-|||

-This article is for people who set password expiration policy for a business, school, or nonprofit. To complete these steps, you need to sign in with your Microsoft 365 admin account. [What's an admin account?](Overview of the Microsoft 365 admin center](../admin-overview/admin-center-overview.md).

-You must be an [global admin or password administrator](about-admin-roles.md) to perform these steps.

-Office add-ins help you personalize your documents and streamline the way you access information on the web (see [Start using your Office add-in](https://support.microsoft.com/office/82e665c4-6700-4b56-a3f3-ef5441996862)).

-After you deploy an add-in, your end users can start using it in their Office applications (see [Start using your Office Add-in](https://support.microsoft.com/office/82e665c4-6700-4b56-a3f3-ef5441996862)). The add-in appears on all platforms that the add-in supports.

-For an overview of Message center, see [Message center in Microsoft 365](message-center.md). Or, to learn how to set your language preferences to enable machine translation for Message center posts, see [Language translation for Message center posts](language-translation-for-message-center-posts.md). If you'd like to program an alternative way to get real-time service health information and Message Center communications, please reference [Microsoft 365 Service Communications API Overview](/previous-versions/office/developer/o365-enterprise-developers/jj984343(v=office.15)).

- Add-RecipientPermission -Identity <bookingmailbox@emailaddress> -Trustee <adminusers@emailaddress> -AccessRights SendAs -Confirm:$false

- - If you're using Office 365 Germany, go to this <a href="https://go.microsoft.com/fwlink/p/?linkid=853213" target="_blank">Billing notifications</a> page.

- - If you're using Office 365 operated by 21Vianet, go to this <a href="https://go.microsoft.com/fwlink/p/?linkid=853215" target="_blank">Billing notifications</a> page.

-1. Under **Receive billing statement as email attachment?** switch the toggle to **On**.

-All Microsoft Information Protection solutions (sometimes abbreviated to MIP) are implemented by using [sensitivity labels](sensitivity-labels.md). To create and publish these labels, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft 365 compliance center</a>. You can also use the older portal, Office 365 Security & Compliance Center.

-First, create and configure the sensitivity labels that you want to make available for apps and other services. For example, the labels you want users to see and apply from Office apps.

-3. Now enable sensitivity labels for SharePoint and OneDrive. This additional step is a prerequisite to use sensitivity labels in Office for the web, and auto-labeling policies for SharePoint and OneDrive.

- Select the **Labels** tab, and then **Turn on now**.

- For full instructions, see [How to enable sensitivity labels for SharePoint and OneDrive (opt-in)](sensitivity-labels-sharepoint-onedrive-files.md#how-to-enable-sensitivity-labels-for-sharepoint-and-onedrive-opt-in).

-> For US Government tenants, sensitivity labels are now supported for all platforms.

-The Password reset tab shows detailed information on the status of self-service password reset enablement across your tenants.

-6. On the Configure page, in the **Method** dropdown, select **Paste JSON** as the method and paste the JSON text you copied in Step 5 in the text field that appears.

-This report provides an overview of the deployment progress of a given Windows security update for your Microsoft Managed Desktop devices. At the beginning of each security update release cycle, Microsoft Managed Desktop takes a snapshot of all the devices with an **Active** device status and sets its deployment target at 95% of that population. The graph shows your deployment progress for a selected release date compared to the Microsoft Managed Desktop average. While we focus on the Active population you can also pivot this report to show your **Active + Synced** and **Out of sync** device populations. You can view the deployment progress for previous releases by changing the available filters, but device level details are only available for the current release. Device information viewable in the table following the graph is also exportable for offline analysis.

-There should only be a few devices in the **Older** category. A large or growing **Older** population probably indicates a systemic problem that you should report to Microsoft Managed Desktop so we can investigate.

-description: Learn how to create a new security policy in Microsoft Defender for Business

-localization_priority: Normal

-# Create a new policy in Microsoft Defender for Business (preview)

-> [!IMPORTANT]

-> Microsoft Defender for Business is now in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. We will onboard an initial set of customers and partners in the coming weeks and will expand the preview leading up to general availability. Note that preview will launch with an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.

->

-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.

-Microsoft Defender for Business (preview) includes default policies that use recommended settings to protect your company's devices from day one. For example, you have **Next-generation protection** policies and **Firewall** policies that are built in using recommended security settings. But you're not limited to your default policies. You can create new policies, too, as described in this article.

-> [!TIP]

-> If you want to edit an existing policy, see [View or edit policies in Microsoft Defender for Business (preview)](mdb-view-edit-policies.md).

-## Create a new policy

-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

-2. In the navigation pane, choose **Device configuration**. Policies are organized by operating system (such as **Windows client**) and policy type (such as **Next-generation protection** and **Firewall**).

-3. Select an operating system tab (for example, **Windows clients**), and then review the list of **Next-generation protection** policies.

-4. Under **Next-generation protection** or **Firewall**, select **+ Add**.

-5. On the **General information** tab, take the following steps:

- 1. Specify a name and description. This information will help you and your team identify the policy later on.

- 2. Review the policy order, and edit it if necessary. (For more information, see [Policy order](mdb-policy-order.md).)

- 3. Choose **Next**.

-7. On the **Device groups** tab, either create a new device group, or use an existing group. Policies are assigned to devices through device groups. Here are some things to keep in mind:

- - Initially, you might only have your default device group, which includes the devices people in your company are using to access company data and email. You can keep and use your default device group.

- - Create a new device group to apply a policy with specific settings that are different from the default policy.

- - When you set up your device group, you specify certain criteria, such as the operating system version. Devices that meet the criteria are included in that device group, unless you exclude them.

- - All device groups, including the default and custom device groups that you define, are stored in Azure Active Directory (Azure AD).

- To learn more about device groups, see [Device groups in Defender for Business (preview)](mdb-create-edit-device-groups.md).

-8. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Configuration settings for Microsoft Defender for Business (preview)](mdb-next-gen-configuration-settings.md).

-9. On the **Review your policy** tab, review the general information, targeted devices, and configuration settings.

- - Make any needed changes by selecting **Edit**.

- - When youΓÇÖre ready to proceed, choose **Create policy**.

-## Next steps

-Choose one or more of the following tasks:

-##### [Evaluate ASR rules](evaluate-attack-surface-reduction.md)

-##### [Enable ASR rules](enable-attack-surface-reduction.md)

-##### [Customize ASR rules](customize-attack-surface-reduction.md)

-Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.

-Get the current list of attack surface reduction GUIDs from [Customize attack surface reduction rules](customize-attack-surface-reduction.md)

-> The Connectivity Analyzer tool cloud connectivity checks are not compatible with Attack Surface Reduction rule [Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules-reference.md#block-process-creations-originating-from-psexec-and-wmi-commands). You will need to temporarily disable this rule to run the connectivity tool. Alternatively, you can temporarily add [ASR exclusions](customize-attack-surface-reduction.md#exclude-files-and-folders) when running the analyzer.

-Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

-description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules

-keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude

-ms.sitesec: library

-# Customize attack surface reduction rules

-**Applies to:**

-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)

-> [!IMPORTANT]

-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-[Attack surface reduction rules](enable-attack-surface-reduction.md) help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.

-Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.

-You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:

-You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings.

-See [Requirements](enable-attack-surface-reduction.md#requirements) in the "Enable attack surface reduction rules" article for information about supported operating systems and additional requirement information.

-## Exclude files and folders

-You can choose to exclude files and folders from being evaluated by attack surface reduction rules. When excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.

-For example, consider the ransomware rule:

-The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule errors on the side of caution and protect against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that have not gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self resolved, because each file's "reputation and trust" values are incrementally upgraded as non-problematic usage increases.

-In cases in which blocks aren't self resolved in a timely manner, customers can - _at their own risk_ - make use of either the self-service mechanism or an Indicator of Compromise (IOC)-based "allow list" capability to unblock the files themselves.

-> [!WARNING]

-> Excluding or unblocking files or folders could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.

-An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule.

-An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.

-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) .

-If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).

-See the [attack surface reduction rules reference](attack-surface-reduction-rules-reference.md) topic for details on each rule.

-### Use Group Policy to exclude files and folders

-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.

-2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.

-3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Microsoft Defender Exploit Guard** \> **Attack surface reduction**.

-4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.

-> [!WARNING]

-> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.

-### Use PowerShell to exclude files and folders

-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.

-2. Enter the following cmdlet:

- ```PowerShell

- Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"

- ```

- Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list.

-

- > [!IMPORTANT]

- > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.

-### Use MDM CSPs to exclude files and folders

-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.

-## Customize the notification

-You can customize the notification for when a rule is triggered and blocks an app or file. See the [Windows Security](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center) article.

-## Related topics

-description: See how attack surface reduction would block and prevent attacks with the custom demo tool.

-keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo

-ms.sitesec: library

-# Evaluate attack surface reduction rules

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-enablesiem-abovefoldlink)

-Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Attack surface reduction rules help close off many of the common entry points used by malware and ransomware.

-Set attack surface reduction rules for devices running any of the following editions and versions of Windows:

-> [!Note]

-> Attack surface reduction rules in Windows Server 2012 R2 and Windows Server 2016 are available using the modern unified solution package. For more information, see [New functionality in the modern unified solution for Windows 2012 R2 and 2016 Preview](configure-server-endpoints.md#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview) in the topic [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md).

-See also [Microsoft Defender for Endpoint: Defending Windows Server 2012 R2 and 2016](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292).

-Learn how to evaluate attack surface reduction rules by [enabling audit mode](audit-windows-defender.md) to test the feature directly in your organization.

-> [!TIP]

-> You can also visit the Microsoft Defender for Endpoint demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.

-## Use audit mode to measure impact

-Enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how often the rules will fire during normal use.

-To enable an attack surface reduction rule in audit mode, use the following PowerShell cmdlet:

-```PowerShell

-Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode

-```

-Where `<rule ID>` is a [GUID value of the attack surface reduction rule](attack-surface-reduction-rules-reference.md).

-To enable all the added attack surface reduction rules in audit mode, use the following PowerShell cmdlet:

-```PowerShell

-(Get-MpPreference).AttackSurfaceReductionRules_Ids | Foreach {Add-MpPreference -AttackSurfaceReductionRules_Ids $_ -AttackSurfaceReductionRules_Actions AuditMode}

-```

-> [!TIP]

-> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).

-You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main [Attack surface reduction rules](attack-surface-reduction.md) article.

-## Review attack surface reduction events in Windows Event Viewer

-To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.

-Event ID | Description

- 5007 | Event when settings are changed

- 1121 | Event when an attack surface reduction rule fires in block mode

- 1122 | Event when an attack surface reduction rule fires in audit mode

-## Customize attack surface reduction rules

-During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature.

-See [Customize attack surface reduction rules](customize-attack-surface-reduction.md) for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.

-## See also

-When a mitigation is found on the device, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

-Admins can configure auto-setup of VPN profile. This will automatically setup the Defender for Endpoint VPN profile without having the user to do so while onboarding. Note that VPN is used in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.

-## Configure Microsoft Defender for Endpoint for Supervised Mode

-The Microsoft Defender for Endpoint on iOS app has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender for Endpoint app needs to know if a device is in Supervised Mode.

-### Configure Supervised Mode via Intune

-Intune allows you to configure the Defender for iOS app through an App Configuration policy.

- > [!NOTE]

- > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice.

-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** \> **App configuration policies** \> **Add**. Click on **Managed devices**.

- > [!div class="mx-imgBorder"]

- > 

-1. In the *Create app configuration policy* page, provide the following information:

- - Policy Name

- - Platform: Select iOS/iPadOS

- - Targeted app: Select **Microsoft Defender for Endpoint** from the list

- > [!div class="mx-imgBorder"]

- > 

-1. In the next screen, select **Use configuration designer** as the format. Specify the following property:

- - Configuration Key: issupervised

- - Value type: String

- - Configuration Value: {{issupervised}}

- > [!div class="mx-imgBorder"]

- > 

-1. Click **Next** to open the **Scope tags** page. Scope tags are optional. Click **Next** to continue.

-1. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it is best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).

- When deploying to user groups, a user must sign in to a device before the policy applies.

- Click **Next**.

-1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.

-> - [Customize attack surface reduction rules](customize-attack-surface-reduction.md)

-When network protection blocks a connection, a notification is displayed from the Action Center. Your security operations team can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your organization's details and contact information. In addition, individual attack surface reduction rules can be enabled and customized to suit certain techniques to monitor.

-To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md).

-|Network inspection system|Specify additional definition sets for network traffic inspection|[Specify additional definition sets for network traffic inspection](specify-additional-definitions-network-traffic-inspection-mdav.md)|

-|Network inspection system|Turn on definition retirement|[Configure definition retirement](turn-on-definition-retirement.md)|

-|Network inspection system|Turn on protocol recognition|[Turn on protocol recognition](turn-on-protocol-recognition.md)|

-|Root|Turn off Microsoft Defender Antivirus|Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)

-|`DeviceSubType` | `string` | Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone |

-|`Model` | `string` | Model name or number of the product from the vendor or manufacturer |

-|`Vendor` | `string` | Name of the product vendor or manufacturer |

-1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.

-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.

-1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.

-1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.

-1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Threat policies** \> **Rules** section \> **Quarantine policies** and then select **Quarantine policies**.

-The **Exchange transport rule** report shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization.

-To view the report in the Microsoft 365 Defender portal, go to **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. On the **Email & collaboration reports** page, find **Exchange transport rule** and then click **View details**. To go directly to the report, open <https://security.microsoft.com/reports/ETRRuleReport>.

-

-On the **Exchange transport rule report** page, the available charts and data are described in the following sections.

-The **Exchange transport rule report** shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization.

-To view the report, open the Security & Compliance Center at <https://protection.office.com>, go to **Reports** \> **Dashboard** and select **Exchange Transport rule**. To go directly to the report, open <https://security.microsoft.com/reports/ETRRuleReport>.

-

-> Clicking on the widget for this report in the Security & Compliance Center (protection.office.com) now takes you to the full report in the Microsoft 365 Defender portal (security.microsoft.com). For details about the report, see [Exchange transport rule report](view-email-security-reports.md#exchange-transport-rule-report).

-For more information, see this [overview of Microsoft Intune](/intune/fundamentals/what-is-intune).