-3. Check or clear the option to allow or prevent users access the Office store.

- 

-4. Make changes to the checkbox **Let users access the Office Store**.

- - Activating the checkbox turns on access to all Word, Excel and PowerPoint add-ins for all users in your organization.

- - Deactivating the checkbox turns off access to all Word, Excel and PowerPoint add-ins for all users in your organization.

-Depending on the billing frequency that you chose when you bought your subscription, you receive an invoice either monthly or annually. The amount of time since the last invoice date is called the *Billing Period* and shown on page one of the invoice. This time period represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.

-|Billing Option|How frequently the customer is billed. The frequency options are upfront, monthly, quarterly, semi-annually, or annually.|

-Depending on the billing frequency you choose when you bought your subscription, you receive an invoice either upfront, monthly, quarterly, semi-annually, or annually. The amount of time since the last invoice date is the **Billing Period** and is on page one of the invoice. This time represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.

-description: "This article shows you how you can diagnose common issues with your SharePoint Online site using Internet Explorer developer tools."

-# Diagnosing performance issues with SharePoint Online

-This article shows you how you can diagnose common issues with your SharePoint Online site using Internet Explorer developer tools.

-There are four different ways that you can identify that a page on a SharePoint Online site has a performance problem with the customizations.

-This topic describes how to use each of these methods to diagnose performance issues. Once you've figured out the cause of the problem, you can work toward a solution using the articles about improving SharePoint performance that you can find on https://aka.ms/tune.

-## Use the Site and Page performance diagnostic from the Microsoft 365 Admin Center

-> [!NOTE]

-> If you're an administrator, and you're having trouble with performance in SharePoint, select **Run Tests** below, which will populate the Site and Page Performance diagnostic in the Microsoft 365 Admin Center. These tests will check your configuration and quickly recommend next steps to help improve SharePoint performance for your tenant.

->> [!div class="nextstepaction"]

->> [Run Tests: Check SharePoint Performance](https://aka.ms/PillarSiteandPagePerf)

-> [!NOTE]

-> This feature is not available for Microsoft 365 Government, Microsoft 365 operated by 21Vianet, or Microsoft 365 Germany.

-## Using the F12 tool bar to diagnose performance in SharePoint Online

-In this article, we use Internet Explorer 11. Versions of the F12 developer tools on other browsers have similar features though they may look slightly different. For information on the F12 developer tools, see:

-## Setting up a non-customized baseline for SharePoint Online

-The best way to determine your site's performance weak points is to set up a completely out-of-the-box site collection in SharePoint Online. This way you can compare all the various aspects of your site with what you would get with no customization on the page. The OneDrive for Business home page is a good example of a separate site collection that is unlikely to have any customizations.

-In SharePoint Online, you can access the information that is sent back to the browser in the response header for each file. The most useful value for diagnosing performance issues is **SPRequestDuration**, which displays the amount of time that the request took on the server to be processed. This can help determine if the request is heavy and resource intensive. This is the best insight you have into how much work the server is doing to serve the page.

-## What's causing performance issues in SharePoint Online?

-The article [Navigation options for SharePoint Online](navigation-options-for-sharepoint-online.md) shows an example of using the SPRequestDuration value to determine that the complicated structural navigation was causing the page to take a long time to process on the server. By taking a value for a baseline site (without customization), it's possible to determine if any given file is taking a long time to load. The example used in [Navigation options for SharePoint Online](navigation-options-for-sharepoint-online.md) is the main .aspx file. That file contains most of the ASP.NET code that runs for your page load. Depending on the site template you use, this could be start.aspx, home.aspx, default.aspx, or another name if you customize the home page. If this number is considerably higher than your baseline site, then it's a good indication that there's something complex going on in your page that is causing performance issues.

-For example, if you have a complex navigation try changing the navigation to not show sub-sites then check the developer tools to see if this makes a difference. Or if you have a large amount of content roll-ups try removing them from your page and see if this improves things. If you eliminate all of the possible causes and add them back in one at a time, you can easily identify which features are the biggest problem and then work towards a solution.

->[!NOTE]

->The network connectivity test tool supports tenants in WW Commercial but not GCC Moderate, GCC High, DoD or China.

-The FastTrack request for assistance (RFA) form is now available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2226341" target="_blank">Microsoft 365 admin center</a>. Tenant admins use this form to request help from FastTrack specialists on their deployment and migration efforts. FastTrack assistance is available for tenants with 150 or more licenses from one of the [eligible plans](/microsoft-365/fasttrack/eligibility) for the following Microsoft product families: Microsoft 365, Office 365, Microsoft Viva, Enterprise Mobility + Security, and Windows 10/11.

-## How to submit an RFA in the admin center

-1. In the Microsoft 365 admin center, open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2226341" target="_blank">Advanced deployment guides & assistance</a> page. On the **FastTrack assistance** tab, select **Submit a new request**:

-1. Read the overview to see what information is needed for an RFA, and select **Next**.

-1. Select the products for FastTrack assistance, your planned deployment date, and whether you would like assistance with any more options (if applicable), and select **Next**.

-1. On the **Customer details** page, enter a unique project name, your organization's service location, your preferred language, and any comments about the project, and select **Next**.

-1. On the **Contacts** page, enter your phone number and confirm your title, and select **Next**.

-1. Enter the primary contact and business sponsor for the request. If youΓÇÖre also the primary contact, select the **Same as the requester** checkbox, and select **Next**.

-1. On the **Review** page, view your request's information and make edits, if needed. Select the checkbox next to the acknowledgment message, and select **Submit**. 

-1. After submission, receipt of your request will be confirmed, your RFA ID will be provided, and you'll be given the option to provide feedback about your experience. Select **Done**.

-## How to find RFA details and status updates

-1. After you submit your RFA, you can find your tenant's RFA history on the **FastTrack assistance** tab of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2226341" target="_blank">Advanced deployment guides & assistance</a> page at the Microsoft 365 admin center.

-2. Under **Request for assistance status and history**, you can find a list of all historical submissions for your tenant with the request name, requested products, status, submission date, and who submitted the request.

-3. Select an RFA to open a details pane with the request details and status history.

-keywords: action, center, autoir, automated, investigation, response, remediation

-ms.sitesec: library

-ms.pagetype: security

-keywords: automated, investigation, results, analyze, details, remediation, autoair

-ms.sitesec: library

-ms.pagetype: security

-keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles

-ms.sitesec: library

-ms.pagetype: security

- - has-azure-ad-ps-ref, azure-ad-ref-level-one-done

-4. Advanced cloud-based protection is provided for cases when Microsoft Defender Antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.

- 2. After examining the metadata, if Microsoft Defender Antivirus cloud protection can't reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:

- 2. **Always Prompt**

- - This setting isn't available in macOS cloud protection

- 4. **Do not send**

- - "Don't send" is the equivalent to the "Disabled" setting in macOS policy

- 3. After metadata and/or files are submitted to cloud protection, you can use **samples**, **detonation**, or **big data analysis** machine-learning models to reach a verdict. Turning off cloud-delivered protection limits analysis to only what the client can provide through local machine-learning models, and similar functions.

-keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: download, client analyzer, troubleshoot sensor, analyzer, mdeanalyzer

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight

-ms.sitesec: library

-keywords: Network protection, exploits, malicious website, ip, domain, domains, enable, turn on

-ms.sitesec: library

-ms.pagetype: security

-keywords: Windows Server, Defender Antivirus

-ms.sitesec: library

-ms.pagetype: security

-keywords: Endpoint Attack Notification, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts, endpoint attack notification, Ask Defender Experts, experts on demand

-search.product: Windows 10

-ms.sitesec: library

-ms.pagetype: security

-description: See how controlled folder access can help protect files from being changed by malicious apps.

-keywords: Exploit protection, windows 10, windows 11, windows defender, ransomware, protect, evaluate, test, demo, try

-ms.sitesec: library

-Enable the controlled folder access in audit mode to see a record of what *would* have happened if it was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how many suspicious file modification attempts generally occur over a certain period of time.

-Event ID | Description

- 5007 | Event when settings are changed

- 1124 | Audited controlled folder access event

- 1123 | Blocked controlled folder access event

-During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.

-keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation

-ms.sitesec: library

-ms.pagetype: security

-keywords: attack surface reduction, evaluate, next, generation, protection

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection

-ms.sitesec: library

-keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo

-ms.sitesec: library

-[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

-This article helps you evaluate network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.

-Enable network protection in audit mode to see which IP addresses and domains would have been blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur.

- The network connection will be allowed and a test message will be displayed.

-keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender for Endpoint service, can't start, broken, can't start

-ms.sitesec: library

-ms.pagetype: security

-You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices. This can help when, for example, a device isn't appearing in the Devices list. In this scenario, you can look for event IDs on the device and then use the table below to determine further troubleshooting steps based on the corresponding event ID.

-3. Events recorded by the service will appear in the log.

- |4|Microsoft Defender for Endpoint service contacted the server at `variable`.|Variable = URL of the Defender for Endpoint processing servers. <p> This URL will match that seen in the Firewall or network activity.|Normal operating notification; no action required.|

- |5|Microsoft Defender for Endpoint service failed to connect to the server at `variable`.|Variable = URL of the Defender for Endpoint processing servers. <p> The service couldn't contact the external processing servers at that URL.|Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).|

- |6|Microsoft Defender for Endpoint service isn't onboarded and no onboarding parameters were found.|The device didn't onboard correctly and won't be reporting to the portal.|Onboarding must be run before starting the service. <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |7|Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure: `variable`.|Variable = detailed error description. The device didn't onboard correctly and won't be reporting to the portal.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |8|Microsoft Defender for Endpoint service failed to clean its configuration. Failure code: `variable`.|**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <p> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.|**Onboarding:** No action required. <p> **Offboarding:** Reboot the system. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |9|Microsoft Defender for Endpoint service failed to change its start type. Failure code: `variable`.|**During onboarding:** The device didn't onboard correctly and won't be reporting to the portal. <p>**During offboarding:** Failed to change the service start type. The offboarding process continues. |Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |10|Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: `variable`.|The device didn't onboard correctly and won't be reporting to the portal.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |11|Onboarding or re-onboarding of Defender for Endpoint service completed.|The device onboarded correctly.|Normal operating notification; no action required. <p> It may take several hours for the device to appear in the portal.|

- |15|Microsoft Defender for Endpoint cannot start command channel with URL: `variable`.|Variable = URL of the Defender for Endpoint processing servers. <p> The service couldn't contact the external processing servers at that URL.|Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).|

- |17|Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled. <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |19|OOBE (Windows Welcome) has not yet completed.|Service will only start after any Windows updates have finished installing.|Normal operating notification; no action required. <p> If this error persists after a system restart, ensure all Windows updates have full installed.|

- |20|Cannot wait for OOBE (Windows Welcome) to complete. Failure code: `variable`.|Internal error.|If this error persists after a system restart, ensure all Windows updates have full installed.|

- |25|Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: `variable`.|The device didn't onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |26|Microsoft Defender for Endpoint service failed to set the onboarding status in the registry. Failure code: `variable`.|The device didn't onboard correctly. <p> It will report to the portal, however the service may not appear as registered in SCCM or the registry.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |27|Microsoft Defender for Endpoint service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code: `variable`.|Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md). <p> Ensure real-time antimalware protection is running properly.|

- |28|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration failed. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |29|Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3|This event occurs when the system can't read the offboarding parameters.|Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package hasn't expired.|

- |30|Microsoft Defender for Endpoint service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code: `variable`.|Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md). <p> Ensure real-time antimalware protection is running properly.|

- |33|Microsoft Defender for Endpoint service failed to persist SENSE GUID. Failure code: `variable`.|A unique identifier is used to represent each device that is reporting to the portal. <p> If the identifier doesn't persist, the same device might appear twice in the portal.|Check registry permissions on the device to ensure the service can update the registry.|

- |34|Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|

- |37|Microsoft Defender for Endpoint A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.|The device has almost used its allocated quota of the current 24-hour window. It's about to be throttled.|Normal operating notification; no action required.|

- |38|Network connection is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.|The device is using a metered/paid network and will be contacting the server less frequently.|Normal operating notification; no action required.|

- |39|Network connection is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.|The device isn't using a metered/paid connection and will contact the server as usual.|Normal operating notification; no action required.|

- |40|Battery state is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.|The device has low battery level and will contact the server less frequently.|Normal operating notification; no action required.|

- |41|Battery state is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.|The device doesn't have low battery level and will contact the server as usual.|Normal operating notification; no action required.|

- |46|Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.|An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but won't report any sensor event until the ETW session is started.|Normal operating notification; no action required. The service will try to start the session every minute.|

- |48|Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.|Failed to add a provider to ETW session. As a result, the provider events aren't reported.|Check the error code. If the error persists contact Support.|

- |54| Global (per-pattern) state changed. State: %1, pattern: %2 | If state = 0: Cyber-data reporting rule has reached its defined capping quota and won't send more data until the capping quota expires. If state = 1: The capping quota expired and the rule will resume sending data. | Normal operating notification; no action required. |

- |62|Failed to start Connected User Experiences and Telemetry service. Failure code: %1|Connected User Experiences and Telemetry (diagtrack) service failed to start. Non-Microsoft Defender for Endpoint telemetry won't be sent from this machine.|Look for more troubleshooting hints in the event log: Microsoft-Windows-UniversalTelemetryClient/Operational.|

- |90|Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region %1. Failure code: %2|System Guard Runtime Monitor won't send attestation data to the cloud service.|Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.|

- |91|Failed to remove System Guard Runtime Monitor geo-region information. Failure code: %1|System Guard Runtime Monitor won't send attestation data to the cloud service.|Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.|

- |401 | Microsoft Defender for Endpoint service failed to generate key. Failure code: %1. | Failed to create crypto key.|If machine is not reporting, contact support. Otherwise, no action required. |

- |402 |Microsoft Defender for Endpointservice failed to persist authentication state. Failure code: %1.| Failed to persist authentication state. | If machine is not reporting, contact support. Otherwise, no action required. |

- |408|Microsoft Defender for Endpoint service failed to remove persist authentication state. State: %1, Failure code: %2. |Failed to persist authentication state. |If machine is not reporting, contact support. Otherwise, no action required.|

- |409| Microsoft Defender for Endpoint service failed to open key. Failure code: %1. |Failed to open crypto key.|If machine is not reporting, contact support. Otherwise, no action required.|

- |410|Registration is required as part of re-onboarding of Microsoft Defender for Endpoint service. |Occurs during reonboarding. |Normal operating notification; no action required.|

-keywords: exclude

-ms.sitesec: library

-ms.pagetype: security

-keywords: Ask Defender Experts, experts on demand, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts, endpoint attack notification, Endpoint Attack Notification

-search.product: Windows 10

-ms.sitesec: library

-ms.pagetype: security

-keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet

-keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet

-ms.sitesec: library

-ms.pagetype: security

-keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication

-ms.sitesec: library

-ms.pagetype: security

-description: Learn the steps and requirements to integrate your solution with Microsoft Defender for Endpoint and be a partner

-keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal

-ms.sitesec: library

-ms.pagetype: security

-To become a Defender for Endpoint solution partner, you'll need to follow and complete the following steps.

-Once the Microsoft Defender for Endpoint team has reviewed and approves the integration, we'll direct you to be included as a partner at the Microsoft Intelligent Security Association.

-Microsoft Defender for Endpoint supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender for Endpoint management portal.

-To have your company listed as a partner in the in-product partner page, you'll need to provide the following information:

-1. A square logo (SVG).

-2. Name of the product to be presented.

-3. Provide a 15-word product description.

-4. Link to the landing page for the customer to complete the integration or blog post that includes sufficient information for customers. Any press release including the Microsoft Defender for Endpoint product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done.

-5. If you use a multi-tenant Microsoft Entra ID approach, we need the Microsoft Entra application name to track usage of the application.

-6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This is used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).

-Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We're happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.

-## Related topics

-keywords: government, gcc, high, requirements, capabilities, defender, Microsoft Defender for Endpoint, endpoint, dod

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-description: Take the necessary steps to configure MSSP integration with the Microsoft Defender for Endpoint

-keywords: managed security service provider, mssp, configure, integration

-ms.sitesec: library

-ms.pagetype: security

-To implement a multi-tenant delegated access solution, take the following steps:

- These groups will be linked to the Roles you create in Defender for Endpoint. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:

- Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.

- To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.

- Access packages are the collection of rights and accesses that a requestor will be granted upon approval.

-keywords: mdatp health, command, health, status, command, onboarding status

-ms.sitesec: library

-ms.pagetype: security

-keywords: windows defender, firewall

-ms.sitesec: library

-ms.pagetype: security

-keywords: ioc, certificate, certificates, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain

-ms.sitesec: library

-ms.pagetype: security

-keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain

-ms.sitesec: library

-ms.pagetype: security

-keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain

-ms.sitesec: library

-ms.pagetype: security

-3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.

-4. Select **Import**. Do this for all the files you'd like to import.

-Parameter|Type|Description

-:|:|:

-indicatorType|Enum|Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**

-indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required**

-action|Enum|The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Allowed", "Audit", "BlockAndRemediate", "Warn", and "Block". **Required**

-title|String|Indicator alert title. **Required**

-description|String| Description of the indicator. **Required**

-expirationTime|DateTimeOffset|The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. The indicator gets deleted if the expiration time passes and whatever happens at the expiration time occurs at the seconds (SS) value. **Optional**

-severity|Enum|The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**

-recommendedActions|String|TI indicator alert recommended actions. **Optional**

-rbacGroups|String|Comma-separated list of RBAC groups the indicator would be applied to. **Optional**

-category|String|Category of the alert. Examples include: Execution and credential access. **Optional**

-mitretechniques|String|MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It is recommended to add a value in category when a MITRE technique.

-GenerateAlert|String|Whether the alert should be generated. Possible Values are: True or False. **Optional**

-description: Learn how to use Defender for Endpoint sensitivity labels to protect, prioritize, and investigate incidents that involve data loos, dlp, security incidents.

-ms.sitesec: library

-ms.pagetype: security

-Defender for Endpoint helps to make prioritization of security incidents simpler with the use of sensitivity labels too. For example, sensitivity labels quickly identify incidents that may involve devices with sensitive information on them (such as confidential information).

-2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.

-5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.

- You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.

-keywords: investigate, investigation, devices, device, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP

-ms.sitesec: library

-ms.pagetype: security

-keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain

-ms.sitesec: library

-ms.pagetype: security

-keywords: investigate domain, domain, malicious domain, Microsoft Defender for Endpoint, alert, URL

-ms.sitesec: library

-ms.pagetype: security

-keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report

-ms.sitesec: library

-ms.pagetype: security

-The file capabilities view lists a file's activities as mapped to the MITRE ATT&CKΓäó techniques.

-keywords: investigate, investigation, IP address, alert, Microsoft Defender for Endpoint, external IP

-ms.sitesec: library

-ms.pagetype: security

-keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health

-ms.sitesec: library

-ms.pagetype: security

-You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:

-When you investigate a specific device, you'll see:

-The device details section provides information such as the domain, OS, and health state of the device. If there's an investigation package available on the device, you'll see a link that allows you to download the package.

-To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint.

-**Security recommendations** are generated from Microsoft Defender for Endpoint's [Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.

-The **Security policies** tab shows the endpoint security policies that are applied on the device. You'll see a list of policies, type, status, and last check-in time. Selecting the name of a policy, will take you to the policy details page where you can see the policy settings status, applied devices, and assigned groups.

-The **Software inventory** tab lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details

-The **Discovered vulnerabilities** tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details.

-The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Microsoft Defender for Identity feature, and there are any active alerts. More information is available in the "Alerts" drill down.

-The **Logged on users** card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md).

-> However, the "All users" side-pane calculates all sorts of user logons so it is expected to see more frequent users in the side-pane, given that those users may not be interactive.

-Other information in the card include: the last full scan, last quick scan, security intelligence update version, engine update version, platform update version, and Defender Antivirus mode.

-Please note that a grey circle indicates that the data is unknown.

-## Related topics

-keywords: investigate, account, user, user entity, alert, Microsoft Defender for Endpoint

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, configure, features, ios

-ms.sitesec: library

-ms.pagetype: security

-Microsoft Defender for Endpoint on iOS along with Microsoft Intune and Microsoft Entra ID enables enforcing Device compliance and Conditional Access policies based on device risk score. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.

-By default, Defender for Endpoint on iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Note that Anti-phishing and custom indicators (URL and Domain) are supported as part of Web Protection. IP based custom indicators are currently not supported on iOS. Web Content Filtering is currently not supported on mobile platforms (Android and iOS).

-Defender for Endpoint on iOS uses a VPN in order to provide this capability. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device.

-While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below:

-1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**.

-2. Click or tap the "i" button for Microsoft Defender for Endpoint.

-> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.

-Web Protection is one of the key features of Defender for Endpoint and it requires a VPN to provide that capability. The VPN used is a local/loopback VPN and not a traditional VPN, however there are several reasons for which customers might not prefer the VPN. Customers who do not want to set up a VPN, there is an option to disable **Web Protection** and deploy Defender for Endpoint without that feature. Other Defender for Endpoint features will continue to work.

-This configuration is available for both the enrolled (MDM) devices as well as unenrolled (MAM) devices. For customers with MDM, admins can configure the **Web Protection** through Managed devices in the App Config. For customers without enrollment, using MAM, admins can configure the **Web Protection** through Managed apps in the App Config.

- - Defender will send the heartbeat to the Microsoft Defender portal whenever user opens the app.

- - Click Next and assign this profile to targeted devices/users.

- - Defender will send the heartbeat to the Microsoft Defender portal whenever user opens the app.

- - Click Next and assign this profile to targeted devices/users.

-**For enrolled devices (MDM)**:

-1. Provide name and description for the policy. In Platform choose **iOS/iPad**.

-1. In targeted app choose **Microsoft Defender for Endpoint**.

-1. In the Settings page, choose configuration settings format **Use configuration designer**.

-1. Add 'DefenderNetworkProtectionEnable' as the configuration key, value type as 'String' and value as 'true' to enable Network Protection. (Network protection is disabled by default.)

- :::image type="content" source="images/np-mdmconfig-key.png" alt-text="Screenshot that shows the add mdm configuration policy." lightbox="images/np-mdmconfig-key.png":::

-1. For other configurations related to Network protection, add the following keys, choose the corresponding value type and value.

- | Key | Value Type | Default (true-enable, false-disable) | Description |

- | | | | |

- | `DefenderOpenNetworkDetection` | Integer | 0 | 1 - Audit, 0 - Disable(default), 2 - Enable. This setting is managed by an IT Admin to audit, disable, or enable open network detection, respectively. In 'Audit' mode, alerts will be sent only to the ATP portal with no end-user experience. For end-user experience, set the config to 'Enable' mode.|

- | `DefenderEndUserTrustFlowEnable` | String | false | true - enable, false - disable; This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks. |

- | `DefenderNetworkProtectionAutoRemediation` | String | true | true - enable, false - disable; This setting is used by the IT admin to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer WIFI access points or deleting suspicious certificates detected by Defender. |

- | `DefenderNetworkProtectionPrivacy` | String | true | true - enable, false - disable; This setting is managed by IT admin to enable or disable privacy in network protection. |

-1. In the Assignments section, admin can choose groups of users to include and exclude from the policy.

-1. Review and create the configuration policy.

-**For unenrolled devices (MAM)**:

-Follow the below steps for setting up MAM config for unenrolled devices for Network protection (Authenticator device registration is required for MAM configuration) in iOS devices. Network Protection initialization will require the end user to open the app once.

- |`DefenderOpenNetworkDetection`|0| 1 - Audit, 0 - Disable (default), 2 - Enable. This setting is managed by an IT admin to enable, audit, or disable open network detection. In Audit mode, alerts will be sent only to the ATP portal with no user side experience. For user experience, set the config to "Enable" mode.|

-## Co-existence of multiple VPN profiles

-Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.

-Follow the steps in the link below to set up app protection policies with Microsoft Defender for Endpoint [Configure Defender risk signals in app protection policy (MAM)](ios-install-unmanaged.md)

-Microsoft Defender for Endpoint on iOS enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) as well as unenrolled (MAM) devices.

-Customers can now enable privacy control for the phish report sent by Microsoft Defender for Endpoint on iOS. This will ensure that the domain name is not sent as part of the phish alert whenever a phish website is detected and blocked by Microsoft Defender for Endpoint.

- - In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** \> **App configuration policies** \> **Add** \> **Managed devices**.

- - Give the policy a name, **Platform \> iOS/iPadOS**, select the profile type.

- - Select **Microsoft Defender for Endpoint** as the target app.

- - On the Settings page, select **Use configuration designer** and add **DefenderExcludeURLInReport** as the key and value type as **Boolean**.

- - For users with key set as `true`, the phish alert will not contain the domain name information whenever a malicious site is detected and blocked by Defender for Endpoint.

- - Select **Next** and assign this profile to targeted devices/users.

-1. **Admin Privacy Controls (MAM)** Use the following steps to enable privacy and not collect the domain name as part of the phish alert report for unenrolled devices.

- - In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** \> **App configuration policies** \> **Add** \> **Managed apps**.

- - Give the policy a name.

- - Under **Select Public Apps**, choose **Microsoft Defender for Endpoint** as the target app.

- - On the Settings page, under the **General Configuration Settings**, add **DefenderExcludeURLInReport** as the key and value as `true`.

- - For users with key set as `true`, the phish alert will not contain the domain name information whenever a malicious site is detected and blocked by Defender for Endpoint.

- - Select **Next** and assign this profile to targeted devices/users.

-1. **End User Privacy Controls** These controls help the end user to configure the information shared to their organization.

- - For Supervised devices, End User controls will not be visible. Admin will decide and controls the settings.

- - However, for Unsupervised devices, the control will be displayed under the **Settings \> Privacy**.

- - Users will see a toggle for **Unsafe Site Info**.

- - This toggle is only visible if Admin has set **DefenderExcludeURLInReport = true**.

- - If enabled by Admin, Users can decide if they want to send the unsafe site info to their Organization or not.

- - By default, it's set to `false`. The unsafe site information will not be sent.

- - If user toggles it to `true`, the unsafe site details will be sent.

-Turning the above privacy controls on or off will not impact the device compliance check or conditional access.

-> On Supervised devices with the configuration profile, Microsoft Defender for Endpoint can access the entire URL and if it is found to be phishing, it will be blocked.

- - For users with key set as `true`, the users will be able to onboard the app without giving the VPN permission.

-1. **End User flow** - User will install and open the app to start the onboarding.

- - Even if the user has skipped VPN, the device will be able to onboard, and a heartbeat will be sent.

- - If VPN is disabled, web protection will not be active.

- - Later, the user can enable web protection from within the app. This will install the VPN configuration on the device.

-Microsoft Defender for Endpoint has the capability of detecting unmanaged and managed devices that are jailbroken. These jailbreak checks are done periodically. If a device is detected to be jailbroken,

-1. A **High**-risk alert will be reported to the Microsoft Defender portal. If device Compliance and Conditional Access is set up based on device risk score, then the device will be blocked from accessing corporate data.

-1. User data on app will be cleared. When user opens the app after jailbreaking the VPN profile also will be deleted and no web protection will be offered.

-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** \> **Compliance policies** \> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.

-1. Specify a name of the policy, for example "Compliance Policy for Jailbreak".

-1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.

-1. In the **Actions for noncompliance** section, select the actions as per your requirements and select **Next**.

-1. In the **Assignments** section, select the user groups that you want to include for this policy and then select **Next**.

-1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.

- - Only if end-user approves the privacy, the app information will be sent to the Defender for Endpoint console.

- - For users with key set as `true`, there will be an option to send Feedback data to Microsoft within the app (**Menu** \> **Help & Feedback** \> **Send Feedback to Microsoft**).

-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, configure, features, ios

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, app, installation, deploy, uninstallation, intune

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, policy, overview

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, troubleshoot, faq, how to

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, macos, whatsnew

-ms.sitesec: library

-ms.pagetype: security

-ms.sitesec: library

-description: Learn how to deploy Defender for Endpoint on Linux with Chef

-keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux)

-ms.sitesec: library

-ms.pagetype: security

-The Chef components are already installed and a Chef repository exists (chef generate repo \<reponame\>) to store the cookbook that will be used to deploy to Defender for Endpoint on Chef managed Linux servers.

-This command will create a new folder structure for the new cookbook called mdatp. You can also use an existing cookbook if you already have one you'd like to use to add the MDE deployment into.

-You'll need to modify the version number, distribution, and repo name to match the version you're deploying to and the channel you'd like to deploy.

-To test deploy it on the Chef workstation, just run ``sudo chef-client -z -o mdatp``.

-After your deployment you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences).

-After you've created and tested your configuration file, you can place it into the cookbook/mdatp/files folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text:

-To include this step as part of the recipe just add include_recipe ':: settings_mdatp' to your default.rb file within the recipe folder.

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, exclusions, scans, antivirus

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos, fedora, amazon linux 2

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos, fedora, amazon linux 2

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, saltstack, linux, redhat, ubuntu, debian, sles, suse, centos, fedora, amazon linux 2

-ms.sitesec: library

-ms.pagetype: security

-## References

- "scanResultsRetentionDays": 90,

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, privacy, diagnostic

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, pua, pus

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, scans, antivirus, microsoft defender for endpoint (linux)

-ms.sitesec: library

-ms.pagetype: security

-Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks.

-## Pre-requisite

-## For those who use Ansible, Chef, Puppet, or SaltStack

-See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information.

-See <https://docs.chef.io/resources/cron/> for more information.

-See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information.

-See <https://docs.saltproject.io/en/latest/ref/states/all/salt.states.cron.html> for more information.

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, proxy

-ms.sitesec: library

-ms.pagetype: security

-description: Learn how to troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, cloud, connectivity, communication

-ms.sitesec: library

-ms.pagetype: security

-expected output:

-Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allow list.

-To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:

-The output of above command should show no rules or any user added rules. In case the rules didn't get removed, then perform the following steps to clear the audit rules file.

-Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result into kernel hang issues.

-Following steps can be taken to mitigate this issue:

-1. Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8, if you want to use eBPF as supplementary subsystem provider. Note, min kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.

-2. Switch to auditd mode if customer needs to use the same kernel version

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, events

-ms.sitesec: library

-ms.pagetype: security

-description: Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation

-ms.sitesec: library

-ms.pagetype: security

-An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:

-Verify that the package you are installing matches the host distribution and version.

-For [manual deployment](linux-install-manually.md), make sure the correct distro and version had been chosen.

-If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies.

-1. Check if "mdatp" user exists:

- where `<systemd_path>` is `/lib/systemd/system` for Ubuntu and Debian distributions and /usr/lib/systemd/system` for Rhel, CentOS, Oracle and SLES. Then rerun step 2.

-4. If the above steps don't work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.

-7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec".

- Currently supported file systems for on-access activity are listed [here](microsoft-defender-endpoint-linux.md#system-requirements). Any files outside these file systems won't be scanned.

-## Command-line tool "mdatp" isn't working

- Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, performance, AuditD, XMDEClientAnalyzer, installation, deploy, uninstallation

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, cloud, connectivity, communication

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, whatsnew, release

- <summary> November-2023 (Build: 101.23102.0003 | Release version: 30.123102.0003.0)</summary>

- <summary> November-2023 (Build: 101.23092.0012 | Release version: 30.123092.0012.0)</summary>

- <summary> November-2023 (Build: 101.23082.0011 | Release version: 30.123082.0011.0)</summary>

- <summary> October-2023 (Build: 101.23082.0009 | Release version: 30.123082.0009.0)</summary>

- <summary> October-2023 (Build: 101.23082.0006 | Release version: 30.123082.0006.0)</summary>

- <summary> September-2023 (Build: 101.23072.0021 | Release version: 30.123072.0021.0)</summary>

- - In mde_installer.sh v0.6.3, users can use the `--channel` argument to provide the channel of the configured repository during cleanup. For example, `sudo ./mde_installer --clean --channel prod`

- - The Network Extension can now be reset by administrators using `mdatp network-protection reset`.

- - Other performance improvements

- - Bug Fixes

- <summary> July-2023 (Build: 101.23062.0010 | Release version: 30.123062.0010.0)</summary>

- - If a proxy is set for Defender for Endpoint, then it's visible in the `mdatp health` command output

- - With this release we provided two options in mdatp diagnostic hot-event-sources:

- - Network Protection: Connections that are blocked by Network Protection and have the block overridden by users are now correctly reported to Microsoft Defender XDR

- - Improved logging in Network Protection block and audit events for debugging

- <summary> July-2023 (Build: 101.23052.0009 | Release version: 30.123052.0009.0)</summary>

- - The build version schema is updated from this release. While the major version number remains same as 101, the minor version number now has five digits followed by four digit patch number that is, `101.xxxxx.yyy`

- - Improved Network Protection memory consumption under stress

- - Updated the engine version to `1.1.20300.5` and signature version to `1.391.2837.0`.

- - Bug fixes.

- <summary> June-2023 (Build: 101.98.89 | Release version: 30.123042.19889.0)</summary>

- - Improved Network Protection Proxy handling.

- - In Passive mode, Defender for Endpoint no longer scans when Definition update happens.

- - Devices continue to be protected even after Defender for Endpoint agent has expired. We recommend upgrading the Defender for Endpoint Linux agent to the latest available version to receive bug fixes, features and performance improvements.

- - Removed semanage package dependency.

- - Engine Update to `1.1.20100.7` and Signatures Ver: `1.385.1648.0`.

- - Bug fixes.

- <summary> May-2023 (Build: 101.98.64 | Release version: 30.123032.19864.0)</summary>

- - Health message improvements to capture details about auditd failures.

- - Improvements to handle augenrules, which was causing installation failure.

- - Periodic memory cleanup in engine process.

- - Fix for memory issue in mdatp audisp plugin.

- - Handled missing plugin directory path during installation.

- - When conflicting application is using blocking fanotify, with default configuration mdatp health shows unhealthy. This is now fixed.

- - Support for ICMP traffic inspection in BM.

- - Engine Update to `1.1.20100.6` and Signatures Ver: `1.385.68.0`.

- - Bug fixes.

- <summary> April-2023 (Build: 101.98.58 | Release version: 30.123022.19858.0)</summary>

- - Logging and error reporting improvements for auditd.

- - Handle failure in reload of auditd configuration.

- - Handling for empty auditd rule files during MDE install.

- - Engine Update to `1.1.20000.2` and Signatures Ver: `1.381.3067.0`.

- - Addressed a health issue in mdatp that occurs due to selinux denials.

- - Bug fixes.

-

- <summary> March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)</summary>

-

- <summary> March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)</summary>

-

-keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file

-ms.sitesec: library

-ms.pagetype: security

-keywords: apis, graph api, supported apis, get, devices

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, endpoint, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, jamf, intune, faq,

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, macOS, device, control, usb, removable, media, intune

-ms.sitesec: library

-ms.pagetype: security

-Now, you have 'groups' and 'rules' and 'settings', replace the mobileconfig file with those values and put it under the Device Control node, here is the demo file: [mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/mobileconfig/demo.mobileconfig). Make sure validate your policy with the JSON schema to make sure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/device_control_policy_schema.json).

-keywords: microsoft, defender, endpoint, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, jamf

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, endpoint, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media

-ms.sitesec: library

-ms.pagetype: security

-This method is recommended for pre-production environments only. It is available starting with version 101.23082.0018.

-You can set a policy manually, only if it was not set via MDM (as a managed configuration).

-Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here is the demo file: [mdatp-devicecontrol/deny_removable_media_except_kingston.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/examples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/device_control_policy_schema.json).

-See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, macOS, device, control, usb, removable, media

-ms.sitesec: library

-ms.pagetype: security

-description: Log in to Jamf Pro

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-# Log in to Jamf Pro

-3. You'll see the settings that are available.

-This topic describes how to deploy Microsoft Defender for Endpoint on macOS through Microsoft Intune. A successful deployment requires the completion of all of the following steps:

-

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, macos, big sur, monterey, ventura, mde or mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: device, group, microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: policies, microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, management, preferences, enterprise, intune, jamf, macos, big sur, monterey, ventura, mde for mac

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, privacy, diagnostic, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, pua, pus, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, monterey, ventura, mde for mac

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, scans, antivirus, big sur, monterey, ventura, mde for mac

-### Option 1: Schedule a quick scan using a _plist_

-The weekly configuration is set to run a quick scan on Wednesday at 880 minutes after midnight (2:40 p.m.).

-And it's set to ignore exclusions and run on a low priority scan.

-The following code shows the schema you need to use to schedule a quick scan.

- <key>interval</key>

- <string>0</string>

- <string>quick</string>

- </dict>

-### Option 2: Schedule a full scan using a _plist_

-1. Open a text editor and use this example for a full scan.

-> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [**Microsoft Defender for Endpoint Tech Community**](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP).

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, install, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-healthy : false

-health_issues : ["no active event provider", "network event provider not running", "full disk access has not been granted"]

-real_time_protection_enabled : unavailable

-full_disk_access_enabled : false

-network_extension_installed : true

-endpoint_security_extension_ready : false

-endpoint_security_extension_installed : true

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, kernel, system, extensions, big sur, monterey, ventura, mde for mac

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, install, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, updates, deploy, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank

-keywords: tags, device tags, device groups, groups, remediation, level, rules, aad group, role, assign, rank

-ms.sitesec: library

-ms.pagetype: security

-keywords: sort, filter, export, csv, device name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software

-ms.sitesec: library

-ms.pagetype: security

-At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.

-The device inventory opens on the **Computers and Mobile** tab. At a glance you'll see information such as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health state, and other details for easy identification of devices most at risk.

-Use the **Onboarding Status** column to sort and filter by discovered devices, and those already onboarded to Microsoft Defender for Endpoint.

-From the **Network devices** and **IoT devices** tabs, you'll also see information such as vendor, model and device type:

-At the top of each device inventory tab, you can see the total number of devices, the number of devices that are not yet onboarded, and the number of devices that have been identified as a higher risk to your organization. You can use this information to help you prioritize devices for security posture improvements.

-**Exposure level** | The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation. </br> </br> If the exposure level says "No data available," there are a few reasons why this may be the case:</br>- Device stopped reporting for more than 30 days. In that case it's considered inactive, and the exposure isn't computed.</br>- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements).</br>- Device with stale agent (unlikely).

-**Device value** | Filter the list based on whether the device has been marked as high value or low value.

-**Exclusion state** | Filter the list based on whether the device has been excluded or not. For more information, see [Exclude devices](exclude-devices.md).

-**First seen** | Filter your view based on when the device was first seen in the network or when it was first reported by the Microsoft Defender for Endpoint sensor.</br></br>(_Computers and mobile and IoT devices only_)

-**Windows version** | Filter by the Windows versions you're interested in investigating. If 'future version' appears in the Windows version field, it can mean:</br></br> - This is a pre-release build for a future Windows release</br> - The build has no version name</br> - The build version name is not yet supported </br></br> In all these scenarios, where available, the full OS version can be seen in the device details page.</br></br> (_Computers and mobile only_)

-**Sensor health state** | Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:</br> - **Active**: Devices that are actively reporting sensor data to the service.</br> - **Inactive**: Devices that have stopped sending signals for more than 7 days. </br> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data. </br> Misconfigured devices can further be classified to: </br> - No sensor data </br> - Impaired communications </br> For more information on how to address issues on misconfigured devices see, [Fix unhealthy sensors](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors).</br></br> (_Computers and mobile only_)

-**Onboarding status** | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. Note that device discovery must be enabled for this filter to appear. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint. </br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but it's not currently onboarded. Microsoft highly recommends onboarding these devices. </br> - **Unsupported**: The endpoint was discovered in the network, but is not supported by Microsoft Defender for Endpoint. </br> - **Insufficient info**: The system couldn't determine the supportability of the device.</br></br> (_Computers and mobile only_)

-**Managed by** | Managed by indicates how the device is being managed. You can filter by:</br> - Microsoft Defender for Endpoint</br> - Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach</br>- Microsoft Configuration manager (ConfigMgr)</br> - Unknown: This could be due the running an outdated Windows version, GPO management, or another third party MDM.</br></br> (_Computers and mobile only_)

-On the **Computer and Mobiles** tab, select **Customize columns** to see the columns available. The default values are checked in the image below:

-On the **Network devices** tab, select **Customize columns** to see the columns available. The default values are checked in the image below:

-On the **IoT devices** tab, select **Customize columns** to see the columns available. The default values are checked in the image below:

-keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes

-ms.sitesec: library

-ms.pagetype: security

-keywords: automation, file, uploads, content, analysis, file, extension, email, attachment

-ms.sitesec: library

-ms.pagetype: security

-keywords: manage, automation, exclusion, block, clean, malicious

-ms.sitesec: library

-ms.pagetype: security

-keywords: updates, protection, force updates, events, startup, check for latest, notifications

-ms.sitesec: library

-ms.pagetype: security

-description: Learn about the gradual update process and controls

-It is important to ensure that client components are up to date to deliver critical protection capabilities and prevent attacks.

-If your machines are receiving Defender updates from Windows Update, the gradual rollout process may result in some of your machines receiving Defender updates sooner than others. The following section explains how to define a strategy that will allow automatic updates to flow differently to specific groups of devices by leveraging update channel configuration.

-|Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).|

-|Critical: Time Delay|Delay Defender updates|Devices will be offered updates with a 48-hour delay. Best for datacenter machines that only receive limited updates. Suggested for critical environments only.|

-|(default)||If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices.|

-You can also assign a machine to a channel to define the cadence in which it receives daily updates. Note that unlike the monthly process, there is no Beta channel and this gradual release cycle occurs multiple times a day.

-|Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).|

-|(default)||If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices|

-In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This provides the best balance between protection and possible impact associated with the changes they can introduce.

-For environments where there is a need for a more controlled gradual rollout of automatic Defender updates, consider an approach with deployment groups:

-3. Designate a group of machines that receive updates later during the gradual rollout from Staged channel. Typically, this would be a representative ~10% of the population.

-keywords: incidents, manage, assign, status, classification, true alert, false alert

-search.product: eADQiWindows 10XVcnh

-ms.sitesec: library

-ms.pagetype: security

-keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain

-description: Learn how to manage Microsoft Defender for Endpoint with Configuration Manager

-keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, Microsoft Defender for Endpoint, edr

-ms.sitesec: library

-ms.pagetype: security

-# Manage Microsoft Defender for Endpoint with Configuration Manager

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) or [Configuration Manager](/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints).

-This article describes how to manage Defender for Endpoint settings with Configuration Manager, and lists various tasks you can perform.

-## Configure Microsoft Defender for Endpoint with Configuration Manager

-|Task|Resources to learn more|

-|||

-|**Install the Configuration Manager console** if you don't already have it <br/><br/> *If you don't already have the Configuration Manger console, use these resources to get the bits and install it.*|[Get the installation media](/mem/configmgr/core/servers/deploy/install/get-install-media) <br/><br/> [Install the Configuration Manager console](/mem/configmgr/core/servers/deploy/install/install-consoles)|

-|**Use Configuration Manager to onboard devices** to Microsoft Defender for Endpoint <br/><br/> *If you have devices (or endpoints) not already onboarded to Microsoft Defender for Endpoint, you can do that with Configuration Manager.*|[Onboard to Microsoft Defender for Endpoint with Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager)|

-|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints) <br/><br/> *Configure endpoint protection features, including Microsoft Defender for Endpoint, exploit protection, application control, antimalware, firewall settings, and more.*|[Configuration

-|**Choose methods for updating antimalware updates** on your organization's devices <br/><br/> *With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.*|[Configure definition updates for Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-definition-updates) <br/><br/> [Use Configuration Manager to deliver definition updates](/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr)|

-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet <br/><br/> *We recommend using [audit mode](/microsoft-365/security/defender-endpoint/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.*|[Turn on network protection with Configuration Manager](/microsoft-365/security/defender-endpoint/enable-network-protection#microsoft-endpoint-configuration-manager)|

-|**Configure controlled folder access** to protect against ransomware <br/><br/> *Controlled folder access is also referred to as antiransomware protection.*|[Endpoint protection: Controlled folder access](/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <br/><br/> [Enable controlled folder access in Microsoft Endpoint Configuration Manage](/microsoft-365/security/defender-endpoint/enable-controlled-folders#microsoft-endpoint-configuration-manager)|

-<a name='configure-your-microsoft-365-defender-portal'></a>

-## Configure your Microsoft Defender portal

-If you haven't already done so, configure your Microsoft Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture. See While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender). You can also configure whether and what features end users can see in the Microsoft Defender portal.

-## Next steps

-description: Learn how to manage Microsoft Defender for Endpoint with Group Policy Objects

-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, Microsoft Defender for Endpoint, edr

-ms.sitesec: library

-ms.pagetype: security

-# Manage Microsoft Defender for Endpoint with Group Policy Objects

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-> [!NOTE]

-> We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) or [Configuration Manager](/mem/configmgr/core/understand/introduction) to manage Defender for Endpoint settings. However, you can use Group Policy Objects in Microsoft Entra Domain Services to manage some of your Defender for Endpoint settings.

-## Configure Microsoft Defender for Endpoint with Group Policy Objects

-> [!NOTE]

-> If you're using [the new, unified Microsoft Defender for Endpoint solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview), please ensure you are using the latest ADMX files in your central store to get access to the correct Microsoft Defender for Endpoint policy options. Please reference [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) and download the latest files **for use with Windows 10**.

-The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Group Policy Objects.

-|Task|Resources to learn more|

-|||

-|**Manage settings for user and computer objects** <br/><br/> *Customize built-in Group Policy Objects, or create custom Group Policy Objects and organizational units to suit your organizational needs.*|[Administer Group Policy in a Microsoft Entra Domain Services managed domain](/azure/active-directory-domain-services/manage-group-policy)|

-|**Configure Microsoft Defender Antivirus** <br/><br/> *Configure antivirus features & capabilities, including policy settings, exclusions, remediation, and scheduled scans on your organization's devices (also referred to as endpoints).*|[Use Group Policy settings to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) <br/><br/> [Use Group Policy to enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-group-policy-to-enable-cloud-delivered-protection)|

-|**Manage your organization's attack surface reduction rules** <br/><br/> *Customize your attack surface reduction rules by excluding files & folders, or by adding custom text to notification alerts that appear on users' devices.*|[Customize attack surface reduction rules with Group Policy Objects](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement)|

-|**Manage exploit protection settings** <br/><br/> *You can customize your exploit protection settings, import a configuration file, and then use Group Policy to deploy that configuration file.*|[Customize exploit protection settings](/microsoft-365/security/defender-endpoint/customize-exploit-protection) <br/><br/> [Import, export, and deploy exploit protection configurations](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml) <br/><br/> [Use Group Policy to distribute the configuration](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml#use-group-policy-to-distribute-the-configuration)|

-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet <br/><br/> *We recommend using [audit mode](/microsoft-365/security/defender-endpoint/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.*|[Turn on network protection using Group Policy](/microsoft-365/security/defender-endpoint/enable-network-protection#group-policy)|

-|**Configure controlled folder access** to protect against ransomware <br/><br/> *[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.*|[Enable controlled folder access using Group Policy](/microsoft-365/security/defender-endpoint/enable-controlled-folders#group-policy)|

-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet.|[Configure Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings using Group Policy](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#group-policy-settings)|

-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows|[BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)|

-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks|[Enable Windows Defender Credential Guard by using Group Policy](/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard-by-using-group-policy)|

-<a name='configure-your-microsoft-365-defender-portal'></a>

-## Configure your Microsoft Defender portal

-If you haven't already done so, configure your Microsoft Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture. See [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender). You can also configure whether and what features end users can see in the Microsoft Defender portal.

-## Next steps

-description: Learn how to manage Microsoft Defender for Endpoint with Intune

-# Manage Microsoft Defender for Endpoint with Intune

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-We recommend using Microsoft Intune to manage your organization's threat protection features for devices (also referred to as endpoints). This article describes how to find your Microsoft Defender for Endpoint settings in Intune, and lists various tasks you can perform.

-## Find your Microsoft Defender for Endpoint settings in Intune

-> [!IMPORTANT]

-> You must have either the global administrator or service administrator role assigned in Intune to configure the settings described in this article. To learn more, see **[Types of administrators (Intune)](/mem/intune/fundamentals/users-add#types-of-administrators)**.

-1. Go to the [Microsoft Intune admin center](https://endpoint.microsoft.com/#home) and sign in.

-2. In the navigation pane on the left, choose **Device configuration**, and then, under **Manage**, choose **Profiles**.

-3. Select an existing profile, or create a new one.

-> [!TIP]

-> Need help? See **[Using Microsoft Defender for Endpoint with Intune](/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.

-## Configure Microsoft Defender for Endpoint with Intune

-The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.

-|Task|Resources to learn more|

-|||

-|**Manage your organization's devices using Intune** to protect those devices and data stored on them|[Protect devices with Microsoft Intune](/mem/intune/protect/device-protect)|

-|**Integrate Microsoft Defender for Endpoint with Intune** as a Mobile Threat Defense solution <br/>*(for Android devices and devices running Windows 10 or Windows 11)*|[Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection)|

-|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources|[Configure Conditional Access in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-conditional-access)|

-|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider))|[Device restrictions: Microsoft Defender Antivirus](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus) <br/><br/> [Policy CSP - Microsoft Defender for Endpoint](/windows/client-management/mdm/policy-csp-defender)|

-|**If necessary, specify exclusions for Microsoft Defender Antivirus** <br/><br/> *Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.*|[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers) <br/><br/> [Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 and Windows 11 devices](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions) <br/><br/> [Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019 or 2022](/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|

-|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers <br/><br/> *Configure your attack surface reduction rules in [audit mode](/microsoft-365/security/defender-endpoint/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.*|[Audit mode in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/audit-windows-defender) <br/><br/> [Endpoint protection: Attack Surface Reduction](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction) <br/><br/> [Learn more about attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) <br/><br/> [Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420)|

-|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations <br/><br/> *Network filtering is also referred to as [network protection](/microsoft-365/security/defender-endpoint/network-protection).* <br/><br/> *Make sure that Windows 10 and Windows 11 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](/mem/intune/protect/endpoint-protection-windows-10#network-filtering) <br/><br/> [Review network protection events in Windows Event Viewer](/microsoft-365/security/defender-endpoint/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer)|

-|**Configure controlled folder access** to protect against ransomware <br/><br/> *[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.*|[Endpoint protection: Controlled folder access](/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <br/><br/> [Enable controlled folder access in Intune](/microsoft-365/security/defender-endpoint/enable-controlled-folders#intune)|

-|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices <br/><br/> *[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) is also referred to as Exploit Guard.*|[Endpoint protection: Microsoft Defender Exploit Guard](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard) <br/><br/> [Enable exploit protection in Intune](/microsoft-365/security/defender-endpoint/enable-exploit-protection#intune)|

-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet. <br/><br/> *Microsoft Edge should be installed on your organization's devices. For protection on Google Chrome and FireFox browsers, configure exploit protection.*|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) <br/><br/> [Device restrictions: Microsoft Defender SmartScreen](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-smartscreen) <br/><br/> [Policy settings for managing SmartScreen in Intune](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#mdm-settings)|

-|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices|[Endpoint protection: Microsoft Defender Firewall](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-firewall) <br/><br/> [Microsoft Defender Firewall with Advanced Security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|

-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows|[Endpoint protection: Windows Encryption](/mem/intune/protect/endpoint-protection-windows-10#windows-encryption) <br/><br/> [BitLocker for Windows 10 and Windows 11 devices](/windows/security/information-protection/bitlocker/bitlocker-overview)|

-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks|For Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019, and Windows Server 2022, see [Endpoint protection: Microsoft Defender Credential Guard](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard) <br/><br/> For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036)|

-|**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices <br/><br/> *Microsoft Defender Application Control is also referred to as [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) <br/><br/> [Endpoint protection: Microsoft Defender Application Control](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control) <br/><br/> [AppLocker CSP](/windows/client-management/mdm/applocker-csp)|

-|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices|[Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune](/windows/security/threat-protection/device-control/control-usb-devices-using-intune)|

-<a name='configure-your-microsoft-365-defender-portal'></a>

-## Configure your Microsoft Defender portal

-If you haven't already done so, configure your Microsoft Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture. See [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender). You can also configure whether and what features end users can see in the Microsoft Defender portal.

-## Next steps

-description: Learn how to manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe

-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, Microsoft Defender for Endpoint, edr

-ms.sitesec: library

-ms.pagetype: security

-# Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) or [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction) to manage Defender for Endpoint settings. However, you can use other tools to manage some settings, such as Microsoft Defender Antivirus, exploit protection, and customized attack surface reduction rules with:

-> [!IMPORTANT]

-> Threat protection features that you configure by using PowerShell, WMI, or MCPmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.

-## Configure Microsoft Defender for Endpoint with PowerShell

-You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.

-|Task|Resources to learn more|

-|||

-|**Manage Microsoft Defender Antivirus** <br/><br/> View status of antimalware protection, configure preferences for antivirus scans & updates, and make other changes to your antivirus protection.*|[Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) <br/><br/> [Use PowerShell cmdlets to enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-powershell-cmdlets-to-enable-cloud-delivered-protection)|

-|**Configure exploit protection** to mitigate threats on your organization's devices <br/><br/> *We recommend using exploit protection in [audit mode](/microsoft-365/security/defender-endpoint/evaluate-exploit-protection#powershell) at first. That way, you can see how exploit protection affects apps your organization is using.*|[Customize exploit protection](/microsoft-365/security/defender-endpoint/customize-exploit-protection) <br/><br/> [PowerShell cmdlets for exploit protection](/microsoft-365/security/defender-endpoint/customize-exploit-protection#powershell-reference)|

-|**Configure attack surface reduction rules** with PowerShell <br/><br/> *You can use PowerShell to exclude files and folders from attack surface reduction rules.*|[Customize attack surface reduction rules: Use PowerShell to exclude files & folders](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction) <br/><br/> Also, see [Ant├│nio Vasconcelo's graphical user interface tool for setting attack surface reduction rules with PowerShell](https://github.com/anvascon/MDATP_PoSh_Scripts/tree/master/ASR%20GUI).|

-|**Enable Network Protection** with PowerShell <br/><br/> *You can use PowerShell to enable Network Protection.*|[Turn on Network Protection with PowerShell](/microsoft-365/security/defender-endpoint/enable-network-protection#powershell)|

-|**Configure controlled folder access** to protect against ransomware <br/><br/> *[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.*|[Enable controlled folder access with PowerShell](/microsoft-365/security/defender-endpoint/enable-controlled-folders#powershell)|

-|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices|[Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell)|

-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows|[BitLocker PowerShell reference guide](/powershell/module/bitlocker/)|

-## Configure Microsoft Defender for Endpoint with Windows Management Instrumentation (WMI)

-WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see [Using WMI](/windows/win32/wmisdk/using-wmi).

-|Task|Resources to learn more|

-|||

-|**Enable cloud-delivered protection** on a device|[Use Windows Management Instruction (WMI) to enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-windows-management-instruction-wmi-to-enable-cloud-delivered-protection)|

-|**Retrieve, modify, and update settings** for Microsoft Defender Antivirus|[Use WMI to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus <br/><br/> [Review the list of available WMI classes and example scripts](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) <br/><br/> Also see the archived [Windows Defender WMIv2 Provider reference information](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal?redirectedfrom=MSDN)|

-## Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)

-On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.

-To learn more, see [Configure and manage Microsoft Defender Antivirus with mpcmdrun.exe](/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus).

-<a name='configure-your-microsoft-365-defender-portal'></a>

-## Configure your Microsoft Defender portal

-If you haven't already done so, configure your <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.

-You can also configure whether and what features end users can see.

-## Next steps

-description: Now that you've made the switch to Microsoft Defender for Endpoint, your next step is to manage your threat protection features

-# Manage Microsoft Defender for Endpoint after initial setup or migration

-**Applies to:**

-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

-After you have set up and configured Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Microsoft Configuration Manager](/mem/configmgr/core/understand/introduction) or [Group Policy Objects in Microsoft Entra Domain Services](/azure/active-directory-domain-services/manage-group-policy).

-The following table lists various tools/methods you can use, with links to learn more.

-|Tool/Method|Description|

-|||

-|**[Microsoft Defender Vulnerability Management dashboard insights](/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the [Microsoft Defender XDR](https://security.microsoft.com/) portal|The Defender Vulnerability Management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture. <br/><br/> See [Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) and [Overview of Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/use).|

-|**[Microsoft Intune](/mem/intune/fundamentals/what-is-intune)** | Intune provides mobile device management (MDM) and mobile application management (MAM) capabilities. With Intune, you control how your organization's devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. <br/><br/> See [Manage Microsoft Defender for Endpoint using Intune](manage-mde-post-migration-intune.md).|

-|**[Microsoft Configuration Manager](/mem/configmgr/core/understand/introduction)**|Microsoft Configuration Manager, formerly known as System Center Configuration Manager, is a powerful tool to manage your users, devices, and software. <br/><br/> See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-mde-post-migration-configuration-manager.md).|

-|**[Group Policy Objects in Microsoft Entra Domain Services](/azure/active-directory-domain-services/manage-group-policy)**|[Microsoft Entra Domain Services](/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs). <br/><br/> See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-mde-post-migration-group-policy-objects.md).|

-|**[PowerShell, WMI, and MPCmdRun.exe](manage-mde-post-migration-other-tools.md)**|*We recommend using Microsoft Intune or Configuration Manager to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.* <br/><br/> You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-mde-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell). <br/><br/> You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-mde-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi). <br/><br/> You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-mde-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe).|

-## See also

-keywords: updates, protection, out of date, outdated, old, catch-up

-ms.sitesec: library

-ms.pagetype: security

-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, SAp

-This article provides deployment guidance for Microsoft Defender for Endpoint on Linux for SAP. You'll learn about recommended SAP OSS(Online Services System) notes, the system requirements, prerequisites, important configuration settings, recommended antivirus exclusions, and guidance on scheduling antivirus scans.

-## Prerequisites for deploying Microsoft Defender for Endpoint for Linux on SAP VMs

-Endpoint Detection and Response (EDR) functionality is active whenever Microsoft Defender for Endpoint for Linux is installed. There is no simple way to disable EDR functionality through command line or configuration. For more information on troubleshooting EDR, see the sections [Useful Commands](#useful-commands) and [Useful Links](#useful-links).

-[Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux | Microsoft Docs](linux-support-install.md#installation-failed)

-## Recommended Microsoft Defender for Endpoint AntiVirus Exclusions for SAP on Linux

-Enterprise Security Team must obtain a full list of AV exclusions from the SAP Administrators (typically the SAP Basis Team).

-Large SAP systems might have more than 20 SAP application servers each with a connection to the SAPMNT NFS share. Twenty or more application servers simultaneously scanning the same NFS server will likely overload the NFS server. By default Microsoft Defender for Endpoint for Linux won't scan NFS sources.

-If, during manual zypper installation on Suse an error ΓÇ£Nothing provides ΓÇÿpolicycoreutilsΓÇÖΓÇ¥ occurs, refer to:

-There are several command-line commands that can control the operation of mdatp. To enable the passive mode you can use the following command:

-These commands updates the mdatp software if needed:

- - Alma 9.2 and higher

- > Microsoft Defender for Endpoint on Red Hat Enterprise Linux and CentOS - 6.7 to 6.10 is a Kernel based solution. You must verify that the kernel version is supported before updating to a newer kernel version. See the list below for the list of supported kernels.

- > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or above 3.10.0-327.

-|You've already migrated or onboarded to Defender for Endpoint. You want some help with next steps, such as managing your security settings, configuring more features, or fine-tuning your security policies.|[Manage Microsoft Defender for Endpoint, post-migration](manage-mde-post-migration.md)|

-The [Introduction to Microsoft Syntex](/training/modules/syntex-intro) learning path will teach how you can use unstructured, freeform, and unstructured document processing models to classify documents, extract text, and label your documents for quick and easy knowledge management.