- :::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-1.png" alt-text="Select your domain in Microsoft 365.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-2.png" alt-text="Select Start setup.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-3.png" alt-text="Select Connect, and then Allow.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-3.png" alt-text="Select Add record.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-4.png" alt-text="Select the TXT section.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-5.png" alt-text="Select Save.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-DomainConnects-2.png" alt-text="Select Start setup.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-3.png" alt-text="Select Add record.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-MX.png" alt-text="Select the MX section.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-MX-Save.png" alt-text="Select Save.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-Delete.png" alt-text="Select Delete record.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-Subdomains.png" alt-text="Select Subdomain.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-add-subdomains.png" alt-text="Select Add subdomains.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-3.png" alt-text="Select Add record.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-SPFTXT.png" alt-text="Select the SPF (TXT) section.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-SPFTXT-Save.png" alt-text="Select Save.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-Subdomains.png" alt-text="Select Subdomain.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-add-subdomains.png" alt-text="Select Add subdomains.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-3.png" alt-text="Select Add record.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-3.png" alt-text="Select Add record.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-SRV.png" alt-text="Select the SRV section.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-SRV-Save.png" alt-text="Select Save.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-1.png" alt-text="Select Domains and SSL.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-2.png" alt-text="Select DNS from the drop-down list.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-Subdomains.png" alt-text="Select Subdomain.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-add-subdomains.png" alt-text="Select Add subdomains.":::

- :::image type="content" source="../../media/dns-IONOS/IONOS-domains-3.png" alt-text="Select Add record.":::

-> - As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your organization. You can [take over a self-service purchase subscription](../../commerce/subscriptions/manage-self-service-purchases-admins.md#take-over-a-self-service-purchase-subscription), and then assign or unassign licenses.

-> - As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your organization. You can [take over a self-service purchase subscription](../../commerce/subscriptions/manage-self-service-purchases-admins.md#take-over-a-self-service-purchase-subscription), and then assign or unassign licenses.

-> For more information about security defaults and the policies they enforce, see [What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)

-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> with security administrator, Conditional Access administrator, or Global admin credentials.

-2. In the left pane, select **Show All,** and then under **Admin centers**, select **Azure Active Directory**.

-3. In the left pane of the **Azure Active Directory admin center,** select **Azure Active Directory**.

-4. From the left menu of the Dashboard, in the **Manage** section, select **Properties**.

- :::image type="content" source="../media/m365-campaigns-conditional-access/azure-ad-properties.png" alt-text="Screenshot of the Azure Active Directory admin center showing the location of the Properties menu item.":::

-5. At the bottom of the **Properties** page, select **Manage Security defaults**.

-6. In the right pane, you'll see the **Enable Security defaults** setting. If **Yes** is selected, then security defaults are already enabled and no further action is required. If security defaults are not currently enabled, then select **Yes** to enable them, and then select **Save**.

-description: "Admins can learn how to manage self-service purchases made by users in their organization."

-# Manage self-service purchases (Admin)

-As an admin, you can see self-service purchases made by people in your organization. You see the product name, purchaser name, subscriptions purchased, expiration date, purchase price, and assigned users for each self-service purchase. If required by your organization, you can turn off self-service purchasing on a per product basis via PowerShell. You have the same data management and access policies over products bought through self-service purchase or centrally.

-You can also control whether users in your organization can make self-service purchases. For more information, see [Use AllowSelfServicePurchase for the MSCommerce PowerShell module](allowselfservicepurchase-powershell.md).

-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

-## View who has licenses for a self-service purchase subscription

-> As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your organization. You can [take over a self-service purchase subscription](#take-over-a-self-service-purchase-subscription), and then assign or unassign licenses.

- > If there are multiple purchases for a product, that product is only listed once, and the **Available quantity** column shows the total of all subscriptions bought for that product.

-4. The **Users** list is grouped by the names of people who made self-service purchases.

-## Disable or enable self-service purchases

-You can disable or enable self-service purchases for users in your organization. The **MSCommerce** PowerShell module includes a **PolicyID** parameter value for **AllowSelfServicePurchase** that lets you control whether users in your organization can make self-service purchases, and for which products.

-> When you use the **AllowSelfServicePurchase** policy, it enables or disables both self-service purchases and self-service trials. For a list of the products available for self-service purchase, see [View a list of self-service purchase products and their status](allowselfservicepurchase-powershell.md#view-a-list-of-self-service-purchase-products-and-their-status). Only Project and Visio are available for trial subscriptions.

-You can assign existing licenses or purchase additional subscriptions through existing agreements for users assigned to self-service purchases. After you assign these centrally purchased licenses, you can request that purchasers cancel their existing subscriptions.

-1. In the admin center go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">Purchase services</a> page.

-4. Follow the steps in [View who has licenses for a self-service purchased subscription](#view-who-has-licenses-for-a-self-service-purchase-subscription) to export a list of users to reference in the next step.

-6. Contact the person who bought the self-service purchase subscription and ask them to [cancel it](manage-self-service-purchases-users.md#cancel-a-subscription).

-## Take over a self-service purchase subscription

-You can take over a self-service purchase subscription made by a user in your organization. When you take over a self-service purchase subscription, you have two options:

-2. Cancel the self-service purchase subscription and remove licenses from assigned users.

-When you move users to a different subscription, the old subscription is automatically canceled. The user who originally bought the self-service purchase subscription receives an email that says the subscription was canceled.

-9. On the subscription details page, the **Subscription status** for the self-service purchased subscription shows as **Deleted**.

-### Cancel a self-service purchase subscription

-When you choose to cancel a self-service purchase subscription, users with licenses lose access to the product. The user who originally bought the self-service purchase subscription receives an email that says the subscription was canceled.

-## Need help? Contact us.

-For common questions about self-service purchases, see [Self-service purchases FAQ](self-service-purchase-faq.yml).

-If you have questions or need help with self-service purchases, [contact support](../../admin/get-help-support.md).

-2. Run the policy in simulation mode, which typically completes within a day. The completed simulation triggers an email notification that's sent to the user configured to receive activity alerts.

-Simulation typically completes in a day. The completed simulation triggers an email notification that's sent to the user configured to receive [activity alerts](alert-policies.md).

- **Create an information management policy for a list or library** If your organization needs to apply a specific information management policy to a very limited set of content, you can create an information management policy that applies only to an individual list or library. This method of creating an information management policy is the least flexible, because the policy applies only to one location, and it cannot be exported or reused for other locations. However, sometimes you may need to create unique information management policies with limited applicability to address specific situations.

-> [!NOTE]

-> You can create an information management policy for a list or library only if that list or library does not support multiple content types. If a list or library supports multiple content types, you need to define an information management policy for each individual list content type that is associated with that list or library. (Instances of a site content type that are associated with a specific list or library are known as list content types.)

- To control which policies are used in a site collection, site collection administrators can disable the ability to set policy features directly on a list or library. When this restriction is in effect, users who manage lists or libraries are limited to selecting policies from the site collection Policies list.

-

-An information management policy is a set of rules for a type of content. Information management policies enable organizations to control and track things like how long content is retained or what actions users can take with that content. Information management policies can help organizations comply with legal or governmental regulations, or they can simply enforce internal business processes. For example, an organization that must follow government regulations requiring that they demonstrate "adequate controls" of their financial statements might create one or more information management policies that audit specific actions in the authoring and approval process for all documents related to financial filings. For how-to information, see [Create and apply information management policies.](intro-to-info-mgmt-policies.md#__top)

-

-This auditing information is visually represented in [content explorer](data-classification-content-explorer.md) and [activity explorer](data-classification-activity-explorer.md) to help you understand how your sensitivity labels are being used and where this labeled content is located.

-|[Audit label-related user activity](sensitivity-labels-office-apps.md#auditing-labeling-activities) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ | 2.46+ | 16.0.13628+ | Yes |

-|[Audit label-related user activity](sensitivity-labels-office-apps.md#auditing-labeling-activities) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.51+ ^\* | 4.2126+ | 4.2126+ | Yes |

-|[</li></ul>

-|Recommended identity and device access policies for three tiers of protection: <ul><li>Starting point</li><li>Enterprise (recommended)</li><li>Specialized</li></ul> <br> Additional recommendations for: <ul><li>External users (guests)</li><li>Microsoft Teams</li><li>SharePoint Online</li><li>Microsoft Defender for Cloud Apps</lu></ul>|Microsoft E3 or E5 <br><br> Azure Active Directory in either of these modes: <ul><li>Cloud-only</li><li>Hybrid with password hash sync (PHS) authentication</li><li>Hybrid with pass-through authentication (PTA)</li><li>Federated</li></ul>|Device enrollment for policies that require managed devices. See [Step 2. Manage endpoints with Intune](#step-2-manage-endpoints-with-intune) to enroll devices|

-| **[Defender for Business](mdb-overview.md)** (standalone) | **Antivirus, antimalware, and ransomware protection for devices**<ul><li>[Next-generation protection](../defender-endpoint/microsoft-defender-antivirus-in-windows-10.md) (antivirus/antimalware protection on devices together with cloud protection)</li><li>[Attack surface reduction](../defender-endpoint/overview-attack-surface-reduction.md) (network protection, firewall, and attack surface reduction rules) ^[[a](#fna)]</li><li>[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) (behavior-based detection and manual response actions)</li><li>[Automated investigation and response](../defender/m365d-autoir.md) (with self-healing for detected threats)</li><li>[Microsoft Defender Vulnerability Management](mdb-view-tvm-dashboard.md) (view exposed devices and recommendations)</li><li>[Cross-platform support for devices](mdb-onboard-devices.md) (Windows, Mac, iOS, and Android) ^[[b](#fnb)]</li><li>[Centralized management and reporting](mdb-get-started.md) (Microsoft 365 Defender portal)</li><li>[APIs for integration](../defender-endpoint/management-apis.md) (for Microsoft partners or your custom tools and apps)</li></ul> |

-| **[Microsoft 365 Business Premium](../../business-premium/index.md)** | **Defender for Business plus productivity and additional security capabilities**<ul><li>[Microsoft 365 Business Standard](../../admin/admin-overview/what-is-microsoft-365-for-business.md) (Office apps and services, and Microsoft Teams)</li><li>[Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (device onboarding and management)</li><li>[Shared computer activation](/deployoffice/overview-shared-computer-activation) (for deploying Microsoft 365 Apps)</li><li>[Windows 10/11 Business](../../business-premium/m365bp-upgrade-windows-10-pro.md) (upgrade from previous versions of Windows Pro)</li><li>[Windows Autopilot](/mem/autopilot/windows-autopilot) (for setting up and configuring Windows devices)</li><li>[Exchange Online Protection](../office-365-security/eop-about.md) (antiphishing, antispam, antimalware, and spoof intelligence for email)</li><li>[Microsoft Defender for Office 365 Plan 1](/microsoft-365/security/office-365-security/defender-for-office-365) (advanced antiphishing, real-time detections, Safe Attachments, Safe Links)</li><li>[Auto-expanding archiving](../../compliance/autoexpanding-archiving.md) (for email)</li><li>[Azure Active Directory Premium Plan 1](/azure/active-directory/fundamentals/active-directory-whatis) (identity management)</li><li>[Azure Information Protection Premium Plan 1](/azure/information-protection/what-is-information-protection) (protection for sensitive information)</li><li>[Azure Virtual Desktop](/azure/virtual-desktop/overview) (centrally managed, secure virtual machines in the cloud)</li></ul> |

-|[Centralized management](../defender-endpoint/manage-atp-post-migration.md) ^[[1](#fn1)] | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Simplified client configuration](mdb-simplified-configuration.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::| | |

-|[Microsoft Defender Vulnerability Management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::| |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md) ^[[2](#fn2)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Next-generation protection](../defender-endpoint/next-generation-protection.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) ^[[3](#fn3)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Automated investigation and response](../defender-endpoint/automated-investigations.md) ^[[4](#fn4)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: ||:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Threat hunting](../defender-endpoint/advanced-hunting-overview.md) and six months of data retention ^[[5](#fn5)] | | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Threat analytics](../defender-endpoint/threat-analytics.md) ^[[6](#fn6)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>(Windows, Mac, iOS, and Android OS) ^[[7](#fn7)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Microsoft Threat Experts](../defender-endpoint/microsoft-threat-experts.md)| | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|Partner APIs|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Microsoft 365 Lighthouse integration](../../lighthouse/m365-lighthouse-overview.md) <br/>(For viewing security incidents across customer tenants) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |

-| You currently have [Defender for Business](mdb-overview.md) or [Microsoft 365 Business Premium](../../business-premium/index.md), and you want to add on Microsoft Defender for Business servers. | <ol><li>In the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)), in the navigation pane, choose **Billing** > **Purchase services**.</li><li>In the list of results, select the **Details** box for **Microsoft Defender for Business servers**.</li><li>Review the information, and complete the purchase process. You'll need one Microsoft Defender for Business servers license for each instance of Windows Server or Linux. Note that you won't assign the Microsoft Defender for Business servers license to users or devices. </li><li>Proceed to onboard your server. To get help with this, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). </li></ol> |

-| You do not have either Defender for Business or Microsoft 365 Business Premium yet. | <ol><li>Go to one of the following product pages: <ul><li>[Microsoft Defender for Business](https://aka.ms/DefenderforBusiness)</li><li>[Microsoft 365 for business](https://www.microsoft.com/en-us/microsoft-365/business-h)</li></ul></li><li>Review the information, and start your subscription today.</li><li>Depending on what you selected in the previous steps, use one of the following resources to set up your subscription:<ul><li>[Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md)</li><li>[Set up and configure Microsoft 365 Business Premium](../../business-premium/index.md)</li></ul></li><li>Follow the steps in the preceding scenario ("You currently have Defender for Business or Microsoft 365 Business Premium and you want to add on Microsoft Defender for Business servers").</li></ol> |

- If you have Microsoft 365 Business Premium and you haven't set it up yet, see [Microsoft 365 Business Premium ΓÇô productivity and cybersecurity for small business](../../business-premium/index.md). This guidance walks you through how to set up and configure everything, including Defender for Business.

-4. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), where you'll view and manage security settings and devices for your organization.

-5. In the navigation bar, go to **Assets** > **Devices**. This action initiates the provisioning of Defender for Business for your tenant.

-When you use Defender for Business, you'll work with two main portals: the Microsoft 365 admin center, and the Microsoft 365 Defender portal. If your subscription also includes Microsoft Intune, you might use the Intune admin center instead. The following table summarizes these portals and how you'll use them.

-| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center to activate your trial and sign in for the first time.<p> You'll also use the Microsoft 365 admin center to: <ul><li>Add or remove users.</li><li>Assign user licenses.</li><li>View your products and services.</li><li>Complete setup tasks for your Microsoft 365 subscription.</li></ul>To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |

-| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to set up and configure Defender for Business.<p>You'll use the Microsoft 365 Defender portal to: <ul><li>View your devices and device protection policies.</li><li>View detected threats and take action.</li><li>View security recommendations and manage your security settings.</li></ul>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). |

-| The Intune admin center ([https://intune.microsoft.com/](https://intune.microsoft.com/)) | We recommend using the Microsoft 365 Defender portal to manage your security settings and devices. However, you can use the Intune admin center instead if you prefer. To learn more about Intune, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune). |

-As soon as you have signed up for Defender for Business, your first step is to add users and assign licenses. This article describes how to add users and includes next steps.

-| **Use the Microsoft 365 Defender portal** (*recommended*) | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) is a one-stop shop for managing your company's devices, security policies, and security settings. You can access your security policies and settings, use the [Microsoft Defender Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) all in one place. <p>If you're using Intune, devices that you onboard to Defender for Business and your security policies are visible in the Intune admin center. To learn more, see the following articles:<ul><li>[How default settings in Defender for Business correspond to settings in Microsoft Intune](mdb-next-gen-configuration-settings.md#how-default-settings-in-defender-for-business-correspond-to-settings-in-microsoft-intune)</li><li>[Firewall in Defender for Business](mdb-firewall.md)</li></ul> |

-| **Use Intune** | If your company is already using Intune to manage security policies, you can continue using it to manage your devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). <p>If you decide to switch to the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md), you'll be prompted to delete any existing security policies in Intune to avoid [policy conflicts](mdb-troubleshooting.yml) later. |

-| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) |<ol><li>Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.</li><li>In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.</li><li>Select an operating system tab (such as **Windows clients**).</li><li>Expand **Next-generation protection** to view your list of policies.</li><li>Select a policy to view more details about the policy.</li><li>To make changes or to learn more about policy settings, see the following articles: <ul><li>[View or edit device policies](mdb-view-edit-policies.md)</li><li>[Understand next-generation configuration settings](mdb-next-gen-configuration-settings.md)</li></ul></li><ol> |

-| Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) |For help with managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). <ol><li>Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.</li><li>Select **Endpoint security**.</li><li>Select **Antivirus** to view your policies in that category.</li></ol>|

-| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) |<ol><li>Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.</li><li>In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.</li><li>Select an operating system tab (such as **Windows clients**).</li><li>Expand **Firewall** to view your list of policies.</li><li>Select a policy to view the details. </li><li>To make changes or to learn more about policy settings, see the following articles:<ul><li>[View or edit device policies](mdb-view-edit-policies.md)</li><li>[Firewall settings](mdb-firewall.md)</li><li>[Manage your custom rules for firewall policies](mdb-custom-rules-firewall.md)</li><ul></li><ol> |

-| Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) |For help with managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). <ol><li>Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.</li><li>Select **Endpoint security**.</li><li>Select **Firewall** to view your policies in that category. Custom rules that are defined for firewall protection are listed as separate policies.</li></ol>|

-Web content filtering enables your security team to track and regulate access to websites based on content categories, such as:

-| **Automated Investigation** <br/>(turned on by default) | As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action and then takes or recommends remediation actions, such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL. While an investigation is running, any related alerts that arise are added to the investigation until it's completed. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.<p>You can view investigations on the **Incidents** page. Select an incident, and then select the **Investigations** tab.<p>By default, automated investigation and response capabilities are turned on, tenant wide. **We recommend keeping automated investigation turned on**. If you turn it off, real-time protection in Microsoft Defender Antivirus will be affected, and your overall level of protection will be reduced. <p>[Learn more about automated investigations](../defender-endpoint/automated-investigations.md). |

-| **Live Response** | Defender for Business includes the following types of manual response actions: <ul><li>Run antivirus scan</li><li>Isolate device</li><li>Stop and quarantine a file</li><li>Add an indicator to block or allow a file</li></ul> <p>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |

-| **Enable EDR in block mode**<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus isn't the primary antivirus product and is running in passive mode on a device. Endpoint detection and response (EDR) in block mode works behind the scenes to remediate malicious artifacts detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product.<p>[Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). |

-| **Allow or block a file** <br/>(turned on by default) | Enables you to allow or block a file by using [indicators](../defender-endpoint/indicator-file.md). This capability requires Microsoft Defender Antivirus to be in active mode and [cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md) turned on.<p>Blocking a file prevents it from being read, written, or executed on devices in your organization. <p>[Learn more about indicators for files](../defender-endpoint/indicator-file.md). |

-| **Custom network indicators**<br/>(turned on by default) | Enables you to allow or block an IP address, URL, or domain by using [network indicators](../defender-endpoint/indicator-ip-domain.md). This capability requires Microsoft Defender Antivirus to be in active mode and [network protection](../defender-endpoint/enable-network-protection.md) turned on.<p>You can allow or block IPs, URLs, or domains based on your threat intelligence. You can also prompt users if they open a risky app, but the prompt won't stop them from using the app.<p>[Learn more about network protection](../defender-endpoint/network-protection.md). |

-| **Tamper protection**<br/>(we recommend you turn on this setting) | Tamper protection prevents malicious apps from doing actions such as:<ul><li>Disable virus and threat protection</li><li>Disable real-time protection</li><li>Turn off behavior monitoring</li><li>Disable cloud protection</li><li>Remove security intelligence updates</li><li>Disable automatic actions on detected threats</li></ul><p>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values and prevents your security settings from being changed by apps and unauthorized methods. <p>[Learn more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |

-| **Show user details**<br/>(turned on by default) | Enables people in your organization to see details, such as employees' pictures, names, titles, and departments. These details are stored in Azure Active Directory (Azure AD).<p>[Learn more about user profiles in Azure AD](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). |

-| **Skype for Business integration**<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). <p>Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. |

-| **Device discovery**<br/>(turned on by default) | Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network, whether it's an unpatched printer, a network device with a weak security configuration, or a server with no security controls.<p>Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability. <p>[Learn more about device discovery](../defender-endpoint/device-discovery.md). |

-| **Preview features** | Microsoft is continually updating services such as Defender for Business to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience. <p>[Learn more about preview features](../defender-endpoint/preview.md). |

-| **Custom rules** | [Custom rules](mdb-custom-rules-firewall.md) let you block or allow specific connections. For example, suppose that you want to block all incoming connections on devices that are connected to a private network except for connections through a specific app on a device. In this case, you'd set **Private network** to block all incoming connections, and then add a custom rule to define the exception. <p>You can use custom rules to define exceptions for specific files or apps, an Internet protocol (IP) address, or a range of IP addresses. Depending on the type of custom rule you're creating, here are some examples of values you could use:<ul><li>Application file path: `C:\Windows\System\Notepad.exe or %WINDIR%\Notepad.exe`</li><li>IP: A valid IPv4/IPv6 address, such as `192.168.11.0` or `192.168.1.0/24`</li><li>IP: A valid IPv4/IPv6 address range, formatted like `192.168.1.0-192.168.1.9` (with no spaces included)</li></ul> |

-| **Turn on real-time protection** | Enabled by default, real-time protection locates and stops malware from running on devices. *We recommend keeping real-time protection turned on.* When real-time protection is turned on, it configures the following settings: <ul><li>Behavior monitoring is turned on ([AllowBehaviorMonitoring](/windows/client-management/mdm/policy-csp-defender#defender-allowbehaviormonitoring)).</li><li>All downloaded files and attachments are scanned ([AllowIOAVProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowioavprotection)).</li><li>Scripts that are used in Microsoft browsers are scanned ([AllowScriptScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowscriptscanning)).</li></ul> |

-| **Block at first sight** | Enabled by default, block at first sight blocks malware within seconds of detection, increases the time (in seconds) allowed to submit sample files for analysis, and sets your detection level to High. *We recommend keeping block at first sight turned on.*<br/><br/>When block at first sight is turned on, it configures the following settings for Microsoft Defender Antivirus:<ul><li>Blocking and scanning of suspicious files is set to the High blocking level ([CloudBlockLevel](/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel)).</li><li>The number of seconds for a file to be blocked and checked is set to 50 seconds ([CloudExtendedTimeout](/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout)).</li></ul> <br/>**Important** If block at first sight is turned off, it affects `CloudBlockLevel` and `CloudExtendedTimeout` for Microsoft Defender Antivirus. |

-| **Turn on network protection** | When turned on, network protection helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet. It also prevents users from turning network protection off.<br/><br/>Network protection can be set to the following modes:<ul><li>**Block mode** is the default setting. It prevents users from visiting sites that are considered unsafe. *We recommend keeping network protection set to Block mode.*</li><li>**Audit mode** allows users to visit sites that might be unsafe and tracks network activity to/from such sites.</li><li>**Disabled mode** neither blocks users from visiting sites that might be unsafe nor tracks network activity to/from such sites.</li></ul> |

-| **Action to take on potentially unwanted apps (PUA)** | PUA can include advertising software; bundling software that offers to install other, unsigned software; and evasion software that attempts to evade security features. Although PUA isn't necessarily a virus, malware, or other type of threat, it can affect device performance. PUA protection blocks items that are detected as PUA. You can set PUA protection to the following modes: <ul><li>**Enabled** is the default setting. It blocks items detected as PUA on devices. *We recommend keeping PUA protection enabled.*</li><li>**Audit mode** takes no action on items detected as PUA.</li><li>**Disabled** doesn't detect or take action on items that might be PUA.</li></ul> |

-| **Scheduled scan type** | Consider running a weekly antivirus scan on your devices. You can choose from the following scan type options:<ul><li>**Quickscan** checks locations, such as registry keys and startup folders, where malware could be registered to start along with a device. *We recommend using the quickscan option.* </li><li>**Fullscan** checks all files and folders on a device.</li><li>**Disabled** means no scheduled scans will take place. Users can still run scans on their own devices. (In general, we don't recommend disabling scheduled scans.)</li></ul><br/> [Learn more about scan types](../defender-endpoint/schedule-antivirus-scans.md). |

-| **Use low performance** | This setting is turned off by default. *We recommend keeping this setting turned off.* However, you can turn on this setting to limit the device memory and resources that are used during scheduled scans. **Important** If you turn on **Use low performance**, it configures the following settings for Microsoft Defender Antivirus:<ul><li>Archive files aren't scanned ([AllowArchiveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowarchivescanning)).</li><li>Scans are assigned a low CPU priority ([EnableLowCPUPriority](/windows/client-management/mdm/policy-csp-defender#defender-enablelowcpupriority)).</li><li>If a full antivirus scan is missed, no catch-up scan will run ([DisableCatchupFullScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan)).</li><li>If a quick antivirus scan is missed, no catch-up scan will run ([DisableCatchupQuickScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan)).</li><li>Reduces the average CPU load factor during an antivirus scan from 50 percent to 20 percent ([AvgCPULoadFactor](/windows/client-management/mdm/policy-csp-defender#defender-avgcpuloadfactor)).</li></ul> |

-| **Active mode** <br/>(*recommended*) | Microsoft Defender Antivirus is used as the antivirus app on the machine. Files are scanned, threats are remediated, and detection information is reported in the Microsoft 365 Defender portal and in the Windows Security app on a device running Windows.<br/><br/>We recommend running Microsoft Defender Antivirus in active mode so that devices onboarded to Defender for Business will get all of the following types of protection: <ul><li>**Real-time protection**, which locates and stops malware from running on devices. </li><li>**Cloud protection**, which works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected.</li><li>**Network protection**, which helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet.</li><li>**Web content filtering**, which regulates access to websites based on content categories (such as adult content, high bandwidth, and legal liability) across all browsers.</li><li>**Protection from potentially unwanted applications**, such as advertising software, bundling software that offers to install other, unsigned software, and evasion software that attempts to evade security features.</li></ul> |

-Defender for Business is a new endpoint security solution that was designed especially for the small- and medium-sized business (up to 300 employees). With this endpoint security solution, your company's devices are better protected from ransomware, malware, phishing, and other threats.

-This article describes what's included in Defender for Business, with links to learn more about these features and capabilities.

-| [Microsoft 365 Business Premium and Defender for Business partner webinar series](https://aka.ms/M365MDBseries) | This webinar series provides: <ul><li>Practical guidance about how to have conversations with your customers about security and drive upsell to Microsoft 365 Business Premium. </li><li>Demos and deep dive walkthroughs for Microsoft 365 Lighthouse and Defender for Business. </li><li>A panel of experts to help answer your questions.</li></ul> |

-| [Microsoft 365 Business Premium partner playbook and readiness series](https://aka.ms/M365BPPartnerPlaybook) | Practical guidance on building a profitable managed services practice, with: <ul><li>Examples of successful managed service offerings from industry experts and peers. </li><li>Technical enablement and checklists from Microsoft experts. </li><li>Sales enablement and customer conversation aids to help you market your solution. </li></ul> |

-| Datacenter | One of the following datacenter locations: <ul><li>European Union</li><li>United Kingdom</li><li>United States</li></ul> |

-| User accounts |<ul><li>User accounts are created in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).</li><li>Licenses for Defender for Business (or Microsoft 365 Business Premium) are assigned in the Microsoft 365 admin center.</li></ul>To get help with this task, see [Add users and assign licenses](mdb-add-users.md). |

-| Permissions | To sign up for Defender for Business, you must be a Global Admin.<br/><br/>To access the Microsoft 365 Defender portal, users must have one of the following [roles in Azure AD](mdb-roles-permissions.md) assigned:<ul><li>Security Reader</li><li>Security Admin</li><li>Global Admin</li></ul>To learn more, see [Roles and permissions in Defender for Business](mdb-roles-permissions.md). |

-| Client device operating system | To manage devices in the Microsoft 365 Defender portal, your devices must be running one of the following operating systems: <ul><li>Windows 10 or 11 Business</li><li>Windows 10 or 11 Professional</li><li>Windows 10 or 11 Enterprise</li><li>Mac (the three most-current releases are supported)</li></ul>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on the Windows devices. <br/><br/>If you're already managing devices in Microsoft Intune, you can continue to use it.^[[1](#fn1)] In that case, the following other operating systems are supported: <ul><li>iOS and iPadOS</li><li>Android OS</li></ul> |

-| Server requirements | To onboard a device running Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business-servers.md)^[[2](#fn2)].<br/><br/>Windows Server endpoints must meet the [requirements for Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements#hardware-and-software-requirements), and enforcement scope must be turned on.<ol><li>In the Microsoft 365 Defender portal, go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**.</li><li>Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**. </li><li>Select **Save**.</li></ol>Linux Server endpoints must meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites).|

-| [Automated investigations](../defender-endpoint/automated-investigations.md) |<ul><li>Quarantine a file</li><li>Remove a registry key</li><li>Kill a process</li><li>Stop a service</li><li>Disable a driver</li><li>Remove a scheduled task </li></ul> |

-| [Manual response actions](../defender-endpoint/respond-machine-alerts.md) |<ul><li>Run antivirus scan</li><li>Isolate a device</li><li>Add an indicator to block or allow a file</li></ul> |

-| [Live response](../defender-endpoint/live-response.md) |<ul><li>Collect forensic data</li><li>Analyze a file</li><li>Run a script</li><li>Send a suspicious entity to Microsoft for analysis</li><li>Remediate a file </li><li>Proactively hunt for threats</li></ul>|

-| **Global administrators** (also referred to as global admins) <p> *As a best practice, limit the number of global admins.* | Global admins can perform all kinds of tasks. The person who signed up your company for Microsoft 365 or for Defender for Business is a global administrator by default. <p> Global admins are able to modify settings across all Microsoft 365 portals, such as: <ul><li>The Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))</li><li>Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))</li></ul> |

-| **Security administrators** (also referred to as security admins) | Security admins can perform the following tasks: <ul><li>View and manage security policies</li><li>View and manage security threats and alerts (these activities include taking response actions on endpoints)</li><li>View security information and reports</li></ul> |

-| **Security reader** | Security readers can perform the following tasks:<ul><li>View security policies</li><li>View security threats and alerts</li><li>View security information and reports</li></ul> |

-Defender for Business provides a streamlined setup and configuration experience, designed especially for the small and medium-sized business. Use this article as a guide for the overall process.

-The following diagram depicts the overall setup and configuration process for Defender for Business. If you used the setup wizard, then you've likely already completed steps 1-3, and possibly step 4.

-| 1 | [Get Defender for Business](get-defender-business.md) | Start a trial or paid subscription today. See [Get Microsoft Defender for Business](get-defender-business.md). |

-| 2 | [Add users and assign licenses](mdb-add-users.md) | Assign a license for Defender for Business (or Microsoft 365 Business Premium) to each member of your organization to protect their devices. See [Add users and assign licenses in Microsoft Defender for Business](mdb-add-users.md). |

-| 3 | [Assign security roles](mdb-roles-permissions.md) | People on your security team need certain permissions to perform tasks, such as reviewing detected threats & remediation actions, viewing & editing policies, onboarding devices, and using reports. You can grant these permissions through roles. See [Assign roles and permissions](mdb-roles-permissions.md). <p>You can also set up email notifications for your security team. See [Set up email notifications](mdb-email-notifications.md). |

-| The simplified configuration experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | The simplified configuration experience includes a [wizard-like experience](mdb-use-wizard.md) to help you set up and configure Defender for Business. Simplified configuration also includes default security settings and policies to help protect your company's devices as soon as they're onboarded to Defender for Business. You can view and edit your default policies to suit your business needs. To learn more, see [View or edit device policies in Microsoft Defender for Business](mdb-view-edit-policies.md).<br/><br/>With the simplified experience, your security team uses the Microsoft 365 Defender portal as a one-stop shop to: <ul><li>Set up and configure Defender for Business</li><li>View and manage incidents</li><li>Respond to and mitigate threats</li><li>View reports</li><li>Review pending or completed actions |

-| **Microsoft Defender Vulnerability Management(core scenarios)** | Learn about Defender Vulnerability Management through three scenarios:<ol><li>Reduce your company's threat and vulnerability exposure.</li><li>Request a remediation.</li><li>Create an exception for security recommendations.</li></ol> <p> Defender Vulnerability Management uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. |

-Defender for Business was designed to save small and medium-sized businesses time and effort. For example, you can do initial setup and configuration with a setup wizard. The setup wizard guides you through granting access to your security team, setting up email notifications for your security team, and onboarding your company's Windows devices.

-If your company has been using Microsoft 365 Business Premium, the Defender for Business setup wizard will run the first time someone goes to **Assets** > **Devices**.

-### September-2022 (Platform: 4.18.2209.7 | Engine: 1.1.19700.3)

-#### What's new

-#### Known Issues

-### Previous version updates: Technical upgrade support only

-After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.

-You can receive Defender Experts Notifications from Defender Experts through the following mediums:

-The following diagram shows which tier of protections each policy applies to and whether the policies apply to PCs or phones and tablets, or both categories of devices.

-## Three tiers of protection

-## Applying these capabilities across the three tiers of protection

-The following table summarizes our recommendations for using these capabilities across the three tiers of protection.

-|[</li></ul>|

-