Updates from: 02/28/2024 06:19:49
Category Microsoft Docs article Related commit history on GitHub Change details
microsoft-365-copilot-enable-users Microsoft 365 Copilot Enable Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-enable-users.md
You can also manage licenses from the Copilot page in the Microsoft 365 admin ce
Once you've assigned licenses, the Copilot experience will automatically appear for users in Microsoft 365 Apps. In some experiences, like Word, a Copilot dialog will appear when creating a new document. In other experiences, Copilot is quickly accessible on the Ribbon. - >[!NOTE] >For Education customers, the Copilot license is listed under **Microsoft 365 A3 Extra Features for faculty** or **Microsoft 365 A5 Extra Features for faculty**.
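Review bot: the removed NOTE at the end of this hunk (Education customers: the Copilot licence is listed under **Microsoft 365 A3 Extra Features for faculty** or **Microsoft 365 A5 Extra Features for faculty**) was the only pointer telling Education admins which licence name to look for when assigning; if that guidance now lives elsewhere, link to it from the "Once you've assigned licenses" paragraph, otherwise keep the note.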
admin Microsoft 365 Copilot Usage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md
You can see the following summary charts in this report as default view:
The definitions for Enabled Users and Active Users metrics are the same as provided earlier.
+To note, Active users of Word, Excel and PowerPoint is incomplete prior to Jan 25, 2024. Active users of Outlook might be lower than expected if there are people in your organization using the Coach feature on Outlook Win32 over the selected time period. We are currently working on integrating this data into our reports and will notify you as soon as it becomes available.
+ >[!NOTE] > This report does not yet include Microsoft Copilot with Graph-grounded chat usage, but it will be available in this report soon. You'll be notified of this update through the Microsoft 365 message center.
Select **Choose columns** to add or remove columns from the table.
:::image type="content" alt-text="Screenshot showing the columns you can select for the Microsoft 365 Copilot usage report." source="../../media/copilot-usage-choose-columns.png":::
+>[!NOTE]
+> All up last activity date and last activity date per app are reflecting different narratives now. All up last activity date is reflecting the historical last activity date no matter what period is selected on the page, while last activity date per app is reflecting the last activity date within the selected time period; hence, if there is no activity in selected time period, the last activity date per app will be empty. We are planning to make them consistent to reflect the historical last activity date narrative and will provide update once itΓÇÖs done.
+ You can also export the report data into an Excel .csv file by selecting the Export link. This exports the Copilot for Microsoft 365 usage data of all users and enables you to do simple sorting, filtering, and searching for further analysis.
-To ensure data quality, we perform daily data validation checks for the past three days and will fill any gaps detected. You may notice differences in historical data during the process.
+To ensure data quality, we perform daily data validation checks for the past three days and will fill any gaps detected. You may notice differences in historical data during the process.
## User last activity table
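Review bot: the removed and added data-quality lines ("To ensure data quality, we perform daily data validation checks for the past three days...") read identically here, so that part of the hunk is a whitespace-only change; drop it or confirm it is intentional. The new NOTE on last activity dates is one long sentence defining two different columns; split it into two bullets ("All up last activity date: historical, independent of the selected period" and "Last activity date per app: within the selected period, empty if no activity") so the empty-cell case is easy to find, and replace the mojibake in "itΓÇÖs" with a straight apostrophe. Two smaller points in the earlier caveat: "Active users of Word, Excel and PowerPoint is incomplete" should be "are incomplete", and the NOTE saying Graph-grounded chat usage "will be available in this report soon" should state that chat activity is currently excluded from the Active Users metric, so admins don't read low numbers as a rollout problem.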
admin Change User Profile Photos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/change-user-profile-photos.md
f1.keywords:
- NOCSH -+ Last updated 9/29/2023 audience: Admin
If the user has no photo, the commands return the error: `Exception of type 'Mic
Remove-MgUserPhoto -UserId albertas@contoso.onmicrosoft.com ```
- For detailed syntax and parameter information, see [Remove-MgUserPhoto](/powershell/module/microsoft.graph.users/remove-mguserphoto).
+ For detailed syntax and parameter information, see [Remove-MgUserPhoto](/powershell/module/exchange/remove-userphoto).
- **Microsoft 365 Groups**:
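Review bot: the new link target in this hunk doesn't match the cmdlet it documents: the link text reads Remove-MgUserPhoto (a Microsoft Graph PowerShell cmdlet, as the `Remove-MgUserPhoto -UserId ...` sample above shows) but now points to `/powershell/module/exchange/remove-userphoto`, which is the Exchange Online Remove-UserPhoto cmdlet with a different parameter set; restore the `/powershell/module/microsoft.graph.users/remove-mguserphoto` target, or change both the sample and the text to the Exchange cmdlet.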
If the user has no photo, the commands return the error: `Exception of type 'Mic
Remove-MgGroupPhoto -GroupId 173cd812-5563-439c-9da4-bc2715fa2aee ```
- For detailed syntax and parameter information, see [Remove-MgGroupPhoto](/powershell/module/microsoft.graph.groups/remove-mggroupphoto).
+ For detailed syntax and parameter information, see [Remove-MgGroupPhoto](/powershell/module/exchange/remove-userphoto).
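Review bot: same mismatch for the group case, and worse: the Remove-MgGroupPhoto link now points at `/powershell/module/exchange/remove-userphoto`, which documents a user-photo cmdlet, not a group-photo one, so an admin following it will not find `-GroupId` as used in the `Remove-MgGroupPhoto -GroupId ...` sample; point it back to `/powershell/module/microsoft.graph.groups/remove-mggroupphoto`.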
enterprise Administering Exchange Online Multi Geo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/administering-exchange-online-multi-geo.md
Last updated 6/29/2023 -+ audience: ITPro
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
Previously updated : 12/05/2023 Last updated : 02/27/2024 ms.audience: ITPro
Detailed lab guides take you through multiple deployment and management scenario
> [!NOTE]
-> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before February 20, 2024.
+> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before May 5, 2024.
## Additional guidance
enterprise Multi Geo Capabilities In Exchange Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-capabilities-in-exchange-online.md
Last updated 6/20/2023 -+ audience: ITPro
loop Loop Components Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-components-configuration.md
There are several IT Admin settings provided to enable the Loop component experi
|Scenario |Policies Configured | |||
-|Enable Loop components everywhere | **Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $true` |
-|Enable Loop components everywhere, but Disable integration in Communication app (Outlook, Teams) | **Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>**Create and view Loop files in Outlook** = Disabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $false` |
+|Enable Loop components everywhere | **Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $true`, `Set-SPOTenant -IsCollabMeetingNotesFluidEnabled $true` |
+|Enable Loop components everywhere, but Disable integration in Communication app (Outlook, Teams) | **Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>**Create and view Loop files in Outlook** = Disabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $false`, `Set-SPOTenant -IsCollabMeetingNotesFluidEnabled $false` |
+|Disable Loop components everywhere | **Create and view Loop files in Microsoft apps that support Loop** = Disabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $false`, `Set-SPOTenant -IsCollabMeetingNotesFluidEnabled $false` |
## User experience expectations when admin settings are configured
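Review bot: the Teams-only cell in each updated row lists two separate invocations of the same cmdlet; they can be one call (`Set-SPOTenant -IsLoopEnabled $false -IsCollabMeetingNotesFluidEnabled $false`), which also avoids a window in which one setting has been applied and the other has not. More importantly, the table doesn't say which Teams surface each parameter governs; the parameter names suggest two different experiences (Loop components versus collaborative meeting notes), so add a sentence or footnote stating which is which, so an admin who wants Loop off in Teams understands why the new "Disable Loop components everywhere" row requires both to be `$false`.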
The Loop experiences (except for Microsoft Teams) check the following [Cloud Pol
1. From the **Choose the scope** dropdown list, choose either **All users** or select the group for which you want to apply the policy. For more information, See [Microsoft 365 Groups for Cloud Policy](#microsoft-365-groups-for-cloud-policy). 1. In **Configure Settings**, choose one of the following settings: - For **Create and view Loop files in Microsoft apps that support Loop**:
+ - recall:
+ - this setting applies to:
+ - Outlook integration
+ - Word for the web integration
+ - Whiteboard integration
+ - this setting does **NOT** apply to:
+ - Loop workspaces (see [Manage Loop workspaces in SharePoint Embedded](/microsoft-365/loop/loop-workspaces-configuration))
+ - Teams integration (see [Settings management for Loop components in Teams](#settings-management-for-loop-functionality-in-teams))
- **Enabled**: Loop experience is available to the users. - **Disabled**: Loop experience isn't available to the users.
- - **Not configured**: Loop experience is available to the users.
+ - **Not configured**: Loop experience is available to the users.
- For **Create and view Loop files in Outlook**: - **Enabled**: Loop experience is available to the users. - **Disabled**: Loop experience isn't available to the users.
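Review bot: the added "recall:" bullet reads as a fragment; make it a sentence ("Before choosing, recall that this setting applies to ..."). The removed and added "**Not configured**" lines are identical in content, so that part of the hunk is whitespace-only. From a least-privilege angle the "does **NOT** apply to" list is the key fact in this hunk: an admin who sets this policy to Disabled still has Loop workspaces and the Teams integration enabled unless they follow the two linked pages, so consider promoting that list to a NOTE callout rather than a third-level bullet, where it is easy to miss.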
The Loop experiences (except for Microsoft Teams) check the following [Cloud Pol
1. Save the policy configuration. 1. Reassign priority for any security group, if required. (If two or more policy configurations are applicable to the same set of users, the one with the higher priority is applied.)
-In case you create a new policy configuration or change the configuration for an existing policy, there will be a delay in the change being reflected as described below:
+In case you create a new policy configuration or change the configuration for an existing policy, there can be a delay in the change being reflected as described below:
- If there were existing policy configurations prior to the change, then it will take 90 mins for the change to be reflected. - If there were no policy configurations prior to the change, then it will take 24 hours for the change to be reflected.
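Review bot: softening "there will be a delay" to "there can be a delay" in the intro conflicts with the bullets that follow, which still state definite times ("it will take 90 mins" / "it will take 24 hours"); either hedge the bullets too ("up to 90 mins") or keep the intro definite. The new Loop data integrations page in this same update uses "there's a delay" for the identical paragraph, so keep the two consistent.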
loop Loop Data Integrations Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/loop/loop-data-integrations-configuration.md
+ Last updated : 02/22/2024
+ Title: "Configuring external data integrations for Loop experiences"
++++
+recommendations: true
+audience: Admin
+f1.keywords:
+- NOCSH
+
+ms.localizationpriority: medium
++
+- Strat_SP_admin
+- Microsoft 365-collaboration
+- Tier3
+- essentials-compliance
+search.appverid:
+- SPO160
+- MET150
+description: "Learn about how to configure external data integrations for Loop experiences."
++
+# Configuring external data integrations for Loop experiences
+
+Microsoft enabled Jira, Trello, and GitHub integration experiences within [Microsoft Loop](https://www.microsoft.com/en-us/microsoft-loop). Tenant admins can use Cloud Policy to configure the data integration features. Tenant admins can Enable, Disable, or Not Configure various policy settings to control these integrations. The data integration policies are:
+
+- **Import, view, and edit, items from apps integrated with Loop**
+ - This is the primary policy to control all specific data integration policies. To configure a specific data integration differently than the primary setting, use one of the specific policies.
+- **Import, view, and edit, GitHub items from Loop**
+- **Import, view, and edit, Jira issues from Loop**
+- **Import, view, and edit, Trello boards from Loop**
+
+## User experience expectations when admin settings are configured
+
+When data integrations are Enabled, data from external sources synchronize into the Loop data file. Integration options appear in the Discover '/' menu. Integrations synchronize data when the user views or edits the Loop component in apps that support Loop such as Teams, Outlook, Loop app, etc.
+
+When data integrations are Disabled, data from these disabled external sources don't synchronize. No connections to these external sources can be established. All existing data stops synchronizing, and becomes read-only everywhere. The integration options still appear in the Discover '/' menu but users cannot activate or create new external data integrations.
+
+## Example policy configurations and user experience result
+
+|Primary Policy|Primary State|Specific Policy|Specific State|End User Outcome|
+|--|--|--|--|--|
+|Import, view, and edit, items from apps integrated with Loop|Not Configured|Import, view, and edit, **GitHub** items from Loop|Not Configured|✅Enabled for all data integrations|
+|Import, view, and edit, items from apps integrated with Loop|Not Configured|Import, view, and edit, **GitHub** items from Loop|✅Enabled|✅Enabled for all data integrations|
+|Import, view, and edit, items from apps integrated with Loop|Not Configured|Import, view, and edit, **GitHub** items from Loop|🚫Disabled|✅Enabled for all data integrations EXCEPT<br/>🚫Disabled for GitHub|
+|Import, view, and edit, items from apps integrated with Loop|✅Enabled|Import, view, and edit, **GitHub** items from Loop|Not Configured|✅Enabled for all data integrations|
+|Import, view, and edit, items from apps integrated with Loop|✅Enabled|Import, view, and edit, **GitHub** items from Loop|✅Enabled|✅Enabled for all data integrations|
+|Import, view, and edit, items from apps integrated with Loop|✅Enabled|Import, view, and edit, **GitHub** items from Loop|🚫Disabled|✅Enabled for all data integrations EXCEPT<br/>🚫Disabled for GitHub|
+|Import, view, and edit, items from apps integrated with Loop|🚫Disabled|Import, view, and edit, **GitHub** items from Loop|Not Configured|🚫Disabled for all data integrations|
+|Import, view, and edit, items from apps integrated with Loop|🚫Disabled|Import, view, and edit, **GitHub** items from Loop|✅Enabled|🚫Disabled for all data integrations|
+|Import, view, and edit, items from apps integrated with Loop|🚫Disabled|Import, view, and edit, **GitHub** items from Loop|🚫Disabled|🚫Disabled for all data integrations|
++
+## Settings management in Cloud Policy
+
+The Loop experiences check the following [Cloud Policy](/deployoffice/admincenter/overview-cloud-policy) settings:
+
+- **Import, view, and edit, items from apps integrated with Loop**
+ - This is the primary policy to control all specific data integration policies. To configure a specific data integration differently than the primary setting, use one of the specific policies.
+- **Import, view, and edit, GitHub items from Loop**
+- **Import, view, and edit, Jira issues from Loop**
+- **Import, view, and edit, Trello boards from Loop**
++
+1. Sign in to https://config.office.com/ with your Microsoft 365 admin credentials.
+1. Select **Customization** from the left pane.
+1. Select **Policy Management**.
+1. Create a new policy configuration or edit an existing one.
+1. From the **Choose the scope** dropdown list, choose either **All users**, or select the group for which you want to apply the policy. For more information, See [Microsoft 365 Groups for Cloud Policy](/microsoft-365/loop/loop-components-configuration#microsoft-365-groups-for-cloud-policy).
+1. In **Configure Settings**, choose one of the following settings:
+ - For **Import, view, and edit, items from apps integrated with Loop**:
+ - first, recall:
+ - This is the primary policy to control all specific data integration policies. To configure a specific data integration differently than the primary setting, use one of the specific policies.
+ - **Enabled**: All external data integrations in Loop are available to the users.
+ - **Disabled**: All external data integrations in Loop aren't available to the users.
+ - **Not configured**: All external data integrations in Loop are available to the users.
+ - For **Import, view, and edit, GitHub items from Loop**:
+ - **Enabled**: GitHub data integrations in Loop are available to the users.
+ - **Disabled**: GitHub data integrations in Loop aren't available to the users.
+ - **Not configured**: GitHub data integrations in Loop are available to the users.
+ - For **Import, view, and edit, Jira issues from Loop**:
+ - **Enabled**: Jira data integrations in Loop are available to the users.
+ - **Disabled**: Jira data integrations in Loop aren't available to the users.
+ - **Not configured**: Jira data integrations in Loop are available to the users.
+ - For **Import, view, and edit, Trello boards from Loop**:
+ - **Enabled**: Trello data integrations in Loop are available to the users.
+ - **Disabled**: Trello data integrations in Loop aren't available to the users.
+ - **Not configured**: Trello data integrations in Loop are available to the users.
+1. Save the policy configuration.
+1. Reassign priority for any security group, if necessary. (If two or more policy configurations are applicable to the same set of users, the one with the higher priority is applied.)
+
+In case you create a new policy configuration or change the configuration for an existing policy, there's a delay in the change being reflected:
+- If there were existing policy configurations before the change, then it will take 90 mins for the change to be reflected.
+- If there were no policy configurations before to the change, then it will take 24 hours for the change to be reflected.
++
+## Related topics
+
+- [Use Trello with Loop - Microsoft Support](https://support.microsoft.com/office/use-trello-with-loop-cd889fc9-bcf4-43f1-af70-36558dd1e0b0)
+- [Use Jira with Loop - Microsoft Support](https://support.microsoft.com/office/use-jira-with-loop-68e2ccce-5741-4b6d-a1fa-30a5df2e0479)
+- [Use GitHub with Loop - Microsoft Support](https://support.microsoft.com/office/use-github-with-loop-5a4d95d5-3c59-4de8-a208-c9c8ab05a4fb)
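Review bot: the most important fact for an admin assessing data flow is buried in the step list: every policy's **Not configured** state (the default) makes the integration available, so unless the primary policy is explicitly set to Disabled, Jira, Trello and GitHub data synchronizes into Loop files. State that default-on behaviour up front in "User experience expectations when admin settings are configured". In the same section, the policy names say "Import, view, and edit", but the Enabled paragraph only describes data synchronizing from the external source into the Loop data file; say whether edits made in Loop are written back to GitHub, Jira or Trello, since that direction is what a data-handling review needs. Smaller points: "before to the change" in the delay bullets should be "before the change"; "See" mid-sentence in the scope step should be lowercase; and the front matter has a stray "++++" line and blank lines where the remaining metadata keys presumably were.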
security Amsi On Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/amsi-on-mdav.md
+
+ Title: "Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus"
+description: Describes fileless malware and how Microsoft Defender Antivirus uses AMSI to protect against hidden threats.
+++ Last updated : 02/27/2024 +++
+ms.localizationpriority:
+++
+search.appverid: MET150
+f1.keywords:
+audience:
+ai-usage:
+- ai-assisted
++
+# Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus
+
+__Applies to:__
+
+- Microsoft Defender XDR
+- Microsoft Defender Antivirus
+- Microsoft Defender for Endpoint P1 & P2
+- Microsoft Defender for Business
+- Microsoft Defender for Individuals
++
+__Platforms__
+- Windows 10 and newer
+- Windows Server 2016 and newer
++
+Microsoft Defender for Endpoint utilizes the anti-malware Scan Interface (AMSI) to enhance protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats. This article describes the benefits of AMSI integration, the types of scripting languages it supports, and how to enable AMSI for improved security.
+
+## What is Fileless malware?
+Fileless malware plays a critical role in modern cyberattacks, using stealthy techniques to avoid detection. Several major ransomware outbreaks used fileless methods as part of their kill chains.
+
+Fileless malware uses existing tools that are already present on a compromised device, such as PowerShell.exe or wmic.exe. Malware can infiltrate a process, executing code within its memory space, and invoking these built-in tools. Attackers significantly reduce their footprint and evade traditional detection mechanisms.
+
+Because memory is volatile, and fileless malware doesn't place files on disk, establishing persistence by using fileless malware can be tricky. One example of how fileless malware achieved persistence was to create a registry run key that launches a ΓÇ£one-linerΓÇ¥ PowerShell cmdlet. This command launched an obfuscated PowerShell script that was stored in the registry BLOB. The obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry. The script stored in the registry ensured the malware persisted.
+
+Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:
+
+- **Reflective DLL injection** Reflective DLL injection involves the manual loading of malicious DLLs into a process’ memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors like macros and scripts. This results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.
+
+- **Memory exploits** Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, which lives entirely in the kernel’s memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.
+
+- **Script-based techniques** Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shell codes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry, read from network streams, or run manually in the command-line by an attacker, without ever touching the disk.
+
+> [!NOTE]
+> Do not disable PowerShell as a means to block fileless malware. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell.
+
+- **WMI persistence** Some attackers use the Windows Management Instrumentation (WMI) repository to store malicious scripts that are then invoked periodically using WMI bindings.
+
+Microsoft Defender Antivirus blocks most malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Microsoft Defender Antivirus protects against fileless malware through these capabilities:
+
+- Detecting script-based techniques by using AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation
+- Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed
+- Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring
+
+## Why AMSI?
+
+AMSI provides a deeper level of inspection for malicious software that employs obfuscation and evasion techniques on Windows' built-in scripting hosts. By integrating AMSI, Microsoft Defender for Endpoint offers extra layers of protection against advanced threats.
++
+### Supported Scripting Languages
+- PowerShell
+- Jscript
+- VBScript
+- Windows Script Host (wscript.exe and cscript.exe)
+- .NET Framework 4.8 or newer (scanning of all assemblies)
+- Windows Management Instrumentation (WMI)
+
+If you use Microsoft Office 365, AMSI also supports JavaScript, VBA, and XLM.
+
+AMSI doesn't currently support Python or Perl.
+
+### Enabling AMSI
+To enable AMSI, you need to enable Script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+
+Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender)
+
+### AMSI resources
+[Anti-malware Scan Interface (AMSI) APIs](/windows/win32/amsi/antimalware-scan-interface-portal) are available for developers and antivirus vendors to implement.
+
+Other Microsoft products such as [Exchange](https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371) and [Sharepoint](https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/cyberattack-protection-by-default-and-other-enhancements-to/ba-p/3925641) also use AMSI
+integration.
+
+## More resources to protect against fileless attacks
+
+- [Windows Defender Application Control and AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview). Enforces strong code Integrity policies and to allow only trusted applications to run. In the context of fileless malware, WDAC locks down PowerShell to Constrained Language Mode, which limits the extended language features that can lead to unverifiable code execution, such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects. This essentially mitigates PowerShell-based reflective DLL injection attacks.
+
+- [Attack surface reduction](overview-attack-surface-reduction.md) helps admins protect against common attack vectors.
+
+- [Enable virtualization-based protection of code integrity](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity). Mitigates kernel-memory exploits through Hypervisor Code Integrity (HVCI), which makes it difficult to inject malicious code using kernel-mode software vulnerabilities.
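Review bot: the NOTE about not disabling PowerShell sits between two items of the fileless-techniques list (after "Script-based techniques", before "WMI persistence"), which breaks the list when rendered; move it after the "WMI persistence" item. The front matter has keys with no value (`ms.localizationpriority:`, `f1.keywords:`, `audience:`) and stray "+++" separators; fill or remove them before merge. Casing and spelling: "anti-malware Scan Interface" in the intro versus "Anti-malware Scan Interface" in the title, "Jscript" should be "JScript", "Sharepoint" should be "SharePoint", and the curly quotes around "one-liner" render as mojibake, so use straight quotes. Finally, "To enable AMSI, you need to enable Script scanning" is the only actionable step in the article and lacks a trailing period; naming the corresponding setting in the Defender policy CSP page you link to would make the step self-contained instead of a bare link-out.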
security Attack Surface Reduction Rules Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md
- m365-security - tier2 - mde-asr Previously updated : 02/02/2024 Last updated : 02/23/2024 search.appverid: met150
This article provides information about Microsoft Defender for Endpoint attack s
- [ASR rule modes](#asr-rule-modes) - [Per-rule-descriptions](#per-rule-descriptions) + ## Attack surface reduction rules by type Attack surface reduction rules are categorized as one of two types:
Attack surface reduction rules are categorized as one of two types:
For the easiest method to enable the standard protection rules, see: [Simplified standard protection option](attack-surface-reduction-rules-report.md#simplified-standard-protection-option). | ASR rule name: | Standard protection rule? | Other rule? |
-|:|:|:|
+||||
| Block abuse of exploited vulnerable signed drivers| Yes | | | Block Adobe Reader from creating child processes | | Yes | | Block all Office applications from creating child processes | | Yes |
For the easiest method to enable the standard protection rules, see: [Simplified
| Block Office communication application from creating child processes | | Yes | | Block persistence through WMI event subscription | Yes | | | Block process creations originating from PSExec and WMI commands | | Yes |
+| Block rebooting machine in Safe Mode (preview) | | Yes |
| Block untrusted and unsigned processes that run from USB | | Yes |
+| Block use of copied or impersonated system tools (preview) | | Yes |
| Block Webshell creation for Servers | | Yes | | Block Win32 API calls from Office macros | | Yes | | Use advanced protection against ransomware | | Yes |
Microsoft Defender Antivirus exclusions apply to some Microsoft Defender for End
The following ASR rules DO NOT honor Microsoft Defender Antivirus exclusions: | ASR rules name: |
-|:|
+||
| [Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | | [Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | | [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) |
The following table lists the supported operating systems for rules that are cur
| [Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | Y | Y | Y | Y | Y | | [Block persistence through Windows Management Instrumentation (WMI) event subscription](#block-persistence-through-wmi-event-subscription) | Y <br> version 1903 (build 18362) or later <sup>[[3](#fn1)]<sup></sup> | Y | Y <br> version 1903 (build 18362) or later | N | Y | | [Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | Y <br> version 1803 or later <sup>[[3](#fn1)]<sup></sup> | Y | Y | Y | Y |
+| [Block rebooting machine in Safe Mode (preview)](#block-rebooting-machine-in-safe-mode-preview) | Y | Y | Y | Y | Y |
| [Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Y | Y | Y | Y | Y |
+| [Block use of copied or impersonated system tools (preview)](#block-use-of-copied-or-impersonated-system-tools-preview) | Y | Y | Y | Y | Y |
| [Block Webshell creation for Servers](#block-webshell-creation-for-servers) | N | Y <br>Exchange Role Only | Y <br>Exchange Role Only | Y <br>Exchange Role Only | N | | [Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | Y | N | N | N | N | | [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Y <br> version 1803 or later <sup>[[3](#fn1)]<sup></sup> | Y | Y | Y | Y |
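Review bot: both new preview rows in this table claim support ("Y") in all five OS columns with no qualifier, while neighbouring rows for established rules carry minimum builds such as "version 1803 or later [3]" or restrictions such as "Exchange Role Only"; confirm the preview rules really have no minimum client or server build and no role restriction, and add the footnote if they do, because admins use this table to decide where a rule can be deployed. Also check that the anchors the new rows link to (`#block-rebooting-machine-in-safe-mode-preview`, `#block-use-of-copied-or-impersonated-system-tools-preview`) match the headings of the per-rule description sections exactly, including the "(preview)" suffix.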
Links to information about configuration management system versions referenced i
|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | Y |Y <br><br> CB 1710 | Y | Y | |[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | Y |Y <br><br> CB 1710 | Y | Y | |[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) |Y | |Y | Y |
-|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | Y | | Y | Y |
-|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Y |Y <br><br> CB 1802 | Y | Y |
-|[Block Webshell creation for Servers](#block-webshell-creation-for-servers) | Y | | Y | Y |
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | Y | | Y | Y |
+|[Block rebooting machine in Safe Mode (preview)](#block-rebooting-machine-in-safe-mode-preview) | Y | | Y | Y |
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Y |Y <br><br> CB 1802 | Y | Y |
+|[Block use of copied or impersonated system tools (preview)](#block-use-of-copied-or-impersonated-system-tools-preview) | Y | | Y | Y |
+|[Block Webshell creation for Servers](#block-webshell-creation-for-servers) | Y | | Y | Y |
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | Y |Y <br><br> CB 1710 | Y | Y | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Y |Y <br><br> CB 1802 | Y | Y |
For rules with the "Rule State" specified:
|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | | N | Y | |[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | Audit&nbsp;\|&nbsp;Block | Y \| Y | N \| Y | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | | N | Y |
+|[Block rebooting machine in Safe Mode (preview)](#block-rebooting-machine-in-safe-mode-preview) | | N | N |
|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Audit&nbsp;\|&nbsp;Block | Y \| Y | N \| Y |
-|[Block Webshell creation for Servers](#block-webshell-creation-for-servers) | | | |
+|[Block use of copied or impersonated system tools (preview)](#block-use-of-copied-or-impersonated-system-tools-preview) | | N | N |
+|[Block Webshell creation for Servers](#block-webshell-creation-for-servers) | | N | N |
|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | | N | Y | |[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Audit&nbsp;\|&nbsp;Block | Y \| Y | N \| Y |
For rules with the "Rule State" specified:
| Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | | Block persistence through WMI event subscription <br>* File and folder exclusions not supported. | e6db77e5-3df2-4cf1-b95a-636979351e5b | | Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c |
+| Block rebooting machine in Safe Mode (preview) | 33ddedf1-c6e0-47cb-833e-de6133960387 |
| Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 |
+| Block use of copied or impersonated system tools (preview) | c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb |
| Block Webshell creation for Servers | a8f5898e-1dc8-49a9-9878-85004b8a61e6 | | Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b | | Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 |
The **Block abuse of exploited vulnerable signed drivers** rule doesn't block a
Intune Name: `Block abuse of exploited vulnerable signed drivers`
+Configuration Manager name: Not yet available
+ GUID: `56a863a9-875e-4185-98a7-b882c64b5ce5` Advanced hunting action type:
Malware that abuses Office as a vector might attempt to break out of Office and
Intune name: `Office apps/macros creating executable content`
-SCCM name: `Block Office applications from creating executable content`
+Configuration Manager name: `Block Office applications from creating executable content`
GUID: `3b576869-a4ec-4529-8536-b80a7769e899`
Advanced hunting action type:
Dependencies: Microsoft Defender Antivirus
+### Block rebooting machine in Safe Mode (preview)
+
+This rule prevents the execution of commands to restart machines in Safe Mode.
+
+Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or simply execute and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting machines in Safe Mode.
+
+> [!NOTE]
+> This capability is currently in preview. Additional upgrades to improve efficacy are under development.
+
+Intune Name: `[PREVIEW] Block rebooting machine in Safe Mode`
+
+Configuration Manager name: Not yet available
+
+GUID: `33ddedf1-c6e0-47cb-833e-de6133960387`
+
+Dependencies: Microsoft Defender Antivirus
+ ### Block untrusted and unsigned processes that run from USB With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
Advanced hunting action type:
Dependencies: Microsoft Defender Antivirus
+### Block use of copied or impersonated system tools (preview)
+
+This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.
+
+Some malicious programs may try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and imposters of the system tools on Windows machines.
+
+> [!NOTE]
+> This capability is currently in preview. Additional upgrades to improve efficacy are under development.
+
+Intune Name: `[PREVIEW] Block use of copied or impersonated system tools`
+
+Configuration Manager name: Not yet available
+
+GUID: `c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb`
+
+Dependencies: Microsoft Defender Antivirus
+ ### Block Webshell creation for Servers This rule blocks web shell script creation on Microsoft Server, Exchange Role.
Intune name: `Block Webshell creation for Servers`
GUID: `a8f5898e-1dc8-49a9-9878-85004b8a61e6`
+Dependencies: Microsoft Defender Antivirus
+ ### Block Win32 API calls from Office macros This rule prevents VBA macros from calling Win32 APIs.
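Review bot: the two new preview rule sections (`### Block rebooting machine in Safe Mode (preview)` and `### Block use of copied or impersonated system tools (preview)`) omit the `Advanced hunting action type:` field that the sibling rule sections carry, and the added GUID line for the vulnerable-drivers rule runs that label onto the same line (`+ GUID: \`56a863a9-875e-4185-98a7-b882c64b5ce5\` Advanced hunting action type:`). Put `Advanced hunting action type:` on its own line there, and give both preview sections the field (or an explicit "Not yet available") so readers know whether the new rules' events can be hunted on yet. Also normalize the label casing to the form used in the neighbouring sections (`Intune name:` rather than `Intune Name:`); the two new sections and the vulnerable-drivers section all use the capitalized form.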
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
ms.localizationpriority: medium -+ Previously updated : 02/15/2024 Last updated : 02/18/2024 - m365-security - tier2
search.appverid: met150
- macOS - Linux
+- Windows Server
+ Microsoft Defender Antivirus uses many intelligent mechanisms for detecting malware. One of the most powerful capabilities is the ability to apply the power of the cloud to detect malware and perform rapid analysis. Cloud protection and automatic sample submission work together with Microsoft Defender Antivirus to help protect against new and emerging threats. If a suspicious or malicious file is detected, a sample is sent to the cloud service for analysis while Microsoft Defender Antivirus blocks the file. As soon as a determination is made, which happens quickly, the file is either released or blocked by Microsoft Defender Antivirus.
In addition to configuring your cloud protection level, you can configure your s
- **Send all samples automatically** - **Do not send samples**
-For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud protection at Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md).
+> [!TIP]
+> Using the `Send all samples automatically` option provides for better security, because phishing attacks are used for a high amount of [initial access attacks](https://attack.mitre.org/tactics/TA0001/).
+For information about configuration options using Intune, Configuration Manager, Group Policy, or PowerShell, see [Turn on cloud protection at Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md).
## Examples of metadata sent to the cloud protection service
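Review bot: the new tip (`> Using the \`Send all samples automatically\` option provides for better security, because phishing attacks are used for a high amount of [initial access attacks](...)`) gives a reason without the link between them. Say what sample submission adds in that case: a file not yet known to the cloud service, such as a phishing attachment, gets analyzed while it is blocked, as the paragraph above already describes ("a sample is sent to the cloud service for analysis while Microsoft Defender Antivirus blocks the file"). Two smaller points: the option name is bolded in the list above (`**Send all samples automatically**`) but backticked in the tip, and "provides for better security" reads better as "provides better protection".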
security Configuration Management Reference Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus.md
ms.localizationpriority: medium
Previously updated : 10/18/2021- Last updated : 02/18/2024+
search.appverid: met150
**Platforms** - Windows
+- Windows Server
-You can manage and configure Microsoft Defender Antivirus with the following tools:
+> [!TIP]
+> For the best experience, please choose 1 method for configuring the Microsoft Defender Antivirus policies.
-- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
+> [!IMPORTANT]
+> Group Policy (GPO) wins over Microsoft Configuration Manager wins over Microsoft Intune wins over Microsoft Defender for Endpoint Security Configuration Management or Powershell or WMI or MpCmdRun.exe.
+You can manage and configure Microsoft Defender Antivirus with the following tools:
+- [Microsoft Defender for Endpoint Security Configuration Management](/mem/intune/protect/mde-security-integration)
- [Microsoft Intune](/mem/intune/protect/endpoint-security-antivirus-policy) - [Microsoft Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection-configure) - [Group Policy](./use-group-policy-microsoft-defender-antivirus.md) - [PowerShell cmdlets](./use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Windows Management Instrumentation (WMI)](./use-wmi-microsoft-defender-antivirus.md)-- The [Microsoft Malware Protection Command Line Utility](./command-line-arguments-microsoft-defender-antivirus.md) (referred to as the *mpcmdrun.exe* utility
+- The [Microsoft Malware Protection Command Line Utility](./command-line-arguments-microsoft-defender-antivirus.md) (referred to as the *mpcmdrun.exe* utility)
The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus. |Article|Description| |:|:|
+|[Manage Microsoft Defender Antivirus with Microsoft Defender for Endpoint Security Configuration Management](/mem/intune/protect/mde-security-integration)|Information about using the Microsoft Defender for Endpoint Security Configuration Management to configure, manage, and report, Microsoft Defender Antivirus|
|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus| |[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates| |[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters| |[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)|Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)| |[Manage Microsoft Defender Antivirus with the MpCmdRun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus|
+If running high CPU in Antimalware Service Executable | Microsoft Defender Antivirus Service | MsMpEng.exe, please review:
+- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
> [!TIP] > If you're looking for Antivirus related information for other platforms, see: > - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
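Review bot: the precedence statement `> Group Policy (GPO) wins over Microsoft Configuration Manager wins over Microsoft Intune wins over Microsoft Defender for Endpoint Security Configuration Management or Powershell or WMI or MpCmdRun.exe.` is hard to parse as one sentence and never says what "wins" means; state it as an ordered list from highest to lowest precedence, add that when two sources set the same setting the higher one takes effect, and spell `PowerShell`. In the same hunk, `+If running high CPU in Antimalware Service Executable | Microsoft Defender Antivirus Service | MsMpEng.exe, please review:` uses pipe characters as separators directly above a list, which a Markdown renderer can take for a table row; reword to "If the Antimalware Service Executable (the Microsoft Defender Antivirus service, MsMpEng.exe) shows high CPU usage, see:". Minor: "choose 1 method" should be "choose one method".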
security Configure Contextual File Folder Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md
ms.localizationpriority: medium Previously updated : 12/07/2023 Last updated : 02/18/2024 audience: ITPro
search.appverid: met150
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- Microsoft Defender for Business
+
+- Microsoft Defender Antivirus
+
+- Microsoft Defender for individuals
+ This article/section describes the contextual file and folder exclusions capability for Microsoft Defender Antivirus on Windows. This capability allows you to be more specific when you define under which context Microsoft Defender Antivirus shouldn't scan a file or folder, by applying restrictions. ## Overview
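Review bot: the three added applies-to items (`+- Microsoft Defender for Business`, `+- Microsoft Defender Antivirus`, `+- Microsoft Defender for individuals`) are separated by blank lines while the existing items directly above them are not, so the list renders as a loose list with uneven spacing; remove the blank lines. Also confirm that contextual file and folder exclusions are available in Microsoft Defender for individuals, since none of the other applies-to lists touched in this update include that product.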
security Configure Microsoft Defender Antivirus Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md
-+ - m365-security - tier2 - mde-ngp search.appverid: met150 Previously updated : 04/08/2021 Last updated : 02/18/2024 # Configure Microsoft Defender Antivirus features
Last updated 04/08/2021
You can configure Microsoft Defender Antivirus with a number of tools, such as: -- Microsoft Intune-- Microsoft Configuration Manager-- Group Policy-- PowerShell cmdlets-- Windows Management Instrumentation (WMI)-- [Tenant attach](/mem/configmgr/tenant-attach/)
+- [Microsoft Defender for Endpoint Security Policy Management](/mem/intune/protect/mde-security-integration)
+- [Microsoft Intune](/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus)
+- [Microsoft Configuration Manager](/microsoft-365/security/defender-endpoint/manage-mde-post-migration-configuration-manager)
+- Microsoft Configuration Manager [Tenant attach](/mem/configmgr/tenant-attach/)
+- [Group Policy](/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus)
+- [PowerShell cmdlets](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus)
+- [Windows Management Instrumentation (WMI)](/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus)
The following broad categories of features can be configured: - Cloud-delivered protection. See [Cloud-delivered protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md)
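Review bot: the first new tool entry, `+- [Microsoft Defender for Endpoint Security Policy Management](/mem/intune/protect/mde-security-integration)`, labels the same link target that the configuration-management-reference and configure-protection-features changes in this update call "Microsoft Defender for Endpoint Security Configuration Management"; pick one product name and use it on all three pages so readers do not take them for two different tools.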
security Configure Protection Features Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md
-+ - m365-security - tier2 - mde-ngp search.appverid: met150 Previously updated : 04/08/2021 Last updated : 02/18/2024 # Configure behavioral, heuristic, and real-time protection
Microsoft Defender Antivirus uses several methods to provide threat protection:
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection") - Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research
-You can configure how Microsoft Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
+You can configure how Microsoft Defender Antivirus uses these methods with [Microsoft Defender for Endpoint Security Configuration Management](/mem/intune/protect/mde-security-integration), [Microsoft Intune](/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus), Microsoft Configuration Manager, [Group Policy](/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus), [PowerShell cmdlets](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus), and [Windows Management Instrumentation (WMI)](/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
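Review bot: in the rewritten sentence `+You can configure how Microsoft Defender Antivirus uses these methods with [...]`, every tool is linked except Microsoft Configuration Manager; link it to the same target the configure-microsoft-defender-antivirus-features change uses (`/microsoft-365/security/defender-endpoint/manage-mde-post-migration-configuration-manager`) so the list is consistent. The fix of "System Center Configuration Manage" is otherwise good.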
security Customize Run Review Remediate Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
Title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network
-search.product: eADQiWindows 10XVcnh
ms.localizationpriority: medium Previously updated : 09/03/2018- Last updated : 02/27/2024+
search.appverid: met150
**Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- Microsoft Defender for Business
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- Microsoft Defender Antivirus
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
-## In this section
-
-Topic | Description
+Article | Description
| [Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
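Review bot: the applies-to list in this hunk ends up ordered Defender XDR, Plan 2, Defender for Business, Plan 1, Defender Antivirus (the new `+- [Microsoft Defender XDR]` line goes above the existing Plan 2 line, and `+- [Microsoft Defender for Endpoint Plan 1]` is re-added below Defender for Business), which differs from the Plan 1 then Plan 2 order the other pages in this update use; put the Plan 1 line directly above Plan 2. The unchanged sentence `You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.` still omits Intune and Configuration Manager, which the sibling pages now list; consider updating it in the same change.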
security Data Collection Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md
Title: Data collection for advanced troubleshooting on Windows
-description: Learn how to use the client analyzer to collect data for complex troubleshooting scenarios
+description: Learn how to use the client analyzer to collect data for complex troubleshooting scenarios.
f1.keywords: - NOCSH
search.appverid: met150 Previously updated : 03/23/2021 Last updated : 02/27/2024 # Data collection for advanced troubleshooting on Windows
Last updated 03/23/2021
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-When collaborating with Microsoft support professionals, you may be asked to use the client analyzer to collect data for troubleshooting of more complex scenarios. The analyzer script supports other parameters for that purpose and can collect a specific log set based on the observed symptoms that need to be investigated.
+- Microsoft Defender for Business
-Run '**MDEClientAnalyzer.cmd /?**' to see the list of available parameters and their description:
+- Microsoft Defender Antivirus
-
-> [!NOTE]
-> When any advanced troubleshooting parameter is used, the analyzer also calls into [MpCmdRun.exe](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus) to collect Microsoft Defender Antivirus related support logs.
--
-> [!NOTE]
-> You can use '-g' flag to validate URLs for a specific datacenter region even without being onboarded to that region<br>
-> For example:<br>
-> 'MDEClientAnalyzer.cmd -g EU' will force the analyzer to test cloud URLs in Europe region.
-
-**-h** - Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect a verbose general performance trace in addition to the standard log set.
-
-**-l** - Calls into built-in [Windows Performance Monitor](/windows-server/remote/remote-desktop-services/rds-rdsh-performance-counters) to collect a lightweight perfmon trace. This may be useful when diagnosing slow performance degradation issues that occur over time but hard to reproduce on demand.
-
-**-c** - Calls into [process monitor](/sysinternals/downloads/procmon) for advanced monitoring of real-time file system, registry, and process/thread activity. This is especially useful when troubleshooting various application compatibility scenarios.
+When collaborating with Microsoft support professionals, you might be asked to use the client analyzer to collect data for troubleshooting of more complex scenarios. The analyzer script supports other parameters for that purpose and can collect a specific log set based on the observed symptoms that need to be investigated.
-**-i** - Calls into built-in [netsh.exe](/windows/win32/winsock/netsh-exe) command to start a network and windows firewall trace that is useful when troubleshooting various network-related issues.
+Run `MDEClientAnalyzer.cmd /?` to see the list of available parameters and their description:
-**-b** - Same as '-c' but the process monitor trace will be initiated during next boot and stopped only when the -b is used again.
-
-**-e** - Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect Defender AV Client tracing (AM-Engine and AM-Service) for analysis of Antivirus cloud connectivity issues.
-
-**-a** - Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect a verbose performance trace specific to analysis of high CPU issues related to the antivirus process (MsMpEng.exe).
-
-**-v** - Uses antivirus [MpCmdRun.exe command line argument](/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) with most verbose -trace flags.
-**-t** - Starts verbose trace of all client-side components relevant to Endpoint DLP. This is useful for scenarios where [DLP actions](/microsoft-365/compliance/endpoint-dlp-learn-about#endpoint-activities-you-can-monitor-and-take-action-on) are not happening as expected for files.
+| Switch | Description | When to use| Process that you're troubleshooting. |
+|:|:|:|:|
+|`-h` |Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect a verbose general performance trace in addition to the standard log set. |Slow application start/launch. When clicking on a button on the app, taking x seconds longer. |One of the following: <br/>- `MSSense.exe`<br/>- `MsSenseS.exe`<br/>- `SenseIR.exe`<br/>- `SenseNdr.exe`<br/>- `SenseTVM.exe`<br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe` <br/>- `MsMpEng.exe` <br/>- `NisSrv.exe` |
+|`-l`|Calls into built-in [Windows Performance Monitor](/windows-server/remote/remote-desktop-services/rds-rdsh-performance-counters) to collect a lightweight perfmon trace. This scenario can be useful when diagnosing slow performance degradation issues that occur over time but hard to reproduce on demand. |Troubleshooting application performance that could be slow to reproduce (manifest) itself. We recommend capturing up to three minutes (at most five minutes), because your data set could get too large.|One of the following: <br/>- `MSSense.exe` <br/>- `MsSenseS.exe` <br/>- `SenseIR.exe`<br/>- `SenseNdr.exe` <br/>- `SenseTVM.exe`<br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe`<br/>- `MsMpEng.exe`<br/>- `NisSrv.exe` |
+|`-c`|Calls into [process monitor](/sysinternals/downloads/procmon) for advanced monitoring of real-time file system, registry, and process/thread activity. This is especially useful when troubleshooting various application compatibility scenarios. |Process Monitor (ProcMon) to initiate a boot trace when investigating a driver or service or application startup delay related issue. Or applications hosted on a network share that aren't using SMB Opportunistic Locking (Oplock) properly causing application compatibility problems.|One of the following: <br/>- `MSSense.exe`<br/>- `MsSenseS.exe`<br/>- `SenseIR.exe`<br/>- `SenseNdr.exe`<br/>- `SenseTVM.exe`<br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe`<br/>- `MsMpEng.exe`<br/>- `NisSrv.exe` |
+|`-i`|Calls into built-in [netsh.exe](/windows/win32/winsock/netsh-exe) command to start a network and Windows Firewall trace that is useful when troubleshooting various network-related issues. |When troubleshooting network related issues such as Defender for Endpoint EDR telemetry or CnC data submission issues. Microsoft Defender Antivirus Cloud Protection (MAPS) reporting issues. Network protection related issues, and so forth. |One of the following processes: <br/>- `MSSense.exe`<br/>- `MsSenseS.exe`<br/>- `SenseIR.exe`<br/>- `SenseNdr.exe`<br/>- `SenseTVM.exe`<br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe`<br/>- `MsMpEng.exe`<br/>- `NisSrv.exe` |
+|`-b`|Same as `-c` but the process monitor trace will be initiated during next boot and stopped only when the -b is used again. |Process Monitor (ProcMon) to initiate a boot trace when investigating a driver or service or application startup delay related issue. This scenario can also be used to investigate a slow boot or slow sign-in.|One of the following processes: <br/>- `MSSense.exe`<br/>- `MsSenseS.exe`<br/>- `SenseIR.exe`<br/>- `SenseNdr.exe`<br/>- `SenseTVM.exe` <br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe`<br/>- `MsMpEng.exe`<br/>- `NisSrv.exe` |
+|`-e`|Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect Defender AV Client tracing (AM-Engine and AM-Service) for analysis of Antivirus cloud connectivity issues. |When troubleshooting Cloud Protection (MAPS) reporting failures.|MsMpEng.exe |
+|`-a`|Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect a verbose performance trace specific to analysis of high CPU issues related to the antivirus process (MsMpEng.exe). |When troubleshooting high cpu utilization with Microsoft Defender Antivirus (Antimalware Service Executable or MsMpEng.exe) if you already used the Microsoft Defender Antivirus [Performance Analyzer](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus) to narrow down the /path/process or /path or file extension contributing to the high cpu utilization. This scenario enables further investigate what the application or service is doing to contribute to the high cpu utilization.|MsMpEng.exe |
+|`-v`|Uses antivirus [MpCmdRun.exe command line argument](/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) with most verbose -trace flags. |Anytime an advanced troubleshooting is needed. Such as when troubleshooting Cloud Protection (MAPS) reporting failures, Platform Update failures, Engine update failures, Security Intelligence Update failures, False negatives, etc. Can also be used with `-b`, `-c`, `-h`, or `-l`.|`MsMpEng.exe` |
+|`-t` |Starts verbose trace of all client-side components relevant to Endpoint DLP, which is useful for scenarios where [DLP actions](/microsoft-365/compliance/endpoint-dlp-learn-about#endpoint-activities-you-can-monitor-and-take-action-on) aren't happening as expected for files. |When running into issues where the Microsoft Endpoint Data Loss Prevention (DLP) actions expected aren't occurring.|`MpDlpService.exe` |
+|`-q`|Calls into DLPDiagnose.ps1 script from the analyzer `Tools` directory that validates the basic configuration and requirements for Endpoint DLP. |Checks the basic configuration and requirements for Microsoft Endpoint DLP|`MpDlpService.exe`|
+|`-d`|Collects a memory dump of `MsSenseS.exe` (the sensor process on Windows Server 2016 or older OS) and related processes. - \* This flag can be used with above mentioned flags. - \*\* Capturing a memory dump of [PPL protected processes](/windows-hardware/drivers/install/early-launch-antimalware) such as `MsSense.exe` or `MsMpEng.exe` isn't supported by the analyzer at this time.|On Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2 or Windows Server 2016 running w/ the MMA agent and having performance (high cpu or high memory usage) or application compatibility issues. |`MsSenseS.exe`|
+|`-z` |Configures registry keys on the machine to prepare it for full machine memory dump collection via [CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard). This would be useful for analysis of computer freeze issues. \* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice. |Machine hanging or being unresponsive or slow. High memory usage (Memory leak): a) User mode: Private bytes b) Kernel mode: paged pool or nonaged pool memory, handle leaks.|`MSSense.exe` or `MsMpEng.exe` |
+|`-k` |Uses [NotMyFault](/sysinternals/downloads/notmyfault) tool to force the system to crash and generate a machine memory dump. This would be useful for analysis of various OS stability issues. |Same as above.|`MSSense.exe` or `MsMpEng.exe` |
+
+The analyzer, and all of the scenario flags listed in this article, can be initiated remotely by running `RemoteMDEClientAnalyzer.cmd`, which is also bundled into the analyzer toolset:
-**-q** - Calls into DLPDiagnose.ps1 script from the analyzer 'Tools' directory that validates the basic configuration and requirements for Endpoint DLP.
-**-d** - Collects a memory dump of MsSense**S**.exe (the sensor process on Windows Server 2016 or older OS) and related processes.
+> [!NOTE]
+> When any advanced troubleshooting parameter is used, the analyzer also calls into [MpCmdRun.exe](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus) to collect Microsoft Defender Antivirus related support logs.
+> You can use `-g` flag to validate URLs for a specific datacenter region even without being onboarded to that region<br>
+> For example, `MDEClientAnalyzer.cmd -g EU` forces the analyzer to test cloud URLs in Europe region.
-- \* This flag can be used in conjunction with above mentioned flags.-- \*\* Capturing a memory dump of [PPL protected processes](/windows-hardware/drivers/install/early-launch-antimalware) such as MsSense.exe or MsMpEng.exe is not supported by the analyzer at this time.
+## A few points to keep in mind
-**-z** - Configures registry keys on the machine to prepare it for full machine memory dump collection via [CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard). This would be useful for analysis of computer freeze issues.
+When you use `RemoteMDEClientAnalyzer.cmd`, it calls into `psexec` to download the tool from the configured file share and then run it locally via `PsExec.exe`.
-\* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice.
+The CMD script uses the `-r` flag to specify that it is running remotely within SYSTEM context, and so no prompt is presented to the user.
-**-k** - Uses [NotMyFault](/sysinternals/downloads/notmyfault) tool to force the system to crash and generate a machine memory dump. This would be useful for analysis of various OS stability issues.
+That same flag can be used with `MDEClientAnalyzer.cmd` to avoid a prompt to the user to specify the number of minutes for data collection. For example, consider `MDEClientAnalyzer.cmd -r -i -m 5`.
-The analyzer and all the above scenario flags can be initiated remotely by running 'RemoteMDEClientAnalyzer.cmd', which is also bundled into the analyzer toolset:
+- `-r` indicates that tool is being run from remote (or non-interactive context).
+- `-i` is the scenario flag for collection of network trace along with other related logs.
+- `-m #` denotes the number of minutes to run (we used 5 minutes in our example).
+When using `MDEClientAnalyzer.cmd`, the script checks for privileges using `net session`, which requires the service `Server` to be running. If it's not, you will get the error message _Script is running with insufficient privileges_. Run it with administrator privileges if ECHO is off.
-> [!NOTE]
->
-> - When using RemoteMDEClientAnalyzer.cmd it calls into psexec to download the tool from the configured file share and then run it locally via PsExec.exe.
- The CMD script uses '-r' flag to specify that it is running remotely within SYSTEM context and so no prompt to the user will be presented.
-> - That same flag can be used with MDEClientAnalyzer.cmd to avoid a prompt to user that requests to specify the number of minutes for data collection. For example:
->
-> **MDEClientAnalyzer.cmd -r -i -m 5**
->
-> - **-r** - Indicates that tool is being run from remote (or non-interactive context)
-> - **-i** - Scenario flag for collection of network trace along with other related logs
-> - **-m** \# - The number of minutes to run (5 minutes in the above example)
->
-> - When using MDEClientAnalyzer.cmd the script checks for privileges using "net session" which requires the service "Server" to be running. If it is not, you will get the error message _Script is running with insufficient privileges_. Run it with administrator privileges if ECHO is off.
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
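Review bot: the last sentence of the new privileges paragraph, "Run it with administrator privileges if ECHO is off.", gives the reader no usable condition; "ECHO is off" reads as a stray fragment of batch output rather than a state an admin can check. Suggest "If you see that message, rerun the script from an elevated (administrator) command prompt." Since the same paragraph block explains that `RemoteMDEClientAnalyzer.cmd` has PsExec download the analyzer from the configured file share and run it as SYSTEM with no prompt, add one sentence stating that the share must be writable only by administrators; otherwise whatever is placed there runs as SYSTEM on every target device. The `-r`, `-i` and `-m #` bullets are consistent with the example `MDEClientAnalyzer.cmd -r -i -m 5`, so no change there.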
security Defender Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md
- tier2 - mde-ngp Previously updated : 05/06/2021 Last updated : 02/18/2024
The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning. > [!IMPORTANT]
-> Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings.
+> Endpoint detection and response (EDR) in Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings.
-You must configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active anti-malware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).
+For optimal protection, configure the following settings for devices that are onboarded to Defender for Endpoint, whether Microsoft Defender Antivirus is the active antimalware solution or not:
-If an onboarded device is protected by a third-party anti-malware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
+- Security intelligence updates (which also updates the scan engine)
+- Platform Update updates
-Microsoft Defender Antivirus will continue to receive updates, and the *msmpeng.exe* process will be listed as a running a service. But, it won't perform scans and doesn't replace the running third-party anti-malware client.
+For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).
-The Microsoft Defender Antivirus interface will be disabled. Users on the device won't be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
+If an onboarded device is protected by a non-Microsoft anti-malware client, Microsoft Defender Antivirus goes into [passive mode](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). In this scenario, Microsoft Defender Antivirus continues to receive updates, and the `msmpeng.exe` process is listed as a running a service. But, it doesn't perform real-time protection scans, scheduled scans, or on-demand scans, and and doesn't replace the running non-Microsoft antimalware client. The Microsoft Defender Antivirus user interface is disabled. Device users can't use Microsoft Defender Antivirus to perform on-demand scans or configure most options such as Attack Surface Reduction (ASR) rules, Network Protection, Indicators - File/IP address/URL/Certificates allow/block, Web Content Filtering, Controlled Folder Access, and so forth.
For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](microsoft-defender-antivirus-compatibility.md).+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
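Review bot: the new passive-mode paragraph (starting "+If an onboarded device is protected by a non-Microsoft anti-malware client") contains two doubled words, "listed as a running a service" and "and and doesn't replace", and it merges two separate statements into one sentence: that the local Microsoft Defender Antivirus user interface is disabled for device users, and that ASR rules, Network Protection, Indicators, Web Content Filtering and Controlled Folder Access are affected in passive mode. Those are admin-configured tenant features, not options a device user sets in the UI, so if the intent is that they don't function while Microsoft Defender Antivirus is passive, say that directly in its own sentence rather than listing them as "options" the user can't configure. Narrowing the IMPORTANT callout to "Endpoint detection and response (EDR)" is a useful correction.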
security Device Health Microsoft Defender Antivirus Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health.md
localization_priority: Normal Previously updated : 09/06/2022 Last updated : 02/18/2024 audience: ITPro
- mde-ngp -+ # Device health, Microsoft Defender Antivirus health report
security Elam On Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/elam-on-mdav.md
+
+ Title: Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus
+description: How Microsoft Defender Antivirus incorporates Early Launch Antimalware (ELAM) for preventing rootkit and drivers with malware from loading before the antivirus service and drivers are loaded.
++++++ Last updated : 02/26/2024+
+ms.localizationpriority: medium
+
+search.appverid: MET150
+f1 keywords: NOCSH
+audience: ITPro
++
+# Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus
+
+**Applies to:** 
+
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) 
+- Microsoft Defender for Business 
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) 
+- Microsoft Defender for Individual 
+
+**Platforms:**
+- Windows 11, Windows 10, Windows 8.1, Windows 8 
+- Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 
+
+Detecting malware that starts early in the boot cycle was a challenge before Windows 8. To combat early boot threats such as rootkits or malicious drivers that can hide from detection, as of August 1, 2012, Microsoft Defender Antivirus (MDAV) for Windows 8 and newer, or Windows Server 2012 and newer, incorporated a new feature called [Early Launch Antimalware (ELAM)](/windows/compatibility/early-launch-antimalware) driver. Microsoft Defender Antivirus uses Wdboot.sys driver that starts before other boot-start drivers, enables the evaluation of those drivers, and helps the Windows kernel decide whether they should be initialized. 
+
+### Where is the ELAM detection(s) logged?
+The ELAM detection is logged in the same location as the other Microsoft Defender Antivirus threats, such as [Event ID 1006](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus).
+
+### How do I keep the MDAV ELAM driver up to date?
+The MDAV ELAM driver ships with the monthly ΓÇ£[Platform update](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates).ΓÇ¥
+
+### Can the Early Launch Antimalware (ELAM) policy be modified? 
+ELAM can be modified here: 
+**Computer Configuration > Administrative Templates > System > Early Launch Antimalware.**
+
+### How can I check that the MDAV ELAM driver is loaded?
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch 
+BackupPath (string) C:\Windows\\[ELAMBKUP](/windows-hardware/drivers/install/elam-driver-requirements)\WdBoot.sys (value)
+
+### How do I revert the MDAV ELAM driver to a previous version?
+C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>\MpCmdRun.exe -[RevertPlatform](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus)<br>
+For example:
+```C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MpCmdRun.exe -RevertPlatform```
+
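Review bot: the "How can I check that the MDAV ELAM driver is loaded?" section shows a registry key and value but never says what it demonstrates; a `BackupPath` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch` pointing at `WdBoot.sys` shows the Defender ELAM driver's backup copy is registered, which is not the same as it having loaded at the last boot, so either reword the heading to match or state how to interpret the value. The path is also written as bare text with a link embedded mid-path (`C:\Windows\\[ELAMBKUP](...)\WdBoot.sys`), which renders as a broken path; put the key and value in a code block and link ELAMBKUP from the prose. Smaller points in the same hunk: the "keep the MDAV ELAM driver up to date" answer carries mojibake (`ΓÇ£` and `ΓÇ¥`) around "Platform update"; the `-RevertPlatform` example is wrapped in inline triple backticks on one line and should be a fenced block with the `<antimalware platform version>` placeholder shown in code formatting; and the Group Policy answer names the folder but not the setting under it, so state which policy the reader changes there.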
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
description: Learn about Microsoft Defender for Endpoint capabilities, run attac
+ ms.localizationpriority: medium audience: ITPro
- tier1 search.appverid: met150 Previously updated : 11/02/2023 Last updated : 02/27/2024 # Microsoft Defender for Endpoint evaluation lab
+ > [!IMPORTANT]
+ > **The Microsoft Defender for Endpoint evaluation lab was deprecated in January, 2024**.
+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)] **Applies to:**
security Limited Periodic Scanning Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md
Previously updated : 02/02/2024- Last updated : 02/18/2024+
search.appverid: met150
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - Microsoft Defender Antivirus
+- Microsoft Defender for Individual
+ **Platforms** - Windows
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
When this feature is enabled, Defender for Endpoint will scan network socket eve
The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
+> [!NOTE]
+> Cloud-delivered protection is applicable with any Enforcement level settings (real_time, on_demand, passive).
+ |Description|Value| ||| |**Key**|cloudService|
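Review bot: "Cloud-delivered protection is applicable with any Enforcement level settings (real_time, on_demand, passive)" is ambiguous: it can mean that cloud lookups continue to happen whatever the enforcement level is, or only that the `cloudService` setting can be configured in any mode. State which one is meant, and name the enforcement level key the way the rest of the article does, with its values formatted as code (`real_time`, `on_demand`, `passive`) so they match the table style used for `cloudService`.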
security Manage Event Based Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus.md
Previously updated : 09/17/2018 Last updated : 02/27/2024
search.appverid: met150
**Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- Microsoft Defender for Business
+ - Microsoft Defender Antivirus **Platforms** - Windows
-Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
+Microsoft Defender Antivirus allows you to determine if updates should (or shouldn't) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
## Check for protection updates before running a scan
-You can use Microsoft Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan.
+You can use Microsoft Defender for Endpoint Security Settings Management, Microsoft Intune, Microsoft Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan.
+
+### Use Microsoft Defender for Endpoint Security Settings Management to check for protection updates before running a scan
+
+1. On your Microsoft Defender for Endpoint console ([https://security.microsoft.com](https://security.microsoft.com)), go to **Endpoints** > **Configuration management** > **Endpoint security policies** > **Create new policy**.
+
+ - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server**.
+ - In the **Select Templates** list, select **Microsoft Defender Antivirus**.
+
+2. Fill in the name and description, and then select **Next**>
+
+3. Go to the **Scheduled scans** section and set **Check For Signatures Before Running Scan** to **Enabled**.
+
+4. Deploy the updated policy as usual.
+
+### Use Microsoft Intune to check for protection updates before running a scan
+
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com/), go to **Endpoints** > **Configuration management** > **Endpoint security policies**, and then select **Create new policy**.
+
+ - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server**.
+ - In the **Select Templates** list, select **Microsoft Defender Antivirus**.
+
+2. Fill in the name and description, and then select **Next**.
+
+3. Go to the **Scheduled scans** section, and set **Check For Signatures Before Running Scan** to **Enabled**.
+
+4. Save and deploy the policy.
### Use Configuration Manager to check for protection updates before running a scan
-1. On your Microsoft Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** \> **Endpoint Protection** \> **Antimalware Policies**)
+1. On your Microsoft Configuration Manager console, open the antimalware policy you want to change (select **Assets and Compliance** in the navigation pane, then expand the tree to **Overview** \> **Endpoint Protection** \> **Antimalware Policies**).
2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**.
-3. Click **OK**.
+3. Select **OK**.
4. [Deploy the updated policy as usual](/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Use Group Policy to check for protection updates before running a scan
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal).
-2. Using the **Group Policy Management Editor** go to **Computer configuration**.
+2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
-3. Click **Policies** then **Administrative templates**.
+3. Using the **Group Policy Management Editor** go to **Computer configuration**.
-4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**.
+4. Select **Policies** then **Administrative templates**.
-5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
+5. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**.
-6. Click **OK**.
+6. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.
+
+7. Select **OK**.
### Use PowerShell cmdlets to check for protection updates before running a scan
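Review bot: the new Intune procedure repeats the Defender portal navigation word for word ("go to **Endpoints** > **Configuration management** > **Endpoint security policies**") under a heading that points the reader at the Microsoft Intune admin center, which looks like a copy-paste from the Security Settings Management section; verify the path against the Intune admin center navigation before merging. Minor: step 2 of the Security Settings Management procedure ends with a stray character, "select **Next**>", which should be "select **Next**." to match the Intune step. The renumbered Group Policy steps (splitting open-console and right-click-Edit into steps 1 and 2) are consistent through step 7.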
For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windo
You can use Group Policy to force Microsoft Defender Antivirus to check and download protection updates when the machine is started.
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and select **Edit**.
2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-3. Click **Policies** then **Administrative templates**.
+3. Select **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**. 5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**.
-6. Click **OK**.
+6. Select **OK**.
-You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it is not running.
+You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it isn't running.
### Use Group Policy to download updates when Microsoft Defender Antivirus is not present
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and select **Edit**.
2. Using the **Group Policy Management Editor**, go to **Computer configuration**.
-3. Click **Policies** then **Administrative templates**.
+3. Select **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**. 5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
-6. Click **OK**.
+6. Select **OK**.
### Use PowerShell cmdlets to download updates when Microsoft Defender Antivirus is not present
For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windo
Microsoft Defender Antivirus can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates.
-If you have enabled cloud-delivered protection, Microsoft Defender Antivirus will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender Antivirus to automatically receive that protection update. Other important protection updates can also be applied.
+If you have enabled cloud-delivered protection, Microsoft Defender Antivirus sends files it's suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender Antivirus to automatically receive that protection update. Other important protection updates can also be applied.
### Use Group Policy to automatically download recent updates based on cloud-delivered protection
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and select **Edit**.
2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-3. Click **Policies** then **Administrative templates**.
+3. Select **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.
-5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
+5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then select **OK**.
-6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**.
+6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then select **OK**.
> [!NOTE] > **Allow notifications to disable definitions based reports** enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
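Review bot: step 6 of the cloud-delivered protection procedure still has no verb on both the old and new line, "6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**"; since this hunk touches that line anyway, make it "6. Double-click **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then select **OK**." so it matches step 5. The following NOTE spells the policy "definitions based" without the hyphen used in the step; align the two.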
If you have enabled cloud-delivered protection, Microsoft Defender Antivirus wil
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Microsoft Defender Antivirus Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md
Title: Microsoft Defender Antivirus security intelligence and product updates
description: Manage how Microsoft Defender Antivirus receives protection and product updates. ms.localizationpriority: high Previously updated : 12/06/2023 Last updated : 02/27/2024 audience: ITPro
search.appverid: met150
# Microsoft Defender Antivirus security intelligence and product updates **Applies to:**+ - [Microsoft Defender for Endpoint Plans 1 and 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - Microsoft Defender Antivirus **Platforms**+ - Windows Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. Update your antivirus protection, even if Microsoft Defender Antivirus is running in [passive mode](microsoft-defender-antivirus-compatibility.md). This article includes information about the two types of updates for keeping Microsoft Defender Antivirus current:
All our updates contain
- Serviceability improvements - Integration improvements (Cloud, [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender))
+### January-2024 (Platform: 4.18.24010.12 | Engine: 1.1.24010.10)
+
+- Security intelligence update version: **1.405.702.0**
+- Release date: **February 27, 2024**
+- Platform: **4.18.24010.12**
+- Engine: **1.1.24010.10**
+- Support phase: **Security and Critical Updates**
+
+#### What's new
+
+- Microsoft Defender Antivirus now caches the Mark of the Web (MoTW) Alternative Data Stream (ADS) for better performance while scanning.
+- Fixed an issue that occurred in [attack surface reduction](attack-surface-reduction-rules-reference.md) in warn mode when removing scan results from the real-time protection cache.
+- Performance improvement added for `OneNote.exe`.
+- Cloud-based entries are regularly removed from the persistent user mode cache in Windows Defender to prevent a uncommon issue where a user could still add a certificate, based on an Indicator of compromise (IoC), to the cache after a file with that certificate had already been added via cloud signature.
+- The Sense onboarding event is now sent in passive mode for operating systems with the old Sense client.
+- Improved performance for logs created/accessed by powershell.
+- Improved performance for folders included in [Controlled folder access(CFA)](controlled-folders.md) when accessing network files.
+- Fixed a deadlock that occurred at shutdown for Data Loss Prevention (DLP) enabled devices.
+- Fixed an issue to remove a vulnerability in the Microsoft Defender Core service.
+- Fixed an onboarding issue in the Unified Agent installation script [install.ps1](https://github.com/microsoft/mdefordownlevelserver).
+- Fixed a memory leak that impacted some devices that received platform update `4.18.24010.7`
+ ### November-2023 (Platform: 4.18.23110.3 | Engine: 1.1.23110.2) -- Security intelligence update version: **1.403.7.0**
+- Security intelligence update version: **1.403.7.0**
- Release date:ΓÇ»**December 5, 2023 (Platform)** / **December 6, 2023 (Engine)**-- Platform: **4.18.23110.3**
+- Platform: **4.18.23110.3**
- Engine: **1.1.23110.2**-- Support phase: **Security and Critical Updates**
+- Support phase: **Security and Critical Updates**
-#### What's new
+#### What's new
- Fixed PowerShell cmdlet [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) to show the correct date/time for `AntivirusSignatureLastUpdated` - Resolved deadock issue that occurred on systems with multiple filter drivers reading a file when the file is copied
All our updates contain
- None
-### September-2023 (Platform: 4.18.23090.2008 | Engine: 1.1.23090.2007)
-
-- Security intelligence update version: **1.399.44.0**-- Release date: **October 3, 2023 (Engine) | October 4, 2023 (Platform)**-- Platform: **4.18.23090.2008**-- Engine: **1.1.23090.2007**-- Support phase: **Security and Critical Updates**
-
-#### What's new
--- Fixed automatic remediation during on demand scans involving archives with multiple threats-- Improved the performance of scanning files on network locations-- Added support for domain computer SID for device control policies-- Improved installer of unified agent to include legacy version of Windows Server 2012 (6.3.9600.17735)-- Fixed issue in device control when querying Microsoft Entra group membership, which resulted in increased network traffic.-- Improved parsing of attack surface reduction exclusions in the antimalware engine-- Improved reliability in scanning PE files-- Improved deployments safeguards for security intelligence updates-
-#### Known issues
--- None- ### Previous version updates: Technical upgrade support only After a new package version is released, support for the previous two versions is reduced to technical support only. For more information about previous versions, see [Microsoft Defender Antivirus updates: Previous versions for technical upgrade support](msda-updates-previous-versions-technical-upgrade-support.md).
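Review bot: the January-2024 "What's new" entry "Fixed an issue to remove a vulnerability in the Microsoft Defender Core service" gives a reader in the Security and Critical Updates phase nothing to act on; if there is a published advisory or CVE for this fix, link it here, and if not, say the fix is documented elsewhere or give the affected version range so admins can tell whether `4.18.24010.12` closes it. The last bullet, "Fixed a memory leak that impacted some devices that received platform update `4.18.24010.7`", supports that kind of versioned statement and is the model to follow. Copy fixes in the same list: "a uncommon issue" should be "an uncommon issue", "powershell" should be "PowerShell", and the final bullet is missing its period.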
security Msda Updates Previous Versions Technical Upgrade Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
ms.localizationpriority: medium Previously updated : 12/05/2023 Last updated : 02/27/2024 audience: ITPro
search.appverid: met150
Microsoft regularly releases [security intelligence updates and product updates for Microsoft Defender Antivirus](microsoft-defender-antivirus-updates.md). It's important to keep Microsoft Defender Antivirus up to date. When a new package version is released, support for the previous two versions is reduced to technical support only. Versions that are older than the previous two versions are listed in this article and are provided for technical upgrade support only.
+## September-2023 (Platform: 4.18.23090.2008 | Engine: 1.1.23090.2007)
+
+- Security intelligence update version: **1.399.44.0**
+- Release date: **October 3, 2023 (Engine) | October 4, 2023 (Platform)**
+- Platform: **4.18.23090.2008**
+- Engine: **1.1.23090.2007**
+- Support phase: **Technical upgrade support (only)**
+
+### What's new
+
+- Fixed automatic remediation during on demand scans involving archives with multiple threats
+- Improved the performance of scanning files on network locations
+- Added support for domain computer SID for device control policies
+- Improved installer of unified agent to include legacy version of Windows Server 2012 (6.3.9600.17735)
+- Fixed issue in device control when querying Microsoft Entra group membership, which resulted in increased network traffic.
+- Improved parsing of attack surface reduction exclusions in the antimalware engine
+- Improved reliability in scanning PE files
+- Improved deployments safeguards for security intelligence updates
+
+### Known issues
+
+- None
+ ## August-2023 (Platform: 4.18.23080.2006 | Engine: 1.1.23080.2005) - Security intelligence update version: **1.397.59.0**
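Review bot: moving September-2023 here with "Support phase: **Technical upgrade support (only)**" matches its removal from the current-updates article, but the phrase differs from the intro sentence's "technical upgrade support only"; use one form. Two copy edits carried over with the block: "on demand scans" should be "on-demand scans" and "Improved deployments safeguards" should be "Improved deployment safeguards".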
security Overview Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-client-analyzer.md
search.appverid: met150 Previously updated : 03/23/2021 Last updated : 02/27/2024 # Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer
For more information about our privacy statement, see [Microsoft Privacy Stateme
- For Windows devices, if you are running the analyzer directly on specific machines and not remotely via [Live Response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log), then SysInternals [PsExec.exe](/sysinternals/downloads/psexec) should be allowed (at least temporarily) to run. The analyzer calls into PsExec.exe tool to run cloud connectivity checks as Local System and emulate the behavior of the SENSE service.
- > [!NOTE]
- > On Windows devices, if you use attack surface reduction rule [Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules-reference.md#block-process-creations-originating-from-psexec-and-wmi-commands), then may want to temporarily disable the rule or [configure an exclusion to the ASR rule](enable-attack-surface-reduction.md#exclude-files-and-folders-from-attack-surface-reduction-rules) to allow the analyzer to run connectivity checks to cloud as expected.
+ > [!NOTE]
+ > On Windows devices, if you use the attack surface reduction rule [Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules-reference.md#block-process-creations-originating-from-psexec-and-wmi-commands), you might want to temporarily [configure an exclusion to the ASR rule](enable-attack-surface-reduction.md#exclude-files-and-folders-from-attack-surface-reduction-rules). Optionally, you can set the rule to **audit** or you can disable the rule. Making these configurations allows the analyzer to run connectivity checks to cloud without being blocked.
+ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
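Review bot: the rewritten NOTE applies "temporarily" only to the exclusion, while the next sentence offers setting the rule to **audit** or disabling it with no such qualifier; since the rule in question blocks process creations from PsExec and WMI, make explicit that all three options are temporary and that the rule is returned to block mode once the analyzer's connectivity checks finish, and that an exclusion scoped to the analyzer's own PsExec path is preferred over an audit or disable of the whole rule. Leading with the exclusion instead of "disable the rule" is the right change.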
security Schedule Antivirus Scans Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-powershell.md
search.appverid: met150
# Schedule antivirus scans using PowerShell **Applies to:**-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- Microsoft Defender for Business
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- Microsoft Defender Antivirus **Platforms** - Windows
+- Windows Server
This article describes how to configure scheduled scans using PowerShell cmdlets. To learn more about scheduling scans and about scan types, see [Configure scheduled quick or full Microsoft Defender Antivirus scans](schedule-antivirus-scans.md).
security Why Use Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus.md
-+
- tier2 - mde-ngp search.appverid: met150 Previously updated : 04/08/2021 Last updated : 02/18/2024 # Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint
Microsoft Defender Antivirus is the next-generation protection component of [Mic
Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations), you get better protection that's coordinated across products and services.
-## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint
+## 13 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint
|#|Advantage|Why it matters| |--|--|--|
Although you can use a non-Microsoft antivirus solution with Microsoft Defender
|2|Threat analytics and your score for devices|Microsoft Defender Antivirus collects underlying system data used by [threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics) and [Microsoft Secure Score for Devices](/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture.| |3|Performance|Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/evaluate-mde).| |4|Details about blocked malware|More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. [Understand malware & other threats](/windows/security/threat-protection/intelligence/understanding-malware).|
-|5|Network protection|Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](/microsoft-365/security/defender-endpoint/network-protection).|
-|6|File blocking|Your organization's security team can block specific files. [Stop and quarantine files in your network](/microsoft-365/security/defender-endpoint/respond-file-alerts#stop-and-quarantine-files-in-your-network).|
-|7|Attack Surface Reduction|Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction).|
-|8|Auditing events|Auditing event signals are available in [endpoint detection and response capabilities](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response). (These signals are not available with non-Microsoft antivirus solutions.)|
-|9|Geographic data|Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](/microsoft-365/compliance/offering-iso-27001).|
+|5|Attack surface reduction|Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction).|
+|6|Network protection|Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](/microsoft-365/security/defender-endpoint/network-protection).|
+|7|Indicators, such as file, IP address, URL, and/or certificate allow or block indicators |Your organization's security team can import threat intel, which blocks known Indicators of Compromise (IoC's) [Get an overview of Indicator of compromise (IoC)](/microsoft-365/security/defender-endpoint/manage-indicators).|
+|8|File blocking|Your organization's security team can block specific files. [Stop and quarantine files in your network](/microsoft-365/security/defender-endpoint/respond-file-alerts#stop-and-quarantine-files-in-your-network).|
+|9|Auditing events|Auditing event signals are available in [endpoint detection and response capabilities](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response). (These signals are not available with non-Microsoft antivirus solutions.)|
|10|File recovery via OneDrive|If you are using Microsoft Defender Antivirus together with [Office 365](/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
-|11|Technical support|By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp)and [review event logs and error codes with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/).|
+|11|Controlled folder access |Your organization's security team can reduce malware from encrypting end-users data by preventing unknown applications or services being able to write to protected folders. [Get an overview of controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders).|
+|12|Geographic data|Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](/microsoft-365/compliance/offering-iso-27001).|
+|13|Technical support|By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp)and [review event logs and error codes with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/).|
> [!TIP] > If you're looking for Antivirus related information for other platforms, see:
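Review bot: the re-numbered table still carries the "ISO 270001" typo in row 12 (should be ISO 27001) and the missing space in "troubleshoot-mdatp)and" in row 13; since both rows are rewritten in this hunk, fix them here. In the new row 7 the advantage cell promises "allow or block indicators" but the description only says the imported intel "blocks known Indicators of Compromise (IoC's)"; say "allows or blocks", write "IoCs", and add a period before the link. Row 11's "reduce malware from encrypting end-users data" should read "reduce the risk of malware encrypting end users' data", and its link text says "Get an overview of controlled folder access" while the target is the enable-controlled-folders how-to; point it at the overview article or change the link text.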
security Fixed Reported Inaccuracies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies.md
The following tables present the relevant vulnerability information organized by
Inaccuracy report ID |Description |Fix date | |:|:|:| | - | Fixed inaccuracy in Snow Inventory Agent | 06-Feb-24
-| 42360 | Fixed inaccuracy in GitHub vulnerabilities - CVE-2020-10519 & CVE-2021-22863 | 12-Feb-24
+| 42360 | Fixed inaccuracy in GitHub vulnerabilities - CVE-2020-10519 and CVE-2021-22863 | 12-Feb-24
+| 44875 | Fixed inaccuracy in Zoom Meetings for macOS | 14-Feb-24
+| 45686 | Fixed inaccuracy in ConnectWise Control (Formerly known as ScreenConnect) | 14-Feb-24
+| 45559 | Added Microsoft Defender Vulnerability Management support to Forta GoAnyWhere MFT | 14-Feb-24
+| - | Added Microsoft Defender Vulnerability Management support to BeyondTrust Remote Support Jump Client | 14-Feb-24
+| - | Fixed inaccuracy in Ignite Real Time | 14-Feb-24
+| - | Added Microsoft Defender Vulnerability Management support to Ivanti (Pulse Secure) February released Vulnerabilities | 20-Feb-24
+| - | Defender Vulnerability Management doesn't currently support SAP GUI | 21-Feb-24
+| 46606 | Defender Vulnerability Management doesn't currently support Postgresql | 21-Feb-24
+| 47700 | Defender Vulnerability Management doesn't currently support Adobe Digital Editions | 21-Feb-24
## January 2024
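Review bot: two product names in the new rows are misspelled: "Forta GoAnyWhere MFT" should be "Fortra GoAnywhere MFT", and "Postgresql" is written "PostgreSQL" by the project; also check "Ignite Real Time", since the Openfire project spells itself "Ignite Realtime". The report IDs are out of order (44875, 45686, then 45559) and several rows use "-" where the other rows carry an ID, so a reader cannot tell whether those reports had no ID or the ID was omitted. "Ivanti (Pulse Secure) February released Vulnerabilities" would read better as "Ivanti (Pulse Secure) vulnerabilities released in February 2024".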
security Tvm Block Vuln Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps.md
Title: Block vulnerable applications
-description: Use Microsoft Defender Vulnerability Management to block vulnerable applications
+ Title: Block vulnerable applications.
+description: Use Microsoft Defender Vulnerability Management to block vulnerable applications.
ms.pagetype: security ms.localizationpriority: medium-+ audience: ITPro - m365-security
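Review bot: the new `Title: Block vulnerable applications.` ends with a period; the title is rendered as the page and browser-tab title and none of the sibling articles end theirs with punctuation, so drop it (the trailing period on `description` is fine).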
The **block action** is intended to block all installed vulnerable versions of t
The **warn action** is intended to send a warning to your users when they open vulnerable versions of the application. Users can choose to bypass the warning and access the application for subsequent launches.
-For both actions, you can customize the message the users see. For example, you can encourage them to install the latest version. Additionally, you can provide a custom URL the users will navigate to when they select the notification. Note that the user must click the body of the toast notification in order to navigate to the custom URL. This can be used to provide additional details specific to the application management in your organization.
+For both actions, you can customize the message the users see. For example, you can encourage them to install the latest version. Additionally, you can provide a custom URL the users navigate to when they select the notification. Note that the user must select the body of the toast notification in order to navigate to the custom URL. This can be used to provide additional details specific to the application management in your organization.
> [!NOTE] > The block and warn actions are typically enforced within a couple of minutes but can take up to 3 hours.
For both actions, you can customize the message the users see. For example, you
4. Select whether you want to apply the remediation and mitigation to all device groups or only a few. 5. Select the remediation options on the **Remediation request** page. The remediation options are software update, software uninstall, and attention required. 6. Pick a **Remediation due date** and select **Next**.
-7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it is immediately applied.
+7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it's immediately applied.
:::image type="content" alt-text="Mitigation action" source="../../media/defender-vulnerability-management/mitigation-action.png" lightbox="../../media/defender-vulnerability-management/mitigation-action.png":::
-8. Review the selections you made and **Submit request**. On the final page you can choose to go directly to the remediation page to view the progress of remediation activities and see the list of blocked applications.
-
-> [!NOTE]
->If you're using the premium Defender Vulnerability Management capabilities as part of a Microsoft Defender for Servers Plan 2 license block vulnerable applications is not currently available. In this scenario, this feature is only available for client devices that are eligible for the Defender Vulnerability Management add-on.
+8. Review the selections you made and **Submit request**. On the final page, you can choose to go directly to the remediation page to view the progress of remediation activities and see the list of blocked applications.
> [!IMPORTANT] > Based on the available data, the block action will take effect on endpoints in the organization that have Microsoft Defender Antivirus. Microsoft Defender for Endpoint will make a best attempt effort of blocking the applicable vulnerable application or version from running. If additional vulnerabilities are found on a different version of an application, you get a new security recommendation, asking you to update the application, and you can choose to also block this different version.
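Review bot: this hunk silently drops the NOTE stating that the block action is not available when the premium Defender Vulnerability Management capabilities come through a Microsoft Defender for Servers Plan 2 license. If that limitation has been lifted, say so, and update the "When blocking isn't supported" list below so server admins know what to expect; if it has not, the note should stay, because without it an admin submits a block for a server that never takes effect and has no documented reason why. While touching the IMPORTANT line, "best attempt effort of blocking" should read "best-effort attempt to block".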
-## When blocking is not supported
+## When blocking isn't supported
If you don't see the mitigation option while requesting a remediation, it's because the ability to block the application is currently not supported. Recommendations that don't include mitigation actions include:
If you don't see the mitigation option while requesting a remediation, it's beca
- Recommendations related to operating systems - Recommendations related to apps for macOS and Linux - Apps where Microsoft doesn't have sufficient information or a high confidence to block-- Microsoft Store apps, which cannot be blocked because they are signed by Microsoft
+- Microsoft Store apps, which can't be blocked because they're signed by Microsoft
-If you try to block an application and it doesn't work, you may have reached the maximum indicator capacity. If so, you can delete old indicators [Learn more about indicators](../defender-endpoint/manage-indicators.md).
+If you try to block an application and it doesn't work, you might have reached the maximum indicator capacity. If so, you can delete old indicators [Learn more about indicators](../defender-endpoint/manage-indicators.md).
## View remediation activities
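Review bot: the rewritten line "you can delete old indicators [Learn more about indicators](...)" runs the sentence into the link; add a period after "indicators" so the link stands as its own sentence ("If so, you can delete old indicators. [Learn more about indicators](...)."). The same line would be more useful if it named the indicator limit or linked directly to the section that states it, since the reader is being told they hit a capacity they cannot see.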
After you've unblocked an application, refresh the page to see it removed from t
## Users experience for blocked applications
-When users try to access a blocked application, they receive a message informing them that the application has been blocked by their organization. This message is customizable.
+When users try to access a blocked application, they receive a message informing them that the application was by their organization. This message is customizable.
-For applications where the warn mitigation option was applied, users receive a message informing them that the application has been blocked by their organization, but the user has the option to bypass the block for subsequent launches, by choosing "Allow". This allow is only temporary, and the application will be blocked again after a while.
+For applications where the warn mitigation option was applied, users receive a message informing them that the application has been blocked by their organization. The user has the option to bypass the block for subsequent launches, by choosing "Allow". This allow is only temporary, and the application will be blocked again after a while.
> [!NOTE] > If your organization has deployed the DisableLocalAdminMerge group policy, you may experience instances where allowing an application does not take effect. This behavior will be fixed in an upcoming release.
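Review bot: the rewritten sentence lost the verb: "informing them that the application was by their organization" should read "was blocked by their organization", as the removed line had it. In the next paragraph "the application will be blocked again after a while" is vague; if the bypass window is known, state it, otherwise say "after a fixed period" so the reader does not assume the allow is permanent.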
security Microsoft 365 Security Center Defender Cloud https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud.md
Title: Microsoft Defender for Cloud in Microsoft Defender XDR
-description: Learn about changes in Microsoft Defender XDR with the Microsoft Defender for Cloud integration.
-keywords: Getting started with Microsoft Defender XDR, Microsoft Defender for Cloud
+ Title: Microsoft Defender for Cloud in the Microsoft Defender portal
+description: Learn about changes in the Microsoft Defender portal with the Microsoft Defender for Cloud integration.
ms.localizationpriority: medium f1.keywords: - NOCSH Previously updated : 01/15/2024 Last updated : 02/14/2024 audience: ITPro search.appverid:
-# Microsoft Defender for Cloud in Microsoft Defender XDR
+# Microsoft Defender for Cloud in the Microsoft Defender portal
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
[Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) is now part of Microsoft Defender XDR. Security teams can now access Defender for Cloud alerts and incidents within the Microsoft Defender portal, providing richer context to investigations that span cloud resources, devices, and identities. In addition, security teams can get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment, through immediate correlations of alerts and incidents.
-Microsoft Defender XDR combines protection, detection, investigation, and response capabilities to protect attacks on device, email, collaboration, identity, and cloud apps. The portal's detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency.
+The Microsoft Defender portal combines protection, detection, investigation, and response capabilities to protect attacks on device, email, collaboration, identity, and cloud apps. The portal's detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency.
Moreover, the Defender for Cloud incidents and alerts are now part of [Microsoft Defender XDR's public API](api-overview.md). This integration allows exporting of security alerts data to any system using a single API. ## Prerequisite
-To ensure access to Defender for Cloud alerts in Microsoft Defender XDR, you must be subscribed to any of the plans listed in [Connect your Azure subscriptions](/azure/defender-for-cloud/connect-azure-subscription).
+To ensure access to Defender for Cloud alerts in the Microsoft Defender portal, you must be subscribed to any of the plans listed in [Connect your Azure subscriptions](/azure/defender-for-cloud/connect-azure-subscription).
### Required permissions
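Review bot: the rewritten sentence "combines protection, detection, investigation, and response capabilities to protect attacks on device, email, collaboration, identity, and cloud apps" says the opposite of what is meant; write "to protect against attacks on devices, email, collaboration, identities, and cloud apps". Also note that the first paragraph still says Defender for Cloud "is now part of Microsoft Defender XDR" while this hunk renames the surrounding references to "the Microsoft Defender portal"; keep "Microsoft Defender XDR" for the product and "the Microsoft Defender portal" for the UI, and apply that split consistently through the article.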
You must be a global administrator or a security administrator in Azure Active D
## Investigation experience in the Microsoft Defender portal
-The following section describes the detection and investigation experience in Microsoft Defender XDR with Defender for Cloud alerts.
+The following section describes the detection and investigation experience in the Microsoft Defender portal with Defender for Cloud alerts.
> [!NOTE]
-> Informational alerts from Defender for Cloud are not integrated to Microsoft Defender XDR to allow focus on the relevant and high severity alerts. This strategy streamlines management of incidents and reduces alert fatigue.
+> Informational alerts from Defender for Cloud are not integrated to the Microsoft Defender portal to allow focus on the relevant and high severity alerts. This strategy streamlines management of incidents and reduces alert fatigue.
> [!div class="mx-tdCol2BreakAl"] > |Area |Description | > |-|--|
-> |Incidents|All Defender for Cloud incidents will be integrated to Microsoft Defender XDR.</br></br> - Searching for cloud resource assets in the [incident queue](incident-queue.md) is supported.</br> - The [attack story](investigate-incidents.md#attack-story) graph will show the cloud resource.</br> - The [assets tab](investigate-incidents.md#assets) in an incident page will show the cloud resource.</br> - Each virtual machine has its own device page containing all related alerts and activity.</br></br> There will be no duplication of incidents from other Defender workloads.|
-> |Alerts|All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to Microsoft Defender XDR. Defender for Cloud alerts will show on the Microsoft Defender XDR [alert queue](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response).</br></br> The *cloud resource* asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.</br></br>Defender for Cloud alerts will automatically be associated with a tenant.</br></br>There will be no duplication of alerts from other Defender workloads.|
+> |Incidents|All Defender for Cloud incidents will be integrated to the Microsoft Defender portal.</br></br> - Searching for cloud resource assets in the [incident queue](incident-queue.md) is supported.</br> - The [attack story](investigate-incidents.md#attack-story) graph will show the cloud resource.</br> - The [assets tab](investigate-incidents.md#assets) in an incident page will show the cloud resource.</br> - Each virtual machine has its own device page containing all related alerts and activity.</br></br> There will be no duplication of incidents from other Defender workloads.|
+> |Alerts|All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to the Microsoft Defender portal. Defender for Cloud alerts will show on the the Microsoft Defender portal [alert queue](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response).</br></br> The *cloud resource* asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.</br></br>Defender for Cloud alerts will automatically be associated with a tenant.</br></br>There will be no duplication of alerts from other Defender workloads.|
> |Alert and incident correlation|Alerts and incidents are automatically correlated, providing robust context to security operations teams to understand the complete attack story in their cloud environment.| > |Threat detection|Accurate matching of virtual entities to device entities to ensure precision and effective threat detection.| > |Unified API|Defender for Cloud alerts and incidents are now included in [Microsoft Defender XDR's public API](api-overview.md), allowing customers to export their security alerts data into other systems using one API.|
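Review bot: the rewritten Alerts row has a doubled article, "will show on the the Microsoft Defender portal [alert queue]"; drop one "the". In the NOTE, "are not integrated to the Microsoft Defender portal" should read "into". Both rewritten rows still say incidents and alerts "will be integrated" while the opening paragraph says the integration is already live; use the present tense ("are integrated") so the table does not read as a roadmap.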
Microsoft Sentinel customers [integrating Microsoft Defender XDR incidents](/azu
The following change should also be noted: -- The action to relate alerts to Microsoft Defender XDR incidents is removed.
+- The action to relate alerts to the Microsoft Defender portal incidents is removed.
Learn more at [Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration](/azure/sentinel/ingest-defender-for-cloud-incidents).
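Review bot: "The action to relate alerts to the Microsoft Defender portal incidents is removed" reads as if the portal owns the incidents; the Sentinel article linked on the next line and the surrounding text use "Microsoft Defender XDR incidents", and the incident is an XDR object rather than a portal feature, so this rename should be reverted to "Microsoft Defender XDR incidents".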
security Microsoft 365 Security Center Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mde.md
Title: Microsoft Defender for Endpoint in Microsoft Defender XDR
-description: Learn about changes from the Microsoft Defender Security Center to Microsoft Defender XDR
-keywords: Getting started with Microsoft Defender XDR, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, MDO, MDE, security portal, defender security portal
+ Title: Microsoft Defender for Endpoint in the Microsoft Defender portal
+description: Get an overview of what to expect when moving from the Microsoft Defender Security Center to the Microsoft Defender portal
ms.localizationpriority: medium f1.keywords: - NOCSH Previously updated : 11/14/2022 Last updated : 02/27/2024 audience: ITPro search.appverid:
-# Microsoft Defender for Endpoint in Microsoft Defender XDR
+# Microsoft Defender for Endpoint in the Microsoft Defender portal
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
- [Microsoft Defender XDR](microsoft-365-defender.md) - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+This article describes the Defender for Endpoint experience in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Formerly, Defender for Endpoint customers used the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com) or [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com)).
+ ## Quick reference
-The image and the table below lists the changes in navigation between the Microsoft Defender Security Center and Microsoft Defender XDR.
+The image and the table below lists the changes in navigation between the Microsoft Defender Security Center and the Microsoft Defender portal.
> [!div class="mx-imgBorder"] > :::image type="content" source="../../medie-m3d-security-center.png":::
-| Microsoft Defender Security Center | Microsoft Defender XDR |
+| Microsoft Defender Security Center | the Microsoft Defender portal |
||| | Dashboards <ul><li>Security Operations</li><li>Threat Analytics</li></ul> |Home <ul><li>Threat analytics</li></ul> | | Incidents | Incidents & alerts |
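Review bot: the new table header cell "the Microsoft Defender portal" starts with a lowercase article next to "Microsoft Defender Security Center"; use "Microsoft Defender portal" in the header. In the rewritten sentence above it, "The image and the table below lists" should read "list" (plural subject). The added paragraph that introduces the legacy securitycenter.windows.com and securitycenter.microsoft.com URLs is a good addition; consider saying whether those hostnames still redirect, since readers with saved bookmarks will try them.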
The image and the table below lists the changes in navigation between the Micros
| Configuration management | Configuration management | | Settings | Settings |
-The improved [Microsoft Defender XDR](microsoft-365-defender-portal.md) at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a> combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats. This brings together functionality from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance center.
+The improved [Microsoft Defender portal](microsoft-365-defender-portal.md) at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a> combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats. This brings together functionality from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance center.
-If you're familiar with the Microsoft Defender Security Center, this article helps describe some of the changes and improvements in Microsoft Defender XDR. However there are some new and updated elements to be aware of.
+If you're familiar with the Microsoft Defender Security Center, this article helps describe some of the changes and improvements in the Microsoft Defender portal. However there are some new and updated elements to be aware of.
-Historically, the [Microsoft Defender Security Center](/windows/security/threat-protection/microsoft-defender-atp/portal-overview) has been the home for Microsoft Defender for Endpoint. Enterprise security teams have used it to monitor and help responding to alerts of potential advanced persistent threat activity or data breaches. To help reduce the number of portals, Microsoft Defender XDR will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
+Historically, the [Microsoft Defender Security Center](/windows/security/threat-protection/microsoft-defender-atp/portal-overview) has been the home for Microsoft Defender for Endpoint. Enterprise security teams have used it to monitor and help responding to alerts of potential advanced persistent threat activity or data breaches. To help reduce the number of portals, the Microsoft Defender portal will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
-Microsoft Defender for Endpoint in Microsoft Defender XDR supports [granting access to managed security service providers (MSSPs)](/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access) in the same way [access is granted in the Microsoft Defender Security Center](mssp-access.md).
+Microsoft Defender for Endpoint in the Microsoft Defender portal supports [granting access to managed security service providers (MSSPs)](/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access) in the same way [access is granted in the Microsoft Defender Security Center](mssp-access.md).
> [!IMPORTANT]
-> What you see in Microsoft Defender XDR depends on your current subscriptions. For example, if you don't have a license for Microsoft Defender for Office 365, then the Email & Collaboration section will not be shown.
+> What you see in the Microsoft Defender portal depends on your current subscriptions. For example, if you don't have a license for Microsoft Defender for Office 365, then the Email & Collaboration section will not be shown.
> [!Note] > Microsoft Defender XDR is not fully available for:
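Review bot: since these sentences are being rewritten anyway, fix the grammar that was carried over: "to monitor and help responding to alerts" should read "to monitor and help respond to alerts", and "However there are some new and updated elements" needs a comma after "However". The NOTE that follows keeps "Microsoft Defender XDR is not fully available for" while every neighbouring sentence is renamed to the portal; decide which name applies to availability (the product, presumably) and leave the NOTE consistent with that choice.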
Microsoft Defender for Endpoint in Microsoft Defender XDR supports [granting acc
>- All US government institutions with commercial licenses >- See availability for the above environments here: [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide&preserve-view=true)
-Take a look in Microsoft Defender XDR at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>.
+Take a look in the Microsoft Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>.
Learn more about the benefits: [Overview of Microsoft Defender XDR](microsoft-365-defender.md) ## What's changed
-This table is a quick reference of the changes between the Microsoft Defender Security Center and Microsoft Defender XDR.
+This table is a quick reference of the changes between the Microsoft Defender Security Center and the Microsoft Defender portal.
### Alerts and actions | Area | Description of change | |||
-| [Incidents & alerts](incidents-overview.md) | In Microsoft Defender XDR, you can manage incidents and alerts across all of your endpoints, email, and identities. We've converged the experience to help you find related events more easily. For more information, see [Incidents Overview](incidents-overview.md). |
-| [Hunting](advanced-hunting-overview.md) | Modifying custom detection rules created in Microsoft Defender for Endpoint to include identity and email tables automatically moves them to Microsoft Defender XDR. Their corresponding alerts will also appear in Microsoft Defender XDR. For more details about these changes, read [Migrate custom detection rules](advanced-hunting-migrate-from-mde.md#migrate-custom-detection-rules). <br><br>The `DeviceAlertEvents` table for advanced hunting isn't available in Microsoft Defender XDR. To query device-specific alert information in Microsoft Defender XDR, you can use the `AlertInfo` and `AlertEvidence` tables to accommodate even more information from a diverse set of sources. Craft your next device-related query by following [Write queries without DeviceAlertEvents](advanced-hunting-migrate-from-mde.md#write-queries-without-devicealertevents).|
-|[Action center](m365d-action-center.md) | Lists pending and completed actions that were taken following automated investigations and remediation actions. Formerly, the Action center in the Microsoft Defender Security Center listed pending and completed actions for remediation actions taken on devices only, while Automated investigations listed alerts and status. In the improved Microsoft Defender XDR, the Action center brings together remediation actions and investigations across email, devices, and usersΓÇöall in one location. |
+| [Incidents & alerts](incidents-overview.md) | In the Microsoft Defender portal, you can manage incidents and alerts across all of your endpoints, email, and identities. We've converged the experience to help you find related events more easily. For more information, see [Incidents Overview](incidents-overview.md). |
+| [Hunting](advanced-hunting-overview.md) | Modifying custom detection rules created in Microsoft Defender for Endpoint to include identity and email tables automatically moves them to the Microsoft Defender portal. Their corresponding alerts will also appear in the Microsoft Defender portal. For more details about these changes, read [Migrate custom detection rules](advanced-hunting-migrate-from-mde.md#migrate-custom-detection-rules). <br><br>The `DeviceAlertEvents` table for advanced hunting isn't available in the Microsoft Defender portal. To query device-specific alert information in the Microsoft Defender portal, you can use the `AlertInfo` and `AlertEvidence` tables to accommodate even more information from a diverse set of sources. Craft your next device-related query by following [Write queries without DeviceAlertEvents](advanced-hunting-migrate-from-mde.md#write-queries-without-devicealertevents).|
+|[Action center](m365d-action-center.md) | Lists pending and completed actions that were taken following automated investigations and remediation actions. Formerly, the Action center in the Microsoft Defender Security Center listed pending and completed actions for remediation actions taken on devices only, while Automated investigations listed alerts and status. In the improved the Microsoft Defender portal, the Action center brings together remediation actions and investigations across email, devices, and usersΓÇöall in one location. |
| [Threat analytics](threat-analytics.md) | Moved to the top of the navigation bar for easier discovery and use. Now includes threat information for both endpoints and email and collaboration. | ### Endpoints
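Review bot: the rewritten Action center row reads "In the improved the Microsoft Defender portal", a doubled article left by the search-and-replace; suggest "In the improved Microsoft Defender portal, the Action center brings together...". The same row still carries "usersΓÇöall", which looks like a mis-encoded em dash copied over from the removed line, so it is worth confirming the file is saved as UTF-8 and that the dash renders as intended.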
This table is a quick reference of the changes between the Microsoft Defender Se
||| | Reports | See reports for endpoints and email & collaboration, including Threat protection, Device health and compliance, and Vulnerable devices. | | Health | Currently links out to the "Service health" page in the [Microsoft 365 admin center](https://admin.microsoft.com/). |
-| Settings | Manage your settings for Microsoft Defender XDR, Endpoints, Email & collaboration, Identities, and Device discovery. |
+| Settings | Manage your settings for the Microsoft Defender portal, Endpoints, Email & collaboration, Identities, and Device discovery. |
## Microsoft 365 security navigation and capabilities
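Review bot: in the Settings row, the removed line enumerates the settings areas by their labels (Microsoft Defender XDR, Endpoints, Email & collaboration, Identities, Device discovery); replacing the first label with "the Microsoft Defender portal" turns a label in that list into a description of the portal itself, so the list no longer reads as the set of areas a reader picks from under Settings. Suggest keeping "Microsoft Defender XDR" for that entry, or rewording to "Manage general settings for the portal and settings for Endpoints, Email & collaboration, Identities, and Device discovery" so it is clearly not a label.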
Proactively search for threats, malware, and malicious activity across your endp
### Action center
-Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft Defender XDR can help security teams by automatically responding to specific events.
+Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in the Microsoft Defender portal can help security teams by automatically responding to specific events.
[Learn more about the Action center](m365d-action-center.md).
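Review bot: "This automated, self-healing in the Microsoft Defender portal can help security teams..." is missing the noun the adjectives describe; the gap is carried over from the removed line, but since the line is being rewritten anyway, suggest "This automated, self-healing capability in the Microsoft Defender portal can help security teams by automatically responding to specific events."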
Get threat intelligence from expert Microsoft security researchers. Threat Analy
- Incidents view related to the threats. - Enhanced experience for quickly identifying and using actionable information in the reports.
-You can access threat analytics either from the upper left navigation bar in Microsoft Defender XDR, or from a dedicated dashboard card that shows the top threats for your organization.
+You can access threat analytics either from the upper left navigation bar in the Microsoft Defender portal, or from a dedicated dashboard card that shows the top threats for your organization.
Learn more about how to [track and respond to emerging threats with threat analytics](./threat-analytics.md).
View reports, change your settings, and modify user roles.
### SIEM API connections
-If you use the [Defender for Endpoint SIEM API](../defender-endpoint/enable-siem-integration.md), you can continue to do so. We've added new links on the API payload that point to the alert page or the incident page in the Microsoft 365 security portal. New API fields include LinkToMTP and IncidentLinkToMTP. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to Microsoft Defender XDR](./microsoft-365-security-mde-redirection.md).
+If you use the [Defender for Endpoint SIEM API](../defender-endpoint/enable-siem-integration.md), you can continue to do so. We've added new links on the API payload that point to the alert page or the incident page in the Microsoft 365 security portal. New API fields include LinkToMTP and IncidentLinkToMTP. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to The Microsoft Defender portal](./microsoft-365-security-mde-redirection.md).
### Email alerts
-You can continue to use email alerts for Defender for Endpoint. We've added new links in the emails that point to the alert page or the incident page in Microsoft Defender XDR. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to Microsoft Defender XDR](./microsoft-365-security-mde-redirection.md).
+You can continue to use email alerts for Defender for Endpoint. We've added new links in the emails that point to the alert page or the incident page in The Microsoft Defender portal. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to The Microsoft Defender portal](./microsoft-365-security-mde-redirection.md).
### Managed Security Service Providers (MSSP)
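Review bot: the SIEM API and email alert paragraphs capitalize "The" mid-sentence and inside link text ("to The Microsoft Defender portal", "in The Microsoft Defender portal"), while the threat analytics paragraph in the same article was updated to "the Microsoft Defender portal"; suggest lowercase throughout. In the SIEM API paragraph, "the Microsoft 365 security portal" is left under the old name in the very sentence that was touched, and the field names LinkToMTP and IncidentLinkToMTP would read better in code font, i.e. `LinkToMTP` and `IncidentLinkToMTP`.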
Logging in to multiple tenants simultaneously in the same browsing session is cu
## Related information - [Microsoft Defender XDR](microsoft-365-defender.md)-- [Microsoft Defender for Endpoint in Microsoft Defender XDR](microsoft-365-security-center-mde.md)-- [Redirecting accounts from Microsoft Defender for Endpoint to Microsoft Defender XDR](microsoft-365-security-mde-redirection.md)
+- [Microsoft Defender for Endpoint in The Microsoft Defender portal](microsoft-365-security-center-mde.md)
+- [Redirecting accounts from Microsoft Defender for Endpoint to The Microsoft Defender portal](microsoft-365-security-mde-redirection.md)
+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
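Review bot: the two new Related information entries use "The Microsoft Defender portal" with a capital T inside link text; the targets are unchanged, so only the visible text is affected, and lowercase "the" would match the rest of the list. The include added at the end points to ../../includes/defender-m3d-techcommunity.md, whereas the banner include near the top of the Defender for Identity article in this same changeset uses ../includes/microsoft-defender.md; if both are intended (top banner plus bottom tech community note) that is fine, but worth checking that the ../../ path resolves from this file's directory.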
security Microsoft 365 Security Center Mdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdi.md
Title: Microsoft Defender for Identity in Microsoft Defender XDR
-description: Learn about changes from the Microsoft Defender for Identity to Microsoft Defender XDR
-keywords: Getting started with Microsoft Defender XDR, Microsoft Defender for Identity, MDI
+ Title: Microsoft Defender for Identity in the Microsoft Defender portal
+description: Learn about changes from Microsoft Defender for Identity to The Microsoft Defender portal.
ms.mktglfcycl: deploy ms.localizationpriority: medium
f1.keywords:
Previously updated : 12/28/2023 Last updated : 02/14/2024 audience: ITPro search.appverid:
-# Microsoft Defender for Identity in Microsoft Defender XDR
+# Microsoft Defender for Identity in the Microsoft Defender portal
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
- [Microsoft Defender XDR](microsoft-365-defender.md) - [Microsoft Defender for Identity](/defender-for-identity/)
-Microsoft Defender for Identity is now part of Microsoft Defender XDR, the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. The Microsoft Defender portal allows security admins to perform their security tasks in one location, which simplifies workflows and integrating functionality from other Microsoft Defender XDR services.
+Microsoft Defender for Identity is now part of The Microsoft Defender portal, the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. The Microsoft Defender portal allows security admins to perform their security tasks in one location, which simplifies workflows and integrating functionality from other Microsoft Defender XDR services.
-Microsoft Defender for Identity contributes identity focused information into the incidents and alerts that Microsoft Defender XDR presents. This information is key to providing context and correlating alerts from the other products within Microsoft Defender XDR.
+Microsoft Defender for Identity contributes identity focused information into the incidents and alerts that The Microsoft Defender portal presents. This information is key to providing context and correlating alerts from the other products within Microsoft Defender XDR.
<a name='converged-experiences-in-microsoft-365-defender'></a>
-## Converged experiences in Microsoft Defender XDR
+## Converged experiences in The Microsoft Defender portal
-[Microsoft Defender XDR](https://security.microsoft.com) combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats, and now includes all functionality provided in the [legacy, classic Defender for Identity portal](/previous-versions/defender-for-identity).
+The [Microsoft Defender portal](https://security.microsoft.com) combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats, and now includes all functionality provided in the [legacy, classic Defender for Identity portal](/previous-versions/defender-for-identity).
-While data placement might differ from the classic Defender for Identity portal, your data is now integrated into Microsoft Defender XDR pages so that you can view your data across all of your monitored entities.
+While data placement might differ from the classic Defender for Identity portal, your data is now integrated into The Microsoft Defender portal pages so that you can view your data across all of your monitored entities.
-The following sections describe enhanced Defender for Identity features found in Microsoft Defender XDR.
+The following sections describe enhanced Defender for Identity features found in The Microsoft Defender portal.
> [!NOTE]
-> Customers using the classic Defender for Identity portal are now [automatically redirected to Microsoft Defender XDR](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/leveraging-the-convergence-of-microsoft-defender-for-identity-in/ba-p/3856321), with no option to revert back to the classic portal.
+> Customers using the classic Defender for Identity portal are now [automatically redirected to The Microsoft Defender portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/leveraging-the-convergence-of-microsoft-defender-for-identity-in/ba-p/3856321), with no option to revert back to the classic portal.
### Configuration and posture
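Review bot: the keywords front-matter line is removed with nothing replacing it while title and description are updated; if keywords is no longer a supported metadata field that is fine, otherwise the change silently drops search terms for this page. The heading "## Converged experiences in The Microsoft Defender portal" also changes the auto-generated anchor: the explicit <a name='converged-experiences-in-microsoft-365-defender'> on the preceding line preserves the oldest anchor, but any link to the XDR-era anchor will now break unless a second explicit anchor is added. Finally, "part of The Microsoft Defender portal", "integrated into The Microsoft Defender portal pages", "found in The Microsoft Defender portal" and "redirected to The Microsoft Defender portal" all use a capital "The" mid-sentence; suggest lowercase, and "integrated into pages in the Microsoft Defender portal" for the second.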
The following sections describe enhanced Defender for Identity features found in
|Area |Description | ||| |**Global exclusions** | Global exclusions allow you to define certain entities, such as IP addresses, devices, or domains, to be excluded across all Defender for Identity detections. For example, if you only exclude a device, the exclusion applies only to detections that have a *device* identification as part of the detection. <br><br> For more information, see [Global excluded entities](/defender-for-identity/exclusions). |
-|**Manage action and directory service accounts** | You might want to respond to compromised users by disabling their accounts or resetting their password. When you take either of these actions, Microsoft Defender XDR is configured by default to use the *local system* account. Therefore, you'll only need to configure action and directory service account settings if you want to have more control, and define a different user account to perform user remediation actions.<br><br> For more information, see [Microsoft Defender for Identity action accounts](/defender-for-identity/manage-action-accounts). |
-|**Custom permission roles** | Microsoft Defender XDR supports custom permission roles. <br><br>For more information, see [Microsoft Defender XDR role-based access control (RBAC)](manage-rbac.md) |
+|**Manage action and directory service accounts** | You might want to respond to compromised users by disabling their accounts or resetting their password. When you take either of these actions, The Microsoft Defender portal is configured by default to use the *local system* account. Therefore, you'll only need to configure action and directory service account settings if you want to have more control, and define a different user account to perform user remediation actions.<br><br> For more information, see [Microsoft Defender for Identity action accounts](/defender-for-identity/manage-action-accounts). |
+|**Custom permission roles** | The Microsoft Defender portal supports custom permission roles. <br><br>For more information, see [Microsoft Defender XDR role-based access control (RBAC)](manage-rbac.md) |
|**Microsoft Secure Score** | Defender for Identity security posture assessments is available in [Microsoft Secure Score](https://security.microsoft.com/securescore). Each assessment is a downloadable report with instructions for use and tools to build an action plan for remediating or resolving the issue. Filter Microsoft Secure Score by **Identity** to view Defender for Identity assessments. <br><br> For more information, see [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment). |
-|**API** | Use any of the following Microsoft Defender XDR APIs with Defender for Identity: <br><br>- [Query activities via API](api-advanced-hunting.md) <br>- [Manage security alerts via API](api-incident.md) <br>- [Stream security alerts and activities to Microsoft Sentinel](streaming-api.md)<br><br>**Tip**: Microsoft Defender XDR only stores advanced hunting data for 30 days. If you need longer retention periods, stream the activities to Microsoft Sentinel or another partner security information and event management (SIEM) system. |
+|**API** | Use any of the following Microsoft Defender XDR APIs with Defender for Identity: <br><br>- [Query activities via API](api-advanced-hunting.md) <br>- [Manage security alerts via API](api-incident.md) <br>- [Stream security alerts and activities to Microsoft Sentinel](streaming-api.md)<br><br>**Tip**: The Microsoft Defender portal only stores advanced hunting data for 30 days. If you need longer retention periods, stream the activities to Microsoft Sentinel or another partner security information and event management (SIEM) system. |
| **Onboarding** | Defender for Identity onboarding is now automatic for new customers, with no need to configure a workspace. <br><br>If you need to delete your instance, open a Microsoft support case. | ### Investigation
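Review bot: in the API row, "The Microsoft Defender portal only stores advanced hunting data for 30 days" moves the subject of a retention statement from the service to its web UI, while the same row still says "Microsoft Defender XDR APIs"; retention is a property of the Microsoft Defender XDR advanced hunting data, not of the portal, so suggest keeping "Microsoft Defender XDR" in that tip. The action accounts row has the same shift ("The Microsoft Defender portal is configured by default to use the *local system* account") plus a capital "The" mid-sentence; "Microsoft Defender XDR is configured by default" or "the default action account is the *local system* account" would keep the meaning of the removed line.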
The following sections describe enhanced Defender for Identity features found in
|Area |Description | |||
-| **Identities** area| In Microsoft Defender XDR, expand the **Identities** area to view a **Dashboard** of graphs and widgets with commonly used data, a **Health issues** page, listing all health issues for your Defender for Identity deployment, and a **Tools** page, with links to commonly used tools and documentation. <br><br>For more information, see [View the ITDR dashboard](/defender-for-identity/dashboard) and [Defender for Identity health issues](/defender-for-identity/health-alerts). |
-|**Identity page** | The Microsoft Defender XDR identity details page provides inclusive data about each identity, such as: <br><br>- Any associated alerts <br>- Active Directory account control<br>- Risky lateral movement paths<br>- A timeline of activities and alerts<br>- Details about observed locations, devices and groups. <br><br>For more information, see [Investigate users in Microsoft Defender XDR](investigate-users.md). |
-|**Device page** | Microsoft Defender XDR alert evidence lists all devices and users connected to each suspicious activity. Investigate further by selecting a specific device in an alert to access a device details page. <br><br>For more information, see [Investigate devices in the Microsoft Defender for Endpoint Devices list](../defender-endpoint/investigate-machines.md). |
-|**Advanced hunting** | Microsoft Defender XDR helps you proactively search for threats and malicious activity by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats. <br><br>Build custom detection rules from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices. <br><br>For more information, see [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](advanced-hunting-overview.md). |
-|**Global search** | Use the search bar at the top of the Microsoft Defender XDR page to search for any entity being monitored by Microsoft Defender XDR, including identities, endpoints, Office 365 data, Active Directory groups (Preview), and more. <br><br>Select results directly from the search drop-down, or select **All users** or **All devices** to see all entities associated with a given search term. |
-| **Lateral movement paths** | Microsoft Defender XDR provides lateral movement path data on the **Advanced hunting** page and the **Lateral movement paths** security assessment, in addition to the **Lateral movement paths** tab on the user details page. <br><br> For more information, see [Understand and investigate lateral movement paths (LMPs) with Microsoft Defender for Identity](/defender-for-identity/understand-lateral-movement-paths). |
+| **Identities** area| In The Microsoft Defender portal, expand the **Identities** area to view a **Dashboard** of graphs and widgets with commonly used data, a **Health issues** page, listing all health issues for your Defender for Identity deployment, and a **Tools** page, with links to commonly used tools and documentation. <br><br>For more information, see [View the ITDR dashboard](/defender-for-identity/dashboard) and [Defender for Identity health issues](/defender-for-identity/health-alerts). |
+|**Identity page** | The Microsoft Defender portal identity details page provides inclusive data about each identity, such as: <br><br>- Any associated alerts <br>- Active Directory account control<br>- Risky lateral movement paths<br>- A timeline of activities and alerts<br>- Details about observed locations, devices, and groups. <br><br>For more information, see [Investigate users in The Microsoft Defender portal](investigate-users.md). |
+|**Device page** | The Microsoft Defender portal alert evidence lists all devices and users connected to each suspicious activity. Investigate further by selecting a specific device in an alert to access a device details page. <br><br>For more information, see [Investigate devices in the Microsoft Defender for Endpoint Devices list](../defender-endpoint/investigate-machines.md). |
+|**Advanced hunting** | The Microsoft Defender portal helps you proactively search for threats and malicious activity by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats. <br><br>Build custom detection rules from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices. <br><br>For more information, see [Proactively hunt for threats with advanced hunting in the Microsoft Defender portal](advanced-hunting-overview.md). |
+|**Global search** | Use the search bar at the top of the Microsoft Defender portal page to search for any entity being monitored by Microsoft Defender XDR, including identities, endpoints, Office 365 data, Active Directory groups (Preview), and more. <br><br>Select results directly from the search drop-down, or select **All users** or **All devices** to see all entities associated with a given search term. |
+| **Lateral movement paths** | The Microsoft Defender portal provides lateral movement path data on the **Advanced hunting** page and the **Lateral movement paths** security assessment, in addition to the **Lateral movement paths** tab on the user details page. <br><br> For more information, see [Understand and investigate lateral movement paths (LMPs) with Microsoft Defender for Identity](/defender-for-identity/understand-lateral-movement-paths). |
### Detection and response |Area |Description | |||
-| **Alert and incident correlation** |Defender for Identity alerts is now included in Microsoft Defender XDR's alert queue, making them available to the automated incident correlation feature. <br><br>View all of your alerts in one place, and determine the scope of the breach even quicker than before. <br><br>For more information, see [Investigate Defender for Identity alerts in Microsoft Defender XDR](/defender-for-identity/manage-security-alerts). |
-| **Alert exclusions** |Microsoft Defender XDR's alert interface is more user friendly, and includes a search function and global exclusions, meaning you can exclude any entity from all alerts generated by Defender for Identity. <br><br>For more information, see [Configure Defender for Identity detection exclusions in Microsoft Defender XDR](/defender-for-identity/exclusions).|
+| **Alert and incident correlation** |Defender for Identity alerts is now included in the Microsoft Defender portal's alert queue, making them available to the automated incident correlation feature. <br><br>View all of your alerts in one place, and determine the scope of the breach even quicker than before. <br><br>For more information, see [Investigate Defender for Identity alerts in the Microsoft Defender portal](/defender-for-identity/manage-security-alerts). |
+| **Alert exclusions** |The Microsoft Defender portal's alert interface is more user friendly, and includes a search function and global exclusions, meaning you can exclude any entity from all alerts generated by Defender for Identity. <br><br>For more information, see [Configure Defender for Identity detection exclusions in Microsoft Defender XDR](/defender-for-identity/exclusions).|
| **Alert tuning** |Alert tuning, previously known as *alert suppression*, allows you to adjust and optimize your alerts. Alert tuning reduces false positives, allowing your SOC teams to focus on high-priority alerts, and improves threat detection coverage across your system.<br><br> In Microsoft Defender XDR, create rule conditions based on evidence types, and then apply your rule on any rule type that matches your conditions. For more information, see [Tune an alert](investigate-alerts.md#tune-an-alert).|
-| **Remediation actions** |Defender for Identity remediation actions, such as disabling accounts or requiring password resets, are available from the Microsoft Defender XDR user details page. <br><br>For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).
+| **Remediation actions** |Defender for Identity remediation actions, such as disabling accounts or requiring password resets, are available from the Microsoft Defender portal user details page. <br><br>For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).
## Quick reference
-The table below lists the changes in navigation between Microsoft Defender for Identity and Microsoft Defender XDR.
+The following table lists the changes in navigation between Microsoft Defender for Identity and the Microsoft Defender portal.
-| **Defender for** Identity | **Microsoft Defender XDR** |
+| **Defender for** Identity | **The Microsoft Defender portal** |
| -- | |
-| **Timeline** |- Microsoft Defender XDR Alerts/Incidents queue |
-| **Reports** |The following types of reports are available from the **Reports** > **Identities** > **Report management** page in Microsoft Defender XDR, either for immediate download or scheduled for a periodic email delivery: <br><br>- A summary report of alerts and health issues you should take care of. <br>- A list of each time a modification is made to sensitive groups. <br>- A list of source computer and account passwords that are detected as being sent in clear text.<br>- A list of the sensitive accounts exposed in lateral movement paths. <br><br>For more information, see [Report management](/defender-for-identity/reports). |
-| **Identity page** | Microsoft Defender XDR user details page |
-| **Device page** | Microsoft Defender XDR device details page |
-| **Group page** | Microsoft Defender XDR groups side pane |
-| **Alert page** | Microsoft Defender XDR alert details page <br><br>**Tip**: Use [alert tuning](investigate-alerts.md#tune-an-alert) to optimize the alerts you see in Microsoft Defender XDR. |
-| **Search** | Microsoft Defender XDR global search |
-| **Health issues** | Microsoft Defender XDR **Identities > Health issues** |
+| **Timeline** |- Microsoft Defender portal Alerts/Incidents queue |
+| **Reports** |The following types of reports are available from the **Reports** > **Identities** > **Report management** page in the Microsoft Defender portal, either for immediate download or scheduled for a periodic email delivery: <br><br>- A summary report of alerts and health issues you should take care of. <br>- A list of each time a modification is made to sensitive groups. <br>- A list of source computer and account passwords that are detected as being sent in clear text.<br>- A list of the sensitive accounts exposed in lateral movement paths. <br><br>For more information, see [Report management](/defender-for-identity/reports). |
+| **Identity page** | Microsoft Defender portal user details page |
+| **Device page** | Microsoft Defender portal device details page |
+| **Group page** | Microsoft Defender portal groups side pane |
+| **Alert page** | Microsoft Defender portal alert details page <br><br>**Tip**: Use [alert tuning](investigate-alerts.md#tune-an-alert) to optimize the alerts you see in the Microsoft Defender portal. |
+| **Search** | Microsoft Defender portal global search |
+| **Health issues** | Microsoft Defender portal **Identities > Health issues** |
| **Entity activities** | - **Advanced hunting** <br>- Device page > **Timeline** <br>- Identity page > **Timeline** tab <br>- **Group** pane > **Timeline** tab | | **Settings** | **Settings** -> **Identities** | | **Users and accounts** | **Assets** -> **Identities** |
For more information, see:
- [Related videos for Microsoft Defender for Identity](https://www.microsoft.com/videoplayer/embed/RE4HcEU) - [Microsoft Defender XDR](microsoft-365-defender.md) - [Microsoft Defender for Identity](/defender-for-identity/)+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
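Review bot: several carried-over defects in the rewritten rows are worth fixing while the lines are being touched: "Defender for Identity alerts is now included" should be "are now included"; the quick reference header "**Defender for** Identity" splits the bold across the product name, and the second header "**The Microsoft Defender portal**" carries an article the other column lacks, so "**Defender for Identity** | **Microsoft Defender portal**" reads cleaner; the Timeline row value "- Microsoft Defender portal Alerts/Incidents queue" is a one-item bulleted list, so the leading "- " can go. The Alert exclusions row updates the prose to the portal but keeps "in Microsoft Defender XDR" in its link text, whereas the Alert and incident correlation row above updates both; pick one convention. "In The Microsoft Defender portal, expand the **Identities** area", "Investigate users in The Microsoft Defender portal" and "the search bar at the top of the Microsoft Defender portal page" also need lowercase "the" and, for the last one, no trailing "page".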
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
Title: Microsoft Defender for Office 365 in Microsoft Defender XDR
-description: Learn about changes from the Security & Compliance Center to Microsoft Defender XDR.
-keywords: Microsoft 365 security, Getting started with Microsoft Defender XDR, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, MDO, MDE, new defender security portal
Previously updated : 11/22/2022
+ Title: Microsoft Defender for Office 365 in the Microsoft Defender portal
+description: Learn about changes from the Security & Compliance Center to The Microsoft Defender portal.
Last updated : 02/27/2024
-# Microsoft Defender for Office 365 in Microsoft Defender XDR
+# Microsoft Defender for Office 365 in the Microsoft Defender portal
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
- [Microsoft Defender XDR](microsoft-365-defender.md) - [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
-## Quick reference
+This article describes the Defender for Office 365 experience in the Microsoft Defender portal. Formerly, Defender for Office 365 customers used the Office 365 Security & Compliance center ([https://protection.office.com](https://protection.office.com)).
-The table below lists the changes in navigation between the Security & Compliance Center and Microsoft Defender XDR.
+## Quick reference
-****
+The table below lists the changes in navigation between the Security & Compliance Center and The Microsoft Defender portal.
-|[Security & Compliance Center](https://protection.office.com)|[Microsoft Defender XDR](https://security.microsoft.com)|[Microsoft Purview compliance portal](https://compliance.microsoft.com/homepage)|[Exchange admin center](https://admin.exchange.microsoft.com)|
+|[Security & Compliance Center](https://protection.office.com)|[The Microsoft Defender portal](https://security.microsoft.com)|[Microsoft Purview compliance portal](https://compliance.microsoft.com/homepage)|[Exchange admin center](https://admin.exchange.microsoft.com)|
||||| |Alerts|<ul><li>[Alert Policies](https://security.microsoft.com/alertpolicies)</li><li>[Incidents & alerts](https://security.microsoft.com/alerts)</li></ul>|[Alerts page](https://compliance.microsoft.com/homepage)|| |Classification||See [Microsoft Purview compliance portal](https://compliance.microsoft.com/homepage)||
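Review bot: the new intro paragraph inserted above "## Quick reference" states what the article covers and where customers came from, but the existing paragraphs further down ("If you're familiar with the Security & Compliance Center (protection.office.com), this article describes some of the changes...") still introduce the article a second time; consider merging the two or trimming the later one. Capitalization: "to The Microsoft Defender portal." in the description, "and The Microsoft Defender portal." in the table lead-in, and the column header "[The Microsoft Defender portal](https://security.microsoft.com)" sitting beside headers that are bare product names ("Microsoft Purview compliance portal", "Exchange admin center"); suggest "[Microsoft Defender portal](https://security.microsoft.com)" to match. As in the Defender for Identity article, the keywords line is removed with nothing replacing it.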
The table below lists the changes in navigation between the Security & Complianc
|Supervision||See [Microsoft Purview compliance portal](https://compliance.microsoft.com/homepage)|| |eDiscovery||See [Microsoft Purview compliance portal](https://compliance.microsoft.com/homepage)||
-[Microsoft Defender XDR](./microsoft-365-defender.md) at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank"><https://security.microsoft.com></a> combines security capabilities from existing Microsoft security portals, including the Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
+[The Microsoft Defender portal](./microsoft-365-defender.md) at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank"><https://security.microsoft.com></a> combines security capabilities from existing Microsoft security portals, including the Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
-If you're familiar with the Security & Compliance Center (protection.office.com), this article describes some of the changes and improvements in Microsoft Defender XDR.
+If you're familiar with the Security & Compliance Center (protection.office.com), this article describes some of the changes and improvements in The Microsoft Defender portal.
Learn more about the benefits: [Overview of Microsoft Defender XDR](microsoft-365-defender.md)
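Review bot: "[The Microsoft Defender portal](./microsoft-365-defender.md) at <https://security.microsoft.com> combines security capabilities ... This improved center helps security teams" now uses "portal" and "center" for the same thing in consecutive sentences; suggest "This improved portal helps security teams". "changes and improvements in The Microsoft Defender portal" needs lowercase "the"; the unchanged "Overview of Microsoft Defender XDR" link text is fine because it names the product rather than the portal.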
The left navigation, or quick launch bar, will look familiar. However, there are
With the unified Microsoft Defender XDR solution, you can stitch together the threat signals and determine the full scope and impact of the threat, and how it's currently impacting the organization.
-![The Microsoft Defender XDR converged experience.](../../media/mdo-m36d-nav-collapsed.png)
+![The The Microsoft Defender portal converged experience.](../../media/mdo-m36d-nav-collapsed.png)
Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
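Review bot: the image alt text now reads "The The Microsoft Defender portal converged experience.", a doubled "The" produced by replacing "Microsoft Defender XDR" inside a sentence that already began with "The"; suggest "The Microsoft Defender portal converged experience."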
Here's an [example on advanced hunting](advanced-hunting-example.md) in Microsof
### Action center
-Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft Defender XDR can help security teams by automatically responding to specific events.
+Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in The Microsoft Defender portal can help security teams by automatically responding to specific events.
Learn more about [Action center](m365d-action-center.md).
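Review bot: the same sentence defect as in the Defender for Endpoint article's Action center section: "This automated, self-healing in The Microsoft Defender portal can help security teams..." lacks the noun being described and capitalizes "The" mid-sentence; suggest "This automated, self-healing capability in the Microsoft Defender portal can help security teams by automatically responding to specific events."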
Get threat intelligence from expert Microsoft security researchers. Threat Analy
- Incidents view related to the threats. - Enhanced experience for quickly identifying and using actionable information in the reports.
-You can access Threat analytics either from the upper left navigation bar in Microsoft Defender XDR, or from a dedicated dashboard card that shows the top threats for your organization.
+You can access Threat analytics either from the upper left navigation bar in The Microsoft Defender portal, or from a dedicated dashboard card that shows the top threats for your organization.
Learn more about how to [track and respond to emerging threats with threat analytics](./threat-analytics.md).
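Review bot: "from the upper left navigation bar in The Microsoft Defender portal" uses a capital "The" mid-sentence, whereas the identical sentence in the Defender for Endpoint article in this changeset was updated to "in the Microsoft Defender portal"; suggest matching the lowercase form so the two articles agree.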
The [Email entity page](../office-365-security/mdo-email-entity-page.md) *unifie
View reports, change your settings, and modify user roles.
-![The quick launch menu for Microsoft Defender XDR permissions and reporting, on the left navigation pane in the Microsoft Defender portal.](../../media/m365d-settings-nav.png)
+![The quick launch menu for The Microsoft Defender portal permissions and reporting, on the left navigation pane in the Microsoft Defender portal.](../../media/m365d-settings-nav.png)
> [!NOTE]
-> For Defender for Office 365 users, you can now *manage and rotate* DKIM keys in Microsoft Defender XDR at <https://security.microsoft.com/authentication?viewid=DKIM>.
+> For Defender for Office 365 users, you can now *manage and rotate* DKIM keys in The Microsoft Defender portal at <https://security.microsoft.com/authentication?viewid=DKIM>.
> > For more information, see [Use DKIM to validate outbound email sent from your custom domain](/microsoft-365/security/office-365-security/email-authentication-dkim-configure).
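Review bot: The rewritten alt text now names the portal twice with inconsistent casing: "The quick launch menu for The Microsoft Defender portal permissions and reporting, on the left navigation pane in the Microsoft Defender portal." Suggest "The quick launch menu for permissions and reporting on the left navigation pane in the Microsoft Defender portal." The NOTE line below it has the same mid-sentence "in The Microsoft Defender portal" and should be lowercased.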
This table is a quick reference of Threat management where change has occurred b
|Area|Description of change| ||| |[Investigation](../office-365-security/air-about.md#the-overall-flow-of-air) |Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.|
-|[Alert queue](../../compliance/alert-policies.md)|The **View alerts** flyout pane in the Security & Compliance Center now includes links to Microsoft Defender XDR. Click on the **Open Alert Page** link and Microsoft Defender XDR opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue.|
+|[Alert queue](../../compliance/alert-policies.md)|The **View alerts** flyout pane in the Security & Compliance Center now includes links to The Microsoft Defender portal. Click on the **Open Alert Page** link and The Microsoft Defender portal opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue.|
|[Attack Simulation training](../office-365-security/attack-simulation-training-insights.md)|Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage.| No changes to these areas:
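Review bot: The Alert queue row's `+` line has "links to The Microsoft Defender portal" and "and The Microsoft Defender portal opens"; both need lowercase "the". While the cell is being edited, "Click on the **Open Alert Page** link" should become "Select the **Open Alert Page** link" to match the Click-to-Select changes made elsewhere in this batch (steps 5 and 4 of the redirection procedures below).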
Also, check the **Related Information** section at the bottom of this article.
> The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> combines security features in <https://securitycenter.windows.com>, and <https://protection.office.com>. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics. > [!TIP]
-> All Exchange Online Protection (EOP) functions will be included in Microsoft Defender XDR, as EOP is a core element of Defender for Office 365.
+> All Exchange Online Protection (EOP) functions will be included in The Microsoft Defender portal, as EOP is a core element of Defender for Office 365.
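Review bot: Casing again in the TIP's `+` line: "included in The Microsoft Defender portal" should be "included in the Microsoft Defender portal".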
<a name='microsoft-365-defender-home-page'></a>
-## Microsoft Defender XDR Home page
+## The Microsoft Defender portal Home page
The Home page of the portal surfaces important summary information about the security status of your Microsoft 365 environment.
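Review bot: The new heading "## The Microsoft Defender portal Home page" reads awkwardly with the leading article; "## Microsoft Defender portal Home page" is the more natural heading form. Keeping the `<a name='microsoft-365-defender-home-page'>` anchor above it is correct, since existing deep links to the old heading keep working.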
Also included is a link to the Security & Compliance Center for comparison. The
## Related information -- [Redirecting Security & Compliance Center to Microsoft Defender XDR](microsoft-365-security-mdo-redirection.md)
+- [Redirecting Security & Compliance Center to The Microsoft Defender portal](microsoft-365-security-mdo-redirection.md)
- [The Action center](./m365d-action-center.md) - [Email & collaboration alerts](../../compliance/alert-policies.md#default-alert-policies) - [Custom detection rules](/microsoft-365/security/defender-endpoint/custom-detection-rules) - [Create a phishing attack simulation](../office-365-security/attack-simulation-training-simulations.md) and [create a payload for training your people](../office-365-security/attack-simulation-training-payloads.md)+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
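Review bot: The rewritten link text "Redirecting Security & Compliance Center to The Microsoft Defender portal" has the same mid-phrase capital "The"; use "to the Microsoft Defender portal" so the link text matches the target article's own wording.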
security Microsoft 365 Security Mde Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-mde-redirection.md
Title: Redirecting accounts from Microsoft Defender for Endpoint to Microsoft Defender XDR
+ Title: Redirecting from the Microsoft Defender Security Center to the Microsoft Defender portal
description: How to redirect accounts and sessions from the Defender for Endpoint to Microsoft Defender XDR.
-keywords: Microsoft Defender XDR, Getting started with Microsoft Defender XDR, security center redirection
-search.product: eADQiWindows 10XVcnh
ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
f1.keywords: - NOCSH
- tier3 Previously updated : 02/16/2021 Last updated : 02/14/2024
-# Redirecting accounts from Microsoft Defender for Endpoint to Microsoft Defender XDR
+# Redirecting from the Microsoft Defender Security Center to the Microsoft Defender portal
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
Last updated 02/16/2021
- Microsoft Defender XDR - Defender for Endpoint
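Review bot: The `description:` metadata line is not updated to match the new title: it still says "How to redirect accounts and sessions from the Defender for Endpoint to Microsoft Defender XDR" while the title now reads "Redirecting from the Microsoft Defender Security Center to the Microsoft Defender portal". Suggest "How to enable automatic redirection from the former Microsoft Defender Security Center to the Microsoft Defender portal." The body line "Last updated 02/16/2021" is also stale now that the metadata date moved to 02/14/2024.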
-In alignment with Microsoft's cross-domain approach to threat protection with SIEM and Extended detection and response (XDR), we've rebranded Microsoft Defender Advanced Threat Protection as Microsoft Defender for Endpoint and unified it into a single integrated portal: Microsoft Defender XDR.
+In alignment with Microsoft's cross-domain approach to threat protection with SIEM and Extended Detection and Response (XDR), we've rebranded Microsoft Defender Advanced Threat Protection as Microsoft Defender for Endpoint and unified it into a single integrated portal: the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
-This guide explains how to route accounts to Microsoft Defender XDR by enabling automatic redirection from the former Microsoft Defender for Endpoint portal (securitycenter.windows.com or securitycenter.microsoft.com), to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>.
+This guide explains how to enable automatic redirection from the former Microsoft Defender Security Center (securitycenter.windows.com or securitycenter.microsoft.com), to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.
> [!NOTE]
-> Microsoft Defender for Endpoint in Microsoft Defender XDR supports [granting access to managed security service providers (MSSPs)](/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access) in the same that way access is [granted in the Microsoft Defender Security Center](./mssp-access.md).
+> Microsoft Defender for Endpoint in the Microsoft Defender portal supports [granting access to managed security service providers (MSSPs)](/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access) in the same that way access is [granted in the former Microsoft Defender Security Center](./mssp-access.md).
## What to expect
-Once automatic redirection is enabled, accounts accessing the former Microsoft Defender for Endpoint portal at securitycenter.windows.com or securitycenter.microsoft.com, will be automatically routed to Microsoft Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank"><security.microsoft.com></a>.
+Once automatic redirection is enabled, accounts accessing the former Microsoft Defender Security Center at securitycenter.windows.com or securitycenter.microsoft.com are automatically routed to the Microsoft Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank"><security.microsoft.com></a>.
-Learn more about what's changed: [Microsoft Defender for Endpoint in Microsoft Defender XDR](microsoft-365-security-center-mde.md).
+Learn more about what's changed: [Microsoft Defender for Endpoint](microsoft-365-security-center-mde.md).
-This includes redirection for direct access to the former portal via browser, including links pointing towards the former securitycenter.windows.com portal - such as links in email notifications, and links returned by SIEM API calls.
+These changes include redirection for direct access to the former portal via browser, including links pointing towards the former securitycenter.windows.com portal, such as links in email notifications, and links returned by SIEM API calls.
- External links from email notifications or SIEM APIs currently contain links to both portals. Once redirection is enabled, both links will point to Microsoft Defender XDR until the old link is eventually removed. We encourage you to adopt the new link pointing to Microsoft Defender XDR.
+External links from email notifications or SIEM APIs currently contain links to both portals. Once redirection is enabled, both links point to the new Microsoft Defender portal until the old link is eventually removed. We encourage you to adopt the new link pointing to the Microsoft Defender portal.
+
+Refer to the following table for more on links and routing.
-Refer to the table below for more on links and routing.
## SIEM API routing | Property | Destination when redirection is OFF | Destination when redirection is ON |
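Review bot: The rewritten NOTE carries over the pre-existing word-order error "in the same that way access is granted"; since the line is being touched anyway, make it "in the same way that access is granted". In the What to expect paragraph, the link text "<security.microsoft.com>" keeps literal angle brackets inside the `<a>` element, which render as visible brackets in the link text; plain "security.microsoft.com" is the cleaner link text.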
Refer to the table below for more on links and routing.
## When does this take effect?
-Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied will not be ejected from their session and will only be routed to Microsoft Defender XDR after ending their current session and signing back in again.
+Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied won't be ejected from their session and will only be routed to Microsoft Defender XDR after ending their current session and signing back in again.
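Review bot: Inconsistent product name in the `+` line: the rest of this file is being moved to "the Microsoft Defender portal", but "will only be routed to Microsoft Defender XDR after ending their current session" is left unchanged. Change it to "routed to the Microsoft Defender portal" so the section agrees with What to expect above it.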
### Set up portal redirection
To start routing accounts to Microsoft Defender XDR:
1. Make sure you're a global administrator or have security administrator permissions in Microsoft Entra ID.
-2. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>.
+2. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.
3. Navigate to **Settings** \> **Endpoints** \> **General** \> **Portal redirection** or [click here](https://security.microsoft.com/preferences2/portal_redirection).
-4. Toggle the Automatic redirection setting to **On**.
+4. Toggle the **Automatic redirection** setting to **On**.
-5. Click **Enable** to apply automatic redirection to Microsoft Defender XDR.
+5. Select **Enable** to apply automatic redirection to the Microsoft Defender portal.
> [!IMPORTANT]
-> Enabling this setting will not terminate active user sessions. Accounts who are in an active session while this setting is applied will only be directed to Microsoft Defender XDR after ending their current session and signing in again.
-
-> [!NOTE]
-> You must be a global administrator or have security administrator permissions in Microsoft Entra ID to enable or disable this setting.
+> Enabling this setting doesn't terminate active user sessions. Accounts who are in an active session while this setting is applied are directed to the Microsoft Defender portal after ending their current session and signing in again.
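Review bot: The unchanged intro line of this procedure, "To start routing accounts to Microsoft Defender XDR:", now disagrees with steps 2 and 5 directly below it, which say "the Microsoft Defender portal"; update it in the same pass. Removing the NOTE about global administrator or security administrator permissions is fine because step 1 states the same requirement, so no information is lost.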
## Can I go back to using the former portal?
-If something isn't working for you or if there's anything you're unable to complete through Microsoft Defender XDR, we want to hear about it. If you've encountered any issues with redirection, we encourage you to let us know by using the Give feedback submission form.
+If something isn't working for you or if there's anything you're unable to complete through the Microsoft Defender portal, we want to hear about it. If you've encountered any issues with redirection, we encourage you to let us know by using the **Give feedback** submission form.
-To revert to the former Microsoft Defender for Endpoint portal:
+To revert to the former Microsoft Defender Security Center:
-1. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> as a global administrator or using and account with security administrator permissions in Microsoft Entra ID.
+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> as a global administrator or using and account with security administrator permissions in Microsoft Entra ID.
2. Navigate to **Settings** \> **Endpoints** \> **General** \> **Portal redirection** or [open the page here](https://security.microsoft.com/preferences2/portal_redirection).
-3. Toggle the Automatic redirection setting to **Off**.
+3. Toggle the **Automatic redirection** setting to **Off**.
-4. Click **Disable** & share feedback when prompted.
+4. Select **Disable** & share feedback when prompted.
This setting can be enabled again at any time.
-Once disabled, accounts will no longer be routed to security.microsoft.com, and you will once again have access to the former portal - securitycenter.windows.com or securitycenter.microsoft.com.
+Once disabled, accounts aren't routed to security.microsoft.com, and you'll have access to the former portal - securitycenter.windows.com or securitycenter.microsoft.com.
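Review bot: Typo carried into the `+` line of step 1: "or using and account with security administrator permissions" should be "or using an account with security administrator permissions". In step 4, "Select **Disable** & share feedback" uses an ampersand where the surrounding steps spell out "and".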
## Related information
Once disabled, accounts will no longer be routed to security.microsoft.com, and
- [Microsoft delivers unified SIEM and XDR to modernize security operations](https://www.microsoft.com/security/blog/?p=91813) - [About Microsoft Defender XDR](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) - [Microsoft security portals and admin centers](portals.md)+ [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/defender-m3d-techcommunity.md)]
security Microsoft Sentinel Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-sentinel-onboard.md
- m365solution-getstarted - highpri - tier1
+ - usx-security
search.appverid: - MOE150
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
You can also get product updates and important notifications through the [messag
## February 2024+
+- (GA) **Dark mode** is now available in the Microsoft Defender portal. In the Defender portal, on the top right-hand side of the homepage, select **Dark mode**. Select **Light mode** to change the color mode back to the default.
- (GA) **Assigning severity to incidents**, **assigning an incident to a group**, and the ***go hunt*** option from the attack story graph are now generally available. Guides to learn how to [assign or change incident severity](manage-incidents.md#assign-or-change-incident-severity) and [assign an incident to a group](manage-incidents.md#assign-an-incident) are in the [Manage incidents](manage-incidents.md) page. Learn how you can use the *go hunt* option by exploring [attack story](investigate-incidents.md#attack-story). - (Preview) **[Custom detection rules in Microsoft Graph security API](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections)** are now available. Create advanced hunting custom detection rules specific to your org to proactively monitor for threats and take action.
security Mdo Trial Banner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/mdo-trial-banner.md
Title: Microsoft Defender for Office 365 90-day trial banner for content
description: Customers learn they can sign-up for a free trial of Defender for Office 365. Last updated 05/20/2022-+
security Anti Malware Protection For Spo Odfb Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about.md
Title: Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams f1.keywords: - NOCSH---+++ audience: Admin ms.localizationpriority: medium
Microsoft 365 uses a common virus detection engine for scanning files that users
## What happens if an infected file is uploaded to SharePoint Online?
-The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed. **All file types are not automatically scanned**. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged.
+The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a user tries to download a file in a web browser or from Teams that hasn't been scanned, a scan is triggered before the download is allowed. **All file types are not automatically scanned**. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged.
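Review bot: The bold sentence kept in the `+` line, "**All file types are not automatically scanned**", is ambiguous (it can be read as "no file type is scanned automatically"); the intended meaning, given the next sentence about heuristics, is "**Not all file types are automatically scanned**". The rewrite also drops the actor from the scan-on-download sentence: "a scan is triggered before the download is allowed" no longer says that SharePoint triggers it, which the `-` line did; "SharePoint triggers a scan before the download is allowed" keeps that detail.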
Here's what happens:
Here's what happens:
By default, users can download infected files from SharePoint Online. Here's what happens: 1. In a web browser, a user tries to download a file from SharePoint Online that happens to be infected.
-2. The user is shown a warning that a virus has been detected in the file. The user is given the option to proceed with the download and attempt to clean it using anti-virus software on their device.
+2. The user is shown a warning that a virus was detected in the file. The user is given the option to proceed with the download and attempt to clean it using anti-virus software on their device.
To change this behavior so users can't download infected files, even from the anti-virus warning window, admins can use the *DisallowInfectedFileDownload* parameter on the **[Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant)** cmdlet in SharePoint Online PowerShell. The value $true for the *DisallowInfectedFileDownload* parameter completely blocks access to detected/blocked files for users.
For instructions, see [Use SharePoint Online PowerShell to prevent users from do
## Can admins bypass *DisallowInfectedFileDownload* and extract infected files?
-SharePoint admins and global admins are allowed to do forensic file extractions of malware-infected files in SharePoint Online PowerShell with the [Get-SPOMalwareFileContent](/powershell/module/sharepoint-online/get-spomalwarefilecontent) cmdlet. Admins don't need access to the site that hosts the infected content. As long as the file has been marked as malware, admins can use **Get-SPOMalwareFileContent** to extract the file.
+SharePoint admins and global admins are allowed to do forensic file extractions of malware-infected files in SharePoint Online PowerShell with the [Get-SPOMalwareFileContent](/powershell/module/sharepoint-online/get-spomalwarefilecontent) cmdlet. Admins don't need access to the site that hosts the infected content. As long as the file is marked as malware, admins can use **Get-SPOMalwareFileContent** to extract the file.
For more information about the infected file, admins can use the **[Get-SPOMalwareFile](/powershell/module/sharepoint-online/get-spomalwarefile)** cmdlet to see the type of malware that was detected and the status of the infection. ## What happens when the OneDrive sync client tries to sync an infected file?
-When a malicious file is uploaded to OneDrive, it will be synced to the local machine before it's marked as malware. After it's marked as malware, the user can't open the synced file anymore from their local machine.
+When a malicious file is uploaded to OneDrive, the file is synced to the local machine before being marked as malware. After the file is marked as malware, the user can't open the synced file from their local machine.
## Extended capabilities with Microsoft Defender for Office 365
security Configure Junk Email Settings On Exo Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes.md
Title: Configure junk email settings on Exchange Online mailboxes -+ audience: Admin ms.localizationpriority: medium
security Connection Filter Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connection-filter-policies-configure.md
f1.keywords:
- NOCSH -+ audience: ITPro ms.localizationpriority: medium
security Connectors Detect Respond To Compromise https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md
Title: Respond to a compromised connector in Microsoft 365 f1.keywords: - NOCSH---+++ audience: ITPro ms.localizationpriority: medium
In [Microsoft Defender for Office 365 Plan 1](defender-for-office-365.md) or [Ex
:::image type="content" source="../../media/connector-compromise-new-message-trace.png" alt-text="New message trace flyout" lightbox="../../media/connector-compromise-new-message-trace.png":::
-4. In the message trace results, look for the following information:
+5. In the message trace results, look for the following information:
- A significant number of messages were recently marked as **FilteredAsSpam**. This result clearly indicates that a compromised connector was used to send spam. - Whether it's reasonable for the message recipients to receive email from senders in your organization
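Review bot: Renumbering step 4 to 5 implies a step was inserted earlier in the procedure, but only this one step is visible in the hunk; confirm that any steps after it are renumbered too and that nothing else still refers to "step 4" for the message trace results.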
security Connectors Mail Flow Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-mail-flow-intelligence.md
Title: Mail flow intelligence f1.keywords: - NOCSH---+++ audience: ITPro
security Connectors Remove Blocked https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-remove-blocked.md
Title: Remove blocked connectors from the Restricted entities page in Microsoft 365 f1.keywords: - NOCSH---+++ audience: ITPro ms.localizationpriority: medium
security Create Block Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-block-sender-lists-in-office-365.md
f1.keywords:
- NOCSH -+ audience: ITPro
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
f1.keywords:
- NOCSH -+ audience: ITPro
security Defender For Office 365 Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md
description: Learn about the new features and functionality available in the lat
keywords: what's new in Microsoft Defender for Office 365, ga, generally available, capabilities, available, new search.appverid: met150 f1.keywords: NOCSH--++ ms.localizationpriority: medium Last updated 2/2/2024-+ audience: ITPro - m365-security
security Email Authentication Spf Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-spf-configure.md
f1.keywords:
- CSH -+ Last updated 1/29/2024 audience: ITPro
security Eop About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/eop-about.md
f1.keywords:
- NOCSH -+ Last updated 10/3/2023 audience: ITPro
security External Senders Mail Flow Troubleshooting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/external-senders-mail-flow-troubleshooting.md
f1.keywords:
- NOCSH -+ audience: ITPro ms.localizationpriority: medium
security External Senders Microsoft 365 Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/external-senders-microsoft-365-services.md
f1.keywords:
- NOCSH -+ audience: ITPro ms.localizationpriority: medium
security External Senders Policies Practices Guidelines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/external-senders-policies-practices-guidelines.md
f1.keywords:
- NOCSH -+ audience: ITPro ms.localizationpriority: medium
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
f1.keywords:
- NOCSH -+ audience: ITPro ms.localizationpriority: medium
security Mail Flow About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mail-flow-about.md
f1.keywords:
- NOCSH -+ audience: ITPro ms.localizationpriority: medium
security Mdo About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-about.md
Title: Why do I need Microsoft Defender for Office 365?---+++ audience: Admin ms.localizationpriority: high
security Mdo Deployment Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-deployment-guide.md
f1.keywords:
- NOCSH -+ audience: Admin ms.localizationpriority: medium
security Mdo Portal Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-portal-permissions.md
f1.keywords:
- NOCSH -+ ms.audience: Admin audience: Admin
security Mdo Sec Ops Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md
f1.keywords:
- NOCSH -+ audience: Admin ms.localizationpriority: medium
security Mdo Sec Ops Manage Incidents And Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md
f1.keywords:
- NOCSH -+ audience: Admin ms.localizationpriority: medium
security Mdo Security Comparison https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-security-comparison.md
Title: Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection---+++ audience: Admin ms.localizationpriority: high
security Mdo Support Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-support-teams-about.md
f1.keywords:
- NOCSH -+ audience: Admin ms.localizationpriority: medium
security Message Headers Eop Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-headers-eop-mdo.md
f1.keywords:
- NOCSH -+ audience: ITPro
security Message Trace Defender Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-trace-defender-portal.md
f1.keywords:
- NOCSH -+ audience: ITPro
security Migrate To Defender For Office 365 Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md
f1.keywords:
- NOCSH -+ audience: Admin ms.localizationpriority: medium
security Migrate To Defender For Office 365 Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-prepare.md
f1.keywords:
- NOCSH -+ audience: Admin ms.localizationpriority: medium
security Migrate To Defender For Office 365 Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup.md
f1.keywords:
- NOCSH -+ audience: Admin ms.localizationpriority: medium
security Migrate To Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365.md
f1.keywords:
- NOCSH -+ audience: Admin ms.localizationpriority: medium
- highpri - tier1
-description: Learn the right way to migrate from third-party protection services or devices like Google Postini, the Barracuda Spam and Virus Firewall, or Cisco IronPort to Microsoft Defender for Office 365 protection.
+description: Learn the right way to migrate from third-party protection services or devices to Microsoft Defender for Office 365. For example, Google Postini, the Barracuda Spam and Virus Firewall, or Cisco IronPort.
Last updated 6/15/2023
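Review bot: The rewritten `description:` ends in a sentence fragment: "For example, Google Postini, the Barracuda Spam and Virus Firewall, or Cisco IronPort." has no verb, and search-result snippets truncate, so the examples may not show at all. Keep them inside one sentence, e.g. "Learn how to migrate from third-party protection services or devices such as Google Postini, the Barracuda Spam and Virus Firewall, or Cisco IronPort to Microsoft Defender for Office 365."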
This guide provides specific and actionable steps for your migration, and assume
:::image type="content" source="../../medio-migration-before.png"::: -- You're beyond the investigation and consideration phase for protection by Defender for Office 365. If you need to evaluate Defender for Office 365 to decide whether it's right for your organization, we recommend that you consider the options described in [Try Microsoft Defender for Office 365](try-microsoft-defender-for-office-365.md).
+- You're beyond the investigation and consideration phase for protection by Defender for Office 365. If you need to evaluate Defender for Office 365 to decide whether it's right for your organization, we recommend the options described in [Try Microsoft Defender for Office 365](try-microsoft-defender-for-office-365.md).
-- You've already purchased Defender for Office 365 licenses.
+- You already purchased Defender for Office 365 licenses.
- You need to retire your existing third-party protection service, which means you ultimately need to point the MX records for your email domains to Microsoft 365. When you're done, mail from the internet flows directly into Microsoft 365 and is protected exclusively by Exchange Online Protection (EOP) and Defender for Office 365. :::image type="content" source="../../medio-migration-after.png":::
-Eliminating your existing protection service in favor of Defender for Office 365 is a big step that you shouldn't take lightly, nor should you rush to make the change. The guidance in this migration guide will help you transition your protection in an orderly manner with minimal disruption to your users.
+Eliminating your existing protection service in favor of Defender for Office 365 is a significant step that you shouldn't take lightly, nor should you rush to make the change. The guidance in this migration guide helps you transition your protection in an orderly manner with minimal disruption to your users.
The high-level migration steps are illustrated in the following diagram. The actual steps are listed in the section named [The migration process](#the-migration-process) later in this article.
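Review bot: Both image sources in this hunk, "../../medio-migration-before.png" and "../../medio-migration-after.png", do not follow the "../../media/..." path that every other image on this page uses; confirm the files resolve before merging, since a broken image here leaves the before/after mail-flow diagrams empty. The wording changes in the bullets themselves read fine.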
The high-level migration steps are illustrated in the following diagram. The act
## Why use the steps in this guide?
-In the IT industry, surprises are generally bad. Simply flipping your MX records to point to Microsoft 365 without prior and thoughtful testing will result in many surprises. For example:
+In the IT industry, surprises are bad. Simply flipping your MX records to point to Microsoft 365 without prior and thoughtful testing will result in many surprises. For example:
-- You or your predecessors have likely spent a lot of time and effort customizing your existing protection service for optimal mail delivery (in other words, blocking what needs to be blocked, and allowing what needs to be allowed). It's almost a guaranteed certainty that not every customization in your current protection service is required in Defender for Office 365. It's also possible that Defender for Office 365 will introduce new issues (allows or blocks) that didn't happen or weren't required in your current protection service.
+- You or your predecessors probably spent time and effort customizing your existing protection service for optimal mail delivery. In other words, blocking what needs to be blocked, and allowing what needs to be allowed. It's almost a guaranteed certainty that not every customization in your current protection service is required in Defender for Office 365. It's also possible that Defender for Office 365 will introduce new issues (allows or blocks) that didn't happen or weren't required in your current protection service.
- Your help desk and security personnel need to know what to do in Defender for Office 365. For example, if a user complains about a missing message, does your help desk know where or how to look for it? They're likely familiar with the tools in your existing protection service, but what about the tools in Defender for Office 365? In contrast, if you follow the steps in this migration guide, you get the following tangible benefits for your migration: - Minimal disruption to users.-- Objective data from Defender for Office 365 that you can use as you report on the progress and success of the migration to management.
+- Objective data from Defender for Office 365 that you can use to report on the progress and success of the migration to management.
- Early involvement and instruction for help desk and security personnel. The more you familiarize yourself with how Defender for Office 365 will affect your organization, the better the transition will be for users, help desk personnel, security personnel, and management.
-This migration guide gives you a plan for gradually "turning the dial" so you can monitor and test how Defender for Office 365 affects users and their email so you can react quickly to any issues that you encounter.
+This migration guide gives you a plan for gradually "turning the dial". You can monitor and test how Defender for Office 365 affects users and their email so you can react quickly to any issues.
## The migration process
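Review bot: the rewrite of the first benefit bullet turns the former parenthetical into a stand-alone fragment: "In other words, blocking what needs to be blocked, and allowing what needs to be allowed." has no subject or main verb. Either keep it in parentheses as before or complete it, for example "In other words, you blocked what needs to be blocked and allowed what needs to be allowed." The redundant "almost a guaranteed certainty" in the same bullet is left untouched; "almost certain" says the same thing.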
security Outbound Spam High Risk Delivery Pool About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-high-risk-delivery-pool-about.md
security Outbound Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md
security Outbound Spam Policies External Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding.md
Title: Configuring and controlling external email forwarding in Microsoft 365 (last updated 06/19/2023)
security Outbound Spam Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-protection-about.md
security Outbound Spam Restore Restricted Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-restore-restricted-users.md
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
security Priority Accounts Security Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md
security Priority Accounts Turn On Priority Account Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection.md
Title: Configure and review priority account protection in Microsoft Defender for Office 365 (last updated 6/19/2023)
security Quarantine About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-about.md
security Quarantine Admin Manage Messages Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md
Title: Manage quarantined messages and files as an admin
security Quarantine End User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-end-user.md
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
Title: Quarantine policies
security Quarantine Quarantine Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-quarantine-notifications.md
security Quarantine Shared Mailbox Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-shared-mailbox-messages.md
Title: View and release quarantined messages from shared mailboxes
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
security Reports Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md
security Reports Email Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-email-security.md
security Responding To A Compromised Email Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account.md
security Safe Attachments About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-about.md
security Safe Attachments For Spo Odfb Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about.md
security Safe Attachments For Spo Odfb Teams Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure.md
Title: Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
security Safe Attachments Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md
security Safe Documents In E5 Plus Security About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-documents-in-e5-plus-security-about.md
Title: Safe Documents in Microsoft Defender for Office 365
security Safe Links About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-about.md
security Safe Links Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md
security Scc Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/scc-permissions.md
security Secure By Default https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-by-default.md
Last updated 01/19/2024
security Submissions Admin Review User Reported Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin-review-user-reported-messages.md
Title: Admin review for user reported messages
security Submissions Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md
Title: Manage submissions
security Submissions Error Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-error-messages.md
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-This article attempts to explain the common error messages that you might receive as you try to [report messages, URLs, and email attachments to Microsoft](submissions-admin.md)
+This article attempts to explain the common error messages that you might receive as you try to [report messages, URLs, and email attachments to Microsoft](submissions-admin.md).
## This message didn't pass through our mail flow system, or the message metadata isn't available yet error
security Submissions Outlook Report Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-outlook-report-messages.md
Title: Report phishing and suspicious emails in Outlook for admins
security Submissions Report Messages Files To Microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft.md
Title: Report spam, non-spam, phishing, suspicious emails and files to Microsoft (last updated 11/9/2023)
security Submissions Submit Files To Microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-submit-files-to-microsoft.md
Title: Submit malware and good files to Microsoft for analysis
security Submissions Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-teams.md
security Submissions User Reported Messages Custom Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md
security Submissions Users Report Message Add In Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-users-report-message-add-in-configure.md
Title: Enable the Report Message or the Report Phishing add-ins
security Tenant Allow Block List About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-about.md
The following list describes what happens in the Tenant Allow/Block List when yo
- **Email**: If a message was blocked by the EOP or Defender for Office 365 filtering stack, an allow entry might be created in the Tenant Allow/Block List: - If the message was blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md), an allow entry for the sender is created, and the entry appears on the **Spoofed senders** tab in the Tenant Allow/Block List. - If the message was blocked by [user (or graph) impersonation protection in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), an allow entry isn't created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message.
- - If the message was blocked due to file-based filers, an allow entry for the file is created, and the entry appears on the **Files** tab in the Tenant Allow/Block List.
+ - If the message was blocked due to file-based filters, an allow entry for the file is created, and the entry appears on the **Files** tab in the Tenant Allow/Block List.
- If the message was blocked due to URL-based filters, an allow entry for the URL is created, and the entry appears on the **URL** tab in the Tenant Allow/Block List. - If the message was blocked for any other reason, an allow entry for the sender email address or domain is created, and the entry appears on the **Domains & addresses** tab in the Tenant Allow/Block List. - If the message wasn't blocked due to filtering, no allow entries are created anywhere.
security Tenant Allow Block List Email Spoof Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure.md
security Tenant Allow Block List Files Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure.md
solutions Apps Config Step 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-3.md
Microsoft 365 (Office) for iOS/iPadOS supports the following configuration setti
| [Set add-ins preference](/mem/intune/apps/manage-microsoft-office#set-add-ins-preference) | Enable or disable office add-in platform and/or the Office store portion of the platform. | com.microsoft.office.OfficeWebAddinDisableAllCatalogs<br>com.microsoft.office.OfficeWebAddinDisableOMEXCatalog | | [Manage Teams apps running on Office](/mem/intune/apps/manage-microsoft-office#manage-teams-apps-running-on-office-for-ios-and-android) | Enable or disable Teams apps on Office. | com.microsoft.office.officemobile.TeamsApps.IsAllowed | | [Microsoft 365 Feed for iOS and Android](/mem/intune/apps/manage-microsoft-office#enable-or-disable-microsoft-365-feed-for-ios-and-android) | Enable or disable the Microsoft 365 Feed. | com.microsoft.office.officemobile.Feed.IsAllowed |
+| [Copilot with commercial data protection](/mem/intune/apps/manage-microsoft-office#copilot-with-commercial-data-protection) | Enable or disable Copilot in Microsoft 365 app by configuring the following setting in the Intune admin center. | com.microsoft.office.officemobile.BingChatEnterprise.IsAllowed |
You can use the [configuration designer](/mem/intune/apps/app-configuration-policies-use-ios#use-configuration-designer) to add configuration settings for iOS app configuration policies.
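Review bot: in the new Copilot row, "by configuring the following setting in the Intune admin center" points at nothing inside the description cell; the key is in the next column, exactly as for every other row of the table. Shorten the description to match its neighbours, for example "Enable or disable Copilot in the Microsoft 365 app."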
Microsoft 365 (Office) for Android supports the following configuration settings
| [Set add-ins preference](/mem/intune/apps/manage-microsoft-office#set-add-ins-preference) | Enable or disable office add-in platform and/or the Office store portion of the platform. | com.microsoft.office.OfficeWebAddinDisableAllCatalogs<br>com.microsoft.office.OfficeWebAddinDisableOMEXCatalog | | [Manage Teams apps running on Office](/mem/intune/apps/manage-microsoft-office#manage-teams-apps-running-on-office-for-ios-and-android) | Enable or disable Teams apps on Office. | com.microsoft.office.officemobile.TeamsApps.IsAllowed | | [Microsoft 365 Feed for iOS and Android](/mem/intune/apps/manage-microsoft-office#enable-or-disable-microsoft-365-feed-for-ios-and-android) | Enable or disable the Microsoft 365 Feed. | com.microsoft.office.officemobile.Feed.IsAllowed |
+| [Data protection settings in M365 for Android](/mem/intune/apps/manage-microsoft-office#data-protection-settings-in-microsoft-365-office) | Enable or disable offline caching when **Save As to Local Storage** is blocked by the app protection policy. | com.microsoft.intune.mam.IntuneMAMOnly.AllowOfflineCachingWhenSaveAsBlocked |
+| [Copilot with commercial data protection](/mem/intune/apps/manage-microsoft-office#copilot-with-commercial-data-protection) | Enable or disable Copilot in Microsoft 365 app by configuring the following setting in the Intune admin center. | com.microsoft.office.officemobile.BingChatEnterprise.IsAllowed |
You can use the [configuration designer](/mem/intune/apps/app-configuration-policies-use-ios#use-configuration-designer) to add configuration settings for iOS app configuration policies.
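Review bot: the closing sentence of the Android table still reads "to add configuration settings for iOS app configuration policies" and links to the iOS configuration-designer page, although the heading above introduces Microsoft 365 (Office) for Android. It appears copied from the iOS section, and since this hunk edits the Android table it is the place to point that sentence at the Android app configuration guidance. The new Copilot row also repeats the "by configuring the following setting in the Intune admin center" wording from the iOS row, which refers to the key that sits in the next column.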
solutions Apps Config Step 4 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/apps-config-step-4.md
Microsoft Edge provides several different configuration settings that allow you
| com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled | Microsoft Defender SmartScreen is a feature that helps users avoid malicious sites and downloads. For more information, see [Microsoft Defender SmartScreen](/mem/intune/apps/manage-microsoft-edge#microsoft-defender-smartscreen). | | com.microsoft.intune.mam.managedbrowser.OpeningExternalApps | When a web page requests to open an external app, users will see a pop-up asking them to open the external app or not. Organizations can manage the behavior. For more information, see [Block opening external apps](/mem/intune/apps/manage-microsoft-edge#block-opening-external-apps). | | com.microsoft.intune.mam.managedbrowser.Chat | You can choose to hide or show the Bing button in the bottom bar of Edge as part of Bing Chat Enterprise. For more information, see [Bing Chat Enterprise](/mem/intune/apps/manage-microsoft-edge#bing-chat-enterprise). |
-| com.microsoft.intune.mam.managedbrowser.ChatPageContext | You can choose whether Bing Chat Enterprise has access to page content. By default, this setting shows the **Page context** and **Show quick chat panel** options under the Bing co-pilot mode. For more information, see [Bing Chat Enterprise](/mem/intune/apps/manage-microsoft-edge#bing-chat-enterprise). |
+| com.microsoft.intune.mam.managedbrowser.EdgeChatPageContext | You can choose whether Bing Chat Enterprise has access to page content. By default, this setting shows the **Page context** and **Show quick chat panel** options under the Bing co-pilot mode. For more information, see [Bing Chat Enterprise](/mem/intune/apps/manage-microsoft-edge#bing-chat-enterprise). |
| EdgeLockedViewModeEnabled | Edge for iOS and Android can be enabled as locked view mode with MDM policy `EdgeLockedViewModeEnabled`. This policy, which is disabled by default, allows organizations to restrict various browser functionalities, providing a controlled and focused browsing experience. The locked view mode is often used together with MAM policy **com.microsoft.intune.mam.managedbrowser.NewTabPage.CustomURL** or MDM policy **EdgeNewTabPageCustomURL**, which allow organizations to configure a specific web page that is automatically launched when Edge is opened. Users are restricted to this web page and cannot navigate to other websites, providing a controlled environment for specific tasks or content consumption. | ### Data protection configuration settings
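Review bot: the key that controls page-context access changes from com.microsoft.intune.mam.managedbrowser.ChatPageContext to com.microsoft.intune.mam.managedbrowser.EdgeChatPageContext without any indication of whether the previous name is still honored. Admins who already deployed the old key in a MAM policy need to know whether they must update it; a one-line remark in the description, or a callout in the linked Bing Chat Enterprise section, would cover that. Separately, "Bing co-pilot mode" in the same cell is inconsistent with "Copilot" as used elsewhere on this page.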
Microsoft Edge provides several different configuration settings that allow you
| com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock | You can choose to allow managed users (work or school account) to switch to their personal account to view a website. Personal accounts must not be disabled. Users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). | | com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked | You can choose to allow restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge, the restricted site is opened automatically in the InPrivate context. For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). | | com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | You can choose the number of seconds that an end user sees the snack bar notification "Access to this site is blocked by your organization. WeΓÇÖve opened it in InPrivate mode for you to access the site." For more information, see [Manage restricted web sites](/mem/intune/apps/manage-microsoft-edge#manage-restricted-web-sites). |
-| com.microsoft.intune.mam.managedbrowser.AppProxyRedirection | On iOS devices, you can enable Microsoft Entra application proxy redirection scenarios. By default, Microsoft Entra application proxy scenarios are prevented. For more information, see [Manage proxy configuration](/mem/intune/apps/manage-microsoft-edge#manage-proxy-configuration). |
+| com.microsoft.intune.mam.managedbrowser.AppProxyRedirection | On iOS and Android devices, you can enable Microsoft Entra application proxy redirection scenarios. By default, Microsoft Entra application proxy scenarios are prevented. For more information, see [Manage proxy configuration](/mem/intune/apps/manage-microsoft-edge#manage-proxy-configuration). |
| com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs | You can choose a list of internal (intranet) websites that enable NTLM credential caching. The end users must enter credentials and successfully authenticate when attempting to access a URL in the list. NTLM is a Windows network authentication protocol. For more information, see [Manage NTLM single sign-on sites](/mem/intune/apps/manage-microsoft-edge#manage-ntlm-single-sign-on-sites). | | com.microsoft.intune.mam.managedbrowser.durationOfNTLMSSO | You can enter the number of hours to cache credentials when using NTLM credential caching. NTLM is a Windows network authentication protocol. For more information, see [Manage NTLM single sign-on sites](/mem/intune/apps/manage-microsoft-edge#manage-ntlm-single-sign-on-sites). | | com.microsoft.intune.mam.managedbrowser.MicrosoftRootStoreEnabled | Microsoft Edge for Android verifies server certificates using the built-in certificate verifier and the Microsoft Root Store as the source of public trust. Organizations can switch to system certificate verifier and system root certificates. For more information, see [Manage NTLM single sign-on sites](/mem/intune/apps/manage-microsoft-edge#open-external-apps). | | com.microsoft.intune.mam.managedbrowser.SSLErrorOverrideAllowed | You can configure whether end users can click through SSL warning pages. For more information, see [SSL warning page control](/mem/intune/apps/manage-microsoft-edge#ssl-warning-page-control). | - For more information about configuring Microsoft Edge, see [Manage Microsoft Edge on iOS and Android with Intune](/mem/intune/apps/manage-microsoft-edge). ## Next step
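Review bot: in the trailing context of this hunk, the MicrosoftRootStoreEnabled row links with the text "Manage NTLM single sign-on sites" to the anchor #open-external-apps; neither the link text nor the anchor matches a row about which certificate verifier and root store Edge uses to validate server certificates. Because this setting decides the source of public trust for TLS connections, the link should go to the section that actually describes the root store option, with matching link text. The AppProxyRedirection change from "iOS" to "iOS and Android" itself reads fine.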
syntex Archive Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/archive/archive-compliance.md
description: Learn about compliance features for archived sites in Microsoft 365
# Compliance features in Microsoft 365 Archive (Preview) > [!NOTE]
-> This feature is currently in preview and subject to change. The feature is currently rolling out and might not yet be fully available to all organizations.
+> Microsoft Purview features work seamlessly with archived content. For example, you can apply retention hold on archived content without needing to unarchive it. Likewise, you can also archive content in retention hold without needing to move or delete it from retention scope.
Archived SharePoint sites, just like active SharePoint sites, maintain a baseline level of data promises. These promises include the following considerations: -- **Durability** ΓÇô All archived data is equally as durable as active SharePoint Online data.
+- **Durability** ΓÇô All archived data is equally as durable as active SharePoint data.
- **Security** ΓÇô Archived sites or data have the same level of security as active sites or data.
- **Microsoft EU data boundary** ΓÇô All archived data complies with the EU data boundary promise.
-The impact of Microsoft 365 Archive on compliance offerings includes the following:
+The affect of Microsoft 365 Archive on compliance offerings includes the following elements:
-- **Data lifecycle management and records management** ΓÇô Archived sites will still honor the retention and deletion periods from any retention policies or retention labels. For more information, see [How retention works with Microsoft 365 Archive](/purview/retention-policies-sharepoint#how-retention-works-with-microsoft-365-archive).
+- **Data lifecycle management and records management** ΓÇô Archived sites still honor the retention and deletion periods from any retention policies or retention labels. For more information, see [How retention works with Microsoft 365 Archive](/purview/retention-policies-sharepoint#how-retention-works-with-microsoft-365-archive).
-- **eDiscovery** ΓÇô eDiscovery will still be able to find all content even if archived. However, eDiscovery won't be able to directly reactivate located files. Before exporting or viewing content of an eDiscovery case, the SharePoint admin will have to reactivate the relevant sites.
+- **eDiscovery** ΓÇô eDiscovery still finds all content even if archived. However, eDiscovery won't be able to directly reactivate located files. Before exporting or viewing content of an eDiscovery case, the SharePoint admin has to reactivate the relevant sites.
- **Bring your own key (BYOK)** ΓÇô All archived content will comply with the BYOK promises, for any tenant who already uses the BYOK feature or enables it after archiving sites. -- **Permissions and access policies** ΓÇô These settings and policies will be retained on the site throughout the archive and reactivation lifecycle (that is, archiving the site and then reactivating doesn't change the application of permissions or related access policies).
+- **Permissions and access policies** ΓÇô These settings and policies are retained on the site throughout the archive and reactivation lifecycle (that is, archiving the site and then reactivating doesn't change the application of permissions or related access policies).
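Review bot: "The affect of Microsoft 365 Archive on compliance offerings" in the rewritten sentence is wrong; "affect" is the verb and the noun is "effect" (the original "impact" was also correct), so this change introduces an error. Two further points in this hunk: the note under "# Compliance features in Microsoft 365 Archive (Preview)" drops the "currently in preview and subject to change" text while the heading still says (Preview), so either the heading or the removed sentence is now out of step; and the BYOK bullet keeps "will comply" while the neighbouring bullets were moved to present tense ("still honor", "still finds", "are retained").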