-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.

- - If youΓÇÖre using the **Simplified view**, select **Billing**, then select **View payment methods**.

- - If youΓÇÖre using the **Dashboard view**, go to the Billing > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.

-2. On the **Bills & payments** page, select the **Billing profile** tab.

-3. Select a billing profile.

-4. On the billing profile details page, under **Bill-to address**, select **Edit**.

-5. In the **Edit bill-to address** pane, update your organization information, then select **Save**.

-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.admin center.

-1. Go to the admin center.

-To learn more about billing profile roles and how to manage them, see [Understand Microsoft Customer Agreement administrative roles in Azure](/azure/cost-management-billing/manage/understand-mca-roles).

-To change the billing profile roles assigned to users, use the following steps.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.

-2. On the **Billing profile** tab, select a billing profile.

-3. In the **Billing profile roles** section, assign or remove roles for **Billing profile owner**, **Billing profile contributor**, or **Invoice manager**.

-# Understand your Microsoft business billing profile

-A billing profile contains payment method and invoice information associated with your billing account. You use a billing profile to pay for business products and services that you buy from Microsoft. A billing profile is automatically created when a billing account is created. For information about billing accounts, see [Understand your Microsoft billing account](../manage-billing-accounts.md).

-> [!NOTE]

-> Not all accounts have a billing profile. If you're not sure if you have a one, you can [view a list of your billing profiles](manage-billing-profiles.md#view-your-billing-profiles).

-> [!NOTE]

->

-> If you follow these steps and the billing profiles list is empty, it means that you don't have a billing profile, and can't use this feature.

-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.

- - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

- - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.

-2. On the **Bills & payments** page, select the **Billing profile** tab.

-3. Select a billing profile name to view its details page.

-The top of the **Billing profile** details page contains information about the payment method used to pay for the products and services that you buy, and shows details about how we invoice you. You can update your profile to change your payment method, Bill-to address, email address, and phone number.

-The following table lists the terms shown on the **Billing profile** details page.

-|Name |The name of your billing profile. To change the name, select **Update name**. |

-|Invoice currency |The currency used for your invoice, based on the **Sold-to** country or region of the billing account. |

-|Payment method |The payment method used for the billing profile. To make changes, select **Edit** or **Replace**. |

-|Invoice frequency |Shows how often you receive an invoice. |

-|Backup payment method |Shows the backup payment method, if one exists. |

-|Invoice date |Shows the date the invoice is created. |

-|Billing account |The billing account thatΓÇÖs associated with the billing profile. To view details about the billing account, select the link. For more information about billing accounts, see [Understand billing accounts](../manage-billing-accounts.md). |

-|Get invoices in email statements |A setting you can turn on to receive the invoice as an email attachment. The default setting is **On**. |

-|Bill-to address |Contains the contact name, address, email address, and phone number for the billing profile. |

-|PO number (optional) |If you provide a purchase order (PO) number in this field, it appears on your invoice. |

-The bottom of the **Billing profile** details page contains the **Billing profile roles** section. This section lists the names of the users assigned to specific billing profile roles. Billing profile roles have permissions to control purchases, and view and manage invoices. You can assign these roles to users who track, organize, and pay invoices.

-Only a billing profile owner can grant access to billing profile roles. You can assign the following roles to users:

-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.

- - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

- - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.

-2. On the **Bills & payments** page, select the **Billing profile** tab.

-3. Select a billing profile name to view its details page.

-4. On the **Billing profile** details page, under **Billing profile roles**, select **Assign roles**.

-5. In the **Assign roles** pane, type the name or email address, select the role you want to assign to them, then select **Assign**.

-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.

- - If you're using the **Simplified view**, select **Billing**, then select **View payment methods**.

- - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.

-2. On the **Bills & payments** page, select the **Billing profile** tab.

-3. Select a billing profile name to view its details page.

-4. On the **Billing profile** details page, under **Billing profile roles**, select **View related role assignments**.

-[Understand your Microsoft business billing profile](manage-billing-profiles.md)(article)

-When you buy Microsoft business products or services, you can use an existing payment method to pay for then, or add a new one. You can use a credit or debit card to pay for the things you buy.

-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.

- - If you're using the **Simplified view**, select **Billing** > **View payment methods**.

- - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.

-2. Select the **Billing profiles** tab, then select the billing profile to update.

-3. On the **Billing profile** page, under **Payment method**, select **Replace**.

-4. If you need to add a new payment method first, select **Add payment method**, enter the details, then select **Save**.

-5. In the **Replace payment method** pane, select a different payment method from the drop-down list, then select **Replace**.

-[Understand your Microsoft business billing profile](manage-billing-profiles.md) (article) \

-| Bill to |Identifies who receives the invoice. This information is managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page. The billing profile is also shown on the online invoice page, in the **Invoice summary** section. To learn more about billing profiles, see [Understand your Microsoft business billing profile](manage-billing-profiles.md). |

-| Billing Profile |The name of the billing profile used to define invoice properties like **Bill to**, **PO number**, and payment terms. This information is managed on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page. For more information about billing profiles, see [Understand your Microsoft business billing profile](manage-billing-profiles.md). |

-For more information, see [Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md).

-[Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md) (article)\

-|Billing profiles |The link goes to the list of billing profiles associated with the current billing account. A billing profile defines the properties of your invoice, like who receives the bill, how the bill is delivered, payment terms, and an optional purchase order (PO) number. For more information about billing profiles, see [Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md). |

-[Understand billing profiles](billing-and-payments/manage-billing-profiles.md) (article)

-For more information about billing profiles, see [Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md).

-[Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md) (article)\

-For information about billing profiles, see [Manage billing profiles](billing-and-payments/manage-billing-profiles.md).

-description: Learn how to use Viva Connections, SharePoint, Microsoft Teams, and the Praise app to increase frontline worker wellbeing and engagement.

-Nurture a sense of belonging among your frontline team by empowering to engage with your entire organization.

-Survey's like MicrosoftΓÇÖs [Work Trend Index Pulse Report](https://www.microsoft.com/worklab/work-trend-index) show that many frontline workers:

-You can help your frontline team overcome these challenges and feel supported in your organization by using [Viva Connections](#connect-frontline-workers-to-your-broader-organization-with-viva-connections), [Viva Engage](#create-communities-with-viva-engage), [Praise](#boost-morale-with-praise), [SharePoint, and Microsoft Stream](#support-engagement-with-sharepoint-and-microsoft-stream).

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Vpnn]

-<!--  This seems more like an IW image than a frontline one. Swapping out for the video. -->

-[Viva Connections](/viva/connections/viva-connections-overview) brings the power of SharePoint into Microsoft Teams, so your frontline workers can easily access everything they need on the go. Use the Viva Connections app for Microsoft Teams to:

-### Increase engagement with communications

-Viva Connections is comprised of three main components that can be set up and customized in different ways to highlight tools and resources: the dashboard, feed and resources, shown below.

-

-|Component |Description |Capabilities |

-|:|:--|:|

-|Dashboard |The Dashboard is your employeeΓÇÖs digital toolset and enables quick access to popular tasks. |Prioritize cards that help frontline workers accomplish popular tasks like clocking in and out, or viewing assigned tasks. Cards can be targeted to distinct roles and regions. |

-|Feed |The Feed aggregates content from Viva Engage, SharePoint news, and Stream to display a personalized news stream. |Content in the Feed gets automatically aggregated based on sites and Viva Engage communities that the user follows. Content can be prioritized to display more prominently in the Feed. Use audience targeting to display content to specific audiences. |

-|Resources |The Resources surface links to popular SharePoint portals and other content. |Resources are inherited from global navigation in SharePoint. Link to popular SharePoint portals like HR benefits and training resources. Modern SharePoint portals will display in Teams to provide the best possible viewing experience. |

-There are several ways to use Viva Connections to communicate with your workforce. Viva Connections features a [Feed where news, content from Viva Engage, and videos are aggregated and displayed](/viva/connections/viva-connections-overview#viva-connections-feed) in a personalized view based on the sites and communities that the viewer follows. The [Dashboard](/viva/connections/create-dashboard) can also be used to highlight certain cards that link to important news sources.

-As you prioritize and align the scenarios to support, consider how and where certain tools and resources should be located. [Learn more about the differences between desktop and mobile apps](/viva/connections/viva-connections-overview#viva-connections-mobile-and-desktop-experiences).

-Creating channels for your frontline workers to share feedback helps these teams feel engaged and like their voices matter. In addition, getting feedback from these teams can provide insights into how your organization can improve processes.

- > Form creation requires an F3 or Enterprise license. Workers with F1 licenses can fill out forms, but they'll need to be created by someone with an F3 or Enterprise license. [Learn more about license types](flw-licensing-options.md) or [View the detailed license comparison table](https://go.microsoft.com/fwlink/?linkid=2139145).

-Empowering frontline workers with the right technology makes their jobs easier and helps your organization quickly adapt to ever-changing work conditions. Use Viva Connections to create a digital ecosystem and curated employee experience.

-Review Viva Connections capabilities, technical requirements, and customization options. Then, work with stakeholders (such as representatives from HR and operations and process owners) who can accurately represent the needs of your frontline workforce. Take inventory of the highest priority needs and align them to Viva Connections capabilities to build a custom experience in Teams. [Get started planning, building, and launching Viva Connections for your organization](/viva/connections/plan-viva-connections).

-Viva Engage is an internal social network that gives members of your organization opportunities to connect with each other. You can create communities where members of your organization can post messages and communicate. Having a variety of communities that span both frontline and non-frontline teams helps your on-the-ground workforce connect to each other and the broader organization. Communities can be based on:

-### Host live events

-Members of your leadership or management team can host live events in Viva Engage where employees can engage and ask questions in real time over chat. Your communications and management teams can use live events to share announcements, host morale events, and more.

-[Learn more about how to organize a Microsoft Teams powered live event in Viva Engage](/viva/engage/organize-live-event).

-[Learn more about Viva Engage](/viva/engage/overview).

-The Praise app in Microsoft Teams lets managers and employees congratulate each other and share appreciation by sending badges in Teams chat and channels. Praise helps employees feel recognized for achievements such as meeting goals and going above and beyond to help customers.

-## Support engagement with SharePoint and Microsoft Stream

-One of the biggest struggles for frontline workers is feeling included in the broader organization. By recording important meetings in SharePoint and hosting videos in Microsoft Stream.

-### Record Teams meetings and store them in SharePoint

-If your organization already uses Microsoft Teams, you may have recorded some of your meetings so that team members can catch up on meetings that they missed. Recording meetings can also benefit your frontline team by making them feel included in the organization. Some ways you can use recorded meetings to help frontline teams include:

-Once a meeting is recorded and saved in SharePoint, your corporate communications team can [add a card in Viva Connections](/viva/connections/create-dashboard#create-a-dashboard-and-add-cards) to make it easily accessible for your frontline team.

-### Host live events and share video content on Microsoft Stream

-Microsoft Stream is your organization's own streaming video platform. With Stream, anyone in your organization can record and upload videos to share. Ways you can use Stream to engage your frontline workers include:

-> [!NOTE]

-> Only users with an Enterprise license can host events or publish to stream. Users with F licenses can join events and view videos.

-[Learn more about Microsoft Stream](https://support.microsoft.com/office/explore-stream-87a7d1e2-ef0e-44c6-88dc-74b23266cfc0).

-Your corporate communications team can make sure everyone has easy access to stream videos by [adding a card in Viva Connections](/viva/connections/create-dashboard#create-a-dashboard-and-add-cards).

-description: Learn how frontline managers can get their teams up and running with Microsoft 365 for frontline workers.

- - Teams_ITAdmin_FLW

- - m365-frontline

- - highpri

-appliesto:

- - Microsoft Teams

- - Microsoft 365 for frontline workers

-# Managers - Get your team started with Microsoft 365 for frontline workers

-Microsoft 365 for frontline workers includes a variety of capabilities to help your team do their best. Here are a few things you can start doing right away to get your team working together:

-|Path |Description |Teams apps you'll need |

-|-|--|--|

-|[Enable quick communication](#enable-quick-communication) |Help your frontline team stay in touch. |Chats and Walkie Talkie |

-|[Manage frontline schedules, time, and attendance](#manage-frontline-schedules-time-and-attendance) |Set up a schedule that you can manage in Teams. |Shifts |

-|[Manage work items](#manage-work-items) |Use Teams and Microsoft 365 apps to assign and keep track of work items. |Tasks, Lists, Approvals, and Updates |

-|[Foster connections and boost morale](#foster-connections-and-boost-morale-with-praise) |Send praise to your team members to help them feel appreciated. |Praise |

-The apps that support these capabilities are included in Teams and most are ready to use right away. Some youΓÇÖll need to add to your team or set up before youΓÇÖre ready to use it. Also, most of these apps are pinned by default, meaning that members of your frontline team see them by default in the app bar, which is the bar at the bottom of the Teams mobile clients (iOS and Android) and on the side of the Teams desktop client. You can always add apps that arenΓÇÖt pinned based on your needs. [Learn how to add apps in Teams](https://support.microsoft.com/office/add-an-app-to-microsoft-teams-b2217706-f7ed-4e64-8e96-c413afd02f77).

-This article helps you to set up a team, and then configure the features and apps you need to get your team going with these capabilities.

-## Enable quick communication

-Use the built-in communication tools in Teams to enable your frontline workers to stay in touch. You donΓÇÖt need to do any additional setup for the communication apps or to use them in your team. You always see the Teams, Chats, and Activity icons when you open Teams, either on desktop or mobile, while Walkie Talkie is only available on mobile.

-### Teams

-You and your frontline workers can create teams to help specific groups stay in touch. For example, you could create a Cashiers team so all your cashiers can communicate with each other and share information. If thereΓÇÖs a policy change that only applies to cashiers, you can post it in the Cashiers team so it reaches the people who need to see it. [Learn how to create a team in Teams](https://support.microsoft.com/office/set-up-groups-and-teams-a79afa20-aa01-44a3-b33d-5eaa72f6404f).

-### Chats

-Teams chat allows members of your frontline workforce to communicate seamlessly without having to use their personal messaging apps. [Learn more about chats](https://support.microsoft.com/office/first-things-to-know-about-chats-88ed0a06-6b59-43a3-8cf7-40c01f2f92f2).

-### Activity

-You can @Mention a team member to call their attention to a conversation. @Mentions send users a notification, so they see the message in Activity even if they miss it in the chat.

-### Walkie Talkie

-Walkie Talkie empowers your workers to have real-time conversations with workers at any location without leaving their station. For example, if an employee is helping a customer and needs assistance, they can use Walkie Talkie to contact an expert or manager without having to walk away from the customer.

-Walkie Talkie is supported on Android devices with Google Mobile Services (GMS) and iOS devices.

-## Manage frontline schedules, time, and attendance

-You can use the Shifts app to create and manage schedules for your team. With Shifts, employees can request time off, volunteer for open shifts, request to swap shifts with coworkers, and clock in and out of their shifts.

-To create a schedule in Shifts:

-1. In Shifts, select **New schedule**, and then select **Create** on the team you want.

-2. Select **Add group** to organize the schedule based on job type or location. You can have multiple groups on one schedule. For example, a healthcare organization could have a group for receptionists and a group for nurses.

-3. Select **More options** (**...**), and then select **Rename group** to name the group.

-4. To create a shift for a team member, select their row, and then select **More options** (**...**) > **Add shift**.

-Watch [this video](https://support.microsoft.com/office/create-a-shifts-schedule-2b94ca38-36db-4a1c-8fee-f8f0fec9a984) to learn more about creating schedules in shifts.

-If your organization is already using a workforce management system for scheduling, your IT team can integrate it with Shifts to pull all your schedules into Shifts. [Learn more about connecting your workforce management system](shifts-connectors.md).

-## Manage work items

-You can use the Tasks, Lists, Approvals, and Updates apps to manage and keep track of work items. You can choose to use just one app, or use several of them based on your needs. Anyone can create and assign tasks to themselves and team members.

-### Tasks

-Tasks is powered by Planner, and lets you create and assign work items for your team. To create and assign a task in Tasks:

-1. Open the Tasks app.

-2. Select **+ New list or plan** to create a task list for your team.

-3. Give your plan a name. Under **Create in**, choose the team and channel you want the task plan to apply to. Then select **Create**.

- 

-4. To create a new task, give it a name. Then assign it to a member of the team that you created the plan in. You can also choose a due date.

- 

-5. After you created and assigned the task, it appears in the Tasks app for members of the team. If you don't assign the task to a specific person, it still shows up for the team.

-Tasks is powered by Planner. Watch [this playlist](https://support.microsoft.com/office/organize-your-team-s-tasks-in-microsoft-planner-c931a8a8-0cbb-4410-b66e-ae13233135fb) to learn more about how you can use Planner and Tasks together.

-### Approvals

-Approvals lets your team submit requests for approval from within Teams. For example, if one of your team members wants to offer a discount on a large order, they can submit an approval request to get permission.

-You can create templates for your frontline team that will allow them to submit streamlined approval requests.

-1. From the Approvals hub, select **Create or manage templates**.

-2. From the menu, select which team you want the template to apply to.

- 

-3. Select **New template** and then either choose an existing template from the template store or create one from scratch to suit your needs.

-4. Choose who you want the template to apply to. Choose **Team wide** to make this template apply to everyone in the team you selected in step 2.

-5. Select the team from the list.

-6. Fill in the Basic settings, Form design, and Workflow settings. Then select **Preview**.

-7. If the template looks good to you, choose **Publish**.

-8. Members of your team will now be able to submit approval requests from the template you created.

-[Learn more about creating templates for your team in Approvals](https://support.microsoft.com/office/discover-templates-in-approvals-c33ecf9f-b745-4287-b104-ac69469745e0).

-### Lists

-The Lists app helps you track information and organize work. You and your team can create lists for inventory, customer requests, supply needs, and more.

-You can create a list from a template by choosing **+New List** from the Lists app. [Learn about what templates are available](https://support.microsoft.com/office/list-templates-in-microsoft-365-62f0e4cf-d55d-4f89-906f-4a34e036ded1).

-If you have a spreadsheet that you collaborate on with your team, you can convert it to a list.

-1. From the Lists app, select **+New List**.

-2. Choose **From Excel** and upload the spreadsheet you want to turn into a list.

-3. Confirm the column types are correct and adjust them if necessary. Then select **Next**.

-4. Give your list a name, color, icon, and location. Then choose **Create**.

-> [!NOTE]

-> The Lists app isn't pinned by default, but you can [add it from the Teams app store](https://support.microsoft.com/office/add-an-app-to-microsoft-teams-b2217706-f7ed-4e64-8e96-c413afd02f77).

-### Updates

-Updates allows you to create, submit, and review updates. People can easily see their employee updates, check-ins, and reports in one place to make sure the team is on track for success, whether those are recurring processes that happen regularly or in-the-moment updates that might be needed at any time.

-You can assign updates to your team members. Team members can also submit updates without being assigned.

-1. In the Updates app, select **Create and manage templates**.

-2. Choose a popular template, or choose **View more** to see all template options. You can choose a template or start from blank.

-3. Fill in the Basic settings and Form design.

-4. In Workflow settings, choose who you want to submit this update, view this update, and the times and due dates for the update.

-5. The submitters you assigned can now see and submit the required update.

-> [!NOTE]

-> The Updates app isn't pinned by default, but you can [add it from the Teams app store](https://support.microsoft.com/office/add-an-app-to-microsoft-teams-b2217706-f7ed-4e64-8e96-c413afd02f77).

-## Foster connections and boost morale with Praise

-The Praise app in Teams helps you show appreciation to members of your team. You can send praise to team members to recognize their achievement, and team members can send praise to each other. You can also send praise in a channel conversation to recognize a group of people. Praise uses premade titles that call out positive qualities such as **Team Player** and **Awesome**.

-1. Open a Teams chat or channel. Below the space where you write a message, select **Praise** or select **More apps** (**...**) to find it.

- 

-2. Titles default to **Awesome**. To send a different title with your praise message, select a new one from the **Title** section.

-3. Add the name of the people you want to praise and an optional note.

-4. Select **Preview** to check it, and then select **Send**.

-## Share training videos with your users

-Help your team get comfortable and confident using their Microsoft 365 capabilities with these training resources. Each of these articles and videos only takes a few minutes to go through.

-[Get started with Microsoft Teams](https://support.microsoft.com/office/get-started-with-microsoft-teams-b98d533f-118e-4bae-bf44-3df2470c2b12)

-[Get started with Walkie Talkie](https://support.microsoft.com/office/get-started-with-teams-walkie-talkie-25bdc3d5-bbb2-41b7-89bf-650fae0c8e0c)

-[Get started with Shifts](https://support.microsoft.com/office/what-is-shifts-f8efe6e4-ddb3-4d23-b81b-bb812296b821)

-Shifts also includes a clock in and out feature. [Learn how to clock in and out with Shifts](https://support.microsoft.com/office/clock-in-and-out-with-shifts-ae7b676c-7666-46c7-9f68-85ff54acec8b)

-[Get started with Tasks](https://support.microsoft.com/office/use-the-tasks-app-in-teams-e32639f3-2e07-4b62-9a8c-fd706c12c070)

-[Learn about Approvals](https://support.microsoft.com/office/what-is-approvals-a9a01c95-e0bf-4d20-9ada-f7be3fc283d3)

-[Learn about Lists](https://support.microsoft.com/office/create-a-list-from-the-lists-app-b5e0b7f8-136f-425f-a108-699586f8e8bd)

-[Learn about the Updates mobile experience](https://support.microsoft.com/office/get-started-in-updates-c03a079e-e660-42dc-817b-ca4cfd602e5a#ID0EBF=Mobile)

-[Learn how to send Praise](https://support.microsoft.com/office/send-praise-to-people-50f26b47-565f-40fe-8642-5ca2a5ed261e)

-The Microsoft 365 Lighthouse default baseline is designed to ensure all managed tenants are healthy and secure. To view the tasks included in the default baseline, select **Default baseline** from the list. Select any of the tasks to view additional details about the task and the associated user impact.

-### Default Lighthouse configurations

-|Baseline configuration|Description|

-|Require MFA for admins|A Conditional Access policy requiring multi-factor authentication for all admins. It's required for all cloud applications. For more information about this baseline, see [Conditional Access: Require MFA for all administrators](/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa).|

-|Require MFA for end users|A Conditional Access policy that requires multi-factor authentication for all users. It's required for all cloud applications. For more information about this baseline, see [Conditional Access: Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa).|

-|Block legacy authentication|A Conditional Access policy to block legacy client authentication. For more information about this baseline, see [Block legacy authentication to Microsoft Entra ID with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication).|

-|Set up device enrollment|Device enrollment allows your tenant devices to enroll in Microsoft Intune and provide Endpoint analytics visibility into your devices through device health monitoring. This configuration is done by setting up Auto Enrollment between Microsoft Entra ID and Microsoft Intune. For more information about this baseline, see [Set up enrollment for Windows devices](/mem/intune/enrollment/windows-enroll).|

-|Configure app protection policy|A set of protection policies that allow you to manage and protect a managed tenant's organization's data within an application, independent of any mobile device management (MDM) solution. The organization's data will be protected with or without enrolling devices in an MDM solution.|

-|Set up Microsoft Defender for Business|Provisions the tenant for Microsoft Defender for Business and onboards the devices already enrolled in Microsoft Intune to Microsoft Defender for Business. For more information, see [What is Microsoft Defender for Business?](../security/defender-business/mdb-overview.md)|

-|Set up Exchange Online Protection and Microsoft Defender for Office 365|A policy to apply recommended anti-spam, anti-malware, anti-phishing, safe links and safe attachment policies to your tenants Exchange Online mailboxes.|

-|Configure Microsoft Defender Antivirus for Windows 10 and later|A device configuration profile for Windows devices with pre-configured Microsoft Defender Antivirus settings. For more information about this baseline, see [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure).|

-|Configure Microsoft Defender Firewall for Windows 10 and later|A firewall policy to help secure devices by preventing unwanted and unauthorized network traffic. For more information about this baseline, see [Best practices for configuring Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/best-practices-configuring).|

-|Configure a device compliance policy for Windows 10 and later|A Windows device policy with pre-configured settings to meet basic compliance requirements. For more information about this baseline, see [Conditional Access: Require compliant or Microsoft Entra hybrid joined device](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device).|

-|Configure Microsoft Edge|A Microsoft Edge browser policy for Windows 10 or later with preconfigured settings to stay protected from phishing scams and malicious software. This policy also allows Microsoft Edge to safely save and monitor passwords and suggest strong passwords when needed.|

-### Assign GDAP template settings automatically after customer approval of GDAP relationships

-You can now set up granular delegated admin privileges (GDAP) for any customer tenant&mdash;regardless of which delegated relationship has already been set up&mdash;without the need for extra steps after a GDAP relationship is activated. Assign a GDAP template to any customer tenant in Microsoft 365 Lighthouse and, once the customer approves the relationship, the security groups and support roles are automatically applied. There's no need to re-run GDAP Setup or take extra steps after a relationship is activated to apply all GDAP template settings.

-To assign a GDAP template, go to the **Home** page of Lighthouse and select **Set up GDAP** on the **GDAP Setup** card.

-[Go to GDAP Setup now](https://lighthouse.microsoft.com/#view/Microsoft_Intune_MTM/SetupGdap.ReactView)

-To learn more, see [Set up GDAP for your customers in Microsoft 365 Lighthouse](m365-lighthouse-setup-gdap.md).

-keywords: managed security service provider, mssp, configure, integration

-ms.sitesec: library

-ms.pagetype: security

-keywords: antivirus, spam, phish, file, alert, Microsoft Defender for Endpoint, false positive, false negative, blocked file, blocked url, submission, submit, report

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-ms.sitesec: library

-ms.pagetype: security

-keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts

-ms.sitesec: library

-ms.pagetype: security

-keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication

-ms.sitesec: library

-ms.pagetype: security

-keywords: client analyzer report, html report, client analyzer

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, configuration, MAM, App Protectection Policies, Managed app

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, configuration

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, installation, deploy, uninstallation,

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, android, privacy, diagnostic

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, cloud, connectivity, communication

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, macos, whatsnew

-ms.sitesec: library

-ms.pagetype: security

-keywords: flow, supported apis, api, Microsoft flow, query, automation, power automate

-ms.sitesec: library

-ms.pagetype: security

-keywords: migrate server, server, 2012r2, 2016, server migration onboard Microsoft Defender for Endpoint servers, MECM, Microsoft Monitoring Agent, MMA, downlevel server, unified solution, UA

-ms.sitesec: library

-ms.pagetype: security

-keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: test, scenario, attack, simulation, simulated, diy, Microsoft Defender for Endpoint

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: Attack surface reduction rules deployment, ASR deployment, enable asr rules, configure ASR, host intrusion prevention system, protection rules, anti-exploit rules, anti-exploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-An exclusion can apply to all rules that allow exclusions or apply to specific rules using [per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-asr-per-rule-exclusions). You can specify an individual file, folder path, or the fully qualified domain name for a resource.

-keywords: Attack surface reduction rules deployment, Microsoft Defender for Endpoint ASR deployment, Defender ASR rules, enable asr rules, configure ASR, host intrusion prevention system, protection rules, anti-exploit rules, anti-exploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-Before you test or enable attack surface reduction rules, you should plan your deployment. Careful planning helps you test your attack surface reduction rules deployment and get ahead of any rule exceptions. When planning to test attack surface reduction rules it's important to start with the right business unit. Start with a small group of people in a specific business unit. You can identify some champions within a particular business unit who can provide feedback to help tune your implementation.

-Attack surface reduction rules champions are members in your organization that will help with your initial attack surface reduction rules rollout during the preliminary testing and implementation phases. Your champions are typically employees who are more technically adept, and who aren't derailed by intermittent work-flow outages. The champions' involvement continues throughout the broader expansion of attack surface reduction rules deployment to your organization. Your attack surface reduction rules champions are first to experience each level of the attack surface reduction rules rollout.

-In most cases, your organization will have deployment rings for phased rollouts of Windows updates. You can use your existing ring design to implement attack surface reduction rules.

-description: Provides guidance to test your attack surface reduction rules deployment. Microsoft Defender for Endpoint ASR test includes, audit Defender rules, configure ASR rules using Intune, Microsoft ASR rules reporting, ASR rules exclusions, ASR rules event viewer.

-In this section of the ASR rules deployment guide, you'll learn how to:

-> Before you begin testing ASR rules, it is recommended that you first disable all rules that you have previously set to either **audit** or **enable** (if applicable). See [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md) for information about using the ASR rules report to disable ASR rules.

-> :::image type="content" source="images/asr-rules-testing-steps.png" alt-text="The Microsoft Defender for Endpoint attack surface reduction (ASR rules) test steps. Audit ASR rules, configure ASR rules exclusions. Configure ASR rules Intune. ASR rules exclusions. ASR rules event viewer." lightbox="images/asr-rules-testing-steps.png":::

-## Step 1: Test ASR rules using Audit

-Begin the testing phase by turning on the ASR rules with the rules set to Audit, starting with your champion users or devices in ring 1. Typically, the recommendation is that you enable all the rules (in Audit) so that you can determine which rules are triggered during the testing phase. Rules that are set to Audit don't generally impact functionality of the entity or entities to which the rule is applied but do generate logged events for the evaluation; there is no effect on end users.

-### Configure ASR rules using Intune

-You can use Microsoft Intune Endpoint Security to configure custom ASR rules.

-6. In the **Basics** tab of the **Create profile** pane, in **Name** add a name for your policy. In **Description** add a description for your ASR rules policy.

- > :::image type="content" source="images/asr-mem-configuration-settings.png" alt-text="The configuration of ASR rules to Audit mode" lightbox="images/asr-mem-configuration-settings.png":::

- > There are variations in some ASR rules mode listings; _Blocked_ and _Enabled_ provide the same functionality.

-Your new attack surface reduction policy for ASR rules is listed in **Endpoint security | Attack surface reduction**.

-## Step 2: Understand the ASR rules reporting page in the Microsoft Defender portal

-The ASR rules reporting page is found in **Microsoft Defender portal** > **Reports** > **Attack surface reduction rules**. This page has three tabs:

-> :::image type="content" source="images/attack-surface-reduction-rules-report-main-detections-card.png" alt-text="Graph that shows the ASR rules report summary detections card." lightbox="images/attack-surface-reduction-rules-report-main-detections-card.png":::

-The Attack Surface reduction rules pane provides an overview of detected events on a per-rule basis.

-> There are some variations in ASR rules reports. Microsoft is in the process of updating the behavior of the ASR rules reports to provide a consistent experience.

-Click **View detections** to open the **Detections** tab.

->:::image type="content" source="images/attack-surface-reduction-rules-report-main-tabs-search.png" alt-text="Screenshot that shows the ASR rules report search feature." lightbox="images/attack-surface-reduction-rules-report-main-tabs-search.png":::

-**Filter** opens the **Filter on rules** page, which enables you to scope the results to only the selected ASR rules:

-ListsΓÇöon a per-computer basisΓÇöthe aggregate state of ASR rules: Off, Audit, Block.

->:::image type="content" source="images/attack-surface-reduction-rules-report-main-configuration-tab.png" alt-text="Screenshot that shows the ASR rules report main configuration tab." lightbox="images/attack-surface-reduction-rules-report-main-configuration-tab.png":::

-On the Configurations tab, you can checkΓÇöon a per-device basisΓÇöwhich ASR rules are enabled, and in which mode, by selecting the device for which you want to review ASR rules.

-The **Get started** link opens the Microsoft Intune admin center, where you can create or modify an endpoint protection policy for ASR:

-> Microsoft Defender Antivirus AV exclusions are honored by ASR rules. See [Configure and validate exclusions based on extension, name, or location](configure-extension-file-exclusions-microsoft-defender-antivirus.md).

-For more information about using the ASR rules report, see [Attack surface reduction rules reports](attack-surface-reduction-rules-report.md).

-## Configure ASR per-rule exclusions

-ASR rules now provide the capability to configure rule-specific exclusions, known as "Per Rule Exclusions."

-1. If it isn't already configured, set the rule for which you want to configure exclusions to **Audit** or **Block**.

-1. In **ASR Only Per Rule Exclusion**, click the toggle to change from **Not configured** to **Configured.**

-1. Enter the names of the files or application that you want to exclude.

-1. At the bottom of the **Create profile** wizard, select **Next** and follow the wizard instructions.

-### Use PowerShell as an alternative method to enable ASR rules

-You can use PowerShell - as an alternative to Intune - to enable ASR rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. You can also get an idea of how often the rules fire during normal use.

-## ASR rules deployment steps

-Typically, you can enable the standard protection rules with minimal-to-no noticeable impact to the end user. For an easy method to enable the standard protection rules, see: [Simplified standard protection option](attack-surface-reduction-rules-report.md#simplified-standard-protection-option).

-## Before you begin testing or enabling ASR rules

-During your initial preparation, it's vital that you understand the capabilities of the systems that you put in place. Understanding the capabilities help you determine which attack surface reduction rules are most important for protecting your organization. Additionally, there are several prerequisites, which you must attend to in preparation of your attack surface reduction deployment.

-Before you start, review [Overview of attack surface reduction](overview-attack-surface-reduction.md), and [Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) for foundational information. To understand the areas of coverage and potential impact, familiarize yourself with the current set of attack surface reduction rules; see [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md). While you're familiarizing yourself with the attack surface reduction rules set, take note of the per-rule GUID mappings; see: [Attack surface reduction rule to GUID matrix](attack-surface-reduction-rules-reference.md#asr-rule-to-guid-matrix).

-### ASR rules list by category

-<br/>

-| Block executable files from running unless they meet a prevalence (1000 machines), age, or trusted list criteria | Block process creations originating from PSExec and WMI commands | Block Office apps from creating executable content | Block executable content from email client and webmail | Block obfuscated JS/VBS/PS/macro code | Block abuse of exploited vulnerable signed drivers <sup>[[1](#fn1)] |

-(<a id="fn1">2</a>) Some attack surface reduction rules generate considerable noise, but don't block functionality. For example, if you're updating Chrome, Chrome accesses **lsass.exe**; passwords are stored in **lsass** on the device. However, Chrome shouldn't be accessing local device **lsass.exe**. If you enable the rule to block access to **lsass**, you see many events. Those events are good events because the software update process shouldn't access lsass.exe. Using this rule blocks Chrome updates from accessing **lsass**, but won't block Chrome from updating. This is also true of other applications that make unnecessary calls to **lsass.exe**. The _block access to lsass_ rule will block unnecessary calls to **lsass**, but doesn't block the application from running.

-### ASR rules dependencies

-### Cloud Protection (MAPS) must be enabled to enable ASR rules

-### Microsoft Defender Antivirus components must be current versions for ASR rules

-Keeping Microsoft Defender Antivirus versions current helps reduce ASR rules false positive results and improves Microsoft Defender Antivirus detection capabilities. For more details on the current versions and how to update the different Microsoft Defender Antivirus components visit [Microsoft Defender Antivirus platform support](microsoft-defender-antivirus-updates.md).

-Some rules don't work well if unsigned, internally developed application and scripts are in high usage. It's more difficult to deploy ASR rules if code signing isn't enforced.

-### ASR rules collection

-[ASR rules Configurations](https://security.microsoft.com/asr?viewid=configuration)

-[ASR rules Exclusions](https://security.microsoft.com/asr?viewid=exclusions)

-keywords: Attack surface reduction rules, ASR, asr rules, hips, host intrusion prevention system, protection rules, anti-exploit rules, antiexploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules, ASR rule description

-ms.sitesec: library

-ms.pagetype: security

-> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](attack-surface-reduction-rules-deployment-test.md#step-1-test-asr-rules-using-audit).

-keywords: automated, investigation, detection, Microsoft Defender for Endpoint

-ms.sitesec: library

-ms.pagetype: security

-keywords: integration, server, azure, 2012r2, 2016, 2019, server onboarding, device management, configure Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender for Endpoint, EDR in block mode, passive mode blocking

-ms.pagetype: security

-keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication

-ms.sitesec: library

-ms.pagetype: security

-keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender for Endpoint

-ms.pagetype: security

-keywords: Microsoft Defender Antivirus, next-generation technologies, antivirus sample submission, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection

-ms.sitesec: library

-keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud protection

-ms.sitesec: library

-description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add-in.

-This article provides advanced deployment guidance for Microsoft Defender for Endpoint on Linux. You'll get a brief summary of the deployment steps, learn about the system requirements, then be guided through the actual deployment steps. You'll also learn how to verify that the device has been correctly onboarded.

-|CPU |If the Linux system is running only 1 vcpu, we recommend it be increased to 2 vcpu's<br> 4 cores are preferred |

-High I/O workloads such as Postgres, OracleDB, Jira, and Jenkins may require additional exclusions depending on the amount of activity that is being processed (which is then monitored by Defender for Endpoint). It's best to follow guidance from third party application providers for exclusions if you experience performance degradation after installing Defender for Endpoint. Also keep in mind [Common Exclusion Mistakes for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus).

-You can refer to these documents for more information if you experience performance degradation:

-Check performance statistics and compare to pre-deployment utilization compared to post-deployment.

-The following table lists the processes that may cause a high CPU usage:

-|wdavdaemon edr| N/A |EDR engine|The following diagram shows the workflow and steps to troubleshoot wdavedaemon_edr process issues. <br/><br/> :::image type="content" source="images/wdavdaemon_edr_engine.png" alt-text="Image of troubleshooting wdavdaemon edr process." lightbox="images/wdavdaemon_edr_engine.png"::: <br/><br/>**General troubleshooting guidance**<br/>- If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware by using the unified submissions experience (for more information, see [Unified submissions experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770)) or [File submissions](https://www.microsoft.com/wdsi/filesubmission). <br/><br/> - See [troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).<br/><br/> - Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support).

-keywords: conditional access, block applications, security level, intune,

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection

-ms.sitesec: library

-ms.pagetype: security

-keywords: scan, block at first sight, malware, first sight, cloud, defender, antivirus

-ms.sitesec: library

-keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds

-ms.sitesec: library

-ms.pagetype: security

-keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration

-ms.sitesec: library

-ms.pagetype: security

-keywords: basic, standard, configure endpoint discovery, device discovery

-ms.sitesec: library

-ms.pagetype: security

-keywords: onboard devices using mdm, device management, onboard Microsoft Defender for Endpoint devices, mdm

-ms.sitesec: library

-ms.pagetype: security

-keywords: onboard devices using sccm, device management, configure Microsoft Defender for Endpoint devices

-ms.sitesec: library

-ms.pagetype: security

-keywords: configure devices using a local script, device management, configure Microsoft Defender for Endpoint devices

-keywords: onboard, Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Windows Defender, attack surface reduction, ASR, security baseline

-ms.sitesec: library

-ms.pagetype: security

-keywords: onboard, Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Windows Defender, configuration management

-ms.sitesec: library

-ms.pagetype: security

-keywords: Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Microsoft Defender for Endpoint ASR, security baseline

-ms.sitesec: library

-ms.pagetype: security

-keywords: onboard, Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Windows Defender, attack surface reduction, ASR, security baseline

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service

-search.product: Windows 10

-ms.sitesec: library

-ms.pagetype: security

-keywords: managed security service provider, mssp, configure, integration

-ms.sitesec: library

-ms.pagetype: security

-keywords: managed security service provider, mssp, configure, integration

-ms.sitesec: library

-ms.pagetype: security

-You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.

-The integration will allow MSSPs to take the following actions:

-Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal.

-Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.

-In general, the following configuration steps need to be taken:

- This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant.

- This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.

- This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.

- This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.

-For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440).

-## Related topics

-keywords: notifications, defender, antivirus, endpoint, management, admin

-ms.sitesec: library

-ms.pagetype: security

-keywords: heuristic, machine learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender

-ms.sitesec: library

-ms.pagetype: security

-keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server

-keywords: antivirus, real-time protection, rtp, machine learning, behavior monitoring, heuristics

-keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise

-ms.sitesec: library

-ms.pagetype: security

-> [!IMPORTANT]

-> In February we announced the [Deprecation of the Microsoft Defender for Endpoint SIEM API would be postponed](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api-postponed/ba-p/3139643).

-After gathering customer feedback, we have learned there are challenges with the timeline originally communicated. As a result, we are making changes to our timeline to improve our customers' experience in migrating to the new API.

-The new Microsoft Defender XDR alerts API, released to public preview in MS Graph, is the official and recommended API for customers migrating from the SIEM API. This API will enable customers to work with alerts across all Microsoft Defender XDR products using a single integration. We expect the new API to reach general availability (GA) by Q1 CY 2023.

-To provide customers with more time to plan and prepare their migration to the new Microsoft Defender XDR APIs, we have pushed the SIEM API deprecation date to December 31, 2023. This will give customers one year from the expected GA release of Microsoft Defender XDR APIs to migrate from the SIEM API. At the time of deprecation, the SIEM API will be declared "deprecated" but not "retired." This means that until this date, the SIEM API will continue to function for existing customers. After the deprecation date, the SIEM API will continue to be available, however it will only be supported for security-related fixes.

-Effective December 31st, 2024, three years after the original deprecation announcement, we reserve the right to turn off the SIEM API, without additional notice.

-For additional information about the new APIs see the blog announcement: [The new Microsoft Defender XDR APIs in Microsoft Graph are now available in public preview!](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099)

-If you are a customer using the SIEM API, we strongly recommend planning and executing the migration. Listed below is information about the options available to migrate to a supported capability:

-1. [Pulling MDE alerts into an external system](#pulling-defender-for-endpoint-alerts-into-an-external-system) (SIEM/SOAR)

-1. [Calling the Microsoft Defender XDR alerts API directly](#calling-the-microsoft-365-defender-alerts-api-directly)

-If you are pulling Defender for Endpoint alerts into an external system, there are various supported options to give organizations the flexibility to work with the solution of their choice:

-Additional integrations are listed in [Technological partners of Microsoft Defender XDR](technological-partners.md), or contact your SIEM / SOAR provider to learn about integrations they may provide.

-| AlertTime |->| createdDateTime |

-| ComputerDnsName |->| evidence/deviceEvidence: deviceDnsName |

-| AlertTitle |->| title |

-| Category |->| category |

-| Severity |->| severity |

-| AlertId |->| id |

-| Actor |->| actorDisplayName |

-| LinkToWDATP |->| alertWebUrl |

-| IocName | X | IoC fields not supported |

-| IocValue | X | IoC fields not supported |

-| CreatorIocName | X | IoC fields not supported |

-| CreatorIocValue | X | IoC fields not supported |

-| Sha1 |->| evidence/fileEvidence/fileDetails: sha1 (or evidence/processEvidence/imageFile: sha1) |

-| FileName |->| evidence/fileEvidence/fileDetails: fileName (or evidence/processEvidence/image: fileName) |

-| FilePath |->| evidence/fileEvidence/fileDetails: filePath (or evidence/processEvidence/image: filePath) |

-| IPAddress |->| evidence/ipEvidence: ipAddress |

-| URL | -> | evidence/urlEvidence: url |

-| IoaDefinitionId |->| detectorId |

-| UserName |->| evidence/userEvidence/userAccount: accountName |

-| AlertPart | X | Obsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections) |

-| FullId | X | IoC fields not supported |

-| LastProcessedTimeUtc |->| lastActivityDateTime |

-| ThreatCategory |->| mitreTechniques [] |

-| ThreatFamilyName |->| threatFamilyName |

-| ThreatName |->| threatDisplayName |

-| RemediationAction |->| evidence: remediationStatus |

-| RemediationIsSuccess |->| evidence: remediationStatus (implied) |

-| Source |->| detectionSource (use with serviceSource: microsoftDefenderForEndpoint) |

-| Md5 | X | Not supported |

-| Sha256 |->| evidence/fileEvidence/fileDetails: sha256 (or evidence/processEvidence/imageFile: sha256) |

-| WasExecutingWhileDetected |->| evidence/processEvidence: detectionStatus |

-| UserDomain |->| evidence/userEvidence/userAccount: domainName |

-| LogOnUsers |->| evidence/deviceEvidence: loggedOnUsers [] |

-| MachineDomain |->| Included in evidence/deviceEvidence: deviceDnsName |

-| MachineName |->| Included in evidence/deviceEvidence: deviceDnsName |

-| InternalIPV4List | X | Not supported |

-| InternalIPV6List | X | Not supported |

-| FileHash |->| Use sha1 or sha256 |

-| DeviceID |->| evidence/deviceEvidence: mdeDeviceId |

-| MachineGroup |->| evidence/deviceEvidence: rbacGroupName |

-| Description |->| description |

-| DeviceCreatedMachineTags |->| evidence: tags [] (for deviceEvidence) |

-| CloudCreatedMachineTags |->| evidence: tags [] (for deviceEvidence) |

-| CommandLine | -> | evidence/processEvidence: processCommandLine |

-| IncidentLinkToWDATP |->| incidentWebUrl |

-| ReportId | X | Obsolete (MDE alerts are atomic/complete that are updatable, while the SIEM API were immutable records of detections) |

-| LinkToMTP |->| alertWebUrl |

-| IncidentLinkToMTP |->| incidentWebUrl |

-| ExternalId | X | Obsolete |

-| IocUniqueId | X | IoC fields not supported |

-keywords: update tools, gpo, intune, mdm, microsoft endpoint manager, policy, powershell

-|Select gradual Microsoft Defender monthly platform update rollout channel|Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. <p> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <p> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <p> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> Critical- Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. <p>If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus|

-|Select gradual Microsoft Defender monthly engine update rollout channel|Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. <p> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <p> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <p> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> Critical- Time Delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.<p> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus|

-|Select gradual Microsoft Defender daily security intelligence updates rollout channel|Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. <p> Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). <p> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <p> If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus|

-|Disable gradual rollout of Microsoft Defender updates|Enable this policy to disable gradual rollout of Defender updates. <p> Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. <p> Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. <p> If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.|Windows Components\Microsoft Defender Antivirus\MpEngine|

-> An updated Defender ADMX template will be published together with the 21H2 release of Windows 10. A non-localized version is available for download at [defender-updatecontrols](https://github.com/microsoft/defender-updatecontrols) on GitHub.

-1. On your Group Policy management machine, open the **Group Policy Management Console**, right-click the **Group Policy Object** (GPO) you want to configure and click **Edit**.

-3. Click **Administrative templates**.

-5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.

-keywords: email notifications, configure alert notifications, Microsoft Defender for Endpoint, Microsoft Defender for Endpoint notifications, Microsoft Defender for Endpoint alerts, windows enterprise, windows education

-ms.sitesec: library

-ms.pagetype: security

-keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile

-ms.sitesec: library

-ms.pagetype: security

-keywords: support, contact, premier support, solutions, problems, case

-ms.sitesec: library

-ms.pagetype: security

-keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders

-ms.sitesec: library

-ms.pagetype: security

-keywords: Controlled folder access, windows 10, windows 11, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable

-keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr

-ms.sitesec: library

-keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus

-ms.sitesec: library

-ms.pagetype: security

-keywords: analzyer, collect data, troubleshooting mdeclientanalyzer, advanced troubleshooting

-ms.sitesec: library

-ms.pagetype: security

-ms.sitesec: library

-ms.pagetype: security

-keywords: windows defender compatibility, defender, Microsoft Defender for Endpoint, defender for endpoint, antivirus, mde

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender for Endpoint, phishing website, malware website, app reputation,

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender for Endpoint demonstration, attack surface reduction rules demonstration, ASR rules, demonstration

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-### Scenario 1: ASR blocks a test file with multiple vulnerabilities

-2. Download and open any of the test file/documents, enable editing and content if prompted.

-1. Configure the rule you want to test using the PowerShell command from the previous step.

-2. Example: `Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled`

-3. Download and open the test file/document for the rule you want to test, enable editing and content if prompted

-4. Example: [Block Office applications from creating child processes](https://demo.wd.microsoft.com/Content/ransomware_testfile_doc.docm) D4F940AB-401B-4EFC-AADC-AD5F3C50688A

-1. Configure the rule for USB protection (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4).

-### Scenario 4: What would happen without ASR

-1. Turn off all attack surface reduction rules using PowerShell commands in the cleanup section

-2. Download any test file/document, enable editing and content if prompted

-

-Cleanup **c:\demo** encryption by running the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe)

-keywords: Microsoft Defender for Endpoint, Microsoft Defender ATP, virus protection, virus detection, virus deletion,

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender for Endpoint, protected folder access blocked, detect suspicious files, detect suspicious apps,

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender for Endpoint, Controlled folder access protection, Controlled folder access demonstration

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Microsoft Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.

-1. Create a folder under c: named demo, "c:\demo"

-2. Save this [clean file](https://demo.wd.microsoft.com/Content/testfile_safe.txt) into c:\demo (we need something to encrypt)

-3. Execute PowerShell commands above

-Cleanup c:\demo encryption run the [encrypt/decrypt file](https://demo.wd.microsoft.com/Content/ransomware_cleanup_encrypt_decrypt.exe)

-keywords: Microsoft Defender for Endpoint, system exploit protection, Enhanced Mitigation Experience Toolkit (EMET), demonstration

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: network protection, protect against phishing scams, protect against exploits, protect against malicious content, demonstration

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender for Endpoint, potentially unwanted applications, (PUA), harmful application protection, demonstration

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender for Endpoint, website phishing protection, website malware protection, URL reputation, demonstration,

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: demonstration, Microsoft Defender for Endpoint demonstration, anti-Malware demonstration, Cloud-delivered protection, Block at First Sight (BAFS), Potentially unwanted applications (PUA)s, Microsoft security intelligence VDI, VDI security, attack surface reduction rules demonstration, Controlled folder access demonstration, Exploit Protection, Network Protection, Microsoft Defender SmartScreen, edge SmartScreen,

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: deploy, manage, update, protection, Microsoft Defender Antivirus

-keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem, intune

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: device discovery, discover, passive, proactive, network, visibility, server, workstation, onboard, unmanaged devices

-ms.sitesec: library

-ms.pagetype: security

-keywords: device discovery, discover, passive, proactive, network, visibility, server, workstation, onboard, unmanaged devices

-ms.sitesec: library

-ms.pagetype: security

-> Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Excluded files will be allowed to run, and no report or event will be recorded. If attack surface reduction rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](attack-surface-reduction-rules-deployment-test.md#step-1-test-asr-rules-using-audit).

-* When deployed through Group Policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it is possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-asr-per-rule-exclusions)

-<summary> Feburary-2024 (Build: 101.23122.0002 | Release version: 30.123122.0002.0)</summary>

-

-

-## Feburary-2024 Build: 101.23122.0002 | Release version: 30.123122.0002.0

-

-

-

-

-

- <summary> January-2024 (Build: 101.23112.0009 | Release version: 30.123112.0009.0)</summary>

- - Starting with this release, Microsoft Defender for Endpoint on Linux will no longer be shipping a solution for RHEL 6.

-

- - Improved Data Completeness for Network Connection events.

- - Improved Data Collection capabilities for file ownership/permissions changes

- - seManage in part of the package, to that seLinux policies can be configured in different distro (fixed).

- - Bug fix

- - Improved enterprise daemon stability.

- - AuditD stop path clean-up:

- - Improve the stability of mdatp stop flow.

- - Added new field to wdavstate to keep track of platform update time.

- - Stability improvements to parsing Defender for Endpoint onboarding blob.

- - Scan doesn't proceed if a valid license isn't present (fixed)

- - Added performance tracing option to xPlatClientAnalyzer, with tracing enabled mdatp process dumps the flow in all_process.zip file that can be used for analysis of performance issues.

- - Added support in Defender for Endpoint for the following RHEL-6 kernel versions:

- - `2.6.32-754.43.1.el6.x86_64`

- - `2.6.32-754.49.1.el6.x86_64`

- - Other fixes

-

-

- - Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this setting is set to enabled.

- - Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see [Microsoft Defender for Endpoint for US Government customers](gov.md).

- - Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, the product processed file activity originating from the mount point. Beginning with this version, file activity for excluded mount points is suppressed, leading to better product performance

- - EDR for Linux is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-is-generally-available/ba-p/2048539)

-keywords: asr, attack surface reduction, attack surface reduction rules, Microsoft Defender for Endpoint, microsoft defender, antivirus, av, windows defender

-ms.sitesec: library

-ms.pagetype: security

-The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log records events as if the features were fully enabled. With audit mode, you can review the event log to see what effect the feature would have had if it was enabled.

-| Audit applies to individual rules | [Step 1: Test attack surface reduction rules using Audit mode](attack-surface-reduction-rules-deployment-test.md#step-1-test-asr-rules-using-audit) | [Step 2: Understand the Attack surface reduction rules reporting page](attack-surface-reduction-rules-deployment-test.md#step-2-understand-the-asr-rules-reporting-page-in-the-microsoft-365-defender-portal) |

-3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**.

-5. Select **OK**. Specify a name for your filter. This creates a custom view that filters to only show the events related to that feature.

-|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|3|Do not allow child processes audit|

-description: Track alert detections, categories, and severity using the threat protection report

-keywords: alert detection, source, alert by category, alert severity, alert classification, determination

-ms.sitesec: library

-ms.pagetype: security

-Due to the deprecation of the Defender for Endpoint Threat protection report, you can use Advanced hunting queries to find Defender for Endpoint threat protection information. Note that currently there is no alert status in Advanced hunting elements that maps to resolve/unresolve. [Learn more about Advanced hunting in Defender XDR](../defender/advanced-hunting-overview.md). See below for a sample advanced hunting query that shows endpoint related threat protection details.

-## Related topics

-keywords: settings, Microsoft Defender, cybersecurity threat intelligence, Microsoft Defender for Endpoint, time zone, utc, local time, license

-ms.sitesec: library

-ms.pagetype: security

-description: This topic describes how to report and troubleshoot Microsoft Defender for Endpoint ASR Rules

-# Report and troubleshoot Microsoft Defender for Endpoint ASR Rules

-In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, we offer you a complete look at the current ASR rules configuration and events in your estate. Note that your devices must be onboarded into the Microsoft Defender for Endpoint service for these reports to be populated.

-Here's a screenshot from the Microsoft Defender portal (under **Reports** \> **Devices** \> **Attack surface reduction**). At the device level, select **Configuration** from the **Attack surface reduction rules** pane. The following screen is displayed, where you can select a specific device and check its individual ASR rule configuration.

-Through advanced hunting, it's possible to extract ASR rules information, create reports, and get in-depth information on the context of a given ASR rule audit or block event.

-ASR rules events are available to be queried from the DeviceEvents table in the advanced hunting section of the Microsoft Defender XDR. For example, a simple query such as the one below can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it will be the actual codename of the ASR rule.

-An alternative to advanced hunting, but with a narrower scope, is the Microsoft Defender for Endpoint machine timeline. You can view all the collected events of a device, for the past six months, in the Microsoft Defender XDR, by going to the Machines list, select a given machine, and then click on the Timeline tab.

-Pictured below is a screenshot of the Timeline view of these events on a given endpoint. From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline.

-## How to troubleshoot ASR rules?

-The first and most immediate way is to check locally, on a Windows device, which ASR rules are enabled (and their configuration) is by using the PowerShell cmdlets.

-Here are a few other sources of information that Windows offers, to troubleshoot ASR rules' impact and operation.

-One of the easiest ways to determine if ASR rules are already enabled is through a PowerShell cmdlet, Get-MpPreference.

-There are multiple ASR rules active, with different configured actions.

-To expand the above information on ASR rules, you can use the properties **AttackSurfaceReductionRules_Ids** and/or **AttackSurfaceReductionRules_Actions**.

-The above shows all the IDs for ASR rules that have a setting different from 0 (Not Configured).

-ASR rule events can be viewed within the Windows Defender log.

-keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, Microsoft Defender for Endpoint

-ms.pagetype: security

-ms.sitesec: library

-When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as:

-If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.

-1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.

-3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.

-Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, monterey, ventura, bigsur, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: support, log, collect, troubleshoot, live response, liveanalyzer, analyzer, live, response

-ms.sitesec: library

-ms.pagetype: security

-keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-description: Troubleshoot issues that might arise when using live response in Microsoft Defender for Endpoint

-keywords: troubleshoot live response, live, response, locked, file

-ms.sitesec: library

-ms.pagetype: security

-## File cannot be accessed during live response sessions

-If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, you need to use the steps below to address the issue.

-Live response leverages Defender for Endpoint sensor registration with WNS service in Windows. If you're having connectivity issues with live response, confirm the following details:

-2. WpnService connectivity with WNS cloud isn't disabled via group policy or MDM setting. ['Turn off notifications network usage'](/windows/client-management/mdm/policy-csp-notifications) shouldn't be set to '1'.

-Refer to the articles below to fully understand the WpnService service behavior and requirements:

-keywords: troubleshoot Microsoft Defender for Endpoint, server error, access denied, invalid credentials, no data, dashboard portal, allow, event viewer

-ms.sitesec: library

-ms.pagetype: security

-keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, Microsoft Defender for Endpoint

-ms.sitesec: library

-ms.pagetype: security

-Network protection will only work on devices with the following conditions:

-You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled.

-3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.

-If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but isn't working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md).

-2. Using IP exclusions: `Add-MpPreference -ExclusionIpAddress 192.168.1.1`

-When you report a problem with network protection, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.

-keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, microsoft defender for endpoint

-ms.sitesec: library

-ms.pagetype: security

-keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics

-ms.sitesec: library

-ms.pagetype: security

-keywords: troubleshoot, performance, high CPU utilization, high CPU usage, error, fix, update compliance, oms, monitor, report, Microsoft Defender Antivirus

-ms.sitesec: library

-ms.pagetype: security

-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender Antivirus

-ms.sitesec: library

-ms.pagetype: security

-keywords: troubleshoot, siem, client secret, secret

-ms.sitesec: library

-ms.pagetype: security

-4. Analyze the results using the performance analyzer's `Get-MpPerformanceReport` parameter. For example, on executing the command `Get-MpPerformanceReport -Path <recording.etl> -TopFiles 3 -TopScansPerFile 10`, the user is provided with a list of top-ten scans for the top 3 files affecting performance.

-Based on the query, the user will be able to view data for scan counts, duration (total/min/average/max/median), path, process, and **reason for scan**. The image below shows sample output for a simple query of the top 10 files for scan impact.

-For examples that describe the process of "export" and "convert" through sample codes, see below.

-Starting with Defender version 4.18.2206.X, users will be able to view scan skip reason information under "SkipReason" column. The possible values are:

-1. Not Skipped

-1. Optimization (typically due to performance reasons)

-1. User skipped (typically due to user-set exclusions)

-To ensure machine-readable output for exporting with other data processing systems, it is recommended to use `-Raw` parameter for `Get-MpPerformanceReport`. See below for details.

-This `New-MpPerformanceRecording` cmdlet provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "AS IS", and is not intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution.

-The performance analyzer provides an insight into problematic files that could cause a degradation in the performance of Microsoft Defender Antivirus. This tool is provided "AS IS" and is not intended to provide suggestions on exclusions. Exclusions can reduce the level of protection on your endpoints. Exclusions, if any, should be defined with caution.

-Requests a top-paths report and specifies how many top paths to output, sorted by "Duration". Aggregates the scans based on their path and directory. User can specify how many directories should be displayed on each level and the depth of the selection.

-Specifies recursive depth that will be used to group and display aggregated path results. For example "C:\" corresponds to a depth of 1, "C:\Users\Foo" corresponds to a depth of 3.

-This flag can accompany all other Top Path options. If missing, a default value of 3 is assumed. Value cannot be 0.

-| -**TopScansPerPath** | Specifies how may top scans to specify for each top path. |

-| -**TopFilesPerPath** | Specifies how may top files to specify for each top path. |

-Specifies the path(s) to one or more locations.

-Specifies that output of performance recording should be machine readable and readily convertible to serialization formats like JSON (for example, via Convert-to-JSON command). This is recommended for users interested in batch processing with other data processing systems.

-Specifies how many top extensions to output, sorted by "Duration".

-Specifies how many top extensions to output for each top process, sorted by "Duration".

-Requests a top-files report and specifies how many top files to output, sorted by "Duration".

-Specifies how many top files to output for each top extension, sorted by "Duration".

-Specifies how many top files to output for each top process, sorted by "Duration".

-Requests a top-processes report and specifies how many of the top processes to output, sorted by "Duration".

-Specifies how many top processes to output for each top extension, sorted by "Duration".

-Specifies how many top processes to output for each top file, sorted by "Duration ".

-Requests a top-scans report and specifies how many top scans to output, sorted by "Duration".

-Specifies how many top scans to output for each top extension, sorted by "Duration".

-Specifies how many top scans to output for each top extension for each top process, sorted by "Duration".

-Specifies how many top scans to output for each top file, sorted by "Duration".

-Specifies how many top scans to output for each top file for each top extension, sorted by "Duration".

-Specifies how many top scans for output for each top file for each top process, sorted by "Duration".

-Specifies how many top scans to output for each top process in the Top Processes report, sorted by "Duration".

-Specifies how many top scans for output for each top process for each top extension, sorted by "Duration".

-Specifies how many top scans for output for each top process for each top file, sorted by "Duration".

-keywords: Microsoft Defender for Endpoint, EDR in block mode, passive mode blocking

-ms.pagetype: security

-keywords: group policy, GPO, configuration, settings

-keywords: scep, intune, endpoint protection, configuration

-ms.sitesec: library

-ms.pagetype: security

-keywords: scan, command line, mpcmdrun, defender

-ms.sitesec: library

-ms.pagetype: security

-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](/configmgr), [Group Policy Management Console](use-group-policy-microsoft-defender-antivirus.md), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/101445).

-keywords: wmi, scripts, windows management instrumentation, configuration

-ms.sitesec: library

-ms.pagetype: security

-keywords: user roles, roles, access rbac

-ms.sitesec: library

-keywords: view, organize, incidents, aggregate, investigations, queue, ttp

-ms.sitesec: library

-ms.pagetype: security

-keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser

-ms.sitesec: library

-ms.pagetype: security

-keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites

-ms.sitesec: library

-ms.pagetype: security

-keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page,

-ms.sitesec: library

-ms.pagetype: security

-[Learn more about URL or domain entity pages](investigate-domain.md)

-[Learn more about device entity pages](investigate-machines.md)

-With web protection in Microsoft Defender for Endpoint, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows.

-## Related topics

-keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser

-ms.sitesec: library

-ms.pagetype: security

-Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).

-Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.

- - Set **Enable network protection** to **Enabled** so web protection is turned on. Alternately, you can set network protection to **Audit mode** to see how it will work in your environment. In audit mode, network protection does not prevent users from visiting sites or domains, but it does track detections as events.

-6. On the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then choose **Next**. (If you are not using scope tags, choose **Next**.) To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).

-## Related topics

-keywords: what's new in Microsoft Defender for Endpoint, ga, generally available, capabilities, available, new

-keywords: windows defender, antivirus, third party av

-ms.sitesec: library

-keywords: microsoft, defender, Microsoft Defender for Endpoint, windows, windows client, windows server, whats new

-keywords: Zero Trust, Microsoft Defender XDR for Endpoint, Microsoft Defender XDR, security architecture, security strategy, cyber security, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-As an example, if you have a site under protection that is currently 1 GB for the first month, you'll be charged 1 GB of Backup usage. If you delete content in that site such that it's now only 0.5 GB, your next monthly bill will still be for 1 GB since the backup tool is retaining that deleted content for a year. After a year when the backup of that deleted content expires, the 0.5 GB being retained for backup purposes will no long be charged for Backup.