Updates from: 02/10/2024 06:21:26
Category | Microsoft Docs article | Related commit history on GitHub | Change details
microsoft-365-copilot-page | Microsoft 365 Copilot Page | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-page.md
You can manage Microsoft Copilot for Microsoft 365 through the Microsoft 365 adm
## Before you begin -- You must have a Copilot for Microsoft 365 license for the Copilot page to appear in the Microsoft 365 admin center. For more information, see [Get started with Microsoft Copilot for Microsoft 365](microsoft-365-copilot-setup.md).
+- Your organization must have purchased Copilot licenses to access the Copilot page in the Microsoft 365 admin center. While you don't need a license assigned to your admin account, you must have these licenses present within the organization for the Copilot page to be visible. For more information, see [Get started with Microsoft Copilot for Microsoft 365](microsoft-365-copilot-setup.md).
- You must be a Global Administrator to access the Copilot page. For more information, see [About admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles).
admin | Manage Office Scripts Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-office-scripts-settings.md
description: "Learn how to manage Office Scripts settings for users in your orga
- To allow all users in your organization to access and use Office Scripts, leave **Everyone** (the default) selected.
- - To allow only members of a specific group to access and use Office Scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allow list, and it must be one of the following types:
+ - To allow only members of a specific group to access and use Office Scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allowlist, and it must be one of the following types:
- Microsoft 365 group - Distribution group - Security group
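Review bot: the `+` line still says "add it to the allow list" a few words before the newly introduced "allowlist", so the sentence now mixes both spellings; change the earlier occurrence as well ("enter the name or email alias of the group to add it to the allowlist"). The same sentence, with the same half-applied change, appears again in the sharing hunk and the flows hunk below and needs the same fix there.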
To learn more about the different types of groups, see [Compare groups](../create-groups/compare-groups.md).
-5. To allow users with access to Office Scripts to share their scripts with others in your organization, select **Let users with access to Office Scripts share their scripts with others in the organization**. Sharing scripts outside of an organization is not allowed.
+5. To allow users with access to Office Scripts to share their scripts with others in your organization, select **Let users with access to Office Scripts share their scripts with others in the organization**. Sharing scripts outside of an organization isn't allowed.
> [!NOTE] > If you later turn off script sharing for your organization, users will still be able to run previously-shared scripts.
- To allow all users with access to Office Scripts to share their scripts, leave **Everyone** (the default) selected.
- - To allow only members of a specific group with access to Office Scripts to share their scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allow list, and it must be one of the following types:
+ - To allow only members of a specific group with access to Office Scripts to share their scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allowlist, and it must be one of the following types:
- Microsoft 365 group - Distribution group - Security group
- To allow all users with access to Office Scripts to use their scripts in flows, leave **Everyone** (the default) selected.
- - To allow only members of a specific group with access to Office Scripts to use their scripts in flows, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allow list, and it must be one of the following types:
+ - To allow only members of a specific group with access to Office Scripts to use their scripts in flows, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allowlist, and it must be one of the following types:
- Microsoft 365 group - Distribution group - Security group
Group Policy has a setting to control whether Office Scripts (including the relevant commands on the **Automate** tab) are available for use.
-If you enable this policy setting, Office Scripts won't be available for use in the installed Excel app on a desktop. You'll find Office Scripts settings under User Configuration\Administrative Templates\Microsoft Excel 2016\Miscellaneous in the Group Policy Management Console.
+If you enable this policy setting, Office Scripts will not be available for use in the installed Excel app on a desktop. You'll find Office Scripts settings under User Configuration\Administrative Templates\Microsoft Excel 2016\Miscellaneous in the Group Policy Management Console.
After applying this policy setting, users will still see the **Automate** tab, but the **Office Scripts** and **Automate** options will be greyed out. They can select the **Record Actions** button, but if they do, they'll see the following message: "You don't have access to Office Scripts. Your organization's admin may have turned off this feature, or you don't meet the requirements."
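Review bot: the `+` line expands "won't" to "will not", which is the opposite direction to the edit in the same change set that replaced "is not allowed" with "isn't allowed" in the sharing step; pick one style for the article (the other hunks here move toward contractions) rather than mixing both. "In the installed Excel app on a desktop" reads more naturally as "in the Excel desktop app".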
admin | Manage Self Service Purchases Org Trials For Msproject | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-self-service-purchases-org-trials-for-msproject.md
- Title: "Manage self-service purchases and organizational trials for Microsoft Project"-- NOCSH--- Previously updated : 11/28/2023----- Tier2-- scotvorg-- M365-subscription-management -- Adm_O365-- Adm_TOC--- AdminSurgePortfolio-- admindeeplinkMAC
-description: "Manage self-service purchases and organizational trials for Microsoft Project."
--
-# Manage self-service purchases and organizational trials for Microsoft Project
-
-> [!IMPORTANT]
-> The Microsoft Project will soon be renamed as Microsoft Planner. For more information, see the [new Microsoft Planner](https://techcommunity.microsoft.com/t5/planner-blog/the-new-microsoft-planner-a-unified-experience-bringing-together/ba-p/3977998).
-
-Microsoft Project is a tool that helps users to coordinate tasks. It allows for individual and team planning with tasks that have rich content, files, checklists, and more. For users who need more advanced options of project management with extra features, Microsoft Project offers a free trial experience that can help users and administrators decide if the product suits their needs.
-
-As an administrator, you can utilize the Microsoft 365 admin center to manage self-service purchases and trials for Microsoft Project. You can control whether users in your organization can sign up for trials or make purchases.
-
-## Before you begin
-
-Some of these actions may require you to have a specific administrator role to make changes. For a detailed view of roles and capabilities, see [About Microsoft 365 admin roles](../add-users/about-admin-roles.md).
-
-Understand what types of purchases and trials can be initiated by you or the users in your organization. For more information, see [Product purchase and trial explanation](../../commerce/subscriptions/manage-self-service-purchases-admins.md). The offerings vary by product.
-
-## Enable or disable project trials
-
-You can enable or disable purchases or trials for users in your organization. For instructions on how to use this control, see [Enable or disable purchases and trials via PowerShell module](../add-users/about-admin-roles.md).
-
-If trials are enabled, users have the chance to try Microsoft Project and request a license. If trials are disabled, users won't be allowed to start a trial, but rather will be given the ability to request a license for Microsoft Project.
-
-## Manage license requests
-
-There are a few ways to manage self-service license requests:
-
-1. Approve or deny a license request. For information on approving or denying a license request, see [Approve or Deny a license request](../../commerce/licenses/manage-license-requests.md).
-2. Use the option that would align the Microsoft Project-specific process for license request and approval with the prevailing one in your organization. If you would like to align with your organizationΓÇÖs license request and approval process, there's an option to display a message to your users that indicates the process they can follow. Through this message, your users are directed toward your organizationΓÇÖs preferred internal process. For the set-up process, see [Using your own request process](../../commerce/licenses/manage-license-requests.md).
-3. Lastly, if you donΓÇÖt have the authority to approve the license requests, you can share the license-request details to the right point of contact (POC). For instructions regarding sharing the details with the POC, see [Sharing a license request by email](../../commerce/licenses/manage-license-requests.md).
-
-## Cancel a purchase or trial subscription
-
-An administrator can cancel a purchase or trial subscription for their users in the organization. The users will then lose access to certain features in Microsoft Project. The administrator, or the owners of the subscription, on canceling the subscription will receive an email that states that the subscription was canceled.
-
-For instructions on how to cancel a purchase or trial subscription, see [Cancel a purchase or trial subscription](../../commerce/subscriptions/manage-self-service-purchases-admins.md).
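Review bot: this removes the whole published article (front matter, title and every section) and nothing in the change shows a redirect being added; a page that was live will still be reachable from search results, the TOC and any inbound links until a redirect entry to the replacement content (the IMPORTANT note says Project is becoming Planner, so presumably the Planner page) is added in the same change. Also check that the TOC entry that listed this article is removed, otherwise the navigation will point at a missing file.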
security | Linux Preferences | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
The following configuration profile contains entries for all settings described
```JSON { "antivirusEngine":{
- "enforcementLevel":"passive",
+ "enforcementLevel":"real_time",
+ "behaviorMonitoring": "enabled",
"scanAfterDefinitionUpdate":true, "scanArchives":true,
+ "scanHistoryMaximumItems": 10000,
+ "scanResultsRetentionDays": 90,
"maximumOnDemandScanThreads":2, "exclusionsMergePolicy":"merge", "exclusions":[
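Review bot: the sentence introducing the profile promises that it "contains entries for all settings described", so the three keys added here (behaviorMonitoring, scanHistoryMaximumItems, scanResultsRetentionDays) each need a matching setting description earlier in the article; please confirm those sections exist or add them in this change. Switching the sample from "enforcementLevel":"passive" to "real_time" changes what a reader who copies the profile verbatim gets (active blocking instead of detect-only), which is the safer default but is worth calling out in the text next to the sample so nobody deploys it to a host that was deliberately running passive.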
security | Mobile Resources Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint.md
search.appverid: met150 Previously updated : 09/19/2023 Last updated : 02/09/2024 # Resources for Microsoft Defender for Endpoint for mobile devices
-Microsoft Defender for Endpoint provides multiple capabilities on mobile devices. Some of these capabilities are enabled by default while others are configured by IT admins. The following table shows how to configure the resources related to Microsoft Defender for Endpoint on Android and iOS.
+Microsoft Defender for Endpoint provides multiple capabilities on mobile devices. Some of these capabilities are set to default, and some require admin configuration. The following table shows how to configure the resources related to Microsoft Defender for Endpoint on Android and iOS.
## Feature configurations | Configuration| Description | Android AE config key | Android MAM | iOS | |--|-|--|-|--|
-|Web Protection|Admins can use this to configure web protection feature. When disabled, end users are not asked for VPN permissions|Antiphishing = 0/1 (default), VPN = 0/1(default)|Antiphishing=0/1(default), VPN = 0/1(default)| WebProtection = true (default) / false|
+|Web Protection|Admins can use this setting to change the web protection feature. When disabled, end users aren't asked for VPN permissions|Antiphishing = 0/1 (default), VPN = 0/1(default)|Antiphishing=0/1(default), VPN = 0/1(default)| WebProtection = true (default) / false|
|Network Protection| Network protection is disabled by default. Admins can enable it to include rogue WiFi and certificate detection (only available on android) on mobile.|Enable Network protection in Microsoft Defender = 0(default)/1| DefenderNetworkProtectionEnable = 0(default)/1|DefenderNetworkProtectionEnable = 0(default)/1| ## Privacy configuration |Configuration| Description | Android AE config key | Android MAM | iOS | |-|-|--|-|--|
-|Privacy for phishing alert report |If privacy is enabled, Defender for Endpoint will not send domain name and website details| Hide URLs in report=0(default)/1| DefenderExcludeURLInReport = 0(default)/1 |DefenderExcludeURLInReport = 0(default)/1|
+|Privacy for phishing alert report |If privacy is enabled, Defender for Endpoint won't send domain name and website details| Hide URLs in report=0(default)/1| DefenderExcludeURLInReport = 0(default)/1 |DefenderExcludeURLInReport = 0(default)/1|
|Configure Privacy for malware threat report| Control the collection of app details (name, package information) in the threat report |Hide app details in report= 0(default)/1|DefenderExcludeAppInReport = 0(default)/1| |Configure privacy in vulnerability assessment of apps| Control what app data shows up in the security portal when Defender for Vulnerability Management is enabled|Enable Vulnerability Management privacy= 0(default)/1|DefenderTVMPrivacyMode = 0(default)/1|DefenderTVMPrivacyMode = 0(default)/1| |Network protection | Control the collection of network and certificate details in the alert report|Enable Network protection privacy = 1/0 |DefenderNetworkProtectionPrivacy = 1/0 |DefenderNetworkProtectionPrivacy |
-## Additional configurations
+## Other configurations
|Configuration| Description | Android AE config key | Android MAM | iOS | |-|-|--|-|--|
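Review bot: the Network protection row of the privacy table (the unchanged line ending "DefenderNetworkProtectionPrivacy |") has no value in the iOS column, while every other row gives a 1/0 default; add the iOS default or mark the cell as not applicable. In the Network Protection row of the feature table "(only available on android)" should read "Android".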
|Alert type | Severity | Privacy information (Android)| Privacy information (iOS)| |--|--|||
-|Anti-phishing (defender warning)|Informational| URL of malicious connection, connection information, Protocol type; [More information](android-privacy.md#web-page--network-information) | Domain name, IP address of malicious website; [More information](ios-privacy.md#web-page-or-network-information) |
+|Anti-phishing (Defender warning)|Informational| URL of malicious connection, connection information, Protocol type; [More information](android-privacy.md#web-page--network-information) | Domain name, IP address of malicious website; [More information](ios-privacy.md#web-page-or-network-information) |
|Anti-phishing (Defender warning overlooked)|Low | | | |Anti-malware| Medium | Information about malicious APKs including install source, storage location, time of install, etc.; [More information](android-privacy.md#app-information) | |
Suspicious certificates |Informational| | |
[Complete privacy information for iOS](ios-privacy.md) +
+## Microsoft Defender Mobile App exclusion from Conditional Access(CA) Policies
+
+Microsoft Defender Mobile app is a security app that needs to constantly be running in the background to report the device security posture. This security posture is used in the Compliance and App Protection policies to secure the managed apps and ensure that corporate data is accessed only in a secured device. However, with restrictive Conditional Access policies such as having Block policies based on certain locations, or enforcing frequent sign ins can result in Defender blocked from reporting posture. If the Defender app fails to report the device posture this can lead to situation where the device is under a threat, leading to vulnerability of corporate data on the device. To ensure seamless protection, we recommend excluding the Defender app from the blocking Conditional Access Policy.
+
+### Apps required to exclude:
+
+1. **Xplat Broker App ( a0e84e36-b067-4d5c-ab4a-3db38e598ae2)**
+Xplat Broker App is the application responsible for forwarding Defender risk signals to the Defender backend. However, the presence of restrictive CA policies can result in Defender blocked from reporting signals. In these scenarios, we recommend excluding the Xplat Broker App. Note, that **Xplat Broker App** is also used by other platforms like Mac and Linux. So if the policy is same for these platforms, it is better to create a separate Conditional Access policy for Mobile.
++
+2. **TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196)**
+Microsoft Defender for Mobile TVM (Threat and Vulnerability Management) is the service, which provides the vulnerability assessment for the installed apps on the iOS devices. However, the presence of restrictive CA policies can result in Defender blocked from communicating the onboarding requests to the TVM backend services. This service should be excluded if MDVM (Vulnerability Assessment) is used in the organization.
+
+### Steps to exclude:
+
+1. Create service principal for the apps that needs to be excluded. [Steps to create service principal.](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=powershell#request)
+1. While creating the service principal object above, use these app IDs: **Xplat Broker App ( a0e84e36-b067-4d5c-ab4a-3db38e598ae2), TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196).**
+1. After the object is successfully created the two apps are visible in the CA screen and can be excluded.
+
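Review bot: the new Conditional Access section needs a grammar pass and one clarification before it ships. "However, with restrictive Conditional Access policies such as having Block policies based on certain locations, or enforcing frequent sign ins can result in Defender blocked" has no subject; say "Restrictive Conditional Access policies, such as block policies based on location or frequent sign-in enforcement, can prevent Defender from reporting posture". "Conditional Access(CA)" needs a space, "apps that needs to be excluded" should be "need", "if the policy is same" should be "the same", and the two H3 headings should not end in a colon. On substance: the text already notes that the Xplat Broker App is shared with Mac and Linux and that it "is better" to create a separate policy for mobile; state that as the recommended configuration (exclude the two apps only in a mobile-scoped policy), otherwise an admin who adds the exclusion to a tenant-wide block policy silently widens it to desktop sign-ins as well.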
security | Review Detected Threats | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-detected-threats.md
+
+ Title: Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration
+description: Use the Microsoft Defender for Endpoint Antivirus and Intune integration to view and manage threat detections.
+keywords: detect, threats, detected threats, devices, URL,
+
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier2
+- mde-edr
+ Last updated : 02/02/2024+
+search.appverid: met150
++
+# Microsoft Defender for Endpoint Antivirus and Intune integration
++
+**Applies to:**
+
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigatealerts-abovefoldlink)
+
+**Platforms**
+
+- Windows
+- macOS
+- Android
+
+In the Microsoft Defender portal, you can view and manage threat detections using the following steps:
+
+1. Visit [Microsoft XDR portal](https://security.microsoft.com/) and sign-in.
+
+ On the landing page, you'll see the **Devices with active malware** card with the following information:
+
+ - Display text: Applies to Intune-managed devices. Devices with multiple malware detections may be counted more than once.
+ - Last updated date and time.
+ - A bar with the Active and Malware remediated portions as per your scan.
+
+ You can select **View Details** for more information.
+
+2. Once remediated, you'll see the following text being displayed:
+
+ *Malware found on your devices have been remediated successfully*.
+
+## Manage threat detections in Microsoft Intune
+
+You can manage threat detections for any devices that are [enrolled in Microsoft Intune](/mem/intune/enrollment/windows-enrollment-methods) using the following steps:
+
+1. Go to the Microsoft Intune admin center at [intune.microsoft.com](https://intune.microsoft.com) and sign-in.
+
+2. In the navigation pane, select **Endpoint security**.
+
+3. Under **Manage**, select **Antivirus**. You'll see tabs for **Summary**, **Unhealthy endpoints**, and **Active malware**.
+
+4. Review the information on the available tabs, and then take action as necessary.
+
+ For example, when you can select a device that is listed under the **Active malware** tab, you can choose one action from the list of actions provided:
+ - Restart
+ - Quick Scan
+ - Full Scan
+ - Sync
+ - Update signatures
+
+## FAQs
+
+### In the Microsoft XDR portal > Devices with active malware > Devices with malware detections report, why does the Last update seem to be occurring today?
+
+To see when the malware was detected, you can do the following:
+
+1. Since this is an integration with Intune, visit [**Intune portal**](https://intune.microsoft.com) and select **Antivirus** and then select **Active malware** tab.
+2. Select **Export**.
+3. On your device, go to Downloads, and extract the Active malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zip.
+4. Open the CSV and find the **LastStateChangeDateTime** column to see when malware was detected.
+
+### In the devices with malware detections report, why canΓÇÖt I see any information about which malware was detected on the device.
+
+To see the malware name, visit the [Intune portal](https://intune.microsoft.com) as this is an integration with Intune, select **Antivirus**, and select **Active malware** tab and you'll see a column named **Malware name**.
+
+### I see a different number for active malware in Devices with active malware report, when compared to numbers I see using Reports > Detected malware, and Intune > Antivirus > Active malware.
+
+The **Devices with active malware** report is based on the devices that were active within the last 1 day (24 hours) and had malware detections within the last 15 days.
+
+Use the following Advanced Hunting query:
+
+```kusto
+DeviceInfo
+| where Timestamp > startofday(datetime(2024-01-29 00:00:00))
+| where OnboardingStatus == "Onboarded"
+| where SensorHealthState == "Active"
+| distinct DeviceId, DeviceName
+| join kind=innerunique (
+AlertEvidence
+| where Timestamp > ago(15d)
+| where ServiceSource == "Microsoft Defender for Endpoint"
+| where DetectionSource == "Antivirus"
+DeviceName
+| distinct DeviceName, DeviceId, Title, AlertId, Timestamp
+```
+
+### I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?
+
+Use the Advanced Hunting query that is mentioned [here](#i-see-a-different-number-for-active-malware-in-devices-with-active-malware-report-when-compared-to-numbers-i-see-using-reports--detected-malware-and-intune--antivirus--active-malware) for details such as unique DeviceID, Title, AlertID, and the remediation process. After identifying, work with your IT adminΓÇÖs to make sure that the devices are uniquely named. If a device is retired, use [tags to decommission it.](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058)
+
+### I see malware detection in Intune and on the Devices with active malware report, but I donΓÇÖt see it in the MDE Alerts queue or in the Incidents queue.
+
+It might be that the URL's [Cloud Protection](configure-network-connections-microsoft-defender-antivirus.md) is currently not being allowed through your firewall or proxy.
+
+You need to ensure that when you run `%ProgramFiles%\Windows Defender\MpCmdRun.exe -ValidateMapsConnection` on your device, the reporting is Ok.
+
+## Related articles
+
+- [Alerts in Microsoft Defender for Endpoint](investigate-alerts.md)
+- [Alerts queue in Microsoft Defender XDR](alerts-queue-endpoint-detection-response.md)
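Review bot: the Advanced Hunting query in the FAQ does not parse as written: the subquery opened with `| join kind=innerunique (` is never closed and the `on` keyword is missing, so the bare `DeviceName` line should be `) on DeviceName`, or better `) on DeviceId`, since the next FAQ relies on this very query to tell apart two devices that share a name and the first branch already projects DeviceId. The filter `Timestamp > startofday(datetime(2024-01-29 00:00:00))` hardcodes a day while the sentence above it says the report covers devices "active within the last 1 day (24 hours)"; `ago(1d)` or `startofday(now())` keeps the query correct after publication. Smaller points: the Plan 1 and Plan 2 links share the same linkid; "sign-in" is the noun, the steps want "sign in"; "when you can select a device" should drop "can"; "Malware found on your devices have been remediated" should be "has been"; the "ΓÇÖ" sequences in the FAQ headings are mis-encoded apostrophes. For the MpCmdRun -ValidateMapsConnection step, say which line of the output indicates success (or link the cloud protection troubleshooting article), since "the reporting is Ok" gives the reader nothing to compare against.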
security | Run Analyzer Macos Linux | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
Title: Run the client analyzer on macOS or Linux
-description: Learn how to run the Microsoft Defender for Endpoint Client Analyzer on macOS or Linux
+description: Learn how to run the Microsoft Defender for Endpoint Client Analyzer on macOS or Linux.
keywords: client analyzer, troubleshoot sensor, analyzer, mdeanalyzer, macos, linux, mdeanalyzer ms.mktglfcycl: deploy
There are two ways to run the client analyzer tool:
## Running the binary version of the client analyzer 1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the macOS or Linux machine you need to investigate.\
-If using a terminal download using the command:
+If you're using a terminal, download the tool by entering the following command:
```console wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
2. Verify the download. > [!NOTE]
- > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from this link is: '708C2257109D200C2862637363BEC0C073ACD66CBD5120EB1DDE28F7AA9C9C1E'
+ > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from this link is: '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863'
```console
- echo '708C2257109D200C2862637363BEC0C073ACD66CBD5120EB1DDE28F7AA9C9C1E XMDEClientAnalyzerBinary.zip' | sha256sum -c
+ echo '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863 XMDEClientAnalyzerBinary.zip' | sha256sum -c
```
-3. Extract the contents of <i>XMDEClientAnalyzerBinary.zip</i> on the machine.
+3. Extract the contents of _XMDEClientAnalyzerBinary.zip_ on the machine.
- If using a terminal download using the command:
+ If you're using a terminal, extract the files by entering the following command:
```console unzip -q XMDEClientAnalyzerBinary.zip -d XMDEClientAnalyzerBinary ```
-4. Change to the tool's directory using the following command:
+4. Change to the tool's directory by entering the following command:
```console cd XMDEClientAnalyzerBinary ```
-5. Three new zip files will be produced:
- 1. **SupportToolLinuxBinary.zip** : For all Linux devices
- 2. **SupportToolmacOSBinary.zip** : For Intel-based Mac devices
- 3. **SupportToolmacOS-armBinary.zip** : For Arm-based Mac devices
+5. Three new zip files are produced:
+
+ - **SupportToolLinuxBinary.zip** : For all Linux devices
+ - **SupportToolmacOSBinary.zip** : For Intel-based Mac devices
+ - **SupportToolmacOS-armBinary.zip** : For Arm-based Mac devices
6. Unzip one of the above 3 zip files based on the machine you need to investigate.\
-When using a terminal, unzip the file using one of the following commands based on machine type:
+When using a terminal, unzip the file by entering one of the following commands based on machine type:
- Linux
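Review bot: the new SHA256 value is updated consistently in both places it appears (the NOTE and the `sha256sum -c` command), which is the thing to check on every analyzer release. Because the hash is published on the same page the zip is downloaded from, a reader who sees a mismatch cannot tell a stale document from a tampered download; adding the analyzer version or build date next to the hash would let them distinguish the two. "Three new zip files are produced" reads as if step 5 does something; "The extracted folder contains three zip files" matches what actually happened in step 3.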
unzip -q SupportToolmacOS-armBinary.zip ```
-7. Run the tool as <i>root</i> to generate diagnostic package:
+7. Run the tool as _root_ to generate diagnostic package:
```console sudo ./MDESupportTool -d
1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the macOS or Linux machine you need to investigate.
- If using a terminal, download by running the command:
+ If you're using a terminal, download the tool by running the following command:
```console wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
2. Verify the download ```console
- echo 'A13C262EDD1C657EC056DD03E9F0487B4FD897964F1ABF968445E19035ABFD6D XMDEClientAnalyzer.zip' | sha256sum -c
+ echo '926DEF4C6857641E205E7978126F7C2CE541D52AEA1C0E194DDB85F7BCFDE3D9 XMDEClientAnalyzer.zip' | sha256sum -c
``` 3. Extract the contents of XMDEClientAnalyzer.zip on the machine.\
- If using a terminal unzip using the command:
+ If you're using a terminal, extract the files by using the following command:
```console unzip -q XMDEClientAnalyzer.zip -d XMDEClientAnalyzer
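Review bot: the script-version hash is updated only inside the `sha256sum -c` command here, whereas the binary section states the current hash in a NOTE as well as in the command; keep the two sections parallel so readers who verify by eye rather than by running the command still find the value, and give the analyzer version the hash corresponds to for the same reason.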
./mde_support_tool.sh ```
-7. To collect actual diagnostic package and generate the result archive file run again as root:
+7. To collect actual diagnostic package and generate the result archive file, run again as root:
```console sudo ./mde_support_tool.sh -d
### Primary command lines
-Use this for getting machine diagnostic
+Use the following command to get the machine diagnostic.
```console -h, --help show this help message and exit --output OUTPUT, -o OUTPUT Output path to export report
+--outdir OUTDIR Directory where diagnostics file will be generated
--no-zip, -nz If set a directory will be created instead of an archive file --force, -f Will overwrite if output directory exists --diagnostic, -d Collect extensive machine diagnostic information --bypass-disclaimer Do not display disclaimer bannermdatp-log {info,trace,error,warning,debug,verbose}
+--mdatp-log {info,debug,verbose,error,trace,warning}
Set MDATP log level --max-log-size MAX_LOG_SIZE Maximum log file size in MB before rotating(Will restart mdatp)
Use OS tracing facilities to record Defender for Endpoint performance traces.
--mask MASK Mask to select with event to trace. Defaults to all ```
-On running this command for the first time, it will install a Profile configuration.
+On running this command for the first time, it installs a Profile configuration.
Follow this to approve profile installation: [Apple Support Guide](https://support.apple.com/guide/mac-help/configuration-profiles-standardize-settings-mh35561/mac#:~:text=Install%20a%20configuration%20profile%20you%E2%80%99ve%20received).
Usage example: `sudo ./MDESupportTool exclude -d /var/foo/bar`
### AuditD Rate Limiter
-Syntax that can be used to limit the number of events being reported by the auditD plugin. This option will set the rate limit globally for AuditD causing a drop in all the audit events. When the limiter is enabled the number of auditd events will be limited to 2500 events/sec. This option can be used in cases where we see high CPU usage from AuditD side.
+Syntax that can be used to limit the number of events being reported by the auditD plugin. This option sets the rate limit globally for AuditD causing a drop in all the audit events. When the limiter is enabled the number of auditd events are limited to 2500 events/sec. This option can be used in cases where we see high CPU usage from AuditD side.
> [!NOTE] > This functionality exists for Linux only.
Usage example: `sudo ./mde_support_tool.sh ratelimit -e true`
### AuditD Skip Faulty Rules
-This option enables you to skip the faulty rules added in the auditd rules file while loading them. This option allows the auditd subsystem to continue loading rules even if there is a faulty rule. This option summarizes the results of loading the rules. In the background, this option runs the auditctl with the -c option.
+This option enables you to skip the faulty rules added in the auditd rules file while loading them. This option allows the auditd subsystem to continue loading rules even if there's a faulty rule. This option summarizes the results of loading the rules. In the background, this option runs the auditctl with the -c option.
> [!NOTE] > This functionality is only available on Linux.
Usage example: `sudo ./mde_support_tool.sh skipfaultyrules -e true`
- report.html
- Description: The main HTML output file that will contain the findings and guidance that the analyzer script run on the machine can produce.
+ Description: The main HTML output file that contains the findings and guidance that the analyzer script run on the machine can produce.
- mde_diagnostic.zip
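Review bot: the help-text hunk looks half-applied: the unchanged line ending "--bypass-disclaimer Do not display disclaimer bannermdatp-log {info,trace,error,warning,debug,verbose}" still carries the old `--mdatp-log` option fused onto the banner line, and the `+` line adds the reordered `--mdatp-log {info,debug,verbose,error,trace,warning}`, so the option would be listed twice, once mangled; remove the old fragment. "Use the following command to get the machine diagnostic" introduces an options listing rather than a command; "The following options are available" fits. In the AuditD rate limiter paragraph, "the number of auditd events are limited" should be "is limited", and since the sentence "causing a drop in all the audit events" is the operationally important part, it should be stated plainly that the 2500 events/sec cap applies to auditd as a whole, so any other consumer of the audit stream (SIEM forwarders, compliance rules) loses events too while the limiter is on.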
- perf_benchmark.tar.gz
- Description: The performance test reports. You will see this only if you are using the performance parameter.
+ Description: The performance test reports. You'll see this only if you're using the performance parameter.
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]