Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
admin | Add Partner | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/add-partner.md | A Microsoft authorized partner can act as your subscription advisor and provide ## Before you begin - [Find out what type of billing account you have](../../commerce/manage-billing-accounts.md#view-my-billing-accounts).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor, a Billing profile owner or contributor, or an Invoice manager to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../../commerce/manage-billing-accounts.md) and [Understand your Microsoft business billing profile](../../commerce/billing-and-payments/manage-billing-profiles.md).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor, a Billing profile owner or contributor, or an Invoice manager to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../../commerce/manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](../../commerce/billing-and-payments/manage-billing-profiles.md). - If you have a Microsoft Online Subscription Agreement (MOSA), you must be a Global or Billing admin to do the tasks in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../add-users/about-admin-roles.md). > [!NOTE] |
commerce | Add Storage Space | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/add-storage-space.md | If you start to run out of storage for your SharePoint sites, you can use the Of ## Before you begin - [Find out what type of billing account you have.](manage-billing-accounts.md#view-my-billing-accounts).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](manage-billing-accounts.md) and [Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md). - If you have a Microsoft Online Subscription Agreement (MOSA), you must be a global or billing admin to do the tasks in this article. For more information, see [About admin roles](../admin/add-users/about-admin-roles.md). > [!NOTE] |
commerce | Change Your Billing Addresses | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses.md | In most cases, these addresses are the same. If you need to change one or more o ## Before you begin - [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to do the tasks in this article. For more information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](manage-billing-profiles.md). - If you have a Microsoft Online Services Agreement (MOSA) billing account type, you must be a global or billing admin to do the tasks in this article. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to do the tasks in this article. For more information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Understand your Microsoft business billing profile](manage-billing-profiles.md). > [!NOTE] > If you're the person who signed up for the subscription, you're automatically a billing account owner or global admin. You can change your **Bill to** address in the Microsoft 365 admin center. Howev **If you have an MCA billing account type:** -1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. 
- - If youΓÇÖre using the **Simplified view**, select **Billing**, then select **View payment methods**. - - If youΓÇÖre using the **Dashboard view**, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page. -2. On the **Bills & payments** page, select the **Billing profile** tab. -3. Select a billing profile. -4. On the billing profile details page, under **Bill-to address**, select **Edit**. -5. In the **Edit bill-to address** pane, update your organization information, then select **Save**. +1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Billing accounts</a> page. +2. On the **Overview** tab, select a billing account. +3. On the billing account details page, select the **Billing profiles** tab. The tab lists all billing profiles associated with the selected billing account. +4. Select a billing profile name to view its details page. +5. On the billing profile details page, under **Bill-to address**, select **Edit**. +6. In the **Edit bill-to address** pane, update your organization information, then select **Save**. **If you have an MOSA billing account type:** -1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.admin center. +1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>. - If youΓÇÖre using the **Simplified view**, select **Billing**, then select **View payment methods**. - If youΓÇÖre using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page. 2. On the **Bills & payments** page, select the **Payment methods** tab. You can change your **Bill to** address in the Microsoft 365 admin center. 
Howev If you have an MOSA billing account type, you can change the service usage address for a subscription. What type of billing account do I have? -1. Go to the admin center. +1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>. - If youΓÇÖre using the **Simplified view**, select **Billing**. - If youΓÇÖre using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. Select the subscription to change. |
commerce | Manage Billing Notifications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-notifications.md | If you have an MCA billing account type, billing notification emails are sent to - Billing profile contributor - Invoice manager -To learn more about billing profile roles and how to manage them, see [Understand Microsoft Customer Agreement administrative roles in Azure](/azure/cost-management-billing/manage/understand-mca-roles). --To change the billing profile roles assigned to users, use the following steps. +To change the billing profile roles assigned to users, see [Assign billing profile roles](manage-billing-profiles.md#assign-billing-profile-roles). -1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page. -2. On the **Billing profile** tab, select a billing profile. -3. In the **Billing profile roles** section, assign or remove roles for **Billing profile owner**, **Billing profile contributor**, or **Invoice manager**. +To learn more about billing profile roles and how to manage them, see [Understand Microsoft Customer Agreement administrative roles in Azure](/azure/cost-management-billing/manage/understand-mca-roles). ### If you have an MOSA billing account type |
commerce | Manage Billing Profiles | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-profiles.md | Title: Understand your Microsoft business billing profile + Title: "Manage your Microsoft business billing profiles" f1.keywords: - 'MACBillingBillsPaymentsBillingProfiles' +- admindeeplinkMAC - AdminSurgePortfolio - AdminTemplateSet search.appverid: MET150 description: "Learn about billing profiles and how they're used to pay invoices for Microsoft business accounts." Previously updated : 07/11/2023 Last updated : 02/16/2024 -# Understand your Microsoft business billing profile +# Manage your Microsoft business billing profiles -A billing profile contains payment method and invoice information associated with your billing account. You use a billing profile to pay for business products and services that you buy from Microsoft. A billing profile is automatically created when a billing account is created. For information about billing accounts, see [Understand your Microsoft billing account](../manage-billing-accounts.md). +A billing profile contains payment method and invoice information associated with your Microsoft business billing account. You use a billing profile to pay for business products and services that you buy from Microsoft. A billing profile is automatically created when a billing account is created, and you can add new billing profiles at any time. For information about billing accounts, see [Understand your Microsoft billing account](../manage-billing-accounts.md). -> [!NOTE] +> [!IMPORTANT] >-> Not all accounts have a billing profile. If you're not sure if you have a one, you can [view a list of your billing profiles](manage-billing-profiles.md#view-your-billing-profiles). +> This article only applies to customers with a Microsoft Customer Agreement billing account type. ## Before you begin -- You must be a Global or Billing admin to do the tasks in this article. 
For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).-- You must also have any role on the billing account or billing profile. For more information, see [What are billing profile roles?](#what-are-billing-profile-roles) and [What are billing account roles?](../manage-billing-accounts.md#what-are-billing-account-roles)+- [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts). +- You must have a Microsoft Customer Agreement (MCA) billing account type, and be a billing profile owner or contributor to do the tasks in this article. For more information, see [What are billing profile roles?](#what-are-billing-profile-roles). + +> [!NOTE] +> If you're the person who signed up for the subscription, you're automatically a billing profile owner. ## View your billing profiles -> [!NOTE] -> -> If you follow these steps and the billing profiles list is empty, it means that you don't have a billing profile, and can't use this feature. --1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. - - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**. - - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page. -2. On the **Bills & payments** page, select the **Billing profile** tab. -3. Select a billing profile name to view its details page. +1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, then go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Billing accounts</a> page. +2. On the **Overview** tab, select a billing account. +3. On the billing account details page, select the **Billing profiles** tab. 
The tab lists all billing profiles associated with the selected billing account. +4. Select a billing profile name to view its details page. ## Understand the billing profile details page -The top of the **Billing profile** details page contains information about the payment method used to pay for the products and services that you buy, and shows details about how we invoice you. You can update your profile to change your payment method, Bill-to address, email address, and phone number. +The billing profile details page contains details like the billing profile name, status, the associated billing account, and address information. The details page also contains information about the invoice, billing notification settings, and payment method used to pay for the products and services that you buy. You can update your billing profile to change certain things like the profile name, the Bill-to address, and invoice and billing notification settings. -The following table lists the terms shown on the **Billing profile** details page. +The following table lists the terms shown on the billing profile details page. |Field name |Description | |-||-|Name |The name of your billing profile. To change the name, select **Update name**. | +|Billing profile ID |A read-only field that contains the unique identifier for the billing profile. | +|Name |The name of your billing profile. To change the name, select **Edit name**. | |Status |A read-only field that shows the status of the billing profile. |-|Invoice currency |The currency used for your invoice, based on the **Sold-to** country or region of the billing account. | -|Payment method |The payment method used for the billing profile. To make changes, select **Edit** or **Replace**. | -|Invoice frequency |Shows how often you receive an invoice. | -|Backup payment method |Shows the backup payment method, if one exists. | -|Invoice date |Shows the date the invoice is created. 
| -|Billing account |The billing account thatΓÇÖs associated with the billing profile. To view details about the billing account, select the link. For more information about billing accounts, see [Understand billing accounts](../manage-billing-accounts.md). | -|Get invoices in email statements |A setting you can turn on to receive the invoice as an email attachment. The default setting is **On**. | -|Bill-to address |Contains the contact name, address, email address, and phone number for the billing profile. | -|PO number (optional) |If you provide a purchase order (PO) number in this field, it appears on your invoice. | +|Billing account |The billing account associated with the billing profile. To view details about the billing account, select the link. For more information about billing accounts, see [Understand billing accounts](../manage-billing-accounts.md). | +|My role |A read-only field that shows your billing profile role. | +|Bill-to address |Contains the contact name, address, email address, and phone number for the billing profile. To make changes to the address details, select **Edit**. | +|Get invoices in email statements |A setting you can turn on to receive the invoice as an email attachment. The default setting is **On**. To turn this setting on or off, select **Edit settings**. | +|Additional recipients | The list of people who also receive a copy of the invoice by email. | +|Billing notification settings |A link to the **Billing notifications** page where you can edit notification settings, edit the organization email address, and manage the list of admins who receive billing notifications. To make changes, select **Edit settings**. | +|Invoice currency |The currency used for your invoice, based on the **Sold-to** country/region of the billing account. | +|Payment method |The payment method used by the billing profile. To make changes to the payment method, select **Edit** or **Replace**. 
| +|PO number (optional) |A purchase order (PO) number that you create to track changes for the billing profile. If you add a PO number in this field, it appears on your invoice. To add a PO number, select **Edit**. | ++## Add a billing profile ++1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Billing accounts</a> page. +2. On the **Overview** tab, select a billing account. +3. On the billing account details page, select the **Billing profiles** tab, then select **Add a billing profile.** +4. On the **Basic information** page, enter a name for the new billing profile, then select **Next**. +5. On the **Address information** page, to use the sold-to address for the bill-to address, select the **Same as sold-to address** check box. To add a new address, select **Add bill-to address**, enter the new address information, then select **Save**. +6. To use the bill-to address for the ship-to address, select the **Same as bill-to address** check box. To add a new address, select **Add ship-to address**, enter the new address information, then select **Save**. +7. Select **Next**. +8. On the **How to pay** page, select an existing payment method from the **Choose a card** drop-down list. To add a new payment method, select **Add a card**. +9. Select **Next**. +10. On the **Invoice settings** page, enter any other recipients that you want to receive the invoice. +11. If you want to include a purchase order number on your invoice, enter it in the **Purchase order number** text box. +12. Select **Next**. +13. On the **Review and finish** page, review the information and settings you entered for the new billing profile. You can edit everything except the associated billing account name on this page. When youΓÇÖre ready, select **Finish**. +14. After the billing profile is ready, select **Done**. 
## What are billing profile roles? -The bottom of the **Billing profile** details page contains the **Billing profile roles** section. This section lists the names of the users assigned to specific billing profile roles. Billing profile roles have permissions to control purchases, and view and manage invoices. You can assign these roles to users who track, organize, and pay invoices. --Only a billing profile owner can grant access to billing profile roles. You can assign the following roles to users: +Billing profile roles have permissions to control purchases, and view and manage invoices. You can assign these roles to users who track, organize, and pay invoices. Only a billing profile owner can grant access to billing profile roles. You can assign the following roles to users: | Role | Description | |-- | | Only a billing profile owner can grant access to billing profile roles. You can > > Billing profile roles only apply to billing profiles, and don't apply to other Microsoft 365 admin center scenarios. +## View users and their billing profile roles ++1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Billing accounts</a> page. +2. On the **Overview** tab, select a billing account. +3. On the billing account details page, select the **Billing profiles** tab. +4. Select a billing profile name. +5. On the billing profile details page, select the **Billing profile roles** tab. + ## Assign billing profile roles > [!NOTE] > > You can only assign billing profile roles to users in your organization. -1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>. - - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**. 
- - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page. -2. On the **Bills & payments** page, select the **Billing profile** tab. -3. Select a billing profile name to view its details page. -4. On the **Billing profile** details page, under **Billing profile roles**, select **Assign roles**. -5. In the **Assign roles** pane, type the name or email address, select the role you want to assign to them, then select **Assign**. +1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Billing accounts</a> page. +2. On the **Overview** tab, select a billing account. +3. On the billing account details page, select the **Billing profiles** tab. +4. Select a billing profile name to view its details page, then select the **Billing profile roles** tab. +5. To assign a new user role, select **Assign roles**. In the **Assign roles** pane, enter the name or email address, select the roles you want the user to have, then select **Assign**. +6. To change the roles for a current user, select their name from the list. In the **Edit roles** pane, change the roles assigned to the user, then select **Save**. +7. In the **Assign roles** pane, type the name or email address, select the role you want to assign to them, then select **Assign**. ## View related role assignments You can view the roles assigned to users for a billing account and related billing profiles across associated tenants. -1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>. - - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**. 
- - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page. -2. On the **Bills & payments** page, select the **Billing profile** tab. -3. Select a billing profile name to view its details page. -4. On the **Billing profile** details page, under **Billing profile roles**, select **View related role assignments**. +1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Billing accounts</a> page. +2. On the **Overview** tab, select a billing account. +3. On the billing account details page, select the **Billing profiles** tab. +4. Select a billing profile name to view its details page, then select the **Billing profile roles** tab. +5. Select **View related role assignments**. To export the information shown in the **Related billing role assignments** pane, select **Export to CSV**. |
commerce | Manage Multi Tenant Billing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-multi-tenant-billing.md | As a Global administrator of an associated billing tenant, you can accept or dec ## Related articles [Understand your Microsoft business billing account](../manage-billing-accounts.md) (article)\-[Understand your Microsoft business billing profile](manage-billing-profiles.md)(article) +[Manage your Microsoft business billing profiles](manage-billing-profiles.md)(article) |
commerce | Manage Payment Methods | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-payment-methods.md | -When you buy Microsoft business products or services, you can use an existing payment method to pay for then, or add a new one. You can use a credit or debit card to pay for the things you buy. +When you buy Microsoft business products or services, you can use an existing payment method to pay for them, or add a new one. You can use a credit or debit card to pay for the things you buy. > [!IMPORTANT] > When you buy Microsoft business products or services, you can use an existing pa ## Before you begin - [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to dp the tasks in this article. For more information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Understand your Microsoft business billing profile](manage-billing-profiles.md).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to dp the tasks in this article. For more information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](manage-billing-profiles.md). - If you have a Microsoft Online Subscription Agreement (MOSA), you must be a global or billing admin to do the tasks in this article. 
For more information, see [[About admin roles]](../../admin/add-users/about-admin-roles.md).-- If you have an MCA billing account type and youΓÇÖre a billing profile owner or contributor, you can use the billing profile that's backed by a credit or debit card or invoice payment to make purchases or pay bills. If you're a billing invoice manager, you can only use a billing profile to pay bills. To learn more about billing profiles and roles, see [Understand your Microsoft business billing profile](manage-billing-profiles.md).+- If you have an MCA billing account type and youΓÇÖre a billing profile owner or contributor, you can use the billing profile that's backed by a credit or debit card or invoice payment to make purchases or pay bills. If you're a billing invoice manager, you can only use a billing profile to pay bills. To learn more about billing profiles and roles, see [Manage your Microsoft business billing profiles](manage-billing-profiles.md). > [!NOTE] > If you're the person who signed up for the subscription, you're automatically a billing account owner or global admin. When you replace an existing payment method, you can add a new one, or use a pay If you have an MCA billing account type, you can replace the payment method that's linked with a billing profile. -1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>. - - If you're using the **Simplified view**, select **Billing** > **View payment methods**. - - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page. -2. Select the **Billing profiles** tab, then select the billing profile to update. -3. On the **Billing profile** page, under **Payment method**, select **Replace**. -4. If you need to add a new payment method first, select **Add payment method**, enter the details, then select **Save**. -5. 
In the **Replace payment method** pane, select a different payment method from the drop-down list, then select **Replace**. +1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Billing accounts</a> page. +2. On the **Overview** tab, select a billing account. +3. On the billing account details page, select the **Billing profile** tab. The tab lists all billing profiles associated with the selected billing account. +4. Select a billing profile name to view its details page. +5. On the billing profile details page, in the **Invoice and billing notifications** section, under **Payment method**, select **Replace**. +6. Select a new payment method from the drop-down list. If you need to add a new payment method first, select **Add payment method**, enter the details, then select **Save**. +7. In the **Replace payment method** pane, select a different payment method from the drop-down list, then select **Replace**. ### Replace the payment method for a single subscription If a payment method is attached to any subscriptions or billing profiles, first ## Related content [Payment options for your Microsoft business subscription](pay-for-your-subscription.md) (article) \-[Understand your Microsoft business billing profile](manage-billing-profiles.md) (article) \ +[Manage your Microsoft business billing profiles](manage-billing-profiles.md) (article) \ [Change your billing frequency](change-payment-frequency.md) (article) |
commerce | Pay For Your Subscription | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription.md | You can manage payment methods whenever you need to. To learn how to add, change ## Before you begin - [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor, a Billing profile owner or contributor, or an Invoice manager to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Understand your Microsoft business billing profile](manage-billing-profiles.md).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor, a Billing profile owner or contributor, or an Invoice manager to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](manage-billing-profiles.md). - If you have a Microsoft Online Subscription Agreement (MOSA), you must be a Global or Billing admin to do the tasks in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md). > [!NOTE] |
commerce | Understand Your Invoice | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice.md | The top of the first page of your invoice identifies who's accountable for payme | Term | Description | | | | | Sold to |The billing account that identifies the name and address of the legal entity responsible for payment. This information is managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2084771" target="_blank">Billing accounts</a> page, where you can find the account agreement and manage roles and permissions. |-| Bill to |Identifies who receives the invoice. This information is managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page. The billing profile is also shown on the online invoice page, in the **Invoice summary** section. To learn more about billing profiles, see [Understand your Microsoft business billing profile](manage-billing-profiles.md). | -| Billing Profile |The name of the billing profile used to define invoice properties like **Bill to**, **PO number**, and payment terms. This information is managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page. For more information about billing profiles, see [Understand your Microsoft business billing profile](manage-billing-profiles.md). | +| Bill to |Identifies who receives the invoice. This information is managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page. The billing profile is also shown on the online invoice page, in the **Invoice summary** section. To learn more about billing profiles, see [Manage your Microsoft business billing profiles](manage-billing-profiles.md). | +| Billing Profile |The name of the billing profile used to define invoice properties like **Bill to**, **PO number**, and payment terms. 
This information is managed on the billing profiles page. For more information about billing profiles, see [Manage your Microsoft business billing profiles](manage-billing-profiles.md). | | Invoice number |A unique, Microsoft-generated invoice number used for tracking purposes. | | Invoice date |Date that the invoice is generated, typically five to 12 days after the end of the billing cycle. You can check your invoice date on the billing profile details page. Charges that occur between the end of the billing period and the invoice date are included in the invoice for the next month, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**.| | Payment terms |How you pay for your Microsoft bill. *Net 30 days* means that you pay by following instructions on your invoice, within 30 days of the invoice date. | |
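Review bot: In the added Billing Profile row, "managed on the billing profiles page" is now plain text, while the removed version of that row and the added Bill to row both link the Billing profiles page through `https://go.microsoft.com/fwlink/p/?linkid=2103629`. If the change is only meant to retitle the manage-billing-profiles.md link, restore the anchor in this row so the two rows stay consistent. If dropping the link is deliberate, say so in the commit description.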
commerce | Billing Experience Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-experience-overview.md | You also now have a *billing profile* associated with your billing account. A bi Like billing accounts, billing profiles also have special roles that you can assign to users in your organization. These roles let users do things like assign billing profile roles, edit the billing profile group, use the billing profile in a purchase, pay bills, and view the billing profile group. -For more information, see [Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md). +For more information, see [Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md). ## Additional changes The following list describes other changes weΓÇÖve made to the billing experienc ## Related articles [Understand your Microsoft business billing account](manage-billing-accounts.md) (article)\-[Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md) (article)\ +[Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md) (article)\ [Understand your bill or invoice](billing-and-payments/understand-your-invoice.md) (article)\ [Payment options for Microsoft business subscriptions](billing-and-payments/pay-for-your-subscription.md) (article) |
commerce | Manage Billing Accounts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-billing-accounts.md | The following table lists the terms shown on the billing account details page. |Account status |A read-only field that specifies the status of your commercial account with Microsoft. | |Sold-to |The details of the legal entity responsible for payment and identified on the invoice. This section contains the name and address of the individual or organization responsible for the account, together with a contact email address and phone number. The address provided here is used to determine your tax rate unless you opt to provide an alternative shipping address during your purchase. For more information, see [Tax information](billing-and-payments/tax-information.md). | |Tax ID |This field only applies if youΓÇÖre in a country or region that requires you to provide a VAT or local equivalent. For more information, see [Tax information](billing-and-payments/tax-information.md). |-|Billing profiles |The link goes to the list of billing profiles associated with the current billing account. A billing profile defines the properties of your invoice, like who receives the bill, how the bill is delivered, payment terms, and an optional purchase order (PO) number. For more information about billing profiles, see [Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md). | +|Billing profiles |The link goes to the list of billing profiles associated with the current billing account. A billing profile defines the properties of your invoice, like who receives the bill, how the bill is delivered, payment terms, and an optional purchase order (PO) number. For more information about billing profiles, see [Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md). 
| |Registration number (Optional) |A legal registration number that you provide to us so we can review the details of your account. For more information, see [About registration numbers and under-review notifications](about-registration-numbers.md). To add a registration number, select **Edit**. | > [!NOTE] If you have an MCA billing account type, you can give users from other tenants a ## Related content [Tax information](billing-and-payments/tax-information.md) (article) \-[Understand billing profiles](billing-and-payments/manage-billing-profiles.md) (article) +[Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md) (article) |
commerce | Manage Saas Apps | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-saas-apps.md | You can manage licenses and billing for third-party apps in the <a href="https:/ - [Find out what type of billing account you have](manage-billing-accounts.md#view-my-billing-accounts). - If you have a Microsoft Online Services Agreement (MOSA) billing account type, you must be a Global or Billing admin to do the tasks in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../admin/add-users/about-admin-roles.md).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor to do the tasks in this article. For more information about billing account and billing profile roles, see [Understand your Microsoft business billing account](manage-billing-accounts.md) and [Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor to do the tasks in this article. For more information about billing account and billing profile roles, see [Understand your Microsoft business billing account](manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md). > [!NOTE] > If you're the person who signed up for the subscription, you're automatically a Global admin or Billing account owner. Third-party apps each have a billing profile assigned to them. Billing profiles - **Contact information** ΓÇô Billing address and a contact name - **Roles** ΓÇô Roles that allow you to change the billing profile, pay bills, or use the payment method on the billing profile to make purchase. 
-For more information about billing profiles, see [Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md). +For more information about billing profiles, see [Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md). ### Edit the billing profile on a third-party app subscription A CSP can buy an offer in the Partner Center in their customer's currency so tha ## Related content -[Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md) (article)\ +[Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md) (article)\ |
commerce | Cancel Your Subscription | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md | This article only applies to canceling **Dynamics 365**, **Intune**, **Power Pla ## Before you begin - [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor, or a Billing profile owner or contributor to do the tasks in this article. For information about Billing account roles and Billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Understand your Microsoft business billing profile](../billing-and-payments/manage-billing-profiles.md).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a Billing account owner or contributor, or a Billing profile owner or contributor to do the tasks in this article. For information about Billing account roles and Billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](../billing-and-payments/manage-billing-profiles.md). - If you have a Microsoft Online Subscription Agreement (MOSA), you must be a Global or Billing admin to do the tasks in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md). - If you added your own domain name to use with your subscription, you must [remove the domain](../../admin/get-help-with-domains/remove-a-domain.md) before you cancel your subscription. - If you have a domain subscription, to prevent any other charges for that subscription, [turn off recurring billing](renew-your-subscription.md). |
commerce | Manage Pay As You Go Services | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-pay-as-you-go-services.md | By default, when you buy a subscription that has a Microsoft Calling Plan, you'r ## Before you begin - [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).-- You must have a Microsoft Customer Agreement (MCA) billing account type, and you must be a Billing account owner or contributor, or a Billing profile owner or contributor to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Understand your Microsoft business billing profile](../billing-and-payments/manage-billing-profiles.md).+- You must have a Microsoft Customer Agreement (MCA) billing account type, and you must be a Billing account owner or contributor, or a Billing profile owner or contributor to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](../billing-and-payments/manage-billing-profiles.md). > [!NOTE] > If you're the person who signed up for the subscription, you're automatically a Billing account owner. |
commerce | Reactivate Your Subscription | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/reactivate-your-subscription.md | If your subscription expired, or if you canceled it within the cancellation poli ## Before you begin - [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Understand your Microsoft business billing profile](../billing-and-payments/manage-billing-profiles.md).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](../billing-and-payments/manage-billing-profiles.md). - If you have a Microsoft Online Services Agreement (MOSA), you must be a global or billing admin to do the tasks in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md). > [!NOTE] |
commerce | Renew Your Subscription | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/renew-your-subscription.md | If you have a prepaid subscription for Microsoft 365 Business Standard that you ## Before you begin - [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Understand your Microsoft business billing profile](../billing-and-payments/manage-billing-profiles.md).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or contributor, or a billing profile owner or contributor to do the tasks in this article. For information about billing account and billing profile roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](../billing-and-payments/manage-billing-profiles.md). - If you have a Microsoft Online Services Agreement (MOSA), you must be a global or billing admin to do the tasks in this article. For more information, see [About admin roles in the Microsoft 365 admin center](../../admin/add-users/about-admin-roles.md). > [!NOTE] |
commerce | Try Or Buy Microsoft 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/try-or-buy-microsoft-365.md | For all other procedures in this article, the following items are required: - You must have a Microsoft account, and you must be a Global or Billing admin for your organization. For more information, see [About admin roles](../admin/add-users/about-admin-roles.md). - [Find out what type of billing account you have](manage-billing-accounts.md#view-my-billing-accounts).-- If you have a Microsoft Customer Agreement (MCA) billing account type, you must also be a billing account owner or contributor to do the tasks described in this article. For more information, see [Understand billing accounts](manage-billing-accounts.md) and [Understand billing profiles](billing-and-payments/manage-billing-profiles.md).+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must also be a billing account owner or contributor to do the tasks described in this article. For more information, see [Understand billing accounts](manage-billing-accounts.md) and [Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md). ::: moniker range="o365-21vianet" |
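Review bot: The added MCA bullet retitles only the second link, so it now pairs the short "[Understand billing accounts](manage-billing-accounts.md)" with the long "[Manage your Microsoft business billing profiles](...)". The other articles touched in this batch use "Understand your Microsoft business billing account" for the same manage-billing-accounts.md target. Consider updating the first link text in the same change so both links follow the target articles' titles.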
commerce | Understand Proposal Workflow | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/understand-proposal-workflow.md | To learn more about Tax IDs, and how to apply for tax-exempt status, see This section shows the billing profile used to determine what items are included on your invoice, and how you pay your invoices. Each billing cycle, you receive a separate invoice for each billing profile. You pay for invoices by using either check or wire transfer, or Azure prepayment. If you don't already have a billing profile, your Microsoft representative creates one for you. During checkout, you can select a different billing profile, if you have one, change the name of the billing profile, or add a P.O. number. You can also create a new billing profile. -For information about billing profiles, see [Manage billing profiles](billing-and-payments/manage-billing-profiles.md). +For information about billing profiles, see [Manage your Microsoft business billing profiles](billing-and-payments/manage-billing-profiles.md). ### Proposal items in this order |
enterprise | Cloud Microsoft Domain | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-microsoft-domain.md | + + Title: "Unified cloud.microsoft domain for Microsoft 365 apps" +description: Describes the new cloud.microsoft domain for Microsoft 365 apps +++ Last updated : 02/15/2024+++ms.localizationpriority: medium ++++search.appverid: MET150 +f1.keywords: +audience: +content_well_notification: +- AI-contribution +++# Unified cloud.microsoft domain for Microsoft 365 apps ++Microsoft is unifying user-facing Microsoft 365 apps and services to a single and consistent domain: `cloud.microsoft`. ++The growth of Microsoft cloud services led to the expansion of the domain space they occupy, resulting in hundreds of domains. This fragmentation is a challenge for end user navigation, administrative simplicity, and the development of cross-app experiences. ++The `.microsoft` top-level domain is exclusive to Microsoft. The new domain doesn’t have traditional suffixes such as `.com` or `.net` in the end. This is by design. `cloud.microsoft` resides under the `.microsoft` top-level domain, for which Microsoft is a registry operator and the sole registrant. This domain allows for extra security, privacy, and protection against spoofing when you interact with apps within that domain. You can trust that any website or app that ends with `cloud.microsoft` is an official Microsoft product or service. ++## Benefits of a unified domain ++Consolidating authenticated user-facing Microsoft 365 experiences to a single domain benefits customer in several ways. For end users, it streamlines the overall experience by reducing sign-ins, redirects, and delays when navigating across apps. For admins, it reduces the complexity of allowlists that are required to help your organization stay secure and productive. 
For all our customers – and our developers – this change helps align for better and tighter integration across the Microsoft 365 ecosystem by streamlining development and improving performance of cross-app experiences. ++'Dot brand' top-level domains like `.microsoft` enhance security, trustworthiness, and integrity. Microsoft has exclusive rights to the `.microsoft` top-level domain, enabling enhanced security protocols and governance controls. All experiences on the `.microsoft` domain are legitimate and authentic, as Microsoft is the registry operator and sole registrant. ++## Requirements for admins ++Organizations currently following standard [Microsoft network guidance on domains and service endpoints](/microsoft-365/enterprise/urls-and-ip-address-ranges) shouldn't see an impact to the Microsoft 365 experience. The *.cloud.microsoft domain is already added to the official list of Office 365 URLs and IP address ranges. ++## Microsoft product and service URLs +The following Microsoft 365 products and services are now available in the `cloud.microsoft` domain. 
++|**Service**|**URL**| +|:--|:--| +|Microsoft 365 Service Health Status Page | status.cloud.microsoft| +|Microsoft Loop | loop.cloud.microsoft| +|Microsoft Mesh | mesh.cloud.microsoft| +|Microsoft Setup | setup.cloud.microsoft| +|Microsoft Sway | sway.cloud.microsoft| +|Microsoft Viva Engage | engage.cloud.microsoft| +|Microsoft Viva Goals | goals.cloud.microsoft| +|Microsoft Viva Home | viva.cloud.microsoft| +|Microsoft Viva Insights | insights.cloud.microsoft| +|Microsoft Viva Learning | learning.cloud.microsoft| +|Microsoft Viva Pulse | pulse.cloud.microsoft| +|Microsoft Viva Skills | skills.cloud.microsoft| ++## See also ++- [Introducing cloud.microsoft: a unified domain for Microsoft 365 apps and services](https://techcommunity.microsoft.com/t5/microsoft-365-blog/introducing-cloud-microsoft-a-unified-domain-for-microsoft-365/ba-p/3804961) +- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
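Review bot: The trust statement in the introduction, "any website or app that ends with `cloud.microsoft` is an official Microsoft product or service", does not say which part of the address has to end that way. The guarantee described in the surrounding sentences comes from Microsoft being registry operator and sole registrant of the `.microsoft` top-level domain, so it applies to the host name only, not to the same text appearing in a path, a query string, or as a label under some other domain. Suggest wording such as "whose host name is `cloud.microsoft` or ends in `.cloud.microsoft`". Two smaller points in the same file: under "Requirements for admins", `*.cloud.microsoft` is the only mention of the domain without code formatting and its bare asterisk can be read as an emphasis marker; and "benefits customer in several ways" should read "customers".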
frontline | Flw Wellbeing Engagement | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-wellbeing-engagement.md | Title: Engage your frontline employees and focus on wellbeing -description: Learn how to use Viva Connections, SharePoint, Microsoft Teams, and the Praise app to increase frontline worker wellbeing and engagement. +description: Learn how to use Viva Connections, SharePoint, Teams, and the Praise app to increase frontline worker wellbeing and engagement. searchScope: appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 09/27/2022 Last updated : 02/15/2024 # Engage your frontline workers and focus on wellbeing -Nurture a sense of belonging among your frontline team by empowering to engage with your entire organization. +Nurture a sense of belonging among your frontline teams by empowering them to engage with your entire organization. -Survey's like MicrosoftΓÇÖs [Work Trend Index Pulse Report](https://www.microsoft.com/worklab/work-trend-index) show that many frontline workers: +Surveys like MicrosoftΓÇÖs [Work Trend Index Pulse Report](https://microsoft.com/worklab/work-trend-index) show that many frontline workers: - Wish more was being done to support their mental health-- Say leadership does not prioritize building culture+- Say leadership doesn't prioritize building culture - Believe that work stress will either stay the same or worsen in the coming year -You can help your frontline team overcome these challenges and feel supported in your organization by using [Viva Connections](#connect-frontline-workers-to-your-broader-organization-with-viva-connections), [Viva Engage](#create-communities-with-viva-engage), [Praise](#boost-morale-with-praise), [SharePoint, and Microsoft Stream](#support-engagement-with-sharepoint-and-microsoft-stream). 
+You can help your frontline teams overcome these challenges and feel supported in your organization by using Viva Connections, Viva Engage, Praise, and SharePoint. ## Connect frontline workers to your broader organization with Viva Connections -> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Vpnn] +Keep everyone engaged and informed with [Viva Connections](/viva/connections/viva-connections-overview). Use the Viva Connections app in Teams to: -<!-- ![Image of a SharePoint homesite and mobile Viva Connections dashboard](media/viva-connections.png) This seems more like an IW image than a frontline one. Swapping out for the video. --> --[Viva Connections](/viva/connections/viva-connections-overview) brings the power of SharePoint into Microsoft Teams, so your frontline workers can easily access everything they need on the go. Use the Viva Connections app for Microsoft Teams to: --- Connect frontline workers and create opportunities to engage, communicate, and collaborate-- Make it easy for frontline workers to access important news and announcements-- Empower frontline workers around a common mission and goal+- Connect frontline workers and create opportunities to engage, communicate, and collaborate. +- Make it easy for frontline workers to access important news and announcements. +- Empower frontline workers around a common mission and goal. - Create a sense of belonging and provide tools that help foster wellbeing. -### Increase engagement with communications +You can customize Viva Connections to give your frontline easy access to resources, tools, relevant news, and popular destinations so they can access everything they need on the go. -Viva Connections is comprised of three main components that can be set up and customized in different ways to highlight tools and resources: the dashboard, feed and resources, shown below. 
+### Increase engagement with communications -![Viva Connections dashboard, feed, and resources.](media/viva-connections-mobile-flw.png) +The Viva Connections experience is composed of three main components: the feed, dashboard, and resources. -|Component |Description |Capabilities | -|:|:--|:| -|Dashboard |The Dashboard is your employeeΓÇÖs digital toolset and enables quick access to popular tasks. |Prioritize cards that help frontline workers accomplish popular tasks like clocking in and out, or viewing assigned tasks. Cards can be targeted to distinct roles and regions. | -|Feed |The Feed aggregates content from Viva Engage, SharePoint news, and Stream to display a personalized news stream. |Content in the Feed gets automatically aggregated based on sites and Viva Engage communities that the user follows. Content can be prioritized to display more prominently in the Feed. Use audience targeting to display content to specific audiences. | -|Resources |The Resources surface links to popular SharePoint portals and other content. |Resources are inherited from global navigation in SharePoint. Link to popular SharePoint portals like HR benefits and training resources. Modern SharePoint portals will display in Teams to provide the best possible viewing experience. | +- **Feed**: The feed aggregates content from multiple sources to display a personalized news and information stream. [Learn more](/viva/connections/viva-connections-overview#viva-connections-feed). +- **Dashboard**: The dashboard is your employeeΓÇÖs digital toolset that brings together the tools and resources they need. Prioritize cards that help your frontline accomplish daily tasks like clocking in and out of shifts or viewing assigned tasks. [Learn more](/viva/connections/viva-connections-overview#viva-connections-dashboard). +- **Resources**: Resources surfaces links to popular SharePoint sites and other content. Link to popular SharePoint sites like HR benefits and training resources. 
[Learn more](/viva/connections/viva-connections-overview#viva-connections-resources). -There are several ways to use Viva Connections to communicate with your workforce. Viva Connections features a [Feed where news, content from Viva Engage, and videos are aggregated and displayed](/viva/connections/viva-connections-overview#viva-connections-feed) in a personalized view based on the sites and communities that the viewer follows. The [Dashboard](/viva/connections/create-dashboard) can also be used to highlight certain cards that link to important news sources. +As you prioritize and align scenarios to support, consider how and where certain tools and resources should be located. -As you prioritize and align the scenarios to support, consider how and where certain tools and resources should be located. [Learn more about the differences between desktop and mobile apps](/viva/connections/viva-connections-overview#viva-connections-mobile-and-desktop-experiences). +[Learn more about the differences between the Viva Connections desktop and mobile experience](/viva/connections/viva-connections-overview#viva-connections-mobile-and-desktop-experiences). #### Empower your workers to share feedback -Creating channels for your frontline workers to share feedback helps these teams feel engaged and like their voices matter. In addition, getting feedback from these teams can provide insights into how your organization can improve processes. +Creating channels for your frontline workers to share feedback helps your teams feel engaged and like their voices matter. Additionally, getting feedback from your teams can provide insights into how your organization can improve processes. 
-- **On the Dashboard**: Use a [web link card](/viva/connections/create-dashboard#add-a-web-link-card) to make it easy to link to feedback channels such as [Microsoft Forms](https://support.microsoft.com/office/create-a-form-with-microsoft-forms-4ffb64cc-7d5d-402f-b82e-b1d49418fd9d) and [Viva Engage communities](https://support.microsoft.com/office/join-and-create-a-community-in-yammer-56aaf591-1fbc-4160-ba26-0c4723c23fd6). You can also [integrate third-party solutions into the Dashboard](https://cloudpartners.transform.microsoft.com/resources/viva-app-integration).+- **On the dashboard**: Use a [web link card](/viva/connections/create-dashboard#add-a-web-link-card) to make it easy to link to feedback channels such as [Microsoft Forms](https://support.microsoft.com/office/create-a-form-with-microsoft-forms-4ffb64cc-7d5d-402f-b82e-b1d49418fd9d) and [Viva Engage communities](https://support.microsoft.com/topic/communities-in-viva-engage-1ee29da1-5250-4c1e-b773-e7a78cfaf5d4). You can also [integrate third-party solutions](https://cloudpartners.transform.microsoft.com/resources/viva-app-integration) into the dashboard. > [!NOTE]- > Form creation requires an F3 or Enterprise license. Workers with F1 licenses can fill out forms, but they'll need to be created by someone with an F3 or Enterprise license. [Learn more about license types](flw-licensing-options.md) or [View the detailed license comparison table](https://go.microsoft.com/fwlink/?linkid=2139145). + > Form creation requires an F3 or Enterprise license. Workers with F1 licenses can fill out forms, but the forms need to be created by someone with an F3 or Enterprise license. [Learn more about license types](flw-licensing-options.md) or see the [Modern work plan comparison](https://go.microsoft.com/fwlink/p/?linkid=2139145) table. 
-- **In the Feed**: Strategically [publish a SharePoint news post](https://support.microsoft.com/office/create-and-share-news-on-your-sharepoint-sites-495f8f1a-3bef-4045-b33a-55e5abe7aed7#:~:text=In%20SharePoint%20Online%2C%20you%20can%20add%20news%20posts,instructions%20Create%20the%20news%20post%20.%20See%20More) targeted to frontline workers to highlight different ways to collect feedback and explains how feedback can improve the frontline worker experience.-- **In Resources**: Link to feedback tools so that frontline workers know where to go to provide feedback.+- **In the feed**: Strategically [publish a SharePoint news post](https://support.microsoft.com/office/create-and-share-news-on-your-sharepoint-sites-495f8f1a-3bef-4045-b33a-55e5abe7aed7#:~:text=In%20SharePoint%20Online%2C%20you%20can%20add%20news%20posts,instructions%20Create%20the%20news%20post%20.%20See%20More) targeted to frontline workers to highlight different ways to collect feedback and explains how feedback can improve the frontline worker experience. +- **In resources**: Link to feedback tools so that frontline workers know where to go to provide feedback. ### Promote health and wellbeing Frontline workers need extra support when it comes to managing health and wellbeing. Not only are their jobs fast paced, but they can also be physically and emotionally demanding. -- **On the Dashboard**: Surface daily health checks, wellness reminders, and [other third-party solutions that keep people feeling connected and productive](https://cloudpartners.transform.microsoft.com/resources/viva-app-integration).-- **In the Feed**: Use [SharePoint news posts](https://support.microsoft.com/office/create-and-share-news-on-your-sharepoint-sites-495f8f1a-3bef-4045-b33a-55e5abe7aed7#:~:text=In%20SharePoint%20Online%2C%20you%20can%20add%20news%20posts,instructions%20Create%20the%20news%20post%20.%20See%20More) and [Video news links](/viva/connections/video-news-links) to spotlight wellness and health resources. 
You can use audience targeting to make sure that posts reach the most relevant people.-- **In Resources**: Link to wellness and health resources to your workers can access them at any time.+- **On the dashboard**: Surface daily health checks, wellness reminders, and [other third-party solutions](https://cloudpartners.transform.microsoft.com/resources/viva-app-integration) that keep people feeling connected and productive. +- **In the feed**: Use [SharePoint news posts](https://support.microsoft.com/office/create-and-share-news-on-your-sharepoint-sites-495f8f1a-3bef-4045-b33a-55e5abe7aed7#:~:text=In%20SharePoint%20Online%2C%20you%20can%20add%20news%20posts,instructions%20Create%20the%20news%20post%20.%20See%20More) and [video news links](/viva/connections/video-news-links) to spotlight wellness and health resources. You can use audience targeting to make sure that posts reach the most relevant people. +- **In resources**: Link to wellness and health resources to your workers can access them at any time. ### Create a supportive digital ecosystem -Empowering frontline workers with the right technology makes their jobs easier and helps your organization quickly adapt to ever-changing work conditions. Use Viva Connections to create a digital ecosystem and curated employee experience. +Empowering frontline workers with the right technology makes their jobs easier and helps your organization quickly adapt to ever-changing work conditions. Use Viva Connections to create a digital ecosystem and a curated employee experience. 
-- **On the Dashboard**: Use [Adaptive card templates](/adaptive-cards/templating/), the [Card designer](/viva/connections/create-dashboard#design-your-own-card-with-a-quick-view), and [third-party integrations](https://cloudpartners.transform.microsoft.com/resources/viva-app-integration) to create custom cards and quick views that help workers access information and complete every day tasks such as:+- **On the dashboard**: Use [adaptive card templates](/adaptive-cards/templating/), the [Card designer](/viva/connections/create-dashboard#design-your-own-card-with-a-quick-view), and [third-party integrations](https://cloudpartners.transform.microsoft.com/resources/viva-app-integration) to create custom cards and quick views that help workers access information and complete every day tasks such as: - Finding or securing parking spaces - Accessing pay and benefits information - Requesting new uniforms and supplies-- **In the Feed**: [SharePoint news posts](https://support.microsoft.com/office/create-and-share-news-on-your-sharepoint-sites-495f8f1a-3bef-4045-b33a-55e5abe7aed7#:~:text=In%20SharePoint%20Online%2C%20you%20can%20add%20news%20posts,instructions%20Create%20the%20news%20post%20.%20See%20More) and [Video news links](/viva/connections/video-news-links) allow you to digitize organizational announcements. 
News posts are highlighted throughout the entire Microsoft 365 ecosystem, can be translated into different languages, and can be easily found when employees are searching for content.-- **In Resources**: Link to tools that your teams use to manage work, such as [Teams apps](flw-team-collaboration.md#apps-in-teams).+- **In the feed**: [SharePoint news posts](https://support.microsoft.com/office/create-and-share-news-on-your-sharepoint-sites-495f8f1a-3bef-4045-b33a-55e5abe7aed7#:~:text=In%20SharePoint%20Online%2C%20you%20can%20add%20news%20posts,instructions%20Create%20the%20news%20post%20.%20See%20More) and [video news links](/viva/connections/video-news-links) allow you to digitize organizational announcements. News posts are highlighted throughout the entire Microsoft 365 ecosystem, can be translated into different languages, and can be easily found when employees are searching for content. +- **In resources**: Link to tools that your teams use to manage work, such as [Teams apps](flw-team-collaboration.md#apps-in-teams). ### Get started planning, building, and launching Viva Connections -Review Viva Connections capabilities, technical requirements, and customization options. Then, work with stakeholders (such as representatives from HR and operations and process owners) who can accurately represent the needs of your frontline workforce. Take inventory of the highest priority needs and align them to Viva Connections capabilities to build a custom experience in Teams. [Get started planning, building, and launching Viva Connections for your organization](/viva/connections/plan-viva-connections). +Review Viva Connections capabilities, technical requirements, and customization options. Then, work with stakeholders (such as representatives from HR, operations, and process owners) who can accurately represent the needs of your frontline workforce. 
Take inventory of the highest priority needs and align them to Viva Connections capabilities to build a custom experience in Teams. ++[Learn how to plan, build, and launch Viva Connections in your organization](/viva/connections/viva-connections-setup-overview). ## Create communities with Viva Engage -Viva Engage is an internal social network that gives members of your organization opportunities to connect with each other. You can create communities where members of your organization can post messages and communicate. Having a variety of communities that span both frontline and non-frontline teams helps your on-the-ground workforce connect to each other and the broader organization. Communities can be based on: +[Viva Engage](/viva/engage/overview) is an internal social network that gives members of your organization opportunities to connect with each other. You can create [communities](https://support.microsoft.com/topic/communities-in-viva-engage-1ee29da1-5250-4c1e-b773-e7a78cfaf5d4) where members of your organization can ask and answer questions, share knowledge, and find belonging at work. Having a variety of communities that span both frontline and non-frontline teams helps your on-the-ground workforce connect to each other and the broader organization. ++Communities can be based on: - Location - Roles, such as cashiers or nurses Viva Engage is an internal social network that gives members of your organizatio - Identity groups - And more -### Host live events --Members of your leadership or management team can host live events in Viva Engage where employees can engage and ask questions in real time over chat. Your communications and management teams can use live events to share announcements, host morale events, and more. --[Learn more about how to organize a Microsoft Teams powered live event in Viva Engage](/viva/engage/organize-live-event). --[Learn more about Viva Engage](/viva/engage/overview). 
- ## Boost morale with Praise -The Praise app in Microsoft Teams lets managers and employees congratulate each other and share appreciation by sending badges in Teams chat and channels. Praise helps employees feel recognized for achievements such as meeting goals and going above and beyond to help customers. +The Praise app in Teams lets managers and employees congratulate each other and share appreciation by sending badges in Teams chats and channels. Praise helps employees feel recognized for achievements such as meeting goals and going above and beyond to help customers. [Learn how to manage Praise for your organization](/microsoftteams/manage-praise-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json). -## Support engagement with SharePoint and Microsoft Stream --One of the biggest struggles for frontline workers is feeling included in the broader organization. By recording important meetings in SharePoint and hosting videos in Microsoft Stream. +## Support engagement -### Record Teams meetings and store them in SharePoint +One of the biggest struggles for frontline workers is feeling included in the broader organization. -If your organization already uses Microsoft Teams, you may have recorded some of your meetings so that team members can catch up on meetings that they missed. Recording meetings can also benefit your frontline team by making them feel included in the organization. Some ways you can use recorded meetings to help frontline teams include: +If your organization already uses Teams, you might have recorded some of your meetings so that team members can catch up on meetings that they missed. Recording meetings can also benefit your frontline teams by making them feel included in the organization. Some ways you can use recorded meetings to help frontline teams include: - Give them earlier access to announcements such as product releases and new policies. 
- Help them understand your organization's broader business goals. If your organization already uses Microsoft Teams, you may have recorded some of [Learn how to record Teams meetings and store them in SharePoint](https://support.microsoft.com/office/record-a-meeting-in-teams-34dfbe7f-b07d-4a27-b4c6-de62f1348c24). -Once a meeting is recorded and saved in SharePoint, your corporate communications team can [add a card in Viva Connections](/viva/connections/create-dashboard#create-a-dashboard-and-add-cards) to make it easily accessible for your frontline team. --### Host live events and share video content on Microsoft Stream --Microsoft Stream is your organization's own streaming video platform. With Stream, anyone in your organization can record and upload videos to share. Ways you can use Stream to engage your frontline workers include: --- Share announcements such as product releases and new policies so your frontline team isn't the last to know.-- Members of the leadership team can introduce themselves and discuss their goals so your frontline team understands who drives decisions and why.-- Frontline teams from different locations can create videos introducing themselves and showcasing their location so workers in different places can feel connected.--> [!NOTE] -> Only users with an Enterprise license can host events or publish to stream. Users with F licenses can join events and view videos. --[Learn more about Microsoft Stream](https://support.microsoft.com/office/explore-stream-87a7d1e2-ef0e-44c6-88dc-74b23266cfc0). --Your corporate communications team can make sure everyone has easy access to stream videos by [adding a card in Viva Connections](/viva/connections/create-dashboard#create-a-dashboard-and-add-cards). +After a meeting is recorded and saved in SharePoint, your corporate communications team can [add a card in Viva Connections](/viva/connections/create-dashboard#create-a-dashboard-and-add-cards) to make it easily accessible for your frontline teams. 
|
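Review bot: in the "Promote health and wellbeing" list, the new **In resources** bullet still reads "Link to wellness and health resources to your workers can access them at any time"; the typo was carried over from the removed line and should be "so your workers". The same carry-over applies to "highlight different ways to collect feedback and explains how" in the feedback **In the feed** bullet (should be "explain") and to "every day tasks" in the dashboard bullet (should be "everyday tasks").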
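Review bot: in "Get started planning, building, and launching Viva Connections", rewording "representatives from HR and operations and process owners" as "representatives from HR, operations, and process owners" makes process owners read as a department that sends representatives rather than as stakeholders in their own right. Suggest "such as process owners and representatives from HR and operations".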
frontline | Get Up And Running | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/get-up-and-running.md | - Title: Managers - Get your team started with Microsoft 365 for frontline workers------ -description: Learn how frontline managers can get their teams up and running with Microsoft 365 for frontline workers. -- - Teams_ITAdmin_FLW - - m365-frontline - - highpri -appliesto: - - Microsoft Teams - - Microsoft 365 for frontline workers Previously updated : 10/28/2022---# Managers - Get your team started with Microsoft 365 for frontline workers --Microsoft 365 for frontline workers includes a variety of capabilities to help your team do their best. Here are a few things you can start doing right away to get your team working together: --|Path |Description |Teams apps you'll need | -|-|--|--| -|[Enable quick communication](#enable-quick-communication) |Help your frontline team stay in touch. |Chats and Walkie Talkie | -|[Manage frontline schedules, time, and attendance](#manage-frontline-schedules-time-and-attendance) |Set up a schedule that you can manage in Teams. |Shifts | -|[Manage work items](#manage-work-items) |Use Teams and Microsoft 365 apps to assign and keep track of work items. |Tasks, Lists, Approvals, and Updates | -|[Foster connections and boost morale](#foster-connections-and-boost-morale-with-praise) |Send praise to your team members to help them feel appreciated. |Praise | --The apps that support these capabilities are included in Teams and most are ready to use right away. Some youΓÇÖll need to add to your team or set up before youΓÇÖre ready to use it. Also, most of these apps are pinned by default, meaning that members of your frontline team see them by default in the app bar, which is the bar at the bottom of the Teams mobile clients (iOS and Android) and on the side of the Teams desktop client. You can always add apps that arenΓÇÖt pinned based on your needs. 
[Learn how to add apps in Teams](https://support.microsoft.com/office/add-an-app-to-microsoft-teams-b2217706-f7ed-4e64-8e96-c413afd02f77). --This article helps you to set up a team, and then configure the features and apps you need to get your team going with these capabilities. --## Enable quick communication --Use the built-in communication tools in Teams to enable your frontline workers to stay in touch. You donΓÇÖt need to do any additional setup for the communication apps or to use them in your team. You always see the Teams, Chats, and Activity icons when you open Teams, either on desktop or mobile, while Walkie Talkie is only available on mobile. --### Teams --You and your frontline workers can create teams to help specific groups stay in touch. For example, you could create a Cashiers team so all your cashiers can communicate with each other and share information. If thereΓÇÖs a policy change that only applies to cashiers, you can post it in the Cashiers team so it reaches the people who need to see it. [Learn how to create a team in Teams](https://support.microsoft.com/office/set-up-groups-and-teams-a79afa20-aa01-44a3-b33d-5eaa72f6404f). --### Chats --Teams chat allows members of your frontline workforce to communicate seamlessly without having to use their personal messaging apps. [Learn more about chats](https://support.microsoft.com/office/first-things-to-know-about-chats-88ed0a06-6b59-43a3-8cf7-40c01f2f92f2). --### Activity --You can @Mention a team member to call their attention to a conversation. @Mentions send users a notification, so they see the message in Activity even if they miss it in the chat. --### Walkie Talkie --Walkie Talkie empowers your workers to have real-time conversations with workers at any location without leaving their station. For example, if an employee is helping a customer and needs assistance, they can use Walkie Talkie to contact an expert or manager without having to walk away from the customer. 
--Walkie Talkie is supported on Android devices with Google Mobile Services (GMS) and iOS devices. --## Manage frontline schedules, time, and attendance --You can use the Shifts app to create and manage schedules for your team. With Shifts, employees can request time off, volunteer for open shifts, request to swap shifts with coworkers, and clock in and out of their shifts. --To create a schedule in Shifts: --1. In Shifts, select **New schedule**, and then select **Create** on the team you want. -2. Select **Add group** to organize the schedule based on job type or location. You can have multiple groups on one schedule. For example, a healthcare organization could have a group for receptionists and a group for nurses. -3. Select **More options** (**...**), and then select **Rename group** to name the group. -4. To create a shift for a team member, select their row, and then select **More options** (**...**) > **Add shift**. --Watch [this video](https://support.microsoft.com/office/create-a-shifts-schedule-2b94ca38-36db-4a1c-8fee-f8f0fec9a984) to learn more about creating schedules in shifts. --If your organization is already using a workforce management system for scheduling, your IT team can integrate it with Shifts to pull all your schedules into Shifts. [Learn more about connecting your workforce management system](shifts-connectors.md). --## Manage work items --You can use the Tasks, Lists, Approvals, and Updates apps to manage and keep track of work items. You can choose to use just one app, or use several of them based on your needs. Anyone can create and assign tasks to themselves and team members. --### Tasks --Tasks is powered by Planner, and lets you create and assign work items for your team. To create and assign a task in Tasks: --1. Open the Tasks app. -2. Select **+ New list or plan** to create a task list for your team. -3. Give your plan a name. Under **Create in**, choose the team and channel you want the task plan to apply to. 
Then select **Create**. -- ![Screenshot of the New plan pane.](media/flw-manager-tasks.png) --4. To create a new task, give it a name. Then assign it to a member of the team that you created the plan in. You can also choose a due date. -- ![Screenshot of the page to name and assign a task.](media/flw-manager-assign-task.png) --5. After you created and assigned the task, it appears in the Tasks app for members of the team. If you don't assign the task to a specific person, it still shows up for the team. --Tasks is powered by Planner. Watch [this playlist](https://support.microsoft.com/office/organize-your-team-s-tasks-in-microsoft-planner-c931a8a8-0cbb-4410-b66e-ae13233135fb) to learn more about how you can use Planner and Tasks together. --### Approvals --Approvals lets your team submit requests for approval from within Teams. For example, if one of your team members wants to offer a discount on a large order, they can submit an approval request to get permission. --You can create templates for your frontline team that will allow them to submit streamlined approval requests. --1. From the Approvals hub, select **Create or manage templates**. -2. From the menu, select which team you want the template to apply to. -- ![Screenshot of the template management menu.](media/flw-manager-templateteam.png) --3. Select **New template** and then either choose an existing template from the template store or create one from scratch to suit your needs. -4. Choose who you want the template to apply to. Choose **Team wide** to make this template apply to everyone in the team you selected in step 2. -5. Select the team from the list. -6. Fill in the Basic settings, Form design, and Workflow settings. Then select **Preview**. -7. If the template looks good to you, choose **Publish**. -8. Members of your team will now be able to submit approval requests from the template you created. 
--[Learn more about creating templates for your team in Approvals](https://support.microsoft.com/office/discover-templates-in-approvals-c33ecf9f-b745-4287-b104-ac69469745e0). --### Lists --The Lists app helps you track information and organize work. You and your team can create lists for inventory, customer requests, supply needs, and more. --You can create a list from a template by choosing **+New List** from the Lists app. [Learn about what templates are available](https://support.microsoft.com/office/list-templates-in-microsoft-365-62f0e4cf-d55d-4f89-906f-4a34e036ded1). --If you have a spreadsheet that you collaborate on with your team, you can convert it to a list. --1. From the Lists app, select **+New List**. -2. Choose **From Excel** and upload the spreadsheet you want to turn into a list. -3. Confirm the column types are correct and adjust them if necessary. Then select **Next**. -4. Give your list a name, color, icon, and location. Then choose **Create**. --> [!NOTE] -> The Lists app isn't pinned by default, but you can [add it from the Teams app store](https://support.microsoft.com/office/add-an-app-to-microsoft-teams-b2217706-f7ed-4e64-8e96-c413afd02f77). --### Updates --Updates allows you to create, submit, and review updates. People can easily see their employee updates, check-ins, and reports in one place to make sure the team is on track for success, whether those are recurring processes that happen regularly or in-the-moment updates that might be needed at any time. --You can assign updates to your team members. Team members can also submit updates without being assigned. --1. In the Updates app, select **Create and manage templates**. -2. Choose a popular template, or choose **View more** to see all template options. You can choose a template or start from blank. -3. Fill in the Basic settings and Form design. -4. In Workflow settings, choose who you want to submit this update, view this update, and the times and due dates for the update. -5. 
The submitters you assigned can now see and submit the required update. --> [!NOTE] -> The Updates app isn't pinned by default, but you can [add it from the Teams app store](https://support.microsoft.com/office/add-an-app-to-microsoft-teams-b2217706-f7ed-4e64-8e96-c413afd02f77). --## Foster connections and boost morale with Praise --The Praise app in Teams helps you show appreciation to members of your team. You can send praise to team members to recognize their achievement, and team members can send praise to each other. You can also send praise in a channel conversation to recognize a group of people. Praise uses premade titles that call out positive qualities such as **Team Player** and **Awesome**. --1. Open a Teams chat or channel. Below the space where you write a message, select **Praise** or select **More apps** (**...**) to find it. -- ![Screenshot of the Praise icon in a chat](media/praise-icon.png) --2. Titles default to **Awesome**. To send a different title with your praise message, select a new one from the **Title** section. -3. Add the name of the people you want to praise and an optional note. -4. Select **Preview** to check it, and then select **Send**. --## Share training videos with your users --Help your team get comfortable and confident using their Microsoft 365 capabilities with these training resources. Each of these articles and videos only takes a few minutes to go through. --[Get started with Microsoft Teams](https://support.microsoft.com/office/get-started-with-microsoft-teams-b98d533f-118e-4bae-bf44-3df2470c2b12) --[Get started with Walkie Talkie](https://support.microsoft.com/office/get-started-with-teams-walkie-talkie-25bdc3d5-bbb2-41b7-89bf-650fae0c8e0c) --[Get started with Shifts](https://support.microsoft.com/office/what-is-shifts-f8efe6e4-ddb3-4d23-b81b-bb812296b821) --Shifts also includes a clock in and out feature. 
[Learn how to clock in and out with Shifts](https://support.microsoft.com/office/clock-in-and-out-with-shifts-ae7b676c-7666-46c7-9f68-85ff54acec8b) --[Get started with Tasks](https://support.microsoft.com/office/use-the-tasks-app-in-teams-e32639f3-2e07-4b62-9a8c-fd706c12c070) --[Learn about Approvals](https://support.microsoft.com/office/what-is-approvals-a9a01c95-e0bf-4d20-9ada-f7be3fc283d3) --[Learn about Lists](https://support.microsoft.com/office/create-a-list-from-the-lists-app-b5e0b7f8-136f-425f-a108-699586f8e8bd) --[Learn about the Updates mobile experience](https://support.microsoft.com/office/get-started-in-updates-c03a079e-e660-42dc-817b-ca4cfd602e5a#ID0EBF=Mobile) --[Learn how to send Praise](https://support.microsoft.com/office/send-praise-to-people-50f26b47-565f-40fe-8642-5ca2a5ed261e) |
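Review bot: every line of this article is removed, including its section anchors (for example `#enable-quick-communication` and `#manage-work-items`), and the visible diff shows no redirect or replacement link. Confirm that a redirect entry exists for get-up-and-running.md and that no other article still links to these anchors.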
lighthouse | M365 Lighthouse Deploy Standard Tenant Configurations Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md | Check out the other [Microsoft 365 Lighthouse videos](https://www.youtube.com/pl ## Microsoft 365 Lighthouse default baseline -The Microsoft 365 Lighthouse default baseline is designed to ensure all managed tenants are healthy and secure. To view the tasks included in the default baseline, select **Default baseline** from the list. Select any of the tasks to view additional details about the task and the associated user impact. +The Microsoft 365 Lighthouse default baseline is designed to ensure all managed tenants are healthy and secure. To view the deployment tasks included in the default baseline, select **Default baseline** from the list. Select any of the deployment tasks to view additional details about the task and the associated user impact. :::image type="content" source="../media/m365-lighthouse-deploy-baselines/default-baseline-page.png" alt-text="Screenshot of the Default baseline page." lightbox="../media/m365-lighthouse-deploy-baselines/default-baseline-page.png"::: -### Default Lighthouse configurations +### Default baseline categories and deployment task descriptions -|Baseline configuration|Description| +|Default baseline category|Description of deployment tasks in the category| |||-|Require MFA for admins|A Conditional Access policy requiring multi-factor authentication for all admins. It's required for all cloud applications. For more information about this baseline, see [Conditional Access: Require MFA for all administrators](/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa).| -|Require MFA for end users|A Conditional Access policy that requires multi-factor authentication for all users. It's required for all cloud applications. 
For more information about this baseline, see [Conditional Access: Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa).| -|Block legacy authentication|A Conditional Access policy to block legacy client authentication. For more information about this baseline, see [Block legacy authentication to Microsoft Entra ID with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication).| -|Set up device enrollment|Device enrollment allows your tenant devices to enroll in Microsoft Intune and provide Endpoint analytics visibility into your devices through device health monitoring. This configuration is done by setting up Auto Enrollment between Microsoft Entra ID and Microsoft Intune. For more information about this baseline, see [Set up enrollment for Windows devices](/mem/intune/enrollment/windows-enroll).| -|Configure app protection policy|A set of protection policies that allow you to manage and protect a managed tenant's organization's data within an application, independent of any mobile device management (MDM) solution. The organization's data will be protected with or without enrolling devices in an MDM solution.| -|Set up Microsoft Defender for Business|Provisions the tenant for Microsoft Defender for Business and onboards the devices already enrolled in Microsoft Intune to Microsoft Defender for Business. For more information, see [What is Microsoft Defender for Business?](../security/defender-business/mdb-overview.md)| -|Set up Exchange Online Protection and Microsoft Defender for Office 365|A policy to apply recommended anti-spam, anti-malware, anti-phishing, safe links and safe attachment policies to your tenants Exchange Online mailboxes.| -|Configure Microsoft Defender Antivirus for Windows 10 and later|A device configuration profile for Windows devices with pre-configured Microsoft Defender Antivirus settings. 
For more information about this baseline, see [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure).| -|Configure Microsoft Defender Firewall for Windows 10 and later|A firewall policy to help secure devices by preventing unwanted and unauthorized network traffic. For more information about this baseline, see [Best practices for configuring Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/best-practices-configuring).| -|Configure a device compliance policy for Windows 10 and later|A Windows device policy with pre-configured settings to meet basic compliance requirements. For more information about this baseline, see [Conditional Access: Require compliant or Microsoft Entra hybrid joined device](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device).| -|Configure Microsoft Edge|A Microsoft Edge browser policy for Windows 10 or later with preconfigured settings to stay protected from phishing scams and malicious software. This policy also allows Microsoft Edge to safely save and monitor passwords and suggest strong passwords when needed.| +|Identity protection|Tasks within this category standardize configurations to help protect a customer's identity and apply best practices to help manage customer identities.| +|Email and apps protection|Tasks within this category standardize the configuration of email standards and productivity applications to help secure the applications. 
The tasks also apply best-practice recommendations to ensure customers are protected from malicious content within the applications.| +|Endpoint enrollment|Tasks within this category ensure all eligible devices in a customer's tenant are properly enrolled, appropriately managed, and are using a standardized installation of Microsoft 365 applications.| +|Endpoint protection|Tasks within this category build upon tasks in the Endpoint enrollment category by configuring the appropriate security standards and applying best practices for day-to-day device management.| +|Data protection|Tasks within this category apply best-practice recommendations for protecting a customer tenant from data loss and accidental leakage of sensitive data in productivity applications.| +|End-user experience|Tasks within this category help configure training to assist with end-user education and onboarding. The tasks also standardize branding across customer tenants for a more seamless experience.| ## Related content |
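Review bot: the replacement table under "Default baseline categories and deployment task descriptions" drops every named control from the old table ("Require MFA for admins", "Require MFA for end users", "Block legacy authentication", and the rest) together with their links to the Conditional Access and Intune articles, so the page no longer states what the default baseline enforces. Suggest listing the deployment tasks under each category, or linking each category to an article that does, so a reader can still check whether a specific control is part of the baseline.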
lighthouse | M365 Lighthouse Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-whats-new.md | We're continuously adding new features to [Microsoft 365 Lighthouse](m365-lighth > > To see which new features are currently available in your partner tenant, go to the **Home** page of Microsoft 365 Lighthouse, and then either select the **What's new** link in the upper-right corner of the page or select **What's new** on the **What's new & learning resources** card. +## January 2024 ++### Track upcoming subscription renewals ++To help you prioritize and drive subscription renewal discussions with customers more effectively, we've added a page to Microsoft 365 Lighthouse that lets you track customer subscriptions that are expiring within the next 90 days. ++To access this new page, in the left navigation pane in Lighthouse, select **Sales Advisor (Project Orland)** > **Upcoming renewals**. ++If you're new to Sales Advisor, you must be a Lighthouse Account Manager in your partner tenant to access the **Upcoming renewals** page. For more information, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md). If you already have access to Sales Advisor, you don't need the Lighthouse Account Manager role at this time. ++The **Upcoming renewals** page lists all customer subscriptions, sorted by subscription expiration date. You can sort and filter the list by expiration date, billing frequency, recurring billing status, number of licenses, and more. To make it easier to see all expiring subscriptions for each tenant, switch to the **Group list by tenant** view. 
++[Go to the Upcoming renewals page now](https://lighthouse.microsoft.com/#view/Microsoft_Intune_MTM/UpcomingRenewals.ReactView) ++To learn more, see "Optimize your renewal conversations with simplified renewal insights" in [Blog post: Unlock the Copilot opportunity and grow your CSP business with Microsoft 365 Lighthouse](https://go.microsoft.com/fwlink/?linkid=2257055). ++### Microsoft Copilot opportunities in Sales Advisor ++We've added Microsoft Copilot opportunities to Sales Advisor to help you identify customers who are eligible to buy Microsoft Copilot for Microsoft 365. Microsoft Copilot is an AI companion that works everywhere you do and intelligently adapts to your needs. ++To access Copilot opportunities, in the left navigation pane in Microsoft 365 Lighthouse, select **Sales Advisor (Project Orland)** > **Opportunities**, and then select the **Customer growth** tab. ++Select a Copilot opportunity to see customer insights, suggested actions, and resources to engage with the customer. ++[Go to the Opportunities page now](https://lighthouse.microsoft.com/#view/Microsoft_Intune_MTM/OrlandInsights.ReactView) ++To learn more, see [Blog post: Unlock the Copilot opportunity and grow your CSP business with Microsoft 365 Lighthouse](https://go.microsoft.com/fwlink/?linkid=2257335). ++### Assign GDAP template settings automatically after customer approval of GDAP relationships ++You can now set up granular delegated admin privileges (GDAP) for any customer tenant—regardless of which delegated relationship has already been set up—without the need for extra steps after a GDAP relationship is activated. Assign a GDAP template to any customer tenant in Microsoft 365 Lighthouse, and once the customer approves the relationship, the security groups and support roles are automatically applied. There's no need to re-run GDAP Setup or take extra steps after a relationship is activated to apply all GDAP template settings. 
++To assign a GDAP template, go to the **Home** page of Lighthouse and select **Set up GDAP** on the **GDAP Setup** card. ++[Go to GDAP Setup now](https://lighthouse.microsoft.com/#view/Microsoft_Intune_MTM/SetupGdap.ReactView) ++To learn more, see [Set up GDAP for your customers in Microsoft 365 Lighthouse](m365-lighthouse-setup-gdap.md). ++### Manage Sales Advisor access with new Lighthouse Account Manager role ++You can now manage Sales Advisor access directly from the Lighthouse permissions page in Microsoft 365 Lighthouse. Assign the Lighthouse Account Manager role to users in your partner tenant who need full access to Sales Advisor pages, data across the entire partner tenant, and capabilities like the ability to export data. ++To assign the Lighthouse Account Manager role, go to **Permissions** > **Lighthouse permissions**. ++Stay tuned for the announcement of additional Lighthouse management roles that you can use to further manage partner-tenant permissions in Lighthouse. ++[Go to the Lighthouse permissions page now](https://lighthouse.microsoft.com/#view/Microsoft_Intune_MTM/RBAC.ReactView) ++To learn more, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md). + ## October 2023 ### Data availability insights Data availability insights have been added to the following pages: To see the insights, go to any of these pages in Lighthouse. -### Assign GDAP template settings automatically after customer approval of GDAP relationships --You can now set up granular delegated admin privileges (GDAP) for any customer tenant—regardless of which delegated relationship has already been set up—without the need for extra steps after a GDAP relationship is activated. Assign a GDAP template to any customer tenant in Microsoft 365 Lighthouse and, once the customer approves the relationship, the security groups and support roles are automatically applied. 
There's no need to re-run GDAP Setup or take extra steps after a relationship is activated to apply all GDAP template settings. --To assign a GDAP template, go to the **Home** page of Lighthouse and select **Set up GDAP** on the **GDAP Setup** card. --[Go to GDAP Setup now](https://lighthouse.microsoft.com/#view/Microsoft_Intune_MTM/SetupGdap.ReactView) --To learn more, see [Set up GDAP for your customers in Microsoft 365 Lighthouse](m365-lighthouse-setup-gdap.md). - ## September 2023 ### Windows event logs The **Windows event logs** page in Microsoft 365 Lighthouse uses artificial inte [Go to the Windows event logs page now](https://lighthouse.microsoft.com/view/Microsoft_Intune_MTM/WindowsEventLogs.ReactView) +### Quick actions on the Home page ++You can now perform common actions like adding a new user, tagging your tenants, accessing other admin centers, and more from the Microsoft 365 Lighthouse Home page. The new command bar at the top of the Home page helps you find and perform these actions whenever you need them. + ## August 2023 ### Microsoft Secure Score |
security | Get Defender Business | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business.md | description: Find out how to get Microsoft Defender for Business, endpoint prote search.appverid: MET150 -+ audience: Admin |
security | Mdb Add Users | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-add-users.md | description: Add users and assign Defender for Business licenses to protect thei search.appverid: MET150 -+ audience: Admin |
security | Mdb Asr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-asr.md | Title: Enable your attack surface reduction rules in Microsoft Defender for Busi description: Get an overview of attack surface reduction capabilities, including attack surface reduction rules, in Microsoft Defender for Business -+ Last updated 11/30/2023 |
security | Mdb Attack Disruption | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-attack-disruption.md | Title: Automatic attack disruption in Microsoft Defender for Business description: Learn about automatic attack disruption in Microsoft Defender for Business -+ Last updated 10/12/2023 |
security | Mdb Configure Security Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md | description: View and edit security policies and settings in Defender for Busine search.appverid: MET150 -+ audience: Admin |
security | Mdb Controlled Folder Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-controlled-folder-access.md | Title: Set up or edit your controlled folder access policy in Microsoft Defender description: Get an overview of attack surface reduction capabilities in Microsoft Defender for Business -+ Last updated 08/21/2023 |
security | Mdb Create Edit Device Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-create-edit-device-groups.md | description: Security policies are applied to devices through device groups in D search.appverid: MET150 -+ audience: Admin |
security | Mdb Email Notifications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-email-notifications.md | description: Set up email notifications to tell your security team about alerts search.appverid: MET150 -+ audience: Admin |
security | Mdb Firewall | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-firewall.md | description: Learn about Windows Defender Firewall settings in Defender for Busi search.appverid: MET150 -+ audience: Admin |
security | Mdb Get Started | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-started.md | description: Your security center in Defender for Business is the Microsoft Defe search.appverid: MET150 -+ audience: Admin |
security | Mdb Lighthouse Integration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-lighthouse-integration.md | description: See how Microsoft Defender for Business integrates with Microsoft 3 search.appverid: MET150 -+ audience: Admin |
security | Mdb Manage Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md | description: Learn how to add, remove, and manage devices in Defender for Busine search.appverid: MET150 -+ audience: Admin |
security | Mdb Manage Subscription | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-subscription.md | description: Learn about your options for managing your Defender for Business or search.appverid: MET150 -+ audience: ITPro Last updated 01/03/2024 |
security | Mdb Mtd | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-mtd.md | Title: Mobile threat defense capabilities in Microsoft Defender for Business description: Get an overview of mobile threat defense in Defender for Business. Learn about what's included and how to onboard devices. -+ Last updated 07/19/2023 |
security | Mdb Next Generation Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-next-generation-protection.md | description: Learn how to view and edit your next-generation protection policies search.appverid: MET150 -+ audience: Admin |
security | Mdb Offboard Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-offboard-devices.md | description: Learn about how to remove or offboard a device from Microsoft Defen search.appverid: MET150 -+ audience: Admin |
security | Mdb Onboard Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md | description: See how to get devices onboarded to Defender for Business to protec search.appverid: MET150 -+ audience: Admin |
security | Mdb Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-overview.md | description: Microsoft Defender for Business is a cybersecurity solution for sma search.appverid: MET150 -+ audience: Admin |
security | Mdb Partners | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-partners.md | description: Download our new security guide or integrate your remote monitoring search.appverid: MET150 -+ audience: Admin |
security | Mdb Policy Order | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-policy-order.md | description: Learn about order of priority with cybersecurity policies to protec search.appverid: MET150 -+ audience: Admin |
security | Mdb Portal Advanced Feature Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-portal-advanced-feature-settings.md | description: View and edit settings for the Microsoft Defender portal and advanc search.appverid: MET150 -+ audience: Admin |
security | Mdb Preview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-preview.md | ms.pagetype: security ms.localizationpriority: medium-+ audience: Admin - m365-security |
security | Mdb Reports | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-reports.md | description: Get an overview of security reports in Defender for Business. Repor search.appverid: MET150 -+ audience: Admin |
security | Mdb Requirements | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-requirements.md | description: Microsoft Defender for Business license, hardware, and software req search.appverid: MET150 -+ audience: Admin |
security | Mdb Respond Mitigate Threats | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-respond-mitigate-threats.md | description: As threats are detected in Defender for Business, you can take acti search.appverid: MET150 -+ audience: Admin |
security | Mdb Review Remediation Actions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-review-remediation-actions.md | description: View remediations that were taken on detected threats or suspected search.appverid: MET150 -+ audience: Admin |
security | Mdb Roles Permissions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-roles-permissions.md | description: Assign roles to your cybersecurity team. Learn about these roles an search.appverid: MET150 -+ audience: Admin |
security | Mdb Setup Configuration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-setup-configuration.md | description: See how to set up your Defender for Business cybersecurity solution search.appverid: MET150 -+ audience: Admin |
security | Mdb Streaming Api | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-streaming-api.md | Title: Use the streaming API with Microsoft Defender for Business description: The Defender for Endpoint streaming API is available for Defender for Business and Microsoft 365 Business Premium. Stream of device file, registry, network, sign-in events, and other data to Azure Event Hub, Azure Storage, and Microsoft Sentinel to support advanced hunting and attack detection. -+ Last updated 12/12/2023 |
security | Mdb Tutorials | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-tutorials.md | description: Learn about several tutorials to help you get started using Defende search.appverid: MET150 -+ audience: Admin |
security | Mdb View Edit Create Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-edit-create-policies.md | description: Learn how to view, edit, create, and delete cybersecurity policies search.appverid: MET150 -+ audience: Admin |
security | Mdb View Manage Incidents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-manage-incidents.md | description: View and manage alerts, respond to threats, manage devices, and rev search.appverid: MET150 -+ audience: Admin |
security | Mdb View Tvm Dashboard | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-tvm-dashboard.md | description: Use your Microsoft Defender Vulnerability Management dashboard to s search.appverid: MET150 -+ audience: Admin |
security | Mdb Web Content Filtering | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-web-content-filtering.md | Title: Set up web content filtering in Microsoft Defender for Business description: Learn how to set up, view, and edit your web content filtering policy in Microsoft Defender for Business. -+ Last updated 06/28/2023 |
security | Trial Playbook Defender Business | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/trial-playbook-defender-business.md | f1.keywords: - NOCSH -+ audience: Admin |
security | Access Mssp Portal | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/access-mssp-portal.md | Title: Access the Microsoft Defender XDR MSSP customer portal description: Access the Microsoft Defender XDR MSSP customer portal -keywords: managed security service provider, mssp, configure, integration -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Admin Submissions Mde | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/admin-submissions-mde.md | Title: Submit files in Microsoft Defender for Endpoint description: Learn how to use the unified submissions feature in Microsoft Defender XDR to submit suspicious emails, URLs, email attachments, and files to Microsoft for scanning. -keywords: antivirus, spam, phish, file, alert, Microsoft Defender for Endpoint, false positive, false negative, blocked file, blocked url, submission, submit, report -search.product: eADQiWindows 10XVcnh search.appverid: met150 Previously updated : 10/02/2023 Last updated : 02/15/2024 -ms.sitesec: library -ms.pagetype: security ---+++ localization_priority: Normal audience: ITPro |
security | Advanced Features | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md | Title: Configure advanced features in Microsoft Defender for Endpoint description: Turn on advanced features such as block file in Microsoft Defender for Endpoint. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Alerts Queue Endpoint Detection Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response.md | -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security - tier1 - mde-edr Previously updated : 09/03/2018 Last updated : 02/15/2024 search.appverid: met150 |
security | Alerts Queue | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue.md | Title: View and organize the Microsoft Defender for Endpoint Alerts queue description: Learn about how the Microsoft Defender for Endpoint alerts queues work, and how to sort and filter lists of alerts. -keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security - tier1 - mde-edr Previously updated : 03/27/2020 Last updated : 02/15/2024 search.appverid: met150 |
security | Analyzer Feedback | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-feedback.md | Title: Provide feedback on the Microsoft Defender for Endpoint Client Analyzer tool description: Provide feedback on the Microsoft Defender for Endpoint client analyzer tool -keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Analyzer Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-report.md | Title: Understand the client analyzer HTML report description: Learn how to analyze the Microsoft Defender for Endpoint Client Analyzer HTML report -keywords: client analyzer report, html report, client analyzer -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Android Configure Mam | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md | Title: Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM) description: Describes how to configure Microsoft Defender for Endpoint risk signals using App Protection policies -keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, configuration, MAM, App Protectection Policies, Managed app search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security ---+++ ms.localizationpriority: medium audience: ITPro |
security | Android Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md | Title: Configure Microsoft Defender for Endpoint on Android features description: Describes how to configure Microsoft Defender for Endpoint on Android -keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, configuration -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Android Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md | Title: Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune description: Describes how to deploy Microsoft Defender for Endpoint on Android with Microsoft Intune -keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, installation, deploy, uninstallation, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Android Privacy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-privacy.md | Title: Microsoft Defender for Endpoint on Android - Privacy information description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint on Android. -keywords: microsoft, defender, Microsoft Defender for Endpoint, android, privacy, diagnostic -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Android Support Signin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md | Title: Troubleshoot issues on Microsoft Defender for Endpoint on Android description: Troubleshoot issues for Microsoft Defender for Endpoint on Android -keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, cloud, connectivity, communication -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Android Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-whatsnew.md | Title: What's new in Microsoft Defender for Endpoint on Android description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on Android. -keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, macos, whatsnew -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Api Microsoft Flow | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-microsoft-flow.md | Title: How to use Power Automate Connector to set up a Flow for events description: Use Microsoft Defender for Endpoint Flow connector to create a flow that will be triggered anytime a new event occurs on your tenant. -keywords: flow, supported apis, api, Microsoft flow, query, automation, power automate -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Application Deployment Via Mecm | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/application-deployment-via-mecm.md | Title: Migrating servers from Microsoft Monitoring Agent to the unified solution description: Learn how to migrate down-level servers from Microsoft Monitoring Agent to the new unified solution step-by-step from this article. -keywords: migrate server, server, 2012r2, 2016, server migration onboard Microsoft Defender for Endpoint servers, MECM, Microsoft Monitoring Agent, MMA, downlevel server, unified solution, UA search.appverid: met150-ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Assign Portal Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/assign-portal-access.md | Title: Assign user access description: Assign read and write or read only access to the Microsoft Defender for Endpoint portal. -keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles -search.product: eADQiWindows 10XVcnh search.appverid: met150-ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Attack Simulations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-simulations.md | Title: Experience Microsoft Defender for Endpoint through simulated attacks description: Run the provided attack scenario simulations to experience how Microsoft Defender for Endpoint can detect, investigate, and respond to breaches. -keywords: test, scenario, attack, simulation, simulated, diy, Microsoft Defender for Endpoint -search.product: eADQiWindows 10XVcnh search.appverid: met150-ms.sitesec: library -ms.pagetype: security -+ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Attack Surface Reduction Rules Deployment Implement | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement.md | Title: Implement attack surface reduction rules description: Provides guidance to implement your attack surface reduction rules deployment. -keywords: Attack surface reduction rules deployment, ASR deployment, enable asr rules, configure ASR, host intrusion prevention system, protection rules, anti-exploit rules, anti-exploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules -search.product: eADQiWindows 10XVcnh -ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro----++++ In cases in which blocks aren't self resolved in a timely manner, customers can > [!WARNING] > Excluding or unblocking files or folders could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. -An exclusion can apply to all rules that allow exclusions or apply to specific rules using [per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-asr-per-rule-exclusions). You can specify an individual file, folder path, or the fully qualified domain name for a resource. +An exclusion can apply to all rules that allow exclusions or apply to specific rules using [per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions). You can specify an individual file, folder path, or the fully qualified domain name for a resource. An exclusion is applied only when the excluded application or service starts. 
For example, if you add an exclusion for an update service that is already running, the update service continues to trigger events until the service is stopped and restarted. |
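Review bot: The per-rule exclusions link now points at `attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions`, but nothing in this change shows the target heading being renamed to match, so confirm the heading in the test article was renamed in the same commit or the fragment will no longer resolve. In the front matter of the same file, `ms.pagetype: security` survives as an unchanged line while `ms.sitesec: library` is removed; the plan article's cleanup removes both, so drop it here too if the intent is the same.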
security | Attack Surface Reduction Rules Deployment Operationalize | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md | |
security | Attack Surface Reduction Rules Deployment Plan | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan.md | Title: Plan attack surface reduction rules deployment description: Provides guidance to plan your attack surface reduction rules deployment. -keywords: Attack surface reduction rules deployment, Microsoft Defender for Endpoint ASR deployment, Defender ASR rules, enable asr rules, configure ASR, host intrusion prevention system, protection rules, anti-exploit rules, anti-exploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro----++++ search.appverid: met150 - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) -Before you test or enable attack surface reduction rules, you should plan your deployment. Careful planning helps you test your attack surface reduction rules deployment and get ahead of any rule exceptions. When planning to test attack surface reduction rules it's important to start with the right business unit. Start with a small group of people in a specific business unit. You can identify some champions within a particular business unit who can provide feedback to help tune your implementation. +Before you test or enable attack surface reduction rules, you should plan your deployment. Careful planning helps you test your attack surface reduction rules deployment and get ahead of any rule exceptions. When planning to test attack surface reduction rules, make sure you start with the right business unit. Start with a small group of people in a specific business unit. 
You can identify some champions within a particular business unit who can provide feedback to help tune your implementation. > :::image type="content" source="images/asr-rules-planning-steps.png" alt-text="The attack surface reduction rules planning steps." lightbox="images/asr-rules-planning-steps.png"::: Depending on your business needs, you might decide to include multiple business ## Identify ASR rules champions -Attack surface reduction rules champions are members in your organization that will help with your initial attack surface reduction rules rollout during the preliminary testing and implementation phases. Your champions are typically employees who are more technically adept, and who aren't derailed by intermittent work-flow outages. The champions' involvement continues throughout the broader expansion of attack surface reduction rules deployment to your organization. Your attack surface reduction rules champions are first to experience each level of the attack surface reduction rules rollout. +Attack surface reduction rules champions are members in your organization who can help with your initial attack surface reduction rules rollout during the preliminary testing and implementation phases. Your champions are typically employees who are more technically adept, and who aren't derailed by intermittent work-flow outages. The champions' involvement continues throughout the broader expansion of attack surface reduction rules deployment to your organization. Your attack surface reduction rules champions are first to experience each level of the attack surface reduction rules rollout. It's important to provide a feedback and response channel for your attack surface reduction rules champions to alert you to attack surface reduction rules-related work disruptions and receive attack surface reduction rules-rollout related communications. 
Typical roles and responsibilities include: ## ASR rules ring deployment For large enterprises, Microsoft recommends deploying attack surface reduction rules in "rings." Rings are groups of devices that are visually represented as concentric circles that radiate outward like nonoverlapping tree rings. When the innermost ring is successfully deployed, you can transition to the next ring into the testing phase. Thorough assessment of your business units, attack surface reduction rules champions, apps, and processes is imperative to defining your rings.-In most cases, your organization will have deployment rings for phased rollouts of Windows updates. You can use your existing ring design to implement attack surface reduction rules. +In most cases, your organization has deployment rings for phased rollouts of Windows updates. You can use your existing ring design to implement attack surface reduction rules. See: [Create a deployment plan for Windows](/windows/deployment/update/create-deployment-plan) ## Other articles in this deployment collection |
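Review bot: The headings `## Identify ASR rules champions` and `## ASR rules ring deployment` still use the abbreviation, while the edited body text spells out "attack surface reduction rules" and the test article's headings are expanded in the same batch (for example, `## Step 1: Test attack surface reduction rules using Audit`). Either expand these two headings for consistency or leave them deliberately, and if they are renamed, check any inbound links that use their generated anchors.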
security | Attack Surface Reduction Rules Deployment Test | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test.md | Title: Test attack surface reduction rules -description: Provides guidance to test your attack surface reduction rules deployment. Microsoft Defender for Endpoint ASR test includes, audit Defender rules, configure ASR rules using Intune, Microsoft ASR rules reporting, ASR rules exclusions, ASR rules event viewer. +description: Learn how to test attack surface reduction rules in Defender for Endpoint. ms.localizationpriority: medium audience: ITPro----++++ search.appverid: met150 Testing Microsoft Defender for Endpoint attack surface reduction rules helps you determine if rules impede line-of-business operations prior to enabling any rule. By starting with a small, controlled group, you can limit potential work disruptions as you expand your deployment across your organization. -In this section of the ASR rules deployment guide, you'll learn how to: +In this section of the attack surface reduction rules deployment guide, you'll learn how to: - configure rules using Microsoft Intune-- use Microsoft Defender for Endpoint ASR rules reports-- configure ASR rules exclusions-- enable ASR rules using PowerShell-- use Event Viewer for ASR rules events+- use Microsoft Defender for Endpoint attack surface reduction rules reports +- configure attack surface reduction rules exclusions +- enable attack surface reduction rules using PowerShell +- use Event Viewer for attack surface reduction rules events > [!NOTE]-> Before you begin testing ASR rules, it is recommended that you first disable all rules that you have previously set to either **audit** or **enable** (if applicable). See [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md) for information about using the ASR rules report to disable ASR rules. 
+> Before you begin testing attack surface reduction rules, it is recommended that you first disable all rules that you have previously set to either **audit** or **enable** (if applicable). See [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md) for information about using the attack surface reduction rules report to disable attack surface reduction rules. Begin your attack surface reduction rules deployment with ring 1. -> :::image type="content" source="images/asr-rules-testing-steps.png" alt-text="The Microsoft Defender for Endpoint attack surface reduction (ASR rules) test steps. Audit ASR rules, configure ASR rules exclusions. Configure ASR rules Intune. ASR rules exclusions. ASR rules event viewer." lightbox="images/asr-rules-testing-steps.png"::: +> :::image type="content" source="images/asr-rules-testing-steps.png" alt-text="The Microsoft Defender for Endpoint attack surface reduction (ASR rules) test steps. Audit attack surface reduction rules, configure ASR rules exclusions. Configure ASR rules Intune. ASR rules exclusions. ASR rules event viewer." lightbox="images/asr-rules-testing-steps.png"::: -## Step 1: Test ASR rules using Audit +## Step 1: Test attack surface reduction rules using Audit -Begin the testing phase by turning on the ASR rules with the rules set to Audit, starting with your champion users or devices in ring 1. Typically, the recommendation is that you enable all the rules (in Audit) so that you can determine which rules are triggered during the testing phase. Rules that are set to Audit don't generally impact functionality of the entity or entities to which the rule is applied but do generate logged events for the evaluation; there is no effect on end users. +Begin the testing phase by turning on the attack surface reduction rules with the rules set to Audit, starting with your champion users or devices in ring 1. 
Typically, the recommendation is that you enable all the rules (in Audit) so that you can determine which rules are triggered during the testing phase. Rules that are set to Audit don't generally impact functionality of the entity or entities to which the rule is applied but do generate logged events for the evaluation; there is no effect on end users. -### Configure ASR rules using Intune +### Configure attack surface reduction rules using Intune -You can use Microsoft Intune Endpoint Security to configure custom ASR rules. +You can use Microsoft Intune Endpoint Security to configure custom attack surface reduction rules. 1. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Go to **Endpoint Security** > **Attack surface reduction**. You can use Microsoft Intune Endpoint Security to configure custom ASR rules. > :::image type="content" source="images/asr-mem-create-profile.png" alt-text="The profile creation page for ASR rules" lightbox="images/asr-mem-create-profile.png"::: 5. Select **Create**.-6. In the **Basics** tab of the **Create profile** pane, in **Name** add a name for your policy. In **Description** add a description for your ASR rules policy. +6. In the **Basics** tab of the **Create profile** pane, in **Name** add a name for your policy. In **Description** add a description for your attack surface reduction rules policy. 7. In the **Configuration settings** tab, under **Attack Surface Reduction Rules**, set all rules to **Audit mode**. 
> [!div class="mx-imgBorder"]- > :::image type="content" source="images/asr-mem-configuration-settings.png" alt-text="The configuration of ASR rules to Audit mode" lightbox="images/asr-mem-configuration-settings.png"::: + > :::image type="content" source="images/asr-mem-configuration-settings.png" alt-text="The configuration of attack surface reduction rules to Audit mode" lightbox="images/asr-mem-configuration-settings.png"::: > [!NOTE]- > There are variations in some ASR rules mode listings; _Blocked_ and _Enabled_ provide the same functionality. + > There are variations in some attack surface reduction rules mode listings; _Blocked_ and _Enabled_ provide the same functionality. 8. [Optional] In the **Scope tags** pane, you can add tag information to specific devices. You can also use role-based access control and scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. Learn more: [Use role-based access control (RBAC) and scope tags for distributed IT in Intune](/mem/intune/fundamentals/scope-tags). 9. In the **Assignments** pane, you can deploy or "assign" the profile to your user or device groups. Learn more: [Assign device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign#exclude-groups-from-a-profile-assignment) You can use Microsoft Intune Endpoint Security to configure custom ASR rules. > [!div class="mx-imgBorder"] > :::image type="content" source="images/asr-mem-review-create.png" alt-text="The Create profile page" lightbox="images/asr-mem-review-create.png"::: -Your new attack surface reduction policy for ASR rules is listed in **Endpoint security | Attack surface reduction**. +Your new attack surface reduction policy for attack surface reduction rules is listed in **Endpoint security | Attack surface reduction**. 
> [!div class="mx-imgBorder"] > :::image type="content" source="images/asr-mem-my-asr-rules.png" alt-text=" The Attack surface reduction page" lightbox="images/asr-mem-my-asr-rules.png"::: <a name='step-2-understand-the-asr-rules-reporting-page-in-the-microsoft-365-defender-portal'></a> -## Step 2: Understand the ASR rules reporting page in the Microsoft Defender portal +## Step 2: Understand the attack surface reduction rules reporting page in the Microsoft Defender portal -The ASR rules reporting page is found in **Microsoft Defender portal** > **Reports** > **Attack surface reduction rules**. This page has three tabs: +The attack surface reduction rules reporting page is found in **Microsoft Defender portal** > **Reports** > **Attack surface reduction rules**. This page has three tabs: - Detections - Configuration The ASR rules reporting page is found in **Microsoft Defender portal** > **Repor Provides a 30-day timeline of detected audit and blocked events. > [!div class="mx-imgBorder"]-> :::image type="content" source="images/attack-surface-reduction-rules-report-main-detections-card.png" alt-text="Graph that shows the ASR rules report summary detections card." lightbox="images/attack-surface-reduction-rules-report-main-detections-card.png"::: +> :::image type="content" source="images/attack-surface-reduction-rules-report-main-detections-card.png" alt-text="Graph that shows the attack surface reduction rules report summary detections card." lightbox="images/attack-surface-reduction-rules-report-main-detections-card.png"::: -The Attack Surface reduction rules pane provides an overview of detected events on a per-rule basis. +The attack surface reduction rules pane provides an overview of detected events on a per-rule basis. > [!NOTE]-> There are some variations in ASR rules reports. Microsoft is in the process of updating the behavior of the ASR rules reports to provide a consistent experience. 
+> There are some variations in attack surface reduction rules reports. Microsoft is in the process of updating the behavior of the attack surface reduction rules reports to provide a consistent experience. -Click **View detections** to open the **Detections** tab. +Select **View detections** to open the **Detections** tab. ->:::image type="content" source="images/attack-surface-reduction-rules-report-main-tabs-search.png" alt-text="Screenshot that shows the ASR rules report search feature." lightbox="images/attack-surface-reduction-rules-report-main-tabs-search.png"::: +>:::image type="content" source="images/attack-surface-reduction-rules-report-main-tabs-search.png" alt-text="Screenshot that shows the attack surface reduction rules report search feature." lightbox="images/attack-surface-reduction-rules-report-main-tabs-search.png"::: The **GroupBy** and **Filter** pane provide the following options: The **GroupBy** returns results set to the following groups: :::image type="content" source="images/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png" alt-text="Screenshot that shows the ASR rules report search feature on the configuration tab." lightbox="images/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png"::: -**Filter** opens the **Filter on rules** page, which enables you to scope the results to only the selected ASR rules: +**Filter** opens the **Filter on rules** page, which enables you to scope the results to only the selected attack surface reduction rules: > [!div class="mx-imgBorder"] > :::image type="content" source="images/asr-defender365-filter.png" alt-text="The Attack surface reduction rules detections filter on rules" lightbox="images/asr-defender365-filter.png"::: The **GroupBy** returns results set to the following groups: ### Configuration tab -ListsΓÇöon a per-computer basisΓÇöthe aggregate state of ASR rules: Off, Audit, Block. 
+ListsΓÇöon a per-computer basisΓÇöthe aggregate state of attack surface reduction rules: Off, Audit, Block. ->:::image type="content" source="images/attack-surface-reduction-rules-report-main-configuration-tab.png" alt-text="Screenshot that shows the ASR rules report main configuration tab." lightbox="images/attack-surface-reduction-rules-report-main-configuration-tab.png"::: +>:::image type="content" source="images/attack-surface-reduction-rules-report-main-configuration-tab.png" alt-text="Screenshot that shows the attack surface reduction rules report main configuration tab." lightbox="images/attack-surface-reduction-rules-report-main-configuration-tab.png"::: -On the Configurations tab, you can checkΓÇöon a per-device basisΓÇöwhich ASR rules are enabled, and in which mode, by selecting the device for which you want to review ASR rules. +On the Configurations tab, you can check, on a per-device basis, which attack surface reduction rules are enabled, and in which mode, by selecting the device for which you want to review attack surface reduction rules. >:::image type="content" source="images/attack-surface-reduction-rules-report-configuration-add-to-policy.png" alt-text="Screenshot that shows the ASR rules fly-out to add ASR rules to devices." 
lightbox="images/attack-surface-reduction-rules-report-configuration-add-to-policy.png"::: -The **Get started** link opens the Microsoft Intune admin center, where you can create or modify an endpoint protection policy for ASR: +The **Get started** link opens the Microsoft Intune admin center, where you can create or modify an endpoint protection policy for attack surface reduction: > [!div class="mx-imgBorder"] > :::image type="content" source="images/asr-defender365-05b-mem1.png" alt-text="The *Endpoint security menu item on the Overview page" lightbox="images/asr-defender365-05b-mem1.png"::: The Endpoint Security | Attack surface reduction pane opens: This tab provides a method to select detected entities (for example, false positives) for exclusion. When exclusions are added, the report provides a summary of the expected impact. > [!NOTE]-> Microsoft Defender Antivirus AV exclusions are honored by ASR rules. See [Configure and validate exclusions based on extension, name, or location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). +> Microsoft Defender Antivirus AV exclusions are honored by attack surface reduction rules. See [Configure and validate exclusions based on extension, name, or location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). > [!div class="mx-imgBorder"] > :::image type="content" source="Images/asr-defender365-06d.png" alt-text="The pane for exclusion of the detected file" lightbox="Images/asr-defender365-06d.png"::: This tab provides a method to select detected entities (for example, false posit > [!NOTE] > If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Exclusions](https://security.microsoft.com/asr?viewid=exclusions) tab. -For more information about using the ASR rules report, see [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md). 
+For more information about using the attack surface reduction rules report, see [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md). -## Configure ASR per-rule exclusions +## Configure attack surface reduction per-rule exclusions -ASR rules now provide the capability to configure rule-specific exclusions, known as "Per Rule Exclusions." +Attack surface reduction rules now provide the capability to configure rule-specific exclusions, known as "Per Rule Exclusions." > [!NOTE] > Per-rule exclusions cannot currently be configured by using PowerShell or Group Policy. ASR rules now provide the capability to configure rule-specific exclusions, know To configure specific rule exclusions: 1. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and navigate to **Home** > **Endpoint security** > **Attack surface reduction**.-1. If it isn't already configured, set the rule for which you want to configure exclusions to **Audit** or **Block**. -1. In **ASR Only Per Rule Exclusion**, click the toggle to change from **Not configured** to **Configured.** -1. Enter the names of the files or application that you want to exclude. -1. At the bottom of the **Create profile** wizard, select **Next** and follow the wizard instructions. ++2. If it isn't already configured, set the rule for which you want to configure exclusions to **Audit** or **Block**. ++3. In **ASR Only Per Rule Exclusion**, click the toggle to change from **Not configured** to **Configured.** ++4. Enter the names of the files or application that you want to exclude. ++5. At the bottom of the **Create profile** wizard, select **Next** and follow the wizard instructions. >:::image type="content" source="images/attack-surface-reduction-rules-report-per-rule-exclusion.png" alt-text="Screenshot that shows the configuration settings for adding ASR per-rule exclusions." 
lightbox="images/attack-surface-reduction-rules-report-per-rule-exclusion.png"::: > [!TIP] > Use the checkboxes next to your list of exclusion entries to select items to **Delete**, **Sort**, **Import**, or **Export**. -### Use PowerShell as an alternative method to enable ASR rules +### Use PowerShell as an alternative method to enable attack surface reduction rules -You can use PowerShell - as an alternative to Intune - to enable ASR rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. You can also get an idea of how often the rules fire during normal use. +You can use PowerShell - as an alternative to Intune - to enable attack surface reduction rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. You can also get an idea of how often the rules fire during normal use. To enable an attack surface reduction rule in audit mode, use the following PowerShell cmdlet: Event ID | Description [Operationalize attack surface reduction rules](attack-surface-reduction-rules-deployment-operationalize.md) [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
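Review bot: In the Configuration tab section, the added line still opens with the garbled dash sequence in "ListsΓÇöon a per-computer basisΓÇö", while the next changed sentence ("On the Configurations tab, you can check, on a per-device basis, ...") replaces the same dashes with commas; use commas in both so the encoding debris goes away. The blanket expansion of "ASR" also produces "Your new attack surface reduction policy for attack surface reduction rules is listed", which reads better as "Your new attack surface reduction rules policy is listed". Step 3 of the per-rule exclusions list keeps "click the toggle" although this change replaces "Click **View detections**" with "Select".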
security | Attack Surface Reduction Rules Deployment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment.md | This deployment collection provides information about the following aspects of a - attack surface reduction rules advanced hunting - attack surface reduction rules event viewer -## ASR rules deployment steps +## Attack surface reduction rules deployment steps As with any new, wide-scale implementation, which could potentially impact your line-of-business operations, it's important to be methodical in your planning and implementation. Careful planning and deployment of attack surface reduction rules is necessary to ensure they work best for your unique customer workflows. To work in your environment, you need to plan, test, implement, and operationalize attack surface reduction rules carefully. We recommended that you enable the following three _standard protection rules_. - [Block abuse of exploited vulnerable signed drivers](attack-surface-reduction-rules-reference.md#block-abuse-of-exploited-vulnerable-signed-drivers) - [Block persistence through Windows Management Instrumentation (WMI) event subscription](attack-surface-reduction-rules-reference.md#block-persistence-through-wmi-event-subscription) -Typically, you can enable the standard protection rules with minimal-to-no noticeable impact to the end user. For an easy method to enable the standard protection rules, see: [Simplified standard protection option](attack-surface-reduction-rules-report.md#simplified-standard-protection-option). +Typically, you can enable the standard protection rules with minimal-to-no noticeable impact to the end user. For an easy method to enable the standard protection rules, see [Simplified standard protection option](attack-surface-reduction-rules-report.md#simplified-standard-protection-option). 
> [!NOTE] > For customers who are using a non-Microsoft HIPS and are transitioning to Microsoft Defender for Endpoint attack surface reduction rules, Microsoft advises running the HIPS solution alongside attack surface reduction rules deployment until the moment you shift from Audit mode to Block mode. Keep in mind that you must reach out to your non-Microsoft antivirus provider for exclusion recommendations. -## Before you begin testing or enabling ASR rules +## Before you begin testing or enabling attack surface reduction rules -During your initial preparation, it's vital that you understand the capabilities of the systems that you put in place. Understanding the capabilities help you determine which attack surface reduction rules are most important for protecting your organization. Additionally, there are several prerequisites, which you must attend to in preparation of your attack surface reduction deployment. +During your initial preparation, it's vital to understand the capabilities of the systems that you put in place. Understanding the capabilities help you determine which attack surface reduction rules are most important for protecting your organization. Additionally, there are several prerequisites, which you must attend to in preparation of your attack surface reduction deployment. > [!IMPORTANT] > This guide provides images and examples to help you decide how to configure attack surface reduction rules; these images and examples might not reflect the best configuration options for your environment. -Before you start, review [Overview of attack surface reduction](overview-attack-surface-reduction.md), and [Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) for foundational information. 
To understand the areas of coverage and potential impact, familiarize yourself with the current set of attack surface reduction rules; see [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md). While you're familiarizing yourself with the attack surface reduction rules set, take note of the per-rule GUID mappings; see: [Attack surface reduction rule to GUID matrix](attack-surface-reduction-rules-reference.md#asr-rule-to-guid-matrix). +Before you start, review [Overview of attack surface reduction](overview-attack-surface-reduction.md), and [Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) for foundational information. To understand the areas of coverage and potential impact, familiarize yourself with the current set of attack surface reduction rules; see [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md). While you're familiarizing yourself with the attack surface reduction rules set, take note of the per-rule GUID mappings; see [Attack surface reduction rule to GUID matrix](attack-surface-reduction-rules-reference.md#asr-rule-to-guid-matrix). Attack surface reduction rules are only one capability of the attack surface reduction capabilities within Microsoft Defender for Endpoint. This document goes into more detail on deploying attack surface reduction rules effectively to stop advanced threats like human-operated ransomware and other threats. 
-### ASR rules list by category +### Attac surface reduction rules list by category The following table shows attack surface reduction rules by category: -<br/> - | Polymorphic threats | Lateral movement & credential theft | Productivity apps rules | Email rules | Script rules | Misc rules | |:|:|:|:|:|:|-| Block executable files from running unless they meet a prevalence (1000 machines), age, or trusted list criteria | Block process creations originating from PSExec and WMI commands | Block Office apps from creating executable content | Block executable content from email client and webmail | Block obfuscated JS/VBS/PS/macro code | Block abuse of exploited vulnerable signed drivers <sup>[[1](#fn1)]<sup></sup> | +| Block executable files from running unless they meet a prevalence (1,000 machines), age, or trusted list criteria | Block process creations originating from PSExec and WMI commands | Block Office apps from creating executable content | Block executable content from email client and webmail | Block obfuscated JS/VBS/PS/macro code | Block abuse of exploited vulnerable signed drivers <sup>[[1](#fn1)]<sup></sup> | | Block untrusted and unsigned processes that run from USB | Block credential stealing from the Windows local security authority subsystem (lsass.exe)<sup>[[2](#fn1)]<sup></sup> | Block Office apps from creating child processes | Block only Office communication applications from creating child processes | Block JS/VBS from launching downloaded executable content | | | Use advanced protection against ransomware | Block persistence through WMI event subscription | Block Office apps from injecting code into other processes | Block Office communication apps from creating child processes | | | | | | Block Adobe Reader from creating child processes | | | | (<a id="fn1">1</a>) _Block abuse of exploited vulnerable signed drivers_ is now available under **Endpoint Security** > **Attack Surface Reduction**. 
-(<a id="fn1">2</a>) Some attack surface reduction rules generate considerable noise, but don't block functionality. For example, if you're updating Chrome, Chrome accesses **lsass.exe**; passwords are stored in **lsass** on the device. However, Chrome shouldn't be accessing local device **lsass.exe**. If you enable the rule to block access to **lsass**, you see many events. Those events are good events because the software update process shouldn't access lsass.exe. Using this rule blocks Chrome updates from accessing **lsass**, but won't block Chrome from updating. This is also true of other applications that make unnecessary calls to **lsass.exe**. The _block access to lsass_ rule will block unnecessary calls to **lsass**, but doesn't block the application from running. +(<a id="fn1">2</a>) Some attack surface reduction rules generate considerable noise, but don't block functionality. For example, if you're updating Chrome, Chrome accesses **lsass.exe**; passwords are stored in **lsass** on the device. However, Chrome shouldn't be accessing local device **lsass.exe**. If you enable the rule to block access to **lsass**, you see many events. Those events are good events because the software update process shouldn't access lsass.exe. Using this rule blocks Chrome updates from accessing **lsass**, but won't block Chrome from updating. This is also true of other applications that make unnecessary calls to **lsass.exe**. The _block access to lsass_ rule blocks unnecessary calls to **lsass**, but doesn't block the application from running. ### Attack surface reduction infrastructure requirements To take full advantage of attack surface reduction rules and reporting, we recom > There are multiple methods to configure attack surface reduction rules. Attack surface reduction rules can be configured using: Microsoft Intune, PowerShell, Group Policy, Microsoft Configuration Manager (ConfigMgr), Intune OMA-URI. 
> If you are using a different infrastructure configuration than what is listed for _Infrastructure requirements_, you can learn more about deploying attack surface reduction rules using other configurations here: [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -### ASR rules dependencies +### Attack surface reduction rules dependencies Microsoft Defender Antivirus must be enabled and configured as primary anti-virus solution, and must be in the following mode: Microsoft Defender Antivirus must not be in any of the following modes: See [Cloud-delivered protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) for more. -### Cloud Protection (MAPS) must be enabled to enable ASR rules +### Cloud Protection (MAPS) must be enabled to enable attack surface reduction rules Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, arguably providing the best antivirus defense. Cloud protection is critical to preventing breaches from malware and a critical component of attack surface reduction rules. [Turn on cloud-delivered protection in Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md). -### Microsoft Defender Antivirus components must be current versions for ASR rules +### Microsoft Defender Antivirus components must be current versions for attack surface reduction rules The following Microsoft Defender Antivirus component versions must be no more than two versions older than the most-currently-available version: The following Microsoft Defender Antivirus component versions must be no more th - **Microsoft Defender Antivirus engine version** - Microsoft Defender Antivirus engine is updated monthly. 
- **Microsoft Defender Antivirus security intelligence** - Microsoft continually updates Microsoft Defender security intelligence (also known as, definition and signature) to address the latest threats, and to refine detection logic. -Keeping Microsoft Defender Antivirus versions current helps reduce ASR rules false positive results and improves Microsoft Defender Antivirus detection capabilities. For more details on the current versions and how to update the different Microsoft Defender Antivirus components visit [Microsoft Defender Antivirus platform support](microsoft-defender-antivirus-updates.md). +Keeping Microsoft Defender Antivirus versions current helps reduce attack surface reduction rules false positive results and improves Microsoft Defender Antivirus detection capabilities. For more details on the current versions and how to update the different Microsoft Defender Antivirus components visit [Microsoft Defender Antivirus platform support](microsoft-defender-antivirus-updates.md). ### Caveat -Some rules don't work well if unsigned, internally developed application and scripts are in high usage. It's more difficult to deploy ASR rules if code signing isn't enforced. +Some rules don't work well if unsigned, internally developed application and scripts are in high usage. It's more difficult to deploy attack surface reduction rules if code signing isn't enforced. 
## Other articles in this deployment collection Some rules don't work well if unsigned, internally developed application and scr [Demystifying attack surface reduction rules - Part 4](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-4/ba-p/1384425) -### ASR rules collection +### Attack surface reduction rules collection [Overview of attack surface reduction](overview-attack-surface-reduction.md) Some rules don't work well if unsigned, internally developed application and scr [Attack surface reduction](https://security.microsoft.com/asr?viewid=detections) -[ASR rules Configurations](https://security.microsoft.com/asr?viewid=configuration) +[Attack surface reduction rules configurations](https://security.microsoft.com/asr?viewid=configuration) ++[Attack surface reduction rules exclusions](https://security.microsoft.com/asr?viewid=exclusions) -[ASR rules Exclusions](https://security.microsoft.com/asr?viewid=exclusions) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
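Review bot: The new heading "### Attac surface reduction rules list by category" misspells "Attack", and because the section anchor is derived from the heading text, the typo would also land in the anchor that other articles link to; fix the spelling before merging. In the same patch, the rewritten paragraph under "Before you begin testing or enabling attack surface reduction rules" still has "Understanding the capabilities help you determine" (should be "helps"). Both footnotes also keep `id="fn1"`, so the `[[2](#fn1)]` reference resolves to the first footnote; give the second one its own id.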
security | Attack Surface Reduction Rules Reference | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md | |
security | Attack Surface Reduction Rules Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report.md | Title: Attack surface reduction rules reporting description: Provides information about attack surface reduction rules detections, configuration, block threats, and methods to enable three standard rules and exclusions. -keywords: Attack surface reduction rules, ASR, asr rules, hips, host intrusion prevention system, protection rules, anti-exploit rules, antiexploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules, ASR rule description -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro----++++ The **Add exclusions** tab presents a ranked list of detections by file name and > [!IMPORTANT] > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files are allowed to run, and no report or event will be recorded.-> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](attack-surface-reduction-rules-deployment-test.md#step-1-test-asr-rules-using-audit). +> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](attack-surface-reduction-rules-deployment-test.md#step-1-test-attack-surface-reduction-rules-using-audit). When you select a file, a **Summary & expected impact** fly out opens, presenting the following types of information: |
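Review bot: The IMPORTANT note around the updated link still uses the abbreviation twice ("protection provided by ASR rules", "If ASR rules are detecting files"), while the linked test article now spells out "attack surface reduction rules" throughout; expand it here too so the two pages stay consistent. The new anchor `#step-1-test-attack-surface-reduction-rules-using-audit` does match the renamed "Step 1: Test attack surface reduction rules using Audit" heading.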
security | Attack Surface Reduction | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md | |
security | Auto Investigation Action Center | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/auto-investigation-action-center.md | Title: Visit the Action center to see remediation actions description: Use the action center to view details and results following an automated investigation keywords: action, center, autoir, automated, investigation, response, remediation ms.sitesec: library ms.pagetype: security |
security | Autoir Investigation Results | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/autoir-investigation-results.md | Title: View the details and results of an automated investigation description: During and after an automated investigation, you can view the results and key findings keywords: automated, investigation, results, analyze, details, remediation, autoair search.appverid: met150 ms.sitesec: library ms.pagetype: security f1.keywords: |
security | Automated Investigations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automated-investigations.md | Title: Use automated investigations to investigate and remediate threats description: Understand the automated investigation flow in Microsoft Defender for Endpoint. -keywords: automated, investigation, detection, Microsoft Defender for Endpoint -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 08/31/2022-+ audience: ITPro - m365-security |
security | Automation Levels | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automation-levels.md | Title: Automation levels in automated investigation and remediation description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint-+ -+ ms.localizationpriority: medium Last updated 07/27/2023-+ audience: ITPro - m365-security |
security | Azure Server Integration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/azure-server-integration.md | Title: Integration with Microsoft Defender for Cloud description: Learn about Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud -keywords: integration, server, azure, 2012r2, 2016, 2019, server onboarding, device management, configure Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers -search.product: eADQiWindows 10XVcnh search.appverid: met150-ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Basic Permissions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/basic-permissions.md | Title: Use basic permissions to access the portal description: Learn how to use basic permissions to access the Microsoft Defender for Endpoint portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles ms.sitesec: library ms.pagetype: security |
security | Behavioral Blocking Containment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md | Title: Behavioral blocking and containment description: Learn about behavioral blocking and containment capabilities at Microsoft Defender for Endpoint -keywords: Microsoft Defender for Endpoint, EDR in block mode, passive mode blocking -ms.pagetype: security ---+++ audience: ITPro |
security | Built In Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/built-in-protection.md | Title: Built-in protection helps guard against ransomware description: Learn how built-in protection protects against ransomware as part of Microsoft Defender for Endpoint. search.appverid: MET150---+++ audience: Admin Last updated 06/06/2023 |
security | Check Sensor Status | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md | Title: Check the device health at Microsoft Defender for Endpoint description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or aren't reporting sensor data. -keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Client Behavioral Blocking | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md | Title: Client behavioral blocking description: Client behavioral blocking is part of behavioral blocking and containment capabilities at Microsoft Defender for Endpoint -keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender for Endpoint -ms.pagetype: security ---+++ audience: ITPro |
security | Cloud Protection Microsoft Antivirus Sample Submission | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md | Title: Cloud protection and sample submission at Microsoft Defender Antivirus description: Learn about cloud-delivered protection and Microsoft Defender Antivirus -keywords: Microsoft Defender Antivirus, next-generation technologies, antivirus sample submission, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection -ms.sitesec: library ms.localizationpriority: medium--++ -+ Last updated 02/24/2022 |
security | Cloud Protection Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md | Title: Cloud protection and Microsoft Defender Antivirus description: Learn about cloud protection and Microsoft Defender Antivirus -keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud protection -ms.sitesec: library ms.localizationpriority: medium--++ -+ |
security | Collect Diagnostic Data Update Compliance | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data-update-compliance.md | Title: Collect diagnostic data for Update Compliance and Microsoft Defender Antivirus -description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add-in. +description: Learn how to collect diagnostic data that's used by Microsoft support and engineering teams when they help with troubleshooting issues with Microsoft Defender Antivirus. ms.localizationpriority: medium--++ Last updated 08/22/2023 -+ |
security | Collect Diagnostic Data | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md | Title: Collect diagnostic data of Microsoft Defender Antivirus description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus ms.localizationpriority: medium--++ Last updated 02/02/2024 -+ |
security | Command Line Arguments Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md | Title: Use the command line to manage Microsoft Defender Antivirus description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility. ms.localizationpriority: medium--++ -+ Last updated 06/06/2023 |
security | Common Exclusion Mistakes Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus.md | Title: Common mistakes to avoid when defining exclusions description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans. ms.localizationpriority: medium--++ -+ Last updated 07/18/2023 |
security | Comprehensive Guidance On Linux Deployment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment.md | Title: Advanced deployment guidance for Microsoft Defender for Endpoint on Linux description: Learn how to deploy Defender for Endpoint on Linux and address issues such as high cpu utilization --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 11/29/2023 - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) -This article provides advanced deployment guidance for Microsoft Defender for Endpoint on Linux. You'll get a brief summary of the deployment steps, learn about the system requirements, then be guided through the actual deployment steps. You'll also learn how to verify that the device has been correctly onboarded. +This article provides advanced deployment guidance for Microsoft Defender for Endpoint on Linux. You get a brief summary of the deployment steps, learn about the system requirements, then be guided through the actual deployment steps. You'll also learn how to verify that the device has been correctly onboarded. For information about Microsoft Defender for Endpoint capabilities, see [Advanced Microsoft Defender for Endpoint capabilities](#advanced-microsoft-defender-for-endpoint-capabilities). For a detailed list of supported Linux distros, see [System requirements](micros ||| |Disk space |Minimum: 2 GB <br> NOTE: More disk space might be needed if cloud diagnostics are enabled for crash collections. 
| |RAM |1 GB<br> 4 GB is preferred|-|CPU |If the Linux system is running only 1 vcpu, we recommend it be increased to 2 vcpu's<br> 4 cores are preferred | +|CPU |If the Linux system is running only one vcpu, we recommend it be increased to two vcpu's<br> 4 cores are preferred | |OS version|Kernel filter driver|Comments| |||| The following table describes the settings that are recommended as part of `mdat - Save the setting as `mdatp_managed.json` file. - Copy the setting to this path `/etc/opt/microsoft/mdatp/managed/`. For more information, see [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md).-- Add your third-party antimalware processes and paths to the exclusion list from the prior step.-- Verify that you've added your current exclusions from your third-party antimalware to the prior step.+- Add your non-Microsoft antimalware processes and paths to the exclusion list from the prior step. +- Verify that you've added your current exclusions from your non-Microsoft antimalware solution to the prior step. ### Applications that Microsoft Defender for Endpoint can impact -High I/O workloads such as Postgres, OracleDB, Jira, and Jenkins may require additional exclusions depending on the amount of activity that is being processed (which is then monitored by Defender for Endpoint). It's best to follow guidance from third party application providers for exclusions if you experience performance degradation after installing Defender for Endpoint. Also keep in mind [Common Exclusion Mistakes for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus). +High I/O workloads such as Postgres, OracleDB, Jira, and Jenkins might require other exclusions, depending on the amount of activity that is being processed (and monitored by Defender for Endpoint). 
It's best to follow guidance from non-Microsoft application providers for their exclusions if you experience performance degradation after installing Defender for Endpoint. Also keep in mind [Common Exclusion Mistakes for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus). -You can refer to these documents for more information if you experience performance degradation: +If you experience performance degradation, see the following resources: - [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md). - [Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux](troubleshoot-auditd-performance-issues.md). Learn how to troubleshoot issues that might occur during installation in [Troubl ## 14. Check resource utilization statistics -Check performance statistics and compare to pre-deployment utilization compared to post-deployment. +Check performance statistics and compare to predeployment utilization compared to post-deployment. ## 15. Verify communication with Microsoft Defender for Endpoint backend Use the following syntaxes to help identify the process that is causing CPU over :::image type="content" source="images/cpu-utilization.png" alt-text="This is CPU utilization"::: -The following table lists the processes that may cause a high CPU usage: +The following table lists the processes that might cause a high CPU usage: |Process name|Component used|MDE engine used| |||| Use the following table to troubleshoot high CPU utilization: ||||| |wdavdaemon|FANotify | Antivirus & EDR|- Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. 
For more information, see [CSS security support case](/mem/get-support). |wdavdaemon unprivileged|N/A|Antivirus engine| The following diagram shows the workflow and steps required in order to add Antivirus exclusions. <br/><br/> :::image type="content" source="images/unprivileged-plugins.png" alt-text="Screenshot that shows This is unprivileged sensors." lightbox="images/unprivileged-plugins.png"::: <br/><br/>**General troubleshooting guidance**<br/> - If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware by using the unified submissions experience (for more information, see [Unified submissions experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770)) or [File submissions](https://www.microsoft.com/wdsi/filesubmission). <br/><br/> - See [troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).<br/><br/> - Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support).-|wdavdaemon edr| N/A |EDR engine|The following diagram shows the workflow and steps to troubleshoot wdavedaemon_edr process issues. <br/><br/> :::image type="content" source="images/wdavdaemon_edr_engine.png" alt-text="Image of troubleshooting wdavdaemon edr process." 
lightbox="images/wdavdaemon_edr_engine.png"::: <br/><br/>**General troubleshooting guidance**<br/>- If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware by using the unified submissions experience (for more information, see [Unified submissions experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770)) or [File submissions](https://www.microsoft.com/wdsi/filesubmission). <br/><br/> - See [troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).<br/><br/> - Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support). +|wdavdaemon edr| N/A |EDR engine|The following diagram shows the workflow and steps to troubleshoot wdavedaemon_edr process issues. <br/><br/> :::image type="content" source="images/wdavdaemon_edr_engine.png" alt-text="Image of troubleshooting wdavdaemon edr process." lightbox="images/wdavdaemon_edr_engine.png"::: <br/><br/>**General troubleshooting guidance**<br/>- If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. 
Submit files you think are malware or files that you believe are incorrectly classified as malware by using the unified submissions experience (for more information, see [Unified submissions experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770)) or [File submissions](https://www.microsoft.com/wdsi/filesubmission). <br/><br/> - See [troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).<br/><br/> - Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support). |mdatp_audisp_plugin|Audit framework|Audit log ingestion| See [Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux](troubleshoot-auditd-performance-issues.md). ## 22. Uninstall your non-Microsoft solution |
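Review bot: In the rewritten introduction, "You get a brief summary of the deployment steps, learn about the system requirements, then be guided through the actual deployment steps" no longer parses, because "be guided" depended on the "You'll" that this change removed. Suggest "You get a brief summary of the deployment steps, learn about the system requirements, and are then guided through the actual deployment steps." The next sentence still begins "You'll also learn", so the paragraph now mixes present and future tense; pick one.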
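Review bot: In section 14, the new line "Check performance statistics and compare to predeployment utilization compared to post-deployment" keeps the doubled "compare to ... compared to" from the old text and now mixes unhyphenated "predeployment" with hyphenated "post-deployment". Suggest "Check performance statistics and compare predeployment utilization with post-deployment utilization", with one hyphenation style for both terms, so the reader knows which two measurements to set side by side when judging the sensor's resource impact.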
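Review bot: In the "wdavdaemon edr" row of the high CPU troubleshooting table, the added line still spells the process "wdavedaemon_edr", while the process-name column and the image source (wdavdaemon_edr_engine.png) use "wdavdaemon". An admin matching this name against process listings would not find it, so correct the spelling in the same change. The "have been incorrectly classified" to "are incorrectly classified" rewording was also applied only to this row; the identical sentence in the "wdavdaemon unprivileged" row is unchanged and should be updated to match.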
security | Conditional Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/conditional-access.md | Title: Enable Conditional Access to better protect users, devices, and data description: Enable Conditional Access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant. -keywords: conditional access, block applications, security level, intune, -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configuration Management Reference Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus.md | Title: Manage Microsoft Defender Antivirus in your business description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender Antivirus -keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ Last updated 10/18/2021 -+ |
security | Configure Advanced Scan Types Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md | Title: Configure scanning options for Microsoft Defender Antivirus description: You can configure Microsoft Defender Antivirus to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files). ms.localizationpriority: medium--++ -+ Previously updated : 07/05/2023 Last updated : 02/16/2024 - m365-security - tier2 |
security | Configure Automated Investigations Remediation | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation.md | Title: Configure automated investigation and remediation capabilities description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Block At First Sight Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md | Title: Enable block at first sight to detect malware in seconds description: Turn on the block at first sight feature to detect and block malware within seconds. -keywords: scan, block at first sight, malware, first sight, cloud, defender, antivirus -ms.sitesec: library ms.localizationpriority: high--++ -+ Previously updated : 04/10/2023 Last updated : 02/16/2024 |
security | Configure Cloud Block Timeout Period Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md | Title: Configure the Microsoft Defender Antivirus cloud block timeout period description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination. -keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ -+ Previously updated : 10/18/2021 Last updated : 02/16/2024 - m365-security - tier2 |
security | Configure Conditional Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-conditional-access.md | Title: Configure Conditional Access in Microsoft Defender for Endpoint description: Learn about steps that you need to do in Intune, Microsoft Defender XDR, and Azure to implement Conditional access -keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Contextual File Folder Exclusions Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md | Title: Contextual file and folder exclusions description: Describes the contextual file and folder exclusions capability for Microsoft Defender Antivirus on Windows. This capability allows you to be more specific when you define under which context Microsoft Defender Antivirus shouldn't scan a file or folder, by applying restrictions --++ ms.localizationpriority: medium Last updated 12/07/2023-+ audience: ITPro - m365-security |
security | Configure Device Connectivity | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-connectivity.md | Title: Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint description: Learn how to use a streamlined domain or static IP ranges during onboarding when connecting devices to Microsoft Defender for Endpoint ---+++ |
security | Configure Device Discovery | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-discovery.md | Title: Configure device discovery description: Learn how to configure device discovery in Microsoft Defender XDR using basic or standard discovery -keywords: basic, standard, configure endpoint discovery, device discovery -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Endpoints Gp | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md | |
security | Configure Endpoints Mdm | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md | Title: Onboard Windows devices to Defender for Endpoint using Intune description: Use Microsoft Intune to deploy the configuration package on devices so that they are onboarded to the Defender for Endpoint service. -keywords: onboard devices using mdm, device management, onboard Microsoft Defender for Endpoint devices, mdm -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Endpoints Non Windows | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md | ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Endpoints Sccm | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md | Title: Onboard Windows devices using Configuration Manager description: Use Configuration Manager to deploy the configuration package on devices so that they are onboarded to the Defender for Endpoint service. -keywords: onboard devices using sccm, device management, configure Microsoft Defender for Endpoint devices -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Endpoints Script | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md | Title: Onboard Windows devices using a local script description: Use a local script to deploy the configuration package on devices to enable onboarding of the devices to the service. -keywords: configure devices using a local script, device management, configure Microsoft Defender for Endpoint devices search.appverid: met150 ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Endpoints Vdi | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md | |
security | Configure Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-environment.md | Title: Configure your network environment to ensure connectivity with Defender f description: Learn how to configure your network environment to connect with the Defender for Endpoint service search.appverid: met150 --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Exclusions Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md | description: You can exclude files (including files modified by specified proces ms.localizationpriority: medium Last updated 01/02/2024--++ -+ ms.audience: ITPro |
security | Configure Extension File Exclusions Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md | |
security | Configure Local Policy Overrides Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md | description: Enable or disable users from locally changing settings in Microsoft ms.localizationpriority: medium--++ Last updated 07/13/2023 -+ - m365-security - tier2 |
security | Configure Machines Asr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md | Title: Optimize ASR rule deployment and detections description: Optimize your attack surface reduction rules to identify and prevent typical malware exploits. -keywords: onboard, Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Windows Defender, attack surface reduction, ASR, security baseline -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Machines Onboarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md | Title: Get devices onboarded to Microsoft Defender for Endpoint description: Track onboarding of Intune-managed devices to Microsoft Defender for Endpoint and increase onboarding rate. -keywords: onboard, Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Windows Defender, configuration management -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Machines Security Baseline | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-security-baseline.md | Title: Increase compliance to the Microsoft Defender for Endpoint security baseline description: The Microsoft Defender for Endpoint security baseline sets security controls to provide optimal protection. -keywords: Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Microsoft Defender for Endpoint ASR, security baseline -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Machines | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines.md | Title: Ensure your devices are configured properly description: Properly configure devices to boost overall resilience against threats and enhance your capability to detect and respond to attacks. -keywords: onboard, Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Windows Defender, attack surface reduction, ASR, security baseline -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Microsoft Defender Antivirus Features | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md | Title: Configure Microsoft Defender Antivirus features description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Configuration Manager, Group Policy, and PowerShell. -keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -+ - m365-security - tier2 |
security | Configure Microsoft Threat Experts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts.md | Title: Configure and manage Microsoft Defender Experts capabilities description: Register to Microsoft Threats Experts to configure, manage, and use it in your daily security operations and security administration work. -keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service -search.product: Windows 10 -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Mssp Notifications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-notifications.md | Title: Configure alert notifications that are sent to MSSPs description: Configure alert notifications that are sent to MSSPs -keywords: managed security service provider, mssp, configure, integration -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Mssp Support | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-support.md | Title: Configure managed security service provider support description: Take the necessary steps to configure the MSSP integration with the Microsoft Defender for Endpoint -keywords: managed security service provider, mssp, configure, integration -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 [!include[Prerelease information](../../includes/prerelease.md)] -You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration. +To enable the managed security service provider (MSSP) integration, follow the guidance in this article. > [!NOTE] > The following terms are used in this article to distinguish between the service provider and service consumer: You'll need to take the following configuration steps to enable the managed secu > - MSSPs: Security organizations that offer to monitor and manage security devices for an organization. > - MSSP customers: Organizations that engage the services of MSSPs. -The integration will allow MSSPs to take the following actions: +The integration allows MSSPs to take the following actions: - Get access to MSSP customer's Microsoft Defender portal - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools -Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal. +Before MSSPs can take these actions, the MSSP customer needs to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal. -Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. 
After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. +Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, the MSSP or customer can do the other configuration steps. In general, these are the configuration steps to complete: -In general, the following configuration steps need to be taken: --- **Grant the MSSP access to Microsoft Defender XDR**-- This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant. --- **Configure alert notifications sent to MSSPs**-- This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer. --- **Fetch alerts from MSSP customer's tenant into SIEM system**-- This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools. --- **Fetch alerts from MSSP customer's tenant using APIs**-- This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. +| Step | Who does it| +||| +| **Grant the MSSP access to Microsoft Defender XDR**. This action grants the MSSP access to the MSSP customer's Defender for Endpoint tenant. | MSSP Customer | +| **Configure alert notifications sent to MSSPs**. This action lets the MSSPs know what alerts they need to address for the MSSP customer. | MSSP customer or MSSP | +| **Fetch alerts from MSSP customer's tenant into SIEM system**. This action allows MSSPs to fetch alerts in SIEM tools. | MSSP | +| **Fetch alerts from MSSP customer's tenant using APIs**. This action allows MSSPs to fetch alerts using APIs. 
| MSSP | ## Multi-tenant access for MSSPs -For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440). +For information on how to implement a multitenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440). -## Related topics +## Related articles - [Grant MSSP access to the portal](grant-mssp-access.md) - [Access the MSSP customer portal](access-mssp-portal.md) |
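Review bot: In the new steps table for configure-mssp-support.md, the "Who does it" column is capitalised inconsistently: the first row has "MSSP Customer" while the second has "MSSP customer or MSSP". Use lowercase "customer" in both, matching the term as the article's NOTE defines it, since this column is now the only place that says the access grant must come from the customer side. Two smaller points in the same change: "how to implement a multitenant delegated access" keeps a stray article and now disagrees with the unchanged heading and link title, which still say "Multi-tenant" (suggest "how to implement multitenant delegated access"), and the rewritten sentence still refers to the "Windows Defender Security Central tenant" while the surrounding lines say "Defender for Endpoint tenant".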
security | Configure Network Connections Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md | description: Configure and test your connection to the Microsoft Defender Antivi ms.localizationpriority: medium---+++ Last updated 06/26/2023 |
security | Configure Notifications Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus.md | Title: Configure Microsoft Defender Antivirus notifications description: Learn how to configure and customize both standard and other Microsoft Defender Antivirus notifications on endpoints. -keywords: notifications, defender, antivirus, endpoint, management, admin -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ -+ Last updated 10/18/2021 -+ - m365-security - tier2 |
security | Configure Process Opened File Exclusions Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md | description: You can exclude files from scans if they've been opened by a specif ms.localizationpriority: medium--++ -+ - m365-security - tier2 |
security | Configure Protection Features Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md | Title: Enable and configure Microsoft Defender Antivirus protection features description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender Antivirus. -keywords: heuristic, machine learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ -+ - m365-security - tier2 |
security | Configure Proxy Internet | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md | Title: Configure your devices to connect to the Defender for Endpoint service using a proxy description: Learn how to configure your devices to enable communication with the cloud service using a proxy. -keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.appverid: met150 --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Configure Real Time Protection Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md | Title: Enable and configure Microsoft Defender Antivirus always-on protection description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine learning -keywords: antivirus, real-time protection, rtp, machine learning, behavior monitoring, heuristics ms.localizationpriority: medium--++ Last updated 05/24/2023-+ - m365-security |
security | Configure Remediation Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md | description: Configure what Microsoft Defender Antivirus should do when it detec ms.localizationpriority: medium--++ Last updated 09/15/2023 -+ - m365-security - tier2 |
security | Configure Server Endpoints | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md | Title: Onboard Windows servers to the Microsoft Defender for Endpoint service description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender for Endpoint sensor. -keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 07/12/2023-+ audience: ITPro - m365-security |
security | Configure Server Exclusions Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md | Title: Microsoft Defender Antivirus exclusions on Windows Server -+ description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions. ms.localizationpriority: medium Last updated 08/07/2023--++ |
security | Configure Siem | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-siem.md | Title: Migrate from the MDE SIEM API to the Microsoft Defender XDR alerts API description: Learn how to ingest incidents and alerts, and integrate SIEM tools. -keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 ## Use the new Microsoft Defender XDR API for all your alerts -> [!IMPORTANT] -> In February we announced the [Deprecation of the Microsoft Defender for Endpoint SIEM API would be postponed](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api-postponed/ba-p/3139643). -After gathering customer feedback, we have learned there are challenges with the timeline originally communicated. As a result, we are making changes to our timeline to improve our customers' experience in migrating to the new API. -The new Microsoft Defender XDR alerts API, released to public preview in MS Graph, is the official and recommended API for customers migrating from the SIEM API. This API will enable customers to work with alerts across all Microsoft Defender XDR products using a single integration. We expect the new API to reach general availability (GA) by Q1 CY 2023. -To provide customers with more time to plan and prepare their migration to the new Microsoft Defender XDR APIs, we have pushed the SIEM API deprecation date to December 31, 2023. This will give customers one year from the expected GA release of Microsoft Defender XDR APIs to migrate from the SIEM API. At the time of deprecation, the SIEM API will be declared "deprecated" but not "retired." 
This means that until this date, the SIEM API will continue to function for existing customers. After the deprecation date, the SIEM API will continue to be available, however it will only be supported for security-related fixes. -Effective December 31st, 2024, three years after the original deprecation announcement, we reserve the right to turn off the SIEM API, without additional notice. +The Microsoft Defender XDR alerts API, released to public preview in MS Graph, is the official and recommended API for customers migrating from the SIEM API. This API enables customers to work with alerts across all Microsoft Defender XDR products using a single integration. We expect the new API to reach general availability (GA) by Q1 CY 2023. -For additional information about the new APIs see the blog announcement: [The new Microsoft Defender XDR APIs in Microsoft Graph are now available in public preview!](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099) +The SIEM API was deprecated on December 31, 2023. It's declared to be "deprecated," but not "retired." This means that until this date, the SIEM API continues to function for existing customers. After the deprecation date, the SIEM API will continue to be available, however it will only be supported for security-related fixes. ++Effective December 31, 2024, three years after the original deprecation announcement, we reserve the right to turn off the SIEM API, without further notice. 
++For additional information about the new APIs, see the blog announcement: [The new Microsoft Defender XDR APIs in Microsoft Graph are now available in public preview!](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099) API documentation: [Use the Microsoft Graph security API - Microsoft Graph](/graph/api/resources/security-api-overview#alerts-and-incidents-preview) -If you are a customer using the SIEM API, we strongly recommend planning and executing the migration. Listed below is information about the options available to migrate to a supported capability: +If you're a customer using the SIEM API, we strongly recommend planning and executing the migration. This article includes information about the options available to migrate to a supported capability: ++1. [Pulling MDE alerts into an external system](#pulling-defender-for-endpoint-alerts-into-an-external-system) (SIEM/SOAR). -1. [Pulling MDE alerts into an external system](#pulling-defender-for-endpoint-alerts-into-an-external-system) (SIEM/SOAR) -1. [Calling the Microsoft Defender XDR alerts API directly](#calling-the-microsoft-365-defender-alerts-api-directly) +1. [Calling the Microsoft Defender XDR alerts API directly](#calling-the-microsoft-365-defender-alerts-api-directly). Read about the new Microsoft Defender XDR [alerts and incidents API](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099#:~:text=Incidents%3A%20Contain%20incident%20metadata%20and%20a%20collection%20of,richer%20and%20actionable%20information%20for%20your%20automation%20flows.) 
### Pulling Defender for Endpoint alerts into an external system -If you are pulling Defender for Endpoint alerts into an external system, there are various supported options to give organizations the flexibility to work with the solution of their choice: +If you're pulling Defender for Endpoint alerts into an external system, there are several supported options to give organizations the flexibility to work with the solution of their choice: 1. **Microsoft Sentinel** is a scalable, cloud-native, SIEM and Security orchestration, automation, and response (SOAR) solution. Delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response. The Microsoft Defender XDR connector allows customers to easily pull in all their incidents and alerts from all Microsoft Defender XDR products. To learn more about the integration, see [Microsoft Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration).+ 1. **IBM Security QRadar** SIEM provides centralized visibility and intelligent security analytics to identify and prevent threats and vulnerabilities from disrupting business operations. [QRadar SIEM team has just announced the release of a new DSM](https://community.ibm.com/community/user/security/blogs/gaurav-sharma/2022/10/18/ibm-qradar-and-microsoft-defender) that is integrated with the new Microsoft Defender XDR alerts API to pull in Microsoft Defender for Endpoint alerts. New customers are welcome to take advantage of the new DSM upon release. Learn more about the new DSM and how to easily migrate to it at [Microsoft Defender XDR - IBM Documentation](https://www.ibm.com/docs/en/dsm?topic=microsoft-365-defender).+ 1. **Splunk SOAR** helps customers orchestrate workflows and automate tasks in seconds to work smarter and respond faster. 
Splunk SOAR is integrated with the new Microsoft Defender XDR APIs, including the alerts API. For more information, see [Microsoft Defender XDR | Splunkbase](https://splunkbase.splunk.com/app/6563) -Additional integrations are listed in [Technological partners of Microsoft Defender XDR](technological-partners.md), or contact your SIEM / SOAR provider to learn about integrations they may provide. +Other integrations are listed in [Technological partners of Microsoft Defender XDR](technological-partners.md), or contact your SIEM / SOAR provider to learn about integrations they provide. <a name='calling-the-microsoft-365-defender-alerts-api-directly'></a> The below table provides a mapping between the SIEM API to the Microsoft Defende | SIEM API property | Mapping | Microsoft Defender XDR alert API property | |:|::|:|-| AlertTime |->| createdDateTime | -| ComputerDnsName |->| evidence/deviceEvidence: deviceDnsName | -| AlertTitle |->| title | -| Category |->| category | -| Severity |->| severity | -| AlertId |->| id | -| Actor |->| actorDisplayName | -| LinkToWDATP |->| alertWebUrl | -| IocName | X | IoC fields not supported | -| IocValue | X | IoC fields not supported | -| CreatorIocName | X | IoC fields not supported | -| CreatorIocValue | X | IoC fields not supported | -| Sha1 |->| evidence/fileEvidence/fileDetails: sha1 (or evidence/processEvidence/imageFile: sha1) | -| FileName |->| evidence/fileEvidence/fileDetails: fileName (or evidence/processEvidence/image: fileName) | -| FilePath |->| evidence/fileEvidence/fileDetails: filePath (or evidence/processEvidence/image: filePath) | -| IPAddress |->| evidence/ipEvidence: ipAddress | -| URL | -> | evidence/urlEvidence: url | -| IoaDefinitionId |->| detectorId | -| UserName |->| evidence/userEvidence/userAccount: accountName | -| AlertPart | X | Obsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections) | -| FullId | X | IoC fields not supported | -| 
LastProcessedTimeUtc |->| lastActivityDateTime | -| ThreatCategory |->| mitreTechniques [] | -| ThreatFamilyName |->| threatFamilyName | -| ThreatName |->| threatDisplayName | -| RemediationAction |->| evidence: remediationStatus | -| RemediationIsSuccess |->| evidence: remediationStatus (implied) | -| Source |->| detectionSource (use with serviceSource: microsoftDefenderForEndpoint) | -| Md5 | X | Not supported | -| Sha256 |->| evidence/fileEvidence/fileDetails: sha256 (or evidence/processEvidence/imageFile: sha256) | -| WasExecutingWhileDetected |->| evidence/processEvidence: detectionStatus | -| UserDomain |->| evidence/userEvidence/userAccount: domainName | -| LogOnUsers |->| evidence/deviceEvidence: loggedOnUsers [] | -| MachineDomain |->| Included in evidence/deviceEvidence: deviceDnsName | -| MachineName |->| Included in evidence/deviceEvidence: deviceDnsName | -| InternalIPV4List | X | Not supported | -| InternalIPV6List | X | Not supported | -| FileHash |->| Use sha1 or sha256 | -| DeviceID |->| evidence/deviceEvidence: mdeDeviceId | -| MachineGroup |->| evidence/deviceEvidence: rbacGroupName | -| Description |->| description | -| DeviceCreatedMachineTags |->| evidence: tags [] (for deviceEvidence) | -| CloudCreatedMachineTags |->| evidence: tags [] (for deviceEvidence) | -| CommandLine | -> | evidence/processEvidence: processCommandLine | -| IncidentLinkToWDATP |->| incidentWebUrl | -| ReportId | X | Obsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections) | -| LinkToMTP |->| alertWebUrl | -| IncidentLinkToMTP |->| incidentWebUrl | -| ExternalId | X | Obsolete | -| IocUniqueId | X | IoC fields not supported | +| `AlertTime` |->| `createdDateTime` | +| `ComputerDnsName` |->| `evidence/deviceEvidence: deviceDnsName` | +| `AlertTitle` |->| `title` | +| `Category` |->| `category` | +| `Severity` |->| `severity` | +| `AlertId` |->| `id` | +| `Actor` |->| `actorDisplayName` | +| `LinkToWDATP` |->| 
alertWebUrl | +| `IocName` | X | IoC fields not supported | +| `IocValue` | X | IoC fields not supported | +| `CreatorIocName` | X | IoC fields not supported | +| `CreatorIocValue` | X | IoC fields not supported | +| `Sha1` |->| `evidence/fileEvidence/fileDetails: sha1 (or evidence/processEvidence/imageFile: sha1)` | +| `FileName` |->| `evidence/fileEvidence/fileDetails: fileName (or evidence/processEvidence/image: fileName)` | +| `FilePath` |->| `evidence/fileEvidence/fileDetails: filePath (or evidence/processEvidence/image: filePath)` | +| `IPAddress` |->| `evidence/ipEvidence: ipAddress` | +| `URL` | -> | `evidence/urlEvidence: url` | +| `IoaDefinitionId` |->| `detectorId` | +| `UserName` |->| `evidence/userEvidence/userAccount: accountName` | +| `AlertPart` | X | Obsolete (Defender for Endpoint alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections) | +| `FullId` | X | IoC fields not supported | +| `LastProcessedTimeUtc` |->| `lastActivityDateTime` | +| `ThreatCategory` |->| `mitreTechniques []` | +| `ThreatFamilyName` |->| `threatFamilyName` | +| `ThreatName` |->| `threatDisplayName` | +| `RemediationAction` |->| `evidence: remediationStatus` | +| `RemediationIsSuccess` |->| `evidence: remediationStatus (implied)` | +| `Source` |->| `detectionSource (use with serviceSource: microsoftDefenderForEndpoint)` | +| `Md5` | X | Not supported | +| `Sha256` |->| `evidence/fileEvidence/fileDetails: sha256 (or evidence/processEvidence/imageFile: sha256)` | +| `WasExecutingWhileDetected` |->| `evidence/processEvidence: detectionStatus` | +| `UserDomain` |->| `evidence/userEvidence/userAccount: domainName` | +| `LogOnUsers` |->| `evidence/deviceEvidence: loggedOnUsers []` | +| `MachineDomain` |->| Included in `evidence/deviceEvidence: deviceDnsName` | +| `MachineName` |->| Included in `evidence/deviceEvidence: deviceDnsName` | +| `InternalIPV4List` | X | Not supported | +| `InternalIPV6List` | X | Not supported | +| 
`FileHash` |->| Use `sha1` or `sha256` | +| `DeviceID` |->| `evidence/deviceEvidence: mdeDeviceId` | +| `MachineGroup` |->| `evidence/deviceEvidence: rbacGroupName` | +| `Description` |->| `description` | +| `DeviceCreatedMachineTags` |->| `evidence: tags [] (for deviceEvidence)` | +| `CloudCreatedMachineTags` |->| `evidence: tags [] (for deviceEvidence)` | +| `CommandLine` | -> | `evidence/processEvidence: processCommandLine` | +| `IncidentLinkToWDATP` |->| `incidentWebUrl` | +| `ReportId` | X | Obsolete (Defender for Endpoint alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections) | +| `LinkToMTP` |->| `alertWebUrl` | +| `IncidentLinkToMTP` |->| `incidentWebUrl` | +| `ExternalId` | X | Obsolete | +| `IocUniqueId` | X | IoC fields not supported | ## Ingest alerts using security information and events management (SIEM) tools |
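Review bot: The rewritten deprecation paragraph in configure-siem.md mixes tenses so that the API's current status is unclear: "The SIEM API was deprecated on December 31, 2023" is followed by "This means that until this date, the SIEM API continues to function" and "After the deprecation date, the SIEM API will continue to be available", which still read as if the date were in the future. Suggest stating the present state directly (deprecated, still available, security-related fixes only, may be turned off after December 31, 2024) so integrators can tell what they can rely on. The retained sentence "We expect the new API to reach general availability (GA) by Q1 CY 2023" is stale next to a past-tense deprecation and should be updated or dropped in the same change. In the mapping table, the `LinkToWDATP` row leaves alertWebUrl without code formatting while the `LinkToMTP` row has it, and several cells wrap prose inside the backticks (for example "(implied)" and "(use with serviceSource: microsoftDefenderForEndpoint)"); keep only the property path in code formatting.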
security | Configure Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-updates.md | Title: Create a custom gradual rollout process for Microsoft Defender updates description: Learn how to use supported tools to create a custom gradual rollout process for updates -keywords: update tools, gpo, intune, mdm, microsoft endpoint manager, policy, powershell f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security The following table lists the available group policy settings for configuring up |Setting title|Description|Location| ||||-|Select gradual Microsoft Defender monthly platform update rollout channel|Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. <p> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <p> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <p> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> Critical- Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. 
<p>If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus| -|Select gradual Microsoft Defender monthly engine update rollout channel|Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. <p> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <p> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <p> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> Critical- Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.<p> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus| -|Select gradual Microsoft Defender daily security intelligence updates rollout channel|Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. <p> Current Channel (Staged): Devices will be offered updates after the release cycle. 
Suggested to apply to a small, representative part of production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus| -|Disable gradual rollout of Microsoft Defender updates|Enable this policy to disable gradual rollout of Defender updates. <p> Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. <p> Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. <p> If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus\MpEngine| +|Select gradual Microsoft Defender monthly platform update rollout channel|Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. <p> Beta Channel: Devices set to this channel are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <p> Current Channel (Preview): Devices set to this channel are offered updates earliest during the monthly gradual release cycle. 
Suggested for pre-production/validation environments. <p> Current Channel (Staged): Devices are offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <p> Current Channel (Broad): Devices are offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> Critical- Time Delay: Devices are offered updates with a 48-hour delay. Suggested for critical environments only. <p>If you disable or don't configure this policy, the device stays up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus| +|Select gradual Microsoft Defender monthly engine update rollout channel|Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. <p> Beta Channel: Devices set to this channel are the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <p> Current Channel (Preview): Devices set to this channel are offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <p> Current Channel (Staged): Devices are offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <p> Current Channel (Broad): Devices are offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> Critical- Time Delay: Devices are offered updates with a 48-hour delay. 
Suggested for critical environments only.<p> If you disable or don't configure this policy, the device stays up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus| +|Select gradual Microsoft Defender daily security intelligence updates rollout channel|Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. <p> Current Channel (Staged): Devices are offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). <p> Current Channel (Broad): Devices are offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> If you disable or don't configure this policy, the device stays up to date automatically during the daily release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus| +|Disable gradual rollout of Microsoft Defender updates|Enable this policy to disable gradual rollout of Defender updates. <p> Current Channel (Broad): Devices set to this channel are offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. <p> Note: This setting applies to both monthly and daily Defender updates and overrides any previously configured channel selections for platform and engine updates. <p> If you disable or don't configure this policy, the device remains in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus\MpEngine| ## Group Policy > [!NOTE]-> An updated Defender ADMX template will be published together with the 21H2 release of Windows 10. 
A non-localized version is available for download at [defender-updatecontrols](https://github.com/microsoft/defender-updatecontrols) on GitHub. +> An updated Defender ADMX template are published together with the 21H2 release of Windows 10. A non-localized version is available for download at [defender-updatecontrols](https://github.com/microsoft/defender-updatecontrols) on GitHub. You can use [Group Policy](/windows/win32/srvnodes/group-policy?redirectedfrom=MSDN) to configure and manage Microsoft Defender Antivirus on your endpoints. In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings: -1. On your Group Policy management machine, open the **Group Policy Management Console**, right-click the **Group Policy Object** (GPO) you want to configure and click **Edit**. +1. On your Group Policy management machine, open the **Group Policy Management Console**, right-click the **Group Policy Object** (GPO) you want to configure and select **Edit**. 2. Using the Group Policy Management Editor go to **Computer configuration**. -3. Click **Administrative templates**. +3. Select **Administrative templates**. 4. Expand the tree to **Windows components > Microsoft Defender Antivirus**. -5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes. +5. Expand the section (referred to as **Location** in the table in this article) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes. 6. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). |
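Review bot: The NOTE under "## Group Policy" in configure-updates.md now reads "An updated Defender ADMX template are published together with the 21H2 release of Windows 10", which breaks subject-verb agreement; the "will be" to present-tense rewrite was applied without adjusting for the singular subject. Suggest "is published" (or "was published" if the release is already out). The same pass over the settings table left "Critical- Time Delay" with its stray space after the hyphen, and the last row's "Stay up to date automatically during the gradual release cycle." remains a sentence fragment; both are worth fixing while these rows are being touched.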
security | Configure Vulnerability Email Notifications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications.md | Title: Configure vulnerability email notifications in Microsoft Defender for Endpoint description: Use Microsoft Defender for Endpoint to configure email notification settings for vulnerability events. -keywords: email notifications, configure alert notifications, Microsoft Defender for Endpoint, Microsoft Defender for Endpoint notifications, Microsoft Defender for Endpoint alerts, windows enterprise, windows education -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Connected Applications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md | Title: Connected applications in Microsoft Defender for Endpoint description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender for Endpoint APIs. -keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Contact Support | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md | Title: Contact Microsoft Defender for Endpoint support description: Learn how to contact Microsoft Defender for Endpoint support -keywords: support, contact, premier support, solutions, problems, case -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Controlled Folders | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md | Title: Protect important folders from ransomware from encrypting your files with controlled folder access description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files. -keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium Last updated 01/06/2023--++ audience: ITPro--++ |
security | Customize Controlled Folders | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-controlled-folders.md | Title: Customize controlled folder access description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. -keywords: Controlled folder access, windows 10, windows 11, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable ms.localizationpriority: medium audience: ITPro--++ -+ |
security | Customize Exploit Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-exploit-protection.md | Title: Customize exploit protection -keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr description: You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. -ms.sitesec: library ms.localizationpriority: medium audience: ITPro --++ -+ - m365-security |
security | Customize Run Review Remediate Scans Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus.md | Title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network -keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ Last updated 09/03/2018 -+ |
security | Data Collection Analyzer | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md | Title: Data collection for advanced troubleshooting on Windows description: Learn how to use the client analyzer to collect data for complex troubleshooting scenarios -keywords: analzyer, collect data, troubleshooting mdeclientanalyzer, advanced troubleshooting -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Data Storage Privacy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md | Title: Microsoft Defender for Endpoint data storage and privacy description: Learn about how Microsoft Defender for Endpoint handles privacy and data that it collects. -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Compatibility | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md | Title: Antivirus solution compatibility with Defender for Endpoint description: Learn about how Windows Defender works with Microsoft Defender for Endpoint. Also learn how Defender for Endpoint works when a third-party anti-malware client is used. -keywords: windows defender compatibility, defender, Microsoft Defender for Endpoint, defender for endpoint, antivirus, mde -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Endpoint Antivirus Exclusions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions.md | |
security | Defender Endpoint Demonstration App Reputation | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-app-reputation.md | Title: Microsoft Defender for Endpoint SmartScreen app reputation demonstration description: Test how Microsoft Defender for Endpoint SmartScreen helps you identify phishing and malware websites -keywords: Microsoft Defender for Endpoint, phishing website, malware website, app reputation, -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Endpoint Demonstration Attack Surface Reduction Rules | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules.md | Title: Microsoft Defender for Endpoint attack surface reduction rules demonstrations description: See how attack surface reduction rules block various known threat types. -keywords: Microsoft Defender for Endpoint demonstration, attack surface reduction rules demonstration, ASR rules, demonstration -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Attack surface reduction rules target specific behaviors that are typically used ## Scenario requirements and setup - Windows 11, Windows 10 1709 build 16273 or later-- Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2 with the unified MDE client.-- Microsoft Defender AV-- Microsoft Office (required for Office rules and sample)+- Windows Server 2022, Windows Server 2019, Windows Server 2016, or Windows Server 2012 R2 with the unified MDE client. +- Microsoft Defender Antivirus +- Microsoft 365 Apps (Office; required for Office rules and sample) - [Download attack surface reduction PowerShell scripts](https://demo.wd.microsoft.com/Content/WindowsDefender_ASR_scripts.zip) ## PowerShell commands You can perform these manual steps instead: 2. Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into c:\demo. 3. Enable all rules using the PowerShell command. -### Scenario 1: ASR blocks a test file with multiple vulnerabilities +### Scenario 1: Attack surface reduction blocks a test file with multiple vulnerabilities 1. Enable all rules in block mode using the PowerShell commands (you can copy paste all)-2. 
Download and open any of the test file/documents, enable editing and content if prompted. +2. Download and open any of the test file/documents, and enable editing and content, if prompted. #### Scenario 1 expected results You should immediately see an "Action blocked" notification. ### Scenario 2: ASR rule blocks the test file with the corresponding vulnerability -1. Configure the rule you want to test using the PowerShell command from the previous step. -2. Example: `Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled` -3. Download and open the test file/document for the rule you want to test, enable editing and content if prompted -4. Example: [Block Office applications from creating child processes](https://demo.wd.microsoft.com/Content/ransomware_testfile_doc.docm) D4F940AB-401B-4EFC-AADC-AD5F3C50688A +1. Configure the rule you want to test using the PowerShell command from the previous step. ++ Example: `Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled` ++2. Download and open the test file/document for the rule you want to test, and enable editing and content, if prompted. ++ Example: [Block Office applications from creating child processes](https://demo.wd.microsoft.com/Content/ransomware_testfile_doc.docm) D4F940AB-401B-4EFC-AADC-AD5F3C50688A #### Scenario 2 expected results You should immediately see an "Action blocked" notification. ### Scenario 3 (Windows 10 or later): ASR rule blocks unsigned USB content from executing -1. Configure the rule for USB protection (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4). +1. Configure the rule for USB protection (`B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4`). 
```powershell Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF7 You should immediately see an "Action blocked" notification. -### Scenario 4: What would happen without ASR +### Scenario 4: What would happen without attack surface reduction -1. Turn off all attack surface reduction rules using PowerShell commands in the cleanup section -2. Download any test file/document, enable editing and content if prompted +1. Turn off all attack surface reduction rules using PowerShell commands in the cleanup section. ++2. Download any test file/document, and enable editing and content, if prompted. #### Scenario 4 expected results Download and run this [clean-up script](https://demo.wd.microsoft.com/Content/AS Alternately, you can perform these manual steps: ------------ ```powershell Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Disabled Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions Disabled ``` - -Cleanup **c:\demo** encryption by running the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe) +Clean up **c:\demo** encryption by running the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe) ## See also Cleanup **c:\demo** encryption by running the [encrypt/decrypt file](https://dem [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md) [Microsoft Defender for Endpoint - demonstration 
scenarios](defender-endpoint-demonstrations.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
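
Review bot: the heading rename is applied unevenly. Scenario 1 and Scenario 4 now spell out "attack surface reduction", but the unchanged Scenario 2 and Scenario 3 headings still read "ASR rule blocks ...", so the page mixes both forms; rename those two as well or keep the abbreviation throughout. In Scenario 2 the example command writes the rule ID as D4F940AB-401B-4EfC-AADC-AD5F3C50688A while the link line under step 2 writes 4EFC; the two spellings of the same ID should agree, and the ID after the link could get the same backticks that the Scenario 3 ID received in this change.
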
security | Defender Endpoint Demonstration Cloud Delivered Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection.md | Title: Microsoft Defender for Endpoint Cloud-delivered protection demonstration description: See how Cloud-delivered protection can automatically detect and delete malicious files. -keywords: Microsoft Defender for Endpoint, Microsoft Defender ATP, virus protection, virus detection, virus deletion, -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Endpoint Demonstration Controlled Folder Access Test Tool | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access-test-tool.md | Title: Microsoft Defender for Endpoint Controlled folder access (CFA) demonstration test tool description: See how malicious apps and threats are evaluated and countered by Microsoft Defender Antivirus. -keywords: Microsoft Defender for Endpoint, protected folder access blocked, detect suspicious files, detect suspicious apps, -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Endpoint Demonstration Controlled Folder Access | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access.md | Title: Microsoft Defender for Endpoint Controlled folder access (CFA) demonstrations description: Demonstrates how Controlled Folder Access protects valuable data from malicious apps and threats, such as ransomware. -keywords: Microsoft Defender for Endpoint, Controlled folder access protection, Controlled folder access demonstration -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 10/21/2022 - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) -Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Microsoft Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Microsoft Defender Antivirus assesses all apps (any executable file, including .exe, .scr, .dll files and others) and then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then the app can't make changes to any files in any protected folder. ## Scenario requirements and setup Set-ExecutionPolicy Unrestricted You can perform these manual steps instead: -1. Create a folder under c: named demo, "c:\demo" -2. 
Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into c:\demo (we need something to encrypt) -3. Execute PowerShell commands above +1. Create a folder under c: named demo, "c:\demo". ++2. Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into c:\demo (we need something to encrypt). ++3. Execute PowerShell commands listed earlier in this article. ### Scenario 1: CFA blocks ransomware test file Set-MpPreference -EnableControlledFolderAccess Disabled #### Scenario 2 expected results -- The files in c:\demo will be encrypted and you should get a warning message+- The files in c:\demo are encrypted and you should get a warning message - Execute the ransomware test file again to decrypt the files ## Clean-up Download and run this [cleanup script](https://demo.wd.microsoft.com/Content/ASR Set-MpPreference -EnableControlledFolderAccess Disabled ``` -Cleanup c:\demo encryption run the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe) +Clean up c:\demo encryption by using the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe) ## See also+ [Controlled folder access](/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard?ocid=wd-av-demo-cfa-bottom)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
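
Review bot: the intro paragraph now uses sentence case ("Controlled folder access helps you protect ..."), but the description metadata in the same file still says "Controlled Folder Access protects valuable data", so the capitalization is inconsistent within the article. Step 3 was changed to "Execute PowerShell commands listed earlier in this article", which does not say which commands; name the section or repeat the command so a reader running the manual steps knows what to execute. The folder path is quoted in step 1 ("c:\demo") and bare in steps 2 and the clean-up line; pick one format.
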
security | Defender Endpoint Demonstration Exploit Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-exploit-protection.md | Title: Microsoft Defender for Endpoint Exploit protection (EP) demonstrations description: See how Exploit Protection automatically applies many exploit mitigation settings system wide and on individual apps. -keywords: Microsoft Defender for Endpoint, system exploit protection, Enhanced Mitigation Experience Toolkit (EMET), demonstration -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Endpoint Demonstration Network Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-network-protection.md | Title: Microsoft Defender for Endpoint Network protection demonstrations description: Shows how Network protection prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -keywords: network protection, protect against phishing scams, protect against exploits, protect against malicious content, demonstration -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Endpoint Demonstration Potentially Unwanted Applications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-potentially-unwanted-applications.md | Title: Microsoft Defender for Endpoint Potentially unwanted applications (PUA) demonstration description: Demonstration to show how the Potentially Unwanted Applications (PUA) protection feature can identify and block PUAs from downloading and installing on endpoints. -keywords: Microsoft Defender for Endpoint, potentially unwanted applications, (PUA), harmful application protection, demonstration -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Endpoint Demonstration Smartscreen Url Reputation | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation.md | Title: Microsoft Defender for Endpoint SmartScreen URL reputation demonstrations description: Demonstrates how Microsoft Defender SmartScreen identifies phishing and malware websites based on URL reputation. -keywords: Microsoft Defender for Endpoint, website phishing protection, website malware protection, URL reputation, demonstration, -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Endpoint Demonstrations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations.md | Title: Microsoft Defender for Endpoint demonstration scenarios description: Lists Microsoft Defender for Endpoint demonstration scenarios that you can run. -keywords: demonstration, Microsoft Defender for Endpoint demonstration, anti-Malware demonstration, Cloud-delivered protection, Block at First Sight (BAFS), Potentially unwanted applications (PUA)s, Microsoft security intelligence VDI, VDI security, attack surface reduction rules demonstration, Controlled folder access demonstration, Exploit Protection, Network Protection, Microsoft Defender SmartScreen, edge SmartScreen, -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Defender Endpoint False Positives Negatives | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md | Title: Address false positives/negatives in Microsoft Defender for Endpoint description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint. --++ ms.localizationpriority: medium Last updated 07/18/2023-+ audience: ITPro - m365-security |
security | Defender Endpoint Plan 1 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1.md | Title: Overview of Microsoft Defender for Endpoint Plan 1 description: Get an overview of Defender for Endpoint Plan 1. Learn about the features and capabilities included in this endpoint protection subscription. search.appverid: MET150 ---+++ audience: ITPro |
security | Defender Endpoint Subscription Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md | Title: Manage your Microsoft Defender for Endpoint subscription settings across client devices description: Learn about your options for managing your Defender for Endpoint subscription settings. Choose Plan 1, Plan 2, or mixed mode. search.appverid: MET150 ---+++ audience: ITPro Last updated 01/02/2024 |
security | Defender Endpoint Trial User Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-trial-user-guide.md | Title: Trial user guide - Microsoft Defender for Endpoint description: Use this guide to get the most of your 90-day free trial. See how Defender for Endpoint can help prevent, detect, investigate, and respond to advanced threats. search.appverid: MET150 ---+++ audience: ITPro Last updated 07/07/2022 |
security | Deploy Manage Report Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md | Title: Deploy, manage, and report on Microsoft Defender Antivirus description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Configuration Manager, Group Policy, PowerShell, or WMI -keywords: deploy, manage, update, protection, Microsoft Defender Antivirus ms.localizationpriority: medium Last updated 03/23/2023 --++ -+ - m365-security |
security | Deployment Strategy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md | Title: Identify Defender for Endpoint architecture and deployment method description: Select the best Microsoft Defender for Endpoint deployment strategy for your environment -keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem, intune -search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Deployment Vdi Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md | description: Get an overview of how to configure Microsoft Defender Antivirus in ms.localizationpriority: medium Last updated 03/06/2023 --++ -+ |
security | Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md | Title: Block potentially unwanted applications with Microsoft Defender Antivirus description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. ms.localizationpriority: high--++ audience: ITPro -+ |
security | Device Control Deploy Manage Gpo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-deploy-manage-gpo.md | Title: Deploy and manage device control in Microsoft Defender for Endpoint with Group Policy description: Learn how to deploy and manage device control in Defender for Endpoint using Group Policy---+++ Last updated 02/14/2024 |
security | Device Control Deploy Manage Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune.md | Title: Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune description: Learn how to deploy and manage device control in Defender for Endpoint using Microsoft Intune---+++ Last updated 02/14/2024 |
security | Device Control Faq | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-faq.md | Title: Microsoft Defender for Endpoint Device Control frequently asked questions description: Answers frequently asked questions about device control in Defender for Endpoint --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Device Control Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-overview.md | Title: Device control in Microsoft Defender for Endpoint description: Get an overview of device control, including removable storage access control and device installation policies in Defender for Endpoint ---+++ Last updated 02/14/2024 |
security | Device Control Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-policies.md | Title: Device control policies in Microsoft Defender for Endpoint description: Learn about Device control policies in Defender for Endpoint ---+++ Last updated 02/14/2024 |
security | Device Control Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md | description: Monitor your organization's data security through device control re ms.localizationpriority: medium Last updated 02/01/2024--++ -+ audience: ITPro |
security | Device Control Walkthroughs | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-walkthroughs.md | Title: Device control walkthroughs description: Learn how to work with device control in Defender for Endpoint. ---+++ Last updated 02/14/2024 |
security | Device Discovery Faq | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md | Title: Device discovery frequently asked questions description: Find answers to frequently asked questions (FAQs) about device discovery -keywords: device discovery, discover, passive, proactive, network, visibility, server, workstation, onboard, unmanaged devices -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Device Discovery | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md | Title: Device discovery overview description: Learn how to leverage endpoint discovery in Microsoft Defender XDR to find unmanaged devices in your network -keywords: device discovery, discover, passive, proactive, network, visibility, server, workstation, onboard, unmanaged devices -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Enable Attack Surface Reduction | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md | Enterprise-level management such as Intune or Microsoft Configuration Manager is You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an attack surface reduction rule determines the file or folder contains malicious behavior, it doesn't block the file from running. > [!IMPORTANT]-> Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Excluded files will be allowed to run, and no report or event will be recorded. If attack surface reduction rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](attack-surface-reduction-rules-deployment-test.md#step-1-test-asr-rules-using-audit). +> Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Excluded files will be allowed to run, and no report or event will be recorded. If attack surface reduction rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](attack-surface-reduction-rules-deployment-test.md#step-1-test-attack-surface-reduction-rules-using-audit). An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service continues to trigger events until the service is stopped and restarted. When adding exclusions, keep these points in mind: * Exclusions are typically based on individual files or folders (using folder paths or the full path of the file to be excluded). * Exclusion paths can use environment variables and wildcards. 
See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists)-* When deployed through Group Policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it is possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-asr-per-rule-exclusions) +* When deployed through Group Policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it is possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions) * Exclusions can be added based on certificate and file hashes, by allowing specified Defender for Endpoint file and certificate indicators. See [Manage indicators](manage-indicators.md). ## Policy Conflict |
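
Review bot: both link edits here change only the fragment (#step-1-test-attack-surface-reduction-rules-using-audit and #configure-attack-surface-reduction-per-rule-exclusions) pointing into attack-surface-reduction-rules-deployment-test.md, and that file is not part of the visible change. Confirm its headings were renamed in the same commit, otherwise both links resolve to the top of the target page instead of the intended section. The second link's text says "attack surface reduction rules per-rule exclusions" while its new fragment omits "rules", so check it against the actual heading. The last sentence of the first exclusion bullet (the wildcard link) and the Intune bullet also still lack closing periods.
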
security | Linux Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md | This article is updated frequently to let you know what's new in the latest rele - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) <details>-<summary> Feburary-2024 (Build: 101.23122.0002 | Release version: 30.123122.0002.0)</summary> - - -## Feburary-2024 Build: 101.23122.0002 | Release version: 30.123122.0002.0 - ++<summary> February-2024 (Build: 101.23122.0002 | Release version: 30.123122.0002.0)</summary> ++## February-2024 Build: 101.23122.0002 | Release version: 30.123122.0002.0 +  Released: **February 5,2024**<br/>  Published: **February 5,2024**<br/>  Build: **101.23122.0002**<br/>  Release version: **30.123122.0002.0**<br/>  Engine version: **1.1.23100.2010**<br/>  Signature version: **1.399.1389.0**<br/>- + **What's new**- There are multiple fixes and new changes in this release:- -- Microsoft Defender for Endpoint on Linux now officially supports Mariner 2, Rocky 8.7 and higher, Alma 9.2 and higher version distros. If you already have MDE running on any of these distros and facing any issues in the older versions, please upgrade to the latest MDE version. Refer our public deployment docs for more details. ++- Microsoft Defender for Endpoint on Linux now officially supports Mariner 2, Rocky 8.7 and higher, Alma 9.2 and higher version distros. If you already have Defender for Endpoint running on any of these distros and facing any issues in the older versions, please upgrade to the latest Defender for Endpoint version. Refer our public deployment docs for more details. - Updated default engine version to `1.1.23100.2010`, and default signatures version to `1.399.1389.0`. - General stability and performance improvements. 
- Bug fixes.- + </details> <details>- <summary> January-2024 (Build: 101.23112.0009 | Release version: 30.123112.0009.0)</summary> +<summary> January-2024 (Build: 101.23112.0009 | Release version: 30.123112.0009.0)</summary> ## January-2024 Build: 101.23112.0009 | Release version: 30.123112.0009.0 There are multiple fixes and new changes in this release: ```bash sudo mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder] ```- - Starting with this release, Microsoft Defender for Endpoint on Linux will no longer be shipping a solution for RHEL 6. +- Starting with this release, Microsoft Defender for Endpoint on Linux will no longer be shipping a solution for RHEL 6. RHEL 6 'Extended end of life support' is poised to end by June 30, 2024 and customers are advised to plan their RHEL upgrades accordingly aligned with guidance from Red Hat. Customers who need to run Defender for Endpoint on RHEL 6 servers can continue to leverage version 101.23082.0011 (does not expire before June 30, 2024) supported on kernel versions 2.6.32-754.49.1.el6.x86_64 or prior. - Engine Update to `1.1.23080.2007` and Signatures Ver: `1.395.1560.0`. 
sudo systemctl disable mdatp <summary> October-2023 (Build: 101.23082.0009 | Release version: 30.123082.0009.0)</summary> +++ ## October-2023 Build: 101.23082.0009 | Release version: 30.123082.0009.0  Released: **October 9,2023**<br/> sudo systemctl disable mdatp <summary> October-2023 (Build: 101.23082.0006 | Release version: 30.123082.0006.0)</summary> +++ ## October-2023 Build: 101.23082.0006 | Release version: 30.123082.0006.0  Released: **October 9,2023**<br/> sudo systemctl disable mdatp <summary> September-2023 (Build: 101.23072.0021 | Release version: 30.123072.0021.0)</summary> +++ ## September-2023 Build: 101.23072.0021 | Release version: 30.123072.0021.0  Released: **September 11,2023**<br/> sudo systemctl disable mdatp <summary> July-2023 (Build: 101.23062.0010 | Release version: 30.123062.0010.0)</summary> +++ ## July-2023 Build: 101.23062.0010 | Release version: 30.123062.0010.0  Released: **July 26,2023**<br/> sudo systemctl disable mdatp <summary> July-2023 (Build: 101.23052.0009 | Release version: 30.123052.0009.0)</summary> +++ ## July-2023 Build: 101.23052.0009 | Release version: 30.123052.0009.0  Released: **July 10,2023**<br/> sudo systemctl disable mdatp <summary> June-2023 (Build: 101.98.89 | Release version: 30.123042.19889.0)</summary> +++ ## June-2023 Build: 101.98.89 | Release version: 30.123042.19889.0  Released: **June 12,2023**<br/> sudo systemctl disable mdatp <summary> May-2023 (Build: 101.98.64 | Release version: 30.123032.19864.0)</summary> +++ ## May-2023 Build: 101.98.64 | Release version: 30.123032.19864.0  Released: **May 3,2023**<br/> sudo systemctl disable mdatp <summary> April-2023 (Build: 101.98.58 | Release version: 30.123022.19858.0)</summary> +++ ## April-2023 Build: 101.98.58 | Release version: 30.123022.19858.0  Released: **April 20,2023**<br/> Example: sudo apt purge mdatp sudo apt-get install mdatp ```- 2. 
As an alternative you can follow the instructions to [uninstall](/microsoft-365/security/defender-endpoint/linux-resources#uninstall), then [install](/microsoft-365/security/defender-endpoint/linux-install-manually#application-installation) the latest version of the package. If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. sudo systemctl disable mdatp <summary> March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)</summary> +++ ## March-2023 Build: 101.98.30 | Release version: 30.123012.19830.0  Released: **March , 20,2023**<br/> In case the issue reappears with some different denials. We need to run the miti <details> <summary> March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)</summary> - ## March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)  Released: **March , 08,2023**<br/> In case the issue reappears with some different denials. We need to run the miti **What's new** -- There are multiple fixes and new changes in this release - - Improved Data Completeness for Network Connection events. - - Improved Data Collection capabilities for file ownership/permissions changes - - seManage in part of the package, to that seLinux policies can be configured in different distro (fixed). - - Bug fix - - Improved enterprise daemon stability. - - AuditD stop path clean-up: - - Improve the stability of mdatp stop flow. - - Added new field to wdavstate to keep track of platform update time. - - Stability improvements to parsing Defender for Endpoint onboarding blob. - - Scan doesn't proceed if a valid license isn't present (fixed) - - Added performance tracing option to xPlatClientAnalyzer, with tracing enabled mdatp process dumps the flow in all_process.zip file that can be used for analysis of performance issues. 
- - Added support in Defender for Endpoint for the following RHEL-6 kernel versions: - - `2.6.32-754.43.1.el6.x86_64` - - `2.6.32-754.49.1.el6.x86_64` - - Other fixes +There are multiple fixes and new changes in this release. ++- Improved Data Completeness for Network Connection events +- Improved Data Collection capabilities for file ownership/permissions changes +- seManage in part of the package, to that seLinux policies can be configured in different distro (fixed). +- Improved enterprise daemon stability +- AuditD stop path clean-up +- Improved the stability of mdatp stop flow. +- Added new field to wdavstate to keep track of platform update time. +- Stability improvements to parsing Defender for Endpoint onboarding blob. +- Scan doesn't proceed if a valid license isn't present (fixed) +- Added performance tracing option to xPlatClientAnalyzer, with tracing enabled mdatp process dumps the flow in all_process.zip file that can be used for analysis of performance issues. +- Added support in Defender for Endpoint for the following RHEL-6 kernel versions: + - `2.6.32-754.43.1.el6.x86_64` + - `2.6.32-754.49.1.el6.x86_64` +- Other fixes **Known issues** Example: sudo apt purge mdatp sudo apt-get install mdatp ```- As an alternative, you can follow the instructions to [uninstall](/microsoft-365/security/defender-endpoint/linux-resources#uninstall), then [install](/microsoft-365/security/defender-endpoint/linux-install-manually#application-installation) the latest version of the package. In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method. 
sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp ```+ </details> - <details> <summary>Jan-2023 (Build: 101.94.13 | Release version: 30.122112.19413.0)</summary> - ## Jan-2023 (Build: 101.94.13 | Release version: 30.122112.19413.0)  Released: **January 10, 2023**<br/> sudo systemctl disable mdatp <details> <summary>Nov-2022 (Build: 101.85.27 | Release version: 30.122092.18527.0)</summary> - ## Nov-2022 (Build: 101.85.27 | Release version: 30.122092.18527.0)  Released: **November 02, 2022**<br/> sudo systemctl disable mdatp <details> <summary>Sep-2022 (Build: 101.80.97 | Release version: 30.122072.18097.0)</summary> - ## Sep-2022 (Build: 101.80.97 | Release version: 30.122072.18097.0)  Released: **September 14, 2022**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <details> <summary>Aug-2022 (Build: 101.78.13 | Release version: 30.122072.17813.0)</summary> - ## Aug-2022 (Build: 101.78.13 | Release version: 30.122072.17813.0)  Released: **August 24, 2022**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <details> <summary>Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)</summary> - ## Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)  Released: **August 2, 2022**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <details> <summary>Jul-2022 (Build: 101.73.77 | Release version: 30.122062.17377.0)</summary> - ## Jul-2022 (Build: 101.73.77 | Release version: 30.122062.17377.0)  Released: **July 21, 2022**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <details> <summary>Jun-2022 (Build: 101.71.18 | Release version: 30.122052.17118.0)</summary> -  Released: **June 24, 2022**<br/>  Published: **June 24, 2022**<br/>  Build: **101.71.18**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <details> <summary>May-2022 (Build: 
101.68.80 | Release version: 30.122042.16880.0)</summary> - ## May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)  Released: **May 23, 2022**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <details> <summary>May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)</summary> - ## May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)  Released: **May 2, 2022**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 </details><details> <summary>Mar-2022 (Build: 101.62.74 | Release version: 30.122022.16274.0)</summary> -  Released: **Mar 24, 2022**<br/>  Published: **Mar 24, 2022**<br/>  Build: **101.62.74**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 </details><details> <summary>Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)</summary> - ## Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)  Released: **Mar 9, 2022**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 </details><details> <summary>Mar-2022 (Build: 101.60.05 | Release version: 30.122012.16005.0)</summary> -  Released: **Mar 3, 2022**<br/>  Published: **Mar 3, 2022**<br/>  Build: **101.60.05**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 </details><details> <summary>Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)</summary> - ## Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)  Released: **Feb 20, 2022**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 </details><details> <summary>Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)</summary> - ## Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)  Released: **Jan 26, 2022**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 </details><details> <summary>Jan-2022 (Build: 101.53.02 | 
Release version: (30.121112.15302.0)</summary> -  Released: **Jan 8, 2022**<br/>  Published: **Jan 8, 2022**<br/>  Build: **101.53.02**<br/> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <p><b> What's new </b></p> - - Added a capability to detect vulnerable log4j jars in use by Java applications. The machine is periodically inspected for running Java processes with loaded log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in the Vulnerability Management area of the portal. </details> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <p><b>What's new</b></p> -- - Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this setting is set to enabled. +- Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this setting is set to enabled. - Bug fixes As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <p><b>What's new</b></p> - - Added new switches to the command-line tool: - Control degree of parallelism for on-demand scans. This can be configured through `mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]`. By default, a degree of parallelism of `2` is used. - Control whether scans after security intelligence updates are enabled or disabled. This can be configured through `mdatp config scan-after-definition-update --value [enabled/disabled]`. By default, this setting is set to `enabled`. 
As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <p><b>What's new</b></p> - - Performance improvements & bug fixes </details> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <p><b>What's new</b></p> - - Performance improvements & bug fixes </details> As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <p><b>What's new</b></p> - - Beginning with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action. - `mdatp diagnostic real-time-protection-statistics` now supports two more switches: - `--sort`: sorts the output descending by total number of files scanned As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <p><b>What's new</b></p> - - Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see [Microsoft Defender for Endpoint for US Government customers](gov.md). +- Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see [Microsoft Defender for Endpoint for US Government customers](gov.md). - Fixed an issue where usage of Microsoft Defender for Endpoint on Linux on systems with FUSE filesystems was leading to OS hang - Performance improvements & other bug fixes As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <p><b>What's new</b></p> -- - Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, the product processed file activity originating from the mount point. 
Beginning with this version, file activity for excluded mount points is suppressed, leading to better product performance +- Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, the product processed file activity originating from the mount point. Beginning with this version, file activity for excluded mount points is suppressed, leading to better product performance - Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run `mdatp health --details antivirus` - Other performance improvements & bug fixes As an alternative approach, follow the instructions to [uninstall](/microsoft-36 <p>What's new</b></p> - - EDR for Linux is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-is-generally-available/ba-p/2048539) +- EDR for Linux is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-is-generally-available/ba-p/2048539) - Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`) - Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory - Performance improvements & bug fixes |
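Review bot: In the March-2023 (Build: 101.98.05) hunk, flattening the nested list changes its meaning. "Improved the stability of mdatp stop flow." was a sub-item of "AuditD stop path clean-up:" and is now a sibling bullet, and the "Bug fix" grouping is dropped, so readers can no longer tell which items were fixes. Either keep the nesting or reword the bullets so each stands alone. The carried-over line "seManage in part of the package, to that seLinux policies can be configured in different distro (fixed)." is still garbled and should be rewritten while this list is being touched. In the February-2024 hunk, the new sentence keeps "Refer our public deployment docs" and "and facing any issues", both of which need a grammar pass, and the dates are still written as "February 5,2024" without a space after the comma.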
security | Microsoft Defender Endpoint Mac | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md | There are several methods and deployment tools that you can use to install and c ### System requirements The three most recent major releases of macOS are supported.-- 14 (Sonoma), 13 (Ventura), 12 (Monterey), 11 (Big Sur)+- 14 (Sonoma), 13 (Ventura), 12 (Monterey) > [!IMPORTANT] > On macOS 11 (Big Sur) and above, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md). |
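Review bot: With 11 (Big Sur) removed from the supported list under "System requirements", the unchanged IMPORTANT note directly below still scopes the extra configuration profiles to "macOS 11 (Big Sur) and above". Consider rewording that note in the same change so it does not read as if macOS 11 is still a supported target, while keeping the link to mac-sysext-policies.md.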
security | Overview Attack Surface Reduction | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md | Title: Understand and use attack surface reduction description: Learn about the attack surface reduction capabilities of Microsoft Defender for Endpoint. -keywords: asr, attack surface reduction, attack surface reduction rules, Microsoft Defender for Endpoint, microsoft defender, antivirus, av, windows defender -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro Audit mode lets you see a record of what *would* have happened if you had enable You can enable audit mode when testing how the features work. Enabling audit mode only for testing helps to prevent audit mode from affecting your line-of-business apps. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time. -The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log records events as if the features were fully enabled. With audit mode, you can review the event log to see what effect the feature would have had if it was enabled. +The features don't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log records events as if the features were fully enabled. With audit mode, you can review the event log to see what effect the feature would have had if it was enabled. To find the audited entries, go to **Applications and Services** \> **Microsoft** \> **Windows** \> **Windows Defender** \> **Operational**. 
You can enable audit mode using Group Policy, PowerShell, and configuration serv | Audit options | How to enable audit mode | How to view events | |||| | Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) |-| Audit applies to individual rules | [Step 1: Test attack surface reduction rules using Audit mode](attack-surface-reduction-rules-deployment-test.md#step-1-test-asr-rules-using-audit) | [Step 2: Understand the Attack surface reduction rules reporting page](attack-surface-reduction-rules-deployment-test.md#step-2-understand-the-asr-rules-reporting-page-in-the-microsoft-365-defender-portal) | +| Audit applies to individual rules | [Step 1: Test attack surface reduction rules using Audit mode](attack-surface-reduction-rules-deployment-test.md#step-1-test-attack-surface-reduction-rules-using-audit) | [Step 2: Understand the Attack surface reduction rules reporting page](attack-surface-reduction-rules-deployment-test.md#step-2-understand-the-asr-rules-reporting-page-in-the-microsoft-365-defender-portal) | | Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) | | Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer) | You can also manually navigate to the event area that corresponds to the feature > [!div class="mx-imgBorder"] > ![Animation highlighting the create custom view option on the Event viewer window.](images/events-create.gif) -3. Go to the XML tab and select **Edit query manually**. 
You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**. +3. Go to the XML tab and select **Edit query manually**. You see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**. 4. Paste the XML code for the feature you want to filter events from into the XML section. -5. Select **OK**. Specify a name for your filter. This creates a custom view that filters to only show the events related to that feature. +5. Select **OK**. Specify a name for your filter. This action creates a custom view that filters to only show the events related to that feature. #### XML for attack surface reduction rule events You can access these events in Windows Event viewer: |||::|| |Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|1|ACG audit| |Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|2|ACG enforce|-|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|3|Do not allow child processes audit| +|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|3|Don't allow child processes audit| |Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|4|Don't allow child processes block| |Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|5|Block low integrity images audit| |Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|6|Block low integrity images block| |
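Review bot: In the audit options table row "Audit applies to individual rules", only the Step 1 anchor was renamed to `#step-1-test-attack-surface-reduction-rules-using-audit`. The Step 2 link on the same line still points at `#step-2-understand-the-asr-rules-reporting-page-in-the-microsoft-365-defender-portal`. If the headings in attack-surface-reduction-rules-deployment-test.md were renamed to drop "asr", this second anchor is likely stale too. Please confirm both anchors against the target file, which is not part of this diff. The Exploit protection events table also changes "Do not allow child processes audit" to "Don't allow child processes audit"; check that this still matches the event description shown in Event Viewer, since readers search on that string.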
security | Threat Protection Reports | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md | Title: Threat protection report in Microsoft Defender for Endpoint -description: Track alert detections, categories, and severity using the threat protection report -keywords: alert detection, source, alert by category, alert severity, alert classification, determination +description: Track alert detections, categories, and severity using the threat protection report. -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 1/31/2024 Due to the deprecation of the Defender for Endpoint Threat protection report, you can use the Defender XDR alerts view, filtered against Defender for Endpoint, to see the current status of alerts for protected devices. For alert status, such as *unresolved*, you can filter against *New* and *In progress* items. [Learn more about Defender XDR Alerts](../defender/investigate-alerts.md). ## Use Advanced hunting queries-Due to the deprecation of the Defender for Endpoint Threat protection report, you can use Advanced hunting queries to find Defender for Endpoint threat protection information. Note that currently there is no alert status in Advanced hunting elements that maps to resolve/unresolve. [Learn more about Advanced hunting in Defender XDR](../defender/advanced-hunting-overview.md). See below for a sample advanced hunting query that shows endpoint related threat protection details. +Due to the deprecation of the Defender for Endpoint Threat protection report, you can use Advanced hunting queries to find Defender for Endpoint threat protection information. Currently there's no alert status in Advanced hunting elements that maps to resolve/unresolve. [Learn more about Advanced hunting in Defender XDR](../defender/advanced-hunting-overview.md). 
See the following section for a sample advanced hunting query that shows endpoint related threat protection details. ### Alert status+ ```kusto // Severity AlertInfo AlertInfo | render timechart ``` -## Related topics +## Related articles - [Device health and compliance report](device-health-reports.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Time Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/time-settings.md | Title: Microsoft Defender XDR time zone settings description: Use the info contained here to configure the Microsoft Defender XDR time zone settings and view license information. -keywords: settings, Microsoft Defender, cybersecurity threat intelligence, Microsoft Defender for Endpoint, time zone, utc, local time, license -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Troubleshoot Asr Rules | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md | Title: Report and troubleshoot Microsoft Defender for Endpoint ASR Rules -description: This topic describes how to report and troubleshoot Microsoft Defender for Endpoint ASR Rules + Title: Report and troubleshoot Microsoft Defender for Endpoint attack surface reduction rules +description: This article describes how to report and troubleshoot Microsoft Defender for Endpoint attack surface reduction ules ms.localizationpriority: medium audience: ITPro--++ -+ - mde-asr - admindeeplinkDEFENDER search.appverid: met150 Last updated 07/18/2023 -# Report and troubleshoot Microsoft Defender for Endpoint ASR Rules +# Report and troubleshoot Defender for Endpoint attack surface reduction rules [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)] Last updated 07/18/2023 The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> is the new interface for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. Here you can easily view the security health of your organization, act to configure devices, users, and apps, and get alerts for suspicious activity. The Microsoft Defender portal is intended for security admins and security operations teams to better manage and protect their organization. Visit the Microsoft Defender portal at<a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank"><https://security.microsoft.com></a>. -In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, we offer you a complete look at the current ASR rules configuration and events in your estate. Note that your devices must be onboarded into the Microsoft Defender for Endpoint service for these reports to be populated. 
-Here's a screenshot from the Microsoft Defender portal (under **Reports** \> **Devices** \> **Attack surface reduction**). At the device level, select **Configuration** from the **Attack surface reduction rules** pane. The following screen is displayed, where you can select a specific device and check its individual ASR rule configuration. +In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, we offer you a complete look at the current attack surface reduction rules configuration and events in your estate. Your devices must be onboarded into the Microsoft Defender for Endpoint service for these reports to be populated. +Here's a screenshot from the Microsoft Defender portal (under **Reports** \> **Devices** \> **Attack surface reduction**). At the device level, select **Configuration** from the **Attack surface reduction rules** pane. The following screen is displayed, where you can select a specific device and check its individual attack surface reduction rule configuration. ## Microsoft Defender for Endpoint - Advanced hunting One of the most powerful features of Microsoft Defender for Endpoint is advanced Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that lets you explore up to 30 days of the captured (raw) data, that Defender for Endpoint collects from your devices. Through advanced hunting, you can proactively inspect events to locate interesting indicators and entities. The flexible access to data helps unconstrained hunting for both known and potential threats. -Through advanced hunting, it's possible to extract ASR rules information, create reports, and get in-depth information on the context of a given ASR rule audit or block event. +Through advanced hunting, it's possible to extract attack surface reduction rules information, create reports, and get in-depth information on the context of a given attack surface reduction rule audit or block event. 
-ASR rules events are available to be queried from the DeviceEvents table in the advanced hunting section of the Microsoft Defender XDR. For example, a simple query such as the one below can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it will be the actual codename of the ASR rule. +Attack surface reduction rules events are available to be queried from the DeviceEvents table in the advanced hunting section of the Microsoft Defender XDR. For example, a simple query such as the one below can report all the events that have attack surface reduction rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it is the actual codename of the attack surface reduction rule. ```kusto DeviceEvents With advanced hunting you can shape the queries to your liking, so that you can ## Microsoft Defender for Endpoint machine timeline -An alternative to advanced hunting, but with a narrower scope, is the Microsoft Defender for Endpoint machine timeline. You can view all the collected events of a device, for the past six months, in the Microsoft Defender XDR, by going to the Machines list, select a given machine, and then click on the Timeline tab. +An alternative to advanced hunting, but with a narrower scope, is the Microsoft Defender for Endpoint machine timeline. You can view all the collected events of a device, for the past six months, in the Microsoft Defender XDR, by going to the Machines list, select a given machine, and then select on the Timeline tab. -Pictured below is a screenshot of the Timeline view of these events on a given endpoint. From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline. 
+The following screenshot shows the Timeline view of these events on a given endpoint. From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline. :::image type="content" source="images/mic-sec-def-timelinenew.png" alt-text="The Microsoft Defender XDR timeline" lightbox="images/mic-sec-def-timelinenew.png"::: -## How to troubleshoot ASR rules? +## How to troubleshoot attack surface reduction rules? -The first and most immediate way is to check locally, on a Windows device, which ASR rules are enabled (and their configuration) is by using the PowerShell cmdlets. +The first and most immediate way is to check locally, on a Windows device, which attack surface reduction rules are enabled (and their configuration) is by using the PowerShell cmdlets. -Here are a few other sources of information that Windows offers, to troubleshoot ASR rules' impact and operation. +Here are a few other sources of information that Windows offers, to troubleshoot attack surface reduction rules' impact and operation. ### Querying which rules are active -One of the easiest ways to determine if ASR rules are already enabled is through a PowerShell cmdlet, Get-MpPreference. +One of the easiest ways to determine if attack surface reduction rules are already enabled is through a PowerShell cmdlet, Get-MpPreference. Here's an example: :::image type="content" source="images/getmpreferencescriptnew.png" alt-text="The get mppreference script" lightbox="images/getmpreferencescriptnew.png"::: -There are multiple ASR rules active, with different configured actions. +There are multiple attack surface reduction rules active, with different configured actions. -To expand the above information on ASR rules, you can use the properties **AttackSurfaceReductionRules_Ids** and/or **AttackSurfaceReductionRules_Actions**. 
+To expand the above information on attack surface reduction rules, you can use the properties **AttackSurfaceReductionRules_Ids** and/or **AttackSurfaceReductionRules_Actions**. Example: Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids :::image type="content" source="images/getmpref-examplenew.png" alt-text="The get mpreference example" lightbox="images/getmpref-examplenew.png"::: -The above shows all the IDs for ASR rules that have a setting different from 0 (Not Configured). +The above shows all the IDs for attack surface reduction rules that have a setting different from 0 (Not Configured). The next step is then to list the actual actions (Block or Audit) that each rule is configured with. Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Act ### Querying blocking and auditing events -ASR rule events can be viewed within the Windows Defender log. +attack surface reduction rule events can be viewed within the Windows Defender log. To access it, open Windows Event Viewer, and browse to **Applications and Services Logs** \> **Microsoft** \> **Windows** \> **Windows Defender** \> **Operational**. |
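Review bot: In the machine timeline hunk, replacing "click" left a stray preposition: "and then select on the Timeline tab" should read "and then select the Timeline tab". The same terminology pass left a sentence starting in lowercase under "Querying blocking and auditing events" ("attack surface reduction rule events can be viewed within the Windows Defender log."); capitalize "Attack". In the advanced hunting paragraph, "that in this case it is the actual codename" would read more cleanly as "which in this case is the actual codename", and the troubleshooting intro still carries a doubled verb ("The first and most immediate way is to check locally ... is by using the PowerShell cmdlets").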
security | Troubleshoot Asr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr.md | Title: Troubleshoot problems with attack surface reduction rules description: Resources and sample code to troubleshoot issues with attack surface reduction rules in Microsoft Defender for Endpoint. -keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, Microsoft Defender for Endpoint -ms.pagetype: security -ms.sitesec: library ms.localizationpriority: medium audience: ITPro--++ Last updated 07/28/2023 -+ search.appverid: met150 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink) -When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as: +When you use [attack surface reduction rules](attack-surface-reduction.md) you might run into issues, such as: - A rule blocks a file, process, or performs some other action that it shouldn't (false positive) - A rule doesn't work as described, or doesn't block a file or process that it should (false negative) Attack surface reduction rules only work on devices with the following condition - Endpoints are running Windows 10 Enterprise or later. -- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender Antivirus to disable itself](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).+- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. 
[Using any other antivirus app causes Microsoft Defender Antivirus to disable itself](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). - [Real-time protection](/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) is enabled. - Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -If these prerequisites have all been met, proceed to the next step to test the rule in audit mode. +If these prerequisites are met, proceed to the next step to test the rule in audit mode. ## Use audit mode to test the rule Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with. -1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. +1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but allows it to run. 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). -3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. +3. 
[Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would block the file or process if the rule were set to **Enabled**. If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled. -Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. +Audit mode might be enabled for testing another feature, or by an automated PowerShell script, and might not be disabled after the tests were completed. If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on preconfigured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation: |
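Review bot: In step 1 of "Use audit mode to test the rule", dropping "still" weakens the point of the sentence: "but allows it to run" no longer signals that the file or process runs despite being reported. Suggest "Audit mode lets the rule report the file or process while still allowing it to run." In the paragraph after step 3, "might not be disabled after the tests were completed" mixes tenses; the earlier "might not have been disabled" matched the past-tense clause and could be kept.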
security | Troubleshoot Cloud Connect Mdemac | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-cloud-connect-mdemac.md | Title: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS description: This topic describes how to troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS -keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, monterey, ventura, bigsur, mde for mac -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Troubleshoot Collect Support Log | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md | Title: Collect support logs in Microsoft Defender for Endpoint using live response description: Learn how to collect logs using live response to troubleshoot Microsoft Defender for Endpoint issues -keywords: support, log, collect, troubleshoot, live response, liveanalyzer, analyzer, live, response -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Troubleshoot Exploit Protection Mitigations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-exploit-protection-mitigations.md | Title: Troubleshoot exploit protection mitigations -keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install description: Learn how to deal with unwanted mitigations in Windows Security, including a process to remove all mitigations and import a baseline configuration file instead.-search.product: eADQiWindows 10XVcnh -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro--++ Last updated 08/09/2018 -+ - m365-security |
security | Troubleshoot Live Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-live-response.md | Title: Troubleshoot Microsoft Defender for Endpoint live response issues -description: Troubleshoot issues that might arise when using live response in Microsoft Defender for Endpoint -keywords: troubleshoot live response, live, response, locked, file +description: Troubleshoot issues that might arise when using live response in Microsoft Defender for Endpoint. -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Last updated 12/18/2020 This page provides detailed steps to troubleshoot live response issues. -## File cannot be accessed during live response sessions +## File can't be accessed during live response sessions -If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, you need to use the steps below to address the issue. +If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, take the following steps to address the issue. 1. Copy the following script code snippet and save it as a PS1 file: If while trying to take an action during a live response session, you encounter ## Slow live response sessions or delays during initial connections -Live response leverages Defender for Endpoint sensor registration with WNS service in Windows. If you're having connectivity issues with live response, confirm the following details: +Live response uses Defender for Endpoint sensor registration with WNS service in Windows. If you're having connectivity issues with live response, confirm the following details: 1. WpnService (Windows Push Notifications System Service) isn't disabled.-2. WpnService connectivity with WNS cloud isn't disabled via group policy or MDM setting. 
['Turn off notifications network usage'](/windows/client-management/mdm/policy-csp-notifications) shouldn't be set to '1'. -Refer to the articles below to fully understand the WpnService service behavior and requirements: +2. WpnService connectivity with WNS cloud isn't disabled via group policy or MDM setting. ['Turn off notifications network usage'](/windows/client-management/mdm/policy-csp-notifications) shouldn't be set to `1`. ++Refer to the following articles to fully understand the WpnService service behavior and requirements: - [Windows Push Notification Services (WNS) overview](/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview) - [Enterprise Firewall and Proxy Configurations to Support WNS Traffic](/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config) |
security | Troubleshoot Mdatp | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-mdatp.md | Title: Troubleshoot Microsoft Defender for Endpoint service issues description: Find solutions and workarounds to known issues such as server errors when trying to access the service. -keywords: troubleshoot Microsoft Defender for Endpoint, server error, access denied, invalid credentials, no data, dashboard portal, allow, event viewer -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Troubleshoot Np | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md | Title: Troubleshoot problems with Network protection description: Resources and sample code to troubleshoot issues with Network protection in Microsoft Defender for Endpoint. -keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, Microsoft Defender for Endpoint -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium audience: ITPro--++ -+ There are four steps to troubleshooting these problems: ## Confirm prerequisites -Network protection will only work on devices with the following conditions: +Network protection works on devices with the following conditions: > [!div class="checklist"] > Network protection will only work on devices with the following conditions: ## Use audit mode -You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled. +You can enable network protection in audit mode and then visit a website that's designed to demo the feature. All website connections are allowed by network protection but an event is logged to indicate any connection that would be blocked if network protection were enabled. 1. Set network protection to **Audit mode**. You can enable network protection in audit mode and then visit a website that we 2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -3. 
[Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. +3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would block the connection if it were set to **Enabled**. If network protection isn't blocking a connection that you're expecting it should block, enable the feature. You can enable network protection in audit mode and then visit a website that we ## Report a false positive or false negative -If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but isn't working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md). +If you've tested the feature with the demo site and with audit mode, and network protection is working on preconfigured scenarios, but isn't working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md). See [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md). See [Address false positives/negatives in Microsoft Defender for Endpoint](defen The current exclusion options are: 1. Setting up a custom allow indicator.-2. Using IP exclusions: `Add-MpPreference -ExclusionIpAddress 192.168.1.1` ++2. 
Using IP exclusions: `Add-MpPreference -ExclusionIpAddress 192.168.1.1`. + 3. Excluding an entire process. For more information, see [Microsoft Defender Antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md). ## Collect diagnostic data for file submissions -When you report a problem with network protection, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with network protection, you're asked to collect and submit diagnostic data for Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: |
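Review bot: Under "Confirm prerequisites", removing "only" changes the meaning: "Network protection works on devices with the following conditions" no longer states that the listed conditions are required. Suggest "Network protection works only on devices that meet the following conditions", which keeps the present tense the rest of the change moves to.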
security | Troubleshoot Onboarding Error Messages | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages.md | Title: Troubleshoot onboarding issues and error messages description: Troubleshoot onboarding issues and error message while completing setup of Microsoft Defender for Endpoint. -keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, microsoft defender for endpoint -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Troubleshoot Onboarding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md | Title: Troubleshoot Microsoft Defender for Endpoint onboarding issues description: Troubleshoot issues that might arise during the onboarding of devices or to the Microsoft Defender for Endpoint service. -keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Troubleshoot Performance Issues | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md | Title: Troubleshoot performance issues description: Troubleshoot high CPU usage related to the real-time protection service in Microsoft Defender for Endpoint. -keywords: troubleshoot, performance, high CPU utilization, high CPU usage, error, fix, update compliance, oms, monitor, report, Microsoft Defender Antivirus search.appverid: met150 -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium-+ Last updated 10/19/2021 audience: ITPro |
security | Troubleshoot Reporting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md | Title: Troubleshoot problems with reporting tools for Microsoft Defender Antivirus description: Identify and solve common problems when attempting to report in Microsoft Defender Antivirus protection status in Update Compliance -keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender Antivirus -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium --++ -+ - m365-security |
security | Troubleshoot Security Config Mgt | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt.md | Title: Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint description: Troubleshoot issues that might arise during the onboarding of devices using Security Management for Microsoft Defender for Endpoint. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Troubleshoot Siem | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-siem.md | Title: Troubleshoot SIEM tool integration issues in Microsoft Defender for Endpoint description: Troubleshoot issues that might arise when using SIEM tools with Microsoft Defender for Endpoint. -keywords: troubleshoot, siem, client secret, secret -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Troubleshooting Mode Scenarios | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshooting-mode-scenarios.md | Title: Troubleshooting mode scenarios in Microsoft Defender for Endpoint description: Use the Microsoft Defender for Endpoint troubleshooting mode to address various antivirus issues. search.appverid: met150 --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Tune Performance Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md | description: Describes the procedure to tune the performance of Microsoft Defend ms.localizationpriority: medium audience: ITPro-- Previously updated : 04/18/2023-++ Last updated : 02/16/2024+ - m365-security - mde-ngp search.appverid: met150 Microsoft Defender Antivirus performance analyzer has the following prerequisites: - Supported Windows versions: Windows 10, Windows 11, Windows 2012 R2 with the Modern Unified Solution and Windows Server 2016 and above-- Platform Version: 4.18.2108.7++- Platform Version: `4.18.2108.7` or later - PowerShell Version: PowerShell Version 5.1, PowerShell ISE, remote PowerShell (4.18.2201.10+), PowerShell 7.x (4.18.2201.10+) ## What is Microsoft Defender Antivirus performance analyzer? Microsoft Defender Antivirus performance analyzer has the following prerequisite Similar to the way mechanics perform diagnostics and service on a vehicle that has performance problems, performance analyzer can help you improve Defender Antivirus performance. Some options to analyze include: To start recording system events, open PowerShell in administrative mode and per 3. Press **ENTER** to stop and save recording, or **Ctrl+C** to cancel recording. -4. Analyze the results using the performance analyzer's `Get-MpPerformanceReport` parameter. For example, on executing the command `Get-MpPerformanceReport -Path <recording.etl> -TopFiles 3 -TopScansPerFile 10`, the user is provided with a list of top-ten scans for the top 3 files affecting performance. +4. Analyze the results using the performance analyzer's `Get-MpPerformanceReport` parameter. For example, on executing the command `Get-MpPerformanceReport -Path <recording.etl> -TopFiles 3 -TopScansPerFile 10`, the user is provided with a list of top-ten scans for the top three files affecting performance. 
For more information on command-line parameters and options, see the [New-MpPerformanceRecording](#new-mpperformancerecording) and [Get-MpPerformanceReport](#get-mpperformancereport). For more information on command-line parameters and options, see the [New-MpPerf ## Performance tuning data and information -Based on the query, the user will be able to view data for scan counts, duration (total/min/average/max/median), path, process, and **reason for scan**. The image below shows sample output for a simple query of the top 10 files for scan impact. +Based on the query, the user is able to view data for scan counts, duration (total/min/average/max/median), path, process, and **reason for scan**. The following image shows sample output for a simple query of the top 10 files for scan impact. :::image type="content" source="images/example-output.png" alt-text="Example output for a basic TopFiles query" lightbox="images/example-output.png"::: ## Additional functionality: exporting and converting to CSV and JSON The results of the performance analyzer can also be exported and converted to a CSV or JSON file.-For examples that describe the process of "export" and "convert" through sample codes, see below. +For examples that describe the process of "export" and "convert" through sample codes, see the following sections. -Starting with Defender version 4.18.2206.X, users will be able to view scan skip reason information under "SkipReason" column. The possible values are: +Starting with Defender version `4.18.2206.X`, users are able to view scan skip reason information under "SkipReason" column. The possible values are: -1. Not Skipped -1. Optimization (typically due to performance reasons) -1. 
User skipped (typically due to user-set exclusions) +- Not Skipped +- Optimization (typically due to performance reasons) +- User skipped (typically due to user-set exclusions) ### For CSV Starting with Defender version 4.18.2206.X, users will be able to view scan skip (Get-MpPerformanceReport -Path .\Repro-Install.etl -Topscans 1000).TopScans | ConvertTo-Json -Depth 1 ``` -To ensure machine-readable output for exporting with other data processing systems, it is recommended to use `-Raw` parameter for `Get-MpPerformanceReport`. See below for details. +To ensure machine-readable output for exporting with other data processing systems, it's recommended to use `-Raw` parameter for `Get-MpPerformanceReport`. See the following sections for more details. ## PowerShell reference New-MpPerformanceRecording -RecordTo <String> The `New-MpPerformanceRecording` cmdlet collects a performance recording of Microsoft Defender Antivirus scans. These performance recordings contain Microsoft-Antimalware-Engine and NT kernel process events and can be analyzed after collection using the [Get-MpPerformanceReport](#get-mpperformancereport) cmdlet. -This `New-MpPerformanceRecording` cmdlet provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "AS IS", and is not intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution. +This `New-MpPerformanceRecording` cmdlet provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "AS IS", and isn't intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution. 
For more information on the performance analyzer, see [Performance Analyzer](/windows-hardware/test/wpt/windows-performance-analyzer) docs. Get-MpPerformanceReport [-Path] <String> The `Get-MpPerformanceReport` cmdlet analyzes a previously collected Microsoft Defender Antivirus performance recording ([New-MpPerformanceRecording](#new-mpperformancerecording)) and reports the file paths, file extensions, and processes that cause the highest impact to Microsoft Defender Antivirus scans. -The performance analyzer provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "AS IS" and is not intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution. +The performance analyzer provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "AS IS" and isn't intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution. For more information on the performance analyzer, see [Performance Analyzer](/windows-hardware/test/wpt/windows-performance-analyzer) docs. Using \-Raw in the above command specifies that the output should be machine rea ##### -TopPaths -Requests a top-paths report and specifies how many top paths to output, sorted by "Duration". Aggregates the scans based on their path and directory. User can specify how many directories should be displayed on each level and the depth of the selection. +Requests a top-paths report and specifies how many top paths to output, sorted by Duration. Aggregates the scans based on their path and directory. User can specify how many directories should be displayed on each level and the depth of the selection. 
```yaml - Type: Int32 Requests a top-paths report and specifies how many top paths to output, sorted b ##### -TopPathsDepth -Specifies recursive depth that will be used to group and display aggregated path results. For example "C:\" corresponds to a depth of 1, "C:\Users\Foo" corresponds to a depth of 3. +Specifies recursive depth that is used to group and display aggregated path results. For example "C:\" corresponds to a depth of 1, "C:\Users\Foo" corresponds to a depth of 3. -This flag can accompany all other Top Path options. If missing, a default value of 3 is assumed. Value cannot be 0. +This flag can accompany all other Top Path options. If missing, a default value of 3 is assumed. Value can't be 0. ```yaml - Type: Int32 This flag can accompany all other Top Path options. If missing, a default value | flag | definition | |:|:| -| -**TopScansPerPath** | Specifies how may top scans to specify for each top path. | -| -**TopFilesPerPath** | Specifies how may top files to specify for each top path. | +| -**TopScansPerPath** | Specifies how many top scans to specify for each top path. | +| -**TopFilesPerPath** | Specifies how many top files to specify for each top path. | | -**TopScansPerFilePerPath** | Specifies how many top scans to output for each top file for each top path, sorted by "Duration" | | -**TopExtensionsPerPath** | Specifies how many top extensions to output for each top path | | -**TopScansPerExtensionPerPath** | Specifies how many top scans to output for each top extension for each top path | Accept wildcard characters: False ##### -Path -Specifies the path(s) to one or more locations. +Specifies the path or paths to one or more locations. ```yaml Type: String Accept wildcard characters: False ##### -Raw -Specifies that output of performance recording should be machine readable and readily convertible to serialization formats like JSON (for example, via Convert-to-JSON command). 
This is recommended for users interested in batch processing with other data processing systems. +Specifies that output of performance recording should be machine readable and readily convertible to serialization formats like JSON (for example, via Convert-to-JSON command). This configuration is recommended for users interested in batch processing with other data processing systems. ```yaml Type: <SwitchParameter> Accept wildcard characters: False ##### -TopExtensions -Specifies how many top extensions to output, sorted by "Duration". +Specifies how many top extensions to output, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopExtensionsPerProcess -Specifies how many top extensions to output for each top process, sorted by "Duration". +Specifies how many top extensions to output for each top process, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopFiles -Requests a top-files report and specifies how many top files to output, sorted by "Duration". +Requests a top-files report and specifies how many top files to output, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopFilesPerExtension -Specifies how many top files to output for each top extension, sorted by "Duration". +Specifies how many top files to output for each top extension, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopFilesPerProcess -Specifies how many top files to output for each top process, sorted by "Duration". +Specifies how many top files to output for each top process, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopProcesses -Requests a top-processes report and specifies how many of the top processes to output, sorted by "Duration". +Requests a top-processes report and specifies how many of the top processes to output, sorted by Duration. 
```yaml Type: Int32 Accept wildcard characters: False ##### -TopProcessesPerExtension -Specifies how many top processes to output for each top extension, sorted by "Duration". +Specifies how many top processes to output for each top extension, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopProcessesPerFile -Specifies how many top processes to output for each top file, sorted by "Duration ". +Specifies how many top processes to output for each top file, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopScans -Requests a top-scans report and specifies how many top scans to output, sorted by "Duration". +Requests a top-scans report and specifies how many top scans to output, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopScansPerExtension -Specifies how many top scans to output for each top extension, sorted by "Duration". +Specifies how many top scans to output for each top extension, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopScansPerExtensionPerProcess -Specifies how many top scans to output for each top extension for each top process, sorted by "Duration". +Specifies how many top scans to output for each top extension for each top process, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopScansPerFile -Specifies how many top scans to output for each top file, sorted by "Duration". +Specifies how many top scans to output for each top file, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopScansPerFilePerExtension -Specifies how many top scans to output for each top file for each top extension, sorted by "Duration". +Specifies how many top scans to output for each top file for each top extension, sorted by Duration. 
```yaml Type: Int32 Accept wildcard characters: False ##### -TopScansPerFilePerProcess -Specifies how many top scans for output for each top file for each top process, sorted by "Duration". +Specifies how many top scans for output for each top file for each top process, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopScansPerProcess -Specifies how many top scans to output for each top process in the Top Processes report, sorted by "Duration". +Specifies how many top scans to output for each top process in the Top Processes report, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopScansPerProcessPerExtension -Specifies how many top scans for output for each top process for each top extension, sorted by "Duration". +Specifies how many top scans for output for each top process for each top extension, sorted by Duration. ```yaml Type: Int32 Accept wildcard characters: False ##### -TopScansPerProcessPerFile -Specifies how many top scans for output for each top process for each top file, sorted by "Duration". +Specifies how many top scans for output for each top process for each top file, sorted by Duration. ```yaml Type: Int32 |
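Review bot: The rewritten -Raw description still names the cmdlet as "Convert-to-JSON", which is not a PowerShell cmdlet name; the built-in cmdlet is ConvertTo-Json. Since the sentence is being edited anyway, correct the name so readers who pipe the raw output into other tooling can copy it as written.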
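Review bot: Three of the reworded descriptions (-TopScansPerFilePerProcess, -TopScansPerProcessPerExtension and -TopScansPerProcessPerFile) keep "how many top scans for output", while every sibling parameter says "to output". The quote removal around Duration was applied to these lines, so the wording should be aligned in the same pass. The flag table above has a similar leftover in "how many top scans to specify for each top path", where "to output" matches the rest of the reference.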
security | Uefi Scanning In Defender For Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/uefi-scanning-in-defender-for-endpoint.md | Title: UEFI scanning in Defender for Endpoint description: Learn how Microsoft Defender for Endpoint is extending its protection capabilities to the firmware level with a new Unified Extensible Firmware Interface (UEFI) scanner. -keywords: Microsoft Defender for Endpoint, EDR in block mode, passive mode blocking -ms.pagetype: security ---+++ audience: ITPro |
security | Update Agent Mma Windows | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-agent-mma-windows.md | Title: Update your agent on devices for Microsoft Defender for Endpoint description: Learn about your options for updating or replacing your MMA agent on Windows devices for Defender for Endpoint. --++ ms.localizationpriority: medium Last updated 10/05/2023-+ audience: ITPro - m365-security |
security | Use Group Policy Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md | Title: Configure Microsoft Defender Antivirus with Group Policy description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint. -keywords: group policy, GPO, configuration, settings ms.localizationpriority: medium--++ Last updated 05/24/2023 -+ audience: ITPro |
security | Use Intune Config Manager Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus.md | Title: Configure Microsoft Defender Antivirus using Microsoft Intune description: Use Microsoft Intune to configure Microsoft Defender Antivirus and Endpoint Protection -keywords: scep, intune, endpoint protection, configuration -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ Last updated 12/16/2021--++ audience: ITPro |
security | Use Powershell Cmdlets Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus.md | Title: Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus description: In Windows 10 and Windows 11, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus. -keywords: scan, command line, mpcmdrun, defender -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ Last updated 09/06/2022 -+ audience: ITPro For a list of the cmdlets and their functions and available parameters, see the PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. > [!NOTE]-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](/configmgr), [Group Policy Management Console](use-group-policy-microsoft-defender-antivirus.md), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/101445). +> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](/configmgr), [Group Policy Management Console](use-group-policy-microsoft-defender-antivirus.md), or [Microsoft Defender Antivirus Group Policy ADMX templates](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. |
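Review bot: In the NOTE, the link text still reads "Microsoft Defender Antivirus Group Policy ADMX templates", but the new target is /troubleshoot/windows-client/group-policy/create-and-manage-central-store, whose path points to a Central Store how-to rather than to the templates themselves. Reword the link text to match the destination, or keep a link that leads to the templates, so administrators following the note land where the text says they will. The same sentence also keeps "should not" although the rest of this batch moves to contractions.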
security | Use Wmi Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus.md | Title: Configure Microsoft Defender Antivirus with WMI description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender for Endpoint. -keywords: wmi, scripts, windows management instrumentation, configuration -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium--++ Last updated 10/18/2018--++ audience: ITPro |
security | User Roles | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user-roles.md | Title: Create and manage roles for role-based access control description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation in the Microsoft Defender XDR -keywords: user roles, roles, access rbac -ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
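Review bot: The front matter here drops keywords and ms.sitesec but leaves "ms.pagetype: security" in place, while the other Defender for Endpoint articles in this batch remove ms.pagetype as well. If the key is being retired, remove it here too; if it is kept on purpose, say so in the commit message. The description also ends with "in the Microsoft Defender XDR", which reads as if a noun is missing after the product name.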
security | Validate Antimalware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/validate-antimalware.md | Title: AV detection test for verifying device's onboarding and reporting services description: AV detection test to verify the device's proper onboarding and reporting to the service. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Verify Connectivity | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/verify-connectivity.md | Title: Verify client connectivity to Microsoft Defender for Endpoint service URL description: Learn how to verify client connectivity to Defender for Endpoint service URLs search.appverid: met150 --+++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | View Incidents Queue | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/view-incidents-queue.md | Title: View and organize the Incidents queue description: See the list of incidents and learn how to apply filters to limit the list and get a more focused view. -keywords: view, organize, incidents, aggregate, investigations, queue, ttp -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Web Content Filtering | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md | Title: Web content filtering description: Use web content filtering in Microsoft Defender for Endpoint to track and regulate access to websites based on their content categories. --++ ms.localizationpriority: medium Last updated 02/02/2024-+ audience: ITPro - m365-security |
security | Web Protection Monitoring | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-monitoring.md | Title: Monitoring web browsing security in Microsoft Defender for Endpoint description: Use web protection in Microsoft Defender for Endpoint to monitor web browsing security -keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
security | Web Protection Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md | Title: Web protection description: Learn about the web protection in Microsoft Defender for Endpoint and how it can protect your organization -keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 12/16/2022-+ audience: ITPro - m365-security |
security | Web Protection Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-response.md | Title: Respond to web threats in Microsoft Defender for Endpoint description: Respond to alerts related to malicious and unwanted websites. Understand how web threat protection informs end users through their web browsers and Windows notifications -keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page, -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security Web protection in Microsoft Defender for Endpoint lets you efficiently investiga Microsoft Defender for Endpoint generates the following [alerts](manage-alerts.md) for malicious or suspicious web activity: -- **Suspicious connection blocked by network protection**: This alert is generated when an attempt to access a malicious website or a website in your custom indicator list is *stopped* by network protection in *block* mode-- **Suspicious connection detected by network protection**: This alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in *audit only* mode+- **Suspicious connection blocked by network protection**: This alert is generated when network protection (in block mode) stops an attempt to access a malicious website or a website in your custom indicator list. +- **Suspicious connection detected by network protection**: This alert is generated when network protection (in audit mode) detects an attempt to access a malicious website or a website in your custom indicator list. 
Each alert provides the following information: You can dive deeper by selecting the URL or domain of the website in the alert. :::image type="content" source="images/wtp-website-details.png" alt-text="The domain or URL entity details page" lightbox="images/wtp-website-details.png"::: -[Learn more about URL or domain entity pages](investigate-domain.md) +For more information, see [About URL or domain entity pages](investigate-domain.md). ## Inspect the device You can also check the device that attempted to access a blocked URL. Selecting the name of the device on the alert page opens a page with comprehensive information about the device. -[Learn more about device entity pages](investigate-machines.md) +For more information, see [About device entity pages](investigate-machines.md). ## Web browser and Windows notifications for end users -With web protection in Microsoft Defender for Endpoint, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows. +With web protection in Defender for Endpoint, your end users are prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is done by [network protection](network-protection.md) and not their web browser, users see a generic error from the web browser. They also see a notification from Windows. 
:::image type="content" source="images/wtp-browser-blocking-page.png" alt-text="The Microsoft Edge showing a 403 error, and the Windows notification" lightbox="images/wtp-browser-blocking-page.png"::: With web protection in Microsoft Defender for Endpoint, your end users will be p :::image type="content" source="images/wtp-chrome-browser-blocking-page.png" alt-text="The Chrome web browser showing a secure connection warning, and the Windows notification" lightbox="images/wtp-chrome-browser-blocking-page.png"::: *Web threat blocked on Chrome* -## Related topics +## Related articles - [Web protection overview](web-protection-overview.md) - [Web content filtering](web-content-filtering.md) |
security | Web Threat Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-threat-protection.md | Title: Protect your organization against web threats description: Learn about web protection in Microsoft Defender for Endpoint and how it can protect your organization. -keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.appverid: met150 -ms.sitesec: library -ms.pagetype: security --++ ms.localizationpriority: medium Last updated 08/22/2022-+ audience: ITPro - m365-security-Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). +Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they're away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you are blocked because they're in your [custom indicator list](manage-indicators.md). 
> [!NOTE] > It might take up to two hours for devices to receive new custom indicators. ## Prerequisites -Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers. +Web protection uses network protection to provide web browsing security on Microsoft Edge and non-Microsoft web browsers. To turn on network protection on your devices: The following procedure describes how to configure web threat protection using t 5. On the **Configuration settings** tab, expand **Web Protection**, specify your settings, and then choose **Next**. - - Set **Enable network protection** to **Enabled** so web protection is turned on. Alternately, you can set network protection to **Audit mode** to see how it will work in your environment. In audit mode, network protection does not prevent users from visiting sites or domains, but it does track detections as events. + - Set **Enable network protection** to **Enabled** so web protection is turned on. Alternately, you can set network protection to **Audit mode** to see how it works in your environment. In audit mode, network protection doesn't prevent users from visiting sites or domains, but it does track detections as events. - To protect users from potential phishing scams and malicious software, turn **Require SmartScreen for Microsoft Edge Legacy** to **Yes**. - To prevent users from bypassing warnings about potentially malicious sites, set **Block malicious site access** to **Yes**. - To prevent users from bypassing the warnings and downloading unverified files, set **Block unverified file download** to **Yes**. -6. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then choose **Next**. (If you are not using scope tags, choose **Next**.) To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). +6. 
On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then choose **Next**. (If you aren't using scope tags, choose **Next**.) To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). 7. On the **Assignments** tab, specify the users and devices to receive the web protection policy, and then choose **Next**. 8. On the **Review + create** tab, review your policy settings, and then choose **Create**. -## Related topics +## Related articles - [Web protection overview](web-protection-overview.md) - [Web threat protection](web-threat-protection.md) |
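Review bot: The rewritten intro sentence introduces a grammar error: "and sites that you are blocked because they're in your custom indicator list" no longer parses, whereas the removed line said "sites that you have blocked in your custom indicator list". Suggest "and sites that are blocked because they're in your custom indicator list". In step 5, the unchanged bullet "turn **Require SmartScreen for Microsoft Edge Legacy** to **Yes**" should use "set" like the neighbouring bullets, and the Related articles list links back to web-threat-protection.md, which is this article.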
security | Whats New In Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md | Title: What's new in Microsoft Defender for Endpoint description: See what features are generally available (GA) in the latest release of Microsoft Defender for Endpoint, and security features in Windows 10 and Windows Server. -keywords: what's new in Microsoft Defender for Endpoint, ga, generally available, capabilities, available, new search.appverid: met150 --++ ms.localizationpriority: medium Last updated 01/24/2024-+ audience: ITPro - m365-security |
security | Why Use Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus.md | Title: Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint description: For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings. -keywords: windows defender, antivirus, third party av -ms.sitesec: library ms.localizationpriority: medium audience: ITPro --++ -+ - m365-security |
security | Windows Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/windows-whatsnew.md | Title: What's new in Microsoft Defender for Endpoint on Windows description: Learn about the latest feature releases of Microsoft Defender for Endpoint on Windows Client and Server. -keywords: microsoft, defender, Microsoft Defender for Endpoint, windows, windows client, windows server, whats new search.appverid: met150 --++ ms.localizationpriority: medium Last updated 11/06/2023-+ audience: ITPro - m365-security |
security | Zero Trust With Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/zero-trust-with-microsoft-defender-endpoint.md | Title: Zero Trust with Microsoft Defender for Endpoint description: Microsoft Defender for Endpoint contributes to a strong Zero Trust strategy and architecture. -keywords: Zero Trust, Microsoft Defender XDR for Endpoint, Microsoft Defender XDR, security architecture, security strategy, cyber security, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation -search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.sitesec: library -ms.pagetype: security f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security |
syntex | Backup Pricing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/backup/backup-pricing.md | Microsoft 365 Backup will charge you for content size of the following for 365 d > [!NOTE] > Restore points or size of restores will not be charged. Although Azure is being used to process the payments, there are no additional Azure API or storage costs beyond the Microsoft 365 Backup usage charges mentioned above. -As an example, if you have a site under protection that is currently 1 GB for the first month, you'll be charged 1 GB of Backup usage. If you delete content in that site such that it's now only 0.5 GB, your next monthly bill will still be for 1 GB since the backup tool is retaining that deleted content for a year. After a year when the backup of that deleted content expires, the 0.5 GB being retained for backup purposes will no long be charged for Backup. +As an example, if you have a site under protection that is currently 1 GB for the first month, you'll be charged 1 GB of Backup usage. If you delete content in that site such that it's now only 0.5 GB, your next monthly bill will still be for 1 GB since the backup tool is retaining that deleted content for a year. After a year when the backup of that deleted content expires, the 0.5 GB being retained for backup purposes will no longer be charged for Backup. > [!NOTE] > These prices are subject to change when the product becomes generally available. A partner application integrated with Microsoft 365 Backup storage might charge a different rate for their service. |
syntex | Syntex Licensing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-licensing.md | Title: Licensing for Microsoft Syntex Previously updated : 09/25/2023 Last updated : 02/15/2024 audience: admin As of July 1, 2023, per-user licenses are no longer available for purchase. Per- Users with active per-user licenses can perform the following tasks: - Apply an unstructured document processing model to a library. (Unlicensed users can be granted access to a content center and can create models there, but can't apply them to a document library.)-- Create a structured document processing model or a freeform document processing model via the entry point in a library.+- Create a prebuilt, structured, or freeform document processing model via the entry point in a library. - Upload content to a library where a custom model has been applied. - Run an unstructured document processing model on-demand. - Create a modern template with content assembly. |