Updates from: 02/22/2024 07:11:02
Category | Microsoft Docs article | Related commit history on GitHub | Change details
admin Manage Addins In The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-addins-in-the-admin-center.md
As an organization you may wish to manage the download of Office add-ins from th
2. Select **User owned apps and services**.
-3. Check or clear the option to allow or prevent users access the Office store.
+3. Check or clear the option to allow or prevent users to access the Office store.
+
+Options available in non-educational tenants:
- ![Let user access office store settings](../../media/user-owned-apps-and-services.png)
+ ![Let user access office store settings](../../media/user-owned-apps-and-services.png)
+Options available in educational tenants:
+
+ ![Let user access office store settings for EDU](../../media/user-owned-apps-and-services-edu.png)
+
+The userΓÇÖs license information is used to define whether a user is a faculty/staff or a student along with the Age Group property to check whether the student is an adult or not.ΓÇ»
+
+> [!NOTE]
+> For more information see:
+>- [Learn how to review the user's license type and assign or unassign licenses as required](assign-licenses-to-users.md)
+>- [Understand how to configure the Age Group property in the Microsoft Encarta admin center](/entra/fundamentals/how-to-manage-user-profile-info)
+ This will control all users' ability to acquire the following add-ins from the store. - Add-ins for Word, Excel, and PowerPoint 2016:
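Review bot: the last note bullet links to `/entra/fundamentals/how-to-manage-user-profile-info` but its link text says "Microsoft Encarta admin center"; this should read "Microsoft Entra admin center". Two smaller points in the same hunk: the line removed and re-added around the first screenshot differs only in leading whitespace and can be dropped from the change, and "Options available in educational tenants:" needs a blank line before it, otherwise Markdown runs the preceding image and that label into one paragraph. The sentence about license information also ends with a stray non-breaking space character after the period.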
admin Office Addins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/office-addins.md
Managing how users can install and use Office add-ins means that you decide who
1. To manage usersΓÇÖ ability to self-install and use Office add-ins from the Word, Excel and PowerPoint stores, visit the Microsoft 365 Admin Center. 2. Choose **Settings** and the select **Org Settings**. 3. Scroll down and select **User owned apps and services**.
-4. Make changes to the checkbox **Let users access the Office Store**.
- - Activating the checkbox turns on access to all Word, Excel and PowerPoint add-ins for all users in your organization.
- - Deactivating the checkbox turns off access to all Word, Excel and PowerPoint add-ins for all users in your organization.
+4. Check or clear the option to allow or prevent users to access all Word, Excel, and PowerPoint add-ins.
+
+Options available in non-educational tenants:
+
+ ![Let user access office store settings](../../media/user-owned-apps-and-services.png)
+
+Options available in educational tenants:
+
+ ![Let user access office store settings for EDU](../../media/user-owned-apps-and-services-edu.png)
+
+The userΓÇÖs license information is used to define whether a user is a faculty/staff or a student along with the Age Group property to check whether the student is an adult or not.ΓÇ»
+
+> [!NOTE]
+> For more information see:
+>- [Learn how to review the user's license type and assign or unassign licenses as required](assign-licenses-to-users.md)
+>- [Understand how to configure the Age Group property in the Microsoft Encarta admin center](/entra/fundamentals/how-to-manage-user-profile-info)
> [!NOTE] > This setting does not impact any deployed Office add-ins on Word, Excel, and PowerPoint. You can continue to deploy Office add-ins to users in your organization, even if the above setting is turned off.
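Review bot: same link-text problem as in manage-addins-in-the-admin-center.md, the bullet pointing at `/entra/fundamentals/how-to-manage-user-profile-info` says "Microsoft Encarta admin center" and should say "Microsoft Entra admin center". This hunk also copies the two screenshots, the license/Age Group paragraph and the note block verbatim from that article, so the two pages will drift unless one cross-links to the other; and the inserted note now sits directly above the existing note about deployed add-ins, so the two could be merged into a single `[!NOTE]` block.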
commerce Understand Your Invoice2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice2.md
- AdminTemplateSet search.appverid: MET150 description: "Learn how to interpret the charges on your invoice for your Microsoft business subscription with an MOSA billing account." Previously updated : 08/08/2023 Last updated : 02/21/2024 # Understand your invoice for your Microsoft MOSA billing account
Check out this video and others on our [YouTube channel](https://go.microsoft.co
## How often and when am I billed?
-Depending on the billing frequency that you chose when you bought your subscription, you receive an invoice either monthly or annually. The amount of time since the last invoice date is called the *Billing Period* and shown on page one of the invoice. This time period represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.
+Depending on the billing frequency that you chose when you bought your subscription, you receive an invoice either monthly or yearly. The amount of time since the last invoice date is called the *Billing Period* and shown on page one of the invoice. This time period represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.
> [!NOTE] > You can change the billing frequency for a subscription by following the steps in [Change the billing frequency for your Microsoft business subscription](change-payment-frequency.md).
commerce Volume Licensing Invoices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/volume-licensing-invoices.md
search.appverid: MET150 description: "Learn how to access your non-Azure volume licensing invoices in the Microsoft 365 admin center." Previously updated : 09/29/2023 Last updated : 02/21/2024 # Microsoft volume licensing invoices
The invoice recon file is a CSV file that includes the same information as the I
|Product Family|The logical categorization of products.| |License Type|Reflects the terms of buying the product.| |Price Level|The price categorization of product.|
-|Billing Option|How frequently the customer is billed. The frequency options are upfront, monthly, quarterly, semi-annually, or annually.|
+|Billing Option|How frequently the customer is billed. The frequency options are upfront, monthly, every three months, every six months, or yearly.|
|Taxable|Indicates whether the product is taxable.| |Pool|The classification of the product into a system, server, or application.| |Service Period Start Date, Service Period End Date|Indicates the eligible service period.|
Only the **Bill To contact** participant on the agreement can view the correspon
## How often and when am I billed?
-Depending on the billing frequency you choose when you bought your subscription, you receive an invoice either upfront, monthly, quarterly, semi-annually, or annually. The amount of time since the last invoice date is the **Billing Period** and is on page one of the invoice. This time represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.
+Depending on the billing frequency you choose when you bought your subscription, you receive an invoice either upfront, monthly, every three months, every six months, or yearly. The amount of time since the last invoice date is the **Billing Period** and is on page one of the invoice. This time represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.
## Why is my total due different from last billing period?
enterprise Diagnosing Performance Issues With Sharepoint Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/diagnosing-performance-issues-with-sharepoint-online.md
Title: "Diagnosing performance issues with SharePoint Online"
+ Title: "Diagnosing performance issues with SharePoint"
Previously updated : 11/19/2021 Last updated : 02/21/2024 audience: Admin
- scotvorg - Ent_O365 - SPO_Content
+- must-keep
f1.keywords: - CSH
search.appverid:
- SPO160 - MET150 ms.assetid: 3c364f9e-b9f6-4da4-a792-c8e8c8cd2e86
-description: "This article shows you how you can diagnose common issues with your SharePoint Online site using Internet Explorer developer tools."
+description: "This article shows you how you can diagnose common issues with your SharePoint site using Internet Explorer developer tools."
-# Diagnosing performance issues with SharePoint Online
+# Diagnosing performance issues with SharePoint
-This article shows you how you can diagnose common issues with your SharePoint Online site using Internet Explorer developer tools.
+This article shows you how you can diagnose common issues with your SharePoint site using Internet Explorer developer tools.
-There are four different ways that you can identify that a page on a SharePoint Online site has a performance problem with the customizations.
+There are four different ways that you can identify that a page on a SharePoint site has a performance problem with the customizations.
-- The Site and Page performance diagnostic
+- The Page Diagnostics for SharePoint tool
- The F12 tool bar network monitor -- Comparison to a non-customized baseline
+- Comparison to a noncustomized baseline
-- SharePoint Online response header metrics
+- SharePoint response header metrics
-This topic describes how to use each of these methods to diagnose performance issues. Once you've figured out the cause of the problem, you can work toward a solution using the articles about improving SharePoint performance that you can find on https://aka.ms/tune.
+This article describes how to use each of these methods to diagnose performance issues. Once you've figured out the cause of the problem, you can work toward a solution using the articles about improving SharePoint performance that you can find on https://aka.ms/tune.
-## Use the Site and Page performance diagnostic from the Microsoft 365 Admin Center
+## Use the Page Diagnostics for SharePoint tool
-> [!NOTE]
-> If you're an administrator, and you're having trouble with performance in SharePoint, select **Run Tests** below, which will populate the Site and Page Performance diagnostic in the Microsoft 365 Admin Center. These tests will check your configuration and quickly recommend next steps to help improve SharePoint performance for your tenant.
->> [!div class="nextstepaction"]
->> [Run Tests: Check SharePoint Performance](https://aka.ms/PillarSiteandPagePerf)
+The Page Diagnostics for SharePoint tool is a browser extension for Microsoft Edge (https://www.microsoft.com/edge) and Chrome browsers that analyzes both SharePoint modern portal and classic publishing site pages.
-> [!NOTE]
-> This feature is not available for Microsoft 365 Government, Microsoft 365 operated by 21Vianet, or Microsoft 365 Germany.
+> [!IMPORTANT]
+> This tool only works for SharePoint in Microsoft 365, and canΓÇÖt be used on a SharePoint system page or on a SharePoint App page. The App page type is designed to be used for specific business applications within SharePoint and not for portals. The tool is designed to optimize portal pages and Teams site pages.
+
+The tool generates a report for each analyzed page showing how the page performs against a predefined set of rules and displays detailed information when results for a test fall outside the baseline value. SharePoint administrators and designers can use the tool to troubleshoot performance issues and to ensure that new pages are optimized prior to publishing.
+
+For more information about how to install and use the tool, see [Page Diagnostics for SharePoint tool](page-diagnostics-for-spo.md).
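Review bot: the removed note stated that the old diagnostic was not available for Microsoft 365 Government, 21Vianet or Germany; the replacement text says only that the tool "only works for SharePoint in Microsoft 365", which leaves the sovereign-cloud availability of the Page Diagnostics extension unstated. Either confirm that no such restriction applies or carry a sentence about it into the new `[!IMPORTANT]` block. Two style points: "can't" in that block uses a curly apostrophe while the rest of the article uses straight quotes ("you've", "What's"), and the Edge URL is a bare `(https://www.microsoft.com/edge)` rather than a Markdown link.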
-## Using the F12 tool bar to diagnose performance in SharePoint Online
+## Using the F12 tool bar to diagnose performance in SharePoint
<a name="F12ToolInfo"> </a>
-In this article, we use Internet Explorer 11. Versions of the F12 developer tools on other browsers have similar features though they may look slightly different. For information on the F12 developer tools, see:
+In this article, we use Internet Explorer 11. Versions of the F12 developer tools on other browsers have similar features though they might look slightly different. For information on the F12 developer tools, see:
- [What's new in F12 Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85))
You can also see the download times of the files on the right side as shown in t
This gives you a visual representation of how long the file took to load. The green line represents when the page is ready to be rendered by the browser. This can give you a quick view of the different files that might be causing slow page loads on your site.
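Review bot: this hunk keeps "we use Internet Explorer 11" (and the article description above still says "using Internet Explorer developer tools") while the new Page Diagnostics section a few lines earlier points readers at Microsoft Edge and Chrome; if the article is being refreshed, the F12 walkthrough should be redone against the Edge DevTools network tab, or at minimum state that the screenshots come from IE11 and that other browsers have equivalent tools. Separately, `<a name="F12ToolInfo"> </a>` is repeated under four headings in this file (here and under the baseline, response-header and "What's causing" sections); duplicate anchor names are invalid HTML and only the first is reachable, so each heading needs a unique name or the extra anchors should be removed.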
-## Setting up a non-customized baseline for SharePoint Online
+## Setting up a noncustomized baseline for SharePoint
<a name="F12ToolInfo"> </a>
-The best way to determine your site's performance weak points is to set up a completely out-of-the-box site collection in SharePoint Online. This way you can compare all the various aspects of your site with what you would get with no customization on the page. The OneDrive for Business home page is a good example of a separate site collection that is unlikely to have any customizations.
+The best way to determine your site's performance weak points is to set up a completely out-of-the-box site collection in SharePoint. This way you can compare all the various aspects of your site with what you would get with no customization on the page. The OneDrive for Business home page is a good example of a separate site collection that is unlikely to have any customizations.
## Viewing SharePoint response header information <a name="F12ToolInfo"> </a>
-In SharePoint Online, you can access the information that is sent back to the browser in the response header for each file. The most useful value for diagnosing performance issues is **SPRequestDuration**, which displays the amount of time that the request took on the server to be processed. This can help determine if the request is heavy and resource intensive. This is the best insight you have into how much work the server is doing to serve the page.
+In SharePoint, you can access the information that is sent back to the browser in the response header for each file. The most useful value for diagnosing performance issues is **SPRequestDuration**, which displays the amount of time that the request took on the server to be processed. This can help determine if the request is heavy and resource intensive. This is the best insight you have into how much work the server is doing to serve the page.
### To view SharePoint response header information
In SharePoint Online, you can access the information that is sent back to the br
![Diagram showing the URL of the response header.](../media/efc7076e-447e-447e-882a-ae3aa721e2c3.png)
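Review bot: the SharePoint Online to SharePoint rename misses the first sentence under "To view SharePoint response header information", which still begins "In SharePoint Online, you can access the information that is sent back to the browser"; that sentence is also nearly word for word the opening of the paragraph above it, so one of the two copies could be trimmed rather than renamed.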
-## What's causing performance issues in SharePoint Online?
+## What's causing performance issues in SharePoint?
<a name="F12ToolInfo"> </a>
-The article [Navigation options for SharePoint Online](navigation-options-for-sharepoint-online.md) shows an example of using the SPRequestDuration value to determine that the complicated structural navigation was causing the page to take a long time to process on the server. By taking a value for a baseline site (without customization), it's possible to determine if any given file is taking a long time to load. The example used in [Navigation options for SharePoint Online](navigation-options-for-sharepoint-online.md) is the main .aspx file. That file contains most of the ASP.NET code that runs for your page load. Depending on the site template you use, this could be start.aspx, home.aspx, default.aspx, or another name if you customize the home page. If this number is considerably higher than your baseline site, then it's a good indication that there's something complex going on in your page that is causing performance issues.
+The article [Navigation options for SharePoint](navigation-options-for-sharepoint-online.md) shows an example of using the SPRequestDuration value to determine that the complicated structural navigation was causing the page to take a long time to process on the server. By taking a value for a baseline site (without customization), it's possible to determine if any given file is taking a long time to load. The example used in [Navigation options for SharePoint](navigation-options-for-sharepoint-online.md) is the main .aspx file. That file contains most of the ASP.NET code that runs for your page load. Depending on the site template you use, this could be start.aspx, home.aspx, default.aspx, or another name if you customize the home page. If this number is considerably higher than your baseline site, then it's a good indication that there's something complex going on in your page that is causing performance issues.
Once you've identified that an issue specific to your site, the recommended way to figure out what is causing poor performance is to eliminate all of the possible causes, like page customizations, and then add them back to the site one by one. Once you have removed enough customizations that the page is performing well, you can then add back specific customizations one by one.
-For example, if you have a complex navigation try changing the navigation to not show sub-sites then check the developer tools to see if this makes a difference. Or if you have a large amount of content roll-ups try removing them from your page and see if this improves things. If you eliminate all of the possible causes and add them back in one at a time, you can easily identify which features are the biggest problem and then work towards a solution.
+For example, if you have a complex navigation try changing the navigation to not show subsites then check the developer tools to see if this makes a difference. Or if you have a large number of content roll-ups try removing them from your page and see if this improves things. If you eliminate all of the possible causes and add them back in one at a time, you can easily identify which features are the biggest problem and then work towards a solution.
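Review bot: the unchanged sentence just above this hunk, "Once you've identified that an issue specific to your site", is missing its verb; since the neighbouring paragraph is being edited anyway, change it to "Once you've identified that there's an issue specific to your site".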
enterprise Office 365 Network Mac Perf Onboarding Tool https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-onboarding-tool.md
description: "Microsoft 365 network connectivity test tool"
The Microsoft 365 network connectivity test tool is located at <https://connectivity.office.com>. It's an adjunct tool to the network assessment and network insights available in the Microsoft 365 admin center under the **Health | Connectivity** menu.
+> [!NOTE]
+> This document mentions the URL (<https://connectivity.office.com>) for the Global version of this tool. For other versions, please refer to the table below for the corresponding URLs.
++
+|Feature|Global service <https://connectivity.office.com>|US Government L4| US Government L5 (DOD) | China operated by 21Vianet <https://connectivity.sovcloud.cn>|
+|:--|:--|:--|:--|:--|
+|Anonymous test|✅|✖️|✖️|✅|
+|Print report | ✅|✖️|✖️|✅|
+|Login| ✅|✖️|✖️|✖️|
+|Save report | ✅|✖️|✖️|✖️|
+|View report | ✅|✖️|✖️|✖️|
+|Share report in tenant | ✅|✖️|✖️|✖️|
+|Share report to public | ✅|✖️|✖️|✖️|
+|Network health status | ✅|✖️|✖️|✅|
+|Multi-languages support: English,Chinese Simplified,Chinese Tranditional,Japanese| ✅|✖️|✖️|✅|
+|Testing from the command line| ✅|✖️|✖️|✖️|
+|FAQ| ✅|✖️|✖️|✅|
+|Community forum| ✅|✖️|✖️|✅|
++ > [!IMPORTANT] > It's important to sign in to your Microsoft 365 tenant as all test reports are shared with your administrator and uploaded to the tenant while you are signed in. > [!div class="mx-imgBorder"] > ![Connectivity test tool.](../media/m365-mac-perf/m365-mac-perf-test-tool-page.png)
->[!NOTE]
->The network connectivity test tool supports tenants in WW Commercial but not GCC Moderate, GCC High, DoD or China.
- Network insights in the Microsoft 365 Admin Center are based on regular in-product measurements for your Microsoft 365 tenant, aggregated each day. In comparison, network insights from the Microsoft 365 network connectivity test are run locally in the tool. In-product testing is limited, and running tests local to the user collects more data resulting in deeper insights. Network insights in the Microsoft 365 Admin Center show that there's a networking problem at a specific office location. The Microsoft 365 connectivity test can help to identify the root cause of that problem and provide a targeted performance improvement action.
Where an TLS/SSL certificate is found that isn't provided by Microsoft, we show
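Review bot: two added lines in this hunk (the one before the feature table and the one after it) contain only a `+` character, which will render as a literal plus sign on the page; they look like leftover blank-line markers and should be empty. In the table, "Chinese Tranditional" is a typo for "Chinese Traditional", the language list needs spaces after the commas, and "Multi-languages support" reads better as "Multilanguage support". The `[!IMPORTANT]` note that follows the table says to sign in so reports are uploaded to the tenant, but the table marks Login, Save report and Share report as unavailable for the 21Vianet version, so that note needs a qualifier for the China endpoint. Finally, the two US Government columns have no URL in their header cell; if the tool is not offered there at all (as the removed note implied), saying so in a sentence is clearer than a column of ✖️ marks.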
This section shows the results of an ICMP traceroute to the Exchange Online service front door, the SharePoint Online service front door, and the Microsoft Teams service front door. It's provided for information only and there's no associated network insight. There are three traceroutes provided. A traceroute to _outlook.office365.com_, a traceroute to the customers SharePoint front end or to _microsoft.sharepoint.com_ if one wasn't provided, and a traceroute to _world.tr.teams.microsoft.com_.
+> [!NOTE]
+> In reports generated in different versions, the addresses you see above may also vary slightly.
+ ## Connectivity reports When you're signed in you can review previous reports that you have run. You can also share them or delete them from the list.
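Review bot: "In reports generated in different versions, the addresses you see above may also vary slightly" does not say versions of what; since the feature table earlier in this article defines the Global and 21Vianet versions of the tool, name them here ("in reports generated by the 21Vianet version of the tool, the traceroute targets differ from the Global addresses listed above") so the reader knows which hostnames to expect.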
enterprise Request Fasttrack Assistance Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/request-fasttrack-assistance-microsoft-365.md
# Request FastTrack assistance for Microsoft 365
-The FastTrack request for assistance (RFA) form is now available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2226341" target="_blank">Microsoft 365 admin center</a>. Tenant admins use this form to request help from FastTrack specialists on their deployment and migration efforts. FastTrack assistance is available for tenants with 150 or more licenses from one of the [eligible plans](/microsoft-365/fasttrack/eligibility) for the following Microsoft product families: Microsoft 365, Office 365, Microsoft Viva, Enterprise Mobility + Security, and Windows 10/11.
+The FastTrack request for assistance (RFA) form is now available in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2226341" target="_blank">Microsoft 365 admin center</a> and the <a href="https://setup.microsoft.com/" target="_blank">Microsoft 365 Setup portal</a>. Submit this form to request guidance from FastTrack specialists with your Microsoft 365 deployment and migration efforts. FastTrack assistance is available for tenants with 150 or more licenses for the following Microsoft product families: Microsoft 365, Office 365, Microsoft Viva, Enterprise Mobility + Security, and Windows 10/11. See <a href="https://learn.microsoft.com/microsoft-365/fasttrack/eligibility" target="_blank">eligible plans</a> for details.
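Review bot: the removed line linked to the eligibility page with a relative docs link, `/microsoft-365/fasttrack/eligibility`, and the new line replaces it with an absolute `https://learn.microsoft.com/...` anchor; the relative form is what the rest of these docs use (see the other articles in this digest) and survives locale and environment switches, so keep it. The new sentence "Submit this form" also drops the subject; "Tenant admins and, via the Setup portal, other users submit this form" would match the two procedures that follow.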
-## How to submit an RFA in the admin center
+## Submit an RFA in the Microsoft 365 admin center
-1. In the Microsoft 365 admin center, open the <a href="https://go.microsoft.com/fwlink/p/?linkid=2226341" target="_blank">Advanced deployment guides & assistance</a> page. On the **FastTrack assistance** tab, select **Submit a new request**:
+1. Go to the Microsoft admin center at <a href="https://admin.microsoft.com" target="_blank">https://admin.microsoft.com</a>.
-1. Read the overview to see what information is needed for an RFA, and select **Next**.
+1. Select <a href="https://go.microsoft.com/fwlink/?linkid=2226341" target="_blank">Advanced deployment guides & assistance</a> on the home page.
+
+1. Select the **FastTrack assistance** tab and then select **Submit a new request**
+
+ a. After submission, receipt is confirmed with an RFA ID number, and the option to provide feedback about your experience.
+
+1. Select **Done**.
++
+## Submit an RFA at the MIcrosoft 365 Setup portal
-1. Select the products for FastTrack assistance, your planned deployment date, and whether you would like assistance with any more options (if applicable), and select **Next**.
+1. Go to the Microsoft 365 Setup portal at <a href="https://setup.microsoft.com" target="_blank">https://setup.microsoft.com</a>.
+
+1. Select Microsoft 365 deployment assistance.
+
+1. Select **submit a request for assistance**.
+
+1. Sign in with your work or school account.
+
+1. Select **Submit a new request**
+
+ a. After submission, receipt is confirmed with an RFA ID number, and the option to provide feedback about your experience.
+
+1. Select **Done**.
++
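Review bot: the removed steps covered the form pages between "Submit a new request" and submission (products, customer details, contacts, review and acknowledgment), and both new procedures jump straight from selecting **Submit a new request** to "After submission"; if the form still has those pages, each procedure needs at least a "Complete the form and select **Submit**" step, and the "a." sub-item, which describes an outcome rather than an action, should become a plain sentence after the step. Other points in this region: the heading "Submit an RFA at the MIcrosoft 365 Setup portal" has a typo in "MIcrosoft"; the added lines that contain only `+` (one before each heading) will render as literal plus signs; step 1 says "Microsoft admin center" where the intro says "Microsoft 365 admin center"; "Select Microsoft 365 deployment assistance" is not bolded like the other UI labels while "**submit a request for assistance**" is bolded but lowercase; and the two "Select **Submit a new request**" steps lack a final period.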
+## View RFA details and status
+
+You can check the status of a submitted RFA in the Microsoft 365 admin center or the Microsoft 365 Setup portal.
+
+For tenant admins:
-1. On the **Customer details** page, enter a unique project name, your organization's service location, your preferred language, and any comments about the project, and select **Next**.
+1. Go to the Microsoft admin center at <a href="https://admin.microsoft.com" target="_blank">https://admin.microsoft.com</a>.
-1. On the **Contacts** page, enter your phone number and confirm your title, and select **Next**.
+1. Go to <a href="https://go.microsoft.com/fwlink/?linkid=2226341" target="_blank">Advanced deployment guides & assistance</a>.
-1. Enter the primary contact and business sponsor for the request. If youΓÇÖre also the primary contact, select the **Same as the requester** checkbox, and select **Next**.
+1. Select the **FastTrack assistance** tab to view your FastTrack request for assistance history.
-1. On the **Review** page, view your request's information and make edits, if needed. Select the checkbox next to the acknowledgment message, and select **Submit**. 
+1. Select an RFA from the status and history list to view details about the request.
-1. After submission, receipt of your request will be confirmed, your RFA ID will be provided, and you'll be given the option to provide feedback about your experience. Select **Done**.
+For non-admins:
-## How to find RFA details and status updates
+1. Go to <a href="https://setup.microsoft.com/microsoft-365-fasttrack-assistance" target="_blank">setup.microsoft.com/microsoft-365-fasttrack-assistance</a>.
-1. After you submit your RFA, you can find your tenant's RFA history on the **FastTrack assistance** tab of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2226341" target="_blank">Advanced deployment guides & assistance</a> page at the Microsoft 365 admin center.
+1. Select **Sign in** and choose **I'm not an admin** before entering your work or school account.
-2. Under **Request for assistance status and history**, you can find a list of all historical submissions for your tenant with the request name, requested products, status, submission date, and who submitted the request.
+1. Select an RFA from the status and history list to view details about the request.
-3. Select an RFA to open a details pane with the request details and status history.
+A list of all submitted RFAs can be viewed with details on the requester, contacts, selected products, RFA status, and submission date.
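Review bot: "Microsoft admin center" appears again in the admin steps here and should be "Microsoft 365 admin center" for consistency with the intro. The closing sentence, "A list of all submitted RFAs can be viewed with details on...", does not say where; since it replaces the removed "Under **Request for assistance status and history**" step, name the tab or list it refers to so it is not left hanging after the non-admin procedure.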
security Auto Investigation Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/auto-investigation-action-center.md
Title: Visit the Action center to see remediation actions description: Use the action center to view details and results following an automated investigation
-keywords: action, center, autoir, automated, investigation, response, remediation
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 02/21/2024 # Visit the Action center to see remediation actions
security Autoir Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/autoir-investigation-results.md
Title: View the details and results of an automated investigation description: During and after an automated investigation, you can view the results and key findings
-keywords: automated, investigation, results, analyze, details, remediation, autoair
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
- autoir - admindeeplinkDEFENDER Previously updated : 03/15/2021 Last updated : 02/21/2024 # View the details and results of an automated investigation
security Basic Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/basic-permissions.md
Title: Use basic permissions to access the portal description: Learn how to use basic permissions to access the Microsoft Defender for Endpoint portal.
-keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium
- - has-azure-ad-ps-ref, azure-ad-ref-level-one-done
-
+ - has-azure-ad-ps-ref
+ - azure-ad-ref-level-one-done
+ audience: ITPro - m365-security - tier2 search.appverid: met150 Previously updated : 01/18/2024 Last updated : 02/21/2024 # Use basic permissions to access the portal
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
Previously updated : 02/24/2022 Last updated : 02/15/2024 - m365-security - tier2
search.appverid: met150
**Platforms** - Windows
+- macOS
+- Linux
Microsoft Defender Antivirus uses many intelligent mechanisms for detecting malware. One of the most powerful capabilities is the ability to apply the power of the cloud to detect malware and perform rapid analysis. Cloud protection and automatic sample submission work together with Microsoft Defender Antivirus to help protect against new and emerging threats.
Microsoft Defender Antivirus and cloud protection automatically block most new,
3. High-precision antivirus, detecting common malware through generic and heuristic techniques.
-4. Advanced cloud-based protection is provided for cases when Microsoft Defender Antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.
+1. Advanced cloud-based protection is provided for cases when Microsoft Defender Antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.
1. In the event Microsoft Defender Antivirus can't make a clear determination, file metadata is sent to the cloud protection service. Often within milliseconds, the cloud protection service can determine based on the metadata as to whether the file is malicious or not a threat.
Microsoft Defender Antivirus and cloud protection automatically block most new,
- Can be synchronous or asynchronous. For synchronous, the file won't open until the cloud renders a verdict. For asynchronous, the file opens while cloud protection performs its analysis. - Metadata can include PE attributes, static file attributes, dynamic and contextual attributes, and more (see [Examples of metadata sent to the cloud protection service](#examples-of-metadata-sent-to-the-cloud-protection-service)).
- 2. After examining the metadata, if Microsoft Defender Antivirus cloud protection can't reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:
-
+ 1. After examining the metadata, if Microsoft Defender Antivirus cloud protection can't reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:
+
1. **Send safe samples automatically** - Safe samples are samples considered to not commonly contain PII data like: .bat, .scr, .dll, .exe. - If file is likely to contain PII, the user gets a request to allow file sample submission. - This option is the default on Windows, macOS, and Linux.
- 2. **Always Prompt**
+ 1. **Always Prompt**
- If configured, the user is always prompted for consent before file submission
- - This setting isn't available in macOS cloud protection
-
+ - This setting isn't available in macOS and Linux cloud protection
+
3. **Send all samples automatically** - If configured, all samples are sent automatically - If you would like sample submission to include macros embedded in Word docs, you must choose "Send all samples automatically" - This setting isn't available on macOS cloud protection
- 4. **Do not send**
+ 1. **Do not send**
- Prevents "block at first sight" based on file sample analysis
- - "Don't send" is the equivalent to the "Disabled" setting in macOS policy
+ - "Don't send" is the equivalent to the "Disabled" setting in macOS policy and "None" setting in Linux policy.
- Metadata is sent for detections even when sample submission is disabled
- 3. After metadata and/or files are submitted to cloud protection, you can use **samples**, **detonation**, or **big data analysis** machine-learning models to reach a verdict. Turning off cloud-delivered protection limits analysis to only what the client can provide through local machine-learning models, and similar functions.
-
+ 1. After files are submitted to cloud protection, the submitted files can be **scanned**, **detonated**, and processed through **big data analysis** **machine-learning** models to reach a verdict. Turning off cloud-delivered protection limits analysis to only what the client can provide through local machine-learning models, and similar functions.
+
> [!IMPORTANT] > [Block at first sight (BAFS)](configure-block-at-first-sight-microsoft-defender-antivirus.md) provides detonation and analysis to determine whether a file or process is safe. BAFS can delay the opening of a file momentarily until a verdict is reached. If you disable sample submission, BAFS is also disabled, and file analysis is limited to metadata only. We recommend keeping sample submission and BAFS enabled. To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight)
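Review bot: the rewritten step 3 (`+ 1. After files are submitted to cloud protection, ...`) drops the metadata path that the removed `After metadata and/or files are submitted` line covered, yet the bullet `Metadata is sent for detections even when sample submission is disabled` and the IMPORTANT note (analysis limited to metadata only when sample submission is off) both describe exactly that case; keep "After metadata and/or files are submitted" so the metadata-only flow still ends in a verdict step. Two smaller points in the same hunk: `**big data analysis** **machine-learning** models` is two adjacent bold spans and renders with a visible gap, so merge them into one phrase such as `**big data analysis and machine-learning** models`; and since **Always Prompt** now says the setting isn't available in macOS and Linux, and **Do not send** gains a Linux "None" equivalent, confirm whether item 3 **Send all samples automatically**, which still says "isn't available on macOS cloud protection" only, also needs a Linux statement. The heading **Do not send** and its bullet `"Don't send" is the equivalent ...` should also use the same name for the option.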
security Device Health Microsoft Defender Antivirus Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health.md
Title: Device health Microsoft Defender Antivirus health report
description: Use the Microsoft Defender Antivirus report to track antivirus status and Microsoft Defender Antivirus engine, intelligence, and platform versions. search.appverid: met150 --++ localization_priority: Normal Last updated 09/06/2022-+ audience: ITPro - m365-security
security Device Health Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-reports.md
localization_priority: Normal Last updated 09/06/2022 -+ audience: ITPro - m365-security
security Device Health Sensor Health Os https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-sensor-health-os.md
Title: Device health Sensor health & OS report description: Use the device health report to track device health, OS platforms, and Windows 10 versions.
-keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
--++ localization_priority: Normal Last updated 09/06/2022 -+ audience: ITPro - m365-security
security Device Timeline Event Flag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Download Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/download-client-analyzer.md
Title: Download the Microsoft Defender for Endpoint client analyzer description: Learn how to download the Microsoft Defender for Endpoint Client Analyzer on Windows, macOS, or Linux.
-keywords: download, client analyzer, troubleshoot sensor, analyzer, mdeanalyzer
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: met150 Previously updated : 03/23/2021 Last updated : 02/21/2024 # Download the Microsoft Defender for Endpoint client analyzer
security Edr Detection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-detection.md
Title: EDR detection test for verifying device's onboarding and reporting service description: EDR detection test to verify the device's proper onboarding and reporting to the service.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
Title: Endpoint detection and response in block mode description: Learn about endpoint detection and response in block mode----++++ audience: ITPro
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
ms.localizationpriority: medium
audience: ITPro -+
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
Title: Turn on cloud protection in Microsoft Defender Antivirus description: Turn on cloud protection to benefit from fast and advanced protection features.
-keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight
-ms.sitesec: library
ms.localizationpriority: medium---+++ Last updated 05/24/2023 -+
security Enable Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md
ms.localizationpriority: medium audience: ITPro----++++ - m365-security
security Enable Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-exploit-protection.md
description: Learn how to enable exploit protection in Windows. Exploit protecti
ms.localizationpriority: medium audience: ITPro--++ -+
security Enable Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md
Title: Turn on network protection description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
-keywords: Network protection, exploits, malicious website, ip, domain, domains, enable, turn on
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium Last updated 10/18/2022 -+ - m365-security
security Enable Troubleshooting Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode.md
Title: Get started with troubleshooting mode in Microsoft Defender for Endpoint
description: Turn on the Microsoft Defender for Endpoint troubleshooting mode to address various antivirus issues. search.appverid: met150 --++ ms.localizationpriority: medium-+ audience: ITPro
security Enable Update Mdav To Latest Ws https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws.md
Title: Enable and update Microsoft Defender Antivirus on Windows Server description: Learn how to enable and update Microsoft Defender Antivirus on Windows Server
-keywords: Windows Server, Defender Antivirus
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: high Last updated 01/31/2024-+ audience: ITPro - m365-security
security Endpoint Attack Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/endpoint-attack-notifications.md
Title: Endpoint Attack Notifications description: Endpoint Attack Notifications provides proactive hunting for the most important threats to your network.
-keywords: Endpoint Attack Notification, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts, endpoint attack notification, Ask Defender Experts, experts on demand
-search.product: Windows 10
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Evaluate Controlled Folder Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access.md
Title: Evaluate controlled folder access
-description: See how controlled folder access can help protect files from being changed by malicious apps.
-keywords: Exploit protection, windows 10, windows 11, windows defender, ransomware, protect, evaluate, test, demo, try
+description: See how controlled folder access can help protect files from malicious apps.
-ms.sitesec: library
ms.localizationpriority: medium audience: ITPro ----++++ - m365-security
This article helps you evaluate controlled folder access. It explains how to ena
## Use audit mode to measure impact
-Enable the controlled folder access in audit mode to see a record of what *would* have happened if it was fully enabled. Test how the feature will work in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
+Enable the controlled folder access in audit mode to see a record of what could occur if it were enabled. Test how the feature works in your organization to ensure it doesn't affect your line-of-business apps. You can also get an idea of how many suspicious attempts to modify files generally occur over a certain period of time.
To enable audit mode, use the following PowerShell cmdlet:
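Review bot: the new wording `to see a record of what could occur if it were enabled` loses the audit-mode semantics that the removed line stated correctly. Audit mode records what *would have been blocked* had the feature been fully enabled, not what could occur; suggest `to see a record of what would have been blocked if the feature were fully enabled`, which also matches the 1124 "Audited controlled folder access event" row in the table further down this article.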
You can also use Group Policy, Intune, mobile device management (MDM), or Micros
The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.
-Event ID | Description
--|-
- 5007 | Event when settings are changed
- 1124 | Audited controlled folder access event
- 1123 | Blocked controlled folder access event
+| Event ID | Description |
+| --|--|
+| 5007 | Event when settings are changed |
+| 1124 | Audited controlled folder access event |
+| 1123 | Blocked controlled folder access event |
> [!TIP] > You can configure a [Windows Event Forwarding subscription](/windows/win32/wec/setting-up-a-source-initiated-subscription) to collect the logs centrally. ## Customize protected folders and apps
-During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
+During your evaluation, you might want to add to the list of protected folders, or allow certain apps to modify files.
See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM configuration service providers (CSPs).
See [Protect important folders with controlled folder access](controlled-folders
- [Protect important folders with controlled folder access](controlled-folders.md) - [Evaluate Microsoft Defender for Endpoint](evaluate-mde.md) - [Use audit mode](audit-windows-defender.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Evaluate Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-exploit-protection.md
Title: See how Exploit protection works in a demo description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps.
-keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium audience: ITPro--++ -+
security Evaluate Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-mde.md
Title: Evaluate Microsoft Defender for Endpoint description: Evaluate the different security capabilities in Microsoft Defender for Endpoint.
-keywords: attack surface reduction, evaluate, next, generation, protection
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Evaluate Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus.md
Title: Evaluate Microsoft Defender Antivirus description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows.
-keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
-ms.sitesec: library
ms.localizationpriority: medium --++ Last updated 10/18/2018 -+ - m365-security
security Evaluate Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-network-protection.md
Title: Evaluate network protection description: See how network protection works by testing common scenarios that it protects against.
-keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
-ms.sitesec: library
ms.localizationpriority: medium audience: ITPro --++ -+ - m365-security
Last updated 12/18/2020
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
-[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet.
-This article helps you evaluate network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
+This article helps you evaluate network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site replicates the behavior that would happen if a user visited a malicious site or domain.
## Enable network protection in audit mode
-Enable network protection in audit mode to see which IP addresses and domains would have been blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur.
+Enable network protection in audit mode to see which IP addresses and domains might be blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet:
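Review bot: `+Enable network protection in audit mode to see which IP addresses and domains might be blocked.` weakens the meaning of the line it replaces. Audit mode logs what would have been blocked in block mode (the article itself says `To review apps that would have been blocked, open Event Viewer` a few lines later), so keep `would have been blocked` rather than `might be blocked`; "might be blocked" reads as if the outcome were undecided.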
Enable network protection in audit mode to see which IP addresses and domains wo
2. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net).
- The network connection will be allowed and a test message will be displayed.
+ The network connection is allowed and a test message displays.
:::image type="content" source="images/np-notif.png" alt-text="The connection blockage notification" lightbox="images/np-notif.png":::
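Review bot: `+ The network connection is allowed and a test message displays.` uses `displays` intransitively, which reads awkwardly; `a test message is displayed` or `a test message appears` is clearer. Also check the image directly below: its alt text is `The connection blockage notification`, which describes a block, while this step describes the audit-mode case in which the connection is allowed; if the screenshot shows the audit notification, the alt text should say so.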
To review apps that would have been blocked, open Event Viewer and filter for Ev
- [Enable network protection](enable-network-protection.md) - [Troubleshoot network protection](troubleshoot-np.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
Title: Microsoft Defender for Endpoint evaluation lab description: Learn about Microsoft Defender for Endpoint capabilities, run attack simulations, and see how it prevents, detects, and remediates threats. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Event Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-error-codes.md
Title: Review events and errors using Event Viewer description: Get descriptions and further troubleshooting steps (if necessary) for all events reported by the Microsoft Defender for Endpoint service.
-keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender for Endpoint service, can't start, broken, can't start
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: met150
## View events in the Defender for Endpoint service event log
-You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices. This can help when, for example, a device isn't appearing in the Devices list. In this scenario, you can look for event IDs on the device and then use the table below to determine further troubleshooting steps based on the corresponding event ID.
+You can review event IDs in the [Event Viewer](/shows/inside/event-viewer) on individual devices. This can help when, for example, a device isn't appearing in the Devices list. In this scenario, you can look for event IDs on the device and then use the table below to determine further troubleshooting steps based on the corresponding event ID.
To open the Defender for Endpoint service event log:
> [!NOTE] > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.
-3. Events recorded by the service will appear in the log.
+3. Events recorded by the service appear in the log.
See the following table for a list of events recorded by the service.
|1|Microsoft Defender for Endpoint service started (Version `variable`).|Occurs during system startup, shut down, and during onboarding.|Normal operating notification; no action required.| |2|Microsoft Defender for Endpoint service shutdown.|Occurs when the device is shut down or offboarded.|Normal operating notification; no action required.| |3|Microsoft Defender for Endpoint service failed to start. Failure code: `variable`.|Service didn't start.|Review other messages to determine possible cause and troubleshooting steps.|
- |4|Microsoft Defender for Endpoint service contacted the server at `variable`.|Variable = URL of the Defender for Endpoint processing servers. <p> This URL will match that seen in the Firewall or network activity.|Normal operating notification; no action required.|
- |5|Microsoft Defender for Endpoint service failed to connect to the server at `variable`.|Variable = URL of the Defender for Endpoint processing servers. <p> The service couldn't contact the external processing servers at that URL.|Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).|
- |6|Microsoft Defender for Endpoint service isn't onboarded and no onboarding parameters were found.|The device didn't onboard correctly and won't be reporting to the portal.|Onboarding must be run before starting the service. <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
- |7|Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure: `variable`.|Variable = detailed error description. The device didn't onboard correctly and won't be reporting to the portal.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
- |8|Microsoft Defender for Endpoint service failed to clean its configuration. Failure code: `variable`.|**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <p> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.|**Onboarding:** No action required. <p> **Offboarding:** Reboot the system. <p> See [Onboard Windows client devices](configure-endpoints.md).|
- |9|Microsoft Defender for Endpoint service failed to change its start type. Failure code: `variable`.|**During onboarding:** The device didn't onboard correctly and won't be reporting to the portal. <p>**During offboarding:** Failed to change the service start type. The offboarding process continues. |Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
- |10|Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: `variable`.|The device didn't onboard correctly and won't be reporting to the portal.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
- |11|Onboarding or re-onboarding of Defender for Endpoint service completed.|The device onboarded correctly.|Normal operating notification; no action required. <p> It may take several hours for the device to appear in the portal.|
+ |4|Microsoft Defender for Endpoint service contacted the server at `variable`.|Variable = URL of the Defender for Endpoint processing servers. <br/><br/> This URL matches that seen in the Firewall or network activity.|Normal operating notification; no action required.|
+ |5|Microsoft Defender for Endpoint service failed to connect to the server at `variable`.|Variable = URL of the Defender for Endpoint processing servers. <br/><br/> The service couldn't contact the external processing servers at that URL.|Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).|
+ |6|Microsoft Defender for Endpoint service isn't onboarded and no onboarding parameters were found.|The device didn't onboard correctly and isn't reporting to the portal.|Onboarding must be run before starting the service. <br/><br/> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
+ |7|Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure: `variable`.|Variable = detailed error description. The device didn't onboard correctly and isn't reporting to the portal.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
+ |8|Microsoft Defender for Endpoint service failed to clean its configuration. Failure code: `variable`.|**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <br/><br/> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.|**Onboarding:** No action required. <br/><br/> **Offboarding:** Reboot the system. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
+ |9|Microsoft Defender for Endpoint service failed to change its start type. Failure code: `variable`.|**During onboarding:** The device didn't onboard correctly and isn't reporting to the portal. <br/><br/>**During offboarding:** Failed to change the service start type. The offboarding process continues. |Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
+ |10|Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: `variable`.|The device didn't onboard correctly and isn't reporting to the portal.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
+ |11|Onboarding or reonboarding of Defender for Endpoint service completed.|The device onboarded correctly.|Normal operating notification; no action required. <br/><br/> It might take several hours for the device to appear in the portal.|
|12|Microsoft Defender for Endpoint failed to apply the default configuration.|Service was unable to apply the default configuration.|This error should resolve after a short period of time.| |13|Microsoft Defender for Endpoint device ID calculated: `variable`.|Normal operating process.|Normal operating notification; no action required.|
- |15|Microsoft Defender for Endpoint cannot start command channel with URL: `variable`.|Variable = URL of the Defender for Endpoint processing servers. <p> The service couldn't contact the external processing servers at that URL.|Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).|
- |17|Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled. <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
+ |15|Microsoft Defender for Endpoint can't start command channel with URL: `variable`.|Variable = URL of the Defender for Endpoint processing servers. <br/><br/> The service couldn't contact the external processing servers at that URL.|Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).|
+ |17|Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled. <br/><br/> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
|18|OOBE (Windows Welcome) is completed.|Service will only start after any Windows updates have finished installing.|Normal operating notification; no action required.|
- |19|OOBE (Windows Welcome) has not yet completed.|Service will only start after any Windows updates have finished installing.|Normal operating notification; no action required. <p> If this error persists after a system restart, ensure all Windows updates have full installed.|
- |20|Cannot wait for OOBE (Windows Welcome) to complete. Failure code: `variable`.|Internal error.|If this error persists after a system restart, ensure all Windows updates have full installed.|
- |25|Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: `variable`.|The device didn't onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
- |26|Microsoft Defender for Endpoint service failed to set the onboarding status in the registry. Failure code: `variable`.|The device didn't onboard correctly. <p> It will report to the portal, however the service may not appear as registered in SCCM or the registry.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
- |27|Microsoft Defender for Endpoint service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code: `variable`.|Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md). <p> Ensure real-time antimalware protection is running properly.|
- |28|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration failed. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
- |29|Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3|This event occurs when the system can't read the offboarding parameters.|Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package hasn't expired.|
- |30|Microsoft Defender for Endpoint service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code: `variable`.|Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md). <p> Ensure real-time antimalware protection is running properly.|
+ |19|OOBE (Windows Welcome) hasn't yet completed.|Service will only start after any Windows updates finish installing.|Normal operating notification; no action required. <br/><br/> If this error persists after a system restart, ensure all Windows updates have full installed.|
+ |20|Can't wait for OOBE (Windows Welcome) to complete. Failure code: `variable`.|Internal error.|If this error persists after a system restart, ensure all Windows updates are installed.|
+ |25|Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: `variable`.|The device didn't onboard correctly. It reports to the portal; however, the service might not appear as registered in SCCM or the registry.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
+ |26|Microsoft Defender for Endpoint service failed to set the onboarding status in the registry. Failure code: `variable`.|The device didn't onboard correctly. <br/><br/> It reports to the portal; however the service may not appear as registered in SCCM or the registry.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
+ |27|Microsoft Defender for Endpoint service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code: `variable`.|Normally, Microsoft Defender Antivirus enters a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md). <br/><br/> Ensure real-time antimalware protection is running properly.|
+ |28|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration failed. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <br/><br/> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
+ |29|Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3|This event occurs when the system can't read the offboarding parameters.|Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package isn't expired.|
+ |30|Microsoft Defender for Endpoint service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code: `variable`.|Normally, Microsoft Defender Antivirus enters a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint.|Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md). <br/><br/> Ensure real-time antimalware protection is running properly.|
|31|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service unregistration failed. Failure code: `variable`.|An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.|[Check for errors with the Windows telemetry service](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled).| |32|Microsoft Defender for Endpoint service failed to request to stop itself after offboarding process. Failure code: %1|An error occurred during offboarding.|Reboot the device.|
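Review bot: Row 19's resolution text in the added lines reads "ensure all Windows updates have full installed", which should be "are fully installed" (row 20 in the same hunk already says "are installed"). Rows 25 and 26 also describe the same condition with different punctuation and modal verbs ("however, the service might not appear" versus "however the service may not appear"); since both rows are rewritten here, align them on one wording.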
- |33|Microsoft Defender for Endpoint service failed to persist SENSE GUID. Failure code: `variable`.|A unique identifier is used to represent each device that is reporting to the portal. <p> If the identifier doesn't persist, the same device might appear twice in the portal.|Check registry permissions on the device to ensure the service can update the registry.|
- |34|Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
+ |33|Microsoft Defender for Endpoint service failed to persist SENSE GUID. Failure code: `variable`.|A unique identifier is used to represent each device that is reporting to the portal. <br/><br/> If the identifier doesn't persist, the same device might appear twice in the portal.|Check registry permissions on the device to ensure the service can update the registry.|
+ |34|Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <br/><br/> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <br/><br/> See [Onboard Windows client devices](configure-endpoints.md).|
|35| Communication quotas are updated. Disk quota in MB: `variable`, daily upload quota in MB: `variable`| Variable = disk quota in MB. |Normal operating notification; no action required.| |36|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration succeeded. Completion code: `variable`.|Registering Defender for Endpoint with the Connected User Experiences and Telemetry service completed successfully.|Normal operating notification; no action required.|
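Review bot: Row 34 in the added lines still reads "causing onboarding process to fail"; since the row is being rewritten anyway, add the article: "causing the onboarding process to fail".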
- |37|Microsoft Defender for Endpoint A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.|The device has almost used its allocated quota of the current 24-hour window. It's about to be throttled.|Normal operating notification; no action required.|
- |38|Network connection is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.|The device is using a metered/paid network and will be contacting the server less frequently.|Normal operating notification; no action required.|
- |39|Network connection is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.|The device isn't using a metered/paid connection and will contact the server as usual.|Normal operating notification; no action required.|
- |40|Battery state is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.|The device has low battery level and will contact the server less frequently.|Normal operating notification; no action required.|
- |41|Battery state is identified as normal. Microsoft Defender for Endpoint will contact the server every %1 minutes. Battery state: %2.|The device doesn't have low battery level and will contact the server as usual.|Normal operating notification; no action required.|
+ |37|Microsoft Defender for Endpoint A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.|The device is near its allocated quota of the current 24-hour window. It's about to be throttled.|Normal operating notification; no action required.|
+ |38|Network connection is identified as low. Microsoft Defender for Endpoint contacts the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.|The device is using a metered/paid network and contacts the server less frequently.|Normal operating notification; no action required.|
+ |39|Network connection is identified as normal. Microsoft Defender for Endpoint contacts the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.|The device isn't using a metered/paid connection and contacts the server as usual.|Normal operating notification; no action required.|
+ |40|Battery state is identified as low. Microsoft Defender for Endpoint contacts the server every %1 minutes. Battery state: %2.|The device has low battery level and contacts the server less frequently.|Normal operating notification; no action required.|
+ |41|Battery state is identified as normal. Microsoft Defender for Endpoint contacts the server every %1 minutes. Battery state: %2.|The device doesn't have low battery level and contacts the server as usual.|Normal operating notification; no action required.|
|42|Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4|Internal error. The service failed to start.|If this error persists, contact Support.| |43|Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5|Internal error. The service failed to start.|If this error persists, contact Support.| |44|Offboarding of Defender for Endpoint service completed.|The service was offboarded.|Normal operating notification; no action required.| |45|Failed to register and to start the event trace session [%1]. Error code: %2|An error occurred on service startup while creating ETW session. This caused service start-up failure.|If this error persists, contact Support.|
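Review bot: Rows 40 and 41 in the added lines say "has low battery level" and "doesn't have low battery level"; both need the article ("a low battery level"). The tense change from "will contact" to "contacts" is applied consistently across rows 37 through 41, which is good.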
- |46|Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.|An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but won't report any sensor event until the ETW session is started.|Normal operating notification; no action required. The service will try to start the session every minute.|
+ |46|Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service retries in 1 minute.|An error occurred on service startup while creating ETW session due to lack of resources. The service is running, but doesn't report sensor events until the ETW session starts.|Normal operating notification; no action required. The service tries to start the session every minute.|
|47|Successfully registered and started the event trace session - recovered after previous failed attempts.|This event follows the previous event after successfully starting of the ETW session.|Normal operating notification; no action required.|
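Review bot: Row 46's resolution column still says "no action required" even though the rewritten description states that no sensor events are reported until the ETW session starts, so a device stuck in the retry loop silently stops sending data. Row 52 already uses the pattern "If you don't see event #50 - contact Support"; consider the same here, e.g. "If event 47 does not follow after a few retries, investigate the number of active event trace sessions or contact Support."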
- |48|Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.|Failed to add a provider to ETW session. As a result, the provider events aren't reported.|Check the error code. If the error persists contact Support.|
+ |48|Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider aren't reported.|Failed to add a provider to ETW session. As a result, the provider events aren't reported.|Check the error code. If the error persists contact Support.|
|49|Invalid cloud configuration command received and ignored. Version: %1, status: %2, error code: %3, message: %4|Received an invalid configuration file from the cloud service that was ignored.|If this error persists, contact Support.| |50|New cloud configuration applied successfully. Version: %1.|Successfully applied a new configuration from the cloud service.|Normal operating notification; no action required.| |51|New cloud configuration failed to apply, version: %1. Successfully applied the last known good configuration, version %2.|Received a bad configuration file from the cloud service. Last known good configuration was applied successfully.|If this error persists, contact Support.| |52|New cloud configuration failed to apply, version: %1. Also failed to apply last known good configuration, version %2. Successfully applied the default configuration.|Received a bad configuration file from the cloud service. Failed to apply the last known good configuration - and the default configuration was applied.|The service will attempt to download a new configuration file within 5 minutes. If you don't see event #50 - contact Support.| |53|Cloud configuration loaded from persistent storage, version: %1.|The configuration was loaded from persistent storage on service startup.|Normal operating notification; no action required.|
- |54| Global (per-pattern) state changed. State: %1, pattern: %2 | If state = 0: Cyber-data reporting rule has reached its defined capping quota and won't send more data until the capping quota expires. If state = 1: The capping quota expired and the rule will resume sending data. | Normal operating notification; no action required. |
+ |54| Global (per-pattern) state changed. State: %1, pattern: %2 | If state = 0: Cyber-data reporting rule has reached its defined capping quota and doesn't send more data until the capping quota expires. If state = 1: The capping quota expired and the rule will resume sending data. | Normal operating notification; no action required. |
|55|Failed to create the Secure ETW autologger. Failure code: %1|Failed to create the secure ETW logger.|Reboot the device. If this error persists, contact Support.| |56|Failed to remove the Secure ETW autologger. Failure code: %1|Failed to remove the secure ETW session on offboarding.|Contact Support.| |57|Capturing a snapshot of the machine for troubleshooting purposes.|An investigation package, also known as forensics package, is being collected.|Normal operating notification; no action required.| |59|Starting command: %1|Starting response command execution.|Normal operating notification; no action required.| |60|Failed to run command %1, error: %2.|Failed to execute response command.|If this error persists, contact Support.| |61|Data collection command parameters are invalid: SasUri: %1, compressionLevel: %2.|Failed to read or parse the data collection command arguments (invalid arguments).|If this error persists, contact Support.|
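Review bot: Row 54 in the added line changes "won't send more data" to "doesn't send more data" but leaves "the rule will resume sending data" in the same cell, so the future tense this change is removing elsewhere survives in the second sentence. Suggest "the rule resumes sending data".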
- |62|Failed to start Connected User Experiences and Telemetry service. Failure code: %1|Connected User Experiences and Telemetry (diagtrack) service failed to start. Non-Microsoft Defender for Endpoint telemetry won't be sent from this machine.|Look for more troubleshooting hints in the event log: Microsoft-Windows-UniversalTelemetryClient/Operational.|
+ |62|Failed to start Connected User Experiences and Telemetry service. Failure code: %1|Connected User Experiences and Telemetry (diagtrack) service failed to start. Non-Microsoft Defender for Endpoint telemetry isn't sent from this machine.|Look for more troubleshooting hints in the event log: Microsoft-Windows-UniversalTelemetryClient/Operational.|
|63|Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4|Updated start type of the external service.|Normal operating notification; no action required.| |64|Starting stopped external service. Name: %1, exit code: %2|Starting an external service.|Normal operating notification; no action required.| |65|Failed to load Microsoft Security Events Component Minifilter driver. Failure code: %1|Failed to load MsSecFlt.sys filesystem minifilter.|Reboot the device. If this error persists, contact Support.|
See the following table for a list of events recorded by the service.
|87|Cannot start the external service. Name: %1|Failed to start the external service.|Contact Support.| |88|Updating the start type of external service again. Name: %1, actual start type: %2, expected start type: %3, exit code: %4|Updated the start type of the external service.|Normal operating notification; no action required.| |89|Cannot update the start type of external service. Name: %1, actual start type: %2, expected start type: %3|Can't update the start type of the external service.|Contact Support.|
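Review bot: Row 62's description in the added line, "Non-Microsoft Defender for Endpoint telemetry isn't sent from this machine", is ambiguous: it can be read as telemetry from a non-Microsoft product. Since the diagtrack service failing affects Windows diagnostic data other than the Defender for Endpoint sensor's, suggest "Telemetry other than Defender for Endpoint's isn't sent from this machine." Also, "machine" here and "device" elsewhere in the table are used interchangeably; pick one.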
- |90|Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region %1. Failure code: %2|System Guard Runtime Monitor won't send attestation data to the cloud service.|Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.|
- |91|Failed to remove System Guard Runtime Monitor geo-region information. Failure code: %1|System Guard Runtime Monitor won't send attestation data to the cloud service.|Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.|
+ |90|Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region %1. Failure code: %2|System Guard Runtime Monitor doesn't send attestation data to the cloud service.|Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.|
+ |91|Failed to remove System Guard Runtime Monitor geo-region information. Failure code: %1|System Guard Runtime Monitor doesn't send attestation data to the cloud service.|Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.|
|92|Stopping sending sensor cyber data quota because data quota is exceeded. Will resume sending once quota period passes. State Mask: %1|Exceed throttling limit.|Normal operating notification; no action required.| |93|Resuming sending sensor cyber data. State Mask: %1|Resume cyber data submission.|Normal operating notification; no action required.| |94|Microsoft Defender for Endpoint executable has started|The SenseCE executable has started.|Normal operating notification; no action required.|
See the following table for a list of events recorded by the service.
|110 |Failed to remove MDEContain WFP filters. | Occurs during offboarding. | Contact support. | |307| Failed to update driver permissions Failure code: %1. |Occurs during onboarding. |Contact support. | |308 | Failed to ACL on Folder %1 Failure code: %2. |Occurs during onboarding. | Contact support. |
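Review bot: Rows 90 and 91 in the added lines carry over "Check the permissions on register path" from the removed lines; this should be "registry path" (the value quoted is an HKLM key). Both rows are rewritten here, so fix it in both.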
- |401 | Microsoft Defender for Endpoint service failed to generate key. Failure code: %1. | Failed to create crypto key.|If machine is not reporting, contact support. Otherwise, no action required. |
- |402 |Microsoft Defender for Endpointservice failed to persist authentication state. Failure code: %1.| Failed to persist authentication state. | If machine is not reporting, contact support. Otherwise, no action required. |
+ |401 | Microsoft Defender for Endpoint service failed to generate key. Failure code: %1. | Failed to create crypto key.|If machine isn't reporting, contact support. Otherwise, no action required. |
+ |402 |Microsoft Defender for Endpoint service failed to persist authentication state. Failure code: %1.| Failed to persist authentication state. | If a device isn't reporting, contact support. Otherwise, no action required. |
|403|Registration of Microsoft Defender for Endpoint service completed.|Successful registration to authentication service.|Normal operating notification; no action required.| |404 |Microsoft Defender for Endpoint service successfully generated a key. |Successful crypto key generation. |Normal operating notification; no action required.| |405|Failed to communicate with authentication service. %1 request failed, hresult: %2, HTTP error code: %3. |Failed to send request to authentication service.|Normal operating notification; no action required.| |406|Request for %1 rejected by authentication service. Hresult: %2, error code: %3. | Request returned undesired response. |Normal operating notification; no action required. | |407|Microsoft Defender for Endpoint service failed to sign message (authentication). Failure code: %1. |Failed to sign request. |Normal operating notification; no action required. |
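Review bot: Within this hunk, row 401 says "If machine isn't reporting" while row 402 says "If a device isn't reporting"; the same change set uses "a device" for rows 408 and 409 further down, so row 401 should match. Row 401 also keeps the double space in "Microsoft Defender for Endpoint service  failed" from the removed line; tidy it while the row is being touched.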
- |408|Microsoft Defender for Endpoint service failed to remove persist authentication state. State: %1, Failure code: %2. |Failed to persist authentication state. |If machine is not reporting, contact support. Otherwise, no action required.|
- |409| Microsoft Defender for Endpoint service failed to open key. Failure code: %1. |Failed to open crypto key.|If machine is not reporting, contact support. Otherwise, no action required.|
- |410|Registration is required as part of re-onboarding of Microsoft Defender for Endpoint service. |Occurs during reonboarding. |Normal operating notification; no action required.|
+ |408|Microsoft Defender for Endpoint service failed to remove persist authentication state. State: %1, Failure code: %2. |Failed to persist authentication state. |If a device isn't reporting, contact support. Otherwise, no action required.|
+ |409| Microsoft Defender for Endpoint service failed to open key. Failure code: %1. |Failed to open crypto key.|If a device isn't reporting, contact support. Otherwise, no action required.|
+ |410|Registration is required as part of reonboarding of Microsoft Defender for Endpoint service. |Occurs during reonboarding. |Normal operating notification; no action required.|
|411|Cyber telemetry upload has been suspended for Microsoft Defender for Endpoint service due to invalid/expired token.|Cyber upload temporarily suspended.|Normal operating notification; no action required.| |412|Cyber telemetry upload been resumed for Microsoft Defender for Endpoint service due to newly refreshed token.|Cyber upload successfully resumed.|Normal operating notification; no action required.| |1800| CSP: Get `Node&apos;s` Value. NodeId: (%1), TokenName: (%2). | An operation of Get is about to start. | Contact support. |
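Review bot: Row 408's description in the added line still says "Failed to persist authentication state." although the event message is about failing to remove the persisted state; the rewritten row should describe the removal failure (e.g. "Failed to remove persisted authentication state."), otherwise rows 402 and 408 become indistinguishable in the description column. Row 410 normalizes "re-onboarding" to "reonboarding" in both cells, which is consistent.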
security Exclude Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exclude-devices.md
Title: Exclude devices in Microsoft Defender for Endpoint description: Exclude devices from the device inventory list
-keywords: exclude
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Experts On Demand https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/experts-on-demand.md
Title: Experts on Demand description: You can partner with Microsoft Defender Experts who can be engaged directly from within the Microsoft Defender portal for their response
-keywords: Ask Defender Experts, experts on demand, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts, endpoint attack notification, Endpoint Attack Notification
-search.product: Windows 10
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security-compliance
security Exploit Protection Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection-reference.md
Title: Exploit protection reference
-keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Details on how the exploit protection feature works in Windows ms.localizationpriority: medium audience: ITPro--++ -+
security Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection.md
Title: Apply mitigations to help prevent attacks through vulnerabilities
-keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Protect devices against exploits with Windows 10 or Windows 11. Windows has advanced exploit protection capabilities, building upon and improving the settings available in Enhanced Mitigation Experience Toolkit (EMET).
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: high audience: ITPro--++ -+
security Feedback Loop Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/feedback-loop-blocking.md
Title: Feedback-loop blocking
description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender for Endpoint ms.pagetype: security---+++ audience: ITPro
security Find Defender Malware Name https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-defender-malware-name.md
Title: Find malware detection names for Microsoft Defender for Endpoint
description: How to find the names for the latest malware detections in Defender for Endpoint --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Fix Unhealthy Sensors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors.md
Title: Fix unhealthy sensors in Microsoft Defender for Endpoint description: Fix device sensors that are reporting as misconfigured or inactive so that the service receives data from the device.
-keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Get Started Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-started-partner-integration.md
Title: Become a Microsoft Defender for Endpoint partner
-description: Learn the steps and requirements to integrate your solution with Microsoft Defender for Endpoint and be a partner
-keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal
+description: Learn the steps and requirements to integrate your solution with Microsoft Defender for Endpoint and be a partner.
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 12/18/2020
- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
-To become a Defender for Endpoint solution partner, you'll need to follow and complete the following steps.
+To become a Defender for Endpoint solution partner, complete steps outlined in this article.
## Step 1: Subscribe to a Microsoft Defender for Endpoint license
Want to experience Defender for Endpoint? [Sign up for a free trial.](https://si
The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design in the [Partner Application page](https://security.microsoft.com/interoperability/partnersapps) in Microsoft Defender XDR and have it tested and demoed to the Microsoft Defender for Endpoint team.
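Review bot: The rewritten sentence "complete steps outlined in this article" is missing the article; it should read "complete the steps outlined in this article".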
-Once the Microsoft Defender for Endpoint team has reviewed and approves the integration, we'll direct you to be included as a partner at the Microsoft Intelligent Security Association.
+Once the Microsoft Defender for Endpoint team reviews and approves the integration, we direct you to be included as a partner at the Microsoft Intelligent Security Association.
## Step 3: Get listed in the Microsoft Defender for Endpoint partner application portal
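Review bot: The rewritten sentence "we direct you to be included as a partner at the Microsoft Intelligent Security Association" reads awkwardly; "we nominate you for inclusion as a partner in the Microsoft Intelligent Security Association" says the same thing and matches the "MISA nomination" wording used later in this article.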
-Microsoft Defender for Endpoint supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender for Endpoint management portal.
+Microsoft Defender for Endpoint supports non-Microsoft applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender for Endpoint management portal.
-To have your company listed as a partner in the in-product partner page, you'll need to provide the following information:
+To have your company listed as a partner in the in-product partner page, provide the following information:
-1. A square logo (SVG).
-2. Name of the product to be presented.
-3. Provide a 15-word product description.
-4. Link to the landing page for the customer to complete the integration or blog post that includes sufficient information for customers. Any press release including the Microsoft Defender for Endpoint product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done.
-5. If you use a multi-tenant Microsoft Entra ID approach, we need the Microsoft Entra application name to track usage of the application.
-6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This is used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
+- A square logo (SVG)
+- Name of the product to be presented
+- A 15-word product description
+- A link to the landing page for the customer to complete the integration or blog post that includes sufficient information for customers. Any press release including the Microsoft Defender for Endpoint product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done.
+- If you use a multi-tenant Microsoft Entra ID approach, we need the Microsoft Entra application name to track usage of the application.
+- The User-Agent field in each API call to the Defender for Endpoint public set of APIs or Graph Security APIs. This is used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
Follow these steps:
To have your company listed as a partner in the in-product partner page, you'll
- For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43).
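Review bot: In the Step 3 changes, "non-Microsoft applications discovery" should be "non-Microsoft application discovery" (singular attributive noun). In the list converted from numbered steps to bullets, the first three bullets end without a period while the last three end with one; terminal punctuation should be consistent across the list. The User-Agent bullet also no longer says the field must be "included" in each call, only that it exists, so consider keeping the imperative ("Include the User-Agent field in each API call") since the sentence after it calls this a requirement for MISA membership.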
-Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We're happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
+Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. Thank you for choosing to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
## MISA nomination + Managed security service providers (MSSP) and independent software vendors (ISV) can be nominated to the Microsoft Intelligent Security Association (MISA). For more information, see [MISA information page](https://www.microsoft.com/security/business/intelligent-security-association).
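Review bot: The rewritten closing sentence "Thank you for choosing to become a Microsoft Defender for Endpoint partner and to achieve our common goal" loses its parallelism ("choosing ... to achieve"); suggest "and for working toward our common goal of effectively protecting customers".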
-## Related topics
+## Related articles
- [Technical partner opportunities](partner-integration.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
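Review bot: the User-Agent bullet still sends readers to RFC 2616 section 14.43, which has been obsoleted; since this hunk already reworks the surrounding partner text, the pointer should move to the current specification, RFC 9110 section 10.1.5 (User-Agent), e.g. `- For more information, see [RFC 9110 section 10.1.5](https://www.rfc-editor.org/rfc/rfc9110#section-10.1.5).` The requirement itself (a stable, partner-identifying User-Agent on every call to the Defender for Endpoint and Graph Security APIs) is unchanged by the edit and is what MISA tracking depends on, so the reference is worth keeping rather than dropping.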
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
Title: Microsoft Defender for Endpoint for US Government customers description: Learn about the Microsoft Defender for Endpoint for US Government customers requirements and capabilities available
-keywords: government, gcc, high, requirements, capabilities, defender, Microsoft Defender for Endpoint, endpoint, dod
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium Last updated 11/29/2023-+ audience: ITPro - m365-security
security Grant Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md
Title: Grant access to managed security service provider (MSSP)
-description: Take the necessary steps to configure MSSP integration with the Microsoft Defender for Endpoint
-keywords: managed security service provider, mssp, configure, integration
+description: Take the necessary steps to configure MSSP integration with the Microsoft Defender for Endpoint.
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 12/18/2020
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-To implement a multi-tenant delegated access solution, take the following steps:
+To implement a multitenant delegated access solution, take the following steps:
1. Enable [role-based access control](rbac.md) in Defender for Endpoint and connect with Active Directory (AD) groups.
To implement a multi-tenant delegated access solution, take the following steps:
1. **Create access groups for MSSP resources in Customer AAD: Groups**
- These groups will be linked to the Roles you create in Defender for Endpoint. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
+ These groups are linked to the Roles you create in Defender for Endpoint. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
- Tier 1 Analyst - Tier 2 Analyst
To implement a multi-tenant delegated access solution, take the following steps:
1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
- Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
+ Adding the MSSP as a connected organization allows the MSSP to request and have accesses provisioned.
To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
To implement a multi-tenant delegated access solution, take the following steps:
Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
- To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
+ To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, it's called, **MSSP Accesses**.
:::image type="content" source="images/goverance-catalog.png" alt-text="The new catalog page" lightbox="images/goverance-catalog.png":::
To implement a multi-tenant delegated access solution, take the following steps:
3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
- Access packages are the collection of rights and accesses that a requestor will be granted upon approval.
+ Access packages are the collection of rights and accesses that a requestor is granted upon approval.
To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
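Review bot: the rewritten catalog sentence `+ ... In our example, it's called, **MSSP Accesses**.` carries a stray comma before the bold name; it should read `it's called **MSSP Accesses**`. The same change modernises `multi-tenant` to `multitenant` but leaves `Customer AAD` in the step headings and `Active Directory (AD) groups` in step 1, even though the groups being created live in the customer's Microsoft Entra tenant (the partner article in this same update already says `Microsoft Entra ID`); align the terminology while these lines are being touched so readers are not left wondering whether on-premises AD groups are meant.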
security Health Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/health-status.md
Title: Investigate agent health issues description: Learn about the values returned when running the mdatp health command
-keywords: mdatp health, command, health, status, command, onboarding status
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Host Firewall Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md
Title: Host firewall reporting in Microsoft Defender for Endpoint description: Host and view firewall reporting in Microsoft Defender portal.
-keywords: windows defender, firewall
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium Last updated 01/31/2023 audience: ITPro ---+++ - m365-security
security Import Export Exploit Protection Emet Xml https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml.md
ms.localizationpriority: medium audience: ITPro --++ -+ - m365-security
security Indicator Certificates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-certificates.md
Title: Create indicators based on certificates description: Create indicators based on certificates that define the detection, prevention, and exclusion of entities.
-keywords: ioc, certificate, certificates, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
Title: Create indicators for files description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities.
-keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium Last updated 08/10/2022-+ audience: ITPro - m365-security
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
Title: Create indicators for IPs and URLs/domains
description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Indicator Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-manage.md
Title: Manage indicators description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
-keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 12/18/2020
2. Select the tab of the entity type you'd like to manage.
-3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
+3. Update the details of the indicator and select **Save** or select the **Delete** button if you'd like to remove the entity from the list.
## Import a list of IoCs
Download the sample CSV to know the supported column attributes.
3. Select **Import** \> **Choose file**.
-4. Select **Import**. Do this for all the files you'd like to import.
+4. Select **Import**. Repeat for all the files you'd like to import.
5. Select **Done**.
Download the sample CSV to know the supported column attributes.
The following table shows the supported parameters.
-Parameter|Type|Description
-:|:|:
-indicatorType|Enum|Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
-indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required**
-action|Enum|The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Allowed", "Audit", "BlockAndRemediate", "Warn", and "Block". **Required**
-title|String|Indicator alert title. **Required**
-description|String| Description of the indicator. **Required**
-expirationTime|DateTimeOffset|The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. The indicator gets deleted if the expiration time passes and whatever happens at the expiration time occurs at the seconds (SS) value. **Optional**
-severity|Enum|The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
-recommendedActions|String|TI indicator alert recommended actions. **Optional**
-rbacGroups|String|Comma-separated list of RBAC groups the indicator would be applied to. **Optional**
-category|String|Category of the alert. Examples include: Execution and credential access. **Optional**
-mitretechniques|String|MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It is recommended to add a value in category when a MITRE technique.
-GenerateAlert|String|Whether the alert should be generated. Possible Values are: True or False. **Optional**
+| Parameter|Type|Description |
+| | | |
+| indicatorType|Enum|Type of the indicator. Possible values are: *FileSha1*, *FileSha256*, *IpAddress*, *DomainName*, and *Url*. **Required** |
+| indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required** |
+| action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: *Allowed*, *Audit*, *BlockAndRemediate*, *Warn*, and *Block*. **Required** |
+| title|String|Indicator alert title. **Required** |
+| description|String| Description of the indicator. **Required** |
+| expirationTime|DateTimeOffset|The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. The indicator gets deleted if the expiration time passes and whatever happens at the expiration time occurs at the seconds (SS) value. **Optional** |
+| severity|Enum|The severity of the indicator. Possible values are: *Informational*, *Low*, *Medium*, and *High*. **Optional** |
+| recommendedActions|String|TI indicator alert recommended actions. **Optional** |
+| rbacGroups|String|Comma-separated list of RBAC groups the indicator would be applied to. **Optional** |
+| category|String|Category of the alert. Examples include: Execution and credential access. **Optional** |
+| mitretechniques|String|MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It's recommended to add a value in category when a MITRE technique. |
+| GenerateAlert|String|Whether the alert should be generated. Possible Values are: True or False. **Optional** |
> [!NOTE] > Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
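Review bot: the new table's delimiter row `+| | | |` contains no dashes, so Markdown will not recognise the block as a table and the header and parameter rows will render as plain text; it needs to be `| --- | --- | --- |`. Two wording defects also survive the rewrite: the `mitretechniques` row still ends in the fragment `It's recommended to add a value in category when a MITRE technique.` (a verb such as `is specified` is missing), and the `expirationTime` description (`whatever happens at the expiration time occurs at the seconds (SS) value`) does not tell the reader what to do; if the intent is that the timestamp must be supplied to the second, say that directly.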
security Information Protection Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md
Title: Use Microsoft Defender for Endpoint sensitivity labels to protect your data and prioritize security incident response
-description: Learn how to use Defender for Endpoint sensitivity labels to protect, prioritize, and investigate incidents that involve data loos, dlp, security incidents.
+description: Learn how to use Defender for Endpoint sensitivity labels to protect, prioritize, and investigate incidents that involve data loss, dlp, security incidents.
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 12/18/2020
A typical advanced persistent threat lifecycle (or APT) involves some data exfiltration -- the point at which data is *taken* from the organization. In those situations, sensitivity labels can tell security operations where to start by spelling out what data is highest priority to protect.
-Defender for Endpoint helps to make prioritization of security incidents simpler with the use of sensitivity labels too. For example, sensitivity labels quickly identify incidents that may involve devices with sensitive information on them (such as confidential information).
+Defender for Endpoint helps to make prioritization of security incidents simpler with the use of sensitivity labels too. For example, sensitivity labels quickly identify incidents that can involve devices with sensitive information on them (such as confidential information).
Here's how to use sensitivity labels in Defender for Endpoint.
Learn how to use data sensitivity labels to prioritize incident investigation.
1. In Microsoft Defender portal, select **Incidents & alerts** \> **Incidents**.
-2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.
+2. Scroll over to see the **Data sensitivity** column. This column reflects sensitivity labels that are observed on devices related to the incidents providing an indication of whether sensitive files are impacted by the incident.
:::image type="content" source="images/data-sensitivity-column.png" alt-text="The Highly confidential option in the data sensitivity column" lightbox="images/data-sensitivity-column.png":::
Learn how to use data sensitivity labels to prioritize incident investigation.
:::image type="content" source="images/investigate-devices-tab.png" alt-text="The Device tab" lightbox="images/investigate-devices-tab.png":::
-5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.
+5. Select the devices that store sensitive data and search through the timeline to identify which files might be impacted then take appropriate action to ensure that data is protected.
- You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.
+ You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this shows only events associated with files that the label name.
:::image type="content" source="images/machine-timeline-labels.png" alt-text="The device timeline with narrowed down search results based on label" lightbox="images/machine-timeline-labels.png":::
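Review bot: the rewritten sentence `+ ... Doing this shows only events associated with files that the label name.` has lost its verb and no longer parses; the removed line read `files that have said label name`, so keep a verb, e.g. `files that carry that label name`. In step 2, changing `whether sensitive files may be impacted` to `whether sensitive files are impacted` turns an indication of possible impact into a statement of fact, which the **Data sensitivity** column cannot guarantee; step 5 in the same hunk correctly uses `might be impacted`, so use the same wording here.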
security Internet Facing Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/internet-facing-devices.md
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-alerts.md
Title: Investigate Microsoft Defender for Endpoint alerts description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
-keywords: investigate, investigation, devices, device, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Investigate Behind Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-behind-proxy.md
Title: Investigate connection events that occur behind forward proxies description: Learn how to use advanced HTTP level monitoring through network protection in Microsoft Defender for Endpoint, which surfaces a real target, instead of a proxy.
-keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Investigate Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-domain.md
Title: Investigate domains and URLs associated with an alert description: Use the investigation options to see if devices and servers have been communicating with malicious domains.
-keywords: investigate domain, domain, malicious domain, Microsoft Defender for Endpoint, alert, URL
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Investigate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md
Title: Investigate Microsoft Defender for Endpoint files description: Use the investigation options to get details on files associated with alerts, behaviors, or events.
-keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
The File content tab lists information about portable executable (PE) files, inc
:::image type="content" source="../../media/investigate-files/investigatefiles-filecontent.png" alt-text="Screenshot of a file's content" lightbox="../../media/investigate-files/investigatefiles-filecontent.png":::
-The file capabilities view lists a file's activities as mapped to the MITRE ATT&CKΓäó techniques.
+The file capabilities view lists a file's activities as mapped to the MITRE ATT&CK&trade; techniques.
:::image type="content" source="../../media/investigate-files/investigatefiles-filecapabilities.png" alt-text="Screenshot of a file's capabilities" lightbox="../../media/investigate-files/investigatefiles-filecapabilities.png":::
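Review bot: `+ ... MITRE ATT&CK&trade; techniques` repairs the mojibake `Γäó`, but MITRE styles the name as a registered mark (MITRE ATT&CK®), so `&reg;` is the accurate entity rather than `&trade;`; whichever is chosen, confirm the repo's Markdown pipeline renders HTML entities in body text so the literal `&` in `ATT&CK` survives alongside it.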
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-incidents.md
Title: Investigate incidents in Microsoft Defender for Endpoint
description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident search.appverid: met150 --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Investigate Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-ip.md
Title: Investigate an IP address associated with an alert description: Use the investigation options to examine possible communication between devices and external IP addresses.
-keywords: investigate, investigation, IP address, alert, Microsoft Defender for Endpoint, external IP
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Investigate Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md
Title: Investigate devices in the Defender for Endpoint Devices list description: Investigate affected devices by reviewing alerts, network connection information, adding device tags and groups, and checking the service health.
-keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: met150 Previously updated : 06/19/2023 Last updated : 02/21/2024 # Investigate devices in the Microsoft Defender for Endpoint Devices list
Investigate the details of an alert raised on a specific device to identify othe
> [!NOTE] > As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices).
-You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:
+You can select on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:
- [Devices list](investigate-machines.md) - [Alerts queue](alerts-queue.md)
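Review bot: `+You can select on affected devices whenever you see them in the portal` is ungrammatical; replacing `click on` with `select` should drop the preposition, giving `You can select affected devices whenever you see them in the portal to open a detailed report about that device.`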
You can click on affected devices whenever you see them in the portal to open a
- Any individual file details view - Any IP address or domain details view
-When you investigate a specific device, you'll see:
+When you investigate a specific device, you see:
- Device details - Response actions
When you investigate a specific device, you'll see:
## Device details
-The device details section provides information such as the domain, OS, and health state of the device. If there's an investigation package available on the device, you'll see a link that allows you to download the package.
+The device details section provides information such as the domain, OS, and health state of the device. If there's an investigation package available on the device, you see a link that allows you to download the package.
## Response actions
More details about certain events are provided in the **Additional information**
- Remediation successful - the detected threat was stopped and cleaned - Warning bypassed by user - the Windows Defender SmartScreen warning was dismissed and overridden by a user - Suspicious script detected - a potentially malicious script was found running-- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided
+- The alert category - if the event led to the generation of an alert, the alert category (**Lateral Movement**, for example) is provided
#### Event details Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.
-To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint.
+To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query returns the selected event and the list of other events that occurred around the same time on the same endpoint.
:::image type="content" source="images/event-details.png" alt-text="The event details panel" lightbox="images/event-details.png"::: ### Security recommendations
-**Security recommendations** are generated from Microsoft Defender for Endpoint's [Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
+**Security recommendations** are generated from Microsoft Defender for Endpoint's [Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation shows a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
### Security policies
-The **Security policies** tab shows the endpoint security policies that are applied on the device. You'll see a list of policies, type, status, and last check-in time. Selecting the name of a policy, will take you to the policy details page where you can see the policy settings status, applied devices, and assigned groups.
+The **Security policies** tab shows the endpoint security policies that are applied on the device. You see a list of policies, type, status, and last check-in time. Selecting the name of a policy takes you to the policy details page where you can see the policy settings status, applied devices, and assigned groups.
:::image type="content" source="images/security-policies-tab.png" alt-text="The Security policies tab" lightbox="images/security-policies-tab.png":::
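Review bot: the unchanged context line under `#### Event details` has a subject-verb mismatch, `a graph showing related entities and their relationships are also shown`; since this hunk already edits the sentence immediately after it, fix it to `is also shown` in the same change.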
The **Security policies** tab shows the endpoint security policies that are appl
### Software inventory
-The **Software inventory** tab lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details
+The **Software inventory** tab lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software takes you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details.
:::image type="content" source="images/software-inventory-device.png" alt-text="The Software inventory tab" lightbox="images/software-inventory-device.png"::: ### Discovered vulnerabilities
-The **Discovered vulnerabilities** tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details.
+The **Discovered vulnerabilities** tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. If you select a specific vulnerability, you see a description and details.
:::image type="content" source="images/discovered-vulnerabilities-device.png" alt-text="The Discovered vulnerabilities tab" lightbox="images/discovered-vulnerabilities-device.png":::
The **Missing KBs** tab lists the missing security updates for the device.
### Active alerts
-The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Microsoft Defender for Identity feature, and there are any active alerts. More information is available in the "Alerts" drill down.
+The **Azure Advanced Threat Protection** card displays a high-level overview of alerts related to the device and their risk level, if you're using the Microsoft Defender for Identity feature, and there are any active alerts. More information is available in the **Alerts** drill down.
:::image type="content" source="images/risk-level-small.png" alt-text="The active alerts card" lightbox="images/risk-level-small.png":::
The **Azure Advanced Threat Protection** card will display a high-level overview
### Logged on users
-The **Logged on users** card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md).
+The **Logged on users** card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the **See all users** link opens the details pane, which displays information such as user type, sign-in type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md).
:::image type="content" source="images/logged-on-users.png" alt-text="The user details pane" lightbox="images/logged-on-users.png"::: > [!NOTE] > The 'Most frequent' user value is calculated only based on evidence of users who successfully logged on interactively.
-> However, the "All users" side-pane calculates all sorts of user logons so it is expected to see more frequent users in the side-pane, given that those users may not be interactive.
+> However, the **All users** side-pane calculates all sorts of user logons so it is expected to see more frequent users in the side-pane, given that those users may not be interactive.
### Security assessments
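Review bot: `+ ... user type, sign-in type, and when the user was first and last seen` switches to `sign-in` while the card and heading are still **Logged on users** and the note below it still counts `user logons`, so the section now mixes two terms for one concept; either apply `sign-in` consistently across the card text and note, or keep `log on type` if that is the string the portal actually displays in the details pane.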
The **Security assessments** card shows the overall exposure level, security rec
The **Device health status** card shows a summarized health report for the specific device. One of the following messages is displayed at the top of the card to indicate the overall status of the device (listed in order of highest to lowest priority): - Defender Antivirus not active-- Security intelligence is not up to date-- Engine is not up to date
+- Security intelligence isn't up to date
+- Engine isn't up to date
- Quick scan failed - Full scan failed-- Platform is not up to date
+- Platform isn't up to date
- Security intelligence update status is unknown - Engine update status is unknown - Quick scan status is unknown
The **Device health status** card shows a summarized health report for the speci
- Device is up to date - Status not available for macOS & Linux
-Other information in the card include: the last full scan, last quick scan, security intelligence update version, engine update version, platform update version, and Defender Antivirus mode.
+Other information in the card includes: the last full scan, last quick scan, security intelligence update version, engine update version, platform update version, and Defender Antivirus mode.
-Please note that a grey circle indicates that the data is unknown.
+Note that a grey circle indicates that the data is unknown.
> [!NOTE] > The overall status message for macOS and Linux devices currently shows up as 'Status not available for macOS & Linux'. Currently, the status summary is only available for Windows devices. All other information in the table is up to date to show the individual states of each device health signal for all supported platforms.
To gain an in-depth view of the device health report, you can go to **Reports >
:::image type="content" source="images/device-health-status.png" alt-text="The device health status card" lightbox="images/device-health-status.png":::
-## Related topics
+## Related articles
- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) - [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md)
To gain an in-depth view of the device health report, you can go to **Reports >
- [Investigate a user account in Defender for Endpoint](investigate-user.md) - [Security recommendation](tvm-security-recommendation.md) - [Software inventory](tvm-software-inventory.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
Title: Investigate a user account in Microsoft Defender for Endpoint description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation.
-keywords: investigate, account, user, user entity, alert, Microsoft Defender for Endpoint
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
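Review bot: the `keywords`, `ms.sitesec` and `ms.pagetype` front-matter keys are removed from this file with no replacement, and the same three keys are removed from every other file in this batch; if they are being retired from the front-matter schema, say so in the commit description so the removal can be verified once rather than per file.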
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Title: Configure Microsoft Defender for Endpoint on iOS features description: Describes how to deploy Microsoft Defender for Endpoint on iOS features.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, configure, features, ios
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Want to experience Defender for Endpoint? [Sign up for a free trial.](https://si
## Conditional Access with Defender for Endpoint on iOS
-Microsoft Defender for Endpoint on iOS along with Microsoft Intune and Microsoft Entra ID enables enforcing Device compliance and Conditional Access policies based on device risk score. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.
+Microsoft Defender for Endpoint on iOS along with Microsoft Intune and Microsoft Entra ID enables enforcing Device compliance and Conditional Access policies based on device risk score. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to use this capability via Intune.
For more information about how to set up Conditional Access with Defender for Endpoint on iOS, see [Defender for Endpoint and Intune](/mem/intune/protect/advanced-threat-protection). ## Web Protection and VPN
-By default, Defender for Endpoint on iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Note that Anti-phishing and custom indicators (URL and Domain) are supported as part of Web Protection. IP based custom indicators are currently not supported on iOS. Web Content Filtering is currently not supported on mobile platforms (Android and iOS).
+By default, Defender for Endpoint on iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Anti-phishing and custom indicators (URL and Domain) are supported as part of Web Protection. IP based custom indicators are currently not supported on iOS. Web Content Filtering is currently not supported on mobile platforms (Android and iOS).
-Defender for Endpoint on iOS uses a VPN in order to provide this capability. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device.
+Defender for Endpoint on iOS uses a VPN in order to provide this capability. Note that the VPN is local, and unlike traditional VPN, network traffic isn't sent outside the device.
-While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below:
+While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that don't work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following these steps:
-1. On your iOS device, open the **Settings** app, click or tap **General** and then **VPN**.
+1. On your iOS device, open the **Settings** app, select **General** and then **VPN**.
-2. Click or tap the "i" button for Microsoft Defender for Endpoint.
+2. Select the **i** button for Microsoft Defender for Endpoint.
3. Toggle off **Connect On Demand** to disable VPN. :::image type="content" source="images/ios-vpn-config.png" alt-text="The toggle button for the VPN config Connect on demand option" lightbox="images/ios-vpn-config.png"::: > [!NOTE]
-> Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
+> Web Protection isn't available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
## Disable Web Protection
-Web Protection is one of the key features of Defender for Endpoint and it requires a VPN to provide that capability. The VPN used is a local/loopback VPN and not a traditional VPN, however there are several reasons for which customers might not prefer the VPN. Customers who do not want to set up a VPN, there is an option to disable **Web Protection** and deploy Defender for Endpoint without that feature. Other Defender for Endpoint features will continue to work.
+Web Protection is one of the key features of Defender for Endpoint and it requires a VPN to provide that capability. The VPN used is a local/loopback VPN and not a traditional VPN, however there are several reasons for which customers might not prefer the VPN. Customers who don't want to set up a VPN, there's an option to disable **Web Protection** and deploy Defender for Endpoint without that feature. Other Defender for Endpoint features continue to work.
-This configuration is available for both the enrolled (MDM) devices as well as unenrolled (MAM) devices. For customers with MDM, admins can configure the **Web Protection** through Managed devices in the App Config. For customers without enrollment, using MAM, admins can configure the **Web Protection** through Managed apps in the App Config.
+This configuration is available for both the enrolled (MDM) devices and unenrolled (MAM) devices. For customers with MDM, admins can configure the **Web Protection** through Managed devices in the App Config. For customers without enrollment, using MAM, admins can configure the **Web Protection** through Managed apps in the App Config.
### Configure Web Protection
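Review bot: the sentence in the Disable Web Protection paragraph, `Customers who don't want to set up a VPN, there's an option to disable **Web Protection** ...`, is still a fragment after the rewrite; suggest `For customers who don't want to set up a VPN, there's an option to disable **Web Protection** ...`, and the preceding `... not a traditional VPN, however there are several reasons ...` should be split into two sentences. Also, the note under the VPN steps still says `click or tap **Start VPN**` while steps 1 and 2 in this same hunk were changed from `click or tap` to `select`; use `select` there too for consistency.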
This configuration is available for both the enrolled (MDM) devices as well as u
- In Settings page, select Use configuration designer and add **WebProtection** as the key and value type as **String**. - By default, **WebProtection= true**. - Admin needs to make **WebProtection = false** to switch off the web protection.
- - Defender will send the heartbeat to the Microsoft Defender portal whenever user opens the app.
- - Click Next and assign this profile to targeted devices/users.
+ - Defender sends the heartbeat to the Microsoft Defender portal whenever user opens the app.
+ - Select **Next** and assign this profile to targeted devices/users.
1. **Disable Web Protection(MAM)** Use the following steps to disable **Web Protection** for unenrolled devices.
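Review bot: `Defender sends the heartbeat to the Microsoft Defender portal whenever user opens the app` is missing the article and should read `whenever the user opens the app`; the identical sentence appears again in the MAM steps that follow, so apply the same fix there. Separately, `**Disable Web Protection(MAM)**` needs a space before the parenthesis.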
This configuration is available for both the enrolled (MDM) devices as well as u
- In Settings page, under the General Configuration Settings, add **WebProtection** as the key and value as **false**. - By default, **WebProtection= true**. - Admin needs to make **WebProtection = false** to switch off the web protection.
- - Defender will send the heartbeat to the Microsoft Defender portal whenever user opens the app.
- - Click Next and assign this profile to targeted devices/users.
+ - Defender sends the heartbeat to the Microsoft Defender portal whenever user opens the app.
+ - Select **Next** and assign this profile to targeted devices/users.
## Configure Network Protection
Network protection in Microsoft Defender for endpoint is disabled by default. Ad
> [!NOTE] > Only one policy should be created for Network Protection, either MDM or MAM.
-**For enrolled devices (MDM)**:
+### For enrolled devices (MDM)
Follow the below steps for setting up MDM configuration for enrolled devices for Network protection. 1. In the Microsoft Intune admin center, navigate to **Apps** \> **App configuration policies** \> **Add** \> **Managed devices**.
-1. Provide name and description for the policy. In Platform choose **iOS/iPad**.
-1. In targeted app choose **Microsoft Defender for Endpoint**.
-1. In the Settings page, choose configuration settings format **Use configuration designer**.
-1. Add 'DefenderNetworkProtectionEnable' as the configuration key, value type as 'String' and value as 'true' to enable Network Protection. (Network protection is disabled by default.)
- :::image type="content" source="images/np-mdmconfig-key.png" alt-text="Screenshot that shows the add mdm configuration policy." lightbox="images/np-mdmconfig-key.png":::
-1. For other configurations related to Network protection, add the following keys, choose the corresponding value type and value.
- | Key | Value Type | Default (true-enable, false-disable) | Description |
- | | | | |
- | `DefenderOpenNetworkDetection` | Integer | 0 | 1 - Audit, 0 - Disable(default), 2 - Enable. This setting is managed by an IT Admin to audit, disable, or enable open network detection, respectively. In 'Audit' mode, alerts will be sent only to the ATP portal with no end-user experience. For end-user experience, set the config to 'Enable' mode.|
- | `DefenderEndUserTrustFlowEnable` | String | false | true - enable, false - disable; This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks. |
- | `DefenderNetworkProtectionAutoRemediation` | String | true | true - enable, false - disable; This setting is used by the IT admin to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer WIFI access points or deleting suspicious certificates detected by Defender. |
- | `DefenderNetworkProtectionPrivacy` | String | true | true - enable, false - disable; This setting is managed by IT admin to enable or disable privacy in network protection. |
+2. Provide name and description for the policy. Under **Platform**, choose **iOS/iPad**.
-1. In the Assignments section, admin can choose groups of users to include and exclude from the policy.
-1. Review and create the configuration policy.
+3. In the targeted app, choose **Microsoft Defender for Endpoint**.
-**For unenrolled devices (MAM)**:
+4. In the Settings page, choose configuration settings format **Use configuration designer**.
-Follow the below steps for setting up MAM config for unenrolled devices for Network protection (Authenticator device registration is required for MAM configuration) in iOS devices. Network Protection initialization will require the end user to open the app once.
+5. Add 'DefenderNetworkProtectionEnable' as the configuration key, value type as 'String' and value as 'true' to enable Network Protection. (Network protection is disabled by default.)
+
+ :::image type="content" source="images/np-mdmconfig-key.png" alt-text="Screenshot that shows the mdm configuration policy." lightbox="images/np-mdmconfig-key.png":::
+
+6. For other configurations related to Network protection, add the following keys, choose the corresponding value type and value.
+
+ | Key | Value Type | Default (true-enable, false-disable) | Description |
+ | | | | |
+ | `DefenderOpenNetworkDetection` | Integer | 0 | 1 - Audit, 0 - Disable(default), 2 - Enable. This setting is managed by an IT Admin to audit, disable, or enable open network detection, respectively. In 'Audit' mode, alerts is sent only to the ATP portal with no end-user experience. For end-user experience, set the config to 'Enable' mode.|
+ | `DefenderEndUserTrustFlowEnable` | String | false | true - enable, false - disable; This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks. |
+ | `DefenderNetworkProtectionAutoRemediation` | String | true | true - enable, false - disable; This setting is used by the IT admin to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer WIFI access points or deleting suspicious certificates detected by Defender. |
+ | `DefenderNetworkProtectionPrivacy` | String | true | true - enable, false - disable; This setting is managed by IT admin to enable or disable privacy in network protection. |
+
+7. In the Assignments section, admin can choose groups of users to include and exclude from the policy.
+
+8. Review and create the configuration policy.
+
+### For unenrolled devices (MAM)
+
+Follow the below steps for setting up MAM config for unenrolled devices for Network protection (Authenticator device registration is required for MAM configuration) in iOS devices. Network Protection initialization requires the end user to open the app once.
1. In the Microsoft Intune admin center, navigate to **Apps** \> **App configuration policies** \> **Add** \> **Managed apps** \> **Create a new App configuration policy**. :::image type="content" source="images/addiosconfig.png" alt-text="Add configuration policy." lightbox="images/addiosconfig.png"::: 2. Provide a name and description to uniquely identify the policy. Then select **Select Public apps**, and choose **Microsoft Defender for Platform iOS/iPadOS**.+ :::image type="content" source="images/nameiosconfig.png" alt-text="Name the configuration." lightbox="images/nameiosconfig.png"::: 3. On the Settings page, add **DefenderNetworkProtectionEnable** as the key and the value as `true` to enable network protection. (Network protection is disabled by default.)
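Review bot: the rewritten `DefenderOpenNetworkDetection` row in the MDM table introduces a grammar error, `In 'Audit' mode, alerts is sent only to the ATP portal`; it should read `alerts are sent`, as the corresponding MAM table row already does. While touching that row, `ATP portal` is an outdated name: the rest of this file says `Microsoft Defender portal` (see the heartbeat steps under Configure Web Protection), so use that here and in the MAM table. The table header `Default (true-enable, false-disable)` also does not fit this row, whose values are the integers 0, 1 and 2.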
Follow the below steps for setting up MAM config for unenrolled devices for Netw
|Key| Default (true - enable, false - disable)|Description| ||||
- |`DefenderOpenNetworkDetection`|0| 1 - Audit, 0 - Disable (default), 2 - Enable. This setting is managed by an IT admin to enable, audit, or disable open network detection. In Audit mode, alerts will be sent only to the ATP portal with no user side experience. For user experience, set the config to "Enable" mode.|
+ |`DefenderOpenNetworkDetection`|0| 1 - Audit, 0 - Disable (default), 2 - Enable. This setting is managed by an IT admin to enable, audit, or disable open network detection. In Audit mode, alerts are sent only to the ATP portal with no user side experience. For user experience, set the config to "Enable" mode.|
|`DefenderEndUserTrustFlowEnable`| false | true - enable, false - disable; This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks.| |`DefenderNetworkProtectionAutoRemediation`| true |true - enable, false - disable; This setting is used by the IT admin to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer WIFI access points or deleting suspicious certificates detected by Defender.| |`DefenderNetworkProtectionPrivacy`| true |true - enable, false - disable; This setting is managed by IT admin to enable or disable privacy in network protection.|
Follow the below steps for setting up MAM config for unenrolled devices for Netw
6. Review and create the configuration policy.
-## Co-existence of multiple VPN profiles
+## Coexistence of multiple VPN profiles
-Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
+Apple iOS doesn't support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time.
## Configure Microsoft Defender for Endpoint risk signal in app protection policy (MAM)
Microsoft Defender for Endpoint on iOS enables the App Protection Policy scenari
Microsoft Defender for Endpoint can be configured to send threat signals to be used in App Protection Policies (APP, also known as MAM) on iOS/iPadOS. With this capability, you can use Microsoft Defender for Endpoint to protect access to corporate data from unenrolled devices as well.
-Follow the steps in the link below to set up app protection policies with Microsoft Defender for Endpoint [Configure Defender risk signals in app protection policy (MAM)](ios-install-unmanaged.md)
+Follow the steps in the following link to set up app protection policies with Microsoft Defender for Endpoint [Configure Defender risk signals in app protection policy (MAM)](ios-install-unmanaged.md)
For more details on MAM or app protection policy, see [iOS app protection policy settings](/mem/intune/apps/app-protection-policy-settings-ios). ## Privacy Controls
-Microsoft Defender for Endpoint on iOS enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) as well as unenrolled (MAM) devices.
+Microsoft Defender for Endpoint on iOS enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) and unenrolled (MAM) devices.
For Customers with MDM, admins can configure the Privacy Controls through Managed devices in the App Config. For Customers without enrollment, using MAM, admins can configure the Privacy Controls through Managed apps in the App Config. End Users will also have the ability to configure the Privacy Settings from the Defender App settings. ### Configure privacy in phish alert report
-Customers can now enable privacy control for the phish report sent by Microsoft Defender for Endpoint on iOS. This will ensure that the domain name is not sent as part of the phish alert whenever a phish website is detected and blocked by Microsoft Defender for Endpoint.
+Customers can now enable privacy control for the phish report sent by Microsoft Defender for Endpoint on iOS so that the domain name isn't included as part of a phish alert whenever a phish website is detected and blocked by Microsoft Defender for Endpoint.
1. **Admin Privacy Controls (MDM)** Use the following steps to enable privacy and not collect the domain name as part of the phish alert report for enrolled devices.
- - In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** \> **App configuration policies** \> **Add** \> **Managed devices**.
+ 1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** \> **App configuration policies** \> **Add** \> **Managed devices**.
- - Give the policy a name, **Platform \> iOS/iPadOS**, select the profile type.
+ 2. Give the policy a name, **Platform \> iOS/iPadOS**, select the profile type.
- - Select **Microsoft Defender for Endpoint** as the target app.
+ 3. Select **Microsoft Defender for Endpoint** as the target app.
- - On the Settings page, select **Use configuration designer** and add **DefenderExcludeURLInReport** as the key and value type as **Boolean**.
+ 4. On the Settings page, select **Use configuration designer** and add **DefenderExcludeURLInReport** as the key and value type as **Boolean**.
- To enable privacy and not collect the domain name, enter the value as `true` and assign this policy to users. By default, this value is set to `false`.
+ - For users with key set as `true`, the phish alert doesn't contain the domain name information whenever a malicious site is detected and blocked by Defender for Endpoint.
- - For users with key set as `true`, the phish alert will not contain the domain name information whenever a malicious site is detected and blocked by Defender for Endpoint.
-
- - Select **Next** and assign this profile to targeted devices/users.
+ 5. Select **Next** and assign this profile to targeted devices/users.
-1. **Admin Privacy Controls (MAM)** Use the following steps to enable privacy and not collect the domain name as part of the phish alert report for unenrolled devices.
+2. **Admin Privacy Controls (MAM)** Use the following steps to enable privacy and not collect the domain name as part of the phish alert report for unenrolled devices.
- - In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** \> **App configuration policies** \> **Add** \> **Managed apps**.
+ 1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** \> **App configuration policies** \> **Add** \> **Managed apps**.
- - Give the policy a name.
+ 2. Give the policy a name.
- - Under **Select Public Apps**, choose **Microsoft Defender for Endpoint** as the target app.
+ 3. Under **Select Public Apps**, choose **Microsoft Defender for Endpoint** as the target app.
- - On the Settings page, under the **General Configuration Settings**, add **DefenderExcludeURLInReport** as the key and value as `true`.
+ 4. On the Settings page, under the **General Configuration Settings**, add **DefenderExcludeURLInReport** as the key and value as `true`.
- To enable privacy and not collect the domain name, enter the value as `true` and assign this policy to users. By default, this value is set to `false`.
+ - For users with key set as `true`, the phish alert doesn't contain the domain name information whenever a malicious site is detected and blocked by Defender for Endpoint.
- - For users with key set as `true`, the phish alert will not contain the domain name information whenever a malicious site is detected and blocked by Defender for Endpoint.
+ 5. Select **Next** and assign this profile to targeted devices/users.
- - Select **Next** and assign this profile to targeted devices/users.
+3. **End User Privacy Controls** These controls help the end user to configure the information shared to their organization.
+
+ For Supervised devices, End User controls aren't visible. Your admin decides and controls the settings. However, for Unsupervised devices, the control is displayed under the **Settings \> Privacy**.
-1. **End User Privacy Controls** These controls help the end user to configure the information shared to their organization.
- - For Supervised devices, End User controls will not be visible. Admin will decide and controls the settings.
- - However, for Unsupervised devices, the control will be displayed under the **Settings \> Privacy**.
- - Users will see a toggle for **Unsafe Site Info**.
- - This toggle is only visible if Admin has set **DefenderExcludeURLInReport = true**.
- - If enabled by Admin, Users can decide if they want to send the unsafe site info to their Organization or not.
- - By default, it's set to `false`. The unsafe site information will not be sent.
- - If user toggles it to `true`, the unsafe site details will be sent.
+ - Users see a toggle for **Unsafe Site Info**.
+ - This toggle is only visible if Admin has set **DefenderExcludeURLInReport = true**.
+ - If enabled by an Admin, Users can decide if they want to send the unsafe site info to their Organization or not.
+ - By default, it's set to `false`. The unsafe site information isn't sent.
+ - If user toggles it to `true`, the unsafe site details are sent.
-Turning the above privacy controls on or off will not impact the device compliance check or conditional access.
+Turning the above privacy controls on or off doesn't impact the device compliance check or conditional access.
> [!NOTE]
-> On Supervised devices with the configuration profile, Microsoft Defender for Endpoint can access the entire URL and if it is found to be phishing, it will be blocked.
+> On Supervised devices with the configuration profile, Microsoft Defender for Endpoint can access the entire URL and if it is found to be phishing, it is blocked.
> On an Unsupervised device, Microsoft Defender for Endpoint has access to only the domain name, and if the domain is not a phishing URL, it won't be blocked. ## Optional Permissions
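Review bot: `Follow the steps in the following link to set up app protection policies with Microsoft Defender for Endpoint [Configure Defender risk signals in app protection policy (MAM)](ios-install-unmanaged.md)` reads awkwardly and has no end punctuation; suggest `To set up app protection policies with Microsoft Defender for Endpoint, follow the steps in [Configure Defender risk signals in app protection policy (MAM)](ios-install-unmanaged.md).` The last line of the privacy note could also state the consequence more directly: on an unsupervised device the check is domain-level only, so a phishing page on a domain that isn't itself classified as phishing won't be blocked.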
Microsoft Defender for Endpoint on iOS enables **Optional Permissions** in the o
- On the Settings page, select **Use configuration designer** and add **DefenderOptionalVPN** as the key and value type as **Boolean**. - To enable optional VPN permission, enter value as `true` and assign this policy to users. By default, this value is set to `false`.
- - For users with key set as `true`, the users will be able to onboard the app without giving the VPN permission.
+ - For users with key set as `true`, the users are able to onboard the app without giving the VPN permission.
- Select **Next** and assign this profile to targeted devices/users.
-1. **End User flow** - User will install and open the app to start the onboarding.
+1. **End User flow** - User installs and opens the app to start the onboarding.
- If an admin has set up optional permissions, then the user can **Skip** VPN permission and complete onboarding.
- - Even if the user has skipped VPN, the device will be able to onboard, and a heartbeat will be sent.
- - If VPN is disabled, web protection will not be active.
- - Later, the user can enable web protection from within the app. This will install the VPN configuration on the device.
+ - Even if the user has skipped VPN, the device is able to onboard, and a heartbeat is sent.
+ - If VPN is disabled, web protection isn't active.
+ - Later, the user can enable web protection from within the app, which installs the VPN configuration on the device.
> [!NOTE] > **Optional Permission** is different from **Disable Web Protection**. Optional VPN Permission only helps to skip the permission during onboarding but its available for the end user to later review and enable it. While **Disable Web Protection** allows users to onboard the Defender for Endpoint app without the Web Protection. It cannot be enabled later. ## Jailbreak detection
-Microsoft Defender for Endpoint has the capability of detecting unmanaged and managed devices that are jailbroken. These jailbreak checks are done periodically. If a device is detected to be jailbroken,
+Microsoft Defender for Endpoint has the capability of detecting unmanaged and managed devices that are jailbroken. These jailbreak checks are done periodically. If a device is detected as jailbroken, these events occur:
-1. A **High**-risk alert will be reported to the Microsoft Defender portal. If device Compliance and Conditional Access is set up based on device risk score, then the device will be blocked from accessing corporate data.
-1. User data on app will be cleared. When user opens the app after jailbreaking the VPN profile also will be deleted and no web protection will be offered.
+- **High**-risk alert is reported to the Microsoft Defender portal. If device Compliance and Conditional Access is set up based on device risk score, then the device is blocked from accessing corporate data.
+- User data on app is cleared. When user opens the app after jailbreaking the VPN profile also is deleted and no web protection is offered.
### Configure compliance policy against jailbroken devices
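Review bot: the rewritten jailbreak bullets drop the article: `- **High**-risk alert is reported to the Microsoft Defender portal` should be `- A **High**-risk alert is reported ...`. The second bullet, `When user opens the app after jailbreaking the VPN profile also is deleted and no web protection is offered`, needs a comma and an article: `When the user opens the app after jailbreaking, the VPN profile is also deleted and no web protection is offered`. In the unchanged note above, `but its available for the end user` should be `it's`.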
To protect corporate data from being accessed on jailbroken iOS devices, we reco
Follow the steps below to create a compliance policy against jailbroken devices.
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** \> **Compliance policies** \> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** \> **Compliance policies** \> **Create Policy**. Select "iOS/iPadOS" as platform and select **Create**.
:::image type="content" source="images/ios-jb-policy.png" alt-text="The Create Policy tab" lightbox="images/ios-jb-policy.png":::
-1. Specify a name of the policy, for example "Compliance Policy for Jailbreak".
+2. Specify a name of the policy, such as *Compliance Policy for Jailbreak*.
-1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field.
+3. In the compliance settings page, select to expand **Device Health** section and select **Block** for **Jailbroken devices** field.
:::image type="content" source="images/ios-jb-settings.png" alt-text="The Compliance settings tab" lightbox="images/ios-jb-settings.png":::
-1. In the **Actions for noncompliance** section, select the actions as per your requirements and select **Next**.
+4. In the **Actions for noncompliance** section, select the actions as per your requirements and select **Next**.
:::image type="content" source="images/ios-jb-actions.png" alt-text="The Actions for noncompliance tab" lightbox="images/ios-jb-actions.png":::
-1. In the **Assignments** section, select the user groups that you want to include for this policy and then select **Next**.
+5. In the **Assignments** section, select the user groups that you want to include for this policy and then select **Next**.
-1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
+6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
## Configure custom indicators
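Review bot: step 3, `select to expand **Device Health** section and select **Block** for **Jailbroken devices** field`, reads awkwardly; suggest `expand the **Device Health** section and select **Block** for the **Jailbroken devices** field`. The intro line `Follow the steps below to create a compliance policy` keeps `below`, whereas this same change replaced `the steps below` with `these steps` in the VPN section; align it.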
Defender for Endpoint on iOS supports vulnerability assessments of OS and apps.
1. Once the config is applied, end-user will need to open the app to **Approve** the privacy setting. - Privacy approval screen will come only for unsupervised devices.
- - Only if end-user approves the privacy, the app information will be sent to the Defender for Endpoint console.
+ - Only if end-user approves the privacy, the app information is sent to the Defender for Endpoint console.
:::image type="content" source="images/tvm-user-privacy2.png" alt-text="Screenshot of the end user privacy screen." lightbox="images/tvm-user-privacy2.png":::
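Review bot: `Only if end-user approves the privacy, the app information is sent to the Defender for Endpoint console` is still awkward after the tense change; suggest `The app information is sent to the Defender for Endpoint console only if the end user approves the privacy prompt.`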
Use the following steps to configure the option to send feedback data to Microso
- To remove the ability of end-users to provide feedback, set the value as `false` and assign this policy to users. By default, this value is set to `true`. For US Government customers, the default value is set to 'false'.
- - For users with key set as `true`, there will be an option to send Feedback data to Microsoft within the app (**Menu** \> **Help & Feedback** \> **Send Feedback to Microsoft**).
+ - For users with key set as `true`, there is an option to send Feedback data to Microsoft within the app (**Menu** \> **Help & Feedback** \> **Send Feedback to Microsoft**).
1. Select **Next** and assign this profile to targeted devices/users.
security Ios Install Unmanaged https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md
Title: Deploy Microsoft Defender for Endpoint on iOS with Mobile Application Management description: Describes how to deploy Microsoft Defender for Endpoint on unenrolled iOS devices.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, configure, features, ios
-ms.sitesec: library
-ms.pagetype: security
--+++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Title: Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune description: Describes how to deploy Microsoft Defender for Endpoint on iOS using an app.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, app, installation, deploy, uninstallation, intune
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Ios Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-privacy.md
Title: Privacy information - Microsoft Defender for Endpoint on iOS description: Describes privacy information for Microsoft Defender for Endpoint on iOS
-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, policy, overview
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Ios Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md
Title: Troubleshoot issues and find answers on FAQs related to Microsoft Defender for Endpoint on iOS description: Troubleshooting and FAQ - Microsoft Defender for Endpoint on iOS
-keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, troubleshoot, faq, how to
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
Title: What's new in Microsoft Defender for Endpoint on iOS description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on iOS.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, macos, whatsnew
-ms.sitesec: library
-ms.pagetype: security
--+++ ms.localizationpriority: medium Last updated 1/5/2024-+ audience: ITPro - m365-security
security Limited Periodic Scanning Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md
Title: Enable the limited periodic Microsoft Defender Antivirus scanning feature description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers
-ms.sitesec: library
ms.localizationpriority: medium --++ Last updated 02/02/2024 -+ - m365-security
security Linux Deploy Defender For Endpoint With Chef https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md
Title: How to Deploy Defender for Endpoint on Linux with Chef
-description: Learn how to deploy Defender for Endpoint on Linux with Chef
-keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux)
+description: Learn how to deploy Defender for Endpoint on Linux with Chef.
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 04/07/2021
Before you begin: Install unzip if it's not already installed.
-The Chef components are already installed and a Chef repository exists (chef generate repo \<reponame\>) to store the cookbook that will be used to deploy to Defender for Endpoint on Chef managed Linux servers.
+The Chef components are already installed and a Chef repository exists (chef generate repo \<reponame\>) to store the cookbook that's used to deploy to Defender for Endpoint on Chef managed Linux servers.
You can create a new cookbook in your existing repository by running the following command from inside the cookbooks folder that is in your chef repository:
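Review bot: the rewritten prerequisite still says the cookbook is used "to deploy to Defender for Endpoint on Chef managed Linux servers", which inverts the direction; it should read "to deploy Defender for Endpoint to Chef-managed Linux servers". While touching the line, put `chef generate repo <reponame>` in backticks instead of escaping the angle brackets, which is how the `chef generate cookbook mdatp` command is presented a few lines later.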
You can create a new cookbook in your existing repository by running the followi
chef generate cookbook mdatp ```
-This command will create a new folder structure for the new cookbook called mdatp. You can also use an existing cookbook if you already have one you'd like to use to add the MDE deployment into.
+This command creates a new folder structure for the new cookbook called mdatp. You can also use an existing cookbook if you already have one you'd like to use to add the Defender for Endpoint deployment into.
After the cookbook is created, create a files folder inside the cookbook folder that just got created: ```bash
when 'rhel'
end ```
-You'll need to modify the version number, distribution, and repo name to match the version you're deploying to and the channel you'd like to deploy.
+You need to modify the version number, distribution, and repo name to match the version you're deploying to and the channel you'd like to deploy.
Next you should create an onboard_mdatp.rb file in the mdatp/recipies folder. Add the following text to that file: ```powershell
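Review bot: the context line closing this hunk sends the reader to the `mdatp/recipies` folder, but Chef loads recipes from a directory named `recipes`, so a file created under `recipies/` is never found by `include_recipe`; fix the spelling here (the same misspelling recurs later in the article). The fenced block that opens on the same line is tagged `powershell` although the file being written is a Ruby recipe (`onboard_mdatp.rb`); tag it `ruby`.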
end
``` Make sure to update the path name to the location of the onboarding file.
-To test deploy it on the Chef workstation, just run ``sudo chef-client -z -o mdatp``.
-After your deployment you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences).
-After you've created and tested your configuration file, you can place it into the cookbook/mdatp/files folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text:
+To test deploy it on the Chef workstation, run ``sudo chef-client -z -o mdatp``.
+After your deployment, you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences).
+After creating and testing your configuration file, you can put it into the `cookbook/mdatp/files` folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text:
```powershell #Copy the configuration file
cookbook_file '/etc/opt/microsoft/mdatp/managed/mdatp_managed.json' do
end ```
-To include this step as part of the recipe just add include_recipe ':: settings_mdatp' to your default.rb file within the recipe folder.
+To include this step as part of the recipe just add `include_recipe ':: settings_mdatp` to your default.rb file within the recipe folder.
+ You can also use crontab to schedule automatic updates [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-MDE-Linux.md). Uninstall MDATP cookbook:
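Review bot: the rewritten `include_recipe` line loses its closing quote and keeps a space inside the recipe name: `include_recipe ':: settings_mdatp` should read `include_recipe '::settings_mdatp'` (or the explicit `'mdatp::settings_mdatp'`), otherwise Chef fails to resolve the recipe. Three smaller points in the same hunk: the new crontab sentence links to `linux-update-MDE-Linux.md`, while the file in this repository is `linux-update-mde-linux.md`, which breaks on a case-sensitive build; the `settings_mdatp.rb` code fence is again tagged `powershell` for a Ruby file; and `mdatp/recipies` is still misspelled, the directory is `recipes`.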
security Linux Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-exclusions.md
Title: Configure and validate exclusions for Microsoft Defender for Endpoint on Linux description: Provide and validate exclusions for Microsoft Defender for Endpoint on Linux. Exclusions can be set for files, folders, and processes.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, exclusions, scans, antivirus
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 02/21/2024 # Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
Title: Deploy Microsoft Defender for Endpoint on Linux manually
description: Describes how to deploy Microsoft Defender for Endpoint on Linux manually from the command line. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: met150 Previously updated : 12/01/2023 Last updated : 02/21/2024 # Deploy Microsoft Defender for Endpoint on Linux manually
Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/inst
|Distro & version|Package| |||
+ |For Alma 8.4 and higher|<https://packages.microsoft.com/config/alma/8/prod.repo>|
|For Alma 9.2 and higher|<https://packages.microsoft.com/config/alma/9/prod.repo>|
+ |For RHEL/Centos/Oracle 9.0-9.8|<https://packages.microsoft.com/config/rhel/9/prod.repo>|
|For RHEL/Centos/Oracle 8.0-8.8|<https://packages.microsoft.com/config/rhel/8/prod.repo>| |For RHEL/Centos/Oracle 7.2-7.9 & Amazon Linux 2 |<https://packages.microsoft.com/config/rhel/7.2/prod.repo>| |For Amazon Linux 2023 |<https://packages.microsoft.com/config/amazonlinux/2023/prod.repo>| |For Fedora 33|<https://packages.microsoft.com/config/fedora/33/prod.repo>| |For Fedora 34|<https://packages.microsoft.com/config/fedora/34/prod.repo>| |For Rocky 8.7 and higher|<https://packages.microsoft.com/config/rocky/8/prod.repo>|
+ |For Rocky 9.2 and higher|<https://packages.microsoft.com/config/rocky/9/prod.repo>|
<!--|For RHEL/Centos 6.7-6.10|<https://packages.microsoft.com/config/rhel/6/[channel].repo>|-->
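Review bot: the new RHEL/CentOS/Oracle 9 row gives the range `9.0-9.8`, which mirrors the `8.0-8.8` row beneath it rather than any released RHEL 9 minor (9.3 is the latest at the time of this change); either write `9.0 and higher`, as the Alma and Rocky rows do, or give the range that was actually validated. The Alma 8 and Rocky 9 rows look right and follow the same `config/<distro>/<major>/prod.repo` pattern as the rest of the table.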
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Title: Deploy Microsoft Defender for Endpoint on Linux with Ansible description: Describes how to deploy Microsoft Defender for Endpoint on Linux using Ansible.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos, fedora, amazon linux 2
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
Title: Deploy Microsoft Defender for Endpoint on Linux with Puppet description: Describes how to deploy Microsoft Defender for Endpoint on Linux using Puppet.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos, fedora, amazon linux 2
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Install With Saltack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-saltack.md
Title: Deploy Microsoft Defender for Endpoint on Linux with SaltStack-+ description: Describes how to deploy Microsoft Defender for Endpoint on Linux using Saltstack.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, saltstack, linux, redhat, ubuntu, debian, sles, suse, centos, fedora, amazon linux 2
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: met150 Previously updated : 1/26/2024 Last updated : 02/21/2024 # Deploy Microsoft Defender for Endpoint on Linux with Saltstack
This article describes how to deploy Defender for Endpoint on Linux using Saltst
- [Download the onboarding package](#download-the-onboarding-package) - [Create Saltstack state files](#create-saltstack-state-files) - [Deployment](#deployment)-- [References](#references)
+- [Reference](#reference)
[!INCLUDE [Microsoft Defender for Endpoint third-party tool support](../../includes/support.md)]
For more information on how to find the automatically generated log that's creat
When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint on Linux, install the upgrade, and finally reconfigure Defender for Endpoint on Linux on your device.
-## References
+## Reference
-- [Add or remove YUM repositories](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/yum_repository_module.html)-- [Manage packages with the dnf package manager](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/dnf_module.html)-- [Add and remove APT repositories](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/apt_repository_module.html)-- [Manage apt-packages](https://docs.Saltstack.com/Saltstack/latest/collections/Saltstack/builtin/apt_module.html)
+- [SALT Project documentation](https://docs.saltproject.io/en/latest/topics/about_salt_project.html)
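Review bot: removing the old reference list is right, since those URLs pointed Ansible-module paths at a `docs.Saltstack.com` host that does not serve them, but the single replacement link goes to the "about Salt Project" page, which does not help a reader who is writing the state files this article describes. Link the state reference index instead (https://docs.saltproject.io/en/latest/ref/states/all/index.html), or directly the `pkgrepo` and `pkg` states that a package deployment needs, and spell the product `Salt Project` rather than `SALT Project`.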
## See also
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
Title: Set preferences for Microsoft Defender for Endpoint on Linux
description: Describes how to configure Microsoft Defender for Endpoint on Linux in enterprises. --++ ms.localizationpriority: medium Last updated 07/07/2023-+ audience: ITPro - m365-security
The following configuration profile contains entries for all settings described
"scanAfterDefinitionUpdate":true, "scanArchives":true, "scanHistoryMaximumItems": 10000,
- "scanResultsRetentionDays": 90,
+ "scanResultsRetentionDays": 90,
"maximumOnDemandScanThreads":2, "exclusionsMergePolicy":"merge", "exclusions":[
security Linux Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-privacy.md
Title: Privacy for Microsoft Defender for Endpoint on Linux description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data that is collected in Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, privacy, diagnostic
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-pua.md
Title: Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Linux description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, pua, pus
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md
Title: Microsoft Defender for Endpoint on Linux resources description: Describes resources for Microsoft Defender for Endpoint on Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Schedule Scan Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde.md
Title: How to schedule scans with Microsoft Defender for Endpoint (Linux) description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint (Linux) to better protect your organization's assets.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, scans, antivirus, microsoft defender for endpoint (linux)
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 10/22/2021
To run a scan for Linux, see [Supported Commands](/microsoft-365/security/defender-endpoint/linux-resources#supported-commands).
-Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks.
+For Linux (and Unix), you can use a tool called **crontab** (similar to Task Scheduler in Windows) to run scheduled tasks.
-## Pre-requisite
+## Prerequisite
> [!NOTE] > To get a list of all the time zones, run the following command:
sudo grep mdatp /var/log/cron
sudo nano mdatp_cron_job.log ```
-## For those who use Ansible, Chef, Puppet, or SaltStack
+## If you're using Ansible, Chef, Puppet, or SaltStack
Use the following commands:
Use the following commands:
cron - Manage cron.d and crontab entries ```
-See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information.
+For more information, see [Ansible documentation](https://docs.ansible.com/ansible/latest/modules/cron_module.html).
### To set crontabs in Chef
See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://d
cron resource ```
-See <https://docs.chef.io/resources/cron/> for more information.
+For more information, see [Chef documentation](https://docs.chef.io/resources/cron).
### To set cron jobs in Puppet
See <https://puppet.com/docs/puppet/5.5/types/cron.html> for more information.
**Automating with Puppet: Cron jobs and scheduled tasks**
-See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information.
+For more information, see [Puppet documentation about jobs and scheduled tasks](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/).
### To manage cron jobs in SaltStack
mdatp scan quick > /tmp/mdatp_scan_log.log:
- special: '@hourly' ```
-See <https://docs.saltproject.io/en/latest/ref/states/all/salt.states.cron.html> for more information.
+For more information, see the [Salt.States.Cron documentation](https://docs.saltproject.io/en/latest/ref/states/all/salt.states.cron.html).
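Review bot: the Salt example just above this link runs `mdatp scan quick > /tmp/mdatp_scan_log.log` as an `@hourly` root job; redirecting root's output to a fixed, predictable name in the world-writable `/tmp` is a symlink-following hazard on hosts where `fs.protected_symlinks` is off, so point the example at a root-owned location such as a file under `/var/log/`. Also, the link text `Salt.States.Cron documentation` is a module path dressed as a title; `salt.states.cron` in backticks, or plain "Salt cron state documentation", reads better.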
## Additional information
security Linux Static Proxy Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration.md
Title: Microsoft Defender for Endpoint on Linux static proxy discovery description: Describes how to configure Microsoft Defender for Endpoint on Linux, for static proxy discovery.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, proxy
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Support Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-connectivity.md
Title: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
-description: Learn how to troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, cloud, connectivity, communication
+description: Learn how to troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux.
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
To test if Defender for Endpoint on Linux can communicate to the cloud with the
mdatp connectivity test ```
-expected output:
+Expected output:
```output Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://v20.events.data.microsoft.com/ping ... [OK]
If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-endpoint-linux.md#network-connections) are blocked by a proxy or firewall.
-Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allow list.
+Failures with curl error 35 or 60, indicate certificate pinning rejection. Check to see if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allowlist.
## Troubleshooting steps for environments without proxy or with transparent proxy
-To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
+To test that a connection isn't blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
```bash curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
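Review bot: "add Microsoft Defender for Endpoint to the allowlist" in the rewritten sentence is ambiguous about which list: the fix for a pinning failure is to exclude the Defender for Endpoint URLs from TLS/HTTPS inspection on the proxy, because the client will not trust the proxy's re-signed certificate whatever else is allowed. Say that explicitly, and drop the comma in "Failures with curl error 35 or 60, indicate". It is also worth telling the reader that a passing `curl` check below together with a failing `mdatp connectivity test` is usually itself the signature of inspection: `curl` trusts whatever CA sits in the system store, the product does not.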
security Linux Support Ebpf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-ebpf.md
Title: Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux description: eBPF-based sensor deployment in Microsoft Defender for Endpoint on Linux. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Post reboot, run the below command to check if audit rules got cleared.
% sudo auditctl -l ```
-The output of above command should show no rules or any user added rules. In case the rules didn't get removed, then perform the following steps to clear the audit rules file.
+The output of above command should show no rules or any user added rules. In case the rules didn't get removed, then perform the following steps to clear the audit rules file.
1. Switch to ebpf mode 2. Remove the file /etc/audit/rules.d/mdatp.rules
You can check the agent health status by running the **mdatp** health command. M
```bash uname -a ```
-Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result into kernel hang issues.
-Following steps can be taken to mitigate this issue:
+#### Known Issues
-1. Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8, if you want to use eBPF as supplementary subsystem provider. Note, min kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
+1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To mitigate this issue you can take one of the following steps:
-2. Switch to auditd mode if customer needs to use the same kernel version
+ - Use a distro version higher than RHEL 8.1.
+ - Switch to auditd mode if you need to use RHEL 8.1 version
+
+2. Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result in kernel panic. To mitigate this issue you can take one of the following steps:
+
+ - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. Note that the minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4
+ - Switch to auditd mode if you need to use the same kernel version
```bash sudo mdatp config ebpf-supplementary-event-provider --value disabled
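Review bot: the new `Known Issues` list ends with the `mdatp config ebpf-supplementary-event-provider --value disabled` block hanging off item 2 only, although both items offer "switch to auditd mode" as a mitigation; put the command once after the list and have both items refer to it, or repeat it under item 1 as well. Item 1 also names the RHEL 8.1 plus SAP combination as the trigger; if the SAP workload is a necessary condition, say so, and if not, drop the qualifier so readers on RHEL 8.1 without SAP do not assume they are unaffected. "Known Issues" should be "Known issues" to match the sentence-case headings used elsewhere in this article.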
security Linux Support Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-events.md
Title: Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux description: Troubleshoot missing events or alerts issues in Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, events
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-install.md
Title: Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux
-description: Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation
+description: Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux.
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 12/18/2020
## Verify that the installation succeeded
-An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:
+An error in installation might or might not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:
```bash sudo journalctl --no-pager|grep 'microsoft-mdatp' > installation.log
Also check the [Client configuration](linux-install-manually.md#client-configura
## Make sure you have the correct package
-Verify that the package you are installing matches the host distribution and version.
+Verify that the package you're installing matches the host distribution and version.
<br>
Verify that the package you are installing matches the host distribution and ver
|mdatp.Linux.x86_64.deb|Debian and Ubuntu 16.04, 18.04 and 20.04| |
-For [manual deployment](linux-install-manually.md), make sure the correct distro and version had been chosen.
+For [manual deployment](linux-install-manually.md), make sure the correct distro and version are selected.
## Installation failed due to dependency error
-If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies.
+If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies.
The following external package dependencies exist for the mdatp package: -- The mdatp RPM package requires "glibc >= 2.17", "audit", "policycoreutils", "semanage", "selinux-policy-targeted", "mde-netfilter" -- For RHEL6 the mdatp RPM package requires "audit", "policycoreutils", "libselinux", "mde-netfilter" -- For DEBIAN the mdatp package requires "libc6 >= 2.23", "uuid-runtime", "auditd", "mde-netfilter"
+- The mdatp RPM package requires `glibc >= 2.17`, `audit`, `policycoreutils`, `semanage`, `selinux-policy-targeted`, `mde-netfilter`
+- For RHEL6 the mdatp RPM package requires `audit`, `policycoreutils`, `libselinux`, `mde-netfilter`
+- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `auditd`, `mde-netfilter`
The mde-netfilter package also has the following package dependencies: -- For DEBIAN the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0" -- For RPM the mde-netfilter package requires "libmnl", "libnfnetlink", "libnetfilter_queue", "glib2"
+- For DEBIAN the mde-netfilter package requires `libnetfilter-queue1`, `libglib2.0-0`
+- For RPM the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, `glib2`
## Installation failed
service mdatp status
## Steps to troubleshoot if the mdatp service isn't running
-1. Check if "mdatp" user exists:
+1. Check to see if `mdatp` user exists:
```bash id "mdatp"
service mdatp status
sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path> ```
- where `<systemd_path>` is `/lib/systemd/system` for Ubuntu and Debian distributions and /usr/lib/systemd/system` for Rhel, CentOS, Oracle and SLES. Then rerun step 2.
+ where `<systemd_path>` is `/lib/systemd/system` for Ubuntu and Debian distributions and /usr/lib/systemd/system` for Rhel, CentOS, Oracle, and SLES. Then rerun step 2.
-4. If the above steps don't work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
+4. If the above steps don't work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to `permissive` or `disabled` in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. 5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`.
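Review bot: step 4 still tells the reader to set `SELINUX` to `permissive` or `disabled` in `/etc/selinux/config` and reboot, which persists across reboots and is exactly the change the next sentence warns to revert; for a diagnostic, `sudo setenforce 0` switches to permissive until the next boot without touching the config, and `sudo ausearch -m AVC -ts recent` shows the denial that is actually blocking `mdatp`, which is what should be fixed or reported rather than SELinux left off. In the same hunk the `+` line keeps the unbalanced backtick from the old text: `/usr/lib/systemd/system`` needs an opening backtick, and `Rhel` should be `RHEL` as elsewhere in the article.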
Now try restarting the mdatp service using step 2. Revert the configuration chan
and retry running step 2.
-7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec".
+7. Ensure that the file system containing wdavdaemon isn't mounted with `noexec`.
## If the Defender for Endpoint service is running, but the EICAR text file detection doesn't work
Now try restarting the mdatp service using step 2. Revert the configuration chan
findmnt -T <path_of_EICAR_file> ```
- Currently supported file systems for on-access activity are listed [here](microsoft-defender-endpoint-linux.md#system-requirements). Any files outside these file systems won't be scanned.
+ Currently supported file systems for on-access activity are listed [here](microsoft-defender-endpoint-linux.md#system-requirements). Any files outside these file systems aren't scanned.
-## Command-line tool "mdatp" isn't working
+## Command-line tool mdatp isn't working
1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
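Review bot: dropping the straight quotes from the heading is fine, but the body of this section writes the tool name as `mdatp` in backticks, so the heading should use the same formatting for consistency.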
Now try restarting the mdatp service using step 2. Revert the configuration chan
Diagnostic file created: <path to file> ```
- Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.
+ Path to a zip file that contains the logs are displayed as an output. Reach out to our customer support with these logs.
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
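Review bot: the rewritten sentence introduces a subject-verb mismatch: "Path to a zip file that contains the logs are displayed" should be "The path to a zip file that contains the logs is displayed". Only the future tense needed to change.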
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
Title: Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux description: Troubleshoot performance issues in Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, performance, AuditD, XMDEClientAnalyzer, installation, deploy, uninstallation
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium Last updated 01/18/2023-+ audience: ITPro - m365-security
security Linux Support Rhel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-rhel.md
Title: Troubleshoot issues for Microsoft Defender for Endpoint on Linux RHEL6 description: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, cloud, connectivity, communication
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Update Mde Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-mde-linux.md
Title: How to schedule an update of the Microsoft Defender for Endpoint (Linux) description: Learn how to schedule an update of the Microsoft Defender for Endpoint (Linux) to better protect your organization's assets. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-updates.md
Title: Deploy updates for Microsoft Defender for Endpoint on Linux
description: Describes how to deploy updates for Microsoft Defender for Endpoint on Linux in enterprise environments. --++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
Title: What's new in Microsoft Defender for Endpoint on Linux description: List of major changes for Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, whatsnew, release
--++ ms.localizationpriority: medium Last updated 02/12/2024-+ audience: ITPro - m365-security
There are multiple fixes and new changes in this release:
</details> <details>
- <summary> November-2023 (Build: 101.23102.0003 | Release version: 30.123102.0003.0)</summary>
+ <summary> November-2023 (Build: 101.23102.0003 | Release version: 30.123102.0003.0)</summary>
## November-2023 Build: 101.23102.0003 | Release version: 30.123102.0003.0
There are multiple fixes and new changes in this release:
</details> <details>
- <summary> November-2023 (Build: 101.23092.0012 | Release version: 30.123092.0012.0)</summary>
+ <summary> November-2023 (Build: 101.23092.0012 | Release version: 30.123092.0012.0)</summary>
## November-2023 Build: 101.23092.0012 | Release version: 30.123092.0012.0
There are multiple fixes and new changes in this release:
</details> <details>
- <summary> November-2023 (Build: 101.23082.0011 | Release version: 30.123082.0011.0)</summary>
+ <summary> November-2023 (Build: 101.23082.0011 | Release version: 30.123082.0011.0)</summary>
## November-2023 Build: 101.23082.0011 | Release version: 30.123082.0011.0
sudo systemctl disable mdatp
</details> <details>
- <summary> October-2023 (Build: 101.23082.0009 | Release version: 30.123082.0009.0)</summary>
+ <summary> October-2023 (Build: 101.23082.0009 | Release version: 30.123082.0009.0)</summary>
sudo systemctl disable mdatp
</details> <details>
- <summary> October-2023 (Build: 101.23082.0006 | Release version: 30.123082.0006.0)</summary>
+ <summary> October-2023 (Build: 101.23082.0006 | Release version: 30.123082.0006.0)</summary>
sudo systemctl disable mdatp
</details> <details>
- <summary> September-2023 (Build: 101.23072.0021 | Release version: 30.123072.0021.0)</summary>
+ <summary> September-2023 (Build: 101.23072.0021 | Release version: 30.123072.0021.0)</summary>
sudo systemctl disable mdatp
**What's new** - There are multiple fixes and new changes in this release
- - In mde_installer.sh v0.6.3, users can use the `--channel` argument to provide the channel of the configured repository during cleanup. For example, `sudo ./mde_installer --clean --channel prod`
- - The Network Extension can now be reset by administrators using `mdatp network-protection reset`.
- - Other performance improvements
- - Bug Fixes
+ - In mde_installer.sh v0.6.3, users can use the `--channel` argument to provide the channel of the configured repository during cleanup. For example, `sudo ./mde_installer --clean --channel prod`
+ - The Network Extension can now be reset by administrators using `mdatp network-protection reset`.
+ - Other performance improvements
+ - Bug Fixes
**Known issues**
sudo systemctl disable mdatp
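Review bot: the `--clean` example in the `+` line for mde_installer.sh v0.6.3 invokes `sudo ./mde_installer --clean --channel prod`, dropping the `.sh` extension that the same sentence gives the script; since the line is being rewritten anyway, make the command match the script name, `sudo ./mde_installer.sh --clean --channel prod`, so readers can paste it as shown.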
</details> <details>
- <summary> July-2023 (Build: 101.23062.0010 | Release version: 30.123062.0010.0)</summary>
+ <summary> July-2023 (Build: 101.23062.0010 | Release version: 30.123062.0010.0)</summary>
sudo systemctl disable mdatp
**What's new** - There are multiple fixes and new changes in this release
- - If a proxy is set for Defender for Endpoint, then it's visible in the `mdatp health` command output
- - With this release we provided two options in mdatp diagnostic hot-event-sources:
+ - If a proxy is set for Defender for Endpoint, then it's visible in the `mdatp health` command output
+ - With this release we provided two options in mdatp diagnostic hot-event-sources:
1. Files 2. Executables
- - Network Protection: Connections that are blocked by Network Protection and have the block overridden by users are now correctly reported to Microsoft Defender XDR
- - Improved logging in Network Protection block and audit events for debugging
+ - Network Protection: Connections that are blocked by Network Protection and have the block overridden by users are now correctly reported to Microsoft Defender XDR
+ - Improved logging in Network Protection block and audit events for debugging
- Other fixes and improvements - From this version, enforcementLevel are in passive mode by default giving admins more control over where they want 'RTP on' within their estate - This change only applies to fresh MDE deployments, for example, servers where Defender for Endpoint is being deployed for the first time. In update scenarios, servers that have Defender for Endpoint deployed with RTP ON, continue operating with RTP ON even post update to version 101.23062.0010
sudo systemctl disable mdatp
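Review bot: the `+` line "With this release we provided two options in mdatp diagnostic hot-event-sources:" leaves the command in plain text while the preceding `+` line sets `mdatp health` in code font; format it as `mdatp diagnostic hot-event-sources` for consistency. In the trailing context of the same hunk, "From this version, enforcementLevel are in passive mode by default" should read "enforcementLevel is in passive mode by default".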
</details> <details>
- <summary> July-2023 (Build: 101.23052.0009 | Release version: 30.123052.0009.0)</summary>
+ <summary> July-2023 (Build: 101.23052.0009 | Release version: 30.123052.0009.0)</summary>
sudo systemctl disable mdatp
**What's new** - There are multiple fixes and new changes in this release
- - The build version schema is updated from this release. While the major version number remains same as 101, the minor version number now has five digits followed by four digit patch number that is, `101.xxxxx.yyy`
- - Improved Network Protection memory consumption under stress
- - Updated the engine version to `1.1.20300.5` and signature version to `1.391.2837.0`.
- - Bug fixes.
+ - The build version schema is updated from this release. While the major version number remains same as 101, the minor version number now has five digits followed by four digit patch number that is, `101.xxxxx.yyy`
+ - Improved Network Protection memory consumption under stress
+ - Updated the engine version to `1.1.20300.5` and signature version to `1.391.2837.0`.
+ - Bug fixes.
**Known issues**
sudo systemctl disable mdatp
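Review bot: the `+` line describing the new build version schema says the patch number has four digits but illustrates it as `101.xxxxx.yyy`, which has three; the release summaries in this same file (for example `101.23072.0021` and `101.23062.0010`) use four, so the placeholder should read `101.xxxxx.yyyy`. The same line reads "remains same as 101", which should be "remains the same as 101".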
</details> <details>
- <summary> June-2023 (Build: 101.98.89 | Release version: 30.123042.19889.0)</summary>
+ <summary> June-2023 (Build: 101.98.89 | Release version: 30.123042.19889.0)</summary>
sudo systemctl disable mdatp
**What's new** - There are multiple fixes and new changes in this release
- - Improved Network Protection Proxy handling.
- - In Passive mode, Defender for Endpoint no longer scans when Definition update happens.
- - Devices continue to be protected even after Defender for Endpoint agent has expired. We recommend upgrading the Defender for Endpoint Linux agent to the latest available version to receive bug fixes, features and performance improvements.
- - Removed semanage package dependency.
- - Engine Update to `1.1.20100.7` and Signatures Ver: `1.385.1648.0`.
- - Bug fixes.
+ - Improved Network Protection Proxy handling.
+ - In Passive mode, Defender for Endpoint no longer scans when Definition update happens.
+ - Devices continue to be protected even after Defender for Endpoint agent has expired. We recommend upgrading the Defender for Endpoint Linux agent to the latest available version to receive bug fixes, features and performance improvements.
+ - Removed semanage package dependency.
+ - Engine Update to `1.1.20100.7` and Signatures Ver: `1.385.1648.0`.
+ - Bug fixes.
**Known issues**
sudo systemctl disable mdatp
</details> <details>
- <summary> May-2023 (Build: 101.98.64 | Release version: 30.123032.19864.0)</summary>
+ <summary> May-2023 (Build: 101.98.64 | Release version: 30.123032.19864.0)</summary>
sudo systemctl disable mdatp
**What's new** - There are multiple fixes and new changes in this release
- - Health message improvements to capture details about auditd failures.
- - Improvements to handle augenrules, which was causing installation failure.
- - Periodic memory cleanup in engine process.
- - Fix for memory issue in mdatp audisp plugin.
- - Handled missing plugin directory path during installation.
- - When conflicting application is using blocking fanotify, with default configuration mdatp health shows unhealthy. This is now fixed.
- - Support for ICMP traffic inspection in BM.
- - Engine Update to `1.1.20100.6` and Signatures Ver: `1.385.68.0`.
- - Bug fixes.
+ - Health message improvements to capture details about auditd failures.
+ - Improvements to handle augenrules, which was causing installation failure.
+ - Periodic memory cleanup in engine process.
+ - Fix for memory issue in mdatp audisp plugin.
+ - Handled missing plugin directory path during installation.
+ - When conflicting application is using blocking fanotify, with default configuration mdatp health shows unhealthy. This is now fixed.
+ - Support for ICMP traffic inspection in BM.
+ - Engine Update to `1.1.20100.6` and Signatures Ver: `1.385.68.0`.
+ - Bug fixes.
**Known issues**
sudo systemctl disable mdatp
</details> <details>
- <summary> April-2023 (Build: 101.98.58 | Release version: 30.123022.19858.0)</summary>
+ <summary> April-2023 (Build: 101.98.58 | Release version: 30.123022.19858.0)</summary>
sudo systemctl disable mdatp
**What's new** - There are multiple fixes and new changes in this release
- - Logging and error reporting improvements for auditd.
- - Handle failure in reload of auditd configuration.
- - Handling for empty auditd rule files during MDE install.
- - Engine Update to `1.1.20000.2` and Signatures Ver: `1.381.3067.0`.
- - Addressed a health issue in mdatp that occurs due to selinux denials.
- - Bug fixes.
+ - Logging and error reporting improvements for auditd.
+ - Handle failure in reload of auditd configuration.
+ - Handling for empty auditd rule files during MDE install.
+ - Engine Update to `1.1.20000.2` and Signatures Ver: `1.381.3067.0`.
+ - Addressed a health issue in mdatp that occurs due to selinux denials.
+ - Bug fixes.
**Known issues**
augenrules --load
There are two ways to mitigate this upgrade issue: 1. Use your package manager to uninstall the `101.75.43` or `101.78.13` mdatp version.
-
+
Example: ```bash sudo apt purge mdatp
sudo systemctl disable mdatp
</details> <details>
- <summary> March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)</summary>
+ <summary> March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)</summary>
sudo systemctl disable mdatp
&ensp;Signature version: **1.379.1299.0**<br/> **What's new** - This new release is build over March 2023 release (`101.98.05``) with a fix for Live response commands failing for one of our customers. There's no change for other customers and upgrade is optional.
-
+
**Known issues** - With mdatp version 101.98.30 you might see a health false issue in some of the cases, because SELinux rules aren't defined for certain scenarios. The health warning could look something like this:
In case the issue reappears with some different denials. We need to run the miti
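Review bot: the context line "This new release is build over March 2023 release (`101.98.05``)" has a stray second backtick after the version and should read "is built over the March 2023 release (`101.98.05`)"; since this hunk only touches the blank line below it, fold that fix in while the block is open.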
</details> <details>
- <summary> March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)</summary>
+ <summary> March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)</summary>
## March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)
There are multiple fixes and new changes in this release.
- `2.6.32-754.43.1.el6.x86_64` - `2.6.32-754.49.1.el6.x86_64` - Other fixes
-
+
**Known issues** - While upgrading mdatp to version 101.94.13, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Make sure to back up following file: `/etc/audit/rules.d/audit.rules`` as these steps are only to identify failures.
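Review bot: the "Known issues" context line following this hunk ends with "back up following file: `/etc/audit/rules.d/audit.rules``", which has a stray second backtick and is missing "the" ("back up the following file: `/etc/audit/rules.d/audit.rules`"); as the hunk only changes the blank line above it, include that correction here.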
security Live Response Command Examples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-command-examples.md
Title: Live response command examples description: Learn to run basic or advanced live response commands for Microsoft Defender for Endpoint, and see examples on how they're used.
-keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Live Response Library Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-library-methods.md
Title: Live response library methods and properties description: Learn how to use the live response library methods and properties.
-keywords: apis, graph api, supported apis, get, devices
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
Title: Investigate entities on devices using live response in Microsoft Defender for Endpoint description: Access a device using a secure remote shell connection to do investigative work and take immediate response actions on a device in real time.
-keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Device Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-faq.md
Title: macOS Device control policies frequently asked questions (FAQ) description: Get answers to common questions about device control policies using JAMF or Intune.
-keywords: microsoft, defender, endpoint, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, jamf, intune, faq,
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Device Control Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-intune.md
Title: Deploy and manage Device Control using Intune description: Learn how to deploy and manage device control policies using Intune.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, macOS, device, control, usb, removable, media, intune
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Before you get started with Removable Storage Access Control, you must confirm y
### Step 1: Build mobileconfig file
-Now, you have 'groups' and 'rules' and 'settings', replace the mobileconfig file with those values and put it under the Device Control node, here is the demo file: [mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/mobileconfig/demo.mobileconfig). Make sure validate your policy with the JSON schema to make sure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/device_control_policy_schema.json).
+Now, you have `groups`, `rules`, and `settings`, replace the mobileconfig file with those values and put it under the Device Control node. Here's the demo file: [mdatp-devicecontrol/demo.mobileconfig at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/mobileconfig/demo.mobileconfig). Make sure validate your policy with the JSON schema and make sure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).
> [!NOTE] > See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
You can deploy the mobileconfig file through [**https://endpoint.microsoft.com/*
- [Device Control for macOS](mac-device-control-overview.md) - [Deploy and manage Device Control using jamf](mac-device-control-jamf.md) - [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
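Review bot: the rewritten `+` line for Step 1 still reads "Make sure validate your policy with the JSON schema", missing "to"; the equivalent sentence on the manual-deployment page in this same update reads "Make sure to validate your policy with the JSON schema", so align this one with it. Both GitHub links in that line also drop the `Removable%20Storage%20Access%20Control%20Samples/` path segment, so confirm that the new `macOS/mobileconfig/demo.mobileconfig` and `macOS/policy/device_control_policy_schema.json` targets resolve before merging.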
security Mac Device Control Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-jamf.md
Title: Deploy and manage device control using JAMF description: Learn how to use device control policies using JAMF.
-keywords: microsoft, defender, endpoint, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, jamf
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Device Control Manual https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-manual.md
Title: Deploy and manage device control manually description: Learn how to use device control policies manually.
-keywords: microsoft, defender, endpoint, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Before you get started with Removable Storage Access Control, you must confirm y
## Deploy policy manually
-This method is recommended for pre-production environments only. It is available starting with version 101.23082.0018.
+This method is recommended for preproduction environments only. It's available starting with version 101.23082.0018.
You can create a policy JSON and try it on a single machine before deploying it via MDM to all users. Microsoft recommends using MDM for production environment.
-You can set a policy manually, only if it was not set via MDM (as a managed configuration).
+You can set a policy manually, only if it wasn't set via MDM (as a managed configuration).
### Step 1: Create policy JSON
-Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here is the demo file: [mdatp-devicecontrol/deny_removable_media_except_kingston.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/examples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/device_control_policy_schema.json).
+Now, you have `groups`, `rules`, `settings`, combine them into one JSON. Here's the demo file: [mdatp-devicecontrol/deny_removable_media_except_kingston.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.md). Make sure to validate your policy with the JSON schema so your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json).
-See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
+See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules, and groups.
### Step 2: Apply policy
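Review bot: in the `+` line for Step 1 the demo file link text says `deny_removable_media_except_kingston.json` but the new target path ends in `macOS/policy/samples/deny_removable_media_except_kingston.md`; either the text or the target is wrong, and the schema link on the same line still points at a `.json` file, so check which is intended. The same line's opening clause, "Now, you have `groups`, `rules`, `settings`, combine them into one JSON", needs "and" before `settings` and a break before "combine" (for example "Now that you have `groups`, `rules`, and `settings`, combine them into one JSON file.").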
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
Title: Device control for macOS description: Learn how to configure Microsoft Defender for Endpoint on Mac to reduce threats from removable storage such as USB devices.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, macOS, device, control, usb, removable, media
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Install Jamfpro Login https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login.md
Title: Log in to Jamf Pro
-description: Log in to Jamf Pro
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac
+ Title: Sign in to Jamf Pro
+description: Sign in to Jamf Pro.
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
search.appverid: met150
Last updated 12/18/2020
-# Log in to Jamf Pro
+# Sign in to Jamf Pro
[!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)]
Last updated 12/18/2020
:::image type="content" source="images/jamf-pro-dashboard.png" alt-text="The Jamf Pro dashboard2" lightbox="images/jamf-pro-dashboard.png":::
-3. You'll see the settings that are available.
+3. You see the settings that are available.
:::image type="content" source="images/jamfpro-settings.png" alt-text="The Jamf Pro dashboard3" lightbox="images/jamfpro-settings.png"::: ## Next step+ [Setup the device groups in Jamf Pro](mac-jamfpro-device-groups.md) [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
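Review bot: the Next step link reads "Setup the device groups in Jamf Pro", but the target article mac-jamfpro-device-groups.md, also in this update, is titled "Set up device groups in Jamf Pro"; "setup" is the noun, so the link text should use "Set up" or simply match the target title. Separately, the `+ Title: Sign in to Jamf Pro` line carries a leading space before the key while the `+description:` line below it does not; if that space is real rather than a rendering artifact, it would misparse the YAML front matter, so check it before merging.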
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 12/18/2020
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)
-This topic describes how to deploy Microsoft Defender for Endpoint on macOS through Microsoft Intune. A successful deployment requires the completion of all of the following steps:
+This article describes how to deploy Microsoft Defender for Endpoint on macOS through Microsoft Intune. A successful deployment requires the completion of all of the following steps:
1. [Approve system extension](#step-1-approve-system-extensions) 1. [Network Filter](#step-2-network-filter)
Download [notif.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-
To turn off notifications for the end users, you can change '**Show NotificationCenter**' from 'true' to 'false' in [notif.mobileconfig](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig).
-![Screen shot of notif.mobileconfig that shows "ShowNotificationCenter" set to "true".](image.png)
To configure notifications:
security Mac Install With Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-jamf.md
Title: Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro description: Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Install With Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm.md
Title: Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on Mac description: Install Microsoft Defender for Endpoint on Mac on other management solutions.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, macos, big sur, monterey, ventura, mde or mac
-ms.sitesec: library
-ms.pagetype: security
--+++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Jamfpro Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md
Title: Set up device groups in Jamf Pro description: Learn how to set up device groups in Jamf Pro for Microsoft Defender for Endpoint on macOS
-keywords: device, group, microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Jamfpro Enroll Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md
Title: Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro description: Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security - tier3 - mde-macos-+ search.appverid: met150 Last updated 12/18/2020
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
Title: Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro description: Learn how to set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro
-keywords: policies, microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-preferences.md
Title: Set preferences for Microsoft Defender for Endpoint on Mac description: Configure Microsoft Defender for Endpoint on Mac in enterprise organizations.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, management, preferences, enterprise, intune, jamf, macos, big sur, monterey, ventura, mde for mac
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security - tier3 - mde-macos-+ search.appverid: met150 Last updated 06/22/2023
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
Title: Privacy for Microsoft Defender for Endpoint on Mac description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint on Mac.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, privacy, diagnostic, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-pua.md
Title: Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Mac description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender for Endpoint on macOS.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, pua, pus, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-resources.md
Title: Resources for Microsoft Defender for Endpoint on Mac description: Resources for Microsoft Defender for Endpoint on Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, monterey, ventura, mde for mac
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Schedule Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan.md
Title: How to schedule scans with Microsoft Defender for Endpoint on macOS description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint in macOS to better protect your organization's assets.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, scans, antivirus, big sur, monterey, ventura, mde for mac
--++ ms.localizationpriority: medium Last updated 02/12/2024-+ audience: ITPro - m365-security
search.appverid: met150
While you can start a threat scan at any time with Microsoft Defender for Endpoint, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week.
+There are three types of scheduled scans that are configurable: hourly, daily, and weekly scans. Hourly and daily scheduled scans are always run as quick scans, weekly scans can be configured to be either quick or full scans. It is possible to have all three types of scheduled scans at the same time. See the samples below.
**Pre-requisites:** - Platform Update version: [101.23122.0005](mac-whatsnew.md#jan-2024-build-101231220005release-version-2012312250) or newer
The following sample shows the daily and/or weekly configuration for the schedul
Your scheduled scan runs at the date, time, and frequency you defined in your _plist_.
-### Option 1: Schedule a quick scan using a _plist_
+### Example 1: Schedule a daily quick scan and weekly full scan using a _plist_
In the following example, the daily quick scan configuration is set to run at 885 minutes after midnight (2:45 p.m.).<br>
-The weekly configuration is set to run a quick scan on Wednesday at 880 minutes after midnight (2:40 p.m.).
-And it's set to ignore exclusions and run on a low priority scan.
+The weekly configuration is set to run a full scan on Wednesday at 880 minutes after midnight (2:40 p.m.).
+And it's set to ignore exclusions and run a low priority scan.
-The following code shows the schema you need to use to schedule a quick scan.
+The following code shows the schema you need to use to schedule scans according to the requirements above.
1. Open a text editor and use this example as a guide for your own scheduled scan file.
The following code shows the schema you need to use to schedule a quick scan.
<dict> <key>timeOfDay</key> <integer>885</integer>
- <key>interval</key>
- <string>0</string>
</dict> <key>weeklyConfiguration</key> <dict>
The following code shows the schema you need to use to schedule a quick scan.
<key>timeOfDay</key> <integer>880</integer> <key>scanType</key>
- <string>quick</string>
- </dict>
+ <string>full</string>
</dict> </dict>
+</dict>
</plist> ``` 2. Save the file as _com.microsoft.wdav.plist_.
-### Option 2: Schedule a full scan using a _plist_
+### Example 2: Schedule an hourly quick scan, a daily quick scan, and weekly full scan using a _plist_
-1. Open a text editor and use this example for a full scan.
+In the following example, an hourly quick scan will run every 6 hours, a daily quick scan configuration is set to run at 885 minutes after midnight (2:45 p.m.), and a weekly full scan will run on Wednesdays at 880 minutes after midnight (2:40 p.m).
+1. Open a text editor and use this example.
```XML <?xml version="1.0" encoding="UTF-8"?>
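Review bot: In the added Example 2 introduction, "(2:40 p.m)" is missing the final period, and the sentence uses "will run" where Example 1 says "is set to run"; align the two descriptions. In the plist edit, swapping the removed indented "</dict>" for an added column-zero "</dict>" keeps the closing-tag count at three before "</plist>", but the new line is not indented like the others, so the sample no longer reflects the nesting; indent it to match.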
Use the following command:
> If the device is turned off, the scan will run at the next scheduled scan time. > [!TIP]
-> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [**Microsoft Defender for Endpoint Tech Community**](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP).
+> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [**Microsoft Defender for Endpoint Tech Community**](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP).
security Mac Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-install.md
Title: Troubleshoot installation issues for Microsoft Defender for Endpoint on Mac description: Troubleshoot installation issues in Microsoft Defender for Endpoint on Mac.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, install, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
Title: Troubleshoot license issues for Microsoft Defender for Endpoint on Mac description: Troubleshoot license issues in Microsoft Defender for Endpoint on Mac.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
Title: Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS description: Troubleshoot performance issues in Microsoft Defender for Endpoint on macOS.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Support Sys Ext https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-sys-ext.md
Title: Troubleshoot system extension issues for Microsoft Defender for Endpoint on macOS description: Troubleshoot system extension issues in Microsoft Defender for Endpoint on macOS.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
mdatp health
The output on running **mdatp health** is: ```Output
-healthy : false
-health_issues : ["no active event provider", "network event provider not running", "full disk access has not been granted"]
+healthy : false
+health_issues : ["no active event provider", "network event provider not running", "full disk access has not been granted"]
...
-real_time_protection_enabled : unavailable
+real_time_protection_enabled : unavailable
real_time_protection_available: unavailable ...
-full_disk_access_enabled : false
+full_disk_access_enabled : false
``` The output report displayed on running **mdatp health** is shown in the following screenshot:
You'll get the following output:
```OutputCopy network_extension_enabled : false
-network_extension_installed : true
-endpoint_security_extension_ready : false
-endpoint_security_extension_installed : true
+network_extension_installed : true
+endpoint_security_extension_ready : false
+endpoint_security_extension_installed : true
``` This output is shown in the following screenshot:
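Review bot: The "-"/"+" pairs in both output blocks are identical in visible text, so this is a whitespace-only realignment of the key/value columns; fine, but while this block is being touched, the second block's opening fence reads "```OutputCopy", where "Copy" looks like the rendered copy-button label pasted into the fence info string. It should be "```Output" like the first block, otherwise the fence is not recognized as Output.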
security Mac Sysext Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-policies.md
Title: New configuration profiles for macOS Big Sur and newer versions of macOS description: This topic describes the changes that are must be made in order to benefit from the system extensions, which are a replacement for kernel extensions on macOS Big Sur and newer versions of macOS.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, kernel, system, extensions, big sur, monterey, ventura, mde for mac
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
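Review bot: The unchanged description line has a grammar slip, "the changes that are must be made in order to benefit from the system extensions"; since this frontmatter is being edited anyway, drop "are" in the same change.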
security Mac Troubleshoot Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode.md
Title: Troubleshooting mode in Microsoft Defender for Endpoint on macOS description: This article describes how to enable the troubleshooting mode in Microsoft Defender for Endpoint on macOS.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, install, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-updates.md
Title: Deploy updates for Microsoft Defender for Endpoint on Mac description: Control updates for Microsoft Defender for Endpoint on Mac in enterprise environments.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, updates, deploy, big sur, monterey, ventura, mde for mac
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
Title: What's new in Microsoft Defender for Endpoint on Mac description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on Mac. --++ ms.localizationpriority: medium Last updated 09/28/2023-+ audience: ITPro - m365-security
security Machine Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-groups.md
Title: Create and manage device groups in Microsoft Defender for Endpoint description: Create device groups and set automated remediation levels on them by confirming the rules that apply on the group
-keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md
Title: Create and manage device tags description: Use device tags to group devices to capture context and enable dynamic list creation as part of an incident
-keywords: tags, device tags, device groups, groups, remediation, level, rules, aad group, role, assign, rank
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
Title: Device inventory description: Learn about the available features that you can use from the Devices list such as sorting, filtering, and exporting the list to enhance investigations.
-keywords: sort, filter, export, csv, device name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 12/18/2020
The **Device inventory** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days.
-At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
+At a glance you see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
> [!NOTE] > The device inventory is available in different Microsoft Defender XDR services. The information available to you will differ depending on your license. You'll get the most complete set of capabilities when using [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037).
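Review bot: The rewording "At a glance you see information such as domain, risk level, OS platform" now sits beside an unchanged NOTE that keeps "will differ" and "You'll get"; apply the same contraction and future-tense cleanup there. Separately, the unchanged lead sentence "The **Device inventory** shows a list of the devices in your network where alerts were generated" conflicts with the later paragraph that says onboarded devices appear as soon as they report sensor data and discovered devices are added by device discovery; reword it to cover onboarded and discovered devices rather than only devices with alerts.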
You can apply the following filters to limit the list of alerts and get a more f
During the Microsoft Defender for Endpoint onboarding process, devices onboarded to MDE are gradually populated into the device inventory as they begin to report sensor data. Following this, the device inventory is populated by devices that are discovered in your network through the device discovery process. The device inventory has three tabs that list devices by: -- **Computers and Mobile**: Enterprise endpoints (workstations, servers and mobile devices)
+- **Computers and Mobile**: Enterprise endpoints (workstations, servers, and mobile devices)
- **Network devices**: Devices like routers and switches - **IoT devices**: Devices like printers and cameras
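Review bot: "MDE" appears unexpanded in the context line "devices onboarded to MDE are gradually populated into the device inventory"; the rest of the article uses the full product name, so spell it out or define the abbreviation at first use while this paragraph is being edited.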
Access the device inventory page by selecting **Devices** from the **Assets** na
## Device inventory overview
-The device inventory opens on the **Computers and Mobile** tab. At a glance you'll see information such as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health state, and other details for easy identification of devices most at risk.
+The device inventory opens on the **Computers and Mobile** tab. At a glance you see information such as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health state, and other details for easy identification of devices most at risk.
-Use the **Onboarding Status** column to sort and filter by discovered devices, and those already onboarded to Microsoft Defender for Endpoint.
+Use the **Onboarding Status** column to sort and filter by discovered devices, and devices that are already onboarded to Microsoft Defender for Endpoint.
:::image type="content" alt-text="Image of devices list with list of devices." source="images/device-inventory.png" lightbox="images/device-inventory.png":::
-From the **Network devices** and **IoT devices** tabs, you'll also see information such as vendor, model and device type:
+From the **Network devices** and **IoT devices** tabs, you'll also see information such as vendor, model, and device type:
:::image type="content" alt-text="Image of network devices list." source="images/device-inventory-networkdevices.png" lightbox="images/device-inventory-networkdevices.png":::
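Review bot: Inconsistent edit within the same hunk: "At a glance you'll see" becomes "At a glance you see", but the added line "From the **Network devices** and **IoT devices** tabs, you'll also see information such as vendor, model, and device type:" keeps "you'll". Apply the same change to both lines.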
From the **Network devices** and **IoT devices** tabs, you'll also see informati
> > When Defender for IoT is configured, you also can view the devices there. See [Manage your IoT devices with the device inventory for organizations](/azure/defender-for-iot/organizations/how-to-manage-device-inventory-for-organizations).
-At the top of each device inventory tab, you can see the total number of devices, the number of devices that are not yet onboarded, and the number of devices that have been identified as a higher risk to your organization. You can use this information to help you prioritize devices for security posture improvements.
+At the top of each device inventory tab, you can see the total number of devices, the number of devices that aren't yet onboarded, and the number of devices that are identified as a higher risk to your organization. You can use this information to help you prioritize devices for security posture improvements.
The **Newly discovered** device count for network devices and IoT devices tabs, shows the number of new devices discovered, in the last 7 days, listed in the current view.
The counts on the top of each tab will be updated based on the current view.
Filter | Description :|: **Risk level** | The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
-**Exposure level** | The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation. </br> </br> If the exposure level says "No data available," there are a few reasons why this may be the case:</br>- Device stopped reporting for more than 30 days. In that case it's considered inactive, and the exposure isn't computed.</br>- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements).</br>- Device with stale agent (unlikely).
+**Exposure level** | The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation. </br> </br> If the exposure level says "No data available," there are a few reasons why:</br>- Device stopped reporting for more than 30 days. In that case it's considered inactive, and the exposure isn't computed.</br>- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements).</br>- Device with stale agent (unlikely).
**Tags** | Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md).
-**Device value** | Filter the list based on whether the device has been marked as high value or low value.
-**Exclusion state** | Filter the list based on whether the device has been excluded or not. For more information, see [Exclude devices](exclude-devices.md).
+**Device value** | Filter the list based on whether the device is marked as high value or low value.
+**Exclusion state** | Filter the list based on whether or not the device is excluded. For more information, see [Exclude devices](exclude-devices.md).
**OS Platform** | Filter by the OS platforms you're interested in investigating </br></br>(_Computers and mobile and IoT devices only_)
-**First seen** | Filter your view based on when the device was first seen in the network or when it was first reported by the Microsoft Defender for Endpoint sensor.</br></br>(_Computers and mobile and IoT devices only_)
-**Windows version** | Filter by the Windows versions you're interested in investigating. If 'future version' appears in the Windows version field, it can mean:</br></br> - This is a pre-release build for a future Windows release</br> - The build has no version name</br> - The build version name is not yet supported </br></br> In all these scenarios, where available, the full OS version can be seen in the device details page.</br></br> (_Computers and mobile only_)
-**Sensor health state** | Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:</br> - **Active**: Devices that are actively reporting sensor data to the service.</br> - **Inactive**: Devices that have stopped sending signals for more than 7 days. </br> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data. </br> Misconfigured devices can further be classified to: </br> - No sensor data </br> - Impaired communications </br> For more information on how to address issues on misconfigured devices see, [Fix unhealthy sensors](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors).</br></br> (_Computers and mobile only_)
-**Onboarding status** | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. Note that device discovery must be enabled for this filter to appear. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint. </br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but it's not currently onboarded. Microsoft highly recommends onboarding these devices. </br> - **Unsupported**: The endpoint was discovered in the network, but is not supported by Microsoft Defender for Endpoint. </br> - **Insufficient info**: The system couldn't determine the supportability of the device.</br></br> (_Computers and mobile only_)
+**First seen** | Filter your view based on when the device was first seen in the network or when it's first reported by the Microsoft Defender for Endpoint sensor.</br></br>(_Computers and mobile and IoT devices only_)
+**Windows version** | Filter by the Windows versions you're interested in investigating. If 'future version' appears in the Windows version field, it can mean:</br></br> - This is a prerelease build for a future Windows release</br> - The build has no version name</br> - The build version name isn't yet supported </br></br> In all these scenarios, where available, the full OS version can be seen in the device details page.</br></br> (_Computers and mobile only_)
+**Sensor health state** | Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:</br> - **Active**: Devices that are actively reporting sensor data to the service.</br> - **Inactive**: Devices that stopped sending signals for more than seven days. </br> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data. </br> Misconfigured devices can further be classified to: </br> - No sensor data </br> - Impaired communications </br> For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors).</br></br> (_Computers and mobile only_)
+**Onboarding status** | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. Device discovery must be enabled for this filter to appear. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint. </br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but it's not currently onboarded. Microsoft highly recommends onboarding these devices. </br> - **Unsupported**: The endpoint was discovered in the network, but isn't supported by Microsoft Defender for Endpoint. </br> - **Insufficient info**: The system couldn't determine the supportability of the device.</br></br> (_Computers and mobile only_)
**Antivirus status** | Filter the view based on whether the antivirus status is disabled, not updated or unknown.</br></br> (_Computers and mobile only_) **Group** | Filter the list based on the group you're interested in investigating. </br></br> (_Computers and mobile only_)
-**Managed by** | Managed by indicates how the device is being managed. You can filter by:</br> - Microsoft Defender for Endpoint</br> - Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach</br>- Microsoft Configuration manager (ConfigMgr)</br> - Unknown: This could be due the running an outdated Windows version, GPO management, or another third party MDM.</br></br> (_Computers and mobile only_)
+**Managed by** | Managed by indicates how the device is being managed. You can filter by:</br> - Microsoft Defender for Endpoint</br> - Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach</br>- Microsoft Configuration manager (ConfigMgr)</br> - Unknown: This issue could be due the running an outdated Windows version, GPO management, or another non-Microsoft MDM.</br></br> (_Computers and mobile only_)
**Device Type** | Filter by the device type you're interested in investigating.</br></br> (_IoT devices only_) **Mitigation status** | Filter by isolation or containment status of a device.
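Review bot: A grammar error survives into the added **Managed by** row: "This issue could be due the running an outdated Windows version" should read "could be due to the device running an outdated Windows version". In the added **Sensor health state** row, "For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors]" has a stray comma after "see". In the added **First seen** row, changing "when it was first reported" to "when it's first reported" breaks the tense: the device was first seen or reported in the past, so keep "was". The added **Exposure level** row also keeps "less vulnerable from exploitation", which should be "less vulnerable to exploitation".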
Filter | Description
You can add or remove columns from the view and sort the entries by clicking on an available column header.
-On the **Computer and Mobiles** tab, select **Customize columns** to see the columns available. The default values are checked in the image below:
+On the **Computer and Mobiles** tab, select **Customize columns** to see the columns available. The default values are checked in the following image:
:::image type="content" alt-text="Image of computers and mobiles" source="images/computerandmobilescolumns.png":::
-On the **Network devices** tab, select **Customize columns** to see the columns available. The default values are checked in the image below:
+On the **Network devices** tab, select **Customize columns** to see the columns available. The default values are checked in the following image:
:::image type="content" alt-text="Image of network device columns" source="images/networkdevicescolumns.png":::
-On the **IoT devices** tab, select **Customize columns** to see the columns available. The default values are checked in the image below:
+On the **IoT devices** tab, select **Customize columns** to see the columns available. The default values are checked in the following image:
:::image type="content" alt-text="Image of IoT device columns" source="images/iotdevicescolumns.png":::
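Review bot: Tab name mismatch in the edited line "On the **Computer and Mobiles** tab, select **Customize columns**": elsewhere on this page the tab is called **Computers and Mobile** ("**Computers and Mobile**: Enterprise endpoints" and "The device inventory opens on the **Computers and Mobile** tab"). Fix the name in the same edit since the line is already being touched.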
security Manage Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-alerts.md
Title: Manage Microsoft Defender for Endpoint alerts description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu.
-keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Manage Auto Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-auto-investigation.md
Title: Review remediation actions following automated investigations description: Review and approve (or reject) remediation actions following an automated investigation. --++ ms.localizationpriority: medium Last updated 07/13/2023-+ audience: ITPro - m365-security
security Manage Automation File Uploads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-file-uploads.md
Title: Manage automation file uploads description: Enable content analysis and configure the file extension and email attachment extensions that will be submitted for analysis
-keywords: automation, file, uploads, content, analysis, file, extension, email, attachment
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Manage Automation Folder Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions.md
Title: Manage automation folder exclusions description: Add automation folder exclusions to control the files that are excluded from an automated investigation.
-keywords: manage, automation, exclusion, block, clean, malicious
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Manage Event Based Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus.md
Title: Apply Microsoft Defender Antivirus updates after certain events description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
-keywords: updates, protection, force updates, events, startup, check for latest, notifications
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium --++ Last updated 09/17/2018 -+ - m365-security
security Manage Gradual Rollout https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-gradual-rollout.md
Title: Manage the gradual rollout process for Microsoft Defender updates
-description: Learn about the gradual update process and controls
+description: Learn about the gradual update process and controls.
f1.keywords: - NOCSH--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 01/12/2024
- Microsoft Defender Antivirus **Platforms**+ - Windows
-It is important to ensure that client components are up to date to deliver critical protection capabilities and prevent attacks.
+It's important to ensure that client components are up to date to deliver critical protection capabilities and prevent attacks.
Capabilities are provided through several components:
Our engineers continuously monitor impact and escalate any issues to create a fi
## How to customize your internal deployment process
-If your machines are receiving Defender updates from Windows Update, the gradual rollout process may result in some of your machines receiving Defender updates sooner than others. The following section explains how to define a strategy that will allow automatic updates to flow differently to specific groups of devices by leveraging update channel configuration.
+If your machines are receiving Defender updates from Windows Update, the gradual rollout process can result in some of your devices receiving Defender updates sooner than others. The following section explains how to define a strategy that will allow automatic updates to flow differently to specific groups of devices by using update channel configuration.
> [!NOTE] > When planning for your own gradual release, please make sure to always have a selection of devices subscribed to the preview and staged channels. This will provide your organization as well as Microsoft the opportunity to prevent or find and fix issues specific to your environment.
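Review bot: The added sentence mixes terms: "If your machines are receiving Defender updates from Windows Update, the gradual rollout process can result in some of your devices receiving Defender updates sooner than others." "machines" was changed to "devices" in the second clause only; use "devices" in both. "that will allow automatic updates to flow" can also drop "will", in line with the other future-tense cleanups in this change.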
The following update channels are available:
|||| |Beta Channel - Prerelease|Test updates before others|Devices set to this channel will be the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only.| |Current Channel (Preview)|Get Current Channel updates **earlier** during gradual release|Devices set to this channel will be offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments.|
-|Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).|
+|Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices are offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).|
|Current Channel (Broad)|Get updates at the end of gradual release|Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).|
-|Critical: Time Delay|Delay Defender updates|Devices will be offered updates with a 48-hour delay. Best for datacenter machines that only receive limited updates. Suggested for critical environments only.|
-|(default)||If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices.|
+|Critical: Time Delay|Delay Defender updates|Devices are offered updates with a 48-hour delay. Best for datacenter machines that only receive limited updates. Suggested for critical environments only.|
+|(default)||If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices.|
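Review bot: Only two of the channel rows were changed from "will be offered" to "are offered"; the unchanged "Current Channel (Broad)" row ("Devices will be offered updates only after the gradual release cycle completes") and the "Current Channel (Preview)" row ("Devices set to this channel will be offered updates earliest") still use "will", so the table now reads inconsistently. Apply the same rewording to every row.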
### Update channels for daily updates
-You can also assign a machine to a channel to define the cadence in which it receives daily updates. Note that unlike the monthly process, there is no Beta channel and this gradual release cycle occurs multiple times a day.
+You can also assign a machine to a channel to define the cadence in which it receives daily updates. Unlike the monthly process, there's no Beta channel and this gradual release cycle occurs multiple times a day.
|Channel name|Description|Application| ||||
-|Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).|
+|Current Channel (Staged)|Get Current Channel updates later during gradual release|Devices are offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%).|
|Current Channel (Broad)|Get updates at the end of gradual release|Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates.|
-|(default)||If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices|
+|(default)||If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices|
> [!NOTE] > In case you wish to force an update to the newest signature instead of leveraging the time delay, you will need to remove this policy first. ## Update guidance
-In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This provides the best balance between protection and possible impact associated with the changes they can introduce.
+In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This option provides the best balance between protection and possible impact associated with the changes they can introduce.
-For environments where there is a need for a more controlled gradual rollout of automatic Defender updates, consider an approach with deployment groups:
+For environments where there's a need for a more controlled gradual rollout of automatic Defender updates, consider an approach with deployment groups:
1. Participate in the Windows Insider program or assign a group of devices to the Beta Channel. 2. Designate a pilot group that opts-in to Preview Channel, typically validation environments, to receive new updates early.
-3. Designate a group of machines that receive updates later during the gradual rollout from Staged channel. Typically, this would be a representative ~10% of the population.
+3. Designate a group of machines that receive updates later during the gradual rollout from Staged channel. Typically, this group would be a representative ~10% of the population.
4. Designate a group of machines that receive updates after the gradual release cycle completes. These are typically important production systems.
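Review bot: the wording fix applied to the Staged row ("Devices will be offered" to "Devices are offered") is not applied to the Broad row two lines below, which still reads "Devices will be offered updates after the gradual release cycle"; change it to "Devices are offered updates after the gradual release cycle" so the two rows read consistently. In the same spirit, the note's "you will need to remove this policy first" could become "you'll need to remove this policy first", and step 3's "from Staged channel" should be "from the Staged channel", matching the table's "Current Channel (Staged)" name. The Broad row's trailing "Note: this setting applies to all Defender updates" is also ambiguous about which setting it refers to (the channel policy as a whole, or Broad specifically) and deserves a clarifying word while this table is being touched.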
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-incidents.md
Title: Manage Microsoft Defender for Endpoint incidents description: Manage incidents by assigning it, updating its status, or setting its classification.
-keywords: incidents, manage, assign, status, classification, true alert, false alert
-search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.sitesec: library
-ms.pagetype: security
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Manage Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-indicators.md
Title: Create indicators description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
-keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
ms.localizationpriority: medium-+ audience: ITPro
security Manage Mde Post Migration Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-configuration-manager.md
- Title: Manage Microsoft Defender for Endpoint using Configuration Manager
-description: Learn how to manage Microsoft Defender for Endpoint with Configuration Manager
-keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, Microsoft Defender for Endpoint, edr
-
-ms.sitesec: library
-ms.pagetype: security
------ m365-security-- tier2- Previously updated : 01/27/2023---
-# Manage Microsoft Defender for Endpoint with Configuration Manager
-
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) or [Configuration Manager](/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints).
-
-This article describes how to manage Defender for Endpoint settings with Configuration Manager, and lists various tasks you can perform.
-
-## Configure Microsoft Defender for Endpoint with Configuration Manager
-
-|Task|Resources to learn more|
-|||
-|**Install the Configuration Manager console** if you don't already have it <br/><br/> *If you don't already have the Configuration Manger console, use these resources to get the bits and install it.*|[Get the installation media](/mem/configmgr/core/servers/deploy/install/get-install-media) <br/><br/> [Install the Configuration Manager console](/mem/configmgr/core/servers/deploy/install/install-consoles)|
-|**Use Configuration Manager to onboard devices** to Microsoft Defender for Endpoint <br/><br/> *If you have devices (or endpoints) not already onboarded to Microsoft Defender for Endpoint, you can do that with Configuration Manager.*|[Onboard to Microsoft Defender for Endpoint with Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager)|
-|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints) <br/><br/> *Configure endpoint protection features, including Microsoft Defender for Endpoint, exploit protection, application control, antimalware, firewall settings, and more.*|[Configuration
-|**Choose methods for updating antimalware updates** on your organization's devices <br/><br/> *With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.*|[Configure definition updates for Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-definition-updates) <br/><br/> [Use Configuration Manager to deliver definition updates](/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr)|
-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet <br/><br/> *We recommend using [audit mode](/microsoft-365/security/defender-endpoint/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.*|[Turn on network protection with Configuration Manager](/microsoft-365/security/defender-endpoint/enable-network-protection#microsoft-endpoint-configuration-manager)|
-|**Configure controlled folder access** to protect against ransomware <br/><br/> *Controlled folder access is also referred to as antiransomware protection.*|[Endpoint protection: Controlled folder access](/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <br/><br/> [Enable controlled folder access in Microsoft Endpoint Configuration Manage](/microsoft-365/security/defender-endpoint/enable-controlled-folders#microsoft-endpoint-configuration-manager)|
-
-<a name='configure-your-microsoft-365-defender-portal'></a>
-
-## Configure your Microsoft Defender portal
-
-If you haven't already done so, configure your Microsoft Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture. See While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender). You can also configure whether and what features end users can see in the Microsoft Defender portal.
--- [Overview of Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/use)-- [Endpoint protection: Microsoft Defender XDR](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)-
-## Next steps
--- [Get an overview of Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
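Review bot: this hunk deletes the whole Configuration Manager post-migration article, but no redirect for manage-mde-post-migration-configuration-manager.md is visible in the change; the same applies to the Group Policy, Intune and PowerShell/WMI/MPCmdRun.exe articles deleted below. Confirm a redirect exists for each removed path and that the tasks in the deleted table (onboarding, antimalware and firewall policy, definition updates, network protection in audit mode first, controlled folder access) are covered wherever the content now lives. Two defects in the deleted text should not be carried over if any of it is being moved rather than dropped: the "Manage antimalware policies and Windows Firewall security" row is truncated after "[Configuration", and the portal section contains a broken replacement ("See While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered ...") where a link was expected.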
security Manage Mde Post Migration Group Policy Objects https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-group-policy-objects.md
- Title: Manage Microsoft Defender for Endpoint using Group Policy Objects
-description: Learn how to manage Microsoft Defender for Endpoint with Group Policy Objects
-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, Microsoft Defender for Endpoint, edr
-
-ms.sitesec: library
-ms.pagetype: security
-- Previously updated : 01/27/2023---- m365-security-- tier2----
-# Manage Microsoft Defender for Endpoint with Group Policy Objects
-
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-> [!NOTE]
-> We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) or [Configuration Manager](/mem/configmgr/core/understand/introduction) to manage Defender for Endpoint settings. However, you can use Group Policy Objects in Microsoft Entra Domain Services to manage some of your Defender for Endpoint settings.
-
-## Configure Microsoft Defender for Endpoint with Group Policy Objects
-
-> [!NOTE]
-> If you're using [the new, unified Microsoft Defender for Endpoint solution for Windows Server 2012 R2 and 2016](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview), please ensure you are using the latest ADMX files in your central store to get access to the correct Microsoft Defender for Endpoint policy options. Please reference [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) and download the latest files **for use with Windows 10**.
-
-The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Group Policy Objects.
-
-|Task|Resources to learn more|
-|||
-|**Manage settings for user and computer objects** <br/><br/> *Customize built-in Group Policy Objects, or create custom Group Policy Objects and organizational units to suit your organizational needs.*|[Administer Group Policy in a Microsoft Entra Domain Services managed domain](/azure/active-directory-domain-services/manage-group-policy)|
-|**Configure Microsoft Defender Antivirus** <br/><br/> *Configure antivirus features & capabilities, including policy settings, exclusions, remediation, and scheduled scans on your organization's devices (also referred to as endpoints).*|[Use Group Policy settings to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) <br/><br/> [Use Group Policy to enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-group-policy-to-enable-cloud-delivered-protection)|
-|**Manage your organization's attack surface reduction rules** <br/><br/> *Customize your attack surface reduction rules by excluding files & folders, or by adding custom text to notification alerts that appear on users' devices.*|[Customize attack surface reduction rules with Group Policy Objects](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement)|
-|**Manage exploit protection settings** <br/><br/> *You can customize your exploit protection settings, import a configuration file, and then use Group Policy to deploy that configuration file.*|[Customize exploit protection settings](/microsoft-365/security/defender-endpoint/customize-exploit-protection) <br/><br/> [Import, export, and deploy exploit protection configurations](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml) <br/><br/> [Use Group Policy to distribute the configuration](/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml#use-group-policy-to-distribute-the-configuration)|
-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet <br/><br/> *We recommend using [audit mode](/microsoft-365/security/defender-endpoint/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.*|[Turn on network protection using Group Policy](/microsoft-365/security/defender-endpoint/enable-network-protection#group-policy)|
-|**Configure controlled folder access** to protect against ransomware <br/><br/> *[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.*|[Enable controlled folder access using Group Policy](/microsoft-365/security/defender-endpoint/enable-controlled-folders#group-policy)|
-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet.|[Configure Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings using Group Policy](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#group-policy-settings)|
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows|[BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)|
-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks|[Enable Windows Defender Credential Guard by using Group Policy](/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard-by-using-group-policy)|
-
-<a name='configure-your-microsoft-365-defender-portal'></a>
-
-## Configure your Microsoft Defender portal
-
-If you haven't already done so, configure your Microsoft Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture. See [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender). You can also configure whether and what features end users can see in the Microsoft Defender portal.
--- [Overview of Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/use)-- [Endpoint protection: Microsoft Defender XDR](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)-
-## Next steps
--- [Get an overview of Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
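Review bot: the deletion drops the note that the unified Defender for Endpoint solution for Windows Server 2012 R2 and 2016 requires the latest ADMX files in the Group Policy central store ("download the latest files for use with Windows 10"); if the Group Policy guidance is being consolidated elsewhere, make sure that caveat carries over, because stale templates simply do not show the newer policy options and the omission is easy to miss. The removed article also scoped Group Policy management to "Group Policy Objects in Microsoft Entra Domain Services" in both the note and the first table row; the destination content should state plainly whether on-premises Active Directory GPOs are covered as well, since that was left implicit here.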
security Manage Mde Post Migration Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-intune.md
- Title: Manage Microsoft Defender for Endpoint using Intune
-description: Learn how to manage Microsoft Defender for Endpoint with Intune
------- m365-security-- tier2- Previously updated : 09/12/2023---
-# Manage Microsoft Defender for Endpoint with Intune
-
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)--
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-We recommend using Microsoft Intune to manage your organization's threat protection features for devices (also referred to as endpoints). This article describes how to find your Microsoft Defender for Endpoint settings in Intune, and lists various tasks you can perform.
-
-## Find your Microsoft Defender for Endpoint settings in Intune
-
-> [!IMPORTANT]
-> You must have either the global administrator or service administrator role assigned in Intune to configure the settings described in this article. To learn more, see **[Types of administrators (Intune)](/mem/intune/fundamentals/users-add#types-of-administrators)**.
-
-1. Go to the [Microsoft Intune admin center](https://endpoint.microsoft.com/#home) and sign in.
-
-2. In the navigation pane on the left, choose **Device configuration**, and then, under **Manage**, choose **Profiles**.
-
-3. Select an existing profile, or create a new one.
-
-> [!TIP]
-> Need help? See **[Using Microsoft Defender for Endpoint with Intune](/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
-
-## Configure Microsoft Defender for Endpoint with Intune
-
-The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
-
-|Task|Resources to learn more|
-|||
-|**Manage your organization's devices using Intune** to protect those devices and data stored on them|[Protect devices with Microsoft Intune](/mem/intune/protect/device-protect)|
-|**Integrate Microsoft Defender for Endpoint with Intune** as a Mobile Threat Defense solution <br/>*(for Android devices and devices running Windows 10 or Windows 11)*|[Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection)|
-|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources|[Configure Conditional Access in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-conditional-access)|
-|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider))|[Device restrictions: Microsoft Defender Antivirus](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus) <br/><br/> [Policy CSP - Microsoft Defender for Endpoint](/windows/client-management/mdm/policy-csp-defender)|
-|**If necessary, specify exclusions for Microsoft Defender Antivirus** <br/><br/> *Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.*|[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers) <br/><br/> [Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 and Windows 11 devices](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions) <br/><br/> [Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019 or 2022](/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|
-|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers <br/><br/> *Configure your attack surface reduction rules in [audit mode](/microsoft-365/security/defender-endpoint/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.*|[Audit mode in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/audit-windows-defender) <br/><br/> [Endpoint protection: Attack Surface Reduction](/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction) <br/><br/> [Learn more about attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) <br/><br/> [Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420)|
-|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations <br/><br/> *Network filtering is also referred to as [network protection](/microsoft-365/security/defender-endpoint/network-protection).* <br/><br/> *Make sure that Windows 10 and Windows 11 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](/mem/intune/protect/endpoint-protection-windows-10#network-filtering) <br/><br/> [Review network protection events in Windows Event Viewer](/microsoft-365/security/defender-endpoint/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer)|
-|**Configure controlled folder access** to protect against ransomware <br/><br/> *[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.*|[Endpoint protection: Controlled folder access](/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access) <br/><br/> [Enable controlled folder access in Intune](/microsoft-365/security/defender-endpoint/enable-controlled-folders#intune)|
-|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices <br/><br/> *[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) is also referred to as Exploit Guard.*|[Endpoint protection: Microsoft Defender Exploit Guard](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard) <br/><br/> [Enable exploit protection in Intune](/microsoft-365/security/defender-endpoint/enable-exploit-protection#intune)|
-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet. <br/><br/> *Microsoft Edge should be installed on your organization's devices. For protection on Google Chrome and FireFox browsers, configure exploit protection.*|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) <br/><br/> [Device restrictions: Microsoft Defender SmartScreen](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-smartscreen) <br/><br/> [Policy settings for managing SmartScreen in Intune](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#mdm-settings)|
-|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices|[Endpoint protection: Microsoft Defender Firewall](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-firewall) <br/><br/> [Microsoft Defender Firewall with Advanced Security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows|[Endpoint protection: Windows Encryption](/mem/intune/protect/endpoint-protection-windows-10#windows-encryption) <br/><br/> [BitLocker for Windows 10 and Windows 11 devices](/windows/security/information-protection/bitlocker/bitlocker-overview)|
-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks|For Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019, and Windows Server 2022, see [Endpoint protection: Microsoft Defender Credential Guard](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard) <br/><br/> For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036)|
-|**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices <br/><br/> *Microsoft Defender Application Control is also referred to as [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) <br/><br/> [Endpoint protection: Microsoft Defender Application Control](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control) <br/><br/> [AppLocker CSP](/windows/client-management/mdm/applocker-csp)|
-|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices|[Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune](/windows/security/threat-protection/device-control/control-usb-devices-using-intune)|
-
-<a name='configure-your-microsoft-365-defender-portal'></a>
-
-## Configure your Microsoft Defender portal
-
-If you haven't already done so, configure your Microsoft Defender portal to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture. See [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender). You can also configure whether and what features end users can see in the Microsoft Defender portal.
--- [Overview of Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/use)-- [Endpoint protection: Microsoft Defender XDR](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)-
-## Next steps
--- [Get an overview of Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)-
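Review bot: the removed Intune task table carries operational guidance that is easy to lose in a consolidation and should be confirmed present in the destination article: run attack surface reduction rules in audit mode "for at least one week and up to two months" before switching them to active mode, and Microsoft Defender SmartScreen protects only Microsoft Edge, so "for protection on Google Chrome and FireFox browsers, configure exploit protection". The [!IMPORTANT] note ("You must have either the global administrator or service administrator role assigned in Intune") was also the only statement of the permissions needed for these settings, so the replacement should keep an equivalent role requirement.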
security Manage Mde Post Migration Other Tools https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-other-tools.md
- Title: Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe
-description: Learn how to manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, Microsoft Defender for Endpoint, edr
--
-ms.sitesec: library
-ms.pagetype: security
------ m365-security-- tier2-- mde-ngp-- -- Previously updated : 10/22/2021--
-# Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
-
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) or [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/understand/introduction) to manage Defender for Endpoint settings. However, you can use other tools to manage some settings, such as Microsoft Defender Antivirus, exploit protection, and customized attack surface reduction rules with:
--- [PowerShell](#configure-microsoft-defender-for-endpoint-with-powershell);-- [Windows Management Instrumentation](#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi) (WMI); and-- The [Microsoft Malware Protection Command Line Utility](#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe) (MPCmdRun.exe). -
-> [!IMPORTANT]
-> Threat protection features that you configure by using PowerShell, WMI, or MCPmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.
-
-## Configure Microsoft Defender for Endpoint with PowerShell
-
-You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.
-
-|Task|Resources to learn more|
-|||
-|**Manage Microsoft Defender Antivirus** <br/><br/> View status of antimalware protection, configure preferences for antivirus scans & updates, and make other changes to your antivirus protection.*|[Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) <br/><br/> [Use PowerShell cmdlets to enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-powershell-cmdlets-to-enable-cloud-delivered-protection)|
-|**Configure exploit protection** to mitigate threats on your organization's devices <br/><br/> *We recommend using exploit protection in [audit mode](/microsoft-365/security/defender-endpoint/evaluate-exploit-protection#powershell) at first. That way, you can see how exploit protection affects apps your organization is using.*|[Customize exploit protection](/microsoft-365/security/defender-endpoint/customize-exploit-protection) <br/><br/> [PowerShell cmdlets for exploit protection](/microsoft-365/security/defender-endpoint/customize-exploit-protection#powershell-reference)|
-|**Configure attack surface reduction rules** with PowerShell <br/><br/> *You can use PowerShell to exclude files and folders from attack surface reduction rules.*|[Customize attack surface reduction rules: Use PowerShell to exclude files & folders](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction) <br/><br/> Also, see [Ant├│nio Vasconcelo's graphical user interface tool for setting attack surface reduction rules with PowerShell](https://github.com/anvascon/MDATP_PoSh_Scripts/tree/master/ASR%20GUI).|
-|**Enable Network Protection** with PowerShell <br/><br/> *You can use PowerShell to enable Network Protection.*|[Turn on Network Protection with PowerShell](/microsoft-365/security/defender-endpoint/enable-network-protection#powershell)|
-|**Configure controlled folder access** to protect against ransomware <br/><br/> *[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) is also referred to as antiransomware protection.*|[Enable controlled folder access with PowerShell](/microsoft-365/security/defender-endpoint/enable-controlled-folders#powershell)|
-|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices|[Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell)|
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows|[BitLocker PowerShell reference guide](/powershell/module/bitlocker/)|
-
-## Configure Microsoft Defender for Endpoint with Windows Management Instrumentation (WMI)
-
-WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see [Using WMI](/windows/win32/wmisdk/using-wmi).
-
-|Task|Resources to learn more|
-|||
-|**Enable cloud-delivered protection** on a device|[Use Windows Management Instruction (WMI) to enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-windows-management-instruction-wmi-to-enable-cloud-delivered-protection)|
-|**Retrieve, modify, and update settings** for Microsoft Defender Antivirus|[Use WMI to configure and manage Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus <br/><br/> [Review the list of available WMI classes and example scripts](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) <br/><br/> Also see the archived [Windows Defender WMIv2 Provider reference information](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal?redirectedfrom=MSDN)|
-
-## Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
-
-On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
-
-To learn more, see [Configure and manage Microsoft Defender Antivirus with mpcmdrun.exe](/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus).
-
-<a name='configure-your-microsoft-365-defender-portal'></a>
-
-## Configure your Microsoft Defender portal
-
-If you haven't already done so, configure your <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
-
-You can also configure whether and what features end users can see.
--- [Endpoint protection: Microsoft Defender Security Center](/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)-
-## Next steps
--- [Get an overview of Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
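Review bot: this removes the whole page, including the legacy anchor `<a name='configure-your-microsoft-365-defender-portal'></a>` and the section anchors that manage-mde-post-migration.md deep-links to (`#configure-microsoft-defender-for-endpoint-with-powershell` and the WMI and MPCmdRun.exe equivalents), so those URLs will 404 for anyone who bookmarked or linked them; add a redirect for manage-mde-post-migration-other-tools.md in the same change. Nothing in this change re-homes the guidance being deleted (exploit protection in audit mode first, the `%ProgramFiles%\Windows Defender\MpCmdRun.exe` path, the WMI class references), so confirm the replacement page points readers to where the PowerShell, WMI and MPCmdRun.exe material now lives.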
security Manage Mde Post Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration.md
- Title: Manage Microsoft Defender for Endpoint after initial setup or migration
-description: Now that you've made the switch to Microsoft Defender for Endpoint, your next step is to manage your threat protection features
-------- m365-security-- tier2-- essentials-manage- Previously updated : 04/17/2023---
-# Manage Microsoft Defender for Endpoint after initial setup or migration
-
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-After you have set up and configured Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Microsoft Configuration Manager](/mem/configmgr/core/understand/introduction) or [Group Policy Objects in Microsoft Entra Domain Services](/azure/active-directory-domain-services/manage-group-policy).
-
-The following table lists various tools/methods you can use, with links to learn more.
-
-|Tool/Method|Description|
-|||
-|**[Microsoft Defender Vulnerability Management dashboard insights](/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the [Microsoft Defender XDR](https://security.microsoft.com/) portal|The Defender Vulnerability Management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture. <br/><br/> See [Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) and [Overview of Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/use).|
-|**[Microsoft Intune](/mem/intune/fundamentals/what-is-intune)** | Intune provides mobile device management (MDM) and mobile application management (MAM) capabilities. With Intune, you control how your organization's devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. <br/><br/> See [Manage Microsoft Defender for Endpoint using Intune](manage-mde-post-migration-intune.md).|
-|**[Microsoft Configuration Manager](/mem/configmgr/core/understand/introduction)**|Microsoft Configuration Manager, formerly known as System Center Configuration Manager, is a powerful tool to manage your users, devices, and software. <br/><br/> See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-mde-post-migration-configuration-manager.md).|
-|**[Group Policy Objects in Microsoft Entra Domain Services](/azure/active-directory-domain-services/manage-group-policy)**|[Microsoft Entra Domain Services](/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs). <br/><br/> See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-mde-post-migration-group-policy-objects.md).|
-|**[PowerShell, WMI, and MPCmdRun.exe](manage-mde-post-migration-other-tools.md)**|*We recommend using Microsoft Intune or Configuration Manager to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.* <br/><br/> You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-mde-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell). <br/><br/> You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-mde-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi). <br/><br/> You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-mde-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe).|
--
-## See also
--- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
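Review bot: deleting this hub page needs a redirect entry for manage-mde-post-migration.md so existing bookmarks and search results still resolve; the two inbound links in migration-guides.md and switch-to-mde-phase-3.md are repointed to preferences-setup.md elsewhere in this change, but the file itself is just removed. The table in this page was also the entry point for manage-mde-post-migration-intune.md, manage-mde-post-migration-configuration-manager.md and manage-mde-post-migration-group-policy-objects.md; check whether those pages are retired in the same change or, if they stay, which page now links to them.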
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
Title: Apply Microsoft Defender Antivirus protection updates to out of date endpoints description: Define when and how updates should be applied for endpoints that haven't updated in a while.
-keywords: updates, protection, out of date, outdated, old, catch-up
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium --++ -+ - m365-security
security Manage Profiles Approve Sys Extensions Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-profiles-approve-sys-extensions-intune.md
ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Manage Protection Update Schedule Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus.md
-+ - m365-security
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
-+
security Manage Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-security-policies.md
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Manage Suppression Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-suppression-rules.md
ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Manage Sys Extensions Manual Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-manual-deployment.md
ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Manage Sys Extensions Using Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-using-jamf.md
ms.pagetype: security
ms.localizationpriority: medium-+ audience: ITPro - m365-security
security Manage Tamper Protection Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-configuration-manager.md
Title: Manage tamper protection using tenant attach with Configuration Manager, version 2006 -+ description: Turn tamper protection on or off using tenant attach with Configuration Manager. ms.localizationpriority: medium
security Manage Tamper Protection Individual Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device.md
Title: Manage tamper protection on an individual device -+ description: Turn tamper protection on or off for an individual device. ms.localizationpriority: medium
security Manage Tamper Protection Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune.md
Title: Manage tamper protection for your organization using Microsoft Intune -+ description: Turn tamper protection on or off for your organization in Microsoft Intune. ms.localizationpriority: medium
security Manage Tamper Protection Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-microsoft-365-defender.md
Title: Manage tamper protection for your organization using Microsoft Defender XDR -+ description: Turn tamper protection on or off for your tenant using the Microsoft Defender portal. ms.localizationpriority: medium
security Manage Updates Mobile Devices Vms Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
-+ - m365-security
security Mde Linux Deployment On Sap https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-linux-deployment-on-sap.md
Title: Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP description: Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, SAp
--++ ms.localizationpriority: medium-+ audience: ITPro - m365-security
Last updated 01/10/2024
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-This article provides deployment guidance for Microsoft Defender for Endpoint on Linux for SAP. You'll learn about recommended SAP OSS(Online Services System) notes, the system requirements, prerequisites, important configuration settings, recommended antivirus exclusions, and guidance on scheduling antivirus scans.
+This article provides deployment guidance for Microsoft Defender for Endpoint on Linux for SAP. This article includes recommended SAP OSS (Online Services System) notes, the system requirements, prerequisites, important configuration settings, recommended antivirus exclusions, and guidance on scheduling antivirus scans.
Conventional security defenses that have been commonly used to protect SAP systems such as isolating infrastructure behind firewalls and limiting interactive operating system logons are no longer considered sufficient to mitigate modern sophisticated threats. It's essential to deploy modern defenses to detect and contain threats in real-time. SAP applications unlike most other workloads require basic assessment and validation before deploying Microsoft Defender for Endpoint. The Enterprise Security administrators should contact the SAP Basis Team prior to deploying Defender for Endpoint. The SAP Basis Team should be cross trained with a basic level of knowledge about Defender for Endpoint.
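Review bot: the rewritten opening repeats "This article" back to back ("This article provides ... This article includes ..."); fold the second sentence into the first, for example "This article provides deployment guidance for Microsoft Defender for Endpoint on Linux for SAP, including recommended SAP OSS (Online Services System) notes, the system requirements, ...". In the untouched paragraph that follows, "SAP applications unlike most other workloads require" needs commas around "unlike most other workloads".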
Conventional security defenses that have been commonly used to protect SAP syste
## SAP Applications on Linux -- SAP only supports Suse, Redhat and Oracle Linux. Other distributions aren't supported for SAP S4 or NetWeaver applications.
+- SAP only supports Suse, Redhat, and Oracle Linux. Other distributions aren't supported for SAP S4 or NetWeaver applications.
- Suse 15.x, Redhat 8.x or 9.x and Oracle Linux 8.x are strongly recommended.-- Suse 12.x, Redhat 7.x and Oracle Linux 7.x are technically supported but haven't been extensively tested.-- Suse 11.x, Redhat 6.x and Oracle Linux 6.x might not be supported and haven't been tested.-- Suse and Redhat offer tailored distributions for SAP. These ΓÇ£for SAPΓÇ¥ versions of Suse and Redhat might have different packages preinstalled and possibly different kernels.
+- Suse 12.x, Redhat 7.x and Oracle Linux 7.x are technically supported but weren't extensively tested.
+- Suse 11.x, Redhat 6.x and Oracle Linux 6.x might not be supported and weren't tested.
+- Suse and Redhat offer tailored distributions for SAP. These "for SAP" versions of Suse and Redhat might have different packages preinstalled and possibly different kernels.
- SAP only supports certain Linux File systems. In general, XFS and EXT3 are used. Oracle Automatic Storage Management (ASM) filesystem is sometimes used for Oracle DBMS and can't be read by Defender for Endpoint.-- Some SAP applications use ΓÇ£standalone enginesΓÇ¥ such as TREX, Adobe Document Server, Content Server and LiveCache. These engines require specific configuration and file exclusions.
+- Some SAP applications use "standalone engines" such as TREX, Adobe Document Server, Content Server and LiveCache. These engines require specific configuration and file exclusions.
- SAP applications often have Transport and Interface directories with many thousands of small files. If the number of files is larger than 100,000, it might and affect performance. It's recommended to archive files.-- It's strongly recommended to deploy Defender for Endpoint to non-productive SAP landscapes for several weeks before deploying to production. The SAP Basis Team should use tools such as sysstat, KSAR and nmon to verify if CPU and other performance parameters are impacted.
+- It's strongly recommended to deploy Defender for Endpoint to nonproductive SAP landscapes for several weeks before deploying to production. The SAP Basis Team should use tools such as sysstat, KSAR, and nmon to verify if CPU and other performance parameters are impacted.
-## Prerequisites for deploying Microsoft Defender for Endpoint for Linux on SAP VMs
+## Prerequisites for deploying Microsoft Defender for Endpoint on Linux on SAP VMs
- Microsoft Defender for Endpoint [version](./linux-whatsnew.md) >= 101.23082.0009 | Release version: 30.123082.0009 or higher must be deployed.-- Microsoft Defender for Endpoint for Linux supports all the [Linux releases](microsoft-defender-endpoint-linux.md#system-requirements) used by SAP applications.-- Microsoft Defender for Endpoint for Linux requires connectivity to [specific Internet endpoints](microsoft-defender-endpoint-linux.md#network-connections) from VMs to update AV Definitions.-- Microsoft Defender for Endpoint for Linux requires some crontab (or other task scheduler) entries to schedule scans, log rotation, and Microsoft Defender for Endpoint updates. Enterprise Security team will normally manage these entries. Refer to [How to schedule an update of the Microsoft Defender for Endpoint (Linux) | Microsoft Learn](linux-update-mde-linux.md).
+- Microsoft Defender for Endpoint on Linux supports all the [Linux releases](microsoft-defender-endpoint-linux.md#system-requirements) used by SAP applications.
+- Microsoft Defender for Endpoint on Linux requires connectivity to [specific Internet endpoints](microsoft-defender-endpoint-linux.md#network-connections) from VMs to update antivirus Definitions.
+- Microsoft Defender for Endpoint on Linux requires some crontab (or other task scheduler) entries to schedule scans, log rotation, and Microsoft Defender for Endpoint updates. Enterprise Security teams normally manage these entries. Refer to [How to schedule an update of the Microsoft Defender for Endpoint (Linux) | Microsoft Learn](linux-update-mde-linux.md).
The default configuration option for deployment as an Azure Extension for AntiVirus (AV) will be Passive Mode. This means that the AV component of Microsoft Defender for Endpoint won't intercept IO calls. It's recommended to run Microsoft Defender for Endpoint in Passive Mode on all SAP applications and to schedule a scan once per day. In this mode: -- **Real-time protection is turned off**: Threats are not remediated by Microsoft Defender Antivirus.
+- **Real-time protection is turned off**: Threats aren't remediated by Microsoft Defender Antivirus.
- **On-demand scanning is turned on**: Still use the scan capabilities on the endpoint.-- **Automatic threat remediation is turned off**: No files will be moved and the security administrator is expected to take required action.-- **Security intelligence updates are turned on**: Alerts will be available on security administrator's tenant.
+- **Automatic threat remediation is turned off**: No files are moved and the security administrator is expected to take required action.
+- **Security intelligence updates are turned on**: Alerts are available on security administrator's tenant.
The Linux crontab is typically used to schedule Microsoft Defender for Endpoint AV scan and log rotation tasks: [How to schedule scans with Microsoft Defender for Endpoint (Linux) | Microsoft Learn](linux-schedule-scan-mde.md)
-Endpoint Detection and Response (EDR) functionality is active whenever Microsoft Defender for Endpoint for Linux is installed. There is no simple way to disable EDR functionality through command line or configuration. For more information on troubleshooting EDR, see the sections [Useful Commands](#useful-commands) and [Useful Links](#useful-links).
+Endpoint Detection and Response (EDR) functionality is active whenever Microsoft Defender for Endpoint on Linux is installed. There's no simple way to disable EDR functionality through command line or configuration. For more information on troubleshooting EDR, see the sections [Useful Commands](#useful-commands) and [Useful Links](#useful-links).
## Important Configuration Settings for Microsoft Defender for Endpoint on SAP on Linux
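Review bot: the untouched bullet at the top of this hunk still reads "it might and affect performance" (should be "it might affect performance"); since the neighbouring bullets are being reworded, fix it here. Two of the new wordings also need a second look: "nonproductive SAP landscapes" means unproductive ones, and the SAP term is "non-production"; and "update antivirus Definitions" mixes cases while the same hunk later calls these "security intelligence updates", so pick one term. The distro names are written "Suse" and "Redhat" throughout, but microsoft-defender-endpoint-linux.md in this same change uses "SUSE Linux Enterprise Server" and "Red Hat Enterprise Linux"; align them. Minor: "Alerts are available on security administrator's tenant" is missing "the".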
It's recommended to check the installation and configuration of Defender for End
The key parameters recommended for SAP applications are: - healthy = true-- release_ring = Production. Pre-release and insider rings shouldn't be used with SAP Applications.-- real_time_protection_enabled = false. Real-time protection is off in passive mode which is the default mode and will prevent real-time IO interception.
+- release_ring = Production. Prerelease and insider rings shouldn't be used with SAP Applications.
+- real_time_protection_enabled = false. Real-time protection is off in passive mode, which is the default mode and prevents real-time IO interception.
- automatic_definition_update_enabled = true-- definition_status = ΓÇ£up_to_dateΓÇ¥. Run a manual update if a new value is identified.-- edr_early_preview_enabled = ΓÇ£disabledΓÇ¥. If enabled on SAP systems it might lead to system instability.
+- definition_status = "up_to_date". Run a manual update if a new value is identified.
+- edr_early_preview_enabled = "disabled". If enabled on SAP systems it might lead to system instability.
- conflicting_applications = [ ]. Other AV or security software installed on a VM such as Clam.-- supplementary_events_subsystem = "ebpf". Do not proceed if ebpf is not displayed. Contact the security admin team.
+- supplementary_events_subsystem = "ebpf". Don't proceed if ebpf isn't displayed. Contact the security admin team.
This article has some useful hints on troubleshooting installation issues for Microsoft Defender for Endpoint:
-[Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux | Microsoft Docs](linux-support-install.md#installation-failed)
+[Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](linux-support-install.md#installation-failed)
-## Recommended Microsoft Defender for Endpoint AntiVirus Exclusions for SAP on Linux
+## Recommended Microsoft Defender for Endpoint Antivirus Exclusions for SAP on Linux
-Enterprise Security Team must obtain a full list of AV exclusions from the SAP Administrators (typically the SAP Basis Team).
+Enterprise Security Team must obtain a full list of antivirus exclusions from the SAP Administrators (typically the SAP Basis Team).
It's recommended to initially exclude: - DBMS data files, log files and temp files, including disks containing backup files
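Review bot: the parameter list quotes some values and not others (release_ring = Production, but definition_status = "up_to_date" and edr_early_preview_enabled = "disabled"); these all come from the same health output, so format them the same way. "Run a manual update if a new value is identified" is ambiguous; say "if any value other than up_to_date is reported", which is the condition a Basis admin actually has to act on. In the untouched "conflicting_applications" line, "Clam" should be "ClamAV".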
It's recommended to initially exclude:
- The entire contents of the SAPLOC directory - The entire contents of the TRANS directory - The entire contents of directories for standalone engines such as TREX-- Hana ΓÇô exclude /hana/shared, /hana/data and /hana/log - see Note 1730930
+- Hana ΓÇô exclude /hana/shared, /hana/data, and /hana/log - see Note 1730930
- SQL Server ΓÇô [Configure antivirus software to work with SQL Server - SQL Server | Microsoft Learn](/troubleshoot/sql/database-engine/security/antivirus-and-sql-server) - Oracle ΓÇô See How To Configure Anti-Virus On Oracle Database Server (Doc ID 782354.1) - DB2 ΓÇô [https://www.ibm.com/support/pages/which-db2-directories-exclude-linux-anti-virus-software](https://www.ibm.com/support/pages/which-db2-directories-exclude-linux-anti-virus-software)
The recommended configuration for SAP applications disables real-time intercepti
The following link details how to schedule a scan: [How to schedule scans with Microsoft Defender for Endpoint (Linux) | Microsoft Learn](linux-schedule-scan-mde.md).
-Large SAP systems might have more than 20 SAP application servers each with a connection to the SAPMNT NFS share. Twenty or more application servers simultaneously scanning the same NFS server will likely overload the NFS server. By default Microsoft Defender for Endpoint for Linux won't scan NFS sources.
+Large SAP systems might have more than 20 SAP application servers each with a connection to the SAPMNT NFS share. Twenty or more application servers simultaneously scanning the same NFS server will likely overload the NFS server. By default, Defender for Endpoint on Linux doesn't scan NFS sources.
If there's a requirement to scan SAPMNT then this scan should be configured on one or two VMs only.
Scheduled scans for SAP ECC, BW, CRM, SCM, Solution Manager, and other component
## Useful Commands
-If, during manual zypper installation on Suse an error ΓÇ£Nothing provides ΓÇÿpolicycoreutilsΓÇÖΓÇ¥ occurs, refer to:
+If, during manual zypper installation on Suse an error "Nothing provides 'policycoreutils'" occurs, refer to:
[Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](linux-support-install.md).
-There are several command-line commands that can control the operation of mdatp. To enable the passive mode you can use the following command:
+There are several command-line commands that can control the operation of mdatp. To enable passive mode, you can use the following command:
```bash mdatp config passive-mode --value enabled
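Review bot: `mdatp config passive-mode --value enabled` changes a protected setting and has to run as root, so the example should read `sudo mdatp config passive-mode --value enabled`; the `yum update mdatp` shown later likewise needs elevation. Because this switch turns off real-time protection (as the passive-mode bullets earlier in the page state), follow the command with the check that confirms it took effect, for example `mdatp health` with real_time_protection_enabled reading false, matching the parameter list above, so the Basis team can verify the mode before scheduling scans. Also "several command-line commands" is redundant; "several mdatp subcommands" reads better.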
This command tests whether mdatp can connect to the cloud-based endpoints via th
mdatp connectivity test ```
-These commands updates the mdatp software if needed:
+These commands update the mdatp software, if needed:
```bash yum update mdatp
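Review bot: "update the mdatp software, if needed" has a stray comma. The rewritten sentence says "These commands" (plural) while the hunk shows only `yum update mdatp`; since the top of the page lists SUSE as a supported platform, make sure the zypper equivalent is present under the same lead-in, or make the sentence singular. Both package-manager commands need root.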
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
In general you need to take the following steps:
- SUSE Linux Enterprise Server 12 or higher - Oracle Linux 7.2 or higher - Oracle Linux 8.x
+ - Oracle Linux 9.x
- Amazon Linux 2 - Amazon Linux 2023 - Fedora 33 or higher - Rocky 8.7 and higher
- - Alma 9.2 and higher
+ - Alma 8.4 and higher
- Mariner 2 > [!NOTE]
In general you need to take the following steps:
- List of supported kernel versions > [!NOTE]
- > Microsoft Defender for Endpoint on Red Hat Enterprise Linux and CentOS - 6.7 to 6.10 is a Kernel based solution. You must verify that the kernel version is supported before updating to a newer kernel version. See the list below for the list of supported kernels.
- > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or above 3.10.0-327.
+ > Microsoft Defender for Endpoint on Red Hat Enterprise Linux and CentOS - 6.7 to 6.10 is a Kernel based solution. You must verify that the kernel version is supported before updating to a newer kernel version.
+ > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or greater than 3.10.0-327.
- The `fanotify` kernel option must be enabled - Red Hat Enterprise Linux 6 and CentOS 6:
In general you need to take the following steps:
> [!NOTE] > Please make sure that you have free disk space in /var. -- Below is the list of supported filesystems for RTP, Quick, Full and Custom Scan.
+- List of supported filesystems for RTP, Quick, Full and Custom Scan.
|RTP, Quick, Full Scan| Custom Scan| |||
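Review bot: lowering the AlmaLinux minimum from "9.2 and higher" to "8.4 and higher" widens the support statement, and the list has no separate Alma 9.x row, so a reader can't tell whether 9.x is still covered; if 8.4+ is meant to include 9.x, say so, and cite the release note this corresponds to. In the rewritten note, "With a minimal requirement for the kernel version to be at or greater than 3.10.0-327" is a sentence fragment; join it to the preceding sentence ("... is kernel-version-agnostic, with a minimum kernel version of 3.10.0-327"). "Kernel based solution" should be hyphenated.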
security Migration Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migration-guides.md
Title: Migration and setup guides to move to Microsoft Defender for Endpoint description: Learn how to make the switch from a non-Microsoft Defender XDR solution to Microsoft Defender for Endpoint---+++ audience: ITPro
If you're considering moving to Defender for Endpoint, we have guidance to help.
|You don't have an endpoint protection solution in place yet, and you want to know more about Defender for Endpoint. You want to see how Defender for Endpoint works before rolling it out in your environment.|[Microsoft Defender for Endpoint evaluation lab](evaluation-lab.md)| |You already have Defender for Endpoint, and you want some help getting everything set up and configured.|[Microsoft Defender for Endpoint deployment guide](deployment-phases.md)| |You're planning to switch from a non-Microsoft endpoint protection solution to Defender for Endpoint, which includes Microsoft Defender Antivirus. You want to get an overview of the migration process and how to make the switch.|[Make the switch to Microsoft Defender for Endpoint](switch-to-mde-overview.md)|
-|You've already migrated or onboarded to Defender for Endpoint. You want some help with next steps, such as managing your security settings, configuring more features, or fine-tuning your security policies.|[Manage Microsoft Defender for Endpoint, post-migration](manage-mde-post-migration.md)|
+|You've already migrated or onboarded to Defender for Endpoint. You want some help with next steps, such as managing your security settings, configuring more features, or fine-tuning your security policies.| [Configure general Defender for Endpoint settings](preferences-setup.md) |
| You were previously using Microsoft Defender for Endpoint Server, and now you're moving your servers to Microsoft Defender for Cloud. | [Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud](migrating-mde-server-to-cloud.md) |
Let us know what you think! Submit your feedback at the bottom of the page. We'l
- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) - [Microsoft 365 Business Premium](../../business-premium/m365bp-overview.md) - [Microsoft Defender for Business](../defender-business/mdb-overview.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
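Review bot: the row description still promises help with "managing your security settings, configuring more features, or fine-tuning your security policies", but the link now goes to preferences-setup.md ("Configure general Defender for Endpoint settings") instead of the deleted post-migration hub. Either confirm that page covers the Intune, Configuration Manager and Group Policy management paths the old hub listed, or trim the description to what the new target actually offers.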
security Switch To Mde Phase 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md
To learn more, see [Device inventory](machines-view-overview.md).
**Congratulations**! You have completed your [migration to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)! -- [Manage Defender for Endpoint, post migration](manage-mde-post-migration.md).
+- [Configure your Defender for Endpoint settings](preferences-setup.md).
+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
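Review bot: the new bullet is labelled "Configure your Defender for Endpoint settings" while migration-guides.md in this same change links the same target as "Configure general Defender for Endpoint settings"; use the target page's title in both places so the link text is consistent.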
syntex Content Assembly Map Fields https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-assembly-map-fields.md
audience: admin Previously updated : 03/14/2023 Last updated : 02/21/2024
syntex Create A Classifier https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/create-a-classifier.md
Previously updated : 03/14/2023 Last updated : 02/21/2024 audience: admin
syntex Create An Extractor https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/create-an-extractor.md
Previously updated : 03/02/2023 Last updated : 02/21/2024 audience: admin
syntex Discover Other Trained Models https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/discover-other-trained-models.md
Previously updated : 03/02/2023 Last updated : 02/21/2024 audience: admin
syntex Document Understanding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/document-understanding-overview.md
Previously updated : 07/12/2022 Last updated : 01/16/2024 audience: admin
syntex Model Usage Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/model-usage-analytics.md
Previously updated : 12/15/2023 Last updated : 02/21/2024 audience: admin
syntex Site Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/site-templates.md
audience: admin Previously updated : 04/03/2023 Last updated : 02/21/2024 search.appverid:
syntex Solution Manage Contracts In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/solution-manage-contracts-in-microsoft-365.md
audience: admin Previously updated : 12/15/2023 Last updated : 02/14/2024 - m365solution-managecontracts
This article describes how to create a contracts management solution for your or
The first step in planning your contract management system is to understand the problem you're trying to solve. For this solution, four key issues need to be addressed: -- **Identify contracts**. Your organization works with many documents, such as invoices, contracts, statements of work, and so on. Some are digital assets sent through email, and some are paper assets sent through traditional mail. You need a way to identify all customer contracts from all other documents, and then classifying them as such.
+- **Identify contracts**. Your organization works with many documents, such as invoices, contracts, statements of work, and so on. Some are digital assets sent through email, and some are paper assets sent through traditional mail. You need a way to identify all customer contracts from all other documents, and then classifying them as such.
-- **Track the history of contract approvals**. Your organization needs a reliable way to find whether contracts have been either approved or rejected, and whether payment has been processed.
+- **Track the history of contract approvals**. Your organization needs a reliable way to find whether contracts have been either approved or rejected, and whether payment has been processed.
- **Site to manage contract approvals**. Your organization needs to set up a collaborative site in which all required stakeholders can easily review contracts. Stakeholders should be able to review the whole contract if needed, but mostly care about seeing several key fields from each contract (for example, customer name, PO number, and total cost). Stakeholders should be able to easily approve or reject incoming contracts. -- **Route reviewed contracts**. Approved and rejected contracts need to be routed through a specific workflow. Approved contracts need to be routed to a third-party application for payment processing. Rejected contracts need to be routed for additional review.
+- **Route reviewed contracts**. Approved and rejected contracts need to be routed through a specific workflow. Approved contracts need to be routed to a partner application for payment processing. Rejected contracts need to be routed for additional review.
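Review bot: the re-added "Identify contracts" bullet carries over the grammar error from the removed line: "You need a way to identify all customer contracts from all other documents, and then classifying them as such" should read "and then classify them as such", so both verbs are parallel with "to identify". Since the `-`/`+` pairs for "Identify contracts" and "Track the history of contract approvals" are otherwise identical, this is the place to fix it. The change from "third-party application" to "partner application" in the "Route reviewed contracts" bullet should be applied consistently wherever the solution's payment-processing step is described.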
## Overview of the solution
This solution relies on the following functionality, all available as part of a
New to Microsoft Syntex? Learn how to use Syntex to manage content using AI.
-The [Introduction to Microsoft Syntex](/training/modules/syntex-intro) learning path will teach how you can use unstructured, freeform, and unstructured document processing models to classify documents, extract text, and label your documents for quick and easy knowledge management.
+The [Introduction to Microsoft Syntex](/training/modules/syntex-intro) learning path teaches how you can use unstructured, freeform, and unstructured document processing models to classify documents, extract text, and label your documents for quick and easy knowledge management.
## Create the solution
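Review bot: the `+` line still names "unstructured" twice ("unstructured, freeform, and unstructured document processing models"); the first occurrence is presumably meant to be "structured", so the sentence should list structured, freeform, and unstructured models. While touching the line, "teaches how you can use" reads better as "teaches you how to use".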
syntex Solution Manage Contracts Step1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/solution-manage-contracts-step1.md
audience: admin Previously updated : 12/15/2023 Last updated : 02/14/2024 search.appverid: ms.localizationpriority: medium
syntex Solution Manage Contracts Step2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/solution-manage-contracts-step2.md
audience: admin Previously updated : 12/15/2023 Last updated : 02/14/2024 search.appverid: ms.localizationpriority: medium
syntex Solution Manage Contracts Step3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/solution-manage-contracts-step3.md
audience: admin Previously updated : 12/15/2023 Last updated : 02/14/2024 search.appverid: ms.localizationpriority: medium
syntex Train Freeform Document Processing Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/train-freeform-document-processing-model.md
Previously updated : 03/12/2023 Last updated : 02/21/2024 audience: admin
- m365initiative-syntex ms.localizationpriority: medium+ description: Learn how to train a freeform document processing model in Microsoft Syntex.