+You can cancel your subscription at any time in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. However, to receive a refund, you must meet certain refund eligibility requirements. For more information, see [Understand refund eligibility](#understand-refund-eligibility).

+The new **Reports** dashboard is the central location for viewing all communication compliance reports. Report widgets provide a quick view of insights most commonly needed for an overall assessment of the status of communication compliance activities. Information contained in the report widgets isn't exportable. Detailed reports provide in-depth information related to specific communication compliance areas and offer the ability to filter, group, sort, and export information while reviewing.

+### Report widgets

+- **Recent policy matches**: displays the number of matches by active policy over time.

+- **Resolved items by policy**: displays the number of policy match alerts resolved by policy over time.

+- **Users with most policy match**: displays the users (or anonymized usernames) and number of policy matches for a given period.

+- **Policy with most matches**: displays the policies and the number of matches for a given period, ranked highest to lowest for matches.

+- **Escalations by policy**: displays the number of escalations per policy over a given time.

+### Detailed reports

+Use the *Export* option to create a .csv file containing the report details for any detailed report.

+- **Policy settings and status**: provides a detailed look at policy configuration and settings, as well as the general status for each of the policy (matches and actions) on messages. Includes policy information and how policies are associated with users and groups, locations, review percentages, reviewers, status, and when the policy was last modified. Use the *Export* option to create a .csv file containing the report details.

+- **Items and actions per policy**: Review and export matching items and remediation actions per policy. Includes policy information and how policies are associated with:

+- **Item and actions per location**: Review and export matching items and remediation actions per Microsoft 365 location. Includes information about how workload platforms are associated with:

+- **Activity by user**: Review and export matching items and remediation actions per user. Includes information about how users are associated with:

+- **Sensitive information type per location** (preview): Review and export information about the detection of sensitive information types and the associated sources in communication compliance policies. Includes the overall total and the specific breakdown of sensitive information type instances in the sources configured in your organization. The values for each third-party source are displayed in separate columns in the .csv file. Examples are:

+ - **Other**: Sensitive information types used for internal system processing. Selecting or deselecting this source for the report won't affect any values.

+### Message details report (preview)

+Create custom reports and review details for messages contained in specific policies on the **Policies** tab. These reports can be used for all-up reviews of messages and for creating a report snapshot for the status of messages for a customizable time period. After creating a report, you can view and download the details report as a .csv file on the **Message details reports** tab.

+

+To create a new message details report, complete the following steps:

+1. Sign into the Microsoft 365 compliance center with an account that is a member of the *Communication Compliance Investigators* role group.

+2. Navigate to the **Policies** tab, select a policy, and then select **Create message details report**.

+3. On the **Create message details report** pane, enter a name for the report in the **Report name** field.

+4. In **Choose a date range**, select a *Start date* and *End date* for the report.

+5. Select **Create**.

+6. The report creation confirmation is displayed.

+Depending on the number of items in the report, it can take a few minutes to hours before the report is ready to be downloaded. You can check progress on the Message details reports tab. Report status is *In progress* or *Ready to download*. You can have up to 15 separate reports processing simultaneously. To download a report, select a report in the *Ready to download* state and select **Download report**.

+> [!NOTE]

+> If your selected time period doesn't return any message results in the report, there were not any messages for the selected time period. The report will be blank.

+Message details reports contain the following information for each message item in the policy:

+- **Match ID**: unique ID for the message in the policy.

+- **Sender**: the sender of the message.

+- **Recipients**: the recipients included for the message.

+- **Date Sent**: the date the message was sent.

+- **Match Date**: the date the message was a match for the policy conditions.

+- **Subject**: the subject of the message.

+- **Contains Attachments**: the status of any attachments for the message. Values are either Yes or No.

+- **Policy Name**: the name of the policy associated with the message. This value will be the same for all messages in the report.

+- **Item Status**: the status of the message item in the policy. Values are Pending or Resolved.

+- **Tags**: the tags assigned to the message. Values are Questionable, Compliant, or Non-compliant.

+- **Keyword Matches**: keyword matches for the message.

+- **Reviewers**: reviewers assigned to message.

+- **Pending for (days)**: the number of days the message has been in a pending state. For resolved messages, the value is 0.

+- **Comment for resolved**: the comments for the message entered when resolved.

+- **Resolved Date**: the date and time the message was resolved.

+- **Last Updated By**: the user name of the last updater.

+- **Last Updated On**: the date and time the message was last updated.

+- **History of comments**: list of all comments for the message alert, including comment author and date/time of the comment.

+ 4. In the **Recurrence** section, select **Repeat this stage's action…**, and then enter how often you want the action to reoccur.

+ 5. Choose **OK**.

+9. Under **Recurrence**, choose **Repeat this stage's action…** and enter how often you want the action to reoccur.

+ If you want to apply policies to multiple content types in a site collection, and you have a Managed Metadata Service configured, you can use Content Type Publishing to publish out information management policies to multiple site collections. See the section [Apply a policy across site collections](#apply-a-policy-across-site-collections) for more information.

+ By default, [all teams and all users are selected](retention-settings.md#a-policy-that-applies-to-entire-locations), but you can refine this by selecting the [**Choose** and **Exclude** options](retention-settings.md#a-policy-with-specific-inclusions-or-exclusions).

+> The Connectivity Analyzer tool is not compatible with attack surface reduction rule [Block process creations originating from PSExec and WMI commands](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands). You will need to temporarily disable this rule to run the connectivity tool.

+|System extensions |[sysext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/sysext.mobileconfig)

+ > - If you are running Office 365 - KB 4577063 is required.

+ > - If you are on Monthly Enterprise Channel of Microsoft 365 Apps versions 2004-2008, you need to update to version 2009 or later. See [Update history for Microsoft 365 Apps (listed by date)](/officeupdates/update-history-microsoft365-apps-by-date) for current versions. To learn more about known issue, see the Office Suite section of [Release notes for Current Channel releases in 2020](/officeupdates/current-channel#version-2010-october-27).

+Implementing Intune device compliance requires device enrollment. Managing devices allows you to ensure that they are healthy and compliant before allowing them access to resources in your environment. See [Enroll devices for management in Intune](/mem/intune/user-help/enroll-windows-10-device)

+ To check or change this setting, go to the **Records management** solution in the Microsoft 365 compliance center > **Records management** > **Records management settings** > **Retention labels** > **Deletion of items**. There are separate settings for SharePoint and OneDrive.

+

+ Alternatively, and if you don't have access to the **Records management** solution, you can use *AllowFilesWithKeepLabelToBeDeletedSPO* and *AllowFilesWithKeepLabelToBeDeletedODB* from [Get-PnPTenant](/powershell/module/sharepoint-pnp/get-pnptenant) and [Set-PnPTenant](/powershell/module/sharepoint-pnp/set-pnptenant).

+When you apply a retention policy to a location that includes OneNote content, or a retention label to a OneNote folder, behind the scenes, the different OneNote pages and sections are individual files that inherit the retention settings. This means that each section within a page will be individually retained and deleted, according to the retention settings you specify.

+Only pages and sections are impacted by the retention settings that you specify. For example, although you see a **Modified** date for each individual notebook, this date is not used by Microsoft 365 retention.

+After a retention policy is configured for chat and channel messages, a timer job from the Exchange service periodically evaluates items in the hidden mailbox folder where these Teams messages are stored. The timer job typically takes 1-7 days to run. When these items have expired their retention period, they are moved to the SubstrateHolds folderΓÇöanother hidden folder that's in every user or group mailbox to store "soft-deleted" items before they are permanently deleted.

+When messages are permanently deleted from the SubstrateHolds folder, a delete operation is communicated to the backend Azure chat service, that then relays the same operation to the Teams client app. Delays in this communication or caching can explain why, for a short period of time, users who are assigned the policy might still see these messages in their Teams app, but data from these messages isn't returned in eDiscovery searches.

+In this scenario where the Azure chat service receives a delete command because of a retention policy, the corresponding message in the Teams client app is deleted for all users in the conversation. Some of these users might be from another organization, have a retention policy with a longer retention period, or no retention policy assigned to them. For these users, copies of the messages are still stored in their mailboxes and remain searchable for eDiscovery until the messages are permanently deleted by another retention policy.

+> [!IMPORTANT]

+> Messages visible in the Teams app are not an accurate reflection of whether they are retained or permanently deleted for compliance requirements.

+> For additional information about using the advanced query builder, see the following webinars:

+> - [Building Advanced Queries for Users and Groups with Adaptive Policy Scopes](https://mipc.eventbuilder.com/event/52683/occurrence/49452/recording?rauth=853.3181650.1f2b6e8b4a05b4441f19b890dfeadcec24c4325e90ac492b7a58eb3045c546ea)

+> - [Building Advanced Queries for SharePoint Sites with Adaptive Policy Scopes](https://aka.ms/AdaptivePolicyScopes-AdvancedSharePoint)

+3. Select **Advanced deployment guides** and then select **All guides**.

+### Microsoft 365 setup guide

+The [Microsoft 365 setup guide](https://aka.ms/microsoft365setupguide) provides you with guidance when setting up productivity tools, security policies, and device management capabilities. With a Microsoft 365 Business Premium or Microsoft 365 for enterprise subscription, you can use this advisor to set up and configure your organization's devices.

+## Guides for authentication and access

+### Configure multifactor authentication (MFA)

+The [Configure multifactor authentication (MFA) guide](https://admin.microsoft.com/Adminportal/Home?source=applauncher#/featureexplorer/security/ConditionalAccess) provides information to secure your organization against breaches due to lost or stolen credentials. MFA immediately increases account security by prompting for multiple forms of verification to prove a user's identity when they sign in to an app or other company resource. This prompt could be to enter a code on the user's mobile device or to provide a fingerprint scan. MFA is enabled through Conditional Access, security defaults, or per-user MFA. This guide will provide the recommended MFA option for your org, based on your licenses and existing configuration.

+### Identity security for Teams

+The [Identity security for teams guide](https://admin.microsoft.com/Adminportal/Home?source=applauncher#/teamsidentity) helps you with some basic security steps you can take to ensure your users are safe and have the most productive time using **Teams**.

+### Add or sync users to Microsoft 365

+[This guide](https://admin.microsoft.com/Adminportal/Home?source=applauncher#/modernonboarding/identitywizard) will help streamline the process of getting your user accounts set up in **Microsoft 365**. Based on your environment and needs, you can choose to add users individually, migrate your on-premises directory with Azure AD cloud sync or Azure AD Connect, or troubleshoot existing sync problems when necessary.

+### Integrate a third-party cloud app with Azure AD

+[This guide](https://admin.microsoft.com/Adminportal/Home?source=applauncher#/azureadappintegration) helps IT admins to select and configure the App.

+### Microsoft 365 Apps setup guide

+The [Microsoft 365 Apps setup guide](https://aka.ms/OPPquickstartguide) helps you get your users' devices running the latest version of Office products like Word, Excel, PowerPoint, and OneNote. You'll get guidance on the various deployment methods that include easy self-install options to enterprise deployments with management tools. The instructions will help you assess your environment, figure out your specific deployment requirements, and implement the necessary support tools to ensure a successful installation.

+Microsoft Managed Desktop deploys the [Stable channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge, which is auto-updated about every six weeks. Updates on the Stable channel are rolled out [progressively](/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group in order to ensure the best experience for customers.

+The security baseline for Microsoft Edge on Microsoft Managed Desktop devices sets two policies to disable all Chrome extensions and secure users. To enable and deploy extensions in your environment, see Settings you manage.

+Microsoft Managed Desktop sets this policy to prevent Chrome extensions from being installed on managed endpoints. There are known risks associated with the Chromium extension model including data loss protection, privacy, and other risks that can compromise devices.

+**Default value:** Automatically import all supported datatypes and settings from the default browser.

+With this policy applied, the First Run Experience will skip the import section, minimizing user interaction. The browser data from older versions of Microsoft Edge will always be silently migrated at the first run, regardless of this setting.

+description: How to deploy Microsoft 365 Apps, how they're updated, and how settings are managed

+> Microsoft Teams is deployed separately from Microsoft 365 Apps for enterprise and is not included in the base image.

+If a user doesn't have Microsoft 365 Apps on their device for any reason, you can use a package to return the device to its expected state. Add the user to the **Modern Workplace-Office-Office365_Install** group and the apps will become available to them in the Company Portal.

+Microsoft Managed Desktop doesn't support the deployment of the 32-bit version of Microsoft 365 Apps for enterprise.

+Microsoft Managed Desktop staggers each release to identify any potential issues in your environment. We complete the rollout 28 days after the release from the Microsoft 365 App product group. Microsoft Managed Desktop schedules update releases to different groups to allow time for validation and testing as follows:

+- Fast: three days

+- Broad: seven days

+During a release, Microsoft Managed Desktop monitors the error rates of all Microsoft 365 Apps. If we see a significant difference in quality between the new release and the previous release, we might contact you through the Microsoft Managed Desktop Admin portal.

+Depending on the severity, we'll either:

+- Ask if you want to pause the release, or

+- Inform you we've taken action to mitigate an issue.

+Delivery Optimization is a peer-to-peer distribution technology available in Windows 10. It allows devices to share content, such as updates, that the devices downloaded from Microsoft over the internet. Us Delivery Optimization can help reduce network bandwidth, because a device can get portions of the update from another device on its local network instead downloading the update completely from Microsoft.

+[Delivery Optimization](/deployoffice/delivery-optimization) is enabled by default on devices running the Windows 10 Enterprise or Windows 10 Education editions.

+Microsoft manages some settings as a part of the service. Microsoft Managed Desktop doesn't manage an Office Security baseline. However, you can set one yourself by following the guidance in the [Settings you manage](#settings-you-manage) section.

+| Setting | Default value | Description |

+| | | |

+| Set updates to occur automatically | Enabled | This policy is configured in order to ensure that all Office devices can be kept up to date from the cloud. |

+| Set a deadline when updates must be applied | Seven days | The **UpdateDeadline** policy is used to configure the grace period which users have before an update is enforced on the device. This deadline policy also triggers [notifications](/deployoffice/end-user-update-notifications-microsoft-365-apps#notifications-your-users-see-when-you-set-an-update-deadline-for-microsoft-365-apps) to the user to inform them of the changes required on their device. |

+| Defer updates on a device for a period | See description | This policy is configured differently for each update management device group. It's required for Microsoft Managed Desktop to meet its update targets: <ul> <li> Test: zero days </li> <li>First: zero days</li><li>Fast seven days</li><li>Broad: 21 days</li></ul> |

+| Update notification settings | False | The "hide update notifications" setting is set to **False** on Microsoft Managed Desktop devices to provide the best update experience for users by [notifying](/deployoffice/end-user-update-notifications-microsoft-365-apps#notifications-your-users-see-when-you-set-an-update-deadline-for-microsoft-365-apps) them when updates are required.|

+| Specify a location to look for updates | Monthly Enterprise Channel | A combination of the **UpdatePath** and **UpdateChannel** policies is used as needed to achieve the update schedule. These policies are set to ensure that all Office devices receive updates directly from the CDN for the Monthly Enterprise Channel.|

+| Specify the Target Version of Microsoft 365 Apps | See description | The Target Version policy is sometimes used by Microsoft Managed Desktop in order to roll back or pin a specific version of Office.|

+| Hide the option to enable or disable Office automatic updates | Enabled | This setting is required for Microsoft Managed Desktop to meet its update targets for Microsoft 365 Applications. |

+| First run settings | See description | There are several settings that affect the behavior the first time Office is run. |

+| Accept the license terms on behalf of the end user | Disabled | The first time a user opens a Microsoft 365 App, they're prompted to accept the license terms. If you want to accept the license terms on behalf of your users, file a support request with the Microsoft Managed Desktop Operations team, and ask for this setting to be enabled. |

+| Suppress Outlook mobile checkbox | Disabled | The first time a user opens Outlook, they're prompted to install Outlook Mobile. If you don't want your users to see that checkbox, file a support request with the Microsoft Managed Desktop Operations team, and ask for this setting to be enabled for your devices. |

+There are other Microsoft 365 App settings which Microsoft Managed Desktop can optionally configure on your behalf.

+| Setting | Default value | Description |

+| | | |

+| Disable personal OneDrive | Disabled | Some organizations are concerned about users having access to both corporate and personal files on their devices. You can file a support request with the Microsoft Managed Desktop Operations team and ask for this setting to be enabled. |

+There are many other policies which Microsoft Managed Desktop doesn't yet set as a part of our service. You can configure these policies by using Microsoft Intune, which uses the [Office Cloud Policy](/DeployOffice/overview-office-cloud-policy-service#how-the-policy-configuration-is-applied) service. To set these policies, follow these steps:

+1. Select **Apps**.

+1. Select **Policies for Office apps** then select **Create**.

+1. In the **Create policy** configuration page, do the following:

+ - Provide an optional description.

+ - Under **assignments**, choose whether this policy applies to all users of Microsoft 365 Apps for enterprise, or just to users who anonymously access documents using Office for the web.

+ - Select the **AAD-based security group** that is assigned to the policy configuration. Each policy configuration can only be assigned to one group. Each group can only be assigned one policy configuration.

+ - Configure the policy settings to be included in the policy configuration. You can search on the policy setting name to find the policy setting that you want to configure. You can also filter if the policy is a recommended security baseline, and if the policy has been configured. The platform column indicates whether the policy is applied to Microsoft 365 Apps for enterprise for Windows devices, Office for the web, or all.

+1. After you have made your selections, select **Create**.

+Microsoft Managed Desktop uses [OneDrive for Business](/onedrive/plan-onedrive-enterprise) as a cloud storage service for all Microsoft Managed Desktop devices. It ensures that the devices are as stateless as possible. Users will be able to find their files no matter which device they sign into. For example, if you replace a Microsoft Managed Desktop device with a new one, the files will automatically sync to the new device.

+| Feature | Description |

+| | |

+| Silent configuration | OneDrive is silently configured with the user account. It automatically signs in, without user interaction, to the user account that was used to sign into Windows. For more information, see [Silently configure user accounts - OneDrive](/onedrive/use-silent-account-configuration) |

+| Files-On-Demand | The Files-On-Demand feature enables users to access files from their cloud storage in OneDrive without having to use disk space unnecessarily. For more information, see [Save disk space with OneDrive Files On-Demand for Windows 10](https://support.microsoft.com/office/save-disk-space-with-onedrive-files-on-demand-for-windows-10-0e6860d3-d9f3-4971-b321-7092438fb38e). |

+| Known Folder Move | The Known Folder Move feature is enabled silently to back up usersΓÇÖ data in the cloud, which gives them access to their files from any device. For more information, see [Back up your Documents, Pictures, and Desktop folders with OneDrive](https://support.microsoft.com/office/back-up-your-documents-pictures-and-desktop-folders-with-onedrive-d61a7930-a6fb-4b95-b28a-6552e77c3057). <p> Users can't disable the Known Folder Move feature or change the location of known folders to ensure a consistent experience across Microsoft Managed Desktop devices.</p>|

+When Microsoft Managed Desktop users receive a new device, they go through a first-run experience, by entering their Azure credentials, while setting up the device. After this process is completed, they can access their desktop and have the OneDrive experience.

+1. The system tells users that OneDrive has been configured and that they've been automatically signed into OneDrive.

+3. To prevent duplicate icons on the desktop when devices are reset or reimaged, the system automatically removes Microsoft Edge and Microsoft Teams icons from the OneDrive sync. This information is shown in File Explorer.

+If you need to restrict the OneDrive sync, we recommend that you control access with an Azure Active Directory conditional access policy. For more information, see

+1. Sign in to the OneDrive admin center.

+1. In the left pane, select **Sync**.

+1. Select the **Allow syncing only on PCs joined to specific domains** checkbox, and then add the tenant ID to the list of domains. For more information, see [Allow syncing only on computers joined to specific domains](/onedrive/allow-syncing-only-on-specific-domains).

+> This guidance applies only to tenants in Microsoft Managed Desktop. There are other settings in use that aren't discussed in this article.

+[Teams](https://www.microsoft.com/microsoft-365/microsoft-teams/group-chat-software) is a [messaging app](https://support.microsoft.com/office/microsoft-teams-basics-6d5f52e6-5306-4096-ac24-c3082b79eaf0) that also provides a workspace for real-time collaboration and communication, meetings, and file and app sharing.

+Most hardware vendors don't yet include Teams as a part of their images. Microsoft Managed Desktop deploys Teams to your devices by using Microsoft Intune. All managed devices have the [Teams .msi package](/MicrosoftTeams/msi-deployment#how-the-microsoft-teams-msi-package-works) installed. The .msi package ensures all users, who sign in to a device, have Microsoft Teams ready to use. When the package first finishes installing, Teams automatically starts and adds a shortcut to the desktop.

+Microsoft Managed Desktop adds two applications to your Azure AD organization for Microsoft Teams. They're deployed to either 64-bit or 32-bit clients as appropriate for the device:

+Teams follows a separate update path from Microsoft 365 Apps for enterprise. The desktop client updates itself automatically. Teams checks for updates every few hours, downloads them, and then waits for the computer to be idle before silently installing the update.

+Individual users can also download updates. At the top right of the app, in the Profile dropdown, select **Check for updates**. If an update is available, it will be downloaded and silently installed when the computer is idle.

+Delivery optimization for Teams updates is turned on by default and requires no action from admins or users.

+You can submit support tickets or feedback requests to Microsoft using the Microsoft Managed Desktop Admin portal. Support requests are always prioritized over feedback submissions.

+Incident | You require the Microsoft Managed Desktop Operations team to investigate a user issue. For example, a widespread impact of a change or service outage.

+Email is the recommended approach to interact with our team. You can see the summary status of all your support requests. At any time, you can use the portal to see all Active support requests in the last six months.

+The initial response time is the period from when you submit your support request until a Microsoft Managed Desktop engineer contacts you, and starts working on your support request. The initial response time varies with the business impact of the request. It's based on the severity of the request.

+| **Severity A: <br> Critical Impact** | **Critical business impact** <br>Your business has significant loss or degradation of services and requires immediate attention.<p>**Major application compatibility impact**<br>Your entire business is experiencing financial impact due to devices not responding or loss of critical functionality. | **Initial:** < 1 hour <p> **Update**: 60 minutes <br> 24-hour support every day is available.</p> | When you select Severity A, you confirm that the issue has critical business impact, with severe loss and degradation of services. <p> The issue demands an immediate response, and you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft can, at its discretion, decrease the Severity to level B.</p><p> You also ensure that Microsoft has your accurate contact information.</p>

+**Severity B: <br> Moderate Impact** | **Moderate business impact**<br>Your business has moderate loss or degradation of services, but work can reasonably continue in an impaired manner.<p>**Moderate application compatibility impact**<br>A specific business group is no longer productive, due to devices not responding or loss of critical functionality.| **Initial**: < 4 hours. <p> **Update**: 12 hours; 24 hours a day during admin support hours (Monday through Friday).| When you select Severity B, you confirm that the issue has moderate impact to your business with loss and degradation of services. However, workarounds enable reasonable, albeit temporary, business continuity. <p> The issue demands an urgent response. If you select all day every day support when you submit the support request, you commit to continuous engagement every day with the Microsoft team until resolution. Otherwise, Microsoft might, at its discretion, decrease the severity to level C. If you select admin support-hours support when you submit a Severity B incident, Microsoft will contact you during admin support hours only.</p> <p>You also ensure that Microsoft has your accurate contact information.</p>

+**Severity C: <br> Minimal Impact** | **Minimum business impact**<br> Your business is functioning with minor impediments of services.<p>**Minor application compatibility impact**<br>Potentially unrelated users experience minor compatibility issues that don't prevent productivity. | **Initial**: < 8 hours.<p> **Update**: 24 hours; Support 24 hours a day during admin support hours (Monday through Friday). | When you select Severity C, you confirm that the issue has minimum impact to your business with minor impediment of service.<p> For a Severity C incident, Microsoft will contact you during admin support hours only.</p> <p> You also ensure that Microsoft has your accurate contact information.</p>

+| Request condition | Description |

+| Application compatibility | For an application compatibility issue to be considered, there must be a reproducible error. The error must use the same version of the application, between the previous and current version of Windows, or Microsoft 365 Apps for enterprise. <p> To resolve application compatibility issues, we require a point of contact in your organization to work with. The contact must work directly with our Fast Track team to investigate and resolve the issue.</p> |

+| Customer response time | If you aren't able to meet the expected response requirements, we'll downgrade the request by one severity level to the minimum severity level (Severity C). <p> If you're unresponsive to requests for action, we'll mitigate and close the support request within 48 hours of the last request.</p> |

+This section includes information about your day-to-day life with the service:

+##### [ASR rules deployment guide]()

+###### [ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

+###### [Phase 1: Plan](attack-surface-reduction-rules-deployment-plan.md)

+###### [Phase 2: Test](attack-surface-reduction-rules-deployment-test.md)

+###### [Phase 3: Implement](attack-surface-reduction-rules-deployment-implement.md)

+###### [Phase 4: Operationalize](attack-surface-reduction-rules-deployment-operationalize.md)

+ Title: Attack surface reduction rules deployment Phase 3 - implement

+description: Provides guidance to implement your attack surface reduction rules deployment.

+keywords: Attack surface reduction rules deployment, ASR deployment, enable asr rules, configure ASR, host intrusion prevention system, protection rules, anti-exploit rules, anti-exploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules

+search.product: eADQiWindows 10XVcnh

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mde

+# Phase 3 - implement

+The implementation phase moves the ring from testing into functional state.

+> [!div class="mx-imgBorder"]

+> 

+## Step 1: Transition ASR Rules from Audit to Block

+1. After all exclusions are determined while in audit mode, start setting some ASR rules to "block" mode, starting with the rule that has the fewest triggered events. SeeΓÇ¥ [Enable attack surface reduction rules](enable-attack-surface-reduction.md).

+2. Review the reporting page in the Microsoft 365 Defender portal; see [Threat protection report in Microsoft Defender for Endpoint](threat-protection-reports.md). Also review feedback from your ASR champions.

+3. Refine exclusions or create new exclusions as determined necessary.

+4. Switch problematic rules back to Audit.

+ >[!Note]

+ >For problematic rules (rules creating too much noise), it is better to create exclusions than to turn rules off or switching back to Audit. You will have to determine what is best for your environment.

+ >[!Tip]

+ >When available, take advantage of the Warn mode setting in rules to limit disruptions. Enabling ASR rules in Warn mode enables you to capture triggered events and view their potential disruptions, without actually blocking end-user access. Learn more: [Warn mode for users](attack-surface-reduction.md#warn-mode-for-users).

+### How does Warn mode work?

+Warn mode is effectively a Block instruction, but with the option for the user to ΓÇ£UnblockΓÇ¥ subsequent executions of the given flow or app. Warn mode unblocks on a per device, user, file and process combination. The warn mode information is stored locally and has a duration of 24 hours.

+### Step 2: Expand deployment to ring n + 1

+When you are confident that you have correctly configured the ASR rules for ring 1, you can widen the scope of your deployment to the next ring (ring n + 1).

+The deployment process, steps 1 ΓÇô 3, is essentially the same for each subsequent ring:

+1. Test rules in Audit

+2. Review ASR-triggered audit events in the Microsoft 365 Defender portal

+3. Create exclusions

+4. Review: refine, add, or remove exclusions as necessary

+5. Set rules to ΓÇ£blockΓÇ¥

+6. Review the reporting page in the Microsoft 365 Defender portal.

+7. Create exclusions.

+8. Disable problematic rules or switch them back to Audit.

+#### Customize attack surface reduction rules

+As you continue to expand your attack surface reduction rules deployment, you may find it necessary or beneficial to customize the attack surface reduction rules that you have enabled.

+##### Exclude files and folders

+You can choose to exclude files and folders from being evaluated by attack surface reduction rules. When excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.

+For example, consider the ransomware rule:

+The ransomware rule is designed to help enterprise customers reduce risks of ransomware attacks while ensuring business continuity. By default, the ransomware rule errors on the side of caution and protect against files that haven't yet attained sufficient reputation and trust. To reemphasize, the ransomware rule only triggers on files that have not gained enough positive reputation and prevalence, based on usage metrics of millions of our customers. Usually, the blocks are self resolved, because each file's "reputation and trust" values are incrementally upgraded as non-problematic usage increases.

+In cases in which blocks aren't self resolved in a timely manner, customers can - _at their own risk_ - make use of either the self-service mechanism or an Indicator of Compromise (IOC)-based "allow list" capability to unblock the files themselves.

+> [!WARNING]

+> Excluding or unblocking files or folders could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.

+An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule.

+An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.

+Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).

+If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).

+See the [attack surface reduction rules reference](attack-surface-reduction-rules-reference.md) topic for details on each rule.

+##### Use Group Policy to exclude files and folders

+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.

+2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.

+3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Microsoft Defender Exploit Guard** \> **Attack surface reduction**.

+4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.

+> [!WARNING]

+> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.

+##### Use PowerShell to exclude files and folders

+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.

+2. Enter the following cmdlet:

+ ```PowerShell

+ Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"

+ ```

+ Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list.

+ > [!IMPORTANT]

+ > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.

+##### Use MDM CSPs to exclude files and folders

+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.

+##### Customize the notification

+You can customize the notification for when a rule is triggered and blocks an app or file. See the [Windows Security](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center#customize-notifications-from-the-windows-defender-security-center) article.

+## Additional topics in this deployment collection

+[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

+[Phase 1: Plan](attack-surface-reduction-rules-deployment-plan.md)

+[Phase 2: Test](attack-surface-reduction-rules-deployment-test.md)

+[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-operationalize.md)

+ Title: Attack surface reduction rules deployment Phase 4 - operationalize

+description: Provides guidance to operationalize your attack surface reduction rules deployment.

+keywords: Attack surface reduction rules deployment, ASR deployment, enable asr rules, configure ASR, host intrusion prevention system, protection rules, anti-exploit rules, anti-exploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules

+search.product: eADQiWindows 10XVcnh

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mde

+# Phase 4 - operationalize

+After you've fully deployed ASR rules, it's vital that you have processes in place to monitor and respond to ASR-related activities.

+## Manage false positives

+False positives/negatives can occur with any threat protection solution. False positives are cases in which an entity (such as a file or process) is detected and identified as malicious, although the entity isn't actually a threat. In contrast, a false negative is an entity that wasn't detected as a threat but is malicious. For more information about false positives and false negatives, see: [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)

+## Keeping up with reports

+Consistent, regular review of reports is an essential aspect of maintaining your ASR rules deployment and keeping abreast of newly emerging threats. Your organization should have scheduled reviews of ASR rules events on a cadence that will keep current with ASR rules-reported events. Depending on the size of your organization, reviews might be daily, hourly, or continuous monitoring.

+## Hunting

+One of the most powerful features of [Microsoft 365 Defender](https://security.microsoft.com) is advanced hunting. If you're not familiar with advanced hunting, see: [Proactively hunt for threats with advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview).

+> [!div class="mx-imgBorder"]

+> 

+Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that lets you explore up to 30 days of the captured (raw) data that Microsoft Defender ATP Endpoint Detection and Response (EDR) collects from all your machines. Through advanced hunting, you can proactively inspect events in order to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.

+Through advanced hunting, it is possible to extract ASR rules information, create reports, and get in-depth information on the context of a given ASR rule audit or block event.

+ You can query ASR rules events from the DeviceEvents table in the advanced hunting section of the Microsoft 365 Defender portal. For example, a simple query such as the one below can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it will be the actual codename of the ASR rule.

+> [!div class="mx-imgBorder"]

+> 

+> [!div class="mx-imgBorder"]

+> 

+The above shows that 187 events were registered for AsrLsassCredentialTheft:

+- 102 for Blocked

+- 85 for Audited

+- 2 events for AsrOfficeChildProcess (1 for Audited and 1 for Block)

+- 8 events for AsrPsexecWmiChildProcessAudited

+If you want to focus on the AsrOfficeChildProcess rule and get details on the actual files and processes involved, change the filter for ActionType and replace the summarize line with a projection of the wanted fields (in this case they are DeviceName, FileName, FolderPath, etc.).

+> [!div class="mx-imgBorder"]

+> 

+> [!div class="mx-imgBorder"]

+> 

+The true benefit of advanced hunting is that you can shape the queries to your liking. By shaping your query you can see the exact story of what was happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.

+For more information about hunting options, see: [Demystifying attack surface reduction rules - Part 3](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-3/ba-p/1360968).

+## Topics in this deployment collection

+[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

+[Phase 1: Plan](attack-surface-reduction-rules-deployment-plan.md)

+[Phase 2: Test](attack-surface-reduction-rules-deployment-test.md)

+[Phase 3: Implement](attack-surface-reduction-rules-deployment-implement.md)

+ Title: Attack surface reduction rules deployment Phase 1 - plan

+description: Provides guidance to plan your attack surface reduction rules deployment.

+keywords: Attack surface reduction rules deployment, ASR deployment, enable asr rules, configure ASR, host intrusion prevention system, protection rules, anti-exploit rules, anti-exploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules

+search.product: eADQiWindows 10XVcnh

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mde

+# Phase 1: plan

+Starting to test ASR rules involves starting with the right business unit. YouΓÇÖll want to start with a small group of people in a specific business unit. You can identify some ASR champions within a particular business unit who can provide real-world impact to the ASR rules and help you tune your implementation.

+> [!div class="mx-imgBorder"]

+> 

+## Start with the right business unit

+How you select the business unit to roll out your ASR rules deployment will depend on factors such as:

+- Size of business unit

+- Availability of ASR rules champions

+- Distribution and usage of:

+ - Software

+ - Shared folders

+ - Use of scripts

+ - Office macros

+ - Other entities affected by ASR rules

+Depending on your business needs, you might decide to include multiple business units to get a broad sampling of software, shared folders, scripts, macros, etc. Conversely, you might decide to limit the scope of your first ASR rules rollout to a single business unit, then repeat the entire ASR rules rollout process to your other business units, one-at-a-time.

+## Identify ASR rules champions

+ASR rules champions are members in your organization that will help with your initial ASR rules rollout during the preliminary testing and implementation phases. Your champions are typically employees who are more technically adept, and who are not derailed by intermittent work-flow outages. The champions' involvement will continue throughout the broader expansion of ASR rules deployment to your organization. Your ASR rules champions will be first to experience each level of the ASR rules rollout.

+It is important to provide a feedback and response channel for your ASR rules champions to alert you to ASR rules-related work disruptions and receive ASR rules-rollout related communications.

+## Get inventory of line-of-business apps and understand the business unit processes

+Having a full understanding of the applications and per-business-unit processes that are used across your organization is critical to a successful ASR rules deployment. Additionally, it is imperative that you understand how those apps are used within the various business units in your organization.

+To start, you should get an inventory of the apps that are approved for use across the breadth of the organization. You can use tools such as the Microsoft 365 Apps admin center to help you inventory software applications. See: [Overview of inventory in the Microsoft 365 Apps admin center](/deployoffice/admincenter/inventory).

+## Define reporting and response team roles and responsibilities

+Clearly articulating roles and responsibilities of persons responsible for monitoring and communicating ASR rules status and activity is a core activity of ASR maintenance. Therefore, it is important to determine:

+- The person or team responsible for gathering reports

+- How and with whom reports are shared

+- How escalation is addressed for newly identified threats or unwanted blockages caused by ASR rules

+Typical roles and responsibilities include:

+- IT admins: Implement ASR rules, manage exclusions. Work with different business units on apps and processes. Assembling and sharing reports to stakeholders

+- Certified security operations center (CSOC) analyst: Responsible for investing high-priority, blocked processes, to determine wither the threat is valid or not

+- Chief information security officer (CISO): Responsible for the overall security posture and health of the organization

+## Ring deployment

+For large enterprises, Microsoft recommends deploying ASR rules in ΓÇ£rings.ΓÇ¥ Rings are groups of devices that are visually represented as concentric circles that radiate outward like non-overlapping tree rings. When the innermost ring is successfully deployed, you can transition the next ring into the testing phase. Thorough assessment of your business units, ASR rules champions, apps, and processes is imperative to defining your rings.

+In most cases, your organization will have designed deployment rings for phased rollouts of Windows updates. You can use your existing ring design to implement ASR rules.

+See: [Create a deployment plan for Windows](/windows/deployment/update/create-deployment-plan)

+## Additional topics in this deployment collection

+[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

+[Phase 2: Test](attack-surface-reduction-rules-deployment-test.md)

+[Phase 3: Implement](attack-surface-reduction-rules-deployment-implement.md)

+[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-operationalize.md)

+ Title: Attack surface reduction rules deployment Phase 2 - test

+description: Provides guidance to test your attack surface reduction rules deployment.

+keywords: Attack surface reduction rules deployment, ASR deployment, enable asr rules, configure ASR, host intrusion prevention system, protection rules, anti-exploit rules, anti-exploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules

+search.product: eADQiWindows 10XVcnh

+ms.mktglfcycl: manage

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mde

+# Phase 2 - test

+Begin your ASR rules deployment with ring 1.

+> [!div class="mx-imgBorder"]

+> 

+## Step 1: Test ASR rules using Audit

+Begin the testing phase by turning on the ASR rules with the rules set to Audit, starting with your champion users or devices in ring 1. Typically, the recommendation is that you enable all the rules (in Audit) so that you can determine which rules are triggered during the testing phase. Note that rules that are set to Audit do not generally impact functionality of the entity or entities to which the rule is applied but do generate logged events for the evaluation; there is no effect on end users.

+### Configure ASR Rules using MEM

+You can use Microsoft Endpoint Manager (MEM) Endpoint Security to configure custom ASR rules.

+1. Open [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#home)

+2. Go to **Endpoint Security** > **Attack surface reduction**.

+3. Select **Create Policy**.

+4. In **Platform**, select **Windows 10 and later**, and in **Profile**, select **Attack surface reduction rules**.

+

+ > [!div class="mx-imgBorder"]

+ > 

+5. Click **Create**.

+6. In the **Basics** tab of the **Create profile** pane, in **Name** add a name for your policy. In **Description** add a description for your ASR rules policy.

+7. In the **Configuration settings** tab, under **Attack Surface Reduction Rules**, set all rules to **Audit mode**.

+ > [!div class="mx-imgBorder"]

+ > 

+ >[!Note]

+ >There are variations in some ASR rules mode listings; _Blocked_ and _Enabled_ provide the same functionality.

+8. [Optional] In the **Scope tags** pane, you can add tag information to specific devices. You can also use role-based access control and scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. Learn more: [Use role-based access control (RBAC) and scope tags for distributed IT in Intune](/mem/intune/fundamentals/scope-tags).

+9. In the **Assignments** pane, you can deploy or "assign" the profile to your user or device groups. Learn more: [Assign device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign#exclude-groups-from-a-profile-assignment)

+10. Review your settings in the **Review + create** pane. Click **Create** to apply the rules.

+ > [!div class="mx-imgBorder"]

+ > 

+Your new attack surface reduction policy for ASR rules is listed in **Endpoint security | Attack surface reduction**.

+ > [!div class="mx-imgBorder"]

+ > 

+## Step 2: Understand the Attack surface reduction rules reporting page in the Microsoft 365 Defender portal

+The ASR rules reporting page is found in **Microsoft 365 Defender portal** > **Reports** > **Attack surface reduction rules**. This page has three tabs:

+- Detections

+- Configuration

+- Add exclusions

+### Detections tab

+Provides a 30-day timeline of detected audit and blocked events.

+> [!div class="mx-imgBorder"]

+> 

+The Attack Surface reduction rules pane provides an overview of detected events on a per-rule basis.

+>[!Note]

+>There are some variations in ASR rules reports. Microsoft is in the process of updating the behavior of the ASR rules reports to provide a consistent experience.

+> [!div class="mx-imgBorder"]

+> 

+Click **View detections** to open the **Detections** tab.

+> [!div class="mx-imgBorder"]

+> 

+The **GroupBy** and **Filter** pane provide the following options:

+The **GroupBy** returns results set to the following groups:

+- No grouping

+- Detected file

+- Audit or block

+- Rule

+- Source app

+- Device

+- User

+- Publisher

+> [!div class="mx-imgBorder"]

+> 

+**Filter** opens the **Filter on rules** page, which enables you to scope the results to only the selected ASR rules:

+> [!div class="mx-imgBorder"]

+> 

+>[!Note]

+>If you have a Microsoft Microsoft 365 Security E5 or A5, Windows E5 or A5 license, the following link opens the Microsoft Defender 365 Reports > [Attack surface reductions](https://security.microsoft.com/asr?viewid=detections) > Detections tab.

+### Configuration tab

+Lists ΓÇô on a per-computer basis ΓÇô the aggregate state of ASR rules: Off, Audit, Block.

+> [!div class="mx-imgBorder"]

+> 

+On the Configurations tab, you can check ΓÇô on a per-device basis ΓÇô which ASR rules are enabled, and in which mode, by selecting the device for which you want to review ASR rules.

+> [!div class="mx-imgBorder"]

+> 

+The **Get started** link opens the Microsoft Endpoint Manager admin center, where you can create or modify an endpoint protection policy for ASR:

+> [!div class="mx-imgBorder"]

+> 

+In Endpoint security | Overview, select **Attack surface reduction**:

+> [!div class="mx-imgBorder"]

+> 

+The Endpoint Security | Attack surface reduction pane opens:

+> [!div class="mx-imgBorder"]

+> 

+>[!Note]

+>If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Configurations](https://security.microsoft.com/asr?viewid=configuration) tab.

+### Add exclusions

+This tab provides a method to select detected entities (for example, false positives) for exclusion. When exclusions are added, the report provides a summary of the expected impact.

+>[!Note]

+> Microsoft Defender Antivirus AV exclusions are honored by ASR rules. See [Configure and validate exclusions based on extension, name, or location](configure-extension-file-exclusions-microsoft-defender-antivirus.md).

+> [!div class="mx-imgBorder"]

+> 

+> [!Note]

+>If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Exclusions](https://security.microsoft.com/asr?viewid=exclusions) tab.

+### Use PowerShell as an alternative method to enable ASR rules

+You can use PowerShell - as an alternative to MEM - to enable ASR rules in audit mode to view a record of apps that would have been blocked if the feature was fully enabled. You can also get an idea of how often the rules will fire during normal use.

+To enable an attack surface reduction rule in audit mode, use the following PowerShell cmdlet:

+```PowerShell

+Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode

+```

+Where `<rule ID>` is a [GUID value of the attack surface reduction rule](attack-surface-reduction-rules-reference.md).

+To enable all the added attack surface reduction rules in audit mode, use the following PowerShell cmdlet:

+```PowerShell

+(Get-MpPreference).AttackSurfaceReductionRules_Ids | Foreach {Add-MpPreference -AttackSurfaceReductionRules_Ids $_ -AttackSurfaceReductionRules_Actions AuditMode}

+```

+> [!TIP]

+> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).

+You can also use Group Policy, Intune, or mobile device management (MDM) configuration service providers (CSPs) to configure and deploy the setting. Learn more in the main [Attack surface reduction rules](attack-surface-reduction.md) article.

+## Use Windows Event Viewer Review as an alternative to the attack surface reduction rules reporting page in the Microsoft 365 Defender portal

+To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.

+Event ID | Description

+-|-

+ 5007 | Event when settings are changed

+ 1121 | Event when an attack surface reduction rule fires in block mode

+ 1122 | Event when an attack surface reduction rule fires in audit mode

+## Additional topics in this deployment collection

+[ASR rules deployment overview](attack-surface-reduction-rules-deployment.md)

+[Phase 1: Plan](attack-surface-reduction-rules-deployment-plan.md)

+[Phase 3: Implement](attack-surface-reduction-rules-deployment-implement.md)

+[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-operationalize.md)

+[Phase 1: Plan](attack-surface-reduction-rules-deployment-plan.md)

+[Phase 2: Test](attack-surface-reduction-rules-deployment-test.md)

+[Phase 3: Implement](attack-surface-reduction-rules-deployment-implement.md)

+[Phase 4: Operationalize](attack-surface-reduction-rules-deployment-operationalize.md)

+# Attack surface reduction rules overview

+Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) with your company details and contact information.

+- Windows Server 2012 R2 (Preview)

+- Windows Server 2016 (Preview)

+Get the current list of attack surface reduction rules GUIDs from [Attack surface reduction rules deployment phase 3: implement](attack-surface-reduction-rules-deployment-implement.md). For additional, per rules details, see [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md)

+|Spreadsheet of domains list| Description|

+|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)

+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)

+> The Connectivity Analyzer tool's cloud connectivity checks are not compatible with Attack Surface Reduction rule [Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules-reference.md#block-process-creations-originating-from-psexec-and-wmi-commands). You will need to temporarily disable this rule, to run the connectivity tool. Alternatively, you can temporarily add [ASR exclusions](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) when running the analyzer.

+- Windows Server 2012 R2 does not automatically include Microsoft Defender Antivirus. When you onboard those servers to Defender for Endpoint, you will install Windows Defender Antivirus, and exclusions for operating system files are included by default. However, automatic exclusions for server roles don't work, and you should add exclusions as appropriate. To learn more, see [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md).

+Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

+You can query Microsoft Defender for Endpoint data by using [Advanced hunting](advanced-hunting-overview.md). If you're using [audit mode](audit-windows-defender.md), you can use [advanced hunting](advanced-hunting-overview.md) to see how controlled folder access settings would affect your environment if they were enabled.

+ \\\fileserver.fqdn\mdatp$\wdav-update

+You can customize the list of devices that are used to perform Standard discovery. You can either enable Standard discovery on all the onboarded devices that also support this capability (currently Windows 10 or later and Windows Server 2019 or later devices only) or select a subset or subsets of your devices by specifying their device tags. In this case, all other devices will be configured to run Basic discovery only. The configuration is available in the device discovery settings page.

+Onboarded devices running on Windows 10 version 1809 or later, Windows 11, Windows Server 2019, or Windows Server 2022 can perform discovery.

+By default, all onboarded devices running on Windows 10 version 1809 or later, Windows 11, Windows Server 2019, or Windows Server 2022 are capturing and analyzing the following protocols:

+ - In **OMA-URI**, type or paste the specific OMA-URI link for the rule that you are adding. Refer to the MDM section in this article for the OMA-URI to use for this example rule. For attack surface reduction rule GUIDS, see [Per rule descriptions](attack-surface-reduction-rules-reference.md#per-rule-descriptions) in the topic: Attack surface reduction rules.

+2. Choose the type of device to add. You can choose to add Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, and Linux (Ubuntu).

+2. For **Windows devices**: save the RDP file and launch it by selecting **Connect**.<br>

+ For **Linux devices**: you'll need to use a local SSH client and the provided command.

+When a mitigation is found on the device, a notification will be displayed from the Action Center. You can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

+|Spreadsheet of domains list| Description|

+|||

+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)

+

+ If it is not enabled, execute the following command:

+

+ ```bash

+ mdatp config real-time-protection --value enabled

+ ```

+7. Copy the file SignatureDownloadCustomTask.ps1 to the folder you previously created, `C:\Tool\PS-Scripts\` .

+ > When the scheduled tasks are created, you can find these in the Task Scheduler under `Microsoft\Windows\Windows Defender`.

+9. Run each task manually and verify that you have data (`mpam-d.exe`, `mpam-fe.exe`, and `nis_full.exe`) in the following folders (you might have chosen different locations):

+ - `C:\Temp\TempSigs\x86`

+ - `C:\Temp\TempSigs\x64`

+10. Create a share pointing to `C:\Temp\TempSigs` (e.g., `\\server\updates`).

+ > At a minimum, authenticated users must have "Read" access. This requirement also applies to domain computers, the share, and NTFS (security).

+- [Microsoft Defender for Endpoint Plans 1 and 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+<summary>January-2022 (Platform: 4.18.2201.x | Engine: 1.1.18900.2)</summary>

+&ensp;Security intelligence update version: **1.357.8.0**<br/>

+&ensp;Released: **February 2, 2022**<br/>

+&ensp;Platform: **4.18.2201.x**<br/>

+&ensp;Engine: **1.1.18900.2**<br/>

+&ensp;Support phase: **Security and Critical Updates**<br/>

+Engine version: 1.1.18900.2 <br/>

+Security intelligence update version: 1.357.8.0 <br/>

+### What's new

+- Behavior monitoring improvements in filtering performance

+### Known Issues

+No known issues

+<br/><br/>

+</details><details>

+<summary>November-2021 (Platform: 4.18.2111.5 | Engine: 1.1.18800.4)</summary>

+<summary> October-2021 (Platform: 4.18.2110.6 | Engine: 1.1.18700.4)</summary>

+</details>

+### Previous version updates: Technical upgrade support only

+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.<br/><br/>

+<details>

+&ensp;Support phase: **Technical upgrade support (only)**<br/>

+</details><details>

+> - [Attack surface reduction rules deployment phase 3: implement](attack-surface-reduction-rules-deployment-implement.md)

+|Spreadsheet of domains list| Description|

+|Microsoft Defender for Endpoint URL list for commercial customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)

+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)

+|

+|Spreadsheet of domains list| Description|

+|Microsoft Defender for Endpoint URL list for commercial customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)

+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)

+|

+When network protection blocks a connection, a notification is displayed from the Action Center. Your security operations team can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) with your organization's details and contact information. In addition, individual attack surface reduction rules can be enabled and customized to suit certain techniques to monitor.

+The machine ID can be found in the URL when you select the device. Generally, it is a 40 digit alphanumeric number that can be found in the URL.

+| Audit applies to individual rules | [Step 1: Test ASR rules using Audit](attack-surface-reduction-rules-deployment-test.md#step-1-test-asr-rules-using-audit) | [Step 2: Understand the Attack surface reduction rules reporting page](attack-surface-reduction-rules-deployment-test.md#step-2-understand-the-attack-surface-reduction-rules-reporting-page-in-the-microsoft-365-defender-portal) |

+When you open the portal, you'll see the Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it).

+|Spreadsheet of domains list| Description|

+|Microsoft Defender for Endpoint URL list for commercial customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)

+| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)

+The Command Prompt window will close automatically. If successful, a new alert will appear in the portal for the onboarded device in about ten minutes.

+To add an exclusion, see [Customize Attack surface reduction](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules).

+- Evaluation lab enhancements: You can now add Windows 11 and Linux devices to the lab.

+- [Jailbreak detection on iOS](/microsoft-365/security/defender-endpoint/ios-configure-features#conditional-access-with-defender-for-endpoint-on-ios) <br> Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see [Setup Conditional Access Policy based on device risk signals](/microsoft-365/security/defender-endpoint/ios-configure-features).

+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

+This article recommends methods for enrolling devices into management using Intune. For more information about these methods and how to deploy each one, see [Deployment guidance: Enroll devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment).

+## iOS and iPadOS enrollment

+2. Click **'Create'** to create a Test Base account.