-|Groups an admin can create|There are no Microsoft 365 group specific limits. There's an overall Azure AD object limit specific to each organization. An Azure AD admin who can manage groups in the organization can create an unlimited number of Microsoft 365 groups up to the Azure AD object limit. See [AAD service limits and restrictions](/active-directory/enterprise-users/directory-service-limits-restrictions).|

-The **Train a custom model** section shows the types of custom models you can create.

-

- - **Use a custom environment** to use a custom environment. Choose the environment that you want to use from the list. ([See the requirements for a custom environment](/microsoft-365/contentunderstanding/set-up-content-understanding#requirements)).

- - To establish GDAP security groups and add users, you'll need Global Administrator, User Administrator, or Groups Administrator to set up users with standing access to GDAP roles. You can assign these roles in Azure Active Directory (ADD).

- - To enable the just-in-time (JIT) Only tier, you'll need to have Global Administrator or a combination of User Administrator and Privilege Role Administrator.

-[Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) includes a wide range of capabilities to prevent, detect, investigate, and respond to advanced cyberthreats. As with any endpoint protection or antivirus solution, sometimes files, folders, or processes that aren't a threat can be detected as malicious by Defender for Endpoint or Microsoft Defender Antivirus. These entities can be blocked or sent to quarantine, even though theyΓÇÖre not actually a threat. You can take certain actions to prevent false positives and similar issues from occurring. These actions include:

-When youΓÇÖre dealing with false positives, or known entities that are generating alerts, you don't necessarily need to add an exclusion. Sometimes classifying and suppressing an alert is enough. We recommend submitting false positives (and false negatives) to Microsoft for analysis as well. The following table describes some scenarios and what steps to take with respect to file submissions, alert suppressions, and exclusions.

-| [Performance issues](troubleshoot-performance-issues.md) such as one of the following issues: <br/>- A system is having high CPU usage or other performance issues. <br/>- A system is having memory leak issues. <br/>- An app is slow to load on devices. <br/>- An app is slow to open a file on devices. | 1. [Collect diagnostic data](collect-diagnostic-data.md) for Microsoft Defender Antivirus. <br/><br/>2. If youΓÇÖre using a non-Microsoft antivirus solution, [check with the vendor for any needed exclusions](troubleshoot-performance-issues.md#check-with-vendor-for-antivirus-exclusions). <br/><br/>3. [Analyze the Microsoft Protection Log](troubleshoot-performance-issues.md#analyze-the-microsoft-protection-log) to see the estimated performance impact. <br/><br/>4. Define an exclusion for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md) (if necessary). <br/><br/>5. [Create an indicator for Defender for Endpoint](manage-indicators.md) (only if necessary). |

-| [Compatibility issues](microsoft-defender-antivirus-compatibility.md) with non-Microsoft antivirus products. <br/>Example: Defender for Endpoint relies on security intelligence updates for devices, whether theyΓÇÖre running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. | 1. If youΓÇÖre using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode). <br/><br/>2. If youΓÇÖre switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see [Make the switch to Defender for Endpoint](switch-to-mde-overview.md). This guidance includes: <br/> - [Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution](switch-to-mde-phase-2.md#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution); <br/> - [Exclusions you might need to define for Microsoft Defender Antivirus](switch-to-mde-phase-2.md#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus); and <br/> - [Troubleshooting information](switch-to-mde-troubleshooting.md) (just in case something goes wrong while migrating). |

-> An ΓÇ£allowΓÇ¥ indicator is the strongest type of exclusion you can define in Defender for Endpoint. Make sure to use indicators sparinglyΓÇöonly when necessaryΓÇöand review all exclusions periodically.

-If you have a file that you think is wrongly detected as malware (a false positive), or a file that you suspect might be malware even though it wasnΓÇÖt detected (a false negative), you can submit the file to Microsoft for analysis. Your submission will be scanned immediately, and will then be reviewed by Microsoft security analysts. YouΓÇÖll be able to check the status of your submission on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory).

-If youΓÇÖre getting alerts in the Microsoft 365 Defender portal for tools or processes that you know aren't actually a threat, you can suppress those alerts. To suppress an alert, you create a suppression rule, and specify what actions to take for that on other, identical alerts. You can create suppression rules for a specific alert on a single device, or for all alerts that have the same title across your organization.

-To learn more, see the following articles:

-> - [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) is available as a standalone plan, and is included in Microsoft 365 E3.

-> - [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) is available as a standalone plan, and is included in Microsoft 365 E5.

-| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Automatic exclusions](#automatic-exclusions) (for Windows Server 2016 and later) <br/>- [Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions<br/>- [Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats <br/><br/> *The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, youΓÇÖll need another license, such as [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). If you're a small or medium-sized business using [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).* |

-[Automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#the-list-of-automatic-exclusions) include operating system files and server roles and features. These exclusions wonΓÇÖt be scanned by [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) but are still subject to [quick, full, or on-demand antivirus scans](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan). The following table provides some examples and includes links to learn more.

-| Operating system files <br/>(See [Automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#the-list-of-automatic-exclusions).) | `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` <br/> `%allusersprofile%\NTUser.pol` <br/> Windows Update files <br/> Windows Security files <br/> … and more |

-| Server roles and features <br/>(See [Default exclusions for roles](configure-server-exclusions-microsoft-defender-antivirus.md#default-exclusions-for-all-roles).) | File Replication Service (FRS) <br/> Hyper-V <br/> SYSVOL <br/> Active Directory <br/> DNS Server <br/> Print Server <br/> Web Server <br/> Windows Server Update Services |

-[Custom exclusions](configure-exclusions-microsoft-defender-antivirus.md) include files and folders that you specify. Exclusions for files, folders, and processes will be skipped by scheduled scans, on-demand scans, and real-time protection. Exclusions for process-opened files wonΓÇÖt be scanned by [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) but are still subject to [quick, full, or on-demand antivirus scans](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan).

-Sometimes, legitimate applications exhibit software behaviors that could be blocked by attack surface reduction rules. If thatΓÇÖs occurring in your organization, you can define exclusions for certain files and folders. Such exclusions are applied to all attack surface reduction rules. See [Enable attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-implement.md#exclude-files-and-folders).

-You can specify folders, file extensions in a specific directory, and file names to be excluded from automated investigation and remediation capabilities. Such automation folder exclusions will apply to all devices onboarded to Defender for Endpoint. These exclusions are still subject to antivirus scans. See [Manage automation folder exclusions](manage-automation-folder-exclusions.md).

-Most organizations have several different types of exclusions and indicators to determine whether users should be able to access and use a file or process. Exclusions and indicators are processed in a particular order so that [policy conflicts are handled systematically](indicator-file.md#policy-conflict-handling).

-1. If a detected file/process isnΓÇÖt allowed by Windows Defender Application Control and AppLocker, itΓÇÖs blocked. Otherwise, it proceeds to Microsoft Defender Antivirus.

-2. If the detected file/process isnΓÇÖt part of an exclusion for Microsoft Defender Antivirus, itΓÇÖs blocked. Otherwise, Defender for Endpoint checks for a custom indicator for the file/process.

-4. If the detected file/process isnΓÇÖt blocked by attack surface reduction rules, controlled folder access, or SmartScreen protection, it proceeds to Microsoft Defender Antivirus.

-5. If the detected file/process isnΓÇÖt allowed by Microsoft Defender Antivirus, itΓÇÖs checked for an action based on its threat ID.

-In cases where Defender for Endpoint indicators conflict, hereΓÇÖs what to expect:

-[Automated investigation and remediation capabilities](automated-investigations.md) in Defender for Endpoint first determine a verdict for each piece of evidence, and then take an action depending on Defender for Endpoint indicators. Thus, a file/process could get a verdict of ΓÇ£goodΓÇ¥ (which means no threats were found) and still be blocked if thereΓÇÖs an indicator with that action. Similarly, an entity could get a verdict of ΓÇ£badΓÇ¥ (which means itΓÇÖs determined to be malicious) and still be allowed if thereΓÇÖs an indicator with that action.

-If your organization is using other server workloads, such as Exchange Server, SharePoint Server, or SQL Server, be aware that only built-in server roles (that could be prerequisites for software you install later) on Windows Server are excluded by [automatic exclusions](#automatic-exclusions) feature (and only when using their default installation location). YouΓÇÖll likely need to define antivirus exclusions for these additional workloads, or for all workloads if you disable automatic exclusions.

-Here are some examples of technical documentation to identify and implement the exclusions you need:

-Depending on what you're using, you might need to refer to the documentation for that server workload.

->If you choose to create a ΓÇÿGlobal exceptionΓÇÖ in the Defender Vulnerability management security recommendation, the status in the Microsoft Secure Score recommended action will be updated with the exception justification. Updates may take up to 2 hours.

->If you choose to create an ΓÇÿException per device groupΓÇÖ in the Defender Vulnerability manage security recommendation, Secure Score will not be updated and the recommended action will remain as ΓÇÿTo addressΓÇÖ.