+- Your organization must have purchased Copilot licenses to access the Copilot page in the Microsoft 365 admin center. While you don't need a license assigned to your admin account, you must have these licenses present within the organization for the Copilot page to be visible. For more information, see [Get started with Microsoft Copilot for Microsoft 365](microsoft-365-copilot-setup.md).

+ - To allow only members of a specific group to access and use Office Scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allowlist, and it must be one of the following types:

+5. To allow users with access to Office Scripts to share their scripts with others in your organization, select **Let users with access to Office Scripts share their scripts with others in the organization**. Sharing scripts outside of an organization isn't allowed.

+ - To allow only members of a specific group with access to Office Scripts to share their scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allowlist, and it must be one of the following types:

+ - To allow only members of a specific group with access to Office Scripts to use their scripts in flows, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allowlist, and it must be one of the following types:

+If you enable this policy setting, Office Scripts will not be available for use in the installed Excel app on a desktop. You'll find Office Scripts settings under User Configuration\Administrative Templates\Microsoft Excel 2016\Miscellaneous in the Group Policy Management Console.

+ "enforcementLevel":"real_time",

+ "behaviorMonitoring": "enabled",

+ "scanHistoryMaximumItems": 10000,

+ "scanResultsRetentionDays": 90,

+Microsoft Defender for Endpoint provides multiple capabilities on mobile devices. Some of these capabilities are set to default, and some require admin configuration. The following table shows how to configure the resources related to Microsoft Defender for Endpoint on Android and iOS.

+|Web Protection|Admins can use this setting to change the web protection feature. When disabled, end users aren't asked for VPN permissions|Antiphishing = 0/1 (default), VPN = 0/1(default)|Antiphishing=0/1(default), VPN = 0/1(default)| WebProtection = true (default) / false|

+|Privacy for phishing alert report |If privacy is enabled, Defender for Endpoint won't send domain name and website details| Hide URLs in report=0(default)/1| DefenderExcludeURLInReport = 0(default)/1 |DefenderExcludeURLInReport = 0(default)/1|

+## Other configurations

+|Anti-phishing (Defender warning)|Informational| URL of malicious connection, connection information, Protocol type; [More information](android-privacy.md#web-page--network-information) | Domain name, IP address of malicious website; [More information](ios-privacy.md#web-page-or-network-information) |

+## Microsoft Defender Mobile App exclusion from Conditional Access(CA) Policies

+Microsoft Defender Mobile app is a security app that needs to constantly be running in the background to report the device security posture. This security posture is used in the Compliance and App Protection policies to secure the managed apps and ensure that corporate data is accessed only in a secured device. However, with restrictive Conditional Access policies such as having Block policies based on certain locations, or enforcing frequent sign ins can result in Defender blocked from reporting posture. If the Defender app fails to report the device posture this can lead to situation where the device is under a threat, leading to vulnerability of corporate data on the device. To ensure seamless protection, we recommend excluding the Defender app from the blocking Conditional Access Policy.

+### Apps required to exclude:

+1. **Xplat Broker App ( a0e84e36-b067-4d5c-ab4a-3db38e598ae2)**

+Xplat Broker App is the application responsible for forwarding Defender risk signals to the Defender backend. However, the presence of restrictive CA policies can result in Defender blocked from reporting signals. In these scenarios, we recommend excluding the Xplat Broker App. Note, that **Xplat Broker App** is also used by other platforms like Mac and Linux. So if the policy is same for these platforms, it is better to create a separate Conditional Access policy for Mobile.

+2. **TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196)**

+Microsoft Defender for Mobile TVM (Threat and Vulnerability Management) is the service, which provides the vulnerability assessment for the installed apps on the iOS devices. However, the presence of restrictive CA policies can result in Defender blocked from communicating the onboarding requests to the TVM backend services. This service should be excluded if MDVM (Vulnerability Assessment) is used in the organization.

+### Steps to exclude:

+1. Create service principal for the apps that needs to be excluded. [Steps to create service principal.](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=powershell#request)

+1. While creating the service principal object above, use these app IDs: **Xplat Broker App ( a0e84e36-b067-4d5c-ab4a-3db38e598ae2), TVM app (e724aa31-0f56-4018-b8be-f8cb82ca1196).**

+1. After the object is successfully created the two apps are visible in the CA screen and can be excluded.

+ Title: Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration

+description: Use the Microsoft Defender for Endpoint Antivirus and Intune integration to view and manage threat detections.

+keywords: detect, threats, detected threats, devices, URL,

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier2

+- mde-edr

+search.appverid: met150

+# Microsoft Defender for Endpoint Antivirus and Intune integration

+**Applies to:**

+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigatealerts-abovefoldlink)

+**Platforms**

+- Windows

+- macOS

+- Android

+In the Microsoft Defender portal, you can view and manage threat detections using the following steps:

+1. Visit [Microsoft XDR portal](https://security.microsoft.com/) and sign-in.

+ On the landing page, you'll see the **Devices with active malware** card with the following information:

+ - Display text: Applies to Intune-managed devices. Devices with multiple malware detections may be counted more than once.

+ - Last updated date and time.

+ - A bar with the Active and Malware remediated portions as per your scan.

+ You can select **View Details** for more information.

+2. Once remediated, you'll see the following text being displayed:

+ *Malware found on your devices have been remediated successfully*.

+## Manage threat detections in Microsoft Intune

+You can manage threat detections for any devices that are [enrolled in Microsoft Intune](/mem/intune/enrollment/windows-enrollment-methods) using the following steps:

+1. Go to the Microsoft Intune admin center at [intune.microsoft.com](https://intune.microsoft.com) and sign-in.

+2. In the navigation pane, select **Endpoint security**.

+3. Under **Manage**, select **Antivirus**. You'll see tabs for **Summary**, **Unhealthy endpoints**, and **Active malware**.

+4. Review the information on the available tabs, and then take action as necessary.

+ For example, when you can select a device that is listed under the **Active malware** tab, you can choose one action from the list of actions provided:

+ - Restart

+ - Quick Scan

+ - Full Scan

+ - Sync

+ - Update signatures

+## FAQs

+### In the Microsoft XDR portal > Devices with active malware > Devices with malware detections report, why does the Last update seem to be occurring today?

+To see when the malware was detected, you can do the following:

+1. Since this is an integration with Intune, visit [**Intune portal**](https://intune.microsoft.com) and select **Antivirus** and then select **Active malware** tab.

+2. Select **Export**.

+3. On your device, go to Downloads, and extract the Active malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zip.

+4. Open the CSV and find the **LastStateChangeDateTime** column to see when malware was detected.

+### In the devices with malware detections report, why canΓÇÖt I see any information about which malware was detected on the device.

+To see the malware name, visit the [Intune portal](https://intune.microsoft.com) as this is an integration with Intune, select **Antivirus**, and select **Active malware** tab and you'll see a column named **Malware name**.

+### I see a different number for active malware in Devices with active malware report, when compared to numbers I see using Reports > Detected malware, and Intune > Antivirus > Active malware.

+The **Devices with active malware** report is based on the devices that were active within the last 1 day (24 hours) and had malware detections within the last 15 days.

+Use the following Advanced Hunting query:

+```kusto

+DeviceInfo

+| where Timestamp > startofday(datetime(2024-01-29 00:00:00))

+| where OnboardingStatus == "Onboarded"

+| where SensorHealthState == "Active"

+| distinct DeviceId, DeviceName

+| join kind=innerunique (

+AlertEvidence

+| where Timestamp > ago(15d)

+| where ServiceSource == "Microsoft Defender for Endpoint"

+| where DetectionSource == "Antivirus"

+DeviceName

+| distinct DeviceName, DeviceId, Title, AlertId, Timestamp

+```

+### I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?

+Use the Advanced Hunting query that is mentioned [here](#i-see-a-different-number-for-active-malware-in-devices-with-active-malware-report-when-compared-to-numbers-i-see-using-reports--detected-malware-and-intune--antivirus--active-malware) for details such as unique DeviceID, Title, AlertID, and the remediation process. After identifying, work with your IT adminΓÇÖs to make sure that the devices are uniquely named. If a device is retired, use [tags to decommission it.](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058)

+### I see malware detection in Intune and on the Devices with active malware report, but I donΓÇÖt see it in the MDE Alerts queue or in the Incidents queue.

+It might be that the URL's [Cloud Protection](configure-network-connections-microsoft-defender-antivirus.md) is currently not being allowed through your firewall or proxy.

+You need to ensure that when you run `%ProgramFiles%\Windows Defender\MpCmdRun.exe -ValidateMapsConnection` on your device, the reporting is Ok.

+## Related articles

+- [Alerts in Microsoft Defender for Endpoint](investigate-alerts.md)

+- [Alerts queue in Microsoft Defender XDR](alerts-queue-endpoint-detection-response.md)

+description: Learn how to run the Microsoft Defender for Endpoint Client Analyzer on macOS or Linux.

+If you're using a terminal, download the tool by entering the following command:

+ > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from this link is: '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863'

+ echo '0A8E32B618F278BED60AB6763E9458BA2CD02C99D718E50DCCE51A7DBAC69863 XMDEClientAnalyzerBinary.zip' | sha256sum -c

+3. Extract the contents of _XMDEClientAnalyzerBinary.zip_ on the machine.

+ If you're using a terminal, extract the files by entering the following command:

+4. Change to the tool's directory by entering the following command:

+5. Three new zip files are produced:

+ - **SupportToolLinuxBinary.zip** : For all Linux devices

+ - **SupportToolmacOSBinary.zip** : For Intel-based Mac devices

+ - **SupportToolmacOS-armBinary.zip** : For Arm-based Mac devices

+When using a terminal, unzip the file by entering one of the following commands based on machine type:

+7. Run the tool as _root_ to generate diagnostic package:

+ If you're using a terminal, download the tool by running the following command:

+ echo '926DEF4C6857641E205E7978126F7C2CE541D52AEA1C0E194DDB85F7BCFDE3D9 XMDEClientAnalyzer.zip' | sha256sum -c

+ If you're using a terminal, extract the files by using the following command:

+7. To collect actual diagnostic package and generate the result archive file, run again as root:

+Use the following command to get the machine diagnostic.

+--outdir OUTDIR Directory where diagnostics file will be generated

+--mdatp-log {info,debug,verbose,error,trace,warning}

+On running this command for the first time, it installs a Profile configuration.

+Syntax that can be used to limit the number of events being reported by the auditD plugin. This option sets the rate limit globally for AuditD causing a drop in all the audit events. When the limiter is enabled the number of auditd events are limited to 2500 events/sec. This option can be used in cases where we see high CPU usage from AuditD side.

+This option enables you to skip the faulty rules added in the auditd rules file while loading them. This option allows the auditd subsystem to continue loading rules even if there's a faulty rule. This option summarizes the results of loading the rules. In the background, this option runs the auditctl with the -c option.

+ Description: The main HTML output file that contains the findings and guidance that the analyzer script run on the machine can produce.

+ Description: The performance test reports. You'll see this only if you're using the performance parameter.