+To note, Active users of Word, Excel and PowerPoint is incomplete prior to Jan 25, 2024. Active users of Outlook might be lower than expected if there are people in your organization using the Coach feature on Outlook Win32 over the selected time period. We are currently working on integrating this data into our reports and will notify you as soon as it becomes available.

+>[!NOTE]

+> All up last activity date and last activity date per app are reflecting different narratives now. All up last activity date is reflecting the historical last activity date no matter what period is selected on the page, while last activity date per app is reflecting the last activity date within the selected time period; hence, if there is no activity in selected time period, the last activity date per app will be empty. We are planning to make them consistent to reflect the historical last activity date narrative and will provide update once itΓÇÖs done.

+To ensure data quality, we perform daily data validation checks for the past three days and will fill any gaps detected. You may notice differences in historical data during the process.

+ For detailed syntax and parameter information, see [Remove-MgUserPhoto](/powershell/module/exchange/remove-userphoto).

+ For detailed syntax and parameter information, see [Remove-MgGroupPhoto](/powershell/module/exchange/remove-userphoto).

+> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before May 5, 2024.

+|Enable Loop components everywhere | **Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $true`, `Set-SPOTenant -IsCollabMeetingNotesFluidEnabled $true` |

+|Enable Loop components everywhere, but Disable integration in Communication app (Outlook, Teams) | **Create and view Loop files in Microsoft apps that support Loop** = Enabled<br/>**Create and view Loop files in Outlook** = Disabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $false`, `Set-SPOTenant -IsCollabMeetingNotesFluidEnabled $false` |

+|Disable Loop components everywhere | **Create and view Loop files in Microsoft apps that support Loop** = Disabled<br/>[Teams-only] `Set-SPOTenant -IsLoopEnabled $false`, `Set-SPOTenant -IsCollabMeetingNotesFluidEnabled $false` |

+ - recall:

+ - this setting applies to:

+ - Outlook integration

+ - Word for the web integration

+ - Whiteboard integration

+ - this setting does **NOT** apply to:

+ - Loop workspaces (see [Manage Loop workspaces in SharePoint Embedded](/microsoft-365/loop/loop-workspaces-configuration))

+ - Teams integration (see [Settings management for Loop components in Teams](#settings-management-for-loop-functionality-in-teams))

+ - **Not configured**: Loop experience is available to the users.

+In case you create a new policy configuration or change the configuration for an existing policy, there can be a delay in the change being reflected as described below:

+ Title: "Configuring external data integrations for Loop experiences"

+recommendations: true

+audience: Admin

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+- Strat_SP_admin

+- Microsoft 365-collaboration

+- Tier3

+- essentials-compliance

+search.appverid:

+- SPO160

+- MET150

+description: "Learn about how to configure external data integrations for Loop experiences."

+# Configuring external data integrations for Loop experiences

+Microsoft enabled Jira, Trello, and GitHub integration experiences within [Microsoft Loop](https://www.microsoft.com/en-us/microsoft-loop). Tenant admins can use Cloud Policy to configure the data integration features. Tenant admins can Enable, Disable, or Not Configure various policy settings to control these integrations. The data integration policies are:

+- **Import, view, and edit, items from apps integrated with Loop**

+ - This is the primary policy to control all specific data integration policies. To configure a specific data integration differently than the primary setting, use one of the specific policies.

+- **Import, view, and edit, GitHub items from Loop**

+- **Import, view, and edit, Jira issues from Loop**

+- **Import, view, and edit, Trello boards from Loop**

+## User experience expectations when admin settings are configured

+When data integrations are Enabled, data from external sources synchronize into the Loop data file. Integration options appear in the Discover '/' menu. Integrations synchronize data when the user views or edits the Loop component in apps that support Loop such as Teams, Outlook, Loop app, etc.

+When data integrations are Disabled, data from these disabled external sources don't synchronize. No connections to these external sources can be established. All existing data stops synchronizing, and becomes read-only everywhere. The integration options still appear in the Discover '/' menu but users cannot activate or create new external data integrations.

+## Example policy configurations and user experience result

+|Primary Policy|Primary State|Specific Policy|Specific State|End User Outcome|

+|--|--|--|--|--|

+|Import, view, and edit, items from apps integrated with Loop|Not Configured|Import, view, and edit, **GitHub** items from Loop|Not Configured|✅Enabled for all data integrations|

+|Import, view, and edit, items from apps integrated with Loop|Not Configured|Import, view, and edit, **GitHub** items from Loop|✅Enabled|✅Enabled for all data integrations|

+|Import, view, and edit, items from apps integrated with Loop|Not Configured|Import, view, and edit, **GitHub** items from Loop|🚫Disabled|✅Enabled for all data integrations EXCEPT<br/>🚫Disabled for GitHub|

+|Import, view, and edit, items from apps integrated with Loop|✅Enabled|Import, view, and edit, **GitHub** items from Loop|Not Configured|✅Enabled for all data integrations|

+|Import, view, and edit, items from apps integrated with Loop|✅Enabled|Import, view, and edit, **GitHub** items from Loop|✅Enabled|✅Enabled for all data integrations|

+|Import, view, and edit, items from apps integrated with Loop|✅Enabled|Import, view, and edit, **GitHub** items from Loop|🚫Disabled|✅Enabled for all data integrations EXCEPT<br/>🚫Disabled for GitHub|

+|Import, view, and edit, items from apps integrated with Loop|🚫Disabled|Import, view, and edit, **GitHub** items from Loop|Not Configured|🚫Disabled for all data integrations|

+|Import, view, and edit, items from apps integrated with Loop|🚫Disabled|Import, view, and edit, **GitHub** items from Loop|✅Enabled|🚫Disabled for all data integrations|

+|Import, view, and edit, items from apps integrated with Loop|🚫Disabled|Import, view, and edit, **GitHub** items from Loop|🚫Disabled|🚫Disabled for all data integrations|

+## Settings management in Cloud Policy

+The Loop experiences check the following [Cloud Policy](/deployoffice/admincenter/overview-cloud-policy) settings:

+- **Import, view, and edit, items from apps integrated with Loop**

+ - This is the primary policy to control all specific data integration policies. To configure a specific data integration differently than the primary setting, use one of the specific policies.

+- **Import, view, and edit, GitHub items from Loop**

+- **Import, view, and edit, Jira issues from Loop**

+- **Import, view, and edit, Trello boards from Loop**

+1. Sign in to https://config.office.com/ with your Microsoft 365 admin credentials.

+1. Select **Customization** from the left pane.

+1. Select **Policy Management**.

+1. Create a new policy configuration or edit an existing one.

+1. From the **Choose the scope** dropdown list, choose either **All users**, or select the group for which you want to apply the policy. For more information, See [Microsoft 365 Groups for Cloud Policy](/microsoft-365/loop/loop-components-configuration#microsoft-365-groups-for-cloud-policy).

+1. In **Configure Settings**, choose one of the following settings:

+ - For **Import, view, and edit, items from apps integrated with Loop**:

+ - first, recall:

+ - This is the primary policy to control all specific data integration policies. To configure a specific data integration differently than the primary setting, use one of the specific policies.

+ - **Enabled**: All external data integrations in Loop are available to the users.

+ - **Disabled**: All external data integrations in Loop aren't available to the users.

+ - **Not configured**: All external data integrations in Loop are available to the users.

+ - For **Import, view, and edit, GitHub items from Loop**:

+ - **Enabled**: GitHub data integrations in Loop are available to the users.

+ - **Disabled**: GitHub data integrations in Loop aren't available to the users.

+ - **Not configured**: GitHub data integrations in Loop are available to the users.

+ - For **Import, view, and edit, Jira issues from Loop**:

+ - **Enabled**: Jira data integrations in Loop are available to the users.

+ - **Disabled**: Jira data integrations in Loop aren't available to the users.

+ - **Not configured**: Jira data integrations in Loop are available to the users.

+ - For **Import, view, and edit, Trello boards from Loop**:

+ - **Enabled**: Trello data integrations in Loop are available to the users.

+ - **Disabled**: Trello data integrations in Loop aren't available to the users.

+ - **Not configured**: Trello data integrations in Loop are available to the users.

+1. Save the policy configuration.

+1. Reassign priority for any security group, if necessary. (If two or more policy configurations are applicable to the same set of users, the one with the higher priority is applied.)

+In case you create a new policy configuration or change the configuration for an existing policy, there's a delay in the change being reflected:

+- If there were existing policy configurations before the change, then it will take 90 mins for the change to be reflected.

+- If there were no policy configurations before to the change, then it will take 24 hours for the change to be reflected.

+## Related topics

+- [Use Trello with Loop - Microsoft Support](https://support.microsoft.com/office/use-trello-with-loop-cd889fc9-bcf4-43f1-af70-36558dd1e0b0)

+- [Use Jira with Loop - Microsoft Support](https://support.microsoft.com/office/use-jira-with-loop-68e2ccce-5741-4b6d-a1fa-30a5df2e0479)

+- [Use GitHub with Loop - Microsoft Support](https://support.microsoft.com/office/use-github-with-loop-5a4d95d5-3c59-4de8-a208-c9c8ab05a4fb)

+ Title: "Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus"

+description: Describes fileless malware and how Microsoft Defender Antivirus uses AMSI to protect against hidden threats.

+ms.localizationpriority:

+search.appverid: MET150

+f1.keywords:

+audience:

+ai-usage:

+- ai-assisted

+# Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus

+__Applies to:__

+- Microsoft Defender XDR

+- Microsoft Defender Antivirus

+- Microsoft Defender for Endpoint P1 & P2

+- Microsoft Defender for Business

+- Microsoft Defender for Individuals

+__Platforms__

+- Windows 10 and newer

+- Windows Server 2016 and newer

+Microsoft Defender for Endpoint utilizes the anti-malware Scan Interface (AMSI) to enhance protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats. This article describes the benefits of AMSI integration, the types of scripting languages it supports, and how to enable AMSI for improved security.

+## What is Fileless malware?

+Fileless malware plays a critical role in modern cyberattacks, using stealthy techniques to avoid detection. Several major ransomware outbreaks used fileless methods as part of their kill chains.

+Fileless malware uses existing tools that are already present on a compromised device, such as PowerShell.exe or wmic.exe. Malware can infiltrate a process, executing code within its memory space, and invoking these built-in tools. Attackers significantly reduce their footprint and evade traditional detection mechanisms.

+

+Because memory is volatile, and fileless malware doesn't place files on disk, establishing persistence by using fileless malware can be tricky. One example of how fileless malware achieved persistence was to create a registry run key that launches a ΓÇ£one-linerΓÇ¥ PowerShell cmdlet. This command launched an obfuscated PowerShell script that was stored in the registry BLOB. The obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry. The script stored in the registry ensured the malware persisted.

+Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:

+- **Reflective DLL injection** Reflective DLL injection involves the manual loading of malicious DLLs into a process’ memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors like macros and scripts. This results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.

+- **Memory exploits** Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, which lives entirely in the kernel’s memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.

+- **Script-based techniques** Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shell codes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry, read from network streams, or run manually in the command-line by an attacker, without ever touching the disk.

+> [!NOTE]

+> Do not disable PowerShell as a means to block fileless malware. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell.

+- **WMI persistence** Some attackers use the Windows Management Instrumentation (WMI) repository to store malicious scripts that are then invoked periodically using WMI bindings.

+Microsoft Defender Antivirus blocks most malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Microsoft Defender Antivirus protects against fileless malware through these capabilities:

+- Detecting script-based techniques by using AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation

+- Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed

+- Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring

+## Why AMSI?

+AMSI provides a deeper level of inspection for malicious software that employs obfuscation and evasion techniques on Windows' built-in scripting hosts. By integrating AMSI, Microsoft Defender for Endpoint offers extra layers of protection against advanced threats.

+### Supported Scripting Languages

+- PowerShell

+- Jscript

+- VBScript

+- Windows Script Host (wscript.exe and cscript.exe)

+- .NET Framework 4.8 or newer (scanning of all assemblies)

+- Windows Management Instrumentation (WMI)

+If you use Microsoft Office 365, AMSI also supports JavaScript, VBA, and XLM.

+AMSI doesn't currently support Python or Perl.

+### Enabling AMSI

+To enable AMSI, you need to enable Script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)

+Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender)

+### AMSI resources

+[Anti-malware Scan Interface (AMSI) APIs](/windows/win32/amsi/antimalware-scan-interface-portal) are available for developers and antivirus vendors to implement.

+Other Microsoft products such as [Exchange](https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371) and [Sharepoint](https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/cyberattack-protection-by-default-and-other-enhancements-to/ba-p/3925641) also use AMSI

+integration.

+## More resources to protect against fileless attacks

+- [Windows Defender Application Control and AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview). Enforces strong code Integrity policies and to allow only trusted applications to run. In the context of fileless malware, WDAC locks down PowerShell to Constrained Language Mode, which limits the extended language features that can lead to unverifiable code execution, such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects. This essentially mitigates PowerShell-based reflective DLL injection attacks.

+- [Attack surface reduction](overview-attack-surface-reduction.md) helps admins protect against common attack vectors.

+- [Enable virtualization-based protection of code integrity](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity). Mitigates kernel-memory exploits through Hypervisor Code Integrity (HVCI), which makes it difficult to inject malicious code using kernel-mode software vulnerabilities.

+||||

+| Block rebooting machine in Safe Mode (preview) | | Yes |

+| Block use of copied or impersonated system tools (preview) | | Yes |

+||

+| [Block rebooting machine in Safe Mode (preview)](#block-rebooting-machine-in-safe-mode-preview) | Y | Y | Y | Y | Y |

+| [Block use of copied or impersonated system tools (preview)](#block-use-of-copied-or-impersonated-system-tools-preview) | Y | Y | Y | Y | Y |

+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | Y | | Y | Y |

+|[Block rebooting machine in Safe Mode (preview)](#block-rebooting-machine-in-safe-mode-preview) | Y | | Y | Y |

+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | Y |Y <br><br> CB 1802 | Y | Y |

+|[Block use of copied or impersonated system tools (preview)](#block-use-of-copied-or-impersonated-system-tools-preview) | Y | | Y | Y |

+|[Block Webshell creation for Servers](#block-webshell-creation-for-servers) | Y | | Y | Y |

+|[Block rebooting machine in Safe Mode (preview)](#block-rebooting-machine-in-safe-mode-preview) | | N | N |

+|[Block use of copied or impersonated system tools (preview)](#block-use-of-copied-or-impersonated-system-tools-preview) | | N | N |

+|[Block Webshell creation for Servers](#block-webshell-creation-for-servers) | | N | N |

+| Block rebooting machine in Safe Mode (preview) | 33ddedf1-c6e0-47cb-833e-de6133960387 |

+| Block use of copied or impersonated system tools (preview) | c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb |

+Configuration Manager name: Not yet available

+Configuration Manager name: `Block Office applications from creating executable content`

+### Block rebooting machine in Safe Mode (preview)

+

+This rule prevents the execution of commands to restart machines in Safe Mode.

+

+Safe Mode is a diagnostic mode that only loads the essential files and drivers needed for Windows to run. However, in Safe Mode, many security products are either disabled or operate in a limited capacity, which allows attackers to further launch tampering commands, or simply execute and encrypt all files on the machine. This rule blocks such attacks by preventing processes from restarting machines in Safe Mode.

+

+> [!NOTE]

+> This capability is currently in preview. Additional upgrades to improve efficacy are under development.

+

+Intune Name: `[PREVIEW] Block rebooting machine in Safe Mode`

+Configuration Manager name: Not yet available

+

+GUID: `33ddedf1-c6e0-47cb-833e-de6133960387`

+

+Dependencies: Microsoft Defender Antivirus

+### Block use of copied or impersonated system tools (preview)

+

+This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.

+

+Some malicious programs may try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and imposters of the system tools on Windows machines.

+> [!NOTE]

+> This capability is currently in preview. Additional upgrades to improve efficacy are under development.

+

+Intune Name: `[PREVIEW] Block use of copied or impersonated system tools`

+Configuration Manager name: Not yet available

+GUID: `c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb`

+

+Dependencies: Microsoft Defender Antivirus

+Dependencies: Microsoft Defender Antivirus

+- Windows Server

+> [!TIP]

+> Using the `Send all samples automatically` option provides for better security, because phishing attacks are used for a high amount of [initial access attacks](https://attack.mitre.org/tactics/TA0001/).

+For information about configuration options using Intune, Configuration Manager, Group Policy, or PowerShell, see [Turn on cloud protection at Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md).

+- Windows Server

+> [!TIP]

+> For the best experience, please choose 1 method for configuring the Microsoft Defender Antivirus policies.

+> [!IMPORTANT]

+> Group Policy (GPO) wins over Microsoft Configuration Manager wins over Microsoft Intune wins over Microsoft Defender for Endpoint Security Configuration Management or Powershell or WMI or MpCmdRun.exe.

+You can manage and configure Microsoft Defender Antivirus with the following tools:

+- [Microsoft Defender for Endpoint Security Configuration Management](/mem/intune/protect/mde-security-integration)

+- The [Microsoft Malware Protection Command Line Utility](./command-line-arguments-microsoft-defender-antivirus.md) (referred to as the *mpcmdrun.exe* utility)

+|[Manage Microsoft Defender Antivirus with Microsoft Defender for Endpoint Security Configuration Management](/mem/intune/protect/mde-security-integration)|Information about using the Microsoft Defender for Endpoint Security Configuration Management to configure, manage, and report, Microsoft Defender Antivirus|

+If running high CPU in Antimalware Service Executable | Microsoft Defender Antivirus Service | MsMpEng.exe, please review:

+- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)

+- Microsoft Defender for Business

+- Microsoft Defender Antivirus

+- Microsoft Defender for individuals

+- [Microsoft Defender for Endpoint Security Policy Management](/mem/intune/protect/mde-security-integration)

+- [Microsoft Intune](/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus)

+- [Microsoft Configuration Manager](/microsoft-365/security/defender-endpoint/manage-mde-post-migration-configuration-manager)

+- Microsoft Configuration Manager [Tenant attach](/mem/configmgr/tenant-attach/)

+- [Group Policy](/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus)

+- [PowerShell cmdlets](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus)

+- [Windows Management Instrumentation (WMI)](/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus)

+You can configure how Microsoft Defender Antivirus uses these methods with [Microsoft Defender for Endpoint Security Configuration Management](/mem/intune/protect/mde-security-integration), [Microsoft Intune](/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus), Microsoft Configuration Manager, [Group Policy](/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus), [PowerShell cmdlets](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus), and [Windows Management Instrumentation (WMI)](/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus).

+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)

+- Microsoft Defender for Business

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender Antivirus

+Article | Description

+description: Learn how to use the client analyzer to collect data for complex troubleshooting scenarios.

+- Microsoft Defender for Business

+- Microsoft Defender Antivirus

+When collaborating with Microsoft support professionals, you might be asked to use the client analyzer to collect data for troubleshooting of more complex scenarios. The analyzer script supports other parameters for that purpose and can collect a specific log set based on the observed symptoms that need to be investigated.

+Run `MDEClientAnalyzer.cmd /?` to see the list of available parameters and their description:

+| Switch | Description | When to use| Process that you're troubleshooting. |

+|:|:|:|:|

+|`-h` |Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect a verbose general performance trace in addition to the standard log set. |Slow application start/launch. When clicking on a button on the app, taking x seconds longer. |One of the following: <br/>- `MSSense.exe`<br/>- `MsSenseS.exe`<br/>- `SenseIR.exe`<br/>- `SenseNdr.exe`<br/>- `SenseTVM.exe`<br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe` <br/>- `MsMpEng.exe` <br/>- `NisSrv.exe` |

+|`-l`|Calls into built-in [Windows Performance Monitor](/windows-server/remote/remote-desktop-services/rds-rdsh-performance-counters) to collect a lightweight perfmon trace. This scenario can be useful when diagnosing slow performance degradation issues that occur over time but hard to reproduce on demand. |Troubleshooting application performance that could be slow to reproduce (manifest) itself. We recommend capturing up to three minutes (at most five minutes), because your data set could get too large.|One of the following: <br/>- `MSSense.exe` <br/>- `MsSenseS.exe` <br/>- `SenseIR.exe`<br/>- `SenseNdr.exe` <br/>- `SenseTVM.exe`<br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe`<br/>- `MsMpEng.exe`<br/>- `NisSrv.exe` |

+|`-c`|Calls into [process monitor](/sysinternals/downloads/procmon) for advanced monitoring of real-time file system, registry, and process/thread activity. This is especially useful when troubleshooting various application compatibility scenarios. |Process Monitor (ProcMon) to initiate a boot trace when investigating a driver or service or application startup delay related issue. Or applications hosted on a network share that aren't using SMB Opportunistic Locking (Oplock) properly causing application compatibility problems.|One of the following: <br/>- `MSSense.exe`<br/>- `MsSenseS.exe`<br/>- `SenseIR.exe`<br/>- `SenseNdr.exe`<br/>- `SenseTVM.exe`<br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe`<br/>- `MsMpEng.exe`<br/>- `NisSrv.exe` |

+|`-i`|Calls into built-in [netsh.exe](/windows/win32/winsock/netsh-exe) command to start a network and Windows Firewall trace that is useful when troubleshooting various network-related issues. |When troubleshooting network related issues such as Defender for Endpoint EDR telemetry or CnC data submission issues. Microsoft Defender Antivirus Cloud Protection (MAPS) reporting issues. Network protection related issues, and so forth. |One of the following processes: <br/>- `MSSense.exe`<br/>- `MsSenseS.exe`<br/>- `SenseIR.exe`<br/>- `SenseNdr.exe`<br/>- `SenseTVM.exe`<br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe`<br/>- `MsMpEng.exe`<br/>- `NisSrv.exe` |

+|`-b`|Same as `-c` but the process monitor trace will be initiated during next boot and stopped only when the -b is used again. |Process Monitor (ProcMon) to initiate a boot trace when investigating a driver or service or application startup delay related issue. This scenario can also be used to investigate a slow boot or slow sign-in.|One of the following processes: <br/>- `MSSense.exe`<br/>- `MsSenseS.exe`<br/>- `SenseIR.exe`<br/>- `SenseNdr.exe`<br/>- `SenseTVM.exe` <br/>- `SenseAadAuthenticator.exe`<br/>- `SenseGPParser.exe`<br/>- `SenseImdsCollector.exe`<br/>- `SenseSampleUploader.exe`<br/>- `MsMpEng.exe`<br/>- `NisSrv.exe` |

+|`-e`|Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect Defender AV Client tracing (AM-Engine and AM-Service) for analysis of Antivirus cloud connectivity issues. |When troubleshooting Cloud Protection (MAPS) reporting failures.|MsMpEng.exe |

+|`-a`|Calls into [Windows Performance Recorder](/windows-hardware/test/wpt/wpr-command-line-options) to collect a verbose performance trace specific to analysis of high CPU issues related to the antivirus process (MsMpEng.exe). |When troubleshooting high cpu utilization with Microsoft Defender Antivirus (Antimalware Service Executable or MsMpEng.exe) if you already used the Microsoft Defender Antivirus [Performance Analyzer](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus) to narrow down the /path/process or /path or file extension contributing to the high cpu utilization. This scenario enables further investigate what the application or service is doing to contribute to the high cpu utilization.|MsMpEng.exe |

+|`-v`|Uses antivirus [MpCmdRun.exe command line argument](/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) with most verbose -trace flags. |Anytime an advanced troubleshooting is needed. Such as when troubleshooting Cloud Protection (MAPS) reporting failures, Platform Update failures, Engine update failures, Security Intelligence Update failures, False negatives, etc. Can also be used with `-b`, `-c`, `-h`, or `-l`.|`MsMpEng.exe` |

+|`-t` |Starts verbose trace of all client-side components relevant to Endpoint DLP, which is useful for scenarios where [DLP actions](/microsoft-365/compliance/endpoint-dlp-learn-about#endpoint-activities-you-can-monitor-and-take-action-on) aren't happening as expected for files. |When running into issues where the Microsoft Endpoint Data Loss Prevention (DLP) actions expected aren't occurring.|`MpDlpService.exe` |

+|`-q`|Calls into DLPDiagnose.ps1 script from the analyzer `Tools` directory that validates the basic configuration and requirements for Endpoint DLP. |Checks the basic configuration and requirements for Microsoft Endpoint DLP|`MpDlpService.exe`|

+|`-d`|Collects a memory dump of `MsSenseS.exe` (the sensor process on Windows Server 2016 or older OS) and related processes. - \* This flag can be used with above mentioned flags. - \*\* Capturing a memory dump of [PPL protected processes](/windows-hardware/drivers/install/early-launch-antimalware) such as `MsSense.exe` or `MsMpEng.exe` isn't supported by the analyzer at this time.|On Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2 or Windows Server 2016 running w/ the MMA agent and having performance (high cpu or high memory usage) or application compatibility issues. |`MsSenseS.exe`|

+|`-z` |Configures registry keys on the machine to prepare it for full machine memory dump collection via [CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard). This would be useful for analysis of computer freeze issues. \* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice. |Machine hanging or being unresponsive or slow. High memory usage (Memory leak): a) User mode: Private bytes b) Kernel mode: paged pool or nonaged pool memory, handle leaks.|`MSSense.exe` or `MsMpEng.exe` |

+|`-k` |Uses [NotMyFault](/sysinternals/downloads/notmyfault) tool to force the system to crash and generate a machine memory dump. This would be useful for analysis of various OS stability issues. |Same as above.|`MSSense.exe` or `MsMpEng.exe` |

+The analyzer, and all of the scenario flags listed in this article, can be initiated remotely by running `RemoteMDEClientAnalyzer.cmd`, which is also bundled into the analyzer toolset:

+> [!NOTE]

+> When any advanced troubleshooting parameter is used, the analyzer also calls into [MpCmdRun.exe](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus) to collect Microsoft Defender Antivirus related support logs.

+> You can use `-g` flag to validate URLs for a specific datacenter region even without being onboarded to that region<br>

+> For example, `MDEClientAnalyzer.cmd -g EU` forces the analyzer to test cloud URLs in Europe region.

+## A few points to keep in mind

+When you use `RemoteMDEClientAnalyzer.cmd`, it calls into `psexec` to download the tool from the configured file share and then run it locally via `PsExec.exe`.

+The CMD script uses the `-r` flag to specify that it is running remotely within SYSTEM context, and so no prompt is presented to the user.

+That same flag can be used with `MDEClientAnalyzer.cmd` to avoid a prompt to the user to specify the number of minutes for data collection. For example, consider `MDEClientAnalyzer.cmd -r -i -m 5`.

+- `-r` indicates that tool is being run from remote (or non-interactive context).

+- `-i` is the scenario flag for collection of network trace along with other related logs.

+- `-m #` denotes the number of minutes to run (we used 5 minutes in our example).

+When using `MDEClientAnalyzer.cmd`, the script checks for privileges using `net session`, which requires the service `Server` to be running. If it's not, you will get the error message _Script is running with insufficient privileges_. Run it with administrator privileges if ECHO is off.

+> Endpoint detection and response (EDR) in Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings.

+For optimal protection, configure the following settings for devices that are onboarded to Defender for Endpoint, whether Microsoft Defender Antivirus is the active antimalware solution or not:

+- Security intelligence updates (which also updates the scan engine)

+- Platform Update updates

+For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).

+If an onboarded device is protected by a non-Microsoft anti-malware client, Microsoft Defender Antivirus goes into [passive mode](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). In this scenario, Microsoft Defender Antivirus continues to receive updates, and the `msmpeng.exe` process is listed as a running a service. But, it doesn't perform real-time protection scans, scheduled scans, or on-demand scans, and and doesn't replace the running non-Microsoft antimalware client. The Microsoft Defender Antivirus user interface is disabled. Device users can't use Microsoft Defender Antivirus to perform on-demand scans or configure most options such as Attack Surface Reduction (ASR) rules, Network Protection, Indicators - File/IP address/URL/Certificates allow/block, Web Content Filtering, Controlled Folder Access, and so forth.

+ Title: Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus

+description: How Microsoft Defender Antivirus incorporates Early Launch Antimalware (ELAM) for preventing rootkit and drivers with malware from loading before the antivirus service and drivers are loaded.

+ms.localizationpriority: medium

+search.appverid: MET150

+f1 keywords: NOCSH

+audience: ITPro

+# Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus

+**Applies to:** 

+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) 

+- Microsoft Defender for Business 

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) 

+- Microsoft Defender for Individual 

+**Platforms:**

+- Windows 11, Windows 10, Windows 8.1, Windows 8 

+- Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 

+Detecting malware that starts early in the boot cycle was a challenge before Windows 8. To combat early boot threats such as rootkits or malicious drivers that can hide from detection, as of August 1, 2012, Microsoft Defender Antivirus (MDAV) for Windows 8 and newer, or Windows Server 2012 and newer, incorporated a new feature called [Early Launch Antimalware (ELAM)](/windows/compatibility/early-launch-antimalware) driver. Microsoft Defender Antivirus uses Wdboot.sys driver that starts before other boot-start drivers, enables the evaluation of those drivers, and helps the Windows kernel decide whether they should be initialized. 

+### Where is the ELAM detection(s) logged?

+The ELAM detection is logged in the same location as the other Microsoft Defender Antivirus threats, such as [Event ID 1006](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus).

+### How do I keep the MDAV ELAM driver up to date?

+The MDAV ELAM driver ships with the monthly ΓÇ£[Platform update](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates).ΓÇ¥

+### Can the Early Launch Antimalware (ELAM) policy be modified? 

+ELAM can be modified here: 

+**Computer Configuration > Administrative Templates > System > Early Launch Antimalware.**

+### How can I check that the MDAV ELAM driver is loaded?

+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch 

+BackupPath (string) C:\Windows\\[ELAMBKUP](/windows-hardware/drivers/install/elam-driver-requirements)\WdBoot.sys (value)

+### How do I revert the MDAV ELAM driver to a previous version?

+C:\ProgramData\Microsoft\Windows Defender\Platform\<antimalware platform version>\MpCmdRun.exe -[RevertPlatform](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus)<br>

+For example:

+```C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.12-0\MpCmdRun.exe -RevertPlatform```

+ > [!IMPORTANT]

+ > **The Microsoft Defender for Endpoint evaluation lab was deprecated in January, 2024**.

+- Microsoft Defender for Individual

+> [!NOTE]

+> Cloud-delivered protection is applicable with any Enforcement level settings (real_time, on_demand, passive).

+- Microsoft Defender for Business

+Microsoft Defender Antivirus allows you to determine if updates should (or shouldn't) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.

+You can use Microsoft Defender for Endpoint Security Settings Management, Microsoft Intune, Microsoft Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Microsoft Defender Antivirus to check and download protection updates before running a scheduled scan.

+### Use Microsoft Defender for Endpoint Security Settings Management to check for protection updates before running a scan

+1. On your Microsoft Defender for Endpoint console ([https://security.microsoft.com](https://security.microsoft.com)), go to **Endpoints** > **Configuration management** > **Endpoint security policies** > **Create new policy**.

+ - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server**.

+ - In the **Select Templates** list, select **Microsoft Defender Antivirus**.

+2. Fill in the name and description, and then select **Next**>

+3. Go to the **Scheduled scans** section and set **Check For Signatures Before Running Scan** to **Enabled**.

+4. Deploy the updated policy as usual.

+### Use Microsoft Intune to check for protection updates before running a scan

+1. In the [Microsoft Intune admin center](https://intune.microsoft.com/), go to **Endpoints** > **Configuration management** > **Endpoint security policies**, and then select **Create new policy**.

+ - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server**.

+ - In the **Select Templates** list, select **Microsoft Defender Antivirus**.

+2. Fill in the name and description, and then select **Next**.

+3. Go to the **Scheduled scans** section, and set **Check For Signatures Before Running Scan** to **Enabled**.

+4. Save and deploy the policy.

+1. On your Microsoft Configuration Manager console, open the antimalware policy you want to change (select **Assets and Compliance** in the navigation pane, then expand the tree to **Overview** \> **Endpoint Protection** \> **Antimalware Policies**).

+3. Select **OK**.

+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal).

+2. Right-click the Group Policy Object you want to configure, and then select **Edit**.

+3. Using the **Group Policy Management Editor** go to **Computer configuration**.

+4. Select **Policies** then **Administrative templates**.

+5. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**.

+6. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**.

+7. Select **OK**.

+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and select **Edit**.

+3. Select **Policies** then **Administrative templates**.

+6. Select **OK**.

+You can also use Group Policy, PowerShell, or WMI to configure Microsoft Defender Antivirus to check for updates at startup even when it isn't running.

+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and select **Edit**.

+3. Select **Policies** then **Administrative templates**.

+6. Select **OK**.

+If you have enabled cloud-delivered protection, Microsoft Defender Antivirus sends files it's suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Microsoft Defender Antivirus to automatically receive that protection update. Other important protection updates can also be applied.

+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and select **Edit**.

+3. Select **Policies** then **Administrative templates**.

+5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then select **OK**.

+6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then select **OK**.

+### January-2024 (Platform: 4.18.24010.12 | Engine: 1.1.24010.10)

+- Security intelligence update version: **1.405.702.0**

+- Release date: **February 27, 2024**

+- Platform: **4.18.24010.12**

+- Engine: **1.1.24010.10**

+- Support phase: **Security and Critical Updates**

+#### What's new

+- Microsoft Defender Antivirus now caches the Mark of the Web (MoTW) Alternative Data Stream (ADS) for better performance while scanning.

+- Fixed an issue that occurred in [attack surface reduction](attack-surface-reduction-rules-reference.md) in warn mode when removing scan results from the real-time protection cache.

+- Performance improvement added for `OneNote.exe`.

+- Cloud-based entries are regularly removed from the persistent user mode cache in Windows Defender to prevent a uncommon issue where a user could still add a certificate, based on an Indicator of compromise (IoC), to the cache after a file with that certificate had already been added via cloud signature.

+- The Sense onboarding event is now sent in passive mode for operating systems with the old Sense client.

+- Improved performance for logs created/accessed by powershell.

+- Improved performance for folders included in [Controlled folder access(CFA)](controlled-folders.md) when accessing network files.

+- Fixed a deadlock that occurred at shutdown for Data Loss Prevention (DLP) enabled devices.

+- Fixed an issue to remove a vulnerability in the Microsoft Defender Core service.

+- Fixed an onboarding issue in the Unified Agent installation script [install.ps1](https://github.com/microsoft/mdefordownlevelserver).

+- Fixed a memory leak that impacted some devices that received platform update `4.18.24010.7`

+- Security intelligence update version: **1.403.7.0**

+- Platform: **4.18.23110.3**

+- Support phase: **Security and Critical Updates**

+#### What's new

+## September-2023 (Platform: 4.18.23090.2008 | Engine: 1.1.23090.2007)

+

+- Security intelligence update version: **1.399.44.0**

+- Release date: **October 3, 2023 (Engine) | October 4, 2023 (Platform)**

+- Platform: **4.18.23090.2008**

+- Engine: **1.1.23090.2007**

+- Support phase: **Technical upgrade support (only)**

+

+### What's new

+- Fixed automatic remediation during on demand scans involving archives with multiple threats

+- Improved the performance of scanning files on network locations

+- Added support for domain computer SID for device control policies

+- Improved installer of unified agent to include legacy version of Windows Server 2012 (6.3.9600.17735)

+- Fixed issue in device control when querying Microsoft Entra group membership, which resulted in increased network traffic.

+- Improved parsing of attack surface reduction exclusions in the antimalware engine

+- Improved reliability in scanning PE files

+- Improved deployments safeguards for security intelligence updates

+### Known issues

+- None

+ > [!NOTE]

+ > On Windows devices, if you use the attack surface reduction rule [Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules-reference.md#block-process-creations-originating-from-psexec-and-wmi-commands), you might want to temporarily [configure an exclusion to the ASR rule](enable-attack-surface-reduction.md#exclude-files-and-folders-from-attack-surface-reduction-rules). Optionally, you can set the rule to **audit** or you can disable the rule. Making these configurations allows the analyzer to run connectivity checks to cloud without being blocked.

+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender for Business

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Windows Server

+## 13 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint

+|5|Attack surface reduction|Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction).|

+|6|Network protection|Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](/microsoft-365/security/defender-endpoint/network-protection).|

+|7|Indicators, such as file, IP address, URL, and/or certificate allow or block indicators |Your organization's security team can import threat intel, which blocks known Indicators of Compromise (IoC's) [Get an overview of Indicator of compromise (IoC)](/microsoft-365/security/defender-endpoint/manage-indicators).|

+|8|File blocking|Your organization's security team can block specific files. [Stop and quarantine files in your network](/microsoft-365/security/defender-endpoint/respond-file-alerts#stop-and-quarantine-files-in-your-network).|

+|9|Auditing events|Auditing event signals are available in [endpoint detection and response capabilities](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response). (These signals are not available with non-Microsoft antivirus solutions.)|

+|11|Controlled folder access |Your organization's security team can reduce malware from encrypting end-users data by preventing unknown applications or services being able to write to protected folders. [Get an overview of controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders).|

+|12|Geographic data|Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](/microsoft-365/compliance/offering-iso-27001).|

+|13|Technical support|By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp)and [review event logs and error codes with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/).|

+| 42360 | Fixed inaccuracy in GitHub vulnerabilities - CVE-2020-10519 and CVE-2021-22863 | 12-Feb-24

+| 44875 | Fixed inaccuracy in Zoom Meetings for macOS | 14-Feb-24

+| 45686 | Fixed inaccuracy in ConnectWise Control (Formerly known as ScreenConnect) | 14-Feb-24

+| 45559 | Added Microsoft Defender Vulnerability Management support to Forta GoAnyWhere MFT | 14-Feb-24

+| - | Added Microsoft Defender Vulnerability Management support to BeyondTrust Remote Support Jump Client | 14-Feb-24

+| - | Fixed inaccuracy in Ignite Real Time | 14-Feb-24

+| - | Added Microsoft Defender Vulnerability Management support to Ivanti (Pulse Secure) February released Vulnerabilities | 20-Feb-24

+| - | Defender Vulnerability Management doesn't currently support SAP GUI | 21-Feb-24

+| 46606 | Defender Vulnerability Management doesn't currently support Postgresql | 21-Feb-24

+| 47700 | Defender Vulnerability Management doesn't currently support Adobe Digital Editions | 21-Feb-24

+ Title: Block vulnerable applications.

+description: Use Microsoft Defender Vulnerability Management to block vulnerable applications.

+For both actions, you can customize the message the users see. For example, you can encourage them to install the latest version. Additionally, you can provide a custom URL the users navigate to when they select the notification. Note that the user must select the body of the toast notification in order to navigate to the custom URL. This can be used to provide additional details specific to the application management in your organization.

+7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it's immediately applied.

+8. Review the selections you made and **Submit request**. On the final page, you can choose to go directly to the remediation page to view the progress of remediation activities and see the list of blocked applications.

+## When blocking isn't supported

+- Microsoft Store apps, which can't be blocked because they're signed by Microsoft

+If you try to block an application and it doesn't work, you might have reached the maximum indicator capacity. If so, you can delete old indicators [Learn more about indicators](../defender-endpoint/manage-indicators.md).

+When users try to access a blocked application, they receive a message informing them that the application was by their organization. This message is customizable.

+For applications where the warn mitigation option was applied, users receive a message informing them that the application has been blocked by their organization. The user has the option to bypass the block for subsequent launches, by choosing "Allow". This allow is only temporary, and the application will be blocked again after a while.

+ Title: Microsoft Defender for Cloud in the Microsoft Defender portal

+description: Learn about changes in the Microsoft Defender portal with the Microsoft Defender for Cloud integration.

+# Microsoft Defender for Cloud in the Microsoft Defender portal

+The Microsoft Defender portal combines protection, detection, investigation, and response capabilities to protect attacks on device, email, collaboration, identity, and cloud apps. The portal's detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency.

+To ensure access to Defender for Cloud alerts in the Microsoft Defender portal, you must be subscribed to any of the plans listed in [Connect your Azure subscriptions](/azure/defender-for-cloud/connect-azure-subscription).

+The following section describes the detection and investigation experience in the Microsoft Defender portal with Defender for Cloud alerts.

+> Informational alerts from Defender for Cloud are not integrated to the Microsoft Defender portal to allow focus on the relevant and high severity alerts. This strategy streamlines management of incidents and reduces alert fatigue.

+> |Incidents|All Defender for Cloud incidents will be integrated to the Microsoft Defender portal.</br></br> - Searching for cloud resource assets in the [incident queue](incident-queue.md) is supported.</br> - The [attack story](investigate-incidents.md#attack-story) graph will show the cloud resource.</br> - The [assets tab](investigate-incidents.md#assets) in an incident page will show the cloud resource.</br> - Each virtual machine has its own device page containing all related alerts and activity.</br></br> There will be no duplication of incidents from other Defender workloads.|

+> |Alerts|All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to the Microsoft Defender portal. Defender for Cloud alerts will show on the the Microsoft Defender portal [alert queue](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response).</br></br> The *cloud resource* asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.</br></br>Defender for Cloud alerts will automatically be associated with a tenant.</br></br>There will be no duplication of alerts from other Defender workloads.|

+- The action to relate alerts to the Microsoft Defender portal incidents is removed.

+ Title: Microsoft Defender for Endpoint in the Microsoft Defender portal

+description: Get an overview of what to expect when moving from the Microsoft Defender Security Center to the Microsoft Defender portal

+# Microsoft Defender for Endpoint in the Microsoft Defender portal

+This article describes the Defender for Endpoint experience in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Formerly, Defender for Endpoint customers used the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com) or [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com)).

+The image and the table below lists the changes in navigation between the Microsoft Defender Security Center and the Microsoft Defender portal.

+| Microsoft Defender Security Center | the Microsoft Defender portal |

+The improved [Microsoft Defender portal](microsoft-365-defender-portal.md) at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a> combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats. This brings together functionality from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance center.

+If you're familiar with the Microsoft Defender Security Center, this article helps describe some of the changes and improvements in the Microsoft Defender portal. However there are some new and updated elements to be aware of.

+Historically, the [Microsoft Defender Security Center](/windows/security/threat-protection/microsoft-defender-atp/portal-overview) has been the home for Microsoft Defender for Endpoint. Enterprise security teams have used it to monitor and help responding to alerts of potential advanced persistent threat activity or data breaches. To help reduce the number of portals, the Microsoft Defender portal will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.

+Microsoft Defender for Endpoint in the Microsoft Defender portal supports [granting access to managed security service providers (MSSPs)](/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access) in the same way [access is granted in the Microsoft Defender Security Center](mssp-access.md).

+> What you see in the Microsoft Defender portal depends on your current subscriptions. For example, if you don't have a license for Microsoft Defender for Office 365, then the Email & Collaboration section will not be shown.

+Take a look in the Microsoft Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">https://security.microsoft.com</a>.

+This table is a quick reference of the changes between the Microsoft Defender Security Center and the Microsoft Defender portal.

+| [Incidents & alerts](incidents-overview.md) | In the Microsoft Defender portal, you can manage incidents and alerts across all of your endpoints, email, and identities. We've converged the experience to help you find related events more easily. For more information, see [Incidents Overview](incidents-overview.md). |

+| [Hunting](advanced-hunting-overview.md) | Modifying custom detection rules created in Microsoft Defender for Endpoint to include identity and email tables automatically moves them to the Microsoft Defender portal. Their corresponding alerts will also appear in the Microsoft Defender portal. For more details about these changes, read [Migrate custom detection rules](advanced-hunting-migrate-from-mde.md#migrate-custom-detection-rules). <br><br>The `DeviceAlertEvents` table for advanced hunting isn't available in the Microsoft Defender portal. To query device-specific alert information in the Microsoft Defender portal, you can use the `AlertInfo` and `AlertEvidence` tables to accommodate even more information from a diverse set of sources. Craft your next device-related query by following [Write queries without DeviceAlertEvents](advanced-hunting-migrate-from-mde.md#write-queries-without-devicealertevents).|

+|[Action center](m365d-action-center.md) | Lists pending and completed actions that were taken following automated investigations and remediation actions. Formerly, the Action center in the Microsoft Defender Security Center listed pending and completed actions for remediation actions taken on devices only, while Automated investigations listed alerts and status. In the improved the Microsoft Defender portal, the Action center brings together remediation actions and investigations across email, devices, and usersΓÇöall in one location. |

+| Settings | Manage your settings for the Microsoft Defender portal, Endpoints, Email & collaboration, Identities, and Device discovery. |

+Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in the Microsoft Defender portal can help security teams by automatically responding to specific events.

+You can access threat analytics either from the upper left navigation bar in the Microsoft Defender portal, or from a dedicated dashboard card that shows the top threats for your organization.

+If you use the [Defender for Endpoint SIEM API](../defender-endpoint/enable-siem-integration.md), you can continue to do so. We've added new links on the API payload that point to the alert page or the incident page in the Microsoft 365 security portal. New API fields include LinkToMTP and IncidentLinkToMTP. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to The Microsoft Defender portal](./microsoft-365-security-mde-redirection.md).

+You can continue to use email alerts for Defender for Endpoint. We've added new links in the emails that point to the alert page or the incident page in The Microsoft Defender portal. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to The Microsoft Defender portal](./microsoft-365-security-mde-redirection.md).

+- [Microsoft Defender for Endpoint in The Microsoft Defender portal](microsoft-365-security-center-mde.md)

+- [Redirecting accounts from Microsoft Defender for Endpoint to The Microsoft Defender portal](microsoft-365-security-mde-redirection.md)

+ Title: Microsoft Defender for Identity in the Microsoft Defender portal

+description: Learn about changes from Microsoft Defender for Identity to The Microsoft Defender portal.

+# Microsoft Defender for Identity in the Microsoft Defender portal

+Microsoft Defender for Identity is now part of The Microsoft Defender portal, the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. The Microsoft Defender portal allows security admins to perform their security tasks in one location, which simplifies workflows and integrating functionality from other Microsoft Defender XDR services.

+Microsoft Defender for Identity contributes identity focused information into the incidents and alerts that The Microsoft Defender portal presents. This information is key to providing context and correlating alerts from the other products within Microsoft Defender XDR.

+## Converged experiences in The Microsoft Defender portal

+The [Microsoft Defender portal](https://security.microsoft.com) combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats, and now includes all functionality provided in the [legacy, classic Defender for Identity portal](/previous-versions/defender-for-identity).

+While data placement might differ from the classic Defender for Identity portal, your data is now integrated into The Microsoft Defender portal pages so that you can view your data across all of your monitored entities.

+The following sections describe enhanced Defender for Identity features found in The Microsoft Defender portal.

+> Customers using the classic Defender for Identity portal are now [automatically redirected to The Microsoft Defender portal](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/leveraging-the-convergence-of-microsoft-defender-for-identity-in/ba-p/3856321), with no option to revert back to the classic portal.

+|**Manage action and directory service accounts** | You might want to respond to compromised users by disabling their accounts or resetting their password. When you take either of these actions, The Microsoft Defender portal is configured by default to use the *local system* account. Therefore, you'll only need to configure action and directory service account settings if you want to have more control, and define a different user account to perform user remediation actions.<br><br> For more information, see [Microsoft Defender for Identity action accounts](/defender-for-identity/manage-action-accounts). |

+|**Custom permission roles** | The Microsoft Defender portal supports custom permission roles. <br><br>For more information, see [Microsoft Defender XDR role-based access control (RBAC)](manage-rbac.md) |

+|**API** | Use any of the following Microsoft Defender XDR APIs with Defender for Identity: <br><br>- [Query activities via API](api-advanced-hunting.md) <br>- [Manage security alerts via API](api-incident.md) <br>- [Stream security alerts and activities to Microsoft Sentinel](streaming-api.md)<br><br>**Tip**: The Microsoft Defender portal only stores advanced hunting data for 30 days. If you need longer retention periods, stream the activities to Microsoft Sentinel or another partner security information and event management (SIEM) system. |

+| **Identities** area| In The Microsoft Defender portal, expand the **Identities** area to view a **Dashboard** of graphs and widgets with commonly used data, a **Health issues** page, listing all health issues for your Defender for Identity deployment, and a **Tools** page, with links to commonly used tools and documentation. <br><br>For more information, see [View the ITDR dashboard](/defender-for-identity/dashboard) and [Defender for Identity health issues](/defender-for-identity/health-alerts). |

+|**Identity page** | The Microsoft Defender portal identity details page provides inclusive data about each identity, such as: <br><br>- Any associated alerts <br>- Active Directory account control<br>- Risky lateral movement paths<br>- A timeline of activities and alerts<br>- Details about observed locations, devices, and groups. <br><br>For more information, see [Investigate users in The Microsoft Defender portal](investigate-users.md). |

+|**Device page** | The Microsoft Defender portal alert evidence lists all devices and users connected to each suspicious activity. Investigate further by selecting a specific device in an alert to access a device details page. <br><br>For more information, see [Investigate devices in the Microsoft Defender for Endpoint Devices list](../defender-endpoint/investigate-machines.md). |

+|**Advanced hunting** | The Microsoft Defender portal helps you proactively search for threats and malicious activity by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats. <br><br>Build custom detection rules from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices. <br><br>For more information, see [Proactively hunt for threats with advanced hunting in the Microsoft Defender portal](advanced-hunting-overview.md). |

+|**Global search** | Use the search bar at the top of the Microsoft Defender portal page to search for any entity being monitored by Microsoft Defender XDR, including identities, endpoints, Office 365 data, Active Directory groups (Preview), and more. <br><br>Select results directly from the search drop-down, or select **All users** or **All devices** to see all entities associated with a given search term. |

+| **Lateral movement paths** | The Microsoft Defender portal provides lateral movement path data on the **Advanced hunting** page and the **Lateral movement paths** security assessment, in addition to the **Lateral movement paths** tab on the user details page. <br><br> For more information, see [Understand and investigate lateral movement paths (LMPs) with Microsoft Defender for Identity](/defender-for-identity/understand-lateral-movement-paths). |

+| **Alert and incident correlation** |Defender for Identity alerts is now included in the Microsoft Defender portal's alert queue, making them available to the automated incident correlation feature. <br><br>View all of your alerts in one place, and determine the scope of the breach even quicker than before. <br><br>For more information, see [Investigate Defender for Identity alerts in the Microsoft Defender portal](/defender-for-identity/manage-security-alerts). |

+| **Alert exclusions** |The Microsoft Defender portal's alert interface is more user friendly, and includes a search function and global exclusions, meaning you can exclude any entity from all alerts generated by Defender for Identity. <br><br>For more information, see [Configure Defender for Identity detection exclusions in Microsoft Defender XDR](/defender-for-identity/exclusions).|

+| **Remediation actions** |Defender for Identity remediation actions, such as disabling accounts or requiring password resets, are available from the Microsoft Defender portal user details page. <br><br>For more information, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).

+The following table lists the changes in navigation between Microsoft Defender for Identity and the Microsoft Defender portal.

+| **Defender for** Identity | **The Microsoft Defender portal** |

+| **Timeline** |- Microsoft Defender portal Alerts/Incidents queue |

+| **Reports** |The following types of reports are available from the **Reports** > **Identities** > **Report management** page in the Microsoft Defender portal, either for immediate download or scheduled for a periodic email delivery: <br><br>- A summary report of alerts and health issues you should take care of. <br>- A list of each time a modification is made to sensitive groups. <br>- A list of source computer and account passwords that are detected as being sent in clear text.<br>- A list of the sensitive accounts exposed in lateral movement paths. <br><br>For more information, see [Report management](/defender-for-identity/reports). |

+| **Identity page** | Microsoft Defender portal user details page |

+| **Device page** | Microsoft Defender portal device details page |

+| **Group page** | Microsoft Defender portal groups side pane |

+| **Alert page** | Microsoft Defender portal alert details page <br><br>**Tip**: Use [alert tuning](investigate-alerts.md#tune-an-alert) to optimize the alerts you see in the Microsoft Defender portal. |

+| **Search** | Microsoft Defender portal global search |

+| **Health issues** | Microsoft Defender portal **Identities > Health issues** |

+ Title: Microsoft Defender for Office 365 in the Microsoft Defender portal

+description: Learn about changes from the Security & Compliance Center to The Microsoft Defender portal.

+# Microsoft Defender for Office 365 in the Microsoft Defender portal

+This article describes the Defender for Office 365 experience in the Microsoft Defender portal. Formerly, Defender for Office 365 customers used the Office 365 Security & Compliance center ([https://protection.office.com](https://protection.office.com)).

+## Quick reference

+The table below lists the changes in navigation between the Security & Compliance Center and The Microsoft Defender portal.

+|[Security & Compliance Center](https://protection.office.com)|[The Microsoft Defender portal](https://security.microsoft.com)|[Microsoft Purview compliance portal](https://compliance.microsoft.com/homepage)|[Exchange admin center](https://admin.exchange.microsoft.com)|

+[The Microsoft Defender portal](./microsoft-365-defender.md) at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank"><https://security.microsoft.com></a> combines security capabilities from existing Microsoft security portals, including the Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.

+If you're familiar with the Security & Compliance Center (protection.office.com), this article describes some of the changes and improvements in The Microsoft Defender portal.

+

+Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in The Microsoft Defender portal can help security teams by automatically responding to specific events.

+You can access Threat analytics either from the upper left navigation bar in The Microsoft Defender portal, or from a dedicated dashboard card that shows the top threats for your organization.

+

+> For Defender for Office 365 users, you can now *manage and rotate* DKIM keys in The Microsoft Defender portal at <https://security.microsoft.com/authentication?viewid=DKIM>.

+|[Alert queue](../../compliance/alert-policies.md)|The **View alerts** flyout pane in the Security & Compliance Center now includes links to The Microsoft Defender portal. Click on the **Open Alert Page** link and The Microsoft Defender portal opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue.|

+> All Exchange Online Protection (EOP) functions will be included in The Microsoft Defender portal, as EOP is a core element of Defender for Office 365.

+## The Microsoft Defender portal Home page

+- [Redirecting Security & Compliance Center to The Microsoft Defender portal](microsoft-365-security-mdo-redirection.md)

+ Title: Redirecting from the Microsoft Defender Security Center to the Microsoft Defender portal

+# Redirecting from the Microsoft Defender Security Center to the Microsoft Defender portal

+In alignment with Microsoft's cross-domain approach to threat protection with SIEM and Extended Detection and Response (XDR), we've rebranded Microsoft Defender Advanced Threat Protection as Microsoft Defender for Endpoint and unified it into a single integrated portal: the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).

+This guide explains how to enable automatic redirection from the former Microsoft Defender Security Center (securitycenter.windows.com or securitycenter.microsoft.com), to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.

+> Microsoft Defender for Endpoint in the Microsoft Defender portal supports [granting access to managed security service providers (MSSPs)](/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access) in the same that way access is [granted in the former Microsoft Defender Security Center](./mssp-access.md).

+Once automatic redirection is enabled, accounts accessing the former Microsoft Defender Security Center at securitycenter.windows.com or securitycenter.microsoft.com are automatically routed to the Microsoft Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank"><security.microsoft.com></a>.

+Learn more about what's changed: [Microsoft Defender for Endpoint](microsoft-365-security-center-mde.md).

+These changes include redirection for direct access to the former portal via browser, including links pointing towards the former securitycenter.windows.com portal, such as links in email notifications, and links returned by SIEM API calls.

+External links from email notifications or SIEM APIs currently contain links to both portals. Once redirection is enabled, both links point to the new Microsoft Defender portal until the old link is eventually removed. We encourage you to adopt the new link pointing to the Microsoft Defender portal.

+Refer to the following table for more on links and routing.

+Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied won't be ejected from their session and will only be routed to Microsoft Defender XDR after ending their current session and signing back in again.

+2. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>.

+4. Toggle the **Automatic redirection** setting to **On**.

+5. Select **Enable** to apply automatic redirection to the Microsoft Defender portal.

+> Enabling this setting doesn't terminate active user sessions. Accounts who are in an active session while this setting is applied are directed to the Microsoft Defender portal after ending their current session and signing in again.

+If something isn't working for you or if there's anything you're unable to complete through the Microsoft Defender portal, we want to hear about it. If you've encountered any issues with redirection, we encourage you to let us know by using the **Give feedback** submission form.

+To revert to the former Microsoft Defender Security Center:

+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> as a global administrator or using and account with security administrator permissions in Microsoft Entra ID.

+3. Toggle the **Automatic redirection** setting to **Off**.

+4. Select **Disable** & share feedback when prompted.

+Once disabled, accounts aren't routed to security.microsoft.com, and you'll have access to the former portal - securitycenter.windows.com or securitycenter.microsoft.com.

+ - usx-security

+- (GA) **Dark mode** is now available in the Microsoft Defender portal. In the Defender portal, on the top right-hand side of the homepage, select **Dark mode**. Select **Light mode** to change the color mode back to the default.

+The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a user tries to download a file in a web browser or from Teams that hasn't been scanned, a scan is triggered before the download is allowed. **All file types are not automatically scanned**. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged.

+2. The user is shown a warning that a virus was detected in the file. The user is given the option to proceed with the download and attempt to clean it using anti-virus software on their device.

+SharePoint admins and global admins are allowed to do forensic file extractions of malware-infected files in SharePoint Online PowerShell with the [Get-SPOMalwareFileContent](/powershell/module/sharepoint-online/get-spomalwarefilecontent) cmdlet. Admins don't need access to the site that hosts the infected content. As long as the file is marked as malware, admins can use **Get-SPOMalwareFileContent** to extract the file.

+When a malicious file is uploaded to OneDrive, the file is synced to the local machine before being marked as malware. After the file is marked as malware, the user can't open the synced file from their local machine.

+5. In the message trace results, look for the following information:

+description: Learn the right way to migrate from third-party protection services or devices to Microsoft Defender for Office 365. For example, Google Postini, the Barracuda Spam and Virus Firewall, or Cisco IronPort.

+- You're beyond the investigation and consideration phase for protection by Defender for Office 365. If you need to evaluate Defender for Office 365 to decide whether it's right for your organization, we recommend the options described in [Try Microsoft Defender for Office 365](try-microsoft-defender-for-office-365.md).

+- You already purchased Defender for Office 365 licenses.

+Eliminating your existing protection service in favor of Defender for Office 365 is a significant step that you shouldn't take lightly, nor should you rush to make the change. The guidance in this migration guide helps you transition your protection in an orderly manner with minimal disruption to your users.

+In the IT industry, surprises are bad. Simply flipping your MX records to point to Microsoft 365 without prior and thoughtful testing will result in many surprises. For example:

+- You or your predecessors probably spent time and effort customizing your existing protection service for optimal mail delivery. In other words, blocking what needs to be blocked, and allowing what needs to be allowed. It's almost a guaranteed certainty that not every customization in your current protection service is required in Defender for Office 365. It's also possible that Defender for Office 365 will introduce new issues (allows or blocks) that didn't happen or weren't required in your current protection service.

+- Objective data from Defender for Office 365 that you can use to report on the progress and success of the migration to management.

+This migration guide gives you a plan for gradually "turning the dial". You can monitor and test how Defender for Office 365 affects users and their email so you can react quickly to any issues.

+This article attempts to explain the common error messages that you might receive as you try to [report messages, URLs, and email attachments to Microsoft](submissions-admin.md).

+ - If the message was blocked due to file-based filters, an allow entry for the file is created, and the entry appears on the **Files** tab in the Tenant Allow/Block List.

+| [Copilot with commercial data protection](/mem/intune/apps/manage-microsoft-office#copilot-with-commercial-data-protection) | Enable or disable Copilot in Microsoft 365 app by configuring the following setting in the Intune admin center. | com.microsoft.office.officemobile.BingChatEnterprise.IsAllowed |

+| [Data protection settings in M365 for Android](/mem/intune/apps/manage-microsoft-office#data-protection-settings-in-microsoft-365-office) | Enable or disable offline caching when **Save As to Local Storage** is blocked by the app protection policy. | com.microsoft.intune.mam.IntuneMAMOnly.AllowOfflineCachingWhenSaveAsBlocked |

+| [Copilot with commercial data protection](/mem/intune/apps/manage-microsoft-office#copilot-with-commercial-data-protection) | Enable or disable Copilot in Microsoft 365 app by configuring the following setting in the Intune admin center. | com.microsoft.office.officemobile.BingChatEnterprise.IsAllowed |

+| com.microsoft.intune.mam.managedbrowser.EdgeChatPageContext | You can choose whether Bing Chat Enterprise has access to page content. By default, this setting shows the **Page context** and **Show quick chat panel** options under the Bing co-pilot mode. For more information, see [Bing Chat Enterprise](/mem/intune/apps/manage-microsoft-edge#bing-chat-enterprise). |

+| com.microsoft.intune.mam.managedbrowser.AppProxyRedirection | On iOS and Android devices, you can enable Microsoft Entra application proxy redirection scenarios. By default, Microsoft Entra application proxy scenarios are prevented. For more information, see [Manage proxy configuration](/mem/intune/apps/manage-microsoft-edge#manage-proxy-configuration). |

+> Microsoft Purview features work seamlessly with archived content. For example, you can apply retention hold on archived content without needing to unarchive it. Likewise, you can also archive content in retention hold without needing to move or delete it from retention scope.

+- **Durability** ΓÇô All archived data is equally as durable as active SharePoint data.

+The affect of Microsoft 365 Archive on compliance offerings includes the following elements:

+- **Data lifecycle management and records management** ΓÇô Archived sites still honor the retention and deletion periods from any retention policies or retention labels. For more information, see [How retention works with Microsoft 365 Archive](/purview/retention-policies-sharepoint#how-retention-works-with-microsoft-365-archive).

+- **eDiscovery** ΓÇô eDiscovery still finds all content even if archived. However, eDiscovery won't be able to directly reactivate located files. Before exporting or viewing content of an eDiscovery case, the SharePoint admin has to reactivate the relevant sites.

+- **Permissions and access policies** ΓÇô These settings and policies are retained on the site throughout the archive and reactivation lifecycle (that is, archiving the site and then reactivating doesn't change the application of permissions or related access policies).