+ Title: "Microsoft 365 admin center Teams app usage reports"

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- Adm_NonTOC

+search.appverid:

+- BCS160

+- MST160

+- MET150

+- MOE150

+description: "Learn how to get the Microsoft Teams app usage report and gain insights into the Teams app activity in your organization."

+# Microsoft 365 Reports in the admin center - Microsoft Teams apps usage reports

+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the **Microsoft Teams app usage report**, you can gain insights into the Teams apps activity in your organization. This article explains how to access the report and view and interpret the various metrics within the report.

+You can use this report to understand who is installing/using apps, and deep dive on a per-app and per-user level.

+## What's in the report

+The Teams app usage report is available in the Microsoft 365 admin center and the data is provided through two separate reports:

+**App usage** - This report helps you answer:

+- How many apps have users in your environment installed?

+- How many apps have at least one active user in your environment?

+- How many apps are being used by platform (Windows, Mac, Web, or mobile)?

+- How many active users and active teams are using the app?

+**User activity** - This report helps you answer:

+- How many users in your environment have installed at least one app?

+- How many users in your environment have used at least one app?

+- How many users are using an app across platforms (Windows, Mac, Web, etc)?

+- How many apps has each user used?

+## How to get to the Microsoft Teams apps usage report

+1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.

+2. From the dashboard homepage, click on the **View more** button on the Microsoft Teams apps activity card.

+ :::image type="content" source="../../media/teams-apps-tile.png" alt-text="Microsoft Teams app.":::

+## Considerations

+- Usage/installs data for a newly published app can take about five days to show up in the report. Data for a given day will show up within 48 hours. For example, data for January 10th should show up in the report by around January 12th.

+- The start date for all installs metrics is October 2021. Only apps installed after that date will be counted.

+- App IDs in this report are the External (manifest) App IDs. For more information on how to tie this ID to an app in the Manage Apps experience in Teams Admin Center, see [Manage app setup policies in Microsoft Teams](/microsoftteams/teams-app-setup-policies#install-apps.md).

+- You can export the report data into an Excel .csv file by selecting the Export link. This exports data for all users/apps and enables you to do simple sorting and filtering for further analysis.

+## Exploring the report - App usage tab

+You can view the **App usage** in the Teams app usage report by choosing the **Apps usage** tab. <br/>

+On the top of the report, you will see three charts describing cross-app trends across your organization.

+- Apps installed

+- Apps used

+- Platform

+You can filter all charts by the time range picker in the top right.

+### Apps installed

+This chart shows you the total number of app installs across your organization up to each date within the selected period. For example ΓÇô if you select January 28th 2022, the chart will show you the total number of installs from October 2021 up to January 28th 2022.

+### Apps used

+This chart shows you the number of apps used across your organization on each date within the selected period. For example ΓÇô if you select January 28th, the chart will show you the total number of apps used on January 28th.

+

+### Platform

+This chart shows you the number of apps used across your organization by platform for the selected period. Available platforms are Windows, Mac, Mobile (across iOS and Android), and Web.

+### Apps usage details table

+This table shows you per-app view with the following metrics for each app. A subset of the metric columns are included by default, and you can select/edit the column list by clicking on **Choose columns**ΓÇ¥** in the top right.

+|**Metric**|**Definition**|**Included by default?**|

+|:--|:--|:--|

+|||

+|App ID <br/> |The external App identifier present in the app manifest. <br/> |Yes |

+|Last used date <br/> |The date when that app was last used by anyone in your organization. <br/> |Yes |

+|Teams using this app <br/> |The number of distinct Teams teams that have at least one user using this app. <br/> |Yes |

+|Users using this app <br/> |The number of distinct users in your organization that are using this app. <br/> |Yes |

+|Used on Windows <br/> | This indicates whether that app has been used on Windows by at least one user in your organization. <br/> |Yes |

+|Used on Mobile <br/> |This indicates whether that app has been used on Mobile by at least one user in your organization. <br/> |Yes |

+|Used on Web <br/> | This indicates whether that app has been used on Web by at least one user in your organization. <br/> |Yes |

+|Used on Mac <br/> |The number of ad hoc meetings a user organized during the specified time period. <br/>|No |

+|App name <br/> |The Name of this application as present in the app manifest. <br/>|No |

+|Publisher <br/> |The publisher of this application as present in the app manifest. This is only available for apps published to the global Store. <br/>|No |

+|||

+## Exploring the report - Teams apps usage user activity tab

+You can view the **user activity** in the Teams app usage report by choosing the **User activity** tab. <br/>

+On the top of the report, you will see three charts describing cross-app trends across your organization.

+- Users who have installed apps

+- User who have used apps

+- Platform

+You can filter all charts by the time range picker in the top right.

+### Users who have installed apps

+This chart shows you the total number of unique users that have installed an app up to each date within the selected period. For example ΓÇô if you select January 28th 2022 the chart will show you the total number of users from October 2021 up to January 28th 2022.

+### User who have used apps

+This chart shows you the number of unique users that have used any app on each date within the selected period. For example ΓÇô if you select January 28th, the chart will show you the total number of users on January 28th.

+### Platform

+This chart shows you the number of apps used across your organization by platform for the selected period. Available platforms are Windows, Mac, Mobile (across iOS and Android), and Web.

+

+### User activity details table

+This table shows you per-user view with the following metrics for each app. A subset of the metric columns are included by default, and you can select/edit the column list by clicking on **Choose columns** in the top right.

+|**Metric**|**Definition**|**Included by default?**|

+|:--|:--|:--|

+||||

+|User name <br/> |The User name for a unique user. Value is concealed by default. <br/> |Yes |

+|Apps installed <br/> |The number of unique apps (across Store and custom) that the user has installed. <br/> |Yes |

+|Apps used <br/> |The number of unique apps (across Store and custom) that the user has opened and/or used. <br/> |Yes |

+|Apps used in a Team <br/> |The number of unique apps (across Store and custom) that the user has opened and/or used in a Teams Team. <br/> |Yes |

+|Used on Windows <br/> | This indicates whether that user has used any app on Windows. <br/> |Yes |

+|Used on Mobile <br/> |This indicates whether that user has used any app on Mobile (iOS or Android). <br/> |Yes |

+|Used on Web <br/> | This indicates whether that user has used any app on Web. <br/> |Yes |

+|Used on Mac <br/> |This indicates whether that user has used any app on Mac. <br/>|No |

+|||

+## Managing apps in the Teams Admin Center

+For more information about how to manage your Teams apps, please refer to [About apps in Microsoft Teams](/microsoftteams/deploy-apps-microsoft-teams-landing-page.md).

+To link an app in this report to the Manage Apps experience in Teams Admin Center, you can use the following:

+- App Name

+- External App ID

+External App IDs are equivalent to the ID in the Manage apps page for Store apps. For custom apps, to view External App ID in the Manage Apps page, follow the instructions on [Manage apps setup policies in Microsoft Teams](/microsoftteams/teams-app-setup-policies) to add the column in the column settings. You can also view it on the app details page for a custom app

+

+- Use Exchange Online PowerShell. See this blog post for instructions: [Create Shared Mailboxes with Same Alias at Different Domains](https://blog.quadrotech-it.com/blog/create-shared-mailboxes-with-same-alias-at-different-domains-in-office-365/)

+>

+> - You can't reduce the number of licenses for your subscription if all licenses are currently assigned to users. To reduce the number of licenses, first [unassign one or more licenses from users](../../admin/manage/remove-licenses-from-users.md), then remove the licenses from the subscription.

+> - If you bought your subscription through a Microsoft Representative, contact them directly for help with reducing your license count.

+description: "A Microsoft Purview classifier is a tool you can train to recognize various types of content by giving it samples to look at. This article shows you how to create and train a custom classifier and how to retrain them to increase accuracy."

+A Microsoft Purview trainable classifier is a tool you can train to recognize various types of content by giving it samples to look at. Once trained, you can use it to identify item for application of Office sensitivity labels, Communications compliance policies, and retention label policies.

+1. Collect between 50-500 seed content items. These must be only samples that strongly represent the type of content you want the trainable classifier to positively identify as being in the category. See, [Default crawled file name extensions and parsed file types in SharePoint Server](/sharepoint/technical-reference/default-crawled-file-name-extensions-and-parsed-file-types) for the supported file types.

+Categorizaing and labeling content so it can be protected and handled properly is the starting place for the information protection discipline. Microsoft Purview has three ways to classify content.

+Manual categorizing requires human judgment and action. Users and admins categorize content as they encounter it. You can use either use the pre-existing labels and sensitive information types or use custom created ones. You can then protect the content and manage its disposition.

+These categorization mechanisms includes finding content by:

+This categorization method is well suited to content that isn't easily identified by either the manual or automated pattern-matching methods. This method of categorization is more about using a classifier to identify an item based on what the item is, not by elements that are in the item (pattern matching). A classifier learns how to identify a type of content by looking at hundreds of examples of the content you're interested in indentifying.

+- **custom trainable classifiers** - If you have content identification and categorization needs that extend beyond what the pre-trained classifiers cover, you can create and train your own classifiers.

+Microsoft Purview comes with multiple pre-trained classifiers:

+|Deleted quarantine message|QuarantineDelete|An Admin or user deleted an email message that was deemed to be harmful.|

+|Exported quarantine message|QuarantineExport|An Admin or user exported an email message that was deemed to be harmful.|

+|Previewed quarantine message|QuarantinePreview|An Admin or user previewed an email message that was deemed to be harmful.|

+|Released quarantine message|QuarantineRelease|An Admin or user released an email message from quarantine that was deemed to be harmful.|

+|Viewed quarantine message's header|QuarantineViewHeader|An Admin or user viewed the header an email message that was deemed to be harmful.|

+|Release request quarantine message|QuarantineReleaseRequest|A user requested the release of an email message that was deemed to be harmful.|

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- password

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+Patterns of Hex encoded 128-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present won't be matched.

+- tier3

+- Patterns of Hex encoded 128-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present won't be matched.

+- tier3

+- Patterns of Base64 encoded 192-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present won't be matched.

+- tier3

+This SIT is designed to match the security information that's used to provide access to administrative resources for [Azure COSMOS Database](/azure/cosmos-db/secure-access-to-data) accounts.

+- Patterns of Base64 encoded 512-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present won't be matched.

+- tier3

+- Patterns of Hex encoded 128-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present won't be matched.

+- tier3

+- tier3

+- Patterns of Base32 encoded 256-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present won't be matched.

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+A combination of 44-characters consisting of letters, digits, and special characters ending with and equals sign that isn't part of the pattern.

+- ends with an equal sign (=) that isn't part of the pattern.

+- Patterns of Base64 encoded 256-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present won't be matched.

+- tier3

+Patterns of URL Encoded 256-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present won't be matched.

+- tier3

+- Patterns of Base64 encoded 512-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present will not be matched.

+- tier3

+- Patterns of Base64 URL encoded 256-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present will not be matched.

+- tier3

+- tier3

+- Patterns of Base64 encoded 256-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present will not be matched.

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- tier3

+- csv

+| Viva Learning | Australia |

+The Page Diagnostics for SharePoint tool is a browser extension for the new Microsoft Edge (https://www.microsoft.com/edge) and Chrome browsers that analyzes both SharePoint Online modern portal and classic publishing site pages.

+> [!IMPORTANT]

+> This tool only works for SharePoint Online, and canΓÇÖt be used on a SharePoint system page or on a SharePoint App page. The App page type is designed to be used for specific business applications within SharePoint Online and not for portals. The tool is designed to optimize portal pages and Teams site pages.

+[Use the Office 365 Content Delivery Network (CDN) with SharePoint Online](use-microsoft-365-cdn-with-spo.md)

+- You added a Microsoft 365 system account as a team owner to all teams you want to map.</br> [Create this account in Microsoft 365](/microsoft-365/admin/add-users/add-users) and assign it a Microsoft 365 license. Then, add the account as a team owner to all teams that you want to map. The Shifts connector uses this account when syncing Shifts changes from Blue Yonder WFM.

+- You added a Microsoft 365 system account as a team owner to all teams you want to map.</br> [Create this account in Microsoft 365](/microsoft-365/admin/add-users/add-users) and assign it a Microsoft 365 license. Then, add the account as a team owner to all teams that you want to map. The Shifts connector uses this account when syncing Shifts changes from UKG Dimensions.

+With your WFM system as the system of record, your frontline workers can efficiently manage their schedules and availability in Shifts on their devices. Frontline managers can continue to use your WFM system to set up schedules.

+ For a complete list of error messages and how to resolve them, see [List of error messages](#list-of-error-messages) later in this article.

+## List of error messages

+Here's the list of error messages that you may encounter and information to help you resolve them.

+|Error type |Error details |Resolution |

+||||

+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or Update-CsTeamsShiftConnectionInstance cmdlet.</li><li>Use [this PowerShell script](shifts-connector-powershell-manage.md#change-connection-settings).</li></ul>|

+|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.|

+|Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](shifts-connector-powershell-manage.md#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.|

+|Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If youΓÇÖve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|

+| |This team is already mapped to an existing connector instance. |Unmap the team from the existing connection by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|

+| |This timezone is invalid. The timezone passed in is not using tz database format.|Make sure that the time zone is correct, and then remap the team.|

+| |We can't find this connector instance.|Map the team to an existing connection.|

+| |This AAD team couldn't be found.|Make sure that the team exists or create a new team.|

+With Blue Yonder WFM as the system of record, your frontline workers can efficiently manage their schedules and availability in Shifts on their devices. Frontline managers can continue to use Blue Yonder WFM to set up schedules.

+## Manage your connection

+After a connection is set up, you can manage and make changes to it in the Microsoft 365 admin center or by using PowerShell.

+### Use the Microsoft 365 admin center

+The Connector Management page lists each connection that you've set up, along with information such as health status and sync interval details. You can also access the wizard to make changes to any of your connections. For example, you can update sync settings and team mappings.

+To learn more, see [Use the Microsoft 365 admin center to manage your Shifts connection to Blue Yonder Workforce Management](shifts-connector-blue-yonder-admin-center-manage.md).

+### Use PowerShell

+You can use PowerShell to view an error report, change connection settings, disable sync, and more. For step-by-step guidance, see [Use PowerShell to manage your Shifts connection to Blue Yonder Workforce Management](shifts-connector-powershell-manage.md).

+> [!NOTE]

+> For a complete list of error messages, see [List of error messages](#list-of-error-messages) later in this article.

+## List of error messages

+Here's the list of error messages that you may encounter and information to help you resolve them.

+|Error type |Error details |Resolution |

+||||

+|Unable to authenticate workforce management system.|The workforce management system account credentials you've provided are invalid or this account doesn't have the required permissions.|Update your WFM service account credentials in the connection settings. To do this, do one of the following:<ul><li>In the Microsoft 365 admin center, choose **Edit** on the Connector Management page or the connection details page to go to the Shifts connector wizard.</li><li>Use the [Set-CsTeamsShiftsConnectionInstance](/powershell/module/teams/set-csteamsshiftsconnectioninstance) or Update-CsTeamsShiftConnectionInstance cmdlet.</li><li>Use [this PowerShell script](#change-connection-settings).</li></ul>|

+|Unable to authenticate Graph. |Authentication failed. Ensure that you've entered valid credentials for the designated actor and have the required permissions.|Make sure that your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br> Or, update your Microsoft 365 system account credentials in the connection settings.|

+|Some users have failed to map correctly|Mapping failed for some users: \<X\> succeeded, \<X\> failed AAD user(s) and \<X\> failed workforce management system user(s).|Use the [Get-CsTeamsShiftsConnectionSyncResult](/powershell/module/teams/get-csteamsshiftsconnectionsyncresult) cmdlet or [this PowerShell script](#user-mapping-errors) to identify the users for whom the mapping failed. Make sure that the users in the mapped team match the users in the WFM instance.|

+|Unable to map a team or teams in this batch. |This designated actor profile doesn't have team ownership privileges. |Make sure your Microsoft 365 system account (also known as designated actor) is added as a team owner.<br>If youΓÇÖve changed your Microsoft 365 system account, add that account as a team owner, and update the connection settings to use that account.|

+| |This team is already mapped to an existing connector instance. |Unmap the team from the existing connection by using the [Remove-CsTeamsShiftsConnectionTeamMap](/powershell/module/teams/remove-csteamsshiftsconnectionteammap) cmdlet. Or, create a new connection to remap the team.|

+| |This timezone is invalid. The timezone passed in is not using tz database format.|Make sure that the time zone is correct, and then remap the team.|

+| |We can't find this connector instance.|Map the team to an existing connection.|

+| |This AAD team couldn't be found.|Make sure that the team exists or create a new team.|

+With UKG Dimensions as the system of record, your frontline workers can efficiently manage their schedules and availability in Shifts on their devices. Frontline managers can continue to use UKG Dimensions to set up schedules.

+## Manage your connection

+After a connection is set up, you can manage and make changes to it in the Microsoft 365 admin center or by using PowerShell.

+### Use the Microsoft 365 admin center

+The Connector Management page lists each connection that you've set up, along with information such as health status and sync interval details. You can also access the wizard to make changes to any of your connections. For example, you can update sync settings and team mappings.

+To learn more, see [Use the Microsoft 365 admin center to manage your Shifts connection to UKG Dimensions](shifts-connector-ukg-admin-center-manage.md).

+### Use PowerShell

+You can use PowerShell to view an error report, change connection settings, disable sync, and more. For step-by-step guidance, see [Use PowerShell to manage your Shifts connection to UKG Dimensions](shifts-connector-ukg-powershell-manage.md).

+The Connector Management page lists each connection that you've set up, along with information such as health status and sync interval details. You can also access the wizard to make changes to any of your connections. For example, you can update sync settings and team mappings.

+<!--USGovGCCHigh endpoints version 2022092900-->

+<!--File generated 2022-09-30 08:00:04.2160-->

+\* Either Granular Delegated Admin Privileges (GDAP or a Delegated Admin Privileges (DAP) relationship is required to onboard customers to Lighthouse. An indirect reseller relationship is no longer required to onboard to Lighthouse. If DAP and GDAP coexist in a customer tenant, GDAP permissions take precedence for MSP technicians in GDAP-enabled security groups.

+### [Microsoft defender for endpoint demonstrations]()

+#### [Microsoft Defender for Endpoint demonstration scenarios](defender-endpoint-demonstrations.md)

+#### [App reputation demonstrations](defender-endpoint-demonstration-app-reputation.md)

+#### [Attack surface reduction rules demonstrations](defender-endpoint-demonstration-attack-surface-reduction-rules.md)

+#### [Block at First Sight \(BAFS\) demonstration)](defender-endpoint-demonstration-block-at-first-sight-bafs.md)

+#### [Cloud-delivered protection demonstration](defender-endpoint-demonstration-cloud-delivered-protection.md)

+#### [Controlled folder access \(CFA\) demonstration test tool](defender-endpoint-demonstration-controlled-folder-access-test-tool.md)

+#### [Controlled folder access \(CFA\) demonstration](defender-endpoint-demonstration-controlled-folder-access.md)

+#### [Exploit protection \(EP\) demonstrations](defender-endpoint-demonstration-exploit-protection.md)

+#### [Network protection demonstration](defender-endpoint-demonstration-network-protection.md)

+#### [Potentially unwanted applications \(PUA\) demonstration](defender-endpoint-demonstration-potentially-unwanted-applications.md)

+#### [URL reputation demonstrations](defender-endpoint-demonstration-smartscreen-url-reputation.md)

+## Audit Antivirus Exclusions

+Exchange has supported integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. It is highly recommended to ensure these updates are installed and AMSI is working using the guidance provided by the Exchange Team as this integration will allow the best ability for Defender Antivirus to detect and block exploitation of Exchange.

+Many organizations exclude the Exchange directories from antivirus scans for performance reasons. Microsoft recommendeds to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance in your environment to ensure the highest level of protection. Exclusions can managed by using Group Policy, PowerShell, or systems management tools like Microsoft Endpoint Configuration Manager.

+To audit AV exclusions on an Exchange Server running Defender Antivirus, run the **Get-MpPreference** command from an elevated PowerShell prompt.

+If exclusions cannot be removed for the Exchange processes and folders, running a Quick Scan in Defender Antivirus will scan the Exchange directories and files, regardless of exclusions.

+ Title: Microsoft Defender for Endpoint SmartScreen app reputation demonstration

+description: Test how Microsoft Defender for Endpoint SmartScreen helps you identify phishing and malware websites

+keywords: Microsoft Defender for Endpoint, phishing website, malware website, app reputation,

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# SmartScreen app reputation demonstration

+Test how Microsoft Defender for Endpoint SmartScreen helps you identify phishing and malware websites based on App reputation.

+## Scenario requirements and setup

+- Windows 10

+- Internet Explorer or Microsoft Edge browser required

+- To turn ON/OFF, go to **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **App & browser control** > **Check apps and files**

+## Scenario Demos

+### Known good program

+This program has a good reputation; the download should run uninterrupted:

+- [Known good program download](https://demo.smartscreen.msft.net/download/known/freevideo.exe)

+ <!-- Hide {this intro with no subsequent list items} [Replace this link when new/updated source becomes available] -->

+ Launching this link should render a message similar to the following:

+ :::image type="content" source="images/smartscreen-app-reputation-known-good.png" alt-text="Based on the target file's reputation, SmartScreen allows the download without interference.":::

+### Unknown program

+Because the program download doesn't have sufficient reputation to ensure that it's trustworthy, SmartScreen will show a warning before running the program download.

+- [Unknown program](https://demo.smartscreen.msft.net/download/unknown/freevideo.exe)

+ <!-- Hide {this intro with no subsequent list items} [Replace this link when new/updated source becomes available] -->

+

+ Launching this link should render a message similar to the following:

+ :::image type="content" source="images/smartscreen-app-reputation-unknown.png" alt-text="SmartScreen doesn't have sufficient reputation information about the download file, and warns the user to stop or proceed with caution.":::

+### Known malware

+This download is known malware; SmartScreen should block this program from running.

+- [Known malware](https://demo.smartscreen.msft.net/download/known/knownmalicious.exe)

+ <!-- Hide {this intro with no subsequent list items} [Replace this link when new/updated source becomes available] -->

+ Launching this link should render a message similar to the following:

+ :::image type="content" source="images/smartscreen-app-reputation-known-malware.png" alt-text="SmartScreen detects a file download with an unsafe reputation.; the download is blocked.":::

+## Learn more

+[Microsoft Defender SmartScreen Documentation](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md)

+## See also

+[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)

+ Title: Microsoft Defender for Endpoint attack surface reduction rules demonstrations

+description: See how attack surface reduction rules block various known threat types.

+keywords: Microsoft Defender for Endpoint demonstration, attack surface reduction rules demonstration, ASR rules, demonstration

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# Attack surface reduction rules demonstrations

+Attack Surface Reduction (ASR) rules target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:

+- Executable files and scripts used in Office apps or web mail that attempt to download or run files

+- Scripts that are obfuscated or otherwise suspicious

+- Behaviors that apps undertake that aren't inititated during normal day-to-day work

+## Scenario requirements and setup

+- Windows 10 1709 build 16273

+- Windows 10 1803 build (1803 rules)

+- Microsoft Defender AV

+- Microsoft Office (required for Office rules and sample)

+- [Download ASR PowerShell scripts](https://demo.wd.microsoft.com/Content/WindowsDefender_ASR_scripts.zip)

+## PowerShell commands

+```powershell

+Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Enabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions AuditMode

+Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions AuditMode

+```

+### States

+- Enabled = Block mode (1)

+- AuditMode = Audit Mode (2)

+- Disabled = Off (0)

+### Verify configuration

+- Get-MpPreference

+## Test files

+Note - some test files have multiple exploits embedded and will trigger multiple rules

+| Rule name | Rule GUID | Windows version |

+|:|:|:|

+| Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | 1709 |

+| [Block Office applications from creating child processes](https://demo.wd.microsoft.com/Content/TestFile_OfficeChildProcess_D4F940AB-401B-4EFC-AADC-AD5F3C50688A.docm) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | 1709 |

+| [Block Office applications from creating executable content](https://demo.wd.microsoft.com/Content/TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm) | 3B576869-A4EC-4529-8536-B80A7769E899 | 1709 |

+| Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | 1709 |

+| [Impede JavaScript and VBScript to launch executables](https://demo.wd.microsoft.com/Content/TestFile_Impede_JavaScript_and_VBScript_to_launch_executables_D3E037E1-3EB8-44C8-A917-57927947596D.js) | D3E037E1-3EB8-44C8-A917-57927947596D | 1709 |

+| Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | 1709 |

+| [Block Win32 imports from Macro code in Office](https://demo.wd.microsoft.com/Content/Block_Win32_imports_from_Macro_code_in_Office_92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B.docm) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | 1709 |

+|[{Block Process Creations originating from PSExec & WMI commands](https://demo.wd.microsoft.com/Content/TestFile_PsexecAndWMICreateProcess_D1E49AAC-8F56-4280-B9BA-993A6D77406C.vbs) | D1E49AAC-8F56-4280-B9BA-993A6D77406C | 1803 |

+| [Block Execution of untrusted or unsigned executables inside removable USB media](https://demo.wd.microsoft.com/Content/UNSIGNED_ransomware_test_exe.exe) | B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 | 1803 |

+| Aggressive Ransomware Prevention | C1DB55AB-C21A-4637-BB3F-A12568109D35 | 1803 |

+| Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-CD74-433A-B99E-2ECDC07BFC25 | 1803 |

+| Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | 1803 |

+## Scenarios

+### Setup

+Download and run this [setup script](https://demo.wd.microsoft.com/Content/ASR_SetupScript.zip). Before running the script set execution policy to Unrestricted using this PowerShell command: Set-ExecutionPolicy Unrestricted

+You can perform these manual steps instead:

+1. Create a folder under c: named demo, "c:\demo"

+2. Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into c:\demo (we need something to encrypt)

+3. Enable all rules using the powershell commands above.

+### Scenario 1: ASR blocks a test file with multiple vulnerabilities

+1. Enable all rules in block mode using the PowerShell commands above (you can copy paste all)

+2. Download and open any of the test file/documents linked above, enable editing and content if prompted.

+#### Scenario 1 expected results

+You should immediately see an "Action blocked" notification.

+### Scenario 2: ASR rule blocks the test file with the corresponding vulnerability

+1. Configure the rule you want to test using the PowerShell command from above.

+2. Example: Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

+3. Download and open the test file/document for the rule you want to test linked above, enable editing and content if prompted

+4. Example: [Block Office applications from creating child processes](https://demo.wd.microsoft.com/Content/ransomware_testfile_doc.docm) D4F940AB-401B-4EFC-AADC-AD5F3C50688A

+#### Scenario 2 expected results

+You should immediately see an "Action blocked" notification.

+### Scenario 3 (1803): ASR rule blocks unsigned USB content from executing

+1. Configure the rule for USB protection (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4).

+```powershell

+Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled

+```

+3. Download the file and put it on a USB stick and execute it [Block Execution of untrusted or unsigned executables inside removable USB media](https://demo.wd.microsoft.com/Content/UNSIGNED_ransomware_test_exe.exe)

+#### Scenario 3 expected results

+You should immediately see an "Action blocked" notification.

+### Scenario 4: What would happen without ASR

+1. Turn off all ASR rules using PowerShell commands below in the cleanup section

+2. Download any test file/document linked above, enable editing and content if prompted

+#### Scenario 4 expected results

+- The files in c:\demo will be encrypted and you should get a warning message

+- Execute the test file again to decrypt the files

+## Clean-up

+Download and run this [clean-up script](https://demo.wd.microsoft.com/Content/ASR_CFA_CleanupScript.zip)

+Alternately, you can perform these manual steps:

+```powershell

+Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions Disabled

+```

+Cleanup c:\demo encryption run the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe)

+## See also

+[Attack surface reduction rules deployment guide](attack-surface-reduction-rules-deployment.md)

+[Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md)

+[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)

+ Title: Microsoft Defender for Endpoint Block at First Sight (BAFS) demonstration

+description: A demonstration that shows how Block at First Sight detects and blocks new malware within seconds.

+keywords: Microsoft Defender for Endpoint, cloud-delivered protection, detect malware, block malware, demonstration

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# Block at First Sight (BAFS) demonstration

+Block at First Sight, is a feature of Microsoft Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. You can test that it is working as expected by downloading a fake malware file.

+## Scenario requirements and setup

+- Windows 10 Anniversary update (1607) or later

+- Cloud protection enabled

+- You can [download and use the Powershell script](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/) to enable this setting and others

+- Note: You should see your browser ask to save this file in a few seconds.

+### Test BAFS

+- Click the create and download new file button

+- You should see the browser scanning the file, followed by an antivirus block notification.

+- [Create & download new file!](https://demowdtestground.blob.core.windows.net/samples/ztp_xzXLX_s1H8MsxK2SRlsjmzaH62cOZEaqtstGsOw/wdtestfile.exe?sv=2015-07-08&sr=b&sig=7JNcGzAYWEinuWKNmjoC6tDmEjGZMQj8rAEF9HIzJdE%3D&se=2022-09-30T18%3A29%3A28Z&sp=r)

+## See also

+[Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)

+[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)

+ Title: Microsoft Defender for Endpoint Cloud-delivered protection demonstration

+description: See how Cloud-delivered protection can automatically detect and delete malicious files.

+keywords: Microsoft Defender for Endpoint, Microsoft Defender ATP, virus protection, virus detection, virus deletion,

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# Cloud-delivered protection demonstration

+Cloud-delivered protection for Microsoft Defender Antivirus, also referred to as Microsoft Advanced Protection Service (MAPS), provides you with strong, fast protection in addition to our standard real-time protection.

+## Scenario requirements and setup

+- Windows 7, Windows 8.1 & Windows 10

+- Microsoft Defender Real-time protection is enabled

+- Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies. For more information, see [Enable cloud-delivered protection in Microsoft Defender Antivirus](/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus?ocid=wd-av-demo-cloud-middle).

+- You can also download and use the [PowerShell script](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/) to enable this setting and others on Windows 10.

+### Scenario

+1. Download the [test file](https://aka.ms/ioavtest). Important: The test file isn't malicious, it's just a harmless file simulating a virus.

+2. If you see file blocked by Microsoft Defender SmartScreen, select on "View downloads" button.

+ :::image type="content" source="images/cloud-delivered-protection-smartscreen-block.png" alt-text="SmartScreen blocks an unsafe download, and provides a button to select to view the **Downloads** list details.":::

+3. In Downloads menu right select on the blocked file and select on **Download unsafe file**.

+ :::image type="content" source="images/cloud-delivered-protection-smartscreen-block-view-downloads.png" alt-text="Lists the download as unsafe, but provides an option to proceed with the download":::

+4. You should see that "Microsoft Defender Antivirus" found a virus and deleted it.

+ > [!NOTE]

+ >

+ > In some cases, you might also see **Threat Found** notification from Microsoft Defender Security Center.

+ :::image type="content" source="images/cloud-delivered-protection-smartscreen-threat-found-notification.png" alt-text="Microsoft Defender Antivirus Threats found notification provides options to get details":::

+5. If the file executes, or if you see that it was blocked by Microsoft Defender SmartScreen, cloud-delivered protection isn't working. For more information, see [Configure and validate network connections for Microsoft Defender Antivirus](/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus?ocid=wd-av-demo-cloud-middle).

+## See also

+[Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus?ocid=wd-av-demo-cloud-bottom)

+[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)

+ Title: Microsoft Defender for Endpoint Controlled folder access (CFA) demonstration test tool

+description: See how malicious apps and threats are evaluated and countered by Microsoft Defender Antivirus.

+keywords: Microsoft Defender for Endpoint, protected folder access blocked, detect suspicious files, detect suspicious apps,

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# Controlled folder access (CFA) demonstration test tool (block script)

+Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Microsoft Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.

+## Scenario requirements and setup

+- Windows 10 1709 build 16273

+- Microsoft Defender Antivirus (active mode)

+## PowerShell commands

+```powershell

+Set-MpPreference -EnableControlledFolderAccess <State>

+```

+States:

+- Enabled = Block mode (1)

+- AuditMode = Audit Mode (2)

+- Disabled = Off (0)

+### Verify configuration

+```powershell

+Get-MpPreference

+```

+## Scenario

+### Setup

+Download and run this [setup script](https://demo.wd.microsoft.com/Content/CFA_SetupScript.zip). Before running the script set execution policy to Unrestricted using this PowerShell command: Set-ExecutionPolicy Unrestricted

+You can perform these manual steps instead:

+1. Turn on CFA using powershell command: Set-MpPreference -EnableControlledFolderAccess Enabled

+2. Download the CFA [test tool](https://demo.wd.microsoft.com/Content/CFAtool.exe)

+3. Execute the PowerShell commands above

+## Scenario: Use the CFA test tool to simulate an untrusted process writing to a protected folder

+1. Launch CFA test tool

+2. Select the desired folder and create file

+- You can find more information [here](/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md)

+## Clean-up

+Download and run this [cleanup script](https://demo.wd.microsoft.com/Content/ASR_CFA_CleanupScript.zip). You can perform these manual steps instead:

+- Set-MpPreference -EnableControlledFolderAccess Disabled

+## See also

+[Controlled folder access](/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)

+ Title: Microsoft Defender for Endpoint Controlled folder access (CFA) demonstrations

+description: Demonstrates how Controlled Folder Access protects valuable data from malicious apps and threats, such as ransomware.

+keywords: Microsoft Defender for Endpoint, Controlled folder access protection, Controlled folder access demonstration

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# Controlled folder access (CFA) demonstrations (block ransomware)

+Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Microsoft Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.

+## Scenario requirements and setup

+- Windows 10 1709 build 16273

+- Microsoft Defender Antivirus (active mode)

+## PowerShell commands

+- Set-MpPreference -EnableControlledFolderAccess (State)

+- Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\

+States

+- Enabled = Block mode (1)

+- AuditMode = Audit Mode (2)

+- Disabled = Off (0)

+## Verify configuration

+Get-MpPreference

+## Test file

+[CFA ransomware test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe)

+## Scenarios

+### Setup

+Download and run this [setup script](https://demo.wd.microsoft.com/Content/CFA_SetupScript.zip). Before running the script set execution policy to Unrestricted using this PowerShell command: Set-ExecutionPolicy Unrestricted

+You can perform these manual steps instead:

+1. Create a folder under c: named demo, "c:\demo"

+2. Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into c:\demo (we need something to encrypt)

+3. Execute PowerShell commands above

+### Scenario 1: CFA blocks ransomware test file

+1. Turn on CFA using PowerShell command: Set-MpPreference -EnableControlledFolderAccess Enabled

+2. Add the demo folder to protected folders list using PowerShell command: Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\

+3. Download the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe)

+4. Execute the ransomware test file *this isn't ransomware, it simple tries to encrypt c:\demo

+#### Scenario 1 expected results

+5 seconds after executing the ransomware test file you should see a notification CFA blocked it

+### Scenario 2: What would happen without CFA

+1. Turn off CFA using this PowerShell command: Set-MpPreference -EnableControlledFolderAccess Disabled

+2. Execute the ransomware [test file](https://demo.wd.microsoft.com/Content/ransomware_testfile_unsigned.exe)

+#### Scenario 2 expected results

+- The files in c:\demo will be encrypted and you should get a warning message

+- Execute the ransomware test file again to decrypt the files

+## Clean-up

+Download and run this [cleanup script](https://demo.wd.microsoft.com/Content/ASR_CFA_CleanupScript.zip). You can perform these manual steps instead:

+- Set-MpPreference -EnableControlledFolderAccess Disabled

+- Cleanup c:\demo encryption run the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe)

+## See also

+[Controlled folder access](/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard?ocid=wd-av-demo-cfa-bottom)

+ Title: Microsoft Defender for Endpoint Exploit protection (EP) demonstrations

+description: See how Exploit Protection automatically applies many exploit mitigation settings system wide and on individual apps.

+keywords: Microsoft Defender for Endpoint, system exploit protection, Enhanced Mitigation Experience Toolkit (EMET), demonstration

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# Exploit protection (EP) demonstrations

+Exploit Protection automatically applies exploit mitigation settings system wide and on individual apps. Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection.

+## Scenario requirements and setup

+- Windows 10 1709 build 16273

+PowerShell command

+- Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml

+- Set-ProcessMitigation ΓÇôhelp

+Verify configuration

+- Get-ProcessMitigation

+### Sample xml file

+[EP xml config file](https://demo.wd.microsoft.com/Content/ProcessMitigation.xml?) (right select, "save target as")

+## Scenario

+### Scenario 1: Convert EMET xml to Exploit Protection settings

+1. Convert EMET to xml, run PowerShell command: ConvertTo-ProcessMitigationPolicy

+2. Apply settings, run PowerShell command: Set-ProcessMitigation -PolicyFilePath *use the XML from the prior step*

+3. Confirm settings were applied, run PowerShell command: Get-ProcessMitigation

+4. Review the event log for application compatibility

+### Scenario 2: Apply selfhost xml to Exploit Protection settings

+1. Download our EP xml config file (right select, "save target as") or use your own

+2. Apply settings, run PowerShell command: Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml

+3. Confirm settings were applied, run PowerShell command: Get-ProcessMitigation

+4. Review the event log for application compatibility

+## See also

+[Exploit Protection](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard?ocid=wd-av-demo-ep-bottom)

+[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)

+ Title: Microsoft Defender for Endpoint Network protection demonstrations

+description: Shows how Network protection prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

+keywords: network protection, protect against phishing scams, protect against exploits, protect against malicious content, demonstration

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# Network protection demonstrations

+Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

+## Scenario requirements and setup

+- Windows 10 1709 build 16273

+- Microsoft Defender Antivirus

+## PowerShell command

+Set-MpPreference -EnableNetworkProtection Enabled

+### States

+- Enabled = Block mode (1)

+- AuditMode = Audit Mode (2)

+- Disabled = Off (0)

+## Verify configuration

+Get-MpPreference

+## Scenario

+1. Turn on Network Protection using powershell command: Set-MpPreference -EnableNetworkProtection Enabled

+2. Using the browser of your choice (not Edge*), navigate to the [Network Protection website test](https://smartscreentestratings2.net/) (Edge has other security measures in place to protect from this vulnerability(smartscreen))

+## Expected results

+Navigation to the website should be blocked and you should see a "Connection blocked" notification.

+## Clean-up

+Set-MpPreference -EnableNetworkProtection Disabled

+## See also

+[Network Protection](network-protection.md)

+[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)

+ Title: Microsoft Defender for Endpoint Potentially unwanted applications (PUA) demonstration

+description: Demonstration to show how the Potentially Unwanted Applications (PUA) protection feature can identify and block PUAs from downloading and installing on endpoints.

+keywords: Microsoft Defender for Endpoint, potentially unwanted applications, (PUA), harmful application protection, demonstration

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# Potentially unwanted applications (PUA) demonstration

+The Potentially Unwanted Applications (PUA) protection feature in Microsoft Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use.

+## Scenario requirements and setup

+- Windows 10

+- Enable PUA protection. See the [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) article for more information.

+- You can also [download and use the PowerShell script](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/) to enable this setting and others.

+## Scenario

+1. Go to [http://www.amtso.org/feature-settings-check-potentially-unwanted-applications/](http://www.amtso.org/feature-settings-check-potentially-unwanted-applications/)

+2. Click "Download the Potentially Unwanted Application ΓÇÿtestΓÇÖ file" link

+3. After downloading the file, it is automatically blocked and prevented from running.

+## See also

+[Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)

+[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)

+ Title: Microsoft Defender for Endpoint SmartScreen URL reputation demonstrations

+description: Demonstrates how Microsoft Defender SmartScreen identifies phishing and malware websites based on URL reputation.

+keywords: Microsoft Defender for Endpoint, website phishing protection, website malware protection, URL reputation, demonstration,

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# URL reputation demonstrations

+Test how Microsoft Defender SmartScreen helps you identify phishing and malware websites based on URL reputation.

+Scenario requirements and setup

+- Windows 10 or 11

+- Microsoft Edge browser required

+- For more information, see [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)

+## SmartScreen for Microsoft Edge URL scenario demonstrations

+### Is This Phishing?

+Alerts the user to a suspicious page and ask for feedback:

+- [Is this Phishing?](https://demo.smartscreen.msft.net/other/areyousure.html)

+ Launching this link should render a message similar to the following screenshot:

+ :::image type="content" source="images/smartscreen-url-reputation-is-this-phishing.png" alt-text="SmartScreen alerts the user the site is potentially a phishing site and possibly unsafe":::

+### Phishing Page

+A page known for phishing that should be blocked:

+- [A known Phishing page](https://demo.smartscreen.msft.net/phishingdemo.html)

+ Launching this link should render a message similar to the following example:

+ :::image type="content" source="images/smartscreen-url-reputation-this-is-phishing.png" alt-text="SmartScreen reports the site is known for containing phishing threats":::

+### Malware page

+A page that hosts malware and should be blocked:

+- [A known malware page](https://demo.smartscreen.msft.net/other/malware.html)

+ Launching this link should render a message similar to the following screenshot:

+ :::image type="content" source="images/smartscreen-url-reputation-malware-page.png" alt-text="SmartScreen alerts the user that the site is know for containing harmful programs":::

+### Blocked download

+Blocked from downloading because of its URL reputation

+- [Download blocked due to URL reputation](https://demo.smartscreen.msft.net/download/malwaredemo/freevideo.exe)

+ Launching this link should render a message similar to the Malware page message.

+### Exploit page

+A page that attacks a browser vulnerability

+- [Known browser exploit page](https://demo.smartscreen.msft.net/other/exploit.html)

+ Launching this link should render a message similar to the Malware page message.

+### Malvertising

+A benign page hosting a malicious advertisement

+- [A page known to contain malicious advertisements](https://demo.smartscreen.msft.net/other/exploit_frame.html)

+ Launching this link should render a message similar to the following screenshot:

+ :::image type="content" source="images/smartscreen-url-reputation-malvertising.png" alt-text="A demonstration of how SmartScreen responds to a frame on a page that is detected to be malicious. Only the malicious frame is blocked":::

+## See also

+[Microsoft Defender SmartScreen Documentation](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)

+[Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)

+ Title: Microsoft Defender for Endpoint demonstration scenarios

+description: Lists Microsoft Defender for Endpoint demonstration scenarios that you can run.

+keywords: demonstration, Microsoft Defender for Endpoint demonstration, anti-Malware demonstration, Cloud-delivered protection, Block at First Sight (BAFS), Potentially unwanted applications (PUA)s, Microsoft security intelligence VDI, VDI security, Attack Surface Reduction (ASR) rules demonstration, Controlled folder access demonstration, Exploit Protection, Network Protection, Microsoft Defender SmartScreen, edge SmartScreen,

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: evaluation

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+# Microsoft Defender for Endpoint - demonstration scenarios

+The following demonstration scenarios will help you learn about the capabilities of Microsoft Defender for Endpoint on Windows (Mac and Linux are out of scope). Demonstration scenarios are provided for the following Microsoft Defender for Endpoint protection areas:

+- Attack surface protection (ASR)

+- Next Generation Protection (NGP)

+- Endpoint detection and response (EDR)

+> [!NOTE]

+> None of the sample files or _suspicious_ links provided in this collection are actually malicious; all links and demonstration files are harmless.

+>

+> We encourage you to read [Microsoft Defender Antivirus documentation](next-generation-protection.md), and to download the [Evaluation guide](evaluate-microsoft-defender-antivirus.md).

+## Demonstrations

+The following table lists the available demonstrations alphabetically, with their associated protection area.

+| # | Demonstration name | Protection area | Description |

+|:--|:|:|:|

+| 1 | [App reputation demonstration](defender-endpoint-demonstration-app-reputation.md) | NGP | Navigate to the app reputation page to see the demonstration scenario using Microsoft Edge. |

+| 2 | [Attack surface reduction rules demonstrations](defender-endpoint-demonstration-attack-surface-reduction-rules.md) | ASR | Download sample files to trigger each ASR rule. |

+| 3 | [Block at First Sight (BAFS) demonstration](defender-endpoint-demonstration-block-at-first-sight-bafs.md) | NGP | With the BAFS feature in Microsoft Defender Antivirus, newly discovered files are analyzed and - if needed - blocked. |

+| 4 | [Cloud-delivered protection demonstration](defender-endpoint-demonstration-cloud-delivered-protection.md) | NGP | Confirm that cloud-delivered protection is working properly on your computer. |

+| 5 | [Controlled folder access (CFA) demonstration (block script)](defender-endpoint-demonstration-controlled-folder-access-test-tool.md) | ASR | Download the CFA test tool. |

+| 6 | [Controlled folder access (CFA) demonstrations (block ransomware)](defender-endpoint-demonstration-controlled-folder-access.md) | ASR | Download and execute a sample file to trigger CFA ransomware protection. |

+| 7 | [Exploit protection (EP) demonstrations](defender-endpoint-demonstration-exploit-protection.md) | ASR | Apply custom exploit protection settings. |

+| 8 | [Network protection demonstrations](defender-endpoint-demonstration-network-protection.md) | ASR | Navigate to a suspicious URL to trigger network protection. |

+| 9 | [Potentially unwanted applications (PUA) demonstration](defender-endpoint-demonstration-potentially-unwanted-applications.md) | NGP | Confirm that potentially unwanted applications (PUAs) are being blocked on your network by downloading a fake (safe) PUA file. |

+| 10 | [URL reputation demonstrations](defender-endpoint-demonstration-smartscreen-url-reputation.md) | NGP | Navigate to the URL Reputation page to see the demonstration scenarios using Microsoft Edge. |

+## See also

+[Attack surface protection \(ASR\) overview](overview-attack-surface-reduction.md)

+[Test attack surface reduction rules](attack-surface-reduction-rules-deployment-test.md)

+[Next Generation Protection \(NGP\) overview](next-generation-protection.md)

+[Endpoint detection and response \(EDR\) overview](overview-endpoint-detection-response.md)

+[Microsoft Defender for Endpoint security blog](https://www.microsoft.com/security/blog/microsoft-defender-for-endpoint/)

+Microsoft 365 Defender can help detect malicious attachments delivered via email and security analysts can have visibility on threats coming in from Office 365, such as through email attachments.

+|Microsoft Defender for Office 365 remediation (Office content and email) |**Security Administrator** role assigned in either Azure AD ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> and <br/>**Search and Purge** role assigned in the Microsoft 365 Defender > [Email & collaboration roles](https://security.microsoft.com/emailandcollabpermissions) <br/><br/>**IMPORTANT**: If you have the **Security Administrator** role assigned only in the Microsoft 365 Defender > [Email & collaboration roles](https://security.microsoft.com/emailandcollabpermissions), you will not be able to access the Action center or Microsoft 365 Defender capabilities. You must have the Security Administrator role assigned in Azure AD or the Microsoft 365 admin center. <br/><br/>To learn more, see the following resources: <br/>- [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference)<br/>- [Permissions in the Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center) |

+ - Additional file types that you can select from in the Microsoft 365 Defender portal^\*: `7z, 7zip, a, accdb, accde, action, ade, adp, appxbundle, asf, asp, aspx, avi, bin, bundle, bz, bz2, bzip2, cab, caction, cer, chm, command, cpl, crt, csh, css, der, dgz, dmg, doc, docx, dot, dotm, dtox, dylib, font, gz, gzip, hlp, htm, html, imp, inf, ins, ipa, isp, its, jnlp, js, jse, ksh, lqy, mad, maf, mag, mam, maq, mar, mas, mat, mav, maw, mda, mdb, mde, mdt, mdw, mdz, mht, mhtml, mscompress, msh, msh1, msh1xml, msh2, msh2xml, mshxml, msixbundle, o, obj, odp, ods, odt, one, onenote, ops, package, pages, pbix, pdb, pdf, php, pkg, plugin, pps, ppsm, ppsx, ppt, pptm, pptx, prf, prg, ps1, ps1xml, ps2, ps2xml, psc1, psc2, pst, pub, py, rar, rpm, rtf, scpt, service, sh, shb, shtm, shx, so, tar, tarz, terminal, tgz, tool, url, vhd, vsd, vsdm, vsdx, vsmacros, vss, vssx, vst, vstm, vstx, vsw, workflow, ws, xhtml, xla, xlam, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, zi, zip, zipx`.

+ The common attachments filter uses best effort true-typing to detect the file type regardless of the filename extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.

+\** Calls, meetings, and chat in Teams do not conform to IP-based Conditional Access policies.

+If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [necessary permissions](#required-licenses-and-permissions), you have either **Explorer** or **Real-time detections** (formerly *Real-time reports* ΓÇö [see what's new](#new-features-in-threat-explorer-and-real-time-detections)!). Go to **Threat management**, and then choose **Explorer** _or_ **Real-time detections**.

+This does not impact any production tenants for both P1 and P2/E5 customers, which already have the 30 day data retention and search capabilities.

+- Allowed by user policy: A user creates policies at the mailbox level to allow domains or senders.

+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Threat management** > **Explorer** (or **Real-time detections**).

+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.)

+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.)

+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.)

+- For the Microsoft 365 Defender portal, you must have one of the following roles assigned:

+To enable this behavior, follow these steps:

+To enable this behavior, follow these steps:

+To enable this behavior, follow these steps: