+> | Teams Media IPs (no URL) | UDP 3478, 3479, 3480, and 3481 | Relay Discovery allocation and real-time traffic. These are the endpoints used for Skype for Business and Microsoft Teams Media traffic (calls, meetings, etc.). Most endpoints are provided when the Microsoft Teams client establishes a call (and are contained within the required IPs listed for the service). Use of the UDP protocol is required for optimal media quality. |

+The VPN client should be configured so that traffic to the **Optimize** IPs are routed in this way. This allows the traffic to utilize local Microsoft resources such as Microsoft 365 Service Front Doors [such as the Azure Front Door](https://azure.microsoft.com/blog/azure-front-door-service-is-now-generally-available/) that delivers Microsoft 365 services and connectivity endpoints as close to your users as possible. This allows us to deliver high performance levels to users wherever they are in the world and takes full advantage of [Microsoft's world class global network](https://azure.microsoft.com/blog/how-microsoft-builds-its-fast-and-reliable-global-network/), which is likely within a few milliseconds of your users' direct egress.

+ Title: "Optimize search requests in SharePoint Online modern site pages"

+recommendations: true

+audience: Admin

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+search.appverid:

+- SPO160

+- MET150

+- M365-collaboration

+- enabler-strategic

+- m365initiative-spsites

+description: "Learn how to optimize search requests for SharePoint portal pages."

+# Optimize search requests in SharePoint Online modern site pages

+SharePoint Online modern site pages contain links that load data from (or make calls to) from Search backend. The more search requests made by a page, the longer the page takes to load, and the longer the end user has to wait to get search results back.

+This article will help you understand how to determine the number and impact of search requests from your modern site pages and how to limit their effect on end user perceived latency.

+>[!NOTE]

+>For more information about performance in SharePoint Online modern portals, see [Performance in the modern SharePoint experience](/sharepoint/modern-experience-performance).

+## Use the Page Diagnostics for SharePoint tool to analyze search requests made on a page

+The Page Diagnostics for SharePoint tool is a browser extension for the new Microsoft Edge (https://www.microsoft.com/edge) and Chrome browsers that analyzes both SharePoint Online modern portal and classic publishing site pages. The tool provides a report for each analyzed page showing how the page performs against a defined set of performance criteria. To install and learn about the Page Diagnostics for SharePoint tool, visit [Use the Page Diagnostics tool for SharePoint Online](./page-diagnostics-for-spo.md).

+>[!NOTE]

+> The Page Diagnostics tool only works for SharePoint Online, and cannot be used on a SharePoint system page.

+When you analyze a SharePoint site page with the Page Diagnostics for SharePoint tool, you can see information about search requests in the **Number of search requests on a page** result in the Diagnostic tests pane. The line will appear in green if the site page contains fewer than the baseline number of search requests, and red if the page exceeds the baseline number.

+- Modern site pages should contain no more than **3** search requests

+Possible results include:

+- **Attention required** (red): The page exceeds the baseline number of search requests

+- **No action required** (green): The page contains fewer than the baseline number of search requests

+>[!NOTE]

+>The Page Diagnostics tool will only count non-cached search requests. To learn more about search requests caching please see the ΓÇ£**Remediate performance issues related to too many search requests on a page**ΓÇ¥ section below.

+If the **Search Requests to SharePoint** result appears in the **Attention required** section, you can click the result for details, including the total number of search requests on the page and a list of the originators of these search requests.

+**Attention Required**

+

+## Remediate performance issues related to too many search requests on a page

+If a page contains too many search requests, you can use the list of URLs in the **Search Requests to SharePoint** results to determine whether there are any repeated search calls and what web parts the search requests are coming from.

+**Using a cache** to store the results of a search request for all members of a selected group can improve the performance of a warm request by allowing the client to use the cached search results instead of making an additional search request for each subsequent page load.

+## Configure Events or Highlighted Content Web Parts to use caching of search results

+It is recommended to enable group-level caching of search requests on Events or Highlighted Content web parts, especially for popular home pages or on category pages that are starting points for navigating to more detailed pages. After being enabled, the web part will first look in the cache for existing search results that match the query and the security group(s). If it doesn't find any search results in the cache, it will look in the search index.

+1. Go to the site page that contains an Events or Highlighted Content web part and select **Edit**.

+2. Select the Events or Highlighted Content web part and then select **Edit web part** :::image type="icon" source="../media/modern-portal-optimization/edit-web-part-icon.png":::

+3. In the web part settings pane, scroll to the **Group-level caching** setting.

+4. Specify the security group(s) by entering a group name or email. The search results will be cached for all users who belong to the same security group(s) and improve page performance.

+ 

+5. Republish your SharePoint site page.

+>[!NOTE]

+>Please see the articles on [Events](https://support.microsoft.com/office/5fe4da93-5fa9-4695-b1ee-b0ae4c981909) and [Highlighted Content](https://support.microsoft.com/office/e34199b0-ff1a-47fb-8f4d-dbcaed329efd) web parts for more information.

+## Related topics

+[Tune SharePoint Online performance](tune-sharepoint-online-performance.md)

+[Tune Office 365 performance](tune-microsoft-365-performance.md)

+[Performance in the modern SharePoint experience](/sharepoint/modern-experience-performance)

+[Content delivery networks](content-delivery-networks.md)

+[Use the Office 365 Content Delivery Network (CDN) with SharePoint Online](use-microsoft-365-cdn-with-spo.md)

+- **A CSV file that defines the teams you're creating**. This file must have a title line, and must contain these required columns, in the following order, starting with the first column:

+- **A CSV file that maps the users you're adding to each team**. This file must have a title line, and must contain these required columns, in the following order, starting with the first column:

+Watch the following video for an overview of the virtual appointments experience in Teams:

+1. In the left navigation of the [Microsoft 365 admin center](https://admin.microsoft.com/), choose **Setup**. Go to the **Apps and email** section, and then under **Get your frontline workforce up and running**, select **Video**. Here, you can learn more about the capabilities that Microsoft 365 for frontline workers offers.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4TQop]

+With Microsoft 365 A3, A5, E3, E5, F1, F3, Business Basic, Business Standard, and Business Premium licenses, you can use basic Virtual Appointments capabilities that make it easy to schedule and join business-to-customer meetings. For example, you can schedule appointments in the Bookings calendar and external attendees can [join through a browser](browser-join.md) without having to download Teams. [Teams Premium](/microsoftteams/teams-add-on-licensing/licensing-enhance-teams) (Preview) unlocks advanced Virtual Appointments capabilities that your organization can use to manage and personalize the experience. These include a queue view of scheduled and on-demand appointments, SMS text notifications, custom waiting rooms, and analytics.

+## Week of January 16, 2023

+| Published On |Topic title | Change |

+|||--|

+| 1/18/2023 | [Audit log activities](/microsoft-365/compliance/audit-log-activities?view=o365-worldwide) | modified |

+| 1/18/2023 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install?view=o365-worldwide) | modified |

+| 1/18/2023 | [Allow or block email using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide) | modified |

+| 1/18/2023 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure?view=o365-worldwide) | modified |

+| 1/18/2023 | [Allow or block URLs using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure?view=o365-worldwide) | modified |

+| 1/18/2023 | [Create assessment templates in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-templates-create?view=o365-worldwide) | modified |

+| 1/18/2023 | [Modify assessment templates in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-templates-modify?view=o365-worldwide) | modified |

+| 1/18/2023 | [Reduce the attack surface for Microsoft Teams](/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide) | added |

+| 1/18/2023 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-perf?view=o365-worldwide) | modified |

+| 1/18/2023 | [Deploy and manage using Intune](/microsoft-365/security/defender-endpoint/deploy-and-manage-using-intune?view=o365-worldwide) | modified |

+| 1/18/2023 | [Sign up for Microsoft 365 Business Premium](/microsoft-365/business-premium/get-microsoft-365-business-premium?view=o365-worldwide) | modified |

+| 1/18/2023 | [Security defaults and Conditional Access](/microsoft-365/business-premium/m365bp-conditional-access?view=o365-worldwide) | modified |

+| 1/18/2023 | [Working with device groups in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-device-groups-mdb?view=o365-worldwide) | modified |

+| 1/18/2023 | [Get started with the Microsoft Service Trust Portal](/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide) | modified |

+| 1/19/2023 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-worldwide) | modified |

+| 1/19/2023 | [Learn about Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about?view=o365-worldwide) | modified |

+| 1/19/2023 | [Reduce the attack surface for Microsoft Teams](/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide) | modified |

+| 1/20/2023 | [Add more SharePoint storage to your subscription](/microsoft-365/commerce/add-storage-space?view=o365-worldwide) | modified |

+| 1/20/2023 | [Optimize search requests in SharePoint Online modern site pages](/microsoft-365/enterprise/modern-search-optimization?view=o365-worldwide) | added |

+| 1/20/2023 | [Deploy Microsoft Defender for Endpoint on Linux with SaltStack](/microsoft-365/security/defender-endpoint/linux-install-with-saltack?view=o365-worldwide) | added |

+| 1/20/2023 | [Implementing VPN split tunneling for Microsoft 365](/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel?view=o365-worldwide) | modified |

+| 1/20/2023 | [Requirements for Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-requirements?view=o365-worldwide) | modified |

+| 1/20/2023 | [Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified |

+| 1/20/2023 | [Take response actions on a file in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-worldwide) | modified |

+| 1/18/2023 | [Audit log activities](/microsoft-365/compliance/audit-log-activities?view=o365-worldwide) | modified |

+| 1/18/2023 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install?view=o365-worldwide) | modified |

+| 1/18/2023 | [Allow or block email using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide) | modified |

+| 1/18/2023 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure?view=o365-worldwide) | modified |

+| 1/18/2023 | [Allow or block URLs using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure?view=o365-worldwide) | modified |

+| 1/18/2023 | [Create assessment templates in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-templates-create?view=o365-worldwide) | modified |

+| 1/18/2023 | [Modify assessment templates in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-templates-modify?view=o365-worldwide) | modified |

+| 1/18/2023 | [Reduce the attack surface for Microsoft Teams](/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide) | added |

+| 1/18/2023 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-perf?view=o365-worldwide) | modified |

+| 1/18/2023 | [Deploy and manage using Intune](/microsoft-365/security/defender-endpoint/deploy-and-manage-using-intune?view=o365-worldwide) | modified |

+| 1/18/2023 | [Sign up for Microsoft 365 Business Premium](/microsoft-365/business-premium/get-microsoft-365-business-premium?view=o365-worldwide) | modified |

+| 1/18/2023 | [Security defaults and Conditional Access](/microsoft-365/business-premium/m365bp-conditional-access?view=o365-worldwide) | modified |

+| 1/18/2023 | [Working with device groups in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-device-groups-mdb?view=o365-worldwide) | modified |

+| 1/18/2023 | [Get started with the Microsoft Service Trust Portal](/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide) | modified |

+| 1/19/2023 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-worldwide) | modified |

+| 1/19/2023 | [Learn about Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about?view=o365-worldwide) | modified |

+| 1/19/2023 | [Reduce the attack surface for Microsoft Teams](/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide) | modified |

+| 1/20/2023 | [Add more SharePoint storage to your subscription](/microsoft-365/commerce/add-storage-space?view=o365-worldwide) | modified |

+| 1/20/2023 | [Optimize search requests in SharePoint Online modern site pages](/microsoft-365/enterprise/modern-search-optimization?view=o365-worldwide) | added |

+| 1/20/2023 | [Deploy Microsoft Defender for Endpoint on Linux with SaltStack](/microsoft-365/security/defender-endpoint/linux-install-with-saltack?view=o365-worldwide) | added |

+| 1/20/2023 | [Implementing VPN split tunneling for Microsoft 365](/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel?view=o365-worldwide) | modified |

+| 1/20/2023 | [Requirements for Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-requirements?view=o365-worldwide) | modified |

+| 1/20/2023 | [Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified |

+| 1/20/2023 | [Take response actions on a file in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-worldwide) | modified |

+In addition, each MSP customer tenant must meet the following requirements to be actively monitored and managed in Lighthouse:

+- Must have delegated access set up for the Managed Service Provider (MSP) to be able to manage the customer tenant

+ > [!NOTE]

+ > Either Granular Delegated Admin Privileges (GDAP) or a Delegated Admin Privileges (DAP) relationship is required to onboard customers to Lighthouse. An indirect reseller relationship is no longer required to onboard to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups.

+- Must reside in the same geographic region (Americas, European Union, or Asia plus Australia) as the partner organization that manages them

+Customer tenants that don't meet these requirements will have access to only a limited set of experiences in Lighthouse, including GDAP setup and management, user search, user details, tenant tagging, and service health.

+> - Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers) to onboard your servers. To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?

+> If you're planning to onboard an instance of Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business-servers.md). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?

+(<a id="fn2">2</a>) To onboard servers, we recommend using [Microsoft Defender for Business servers](get-defender-business-servers.md). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions?](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions) and [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+###### [Saltstack based deployment](linux-install-with-saltack.md)

+Microsoft Defender for Endpoint on Android, which already protects enterprise users on Mobile Device Management (MDM) scenarios, now extends support to Mobile App Management (MAM), for devices that are not enrolled using Intune mobile device management (MDM). It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for mobile application management (MAM). This capability allows you to manage and protect your organization's data within an application.

+Microsoft Defender for Endpoint on Android supports both the configurations of MAM.

+- **Validate that the Microsoft Defender for Endpoint-Intune connector is enabled**.

+ b. Select **Settings > Endpoints > Advanced Features > Microsoft Intune Connection** is turned on.

+ :::image type="content" source="images/enable-intune-connection.png" alt-text="The Advanced features section in the Microsoft 365 Defender portal." lightbox="images/enable-intune-connection.png":::

+ :::image type="content" source="images/validate-intune-connector.png" alt-text="The intune-connector status pane in the Microsoft 365 Defender portal." lightbox="images/validate-intune-connector.png":::

+- **Enable Microsoft Defender for Endpoint on Android Connector for App Protection Policy (APP)**.

+ :::image type="content" source="images/app-settings.png" alt-text="The application settings pane in the Microsoft 365 Defender portal." lightbox="images/app-settings.png":::

+- **Create an app protection policy**.

+ Block access or wipe data of a managed app based on Microsoft Defender for Endpoint risk signals by creating an app protection policy.

+ Microsoft Defender for Endpoint can be configured to send threat signals to be used in app protection policies (APP, also known as MAM). With this capability, you can use Microsoft Defender for Endpoint to protect managed apps.

+ 1. Create a policy.

+ App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.

+ :::image type="content" source="images/create-policy.png" alt-text="The Create policy tab in the App protection policies page in the Microsoft 365 Defender portal." lightbox="images/create-policy.png":::

+ 2. Add apps.

+

+ a. Choose how you want to apply this policy to apps on different devices. Then add at least one app.

+ Use this option to specify whether this policy applies to unmanaged devices. In Android, you can specify the policy applies to Android Enterprise, Device Admin, or Unmanaged devices. You can also choose to target your policy to apps on devices of any management state.

+ b. Select Apps.

+ A managed app is an app that has app protection policies applied to it, and can be managed by Intune. Any app that has been integrated with the [Intune SDK](/mem/intune/developer/app-sdk) or wrapped by the [Intune App Wrapping Tool](/mem/intune/developer/apps-prepare-mobile-application-management) can be managed using Intune app protection Policies. See the official list of [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps) that have been built using these tools and are available for public use.

+ *Example: Outlook as a managed app*

+ :::image type="content" source="images/managed-app.png" alt-text="The Public apps pane in the Microsoft 365 Defender portal." lightbox="images/managed-app.png":::

+ 3. Set sign-in security requirements for your protection policy.

+ Select **Setting > Max allowed device threat level** in **Device Conditions** and enter a value. Then select **Action: "Block Access"**. Microsoft Defender for Endpoint on Android shares this Device Threat Level.

+ :::image type="content" source="images/conditional-launch.png" alt-text="The Device conditions pane in the Microsoft 365 Defender portal" lightbox="images/conditional-launch.png":::

+

+- **Assign user groups for whom the policy needs to be applied.**

+ :::image type="content" source="images/assignment.png" alt-text="The Included groups pane in the Microsoft 365 Defender portal." lightbox="images/assignment.png":::

+- The broker app must be installed.

+- Users have the required licenses for the managed app and have the app installed.

+4. Install the Microsoft Defender for Endpoint (Mobile) app and launch back Managed app onboarding screen.

+ :::image type="content" source="images/download-mde.png" alt-text="The illustrative pages that contain the procedure of downloading MDE and launching back the app-onboarding screen." lightbox="images/download-mde.png":::

+5. Click **Continue > Launch**. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You will automatically be redirected back to Managed app onboarding screen, which now indicates that the device is healthy.

+## Configure Network Protection

+1. In Microsoft Endpoint Manager Admin center, navigate to **Apps > App configuration policies**. Create a new App configuration policy. Click Managed Apps.

+2. Provide a name and description to uniquely identify the policy. Target the policy to **'Selected apps'** and search for **'Microsoft Defender Endpoint for Android'**. Click the entry and then click **Select** and then **Next**.

+3. Add the key and value from the table below. Ensure that the **ΓÇ£DefenderMAMConfigsΓÇ¥** key is present in every policy that you create using Managed Apps route. For Managed Devices route, this key should not exist. When you are done, click **Next**.

+ | Key | Value Type | Default (true-enable, false-disable) | Description |

+ | | | | |

+ | `DefenderNetworkProtectionEnable` | Integer | 0 | 1 - Enable , 0 - Disable ; This setting is used by IT admins to enable or disable the network protection capabilities in the defender app|

+ |`DefenderAllowlistedCACertificates`| String | None | None-Disable; This setting is managed by an admin to establish trust for root CA and self signed certificates.|

+ |`DefenderCertificateDetection`|Integer| 1 |0 - Disable , 1 - Audit mode , 2 - Enable ; When network protection is enabled, Audit mode for certificate detection is enabled by default. In audit mode, notification alerts are sent to SOC admins, but no end user notifications are displayed to the user when Defender detects a bad certificate. Admins can disable this detection with 0 as the value and enable full feature functionality by setting 2 as the value. When this feature is enabled with value as 2, end user notifications are sent to the user when Defender detects a bad certificate. Alerts are also sent to SOC Admins. |

+ | `DefenderOpenNetworkDetection` | Integer | 0 | 1 - enable, 0 - disable; This setting is managed by IT Admins to enable or disable open network detection informational alerts with no end user detection experience. |

+ | `DefenderEndUserTrustFlowEnable` | String | false | true - enable, false - disable; This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks. |

+ | `DefenderNetworkProtectionAutoRemediation` | String | true | true - enable, false - disable; This setting is used by the IT admin to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer Wi-Fi access points or deleting suspicious certificates detected by Defender. |

+ | `DefenderNetworkProtectionPrivacy` | String | true | true - enable, false - disable; This setting is managed by IT admins to enable or disable privacy in network protection. |

+

+4. Include or exclude the groups you want the policy to apply to. Proceed to review and submit the policy.

+1. Give the policy a **name**.

+1. Under the Select Public Apps, choose **Microsoft Defender for Endpoint** as the target app.

+1. In Settings page, under the General Configuration Settings add **DefenderExcludeURLInReport**, **DefenderExcludeAppInReport** as the keys and value as true.

+1. Assign this policy to users. By default, this value is set to false.

+1. Review and create the policy.

+1. Give the policy a **name**.

+1. Select **Microsoft Defender for Endpoint** in public apps.

+1. In Settings page, select **Use configuration designer** and **DefenderOptionalVPN** or **DefenderOptionalAccessibility** or **both** as the key and value type as Boolean.

+1. To enable Optional permissions, enter value as **true** and assign this policy to users. By default, this value is set to false.

+For users with key set as true, the users will be able to onboard the app without giving these permissions.

+1. Select **Next** and assign this profile to targeted devices/users.

+> [!NOTE]

+Before you get started with Printer protection, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=3). To access and use Printer Protection through group policy, you must have Microsoft 365 E5.

+3. Create one XML file for printer group(s):

+ Use the properties in printer group to create one XML file for the printer group(s), save the XML file to network share, and define the setting as follows:

+ Take a look at the **Overview** > **Group**. You can create different group types. Here's one group example XML file for any network printer and USB printer and PDF/XPS printer group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Groups.xml).

+ Use the properties in printer protection policy rule(s) to create an XML for each group's printer access policy rule, save the XML file to network share, and deliver the setting as follows:

+ Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's one [example XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Policies.xml).

+ If you want to have a copy of the file (evidence) when Print access happens, set right **Options** in your Printer protection policy rule in the XML file, and then specify the location where system can save the copy.

+Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Printer Protection. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer.

+Allows to print only through approved USB printer when machine is in corporate network, VPN connected, or print through PDF/XPS file.

+ :::image type="content" source="media/screenshot-of-removable-storage.png" alt-text="This is the screenshot of removable of storage." lightbox="media/screenshot-of-removable-storage.png":::

+ Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Groups.xml). See step 3 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration.

+ :::image type="content" source="media/block-write-execute-access.png" alt-text="This is block write access screenshot." lightbox="media/block-write-execute-access.png":::

+ Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Policies.xml). See step 4 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration.

+| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Allow** happens and the AuditAllowed is setting configured, the system won't send event. <p>8: create a copy of the file as evidence, and fire "RemovableStorageFileEvent" event, this has to be used together with 'Set location for a copy of the file' setting through Intune or Group Policy. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system won't show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event |

+//RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement

+//information of the evidence file

+- sinceTime (required): The start time from which you want to see data changes. Vulnerability management generates data on new and updated vulnerabilities every 6 hours. The data returned will include all the changes captured in the 6 hour period the specified sinceTime falls into, along with the changes in any subsequent 6 hour periods up to and including the most recently generated data.

+ Title: Deploy Microsoft Defender for Endpoint on Linux with SaltStack

+description: Describes how to deploy Microsoft Defender for Endpoint on Linux using Saltstack.

+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, saltstack, linux, redhat, ubuntu, debian, sles, suse, centos, fedora, amazon linux 2

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier3

+search.appverid: met150

+# Deploy Microsoft Defender for Endpoint on Linux with Saltstack

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink)

+This article describes how to deploy Defender for Endpoint on Linux using Saltstack. A successful deployment requires the completion of all of the following tasks:

+- [Download the onboarding package](#download-the-onboarding-package)

+- [Create Saltstack state files](#create-saltstack-state-files)

+- [Deployment](#deployment)

+- [References](#references)

+## Prerequisites and system requirements

+Before you get started, see [the main Defender for Endpoint on Linux page](microsoft-defender-endpoint-linux.md) for a description of prerequisites and system requirements for the current software version.

+In addition, for Saltstack deployment, you need to be familiar with Saltstack administration, have Saltstack installed, have configured the Master and Minions, and know how to apply states. Saltstack has many ways to complete the same task. These instructions assume availability of supported Saltstack modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Saltstack documentation](https://docs.saltproject.io/) for details.

+- Saltstack needs to be installed on at least one computer (Saltstack calls the computer as the master).

+- The Saltstack master must have accepted the managed nodes (Saltstack calls the nodes as minions) connections.

+- The Saltstack minions must be able to resolve communication to the Saltstack master (be default the minions try to communicate with a machine named 'salt').

+- Rung this ping test:

+ ```bash

+ sudo salt '*' test.ping

+ ```

+- The Saltstack master has a file server location where the Microsoft Defender for Endpoint files can be distributed from (by default Saltstack uses the /srv/salt folder as the default distribution point)

+## Download the onboarding package

+Download the onboarding package from Microsoft 365 Defender portal:

+1. In Microsoft 365 Defender portal, go to **Settings > Endpoints > Device management > Onboarding**.

+2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.

+3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.

+ :::image type="content" source="images/portal-onboarding-linux-2.png" alt-text="The Download onboarding package option" lightbox="images/portal-onboarding-linux-2.png":::

+4. On the SaltStack Master, extract the contents of the archive to the SaltStack Server's folder (typically `/srv/salt`):

+ ```bash

+ ls -l

+ ```

+ ```Output

+ total 8

+ -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip

+ ```

+ ```bash

+ unzip WindowsDefenderATPOnboardingPackage.zip -d /srv/salt/mde

+ ```

+ ```Output

+ Archive: WindowsDefenderATPOnboardingPackage.zip

+ inflating: /srv/salt/mde/mdatp_onboard.json

+ ```

+## Create Saltstack state files

+Create a SaltState state file in your configuration repository (typically `/srv/salt`) that applies the necessary states to deploy and onboard Defender for Endpoint.

+- Add the Defender for Endpoint repository and key, `install_mdatp.sls`:

+ Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.

+ The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.

+ In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.

+ > [!WARNING]

+ > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.

+ Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/[distro]/`.

+ In the following commands, replace *[distro]* and *[version]* with the information you've identified.

+ > [!NOTE]

+ > In case of Oracle Linux and Amazon Linux 2, replace *[distro]* with "rhel". For Amazon Linux 2, replace *[version]* with "7". For Oracle utilize, replace *[version]* with the version of Oracle Linux.

+ ```bash

+ cat /srv/salt/install_mdatp.sls

+ ```

+ ```output

+ add_ms_repo:

+ pkgrepo.managed:

+ - humanname: Microsoft Defender Repository

+ {% if grains['os_family'] == 'Debian' %}

+ - name: deb [arch=amd64,armhf,arm64] https://packages.microsoft.com/[distro]/[version]/[channel] [codename] main

+ - dist: [codename]

+ - file: /etc/apt/sources.list.d/microsoft-[channel].list

+ - key_url: https://packages.microsoft.com/keys/microsoft.asc

+ - refresh: true

+ {% elif grains['os_family'] == 'RedHat' %}

+ - name: packages-microsoft-[channel]

+ - file: microsoft-[channel]

+ - baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/

+ - gpgkey: https://packages.microsoft.com/keys/microsoft.asc

+ - gpgcheck: true

+ {% endif %}

+ ```

+- Add the package installed state to `install_mdatp.sls` after the `add_ms_repo` state defined above

+ ```Output

+ install_mdatp_package:

+ pkg.installed:

+ - name: matp

+ - required: add_ms_repo

+ ```

+- Add the onboarding file deployment to `install_mdatp.sls` after the `install_mdatp_package` state defined above

+ ```Output

+ copy_mde_onboarding_file:

+ file.managed:

+ - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json

+ - source: salt://mde/mdatp_onboard.json

+ - required: install_mdatp_package

+ ```

+ The completed install state file should look similar to this:

+ ```Output

+ add_ms_repo:

+ pkgrepo.managed:

+ - humanname: Microsoft Defender Repository

+ {% if grains['os_family'] == 'Debian' %}

+ - name: deb [arch=amd64,armhf,arm64] https://packages.microsoft.com/[distro]/[version]/prod [codename] main

+ - dist: [codename]

+ - file: /etc/apt/sources.list.d/microsoft-[channel].list

+ - key_url: https://packages.microsoft.com/keys/microsoft.asc

+ - refresh: true

+ {% elif grains['os_family'] == 'RedHat' %}

+ - name: packages-microsoft-[channel]

+ - file: microsoft-[channel]

+ - baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/

+ - gpgkey: https://packages.microsoft.com/keys/microsoft.asc

+ - gpgcheck: true

+ {% endif %}

+ install_mdatp_package:

+ pkg.installed:

+ - name: matp

+ - required: add_ms_repo

+

+ copy_mde_onboarding_file:

+ file.managed:

+ - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json

+ - source: salt://mde/mdatp_onboard.json

+ - required: install_mdatp_package

+ ```

+Create a SaltState state file in your configuration repository (typically `/srv/salt`) that applies the necessary states to offboard and remove Defender for Endpoint. Before using the offboarding state file, you'll need to download the offboading package from the Security portal and extract it in the same way you did the onboarding package. The downloaded offboarding package is only valid for a limited period of time.

+- Create an Uninstall state file `uninstall_mdapt.sls` and add the state to remove the `mdatp_onboard.json` file

+ ```bash

+ cat /srv/salt/uninstall_mdatp.sls

+ ```

+ ```Output

+ remove_mde_onboarding_file:

+ file.absent:

+ - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json

+ ```

+- Add the offboarding file deployment to the `uninstall_mdatp.sls` file after the `remove_mde_onboarding_file` state defined in the previous section

+ ```Output

+ offboard_mde:

+ file.managed:

+ - name: /etc/opt/microsoft/mdatp/mdatp_offboard.json

+ - source: salt://mde/mdatp_offboard.json

+ ```

+- Add the removal of the MDATP package to the `uninstall_mdatp.sls` file after the `offboard_mde` state defined in the previous section

+ ```Output

+ remove_mde_packages:

+ pkg.removed:

+ - name: mdatp

+ ```

+ The complete uninstall state file should look similar to the following output:

+

+ ```Output

+ remove_mde_onboarding_file:

+ file.absent:

+ - name: /etc/opt/microsoft/mdatp/mdatp_onboard.json

+ offboard_mde:

+ file.managed:

+ - name: /etc/opt/microsoft/mdatp/mdatp_offboard.json

+ - source: salt://mde/offboard/mdatp_offboard.json

+ remove_mde_packages:

+ pkg.removed:

+ - name: mdatp

+ ```

+## Deployment

+Now apply the state to the minions. The below command will apply the state to machines with the name that begins with `mdetest`.

+- Installation:

+ ```bash

+ salt 'mdetest*' state.apply install_mdatp

+ ```

+ > [!IMPORTANT]

+ > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes.

+- Validation/configuration:

+ ```bash

+ salt 'mdetest*' cmd.run 'mdatp connectivity test'

+ ```

+ ```bash

+ salt 'mdetest*' cmd.run 'mdatp health'

+ ```

+- Uninstallation:

+ ```bash

+ salt 'mdetest*' state.apply uninstall_mdatp

+ ```

+## Log installation issues

+See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.

+## Operating system upgrades

+When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint on Linux, install the upgrade, and finally reconfigure Defender for Endpoint on Linux on your device.

+## References

+- [Add or remove YUM repositories](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/yum_repository_module.html)

+- [Manage packages with the dnf package manager](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/dnf_module.html)

+- [Add and remove APT repositories](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/apt_repository_module.html)

+- [Manage apt-packages](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/apt_module.html)

+## See also

+- [Investigate agent health issues](health-status.md)

+#### Unmonitor Filesystems

+Configure filesystems to be unmonitored/excluded from Real Time Protection. The filesystems configured will be validated against Microsoft Defender's list of permitted filesystems that can be unmonitored. By default NFS and Fuse are unmonitored from RTP and Quick and Full scans.

+|Description|Value|

+|||

+|**Key**|unmonitoredFilesystems|

+|**Data type**|Array of strings|

+ "unmonitoredFilesystems": ["nfs"],

+ - New config, unmonitoredFilesystems, can be used to unmonitor certain filesystems.

+- While upgrading mdatp to version 101.94.13, you may notice that health is false, with health_issues as "no active supplementary event provider". This may happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines needs to be fixed. Following steps can help you to identify such auditd rules (These commands needs to be run as super user). Please take backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures.

+```bash

+echo -c >> /etc/audit/rules.d/audit.rules

+augenrules --load

+```

+> [!NOTE]

+> Microsoft Defender for Endpoint no longer supports macOS Catalina (10.15) as Apple ended support for Catalina (10.15) in December 2022.

+Apple has fixed an issue on macOS [Ventura upgrade](<https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes>), which is fixed with the latest OS update. The issue impacts Microsoft Defender for Endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly.<br>

+<br>

+**Catalina Deprecation**<br>

+Microsoft Defender for Endpoint no longer supports macOS Catalina (10.15) as Apple ended support for Catalina (10.15) in December 2022.

+</br>

+|lastSeen|DateTimeOffset|Time and date of the last received full device report. A device typically sends a full report every 24 hours. <br> NOTE: This property does not correspond to the lastseen value in the UI. It is pertains to the last device update.|

+### November-2022 (Platform: 4.18.2211.5 | Engine: 1.1.19900.2)

+- Security intelligence update version: **1.381.144.0**

+- Release date: **December 8, 2022**

+- Platform: **4.18.2211.5**

+- Engine: **1.1.19900.2**

+- Support phase: **Security and Critical Updates**

+#### What's new

+#### Known Issues

+### October-2022 (Platform: 4.18.2210.6 | Engine: 1.1.19800.4)

+- Security intelligence update version: **1.379.4.0**

+- Release date: **November 10, 2022**

+- Platform: **4.18.2210.6**

+- Engine: **1.1.19800.4**

+- Support phase: **Security and Critical Updates**

+#### What's new

+#### Known Issues

+### September-2022 (Platform: 4.18.2209.7 | Engine: 1.1.19700.3)

+- Security intelligence update version: **1.377.8.0**

+- Release date: **October 10, 2022**

+- Platform: **4.18.2209.7**

+- Engine: **1.1.19700.3**

+- Support phase: **Security and Critical Updates**

+#### What's new

+#### Known Issues

+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.

+#### August-2022 (Platform: 4.18.2207.7 | Engine: 1.1.19600.3)

+- Security intelligence update version: **1.373.1647.0**

+- Release date: **September 6, 2022**

+- Platform: **4.18.2207.7**

+- Engine: **1.1.19600.3**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known Issues

+#### July-2022 (Platform: 4.18.2207.5 | Engine: 1.1.19500.2)

+- Security intelligence update version: **1.373.219.0**

+- Release date: **August 15, 2022**

+- Platform: **4.18.2207.5**

+- Engine: **1.1.19500.2**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known Issues

+#### May-2022 (Platform: 4.18.2205.7 | Engine: 1.1.19300.2)

+- Security intelligence update version: **1.369.88.0**

+- Released: **June 22, 2022**

+- Platform: **4.18.2205.7**

+- Engine: **1.1.19300.2**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### March-2022 *UPDATE* (Platform: 4.18.2203.5 | Engine: 1.1.19200.5)

+- Security intelligence update version: **1.363.817.0**

+- Released: **April 22, 2022**

+- Platform: **4.18.2203.5**

+- Engine: **1.1.19200.5**

+- Support phase: **Technical upgrade support (only)**

+#### What's new

+##### Known issues

+- None

+#### March-2022 (Platform: 4.18.2203.5 | Engine: 1.1.19100.5)

+- Security intelligence update version: **1.361.1449.0**

+- Released: **April 7, 2022**

+- Platform: **4.18.2203.5**

+- Engine: **1.1.19100.5**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+#### February-2022 (Platform: 4.18.2202.4 | Engine: 1.1.19000.8)

+- Security intelligence update version: **1.361.14.0**

+- Released: **March 14, 2022**

+- Platform: **4.18.2202.4**

+- Engine: **1.1.19000.8**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### January-2022 (Platform: 4.18.2201.10 | Engine: 1.1.18900.2)

+- Security intelligence update version: **1.357.8.0**

+- Released: **February 9, 2022**

+- Platform: **4.18.2201.10**

+- Engine: **1.1.18900.2**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### November-2021 (Platform: 4.18.2111.5 | Engine: 1.1.18800.4)

+- Security intelligence update version: **1.355.2.0**

+- Released: **December 9th, 2021**

+- Platform: **4.18.2111.5**

+- Engine: **1.1.18800.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### October-2021 (Platform: 4.18.2110.6 | Engine: 1.1.18700.4)

+- Security intelligence update version: **1.353.3.0**

+- Released: **October 28th, 2021**

+- Platform: **4.18.2110.6**

+- Engine: **1.1.18700.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### September-2021 (Platform: 4.18.2109.6 | Engine: 1.1.18600.4)

+- Security intelligence update version: **1.351.7.0**

+- Released: **October 7th, 2021**

+- Platform: **4.18.2109.6**

+- Engine: **1.1.18600.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### August-2021 (Platform: 4.18.2108.7 | Engine: 1.1.18500.10)

+- Security intelligence update version: **1.349.22.0**

+- Released: **September 2, 2021**

+- Platform: **4.18.2108.7**

+- Engine: **1.1.18500.10**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### July-2021 (Platform: 4.18.2107.4 | Engine: 1.1.18400.4)

+- Security intelligence update version: **1.345.13.0**

+- Released: **August 5, 2021**

+- Platform: **4.18.2107.4**

+- Engine: **1.1.18400.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### June-2021 (Platform: 4.18.2106.5 | Engine: 1.1.18300.4)

+- Security intelligence update version: **1.343.17.0**

+- Released: **June 28, 2021**

+- Platform: **4.18.2106.5**

+- Engine: **1.1.18300.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)

+- Security intelligence update version: **1.341.8.0**

+- Released: **June 3, 2021**

+- Platform: **4.18.2105.4**

+- Engine: **1.1.18200.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### April-2021 (Platform: 4.18.2104.14 | Engine: 1.1.18100.5)

+- Security intelligence update version: **1.337.2.0**

+- Released: **April 26, 2021** (Engine: 1.1.18100.6 released May 5, 2021)

+- Platform: **4.18.2104.14**

+- Engine: **1.1.18100.5**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)

+- Security intelligence update version: **1.335.36.0**

+- Released: **April 2, 2021**

+- Platform: **4.18.2103.7**

+- Engine: **1.1.18000.5**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)

+- Security intelligence update version: **1.333.7.0**

+- Released: **March 9, 2021**

+- Platform: **4.18.2102.3**

+- Engine: **1.1.17900.7**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)

+- Security intelligence update version: **1.327.1854.0**

+- Released: **February 2, 2021**

+- Platform: **4.18.2101.9**

+- Engine: **1.1.17800.5**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)

+- Security intelligence update version: **1.327.1854.0**

+- Released: **December 03, 2020**

+- Platform: **4.18.2011.6**

+- Engine: **1.1.17700.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)

+- Security intelligence update version: **1.327.7.0**

+- Released: **October 29, 2020**

+- Platform: **4.18.2010.7**

+- Engine: **1.1.17600.5**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)

+- Security intelligence update version: **1.325.10.0**

+- Released: **October 01, 2020**

+- Platform: **4.18.2009.7**

+- Engine: **1.1.17500.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)

+- Security intelligence update version: **1.323.9.0**

+- Released: **August 27, 2020**

+- Platform: **4.18.2008.9**

+- Engine: **1.1.17400.5**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)

+- Security intelligence update version: **1.321.30.0**

+- Released: **July 28, 2020**

+- Platform: **4.18.2007.8**

+- Engine: **1.1.17300.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)

+- Security intelligence update version: **1.319.20.0**

+- Released: **June 22, 2020**

+- Platform: **4.18.2006.10**

+- Engine: **1.1.17200.2**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)

+- Security intelligence update version: **1.317.20.0**

+- Released: **May 26, 2020**

+- Platform: **4.18.2005.4**

+- Engine: **1.1.17100.2**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)

+- Security intelligence update version: **1.315.12.0**

+- Released: **April 30, 2020**

+- Platform: **4.18.2004.6**

+- Engine: **1.1.17000.2**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- None

+#### March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)

+- Security intelligence update version: **1.313.8.0**

+- Released: **March 24, 2020**

+- Platform: **4.18.2003.8**

+- Engine: **1.1.16900.4**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- [**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.

+#### February-2020 (Platform: - | Engine: 1.1.16800.2)

+- Security intelligence update version: **1.311.4.0**

+- Released: **February 25, 2020**

+- Platform/Client: **-**

+- Engine: **1.1.16800.2**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+- None

+##### Known issues

+- None

+#### January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)

+- Security intelligence update version: **1.309.32.0**

+- Released: **January 30, 2020**

+- Platform/Client: **4.18.2001.10**

+- Engine: **1.1.16700.2**

+- Support phase: **Technical upgrade support (only)**

+##### What's new

+##### Known issues

+- [**Fixed**] devices utilizing [modern standby mode](/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.

+#### November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)

+- Security intelligence update version: **1.307.13.0**

+- Released: **December 7, 2019**

+- Platform: **4.18.1911.3**

+- Engine: **1.1.17000.7**

+- Support phase: **No support**

+##### What's new

+##### Known issues

+- When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version.

+The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:

+### 20230118.1

+- Defender package version: **20230118.1**

+- Security intelligence version: **1.381.2404.0**

+- Engine version: **1.1.19900.2**

+- Platform version: **4.18.2211.5**

+#### Fixes

+#### Additional information

+### 20221209.1

+- Defender package version: **20221209.1**

+- Security intelligence version: **1.381.144.0**

+- Engine version: **1.1.19900.2**

+- Platform version: **4.18.2211.5**

+#### Fixes

+#### Additional information

+### 20221102.3

+- Defender package version: **20221102.3**

+- Security intelligence version: **1.377.1180.0**

+- Engine version: **1.1.19700.3**

+- Platform version: **4.18.2210.4**

+#### Fixes

+#### Additional information

+### 20221014.1

+- Package version: **20221014.1**

+- Platform version: **4.18.2209.7**

+- Engine version: **1.1.19700.3**

+- Signature version: **1.373.208.0**

+#### Fixes

+#### Additional information

+### 20220929.1

+- Package version: **20220929.1**

+- Platform version: **4.18.2207.7**

+- Engine version: **1.1.19600.3**

+- Signature version: **1.373.1243.0**

+#### Fixes

+- None

+#### Additional information

+- None

+### 20220925.2

+- Package version: **20220925.2**

+- Platform version: **4.18.2207.7**

+- Engine version: **1.1.19600.3**

+- Signature version: **1.373.1371.0**

+#### Fixes

+#### Additional information

+### 20220901.4

+- Package version: **20220901.4**

+- Platform version: **4.18.2205.7**

+- Engine version: **1.1.19500.2**

+- Signature version: **1.373.1371.0**

+#### Fixes

+#### Additional information

+### 20220802.1

+- Package version: **20220802.1**

+- Platform version: **4.18.2205.7**

+- Engine version: **1.1.19400.3**

+- Signature version: **1.371.1205.0**

+#### Fixes

+#### Additional information

+### 20220629.5

+- Package version: **20220629.5**

+- Platform version: **4.18.2205.7**

+- Engine version: **1.1.19300.2**

+- Signature version: **1.369.220.0**

+#### Fixes

+#### Additional information

+### 20220603.3

+- Package version: **20220603.3**

+- Platform version: **4.18.2203.5**

+- Engine version: **1.1.19200.6**

+- Signature version: **1.367.1009.0**

+#### Fixes

+#### Additional information

+### 20220506.6

+- Package version: **20220506.6**

+- Platform version: **4.18.2203.5**

+- Engine version: **1.1.19200.5**

+- Signature version: **1.363.1436.0**

+#### Fixes

+#### Additional information

+### 20220321.1

+- Package version: **20220321.1**

+- Platform version: **4.18.2202.4**

+- Engine version: **1.1.19000.8**

+- Signature version: **1.351.337.0**

+#### Fixes

+#### Additional information

+### 20220305.1

+- Package version: **20220305.1**

+- Platform version: **4.18.2201.10**

+- Engine version: **1.1.18900.3**

+- Signature version: **1.359.1405.0**

+#### Fixes

+#### Additional information

+### 20220203.1

+- Package version: **20220203.1**

+- Platform version: **4.18.2111.5**

+- Engine version: **1.1.18900.2**

+- Signature version: **1.357.32.0**

+#### Fixes

+#### Additional information

+### 20220105.1

+- Package version: **20220105.1**

+- Platform version: **4.18.2111.5**

+- Engine version: **1.1.18800.4**

+- Signature version: **1.355.1482.0**

+#### Fixes

+#### Additional information

+### 1.1.2112.01

+- Package version: **1.1.2112.01**

+- Platform version: **4.18.2110.6**

+- Engine version: **1.1.18700.4**

+- Signature version: **1.353.2283.0**

+#### Fixes

+#### Additional information

+### 1.1.2111.02

+- Package version: **1.1.2111.02**

+- Platform version: **4.18.2110.6**

+- Engine version: **1.1.18700.4**

+- Signature version: **1.353.613.0**

+#### Fixes

+#### Additional information

+### 1.1.2110.01

+- Package version: **1.1.2110.01**

+- Platform version: **4.18.2109.6**

+- Engine version: **1.1.18500.10**

+- Signature version: **1.349.2103.0**

+#### Fixes

+#### Additional information

+### 1.1.2109.01

+- Package version: **1.1.2109.01**

+- Platform version: **4.18.2107.4**

+- Engine version: **1.1.18400.5**

+- Signature version: **1.347.891.0**

+#### Fixes

+#### Additional information

+### 1.1.2108.01

+- Package version: **1.1.2108.01**

+- Platform version: **4.18.2107.4**

+- Engine version: **1.1.18300.4**

+- Signature version: **1.343.2244.0**

+#### Fixes

+#### Additional information

+### 1.1.2107.02

+- Package version: **1.1.2107.02**

+- Platform version: **4.18.2105.5**

+- Engine version: **1.1.18300.4**

+- Signature version: **1.343.658.0**

+#### Fixes

+#### Additional information

+### 1.1.2106.01

+- Package version: **1.1.2106.01**

+- Platform version: **4.18.2104.14**

+- Engine version: **1.1.18100.6**

+- Signature version: **1.339.1923.0**

+#### Fixes

+#### Additional information

+### 1.1.2105.01

+- Package version: **1.1.2105.01**

+- Platform version: **4.18.2103.7**

+- Engine version: **1.1.18100.6**

+- Signature version: **1.339.42.0**

+#### Fixes

+#### Additional information

+### 1.1.2104.01

+- Package version: **1.1.2104.01**

+- Platform version: **4.18.2102.4**

+- Engine version: **1.1.18000.5**

+- Signature version: **1.335.232.0**

+#### Fixes

+#### Additional information

+### 1.1.2103.01

+- Package version: **1.1.2103.01**

+- Platform version: **4.18.2101.9**

+- Engine version: **1.1.17800.5**

+- Signature version: **1.331.2302.0**

+#### Fixes

+#### Additional information

+### 1.1.2102.03

+- Package version: **1.1.2102.03**

+- Platform version: **4.18.2011.6**

+- Engine version: **1.1.17800.5**

+- Signature version: **1.331.174.0**

+#### Fixes

+#### Additional information

+### 1.1.2101.02

+- Package version: **1.1.2101.02**

+- Platform version: **4.18.2011.6**

+- Engine version: **1.1.17700.4**

+- Signature version: **1.329.1796.0**

+#### Fixes

+#### Additional information

+### 1.1.2012.01

+- Package version: **1.1.2012.01**

+- Platform version: **4.18.2010.7**

+- Engine version: **1.1.17600.5**

+- Signature version: **1.327.1991.0**

+#### Fixes

+#### Additional information

+### 1.1.2011.02

+- Package version: **1.1.2011.02**

+- Platform version: **4.18.2010.7**

+- Engine version: **1.1.17600.5**

+- Signature version: **1.327.658.0**

+#### Fixes

+#### Additional information

+### 1.1.2011.01

+- Package version: **1.1.2011.01**

+- Platform version: **4.18.2009.7**

+- Engine version: **1.1.17600.5**

+- Signature version: **1.327.344.0**

+#### Fixes

+#### Additional information

+### 1.1.2009.10

+- Package version: **1.1.2011.01**

+- Platform version: **4.18.2008.9**

+- Engine version: **1.1.17400.5**

+- Signature version: **1.327.2216.0**

+#### Fixes

+#### Additional information

+- Download file

+- Collect file

+The **Download file** button can have the following states:

+- **Active** - You'll be able to collect the file.

+- **Disabled** - If the button is grayed out or disabled during an active collection attempt, you may not have appropriate RBAC permissions to collect files.

+ The following permissions are required:

+ For Portable Executable file (.exe, .sys, .dll, and others)

+ - Global admin or Advanced live response or Alerts

+ Non-Portable Executable file (.txt, .docx, and others)

+ - Global admin or Advanced live response

+If a file isn't already stored by Microsoft Defender for Endpoint, you can't download it. Instead, you'll see a **Collect file** button in the same location.

+The **Collect file** button can have the following states:

+- **Active** - You'll be able to collect the file.

+- **Disabled** - If the button is grayed out or disabled during an active collection attempt, you may not have appropriate RBAC permissions to collect files.

+ The following permissions are required:

+ For Portable Executable file (.exe, .sys, .dll, and others)

+ - Global admin or Advanced live response or Alerts

+ Non-Portable Executable file (.txt, .docx, and others)

+ - Global admin or Advanced live response

+If a file hasn't been seen in the organization in the past 30 days, **Collect file** will be disabled.

+## Running the analyzer using a terminal or SSH scenario

+Open a terminal or SSH into the relevant machine and run the following commands:

+### Download

+```sh

+wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer

+```

+### Verify

+```sh

+echo '815F3E83EB1E6C33D712F101618018E1E38211D4E2807C3A9EF3CC0B0F95225C XMDEClientAnalyzer.zip' | sha256sum -c

+```

+### Extract

+```sh

+unzip -q XMDEClientAnalyzer.zip -d XMDEClientAnalyzer

+```

+### Change to the tool's directory

+```sh

+cd XMDEClientAnalyzer

+```

+### Install the components

+Run as a non-root user to install required pip and lxml components.

+```sh

+./mde_support_tool.sh

+```

+### Collect the diagnosics

+To collect the actual diagnostic package and generate the result archive file, run again as root.

+```sh

+sudo ./mde_support_tool.sh -d

+```

+| `ProfileAvailability` | `string` | Indicates the availability status of the profile data for the file: Available - profile was successfully queried and file data returned, Missing - profile was successfully queried but no file info was found, Error - error in querying the file info or maximum allotted time was exceeded before query could be completed, or an empty value - if file ID is invalid or the maximum number of files was reached |

+|Security operator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Configuration \ Security settings \ (All permissions)|_**Defender for Endpoint only permissions**_</br>Security operations \ Security data \ Basic live response (manage)</br>Security operations \ Security data \ Advanced live response (manage)</br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br></br>_**Defender for Office only permissions**_ </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Configuration \ System settings \ (All permissions)</br></br>_**Defender for Identity only permissions**_ </br>Configuration \ System settings \ (read)|

+You can easily apply a [retention label](../compliance/retention.md) to unstructured, structured and prebuilt models in Microsoft Syntex.

+> Retention labels are not yet available for freeform document processing models.

+