+|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Preview: [Beta Channel](https://office.com/insider) | Under review | Under review | Under review | Under review |

+ 21H2/SV1|>=22000.593|[KB5011563: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5019275)

+ "computerDnsName": "TEST_DOMAIN",

+ "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",

+ "ScannerSoftwareVersion": "7.1.1",

+ "LastCommandExecutionTimestamp": "2022-05-08T12:18:41.538203Z",

+ "computerDnsName": "TEST_DOMAIN2",

+ "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",

+ "ScannerSoftwareVersion": "7.1.1",

+ "LastCommandExecutionTimestamp": "2022-12-19T20:29:04.8242449Z",

+ "lastSeen": "2021-12-19T20:29:04.8242449Z",

+ "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",

+ "ScannerSoftwareVersion": "7.1.1",

+ "LastCommandExecutionTimestamp": "2021-12-19T20:29:04.8242449Z",

+ "id": "4asdff0c-3344-46d3-bxxe-a9334rtgfcaa_eb6df89dfdf9032f61eedf14c4b90f77",

+ "machineId": "eb663a27676kjhj61bc268a79eedf14c4t78u7",

+ "machineName": "DESKTOP-Test",

+ "lastSeen": "2022-12-21T14:34:19.5698988Z",

+ "AssignedApplicationId": "9E0FA0EB-0A51-4357-9C87-C21BFBE07571",

+ "ScannerSoftwareVersion": "7.1.1",

+ "LastCommandExecutionTimestamp": "2022-12-21T14:34:19.5698988Z",

+ },

+scanAuthenticationParams|Object|Set of authenticated scan objects, contains: authentication type, username, password. See [Get all scan definitions](./get-all-scan-definitions.md).

+scannerAgent|Object|Set of scanner agent objects, contains: id, device id, device name, the date and time (in UTC) the device was last seen, assigned application id, scanner software version, and the date and time (in UTC) the scanner agent was last executed. See [Get all scan definitions](./get-all-scan-definitions.md).

+latestScan|Object|Latest scan object contains: scan status, failure, the date and time (in UTC) the scan was executed. See [Get all scan definitions](./get-all-scan-definitions.md).

+### Microsoft Defender for Cloud Apps

+The Microsoft Defender for Cloud Apps / Cloud App Catalog identifies apps you would want end users to be warned upon accessing with Microsoft 365 Defender for Endpoint, and mark them as _Monitored_. The domains listed under monitored apps would be later synced to Microsoft 365 Defender for Endpoint:

+ - If network protection is configured and active on the device, web content filtering (WCF) policies created in the MDEP Portal are respected in browsers, including Chromium Microsoft Edge for macOS. Web content filtering in Microsoft Edge on Mac currently requires network protection; other E5 feature, such as Microsoft Defender for Cloud Apps or Custom Indicators currently also require network protection.

+### Microsoft Defender for Cloud Apps

+The Microsoft Defender for Cloud Apps / Cloud App Catalog identifies apps you would want end users to be warned upon accessing with Microsoft 365 Defender for Endpoint, and mark them as _Monitored_. The domains listed under monitored apps would be later synced to Microsoft 365 Defender for Endpoint:

+- **For toast message experience**: Press the toast message itself. End user will be redirected to a custom redirect URL set globally in Microsoft Defender for Cloud Apps (More information at the bottom of this page)

+> Tracking bypasses per app** ΓÇô You can track how many users have bypassed the warning in the _Application_ page in Microsoft Defender for Cloud Apps.

+For many organizations, it's important to take the cloud controls provided by Microsoft Defender for Cloud Apps, and to not only set limitations on end users when needed, but to also educate and coach them about:

+2. By default, action will be taken for all apps and domains that were marked as Monitored in Microsoft Defender for Cloud Apps portal for all the onboarded endpoints in the organization.

+3. Full URLs are currently not supported and won't be sent from Microsoft Defender for Cloud Apps to Microsoft 365 Defender for Endpoint, if any full URLs are listed under Microsoft Defender for Cloud Apps monitored apps, hence, user won't get warned on access attempt (for example, google.com/drive isn't supported, while drive.google.com is supported).

+- [Microsoft 365 Defender for Endpoint integration with Microsoft Microsoft 365 Defender for Cloud Apps](/defender-cloud-apps/mde-integration)

+In order to be eligible to purchase Microsoft Defender for Endpoint Server SKU, you must have already purchased a combined minimum of any of the following: Windows E5/A5, Microsoft 365 E5/A5, or Microsoft 365 E5 Security subscription licenses.

+Use the table below for guidance on the configurations required, along with the permissions needed for the scanning account, on each device to be scanned:

+>[!NOTE]

+> The below steps are only one recommended way to configure the permissions on each device to be scanned and uses the Performance Monitor Users group. You can also configure the permissions in the following ways:

+>

+> - Add the account to a different user group and give all the permissions required to that group.

+> - Give these permissions explicitly to the scanning account.

+>[!NOTE]

+>To configure and apply the permission to a group of devices to be scanned using a group policy, see [Configure a group of devices with a group policy](#configure-a-group-of-devices-with-a-group-policy).

+|Windows Management Instrumentation (WMI) is enabled | To enable remote Windows Management Instrumentation (WMI): </br> </br> - Verify the Windows Management Instrumentation service is running. </br> - Go to **Control Panel** &gt; **All Control Panel Items** &gt; **Windows Defender Firewall** &gt; **Allowed applications** and ensure Windows Management Instrumentation (WMI) is allowed through Windows Firewall.|

+|Performance Monitor Users group has 'Enable Account' and 'Remote Enable' permissions on Root/CIMV2 WMI namespace | To verify or enable these permissions: </br> </br> - Run wmimgmt.msc </br> - Right click **WMI Control (Local)** and select **Properties**</br> - Go to the Security tab</br> - Select the relevant WMI namespace and select **Security**</br> - Add the specified group and select to allow the specific permissions</br> - Select **Advanced**, choose the specified entry and select **Edit**</br> - Set **Applies To** to ΓÇ£This namespace and subnamespacesΓÇ¥|

+|**Performance Monitor Users** group should have permissions on DCOM operations| To verify or enable these permissions: </br></br> - Run dcomcnfg </br> - Navigate to **Component Services** > **Computers** > **My Computer** </br> - Right click My Computer and choose **Properties** </br> - Go to the COM Security tab </br> - Go to **Launch and Activation Permissions** and select **Edit Limits** </br> - Add the specified group and select to allow **Remote Activation** |

+### Configure a group of devices with a group policy

+A group policy will let you bulk apply the configurations required, as well as the permissions required for the scanning account, to a group of devices to be scanned.

+Follow these steps on a domain controller to configure a group of devices at the same time:

+| Step | Description |

+|:|:|

+|Create a new Group Policy Object| - On the domain controller open the Group Policy Management Console </br> - Follow these steps to [Create a Group Policy Object](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object) </br> - Once your Group Policy Object (GPO) is created, right-click on your GPO and select **Edit** to open the Group Policy Management Editor console and complete the steps below |

+|Enable Windows Management Instrumentation (WMI)| To enable remote Windows Management Instrumentation (WMI): </br> </br> - Go to **Computer Configuration** &gt; **Policies** &gt; **Windows Settings** &gt; **Security Settings** &gt; **System Services** </br> - Right-click **Windows Management Instrumentation** </br> - Select the **Define this policy setting** box and choose **Automatic**|

+|Allow WMI through the firewall| To allow Windows Management Instrumentation (WMI) through the firewall: </br> </br> - Go to **Computer Configuration** &gt; **Policies** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Windows Defender Firewall and Advanced Security** &gt; **Inbound Rules** </br> - Right-click and select **New Rule** </br> - Choose **Predefined** and select **Windows Management Instrumentation (WMI)** from the list. Then select **Next** </br> - Select the **Windows Management Instrumentation (WMI-In)** checkbox. Then select **Next** </br> - Select **Allow the connection**. Then select **Finish** </br> - Right-click the newly added rule and select **Properties** </br> - Go to the **Advanced** tab and uncheck the **Private** and **Public** options as only **Domain** is required|

+|Grant permissions to perform DCOM operations| To grant permissions to perform DCOM operations: </br> </br> - Go to **Computer Configuration** &gt; **Policies** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt; **Security Operations** </br> - Right-click **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** and select **Properties** </br> - Select **Define this policy setting** box and select **Edit Security** </br> - Add the user or group you are granting permissions to and select **Remote Activation** |

+|Grant permissions to the Root\CIMV2 WMI namespace by running a PowerShell script via group policy: | - Create a PowerShell, see [Example PowerShell script](#example-powershell-script) for a recommended script you can modify according to your needs. </br> - Go to **Computer Configuration**&gt; **Policies** &gt; **Windows Settings** &gt;**Scripts (Startup/Shutdown)** &gt; **Startup** </br> - Go to the **PowerShell Scripts** tab </br> - Select **Show Files** and copy the script you created to this folder </br> - Return to the scripts configuration windows and select **Add** </br> - Enter the script name </br> |

+#### Example PowerShell script

+Use the following PowerShell script as a starting point to grant permissions to the Root\CIMV2 WMI namespace via group policy:

+```powershell

+Param ()

+Process {

+ $ErrorActionPreference = "Stop"

+ $accountSID = "S-1-5-32-558" # Performance Monitor Users built-in group, please change or pass parameter as you wish

+ $computerName = "."

+ $remoteparams = @{ComputerName=$computerName}

+ $invokeparams = @{Namespace="root\cimv2";Path="__systemsecurity=@"} + $remoteParams

+ $output = Invoke-WmiMethod @invokeparams -Name GetSecurityDescriptor

+ if ($output.ReturnValue -ne 0) {

+ throw "GetSecurityDescriptor failed: $($output.ReturnValue)"

+ }

+ $acl = $output.Descriptor

+ $CONTAINER_INHERIT_ACE_FLAG = 0x2

+ $ACCESS_MASK = 0x21 # Enable Account + Remote Enable

+ $ace = (New-Object System.Management.ManagementClass("win32_Ace")).CreateInstance()

+ $ace.AccessMask = $ACCESS_MASK

+ $ace.AceFlags = $CONTAINER_INHERIT_ACE_FLAG

+ $trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()

+ $trustee.SidString = $accountSID

+ $ace.Trustee = $trustee

+ $ACCESS_ALLOWED_ACE_TYPE = 0x0

+ $ace.AceType = $ACCESS_ALLOWED_ACE_TYPE

+ $acl.DACL += $ace.psobject.immediateBaseObject

+ $setparams = @{Name="SetSecurityDescriptor";ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams

+ $output = Invoke-WmiMethod @setparams

+ if ($output.ReturnValue -ne 0) {

+ throw "SetSecurityDescriptor failed: $($output.ReturnValue)"

+ }

+}

+```

+Once the GPO policy is applied to a device, all the required settings will be applied and your gMSA account will be able to access and scan the device.