Updates from: 03/16/2024 08:46:39
Category Microsoft Docs article Related commit history on GitHub Change details
enterprise Assessing Network Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assessing-network-connectivity.md
Title: "Assessing Microsoft 365 network connectivity"
Previously updated : 08/10/2020 Last updated : 03/15/2024 audience: ITPro
ms.localizationpriority: medium
- scotvorg - Ent_O365
+- must-keep
f1.keywords: - CSH
Microsoft 365 is designed to enable customers all over the world to connect to t
Customers planning to use Microsoft 365 should assess their existing and forecasted internet connectivity needs as a part of the deployment project. For enterprise class deployments reliable and appropriately sized internet connectivity is a critical part of consuming Microsoft 365 features and scenarios.
-Network evaluations can be performed by many different people and organizations depending on your size and preferences. The network scope of the assessment can also vary depending on where you're at in your deployment process. To help you get a better understanding of what it takes to perform a network assessment, we've produced a network assessment guide to help you understand the options available to you. This assessment will determine what steps and resources need to be added to the deployment project to enable you to successfully adopt Microsoft 365.
+Network evaluations can be performed by many different people and organizations depending on your size and preferences. The network scope of the assessment can also vary depending on where you're at in your deployment process. To help you get a better understanding of what it takes to perform a network assessment, we've produced a network assessment guide to help you understand the options available to you. This assessment determines what steps and resources need to be added to the deployment project to enable you to successfully adopt Microsoft 365.
-A comprehensive network assessment will provide possible solutions to networking design challenges along with implementation details. Some network assessments will show that optimal network connectivity to Microsoft 365 can be accommodated with minor configuration or design changes to the existing network and internet egress infrastructure.
+A comprehensive network assessment provides possible solutions to networking design challenges along with implementation details. Some network assessments show that optimal network connectivity to Microsoft 365 can be accommodated with minor configuration or design changes to the existing network and internet egress infrastructure.
-Some assessments will indicate network connectivity to Microsoft 365 will require additional investments in networking components. For example, enterprise networks that span branch offices and multiple geographic regions may require investments in SD-WAN solutions or optimized routing infrastructure to support internet connectivity to Microsoft 365. Occasionally an assessment will indicate network connectivity to Microsoft 365 is influenced by regulation or performance requirements for scenarios such as [Skype for Business Online media quality](https://support.office.com/article/Media-Quality-and-Network-Connectivity-Performance-in-Skype-for-Business-Online-5fe3e01b-34cf-44e0-b897-b0b2a83f0917). These additional requirements may lead to investments in internet connectivity infrastructure, routing optimization, and specialized direct connectivity.
+Some assessments indicate network connectivity to Microsoft 365 will require additional investments in networking components. For example, enterprise networks that span branch offices and multiple geographic regions might require investments in SD-WAN solutions or optimized routing infrastructure to support internet connectivity to Microsoft 365. Occasionally an assessment indicates network connectivity to Microsoft 365 is influenced by regulation or performance requirements for scenarios such as [Skype for Business Online media quality](https://support.office.com/article/Media-Quality-and-Network-Connectivity-Performance-in-Skype-for-Business-Online-5fe3e01b-34cf-44e0-b897-b0b2a83f0917). These additional requirements might lead to investments in internet connectivity infrastructure, routing optimization, and specialized direct connectivity.
Some resources to help you assess your network: - See [Microsoft 365 network connectivity overview](microsoft-365-networking-overview.md) for conceptual information about Microsoft 365 networking. - See [Microsoft 365 Network Connectivity Principles](./microsoft-365-network-connectivity-principles.md) to understand the connectivity principles for securely managing Microsoft 365 traffic and getting the best possible performance.-- Sign up for [Microsoft FastTrack](https://www.microsoft.com/fasttrack) for guided assistance with Microsoft 365 planning, design and deployment.-- See the [Microsoft 365 connectivity test](assessing-network-connectivity.md#the-microsoft-365-connectivity-test) section below to run basic connectivity tests that provide specific guidance about networking connectivity improvements that can be made between a given user location and Microsoft 365.
+- Sign up for [Microsoft FastTrack](https://www.microsoft.com/fasttrack) for guided assistance with Microsoft 365 planning, design, and deployment.
+- See the [Microsoft 365 connectivity test](assessing-network-connectivity.md#the-microsoft-365-connectivity-test) section to run basic connectivity tests that provide specific guidance about networking connectivity improvements that can be made between a given user location and Microsoft 365.
> [!NOTE] > Microsoft authorization is required to use ExpressRoute for Microsoft 365. Microsoft reviews every customer request and only authorizes ExpressRoute for Microsoft 365 usage when a customer's regulatory requirement mandates direct connectivity. If you have such requirements, please provide the text excerpt and web link to the regulation which you interpret to mean that direct connectivity is required in the [ExpressRoute for Microsoft 365 Request Form](https://aka.ms/O365ERReview) to begin a Microsoft review. Unauthorized subscriptions trying to create route filters for Microsoft 365 will receive an [error message](https://support.microsoft.com/kb/3181709).
Key points to consider when planning your network assessment for Microsoft 365:
- Microsoft 365 is a secure, reliable, high performance service that runs over the public internet. We continue to invest to enhance these aspects of the service. All Microsoft 365 services are available via internet connectivity. -- We are continually optimizing core aspects of Microsoft 365 such as availability, global reach, and performance for internet based connectivity. For example, many Microsoft 365 services leverage an expanding set of internet facing edge nodes. This edge network offers the best proximity and performance to connections coming over the internet.
+- We're continually optimizing core aspects of Microsoft 365 such as availability, global reach, and performance for internet based connectivity. For example, many Microsoft 365 services leverage an expanding set of internet facing edge nodes. This edge network offers the best proximity and performance to connections coming over the internet.
- When considering using Microsoft 365 for any of the included services such as Teams or Skype for Business Online voice, video, or meeting capabilities, customers should complete an end to end network assessment and meet connectivity requirements using [Microsoft FastTrack](https://www.microsoft.com/fasttrack).
-If you're evaluating Microsoft 365 and aren't sure where to begin with your network assessment or have found network design challenges that you need assistance to overcome, please work with your Microsoft account team.
+If you're evaluating Microsoft 365 and aren't sure where to begin with your network assessment or have found network design challenges that you need assistance to overcome, work with your Microsoft account team.
## The Microsoft 365 connectivity test
-The [Microsoft 365 connectivity test](https://aka.ms/netonboard) is a proof of concept (POC) network assessment tool that runs basic connectivity tests against your Microsoft 365 tenant and makes specific network design recommendations for optimal Microsoft 365 performance. The tool highlights common large enterprise network perimeter design choices which are useful for Internet web browsing but impact the performance of large SaaS applications such as Microsoft 365.
+The [Microsoft 365 connectivity test](https://aka.ms/netonboard) is a proof of concept (POC) network assessment tool that runs basic connectivity tests against your Microsoft 365 tenant and makes specific network design recommendations for optimal Microsoft 365 performance. The tool highlights common large enterprise network perimeter design choices that are useful for Internet web browsing but impact the performance of large SaaS applications such as Microsoft 365.
The Network Onboarding tool does the following: - Detects your location, or you can specify a location to test - Checks the location of your network egress - Tests the network path to the nearest Microsoft 365 service front door-- Provides advanced tests using a downloadable Windows 10 application that makes perimeter network design recommendations related to proxy servers, firewalls, and DNS. The tool also runs performance tests for Skype for Business Online, Microsoft Teams, SharePoint Online and Exchange Online.
+- Provides advanced tests using a downloadable Windows 10 application that makes perimeter network design recommendations related to proxy servers, firewalls, and DNS. The tool also runs performance tests for Skype for Business Online, Microsoft Teams, SharePoint and Exchange Online.
The tool has two components: a browser-based UI that collects basic connectivity information, and a downloadable Windows 10 application that runs advanced tests and returns additional assessment data.
The Advanced Tests downloadable application provides the following additional in
- Client DNS Server - Client DNS Recursive Resolver - Exchange Online DNS server
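Review bot: In the added advanced-tests bullet, "SharePoint and Exchange Online" now reads as if "Online" applies to both products, which undoes the rename this change is making. Reorder the list so the renamed product stands alone, for example "Skype for Business Online, Microsoft Teams, Exchange Online, and SharePoint".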
- - SharePoint Online DNS server
+ - SharePoint DNS server
- Proxy server identification - Media connectivity check - Media quality packet loss
You can read about the Microsoft 365 connectivity test and provide feedback at t
Here's a short link you can use to come back: [https://aka.ms/o365networkconnectivity.](./microsoft-365-network-connectivity-principles.md)
-## Related topics
+## Related articles
[Microsoft 365 Network Connectivity Overview](microsoft-365-networking-overview.md)
enterprise Azure Expressroute https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/azure-expressroute.md
Title: "Azure ExpressRoute for Microsoft 365"
Previously updated : 08/10/2020 Last updated : 03/15/2024 audience: ITPro
- scotvorg - Ent_O365 - Strat_O365_Enterprise
+- must-keep
f1.keywords: - CSH
search.appverid:
- MOE150 - BCS160 ms.assetid: 6d2534a2-c19c-4a99-be5e-33a0cee5d3bd
-description: Learn about Azure ExpressRoute with Microsoft 365 and plan the network implementation project if you are deploying with it.
+description: Learn about Azure ExpressRoute with Microsoft 365 and plan the network implementation project if you're deploying with it.
# Azure ExpressRoute for Microsoft 365
Learn how Azure ExpressRoute is used with Microsoft 365 and how to plan the netw
In addition to internet connectivity, you may choose to route a subset of your Microsoft 365 network traffic over Azure ExpressRoute.
-Regardless of whether you have an existing MPLS WAN, ExpressRoute can be added to your network architecture in one of three ways; through a supported cloud exchange co-location provider, an Ethernet point-to-point connection provider, or through an MPLS connection provider. See what [providers are available in your region](/azure/expressroute/expressroute-locations). The direct ExpressRoute connection will enable connectivity to the applications outlined in [What Microsoft 365 services are included?](#BKMK_WhatDoIGet) below. Network traffic for all other applications and services will continue to traverse the internet.
+Regardless of whether you have an existing MPLS WAN, ExpressRoute can be added to your network architecture in one of three ways; through a supported cloud exchange colocation provider, an Ethernet point-to-point connection provider, or through an MPLS connection provider. See what [providers are available in your region](/azure/expressroute/expressroute-locations). The direct ExpressRoute connection enables connectivity to the applications outlined in [What Microsoft 365 services are included?](#BKMK_WhatDoIGet). Network traffic for all other applications and services will continue to traverse the internet.
Consider the following high level network diagram, which shows a typical Microsoft 365 customer connecting to Microsoft's datacenters over the internet for access to all Microsoft applications such as Microsoft 365, Windows Update, and TechNet. Customers use a similar network path regardless of whether they're connecting from an on-premises network or from an independent internet connection.
The following table lists the Microsoft 365 services that are supported over Exp
|:--| |Exchange Online<sup>1</sup> <br/> Exchange Online Protection<sup>1</sup> <br/> Delve<sup>1</sup> <br/> | |Skype for Business Online<sup>1</sup> <br/> Microsoft Teams <sup>1</sup> <br/> |
-|SharePoint Online<sup>1</sup> <br/> OneDrive for Business<sup>1</sup> <br/> Project Online<sup>1</sup> <br/> |
+|SharePoint<sup>1</sup> <br/> OneDrive<sup>1</sup> <br/> Project Online<sup>1</sup> <br/> |
|Portal and shared<sup>1</sup> <br/> Microsoft Entra ID <sup>1</sup> <br/> Microsoft Entra Connect<sup>1</sup> <br/> Office<sup>1</sup> <br/> |
-<sup>1</sup> Each of these applications has internet connectivity requirements not supported over ExpressRoute, see the [Microsoft 365 endpoints article](./urls-and-ip-address-ranges.md) for more information.
+<sup>1</sup> Each of these applications has internet connectivity requirements not supported over ExpressRoute. See the [Microsoft 365 endpoints article](./urls-and-ip-address-ranges.md) for more information.
The services that aren't included with ExpressRoute for Microsoft 365 are Microsoft 365 Apps for enterprise client downloads, On-premises Identity Provider Sign-In, and Microsoft 365 (operated by 21 Vianet) service in China.
The services that aren't included with ExpressRoute for Microsoft 365 are Micros
## Implementing ExpressRoute for Microsoft 365
-Implementing ExpressRoute requires the involvement of network and application owners and requires careful planning to determine the new [network routing architecture](/azure/architecture/guide/networking/networking-start-here), bandwidth requirements, where security will be implemented, high availability, and so on. To implement ExpressRoute, you'll need to:
+Implementing ExpressRoute requires the involvement of network and application owners and requires careful planning to determine the new [network routing architecture](/azure/architecture/guide/networking/networking-start-here), bandwidth requirements, where security is implemented, high availability, and so on. To implement ExpressRoute, you'll need to:
-1. Fully understand the need ExpressRoute satisfies in your Microsoft 365 connectivity planning. Understand what applications will use the internet or ExpressRoute and fully plan your network capacity, security, and high availability needs in the context of using both the internet and ExpressRoute for Microsoft 365 traffic.
+1. Fully understand the need ExpressRoute satisfies in your Microsoft 365 connectivity planning. Understand what applications use the internet or ExpressRoute and fully plan your network capacity, security, and high availability needs in the context of using both the internet and ExpressRoute for Microsoft 365 traffic.
2. Determine the egress and peering locations for both internet and ExpressRoute traffic<sup>1</sup>.
Here's a short link you can use to come back: [https://aka.ms/expressrouteoffice
Ready to sign up for [ExpressRoute for Microsoft 365](https://aka.ms/ert)?
-## Related Topics
+## Related articles
[Assessing Microsoft 365 network connectivity](assessing-network-connectivity.md)
enterprise Best Practices For Using Office 365 On A Slow Network https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/best-practices-for-using-office-365-on-a-slow-network.md
Title: "Best practices for using Office 365 on a slow network"
Previously updated : 12/29/2016 Last updated : 03/15/2024 audience: End User
ms.localizationpriority: medium
- scotvorg - Ent_O365
+- must-keep
search.appverid: - MET150 - MET150
Although you don't have control over network performance itself, it helps to und
**Common issues**: Besides bandwidth and latency, other issues have an impact on network performance and are often unpredictable. Network performance can fluctuate based on the time of the day or your physical location. The network can become clogged when certain events occur that spike the use of the Internet, such as a natural disaster or a major public event. The size and complexity of the page being loaded and the number and size of files being transferred have a direct bearing on performance. A WiFi connection can temporarily degrade: for example, you poll a large conference meeting of thousands by requesting everyone to tweet at the same time.
- **Considerations for a satellite network**: A satellite network is useful when a terrestrial network is not feasible, such as the back country/region, a cruise ship, or a remote scientific area. These networks rely on satellites positioned in a geosynchronous orbit 22,000 miles above the equator. However, a transmission actually travels about 90,000 miles, and so a satellite network has a slower latency (500 ms or more) than a terrestrial network (20 to 50ms). Under the best of conditions, you may not notice this latency, but for downloading large files, streaming videos, and playing games, you probably will. Another issue is "rain fade" in which heavy weather, such as thunderstorms and blizzards, can temporarily interrupt satellite transmission.
+ **Considerations for a satellite network**: A satellite network is useful when a terrestrial network isn't feasible, such as the back country/region, a cruise ship, or a remote scientific area. These networks rely on satellites positioned in a geosynchronous orbit 22,000 miles above the equator. However, a transmission actually travels about 90,000 miles, and so a satellite network has a slower latency (500 ms or more) than a terrestrial network (20ms to 50ms). Under the best of conditions, you may not notice this latency, but for downloading large files, streaming videos, and playing games, you probably will. Another issue is "rain fade" in which heavy weather, such as thunderstorms and blizzards, can temporarily interrupt satellite transmission.
## Are you sure it's the network?
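Review bot: In the added satellite paragraph, "(20ms to 50ms)" drops the space between number and unit while the same sentence keeps "500 ms"; write "20 ms to 50 ms" so the units match. The line also keeps "you may not notice" although other lines in this update move "may" to "might", and "slower latency" would be more precise as "higher latency".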
-Whenever you experience performance problems, first make sure that your device is not the root cause of the problem. There are two things you can do that might make a big improvement:
+Whenever you experience performance problems, first make sure that your device isn't the root cause of the problem. There are two things you can do that might make a significant improvement:
-- Make sure your device is running well and there is no malware on your computer.
+- Make sure your device is running well and there's no malware on your computer.
- If possible, buy more memory. Adding memory is the simplest and often most effective way to improve performance on your device. It's especially helpful when working with large files and videos.
Here are some suggestions for browsers in general:
Here are some suggestions for your specific browser: -- **Internet Explorer**: Upgrade to Internet Explorer Version 11 or later for substantial performance improvements over previous versions. For more information, see [Troubleshooting guide for Internet Explorer](https://support.microsoft.com/help/2437121/troubleshooting-guide-for-internet-explorer-when-you-access-office-365).
+- **Microsoft Edge**: For more information, see [Learn about performance features in Microsoft Edge](https://support.microsoft.com/en-us/topic/learn-about-performance-features-in-microsoft-edge-7b36f363-2119-448a-8de6-375cfd88ab25).
- **FireFox**: For more information, see [Firefox is slow or stops working](https://support.mozilla.org/products/firefox/fix-problems/slowness-or-hanging). - **Safari**: For more information, see [Apple - Safari](https://www.apple.com/safari/). - **Chrome**: For more information, see [Chrome Help](https://support.google.com/chrome/?hl=en). ## Best practices for using Outlook and Outlook Web App
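Review bot: The added Microsoft Edge link hard-codes the `en-us` locale in its URL, which the Internet Explorer link it replaces did not; drop the locale segment so readers are redirected to their own language. The unchanged line that follows still spells the browser "FireFox", and correcting it to "Firefox" would fit in the same change.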
-Reading, writing, and organizing email is a big part of everyone's day. Both Outlook and Outlook Web App (OWA) offer offline support. Using an email app on your smart phone is another useful alternative. Use the following options that best fit your needs:
+Reading, writing, and organizing email is a significant part of everyone's day. Both Outlook and Outlook Web App (OWA) offer offline support. Using an email app on your smart phone is another useful alternative. Use the following options that best fit your needs:
- Upgrade to the latest version of Outlook for substantial performance improvements over previous versions.
Reading, writing, and organizing email is a big part of everyone's day. Both Out
> [!NOTE] > Here is some guidance on when to use Outlook or OWA. If disk space is not an issue on your device, Outlook has a full set of features and might work best for you. If disk space is an issue on your device, consider using OWA which has a subset of features, but also works best in an online situation. Of course, you can use either because they work well together.
-## Best practices for using OneDrive for Business
+## Best practices for using OneDrive
-OneDrive for Business is designed from the ground up to work with your files online and offline. Once you set it up, synchronization of changes occurs automatically and reliably wherever and whenever you make them. If the network is slow, you can work with the offline version of the files.
+OneDrive is designed from the ground up to work with your files online and offline. Once you set it up, synchronization of changes occurs automatically and reliably wherever and whenever you make them. If the network is slow, you can work with the offline version of the files.
-The OneDrive for Business sync app comes with a SharePoint Online and Office 365 business subscription, or you can [download](https://support.microsoft.com/kb/2903984) the OneDrive for Business sync app for free. This app is also faster than using the **Open in Explorer** or **Upload** commands. For more information, see [Set up your computer to sync your OneDrive for Business files in Office 365](https://support.office.com/article/23e1f12b-d896-4cb1-a238-f91d19827a16).
+The OneDrive sync app comes with a SharePoint and Office 365 business subscription, or you can [download](https://support.microsoft.com/kb/2903984) the OneDrive sync app for free. This app is also faster than using the **Open in Explorer** or **Upload** commands. For more information, see [Set up your computer to sync your OneDrive files in Office 365](https://support.office.com/article/23e1f12b-d896-4cb1-a238-f91d19827a16).
-Here's some additional guidance for using the OneDrive for Business sync app:
+Here's some additional guidance for using the OneDrive sync app:
- If you're syncing a large library for the first time, start the sync during off hours, for example, overnight.-- You can use the [Stop syncing a library with the OneDrive for Business app](https://support.office.com/article/a7e41f1f-3a98-4ca7-9443-f10250688330) feature to temporarily stop syncing updates. However, use this feature for brief periods, such as a few hours at a time, to avoid queuing large numbers of updates, and to minimize the risk of merge conflicts if several people work on the same document.
+- You can use the [Stop syncing a library with the OneDrive app](https://support.office.com/article/a7e41f1f-3a98-4ca7-9443-f10250688330) feature to temporarily stop syncing updates. However, use this feature for brief periods, such as a few hours at a time, to avoid queuing large numbers of updates, and to minimize the risk of merge conflicts if several people work on the same document.
## Best practices for using OneNote
For more information, see the section "More about managing large lists" in [Mana
When you customize a web page, you may inadvertently cause poor performance with the page. A number of factors can have an impact, such as the complexity and size of the page, how many web parts are added, how many list or library items are initially displayed, and the way you code the page.
-For more information, see [Tune SharePoint Online performance](tune-sharepoint-online-performance.md).
+For more information, see [Tune SharePoint performance](tune-sharepoint-online-performance.md).
## Best practices for using Project Online The following guidelines can help improve network performance. -- Project Online and SharePoint Online require synchronization, which can be time consuming. If your project teams have low turnover, disable Project Site Sync to improve the Project Publish and Project Detail Pages performance. Limit Active Directory sync to groups of resources that actually need to use the system, and monitor any potential permission issues after the synchronization of large groups.
+- Project Online and SharePoint require synchronization, which can be time consuming. If your project teams have low turnover, disable Project Site Sync to improve the Project Publish and Project Detail Pages performance. Limit Active Directory sync to groups of resources that actually need to use the system, and monitor any potential permission issues after the synchronization of large groups.
- If your organization uses project sites, create them on demand rather than automatically. This speeds up the first publishing experience and avoids creating unnecessary sites and content. -- Project Detail Pages (PDP) can trigger a recalculation of the entire project and kick off workflow actions, both of which can be performance-intensive operations. To avoid triggering two update processes at the same time on the same PDP, avoid updating the calendar fields (Start date, Finish date, Status date, and Current date) and the non-scheduled fields (project name, description, and owner).
+- Project Detail Pages (PDP) can trigger a recalculation of the entire project and kick off workflow actions, both of which can be performance-intensive operations. To avoid triggering two update processes at the same time on the same PDP, avoid updating the calendar fields (Start date, Finish date, Status date, and Current date) and the nonscheduled fields (project name, description, and owner).
- Reduce the number of Web Parts and custom fields displayed on each PDP. Create a dedicated PDP with the only fields that require updating to improve load and save time.
enterprise Deploy Identity Solution Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-identity-solution-overview.md
f1.keywords:
Previously updated : 01/23/2018 Last updated : 03/15/2024 audience: ITPro
- m365solution-overview - zerotrust-solution - highpri
+- must-keep
- intro-overview description: Deploy your identity infrastructure for Microsoft 365.
Microsoft Entra ID provides a full suite of identity management and security cap
|||| |[Multifactor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks)|MFA requires users to provide two forms of verification, such as a user password plus a notification from the Microsoft Authenticator app or a phone call. MFA greatly reduces the risk that stolen credentials can be used to access your environment. Microsoft 365 uses the Microsoft Entra multifactor authentication service for MFA-based sign-ins.|Microsoft 365 E3 or E5| |[Conditional Access](/azure/active-directory/conditional-access/overview)|Microsoft Entra ID evaluates the conditions of the user sign-in and uses Conditional Access policies to determine the allowed access. For example, in this guidance we show you how to create a Conditional Access policy to require device compliance for access to sensitive data. This greatly reduces the risk that a hacker with their own device and stolen credentials can access your sensitive data. It also protects sensitive data on the devices, because the devices must meet specific requirements for health and security.|Microsoft 365 E3 or E5|
-|[Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-manage-groups)|Conditional Access policies, device management with Intune, and even permissions to files and sites in your organization rely on the assignment to user accounts or Microsoft Entra groups. We recommend you create Microsoft Entra groups that correspond to the levels of protection you are implementing. For example, your executive staff are likely higher value targets for hackers. Therefore, it makes sense to add the user accounts of these employees to a Microsoft Entra group and assign this group to Conditional Access policies and other policies that enforce a higher level of protection for access.|Microsoft 365 E3 or E5|
+|[Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-manage-groups)|Conditional Access policies, device management with Intune, and even permissions to files and sites in your organization rely on the assignment to user accounts or Microsoft Entra groups. We recommend you create Microsoft Entra groups that correspond to the levels of protection you're implementing. For example, members of your executive staff are likely higher value targets for hackers. Therefore, it makes sense to add the user accounts of these employees to a Microsoft Entra group and assign this group to Conditional Access policies and other policies that enforce a higher level of protection for access.|Microsoft 365 E3 or E5|
|[Microsoft Entra ID Protection](/azure/active-directory/identity-protection/overview)|Enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy to low, medium, and high sign-in risk and user risk. This guidance relies on this risk evaluation to apply Conditional Access policies for multifactor authentication. This guidance also includes a Conditional Access policy that requires users to change their password if high-risk activity is detected for their account.|Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, EMS E5, or Microsoft Entra ID P2 licenses| |[Self-service password reset (SSPR)](/azure/active-directory/authentication/concept-sspr-howitworks)|Allow your users to reset their passwords securely and without help-desk intervention, by providing verification of multiple authentication methods that the administrator can control.|Microsoft 365 E3 or E5| |[Microsoft Entra password protection](/azure/active-directory/authentication/concept-password-ban-bad)|Detect and block known weak passwords and their variants and additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.|Microsoft 365 E3 or E5|
To help ensure a secure and productive workforce, Microsoft provides a set of re
- [Prerequisites](../security/office-365-security/zero-trust-identity-device-access-policies-prereq.md) - [Common identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-common.md) >
+-->
enterprise Manage Skype For Business Online With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-skype-for-business-online-with-microsoft-365-powershell.md
Title: "Manage Skype for Business Online with PowerShell"
Previously updated : 07/17/2020 Last updated : 03/15/2024 audience: ITPro
ms.localizationpriority: medium
- scotvorg - Ent_O365
+- must-keep
f1.keywords: - NOCSH
Install the [Teams PowerShell module](/microsoftteams/teams-powershell-install).
2. In the **Windows PowerShell Credential Request** dialog box, type your administrator account name and password, and then select **OK**.
-## Connect using an admin account with multi-factor authentication
+## Connect using an admin account with multifactor authentication
1. Open a Windows PowerShell command prompt window, and run the following commands:
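Review bot: Renaming the heading to "Connect using an admin account with multifactor authentication" changes the bookmark that is generated from the heading text, so existing links to the old "multi-factor" bookmark will no longer land on this section. Consider placing an explicit `<a name='...'></a>` anchor with the old heading slug above the renamed heading so inbound links keep working.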
Install the [Teams PowerShell module](/microsoftteams/teams-powershell-install).
Connect-MicrosoftTeams ```
-2. When prompted enter your Skype for Business Online administrator account name.
+2. When prompted enter your Skype for Business Online administrator account name?
3. In the **Sign in to your account** dialog box, type your Skype for Business Online administrator password and select **Sign in**.
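Review bot: Step 2 now ends with a question mark ("...administrator account name?"), which turns an instruction into a question; the removed line ended with a period. Restore the period, and since the line is being touched anyway, add the missing comma after "When prompted".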
enterprise Network Planning And Performance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/network-planning-and-performance.md
Title: "Network planning and performance tuning for Microsoft 365"
Previously updated : 2/18/2022 Last updated : 03/15/2024 audience: Admin
ms.localizationpriority: medium
- scotvorg - Strat_O365_Enterprise
+- must-keep
f1.keywords: - CSH search.appverid:
ms.assetid: e5f1228c-da3c-4654-bf16-d163daee8848
- seo-marvel-apr2020 - Adm_O365
-description: "This article will help you plan your network bandwidth requirements for Microsoft 365, and fine tune and troubleshoot performance."
+description: "This article helps you plan your network bandwidth requirements for Microsoft 365, and fine tune and troubleshoot performance."
# Network planning and performance tuning for Microsoft 365
-Before you deploy for the first time or migrate to Microsoft 365, you can use the information in these topics to estimate the bandwidth you need and then to test and verify that you have enough bandwidth to deploy or migrate to Microsoft 365. For an overview, see: [Network and migration planning for Microsoft 365](network-and-migration-planning.md).
+Before you deploy for the first time or migrate to Microsoft 365, you can use the information in these articles to estimate the bandwidth you need and then to test and verify that you have enough bandwidth to deploy or migrate to Microsoft 365. For an overview, see: [Network and migration planning for Microsoft 365](network-and-migration-planning.md).
|Category |Description |Category |Description | |:--|:--|:--|:--| |**Network planning** <br/> ![Network.](../medi#calculators). <br/> | |**Best practices** <br/> ![Best practices.](../medi#NetReference). <br/> | |![See the Microsoft Cloud Networking for Enterprise Architects poster.](../medi) poster. <br/> |
-
+ ## Performance tuning and troubleshooting resources for Microsoft 365 <a name="apptuning"> </a>
-Once you have Microsoft 365 deployed, you can optimize your performance by using the topics in this section. If you experience performance degradation you can also use these topics to troubleshoot issues.
+Once you have Microsoft 365 deployed, you can optimize your performance by using the articles in this section. If you experience performance degradation you can also use these articles to troubleshoot issues.
**[Tune Office 365 performance](tune-microsoft-365-performance.md)**: For information about using network address translation with Office 365, see [NAT support with Office 365](nat-support-with-microsoft-365.md). Also, take a look at the [top 10 tips for optimizing and troubleshooting your Office 365 network connectivity](/archive/blogs/onthewire/top-10-tips-for-optimising-troubleshooting-your-office-365-network-connectivity).
Once you have Microsoft 365 deployed, you can optimize your performance by using
**[Tune Skype for Business Online performance](tune-skype-for-business-online-performance.md)**: Use these articles to fine tune Skype for Business Online performance.
- **[Tune SharePoint Online performance](tune-sharepoint-online-performance.md)**: Use these articles to fine tune SharePoint Online performance.
+ **[Tune SharePoint performance](tune-sharepoint-online-performance.md)**: Use these articles to fine tune SharePoint performance.
- **[Tune Project Online performance](https://support.office.com/article/12ba0ebd-c616-42e5-b9b6-cad570e8409c)**: Use this article to fine tune Project Online performance
+ **[Tune Project Online performance](https://support.office.com/article/12ba0ebd-c616-42e5-b9b6-cad570e8409c)**: Use this article to fine tune Project Online performance.
frontline Shifts For Teams Landing Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-for-teams-landing-page.md
appliesto:
- Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 02/20/2024 Last updated : 03/15/2024 # Shifts for frontline workers Shifts, the schedule management tool in Teams, keeps your frontline workforce connected and in sync. It's built mobile first for fast and effective schedule management and communications. With Shifts, frontline managers and workers can seamlessly manage schedules and keep in touch.
-Managers can create, update, and manage shift schedules for their teams. They can assign shifts, add open shifts, and approve schedule requests from employees. Employees can view their own and their team's schedules, set their availability, request to swap or offer a shift, request time off, and clock in and out.
+Managers can create, update, and manage shift schedules for their teams. They can assign shifts, add open shifts, and approve schedule requests from employees. Workers can view their own and their team's schedules, set their availability, request to swap or offer a shift, request time off, and clock in and out.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE42FjP]
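Review bot: The rename from "Employees" to "Workers" is only half applied in this paragraph: the preceding sentence on the same added line still reads "approve schedule requests from employees". Change that occurrence to "workers" as well so the paragraph uses one term for the same people.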
Use the following resources to help you set up and manage Shifts in your organiz
|&nbsp; |&nbsp; | ||| |:::image type="icon" source="/office/medi)** (Preview) Configure and manage Shifts settings centrally in the Teams admin center and deploy Shifts to your frontline teams at scale. |
-|:::image type="icon" source="/office/media/icons/administrator.png":::|**[Manage Shifts](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)** Get an overview of how to manage Shifts for your organization. Learn how to control access to Shifts, pin Shifts to the Teams app bar for easy access, enable shift-based tags, and more. |
-|:::image type="icon" source="/office/medi)** Learn how to use team owner and team member roles in Teams and the schedule owner role in Shifts to define your frontline managers and workers in Shifts. |
+|:::image type="icon" source="/office/media/icons/administrator-teams.png":::|**[Manage Shifts](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)** Get an overview of how to manage Shifts for your organization. Learn how to control access to Shifts, pin Shifts to the Teams app bar for easy access, enable shift-based tags, and more. |
+|:::image type="icon" source="/office/medi)** Learn how to use team owner and team member roles in Teams and the schedule owner role in Shifts to define your frontline managers and workers in Shifts. |
+|:::image type="icon" source="/office/medi)** Learn how to control the Shifts capabilities that are available to frontline managers for managing their team schedules, such as the Shifts settings that they can configure and whether they can create and manage schedule groups. |
|:::image type="icon" source="/office/media/icons/help.png":::| **[Shifts data FAQ](/microsoftteams/expand-teams-across-your-org/shifts/shifts-data-faq?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)** Learn where Shifts data is stored and other topics related to Shifts data, including retention, retrieval, and encryption.| ## Shifts connectors
If you're using a third-party workforce management (WFM) system for scheduling,
|&nbsp;|&nbsp;| | - | - |
-|:::image type="icon" source="/office/media/icons/api.png":::| **[Shift Graph APIs](/graph/api/resources/shift)** Shifts Graph APIs allow you to integrate Shifts data with external WFM systems. You have the flexibility to build custom Shifts experiences in the back end, while giving users a rich, front-end experience in Teams. |
+|:::image type="icon" source="/office/media/icons/api-teams.png":::| **[Shift Graph APIs](/graph/api/resources/shift)** Shifts Graph APIs allow you to integrate Shifts data with external WFM systems. You have the flexibility to build custom Shifts experiences in the back end, while giving users a rich, front-end experience in Teams. |
|:::image type="icon" source="/office/media/icons/process-flow-teams.png":::| **[Shifts + Power Automate](https://github.com/OfficeDev/Microsoft-Teams-Shifts-Power-Automate-Templates)** Shifts + Power Automate lets you take info from Shifts and create custom workflows with other apps and perform operations at scale. Automate key processes with little to no code. The triggers and templates support various scenarios such as enabling auto-approvals for shift requests when a managerΓÇÖs approval isn't needed. | ## Featured training
security Android Configure Mam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md
End users also need to take steps to install Microsoft Defender for Endpoint on
Select **Included groups**. Then add the relevant groups.
- :::image type="content" source="images/assignment.png" alt-text="The Included groups pane in the Microsoft Defender portal." lightbox="images/assignment.png":::
+ :::image type="content" source="media/assignment.png" alt-text="The Included groups pane in the Microsoft Defender portal." lightbox="media/assignment.png":::
>[!NOTE] >If a config policy is to be targeted at unenrolled devices (MAM), the recommendation is to deploy the general app configuration settings in Managed Apps instead of using Managed Devices. >When deploying app configuration policies to devices, issues can occur when multiple policies have different values for the same configuration key and are targeted for the same app and user. These issues are due to the lack of a conflict resolution mechanism for resolving the differing values. You can prevent these issues by ensuring that only a single app configuration policy for devices is defined and targeted for the same app and user.
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
The device configuration profile is now assigned to the selected user group.
2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
- :::image type="content" source="images/c2e647fc8fa31c4f2349c76f2497bc0e.png" alt-text="The application display pane" lightbox="images/c2e647fc8fa31c4f2349c76f2497bc0e.png":::
+ :::image type="content" source="media/c2e647fc8fa31c4f2349c76f2497bc0e.png" alt-text="The application display pane" lightbox="media/c2e647fc8fa31c4f2349c76f2497bc0e.png":::
3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful.
Admins can go to the [Microsoft Endpoint Management admin center](https://endpoi
1. The selected configuration will be listed. Change the **configuration value to 1** to enable Microsoft Defender support personal profiles. A notification will appear informing the admin about the same. Click on **Next**. > [!div class="mx-imgBorder"]
- > ![Image of changing config value.](images/changeconfigvalue.png)
+ > ![Image of changing config value.](media/changeconfigvalue.png)
1. **Assign** the configuration policy to a group of users. **Review and create** the policy.
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/api-hello-world.md
For the Application registration stage, you must have a **Global administrator**
2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.
- :::image type="content" source="../images/atp-azure-new-app2.png" alt-text="The App registrations option under the Manage pane in the Microsoft Entra admin center" lightbox="../images/atp-azure-new-app2.png":::
+ :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The App registrations option under the Manage pane in the Microsoft Entra admin center" lightbox="../media/atp-azure-new-app2.png":::
3. In the registration form, choose a name for your application and then click **Register**.
security Exposed Apis Create App Nativeapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-nativeapp.md
This page explains how to create a Microsoft Entra application, get an access to
2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.
- :::image type="content" source="../images/atp-azure-new-app2.png" alt-text="The App registrations page in the Microsoft Azure portal" lightbox="../images/atp-azure-new-app2.png":::
+ :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The App registrations page in the Microsoft Azure portal" lightbox="../media/atp-azure-new-app2.png":::
3. When the **Register an application** page appears, enter your application's registration information: - **Name** - Enter a meaningful application name that will be displayed to users of the app.
security Exposed Apis Create App Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-partners.md
The following steps guide you how to create a Microsoft Entra application, get a
2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.
- :::image type="content" source="../images/atp-azure-new-app2.png" alt-text="The navigation to application registration pane" lightbox="../images/atp-azure-new-app2.png":::
+ :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The navigation to application registration pane" lightbox="../media/atp-azure-new-app2.png":::
3. In the registration form:
The following steps guide you how to create a Microsoft Entra application, get a
- Redirect URI - type: Web, URI: https://portal.azure.com
- :::image type="content" source="../images/atp-api-new-app-partner.png" alt-text="The Microsoft Azure partner application registration page" lightbox="../images/atp-api-new-app-partner.png":::
+ :::image type="content" source="../media/atp-api-new-app-partner.png" alt-text="The Microsoft Azure partner application registration page" lightbox="../media/atp-api-new-app-partner.png":::
4. Allow your Application to access Microsoft Defender for Endpoint and assign it with the minimal set of permissions required to complete the integration.
security Exposed Apis Create App Webapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp.md
This article explains how to create a Microsoft Entra application, get an access
2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**.
- :::image type="content" source="../images/atp-azure-new-app2.png" alt-text="The application registration pane" lightbox="../images/atp-azure-new-app2.png":::
+ :::image type="content" source="../media/atp-azure-new-app2.png" alt-text="The application registration pane" lightbox="../media/atp-azure-new-app2.png":::
3. In the registration form, choose a name for your application, and then select **Register**.
security Attack Surface Reduction Rules Deployment Implement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement.md
search.appverid: met150
Implementing attack surface reduction rules move the first test ring into an enabled, functional state.
-> :::image type="content" source="images/asr-rules-implementation-steps.png" alt-text="The procedure to implement attack surface reduction rules" lightbox="images/asr-rules-implementation-steps.png":::
+> :::image type="content" source="media/asr-rules-implementation-steps.png" alt-text="The procedure to implement attack surface reduction rules" lightbox="media/asr-rules-implementation-steps.png":::
## Step 1: Transition attack surface reduction rules from Audit to Block
Implementing attack surface reduction rules move the first test ring into an ena
### How does Warn mode work?
-Warn mode is effectively a Block instruction, but with the option for the user to "Unblock" subsequent executions of the given flow or app. Warn mode unblocks on a per device, user, file and process combination. The warn mode information is stored locally and has a duration of 24 hours.
+Warn mode is effectively a Block instruction, but with the option for the user to "Unblock" subsequent executions of the given flow or app. Warn mode unblocks on a per device, user, file, and process combination. The warn mode information is stored locally and has a duration of 24 hours.
### Step 2: Expand deployment to ring n + 1
See the [attack surface reduction rules reference](attack-surface-reduction-rule
##### Use Group Policy to exclude files and folders
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus** \> **Microsoft Defender Exploit Guard** \> **Attack surface reduction**.
security Attack Surface Reduction Rules Deployment Operationalize https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md
Consistent, regular review of reports is an essential aspect of maintaining your
One of the most powerful features of [Microsoft Defender XDR](https://security.microsoft.com) is advanced hunting. If you're not familiar with advanced hunting, see: [Proactively hunt for threats with advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview).
-> :::image type="content" source="images/asr-defender365-advanced-hunting2.png" alt-text="The Advanced Hunting page in the Microsoft Defender portal. Microsoft Defender for Endpoint attack surface reduction rules used in advanced hunting" lightbox="images/asr-defender365-advanced-hunting2.png":::
+> :::image type="content" source="media/asr-defender365-advanced-hunting2.png" alt-text="The Advanced Hunting page in the Microsoft Defender portal. Microsoft Defender for Endpoint attack surface reduction rules used in advanced hunting" lightbox="media/asr-defender365-advanced-hunting2.png":::
Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that lets you explore up to 30 days of the captured data. Through advanced hunting, you can proactively inspect events in order to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
DeviceEvents
``` > [!div class="mx-imgBorder"]
-> :::image type="content" source="images/asr-defender365-advanced-hunting4.png" alt-text="The Advanced hunting query results in the Microsoft Defender portal" lightbox="images/asr-defender365-advanced-hunting4.png":::
+> :::image type="content" source="media/asr-defender365-advanced-hunting4.png" alt-text="The Advanced hunting query results in the Microsoft Defender portal" lightbox="media/asr-defender365-advanced-hunting4.png":::
The above shows that 187 events were registered for AsrLsassCredentialTheft:
DeviceEvents
``` > [!div class="mx-imgBorder"]
-> :::image type="content" source="images/asr-defender365-advanced-hunting5b.png" alt-text="The Advanced hunting query focused results in the Microsoft Defender portal" lightbox="images/asr-defender365-advanced-hunting5b.png":::
+> :::image type="content" source="media/asr-defender365-advanced-hunting5b.png" alt-text="The Advanced hunting query focused results in the Microsoft Defender portal" lightbox="media/asr-defender365-advanced-hunting5b.png":::
The true benefit of advanced hunting is that you can shape the queries to your liking. By shaping your query you can see the exact story of what was happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.
security Attack Surface Reduction Rules Deployment Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan.md
search.appverid: met150
Before you test or enable attack surface reduction rules, you should plan your deployment. Careful planning helps you test your attack surface reduction rules deployment and get ahead of any rule exceptions. When planning to test attack surface reduction rules, make sure you start with the right business unit. Start with a small group of people in a specific business unit. You can identify some champions within a particular business unit who can provide feedback to help tune your implementation.
-> :::image type="content" source="images/asr-rules-planning-steps.png" alt-text="The attack surface reduction rules planning steps." lightbox="images/asr-rules-planning-steps.png":::
+> :::image type="content" source="media/asr-rules-planning-steps.png" alt-text="The attack surface reduction rules planning steps." lightbox="media/asr-rules-planning-steps.png":::
> [!IMPORTANT] >
security Attack Surface Reduction Rules Deployment Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test.md
In this section of the attack surface reduction rules deployment guide, you'll l
Begin your attack surface reduction rules deployment with ring 1.
-> :::image type="content" source="images/asr-rules-testing-steps.png" alt-text="The Microsoft Defender for Endpoint attack surface reduction (ASR rules) test steps. Audit attack surface reduction rules, configure ASR rules exclusions. Configure ASR rules Intune. ASR rules exclusions. ASR rules event viewer." lightbox="images/asr-rules-testing-steps.png":::
+> :::image type="content" source="media/asr-rules-testing-steps.png" alt-text="The Microsoft Defender for Endpoint attack surface reduction (ASR rules) test steps. Audit attack surface reduction rules, configure ASR rules exclusions. Configure ASR rules Intune. ASR rules exclusions. ASR rules event viewer." lightbox="media/asr-rules-testing-steps.png":::
## Step 1: Test attack surface reduction rules using Audit
You can use Microsoft Intune Endpoint Security to configure custom attack surfac
4. In **Platform**, select **Windows 10, Windows 11, and Windows Server**, and in **Profile**, select **Attack surface reduction rules**. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/asr-mem-create-profile.png" alt-text="The profile creation page for ASR rules" lightbox="images/asr-mem-create-profile.png":::
+ > :::image type="content" source="media/asr-mem-create-profile.png" alt-text="The profile creation page for ASR rules" lightbox="media/asr-mem-create-profile.png":::
5. Select **Create**. 6. In the **Basics** tab of the **Create profile** pane, in **Name** add a name for your policy. In **Description** add a description for your attack surface reduction rules policy. 7. In the **Configuration settings** tab, under **Attack Surface Reduction Rules**, set all rules to **Audit mode**. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/asr-mem-configuration-settings.png" alt-text="The configuration of attack surface reduction rules to Audit mode" lightbox="images/asr-mem-configuration-settings.png":::
+ > :::image type="content" source="media/asr-mem-configuration-settings.png" alt-text="The configuration of attack surface reduction rules to Audit mode" lightbox="media/asr-mem-configuration-settings.png":::
> [!NOTE] > There are variations in some attack surface reduction rules mode listings; _Blocked_ and _Enabled_ provide the same functionality.
You can use Microsoft Intune Endpoint Security to configure custom attack surfac
10. Review your settings in the **Review + create** pane. Click **Create** to apply the rules. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/asr-mem-review-create.png" alt-text="The Create profile page" lightbox="images/asr-mem-review-create.png":::
+ > :::image type="content" source="media/asr-mem-review-create.png" alt-text="The Create profile page" lightbox="media/asr-mem-review-create.png":::
Your new attack surface reduction policy for attack surface reduction rules is listed in **Endpoint security | Attack surface reduction**. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/asr-mem-my-asr-rules.png" alt-text=" The Attack surface reduction page" lightbox="images/asr-mem-my-asr-rules.png":::
+ > :::image type="content" source="media/asr-mem-my-asr-rules.png" alt-text=" The Attack surface reduction page" lightbox="media/asr-mem-my-asr-rules.png":::
<a name='step-2-understand-the-asr-rules-reporting-page-in-the-microsoft-365-defender-portal'></a>
The attack surface reduction rules reporting page is found in **Microsoft Defend
Provides a 30-day timeline of detected audit and blocked events. > [!div class="mx-imgBorder"]
-> :::image type="content" source="images/attack-surface-reduction-rules-report-main-detections-card.png" alt-text="Graph that shows the attack surface reduction rules report summary detections card." lightbox="images/attack-surface-reduction-rules-report-main-detections-card.png":::
+> :::image type="content" source="media/attack-surface-reduction-rules-report-main-detections-card.png" alt-text="Graph that shows the attack surface reduction rules report summary detections card." lightbox="media/attack-surface-reduction-rules-report-main-detections-card.png":::
The attack surface reduction rules pane provides an overview of detected events on a per-rule basis. > [!NOTE] > There are some variations in attack surface reduction rules reports. Microsoft is in the process of updating the behavior of the attack surface reduction rules reports to provide a consistent experience. Select **View detections** to open the **Detections** tab.
->:::image type="content" source="images/attack-surface-reduction-rules-report-main-tabs-search.png" alt-text="Screenshot that shows the attack surface reduction rules report search feature." lightbox="images/attack-surface-reduction-rules-report-main-tabs-search.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-main-tabs-search.png" alt-text="Screenshot that shows the attack surface reduction rules report search feature." lightbox="media/attack-surface-reduction-rules-report-main-tabs-search.png":::
The **GroupBy** and **Filter** pane provide the following options:
The **GroupBy** returns results set to the following groups:
> [!NOTE] > When filtering by rule, the number of individual _detected_ items listed in the lower half of the report is currently limited to 200 rules. You can use **Export** to save the full list of detections to Excel. **Filter** opens the **Filter on rules** page, which enables you to scope the results to only the selected attack surface reduction rules: > [!div class="mx-imgBorder"]
-> :::image type="content" source="images/asr-defender365-filter.png" alt-text="The Attack surface reduction rules detections filter on rules" lightbox="images/asr-defender365-filter.png":::
+> :::image type="content" source="media/asr-defender365-filter.png" alt-text="The Attack surface reduction rules detections filter on rules" lightbox="media/asr-defender365-filter.png":::
> [!NOTE] > If you have a Microsoft Microsoft 365 Security E5 or A5, Windows E5 or A5 license, the following link opens the Microsoft Defender 365 Reports > [Attack surface reductions](https://security.microsoft.com/asr?viewid=detections) > Detections tab.
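Review bot: The note directly after the changed image line still reads "Microsoft Microsoft 365 Security E5", with the word "Microsoft" doubled. The hunk already touches this block, so drop the duplicate in the same change.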
The **GroupBy** returns results set to the following groups:
ListsΓÇöon a per-computer basisΓÇöthe aggregate state of attack surface reduction rules: Off, Audit, Block.
->:::image type="content" source="images/attack-surface-reduction-rules-report-main-configuration-tab.png" alt-text="Screenshot that shows the attack surface reduction rules report main configuration tab." lightbox="images/attack-surface-reduction-rules-report-main-configuration-tab.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-main-configuration-tab.png" alt-text="Screenshot that shows the attack surface reduction rules report main configuration tab." lightbox="media/attack-surface-reduction-rules-report-main-configuration-tab.png":::
On the Configurations tab, you can check, on a per-device basis, which attack surface reduction rules are enabled, and in which mode, by selecting the device for which you want to review attack surface reduction rules.
->:::image type="content" source="images/attack-surface-reduction-rules-report-configuration-add-to-policy.png" alt-text="Screenshot that shows the ASR rules fly-out to add ASR rules to devices." lightbox="images/attack-surface-reduction-rules-report-configuration-add-to-policy.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-configuration-add-to-policy.png" alt-text="Screenshot that shows the ASR rules fly-out to add ASR rules to devices." lightbox="media/attack-surface-reduction-rules-report-configuration-add-to-policy.png":::
The **Get started** link opens the Microsoft Intune admin center, where you can create or modify an endpoint protection policy for attack surface reduction:
The **Get started** link opens the Microsoft Intune admin center, where you can
In Endpoint security | Overview, select **Attack surface reduction**: > [!div class="mx-imgBorder"]
-> :::image type="content" source="images/asr-defender365-05b-mem2.png" alt-text="The Attack surface reduction in Intune" lightbox="images/asr-defender365-05b-mem2.png":::
+> :::image type="content" source="media/asr-defender365-05b-mem2.png" alt-text="The Attack surface reduction in Intune" lightbox="media/asr-defender365-05b-mem2.png":::
The Endpoint Security | Attack surface reduction pane opens: > [!div class="mx-imgBorder"]
-> :::image type="content" source="images/asr-defender365-05b-mem3.png" alt-text="The Endpoint security Attack surface reduction pane" lightbox="images/asr-defender365-05b-mem3.png":::
+> :::image type="content" source="media/asr-defender365-05b-mem3.png" alt-text="The Endpoint security Attack surface reduction pane" lightbox="media/asr-defender365-05b-mem3.png":::
> [!NOTE] > If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Configurations](https://security.microsoft.com/asr?viewid=configuration) tab.
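Review bot: The note left as trailing context under this image change still carries a drafting question, "(or Windows E5?)", so the license requirement is published as a guess; resolve it while the file is being touched. The Exclusions-tab note further down has the same parenthetical, while the Detections-tab note earlier in the file already names the E5 and A5 licenses, so all three notes should be brought into line with one wording.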
This tab provides a method to select detected entities (for example, false posit
> Microsoft Defender Antivirus AV exclusions are honored by attack surface reduction rules. See [Configure and validate exclusions based on extension, name, or location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). > [!div class="mx-imgBorder"]
-> :::image type="content" source="Images/asr-defender365-06d.png" alt-text="The pane for exclusion of the detected file" lightbox="Images/asr-defender365-06d.png":::
+> :::image type="content" source="media/asr-defender365-06d.png" alt-text="The pane for exclusion of the detected file" lightbox="media/asr-defender365-06d.png":::
> [!NOTE] > If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Exclusions](https://security.microsoft.com/asr?viewid=exclusions) tab.
To configure specific rule exclusions:
5. At the bottom of the **Create profile** wizard, select **Next** and follow the wizard instructions.
->:::image type="content" source="images/attack-surface-reduction-rules-report-per-rule-exclusion.png" alt-text="Screenshot that shows the configuration settings for adding ASR per-rule exclusions." lightbox="images/attack-surface-reduction-rules-report-per-rule-exclusion.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-per-rule-exclusion.png" alt-text="Screenshot that shows the configuration settings for adding ASR per-rule exclusions." lightbox="media/attack-surface-reduction-rules-report-per-rule-exclusion.png":::
> [!TIP] > Use the checkboxes next to your list of exclusion entries to select items to **Delete**, **Sort**, **Import**, or **Export**.
security Attack Surface Reduction Rules Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment.md
This deployment collection provides information about the following aspects of a
As with any new, wide-scale implementation, which could potentially impact your line-of-business operations, it's important to be methodical in your planning and implementation. Careful planning and deployment of attack surface reduction rules is necessary to ensure they work best for your unique customer workflows. To work in your environment, you need to plan, test, implement, and operationalize attack surface reduction rules carefully.
- :::image type="content" source="images/asr-rules-deployment-phases.png" alt-text="Plan Microsoft Defender for Endpoint attack surface reduction rules, test attack surface reduction rules, Enable attack surface reduction rules, maintain attack surface reduction rules." lightbox="images/asr-rules-deployment-phases.png":::
+ :::image type="content" source="media/asr-rules-deployment-phases.png" alt-text="Plan Microsoft Defender for Endpoint attack surface reduction rules, test attack surface reduction rules, Enable attack surface reduction rules, maintain attack surface reduction rules." lightbox="media/asr-rules-deployment-phases.png":::
## Important predeployment caveat
security Attack Surface Reduction Rules Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report.md
To navigate to the summary cards for the attack surface reduction rules report
The summary report cards for ASR rules are shown in the following figure.
->:::image type="content" source="images/attack-surface-reduction-rules-report-summary.png" alt-text="Shows the ASR rules report summary cards" lightbox="images/attack-surface-reduction-rules-report-summary.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-summary.png" alt-text="Shows the ASR rules report summary cards" lightbox="media/attack-surface-reduction-rules-report-summary.png":::
## ASR rules report summary cards
Provides two 'action' buttons:
- View detections - opens the **Attack surface reduction rules** > main **Detections** tab - Add exclusions - Opens the **Attack surface reduction rules** > main **Exclusions** tab Clicking on the **ASR rules detections** link at the top of the card also opens the main [Attack surface reduction rules Detections tab](#attack-surface-reduction-rules-main-detections-tab).
Provides two 'action' buttons:
- View configuration - opens the **Attack surface reduction rules** > main **Detections** tab - Add exclusions - Opens the **Attack surface reduction rules** > main **Exclusions** tab Clicking on the **ASR rules configuration** link at the top of the card also opens the main [Attack surface reduction rules Configuration tab](#attack-surface-reduction-rules-main-configuration-tab).
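Review bot: In the configuration card's button list, "View configuration" is described as opening the main **Detections** tab, which reads like a copy of the detections card's entry just above it; the link sentence on the same line points to the main Configuration tab instead. Check the button's actual target and, if it goes to Configuration, change the text to say so.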
While the ASR rules report summary cards are useful for getting quick summary of
Search capability is added to **Detection**, **Configuration**, and **Add exclusion** main tabs. With this capability, you can search by using device ID, file name, or process name.
->:::image type="content" source="images/attack-surface-reduction-rules-report-main-tabs-search.png" alt-text="Shows the ASR rules report search feature." lightbox="images/attack-surface-reduction-rules-report-main-tabs-search.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-main-tabs-search.png" alt-text="Shows the ASR rules report search feature." lightbox="media/attack-surface-reduction-rules-report-main-tabs-search.png":::
### Filtering
Filtering provides a way for you to specify what results are returned:
> [!TIP] > As the filter currently functions in this release, every time you want to "group by", you must first scroll down to last detection in the list to load the complete data set. After you have loaded the complete data set, you can then launch the "sort by" filtering. If you don't scroll down to last detection listed on every use or when changing filtering options (for example, the ASR rules applied to the current filter run), then results will be incorrect for any result that has more than one viewable page of listed detections.
->:::image type="content" source="images/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png" alt-text="Screenshot that shows the ASR rules report search feature on the configuration tab." lightbox="images/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png" alt-text="Screenshot that shows the ASR rules report search feature on the configuration tab." lightbox="media/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png":::
> [!div class="mx-imgBorder"]
-> :::image type="content" source="images/asr-defender365-filter.png" alt-text="Screenshot that shows the attack surface reduction rules detections filter on rules." lightbox="images/asr-defender365-filter.png":::
+> :::image type="content" source="media/asr-defender365-filter.png" alt-text="Screenshot that shows the attack surface reduction rules detections filter on rules." lightbox="media/asr-defender365-filter.png":::
### Attack surface reduction rules main detections tab
Filtering provides a way for you to specify what results are returned:
- **Blocked Detections** Shows how many threat detections were blocked by rules set in _Block_ mode. - **Large, consolidated graph** Shows blocked and audited detections.
->:::image type="content" source="images/attack-surface-reduction-rules-report-main-detections-tab.png" alt-text="Shows the ASR rules report main detections tab, with _Audit detections_ and _Blocked detections_ outlined." lightbox="images/attack-surface-reduction-rules-report-main-detections-tab.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-main-detections-tab.png" alt-text="Shows the ASR rules report main detections tab, with _Audit detections_ and _Blocked detections_ outlined." lightbox="media/attack-surface-reduction-rules-report-main-detections-tab.png":::
The graphs provide detection data over the displayed date range, with the capability to hover over a specific location to gather date-specific information.
For more information about ASR rule audit and block modes, see [Attack surface r
The "Detection" main page has a list of all detections (files/processes) in the last 30 days. Select on any of the detections to open with drill-down capabilities.
->:::image type="content" source="images/attack-surface-reduction-rules-report-main-detections-flyout.png" alt-text="Shows the ASR rules report main detections tab flyout" lightbox="images/attack-surface-reduction-rules-report-main-detections-flyout.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-main-detections-flyout.png" alt-text="Shows the ASR rules report main detections tab flyout" lightbox="media/attack-surface-reduction-rules-report-main-detections-flyout.png":::
The **Possible exclusion and impact** section provides impact of the selected file or process. You can:
The **Possible exclusion and impact** section provides impact of the selected fi
The following image illustrates how the Advanced Hunting query page opens from the link on the actionable flyout:
->:::image type="content" source="images/attack-surface-reduction-rules-report-main-detections-flyout-hunting.png" alt-text="Shows the attack surface reduction rules report main detections tab flyout link opening Advanced Hunting" lightbox="images/attack-surface-reduction-rules-report-main-detections-flyout-hunting.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-main-detections-flyout-hunting.png" alt-text="Shows the attack surface reduction rules report main detections tab flyout link opening Advanced Hunting" lightbox="media/attack-surface-reduction-rules-report-main-detections-flyout-hunting.png":::
For more information about Advanced hunting, see [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](advanced-hunting-overview.md)
The ASR rules main **Configuration** tab provides summary and per-device ASR rul
These elements are shown in the following figure.
->:::image type="content" source="images/attack-surface-reduction-rules-report-main-configuration-tab.png" alt-text="Shows the ASR rules report main configuration tab" lightbox="images/attack-surface-reduction-rules-report-main-configuration-tab.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-main-configuration-tab.png" alt-text="Shows the ASR rules report main configuration tab" lightbox="media/attack-surface-reduction-rules-report-main-configuration-tab.png":::
To enable ASR rules:
The **Configuration** tab and _add rule_ flyout are shown in the following image
> [NOTE!] > If you have devices that require that different ASR rules be applied, you should configure those devices individually.
->:::image type="content" source="images/attack-surface-reduction-rules-report-configuration-add-to-policy.png" alt-text="Shows the ASR rules fly-out to add ASR rules to devices" lightbox="images/attack-surface-reduction-rules-report-configuration-add-to-policy.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-configuration-add-to-policy.png" alt-text="Shows the ASR rules fly-out to add ASR rules to devices" lightbox="media/attack-surface-reduction-rules-report-configuration-add-to-policy.png":::
### Attack surface reduction rules Add exclusions tab
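Review bot: The context line directly above the changed image reads `> [NOTE!]`, with the exclamation mark after the keyword, whereas every other alert in this file is written `[!NOTE]`, `[!TIP]` or `[!IMPORTANT]`, so this one is unlikely to render as a note. Correct it to `> [!NOTE]` in the same pass as the path update.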
The **Add exclusions** tab presents a ranked list of detections by file name and
- **Detections** The total number of detected events for named file. Individual devices can trigger multiple ASR rules events. - **Devices** The number of devices on which the detection occurred.
->:::image type="content" source="images/attack-surface-reduction-rules-report-exclusion-tab.png" alt-text="Shows the ASR rules report add exclusions tab" lightbox="images/attack-surface-reduction-rules-report-exclusion-tab.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-exclusion-tab.png" alt-text="Shows the ASR rules report add exclusions tab" lightbox="media/attack-surface-reduction-rules-report-exclusion-tab.png":::
> [!IMPORTANT] > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files are allowed to run, and no report or event will be recorded.
The Add exclusion page has two buttons for actions that can be used on any detec
- **Add exclusion** which will open Microsoft Intune ASR policy page. For more information, see: [Intune](enable-attack-surface-reduction.md) in "Enable ASR rules alternate configuration methods." - **Get exclusion paths** which will download file paths in a csv format
->:::image type="content" source="images/attack-surface-reduction-rules-report-main-add-exclusions-flyout.png" alt-text="Shows the ASR rules report add exclusions tab flyout impact summary" lightbox="images/attack-surface-reduction-rules-report-main-add-exclusions-flyout.png":::
+>:::image type="content" source="media/attack-surface-reduction-rules-report-main-add-exclusions-flyout.png" alt-text="Shows the ASR rules report add exclusions tab flyout impact summary" lightbox="media/attack-surface-reduction-rules-report-main-add-exclusions-flyout.png":::
## See also
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
For a sequential, end-to-end process of how to manage attack surface reduction r
You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [Microsoft Defender Vulnerability Management](/windows/security/threat-protection/). In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.
security Behavioral Blocking Containment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md
With these capabilities, more threats can be prevented or blocked, even if they
The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities: ## Components of behavioral blocking and containment
Behavior-based device-learning models in Defender for Endpoint caught and stoppe
While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the [Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-defender). This example shows how behavior-based device-learning models in the cloud add new layers of protection against attacks, even after they have started running.
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
Get the current list of attack surface reduction rules GUIDs from [Attack surfac
This will set each up for audit only.
- :::image type="content" source="images/asr-guid.png" alt-text="The Attack surface reduction configuration" lightbox="images/asr-guid.png":::
+ :::image type="content" source="media/asr-guid.png" alt-text="The Attack surface reduction configuration" lightbox="media/asr-guid.png":::
Policy|Location|Setting ||
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
The static proxy is configurable through group policy (GP), both the settings un
Set it to **Enabled** and select **Disable Authenticated Proxy usage**.
- :::image type="content" source="images/atp-gpo-proxy1.png" alt-text="The Group Policy setting1 status pane" lightbox="images/atp-gpo-proxy1.png":::
+ :::image type="content" source="media/atp-gpo-proxy1.png" alt-text="The Group Policy setting1 status pane" lightbox="media/atp-gpo-proxy1.png":::
- **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: Configure the proxy.
- :::image type="content" source="images/atp-gpo-proxy2.png" alt-text="The Group Policy setting2 status pane" lightbox="images/atp-gpo-proxy2.png":::
+ :::image type="content" source="media/atp-gpo-proxy2.png" alt-text="The Group Policy setting2 status pane" lightbox="media/atp-gpo-proxy2.png":::
| Group Policy | Registry key | Registry entry | Value |
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
The following steps are only applicable if you're using a third-party anti-malwa
- Type: `REG_DWORD` - Value: `1`
- :::image type="content" source="images/atp-verify-passive-mode.png" alt-text="The passive mode verification result" lightbox="images/atp-verify-passive-mode.png":::
+ :::image type="content" source="media/atp-verify-passive-mode.png" alt-text="The passive mode verification result" lightbox="media/atp-verify-passive-mode.png":::
#### Known issues and limitations in the new, unified solution package for Windows Server 2012 R2 and 2016
security Customize Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-controlled-folders.md
You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil
``` 3. Repeat step 2 for each folder that you want to protect. Folders that are protected are visible in the Windows Security app.
- :::image type="content" source="images/cfa-allow-folder-ps.png" alt-text="The PowerShell window with cmdlet shown" lightbox="images/cfa-allow-folder-ps.png":::
+ :::image type="content" source="medilet shown" lightbox="media/cfa-allow-folder-ps.png":::
> [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list and not `Set-MpPreference`. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
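Review bot: The added image line is malformed: it reads `source="medilet shown"` and has no `alt-text` attribute, so the new path and the alt text of the removed line appear to have been run together. Going by the removed line and the `lightbox` value, it should read `source="media/cfa-allow-folder-ps.png" alt-text="The PowerShell window with cmdlet shown"`.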
An allowed application or service only has write access to a controlled folder a
4. Select **Add an allowed app** and follow the prompts to add apps.
- :::image type="content" source="images/cfa-allow-app.png" alt-text="The Add an allowed app button" lightbox="images/cfa-allow-app.png":::
+ :::image type="content" source="media/cfa-allow-app.png" alt-text="The Add an allowed app button" lightbox="media/cfa-allow-app.png":::
### Use Group Policy to allow specific apps
An allowed application or service only has write access to a controlled folder a
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
- :::image type="content" source="images/cfa-allow-app-ps.png" alt-text="The PowerShell cmdlet to allow an application" lightbox="images/cfa-allow-app-ps.png":::
+ :::image type="content" source="medilet to allow an application" lightbox="media/cfa-allow-app-ps.png":::
> [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
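Review bot: The added line for `cfa-allow-app-ps.png` has the same damage as the folder screenshot earlier in this file: `source="medilet to allow an application"` is neither a path nor an alt text, and the `alt-text` attribute is gone. Restore it from the removed line as `source="media/cfa-allow-app-ps.png" alt-text="The PowerShell cmdlet to allow an application"`.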
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
When you're done reviewing and undoing actions that were taken as a result of fa
### Remove a file from quarantine across multiple devices > [!div class="mx-imgBorder"]
-> :::image type="content" source="images/autoir-quarantine-file-1.png" alt-text="The Quarantine file" lightbox="images/autoir-quarantine-file-1.png":::
+> :::image type="content" source="media/autoir-quarantine-file-1.png" alt-text="The Quarantine file" lightbox="media/autoir-quarantine-file-1.png":::
1. In the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139), select **Actions & submissions** and then select **Action center**.
security Defender Endpoint Trial User Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-trial-user-guide.md
This playbook is a simple guide to help you make the most of your free trial. Us
<table> <tr> <td><a href="microsoft-defender-endpoint.md#tvm"><center><img src="images/logo-mdvm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td>
-<td><a href="microsoft-defender-endpoint.md#asr"><center><img src="images/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td>
+<td><a href="microsoft-defender-endpoint.md#asr"><center><img src="media/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td>
<td><center><a href="microsoft-defender-endpoint.md#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td> <td><center><a href="microsoft-defender-endpoint.md#edr"><img src="images/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td> <td><center><a href="microsoft-defender-endpoint.md#ai"><img src="media/air-icon.png" alt="Automated investigation and remediation"><br> <b>Automated investigation and remediation</b></a></center></td>
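Review bot: Only two cells of this table end up under `media/` (`asr-icon.png` in the changed line and `air-icon.png` in the context below it), while `logo-mdvm.png`, `ngp-icon.png` and `edr-icon.png` still point at `images/`. Confirm those three files are staying in `images/`; if that folder is being retired, update them in this change so the row does not ship with broken icons.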
security Edr Detection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-detection.md
After a few minutes, a detection should be raised in Microsoft Defender XDR.
12. Go to the **Alert** Queue.
- :::image type="content" source="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="Screenshot that shows a macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions":::
+ :::image type="content" source="media/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="Screenshot that shows a macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions":::
The macOS EDR test alert shows severity, category, detection source, and a collapsed menu of actions.
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
Example:
- 2: Audit (Evaluate how the attack surface reduction rule would impact your organization if enabled) - 6: Warn (Enable the attack surface reduction rule but allow the end-user to bypass the block)
- :::image type="content" source="images/asr-rules-gp.png" alt-text="attack surface reduction rules in Group Policy" lightbox="images/asr-rules-gp.png":::
+ :::image type="content" source="media/asr-rules-gp.png" alt-text="attack surface reduction rules in Group Policy" lightbox="media/asr-rules-gp.png":::
5. To exclude files and folders from attack surface reduction rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
security Investigate Behind Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-behind-proxy.md
For more information, see [Enable network protection](enable-network-protection.
When network protection is turned on, you'll see that on a device's timeline the IP address keeps representing the proxy, while the real target address shows up. Other events triggered by the network protection layer are now available to surface the real domain names even behind a proxy. Event's information: ## Hunt for connection events using advanced hunting
DeviceNetworkEvents
| take 10 ``` You can also filter out events that are related to connection to the proxy itself.
security Investigate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md
This section shows all the cloud applications where the file is observed. It als
The **File names** tab lists all names the file has been observed to use, within your organizations. ## File content and capabilities
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-incidents.md
When you investigate an incident, you'll see:
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, devices, investigations, evidence, graph). ### Alerts
You can investigate the alerts and see how they were linked together in an incid
- Same file - The files associated with the alert are exactly the same - Same URL - The URL that triggered the alert is exactly the same You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md).
You can also manage an alert and see alert metadata along with other information
You can also investigate the devices that are part of, or related to, a given incident. For more information, see [Investigate devices](investigate-machines.md). ### Investigations Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts. ## Going through the evidence
Microsoft Defender for Endpoint automatically investigates all the incidents' su
Each of the analyzed entities will be marked as infected, remediated, or suspicious. ## Visualizing associated cybersecurity threats
Microsoft Defender for Endpoint aggregates the threat information into an incide
The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which device. etc. You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether it's been observed in your organization, if so, how many instances. ## Related topics
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
When you investigate a user account entity, you can see:
- Alerts related to this user - Observed in organization (devices logged on to) ### User details
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Follow the below steps for setting up MAM config for unenrolled devices for Netw
5. In the **Assignments** section, an admin can choose groups of users to include and exclude from the policy.
- :::image type="content" source="images/assigniosconfig.png" alt-text="Assign configuration." lightbox="images/assigniosconfig.png":::
+ :::image type="content" source="media/assigniosconfig.png" alt-text="Assign configuration." lightbox="media/assigniosconfig.png":::
6. Review and create the configuration policy.
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
The XMDEClientAnalyzer support tool contains syntax that can be used to add Audi
AuditD exclusion – support tool syntax help: **By initiator**
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
To grant full disk access:
Starting with macOS 13, a user must explicitly allow an application to run in background. macOS will pop a prompt up, telling the user that Microsoft Defender can run in background. You can view applications permitted to run in background in System Settings => Login Items => Allow in the Background at any time: Make sure all Microsoft Defender and Microsoft Corporation items are enabled. If they are disabled then macOS will not start Microsoft Defender after a machine restart.
security Mac Jamfpro Enroll Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md
For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c
2. Select **+ New**.
- :::image type="content" source="images/b6c7ad56d50f497c38fc14c1e315456c.png" alt-text="The close up of a logo description automatically generated" lightbox="images/b6c7ad56d50f497c38fc14c1e315456c.png":::
+ :::image type="content" source="media/b6c7ad56d50f497c38fc14c1e315456c.png" alt-text="The close up of a logo description automatically generated" lightbox="media/b6c7ad56d50f497c38fc14c1e315456c.png":::
3. In **Specify Recipients for the Invitation** > under **Email Addresses** enter the e-mail address(es) of the recipients.
For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c
4. Configure the message for the invitation.
- :::image type="content" source="images/ce580aec080512d44a37ff8e82e5c2ac.png" alt-text="The configuration settings5" lightbox="images/ce580aec080512d44a37ff8e82e5c2ac.png":::
+ :::image type="content" source="media/ce580aec080512d44a37ff8e82e5c2ac.png" alt-text="The configuration settings5" lightbox="media/ce580aec080512d44a37ff8e82e5c2ac.png":::
:::image type="content" source="media/5856b765a6ce677caacb130ca36b1a62.png" alt-text="The configuration settings6" lightbox="media/5856b765a6ce677caacb130ca36b1a62.png":::
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
Note that you must use exact `com.microsoft.wdav` as the **Preference Domain**,
9. Select **Add**, then select **Save**.
- :::image type="content" source="images/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The page on which you can add the Configuration settings." lightbox="images/cf30438b5512ac89af1d11cbf35219a6.png":::
+ :::image type="content" source="media/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The page on which you can add the Configuration settings." lightbox="media/cf30438b5512ac89af1d11cbf35219a6.png":::
:::image type="content" source="media/6f093e42856753a3955cab7ee14f12d9.png" alt-text="The page on which you can save the Configuration settings." lightbox="media/6f093e42856753a3955cab7ee14f12d9.png":::
All you need to do to have updates is to download an updated schema, edit existi
15. Select **Add**, then select **Save**.
- :::image type="content" source="images/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The configuration settings addsav." lightbox="images/cf30438b5512ac89af1d11cbf35219a6.png":::
+ :::image type="content" source="media/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The configuration settings addsav." lightbox="media/cf30438b5512ac89af1d11cbf35219a6.png":::
:::image type="content" source="media/6f093e42856753a3955cab7ee14f12d9.png" alt-text="The notification of configuration settings." lightbox="media/6f093e42856753a3955cab7ee14f12d9.png":::
These steps are applicable on macOS 11 (Big Sur) or later.
- **Distribution Method**: Install Automatically *(default)* - **Level**: Computer Level *(default)*
- :::image type="content" source="images/c9820a5ff84aaf21635c04a23a97ca93.png" alt-text="The new macOS configuration profile page." lightbox="images/c9820a5ff84aaf21635c04a23a97ca93.png":::
+ :::image type="content" source="media/c9820a5ff84aaf21635c04a23a97ca93.png" alt-text="The new macOS configuration profile page." lightbox="media/c9820a5ff84aaf21635c04a23a97ca93.png":::
- Tab **Notifications**, click **Add**, and enter the following values: - **Bundle ID**: `com.microsoft.wdav.tray`
These steps are applicable on macOS 11 (Big Sur) or later.
14. Select **Done**.
- :::image type="content" source="images/ba44cdb77e4781aa8b940fb83e3c21f7.png" alt-text="The completion notification regarding the configuration settings." lightbox="images/ba44cdb77e4781aa8b940fb83e3c21f7.png":::
+ :::image type="content" source="media/ba44cdb77e4781aa8b940fb83e3c21f7.png" alt-text="The completion notification regarding the configuration settings." lightbox="media/ba44cdb77e4781aa8b940fb83e3c21f7.png":::
## Step 6: Grant full disk access to Microsoft Defender for Endpoint
These steps are applicable on macOS 11 (Big Sur) or later.
- Distribution method: Install Automatically - Level: Computer level
- :::image type="content" source="images/ba3d40399e1a6d09214ecbb2b341923f.png" alt-text="The configuration setting in general." lightbox="images/ba3d40399e1a6d09214ecbb2b341923f.png":::
+ :::image type="content" source="media/ba3d40399e1a6d09214ecbb2b341923f.png" alt-text="The configuration setting in general." lightbox="media/ba3d40399e1a6d09214ecbb2b341923f.png":::
4. In **Configure Privacy Preferences Policy Control** select **Configure**.
These steps are applicable on macOS 11 (Big Sur) or later.
6. Select **+ Add**.
- :::image type="content" source="images/bd93e78b74c2660a0541af4690dd9485.png" alt-text="The configuration setting add system policy all files option." lightbox="images/bd93e78b74c2660a0541af4690dd9485.png":::
+ :::image type="content" source="media/bd93e78b74c2660a0541af4690dd9485.png" alt-text="The configuration setting add system policy all files option." lightbox="media/bd93e78b74c2660a0541af4690dd9485.png":::
- Under App or service: Set to **SystemPolicyAllFiles**
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
4. Select your computer and click the gear icon at the top, then select **Computer Management**.
- :::image type="content" source="images/b6d671b2f18b89d96c1c8e2ea1991242.png" alt-text="The configuration settings - computer management." lightbox="images/b6d671b2f18b89d96c1c8e2ea1991242.png":::
+ :::image type="content" source="media/b6d671b2f18b89d96c1c8e2ea1991242.png" alt-text="The configuration settings - computer management." lightbox="media/b6d671b2f18b89d96c1c8e2ea1991242.png":::
5. In **Packages**, select **+ New**. :::image type="content" source="media/57aa4d21e2ccc65466bf284701d4e961.png" alt-text="The bird Description for an automatically generated package." lightbox="media/57aa4d21e2ccc65466bf284701d4e961.png":::
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
Select **Self-Service**, if you want users to install Microsoft Defender voluntarily, on demand.
- :::image type="content" source="images/c9f85bba3e96d627fe00fc5a8363b83a.png" alt-text="The Self Service tab for configuration settings." lightbox="images/c9f85bba3e96d627fe00fc5a8363b83a.png":::
+ :::image type="content" source="media/c9f85bba3e96d627fe00fc5a8363b83a.png" alt-text="The Self Service tab for configuration settings." lightbox="media/c9f85bba3e96d627fe00fc5a8363b83a.png":::
20. Select **Done**.
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, y
1. Select the **Assign licenses** link.
- :::image type="content" source="images/assign-licenses-link.png" alt-text="Screenshot of the product page from which you can select the Assign licenses link.":::
+ :::image type="content" source="media/assign-licenses-link.png" alt-text="Screenshot of the product page from which you can select the Assign licenses link.":::
The following screen appears:
For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, y
The following screen appears, displaying the details of the chosen license assignee and a list of options.
- :::image type="content" source="images/assignee-details-and-options.png" alt-text="Screenshot of the page displaying the assignee's details and a list of options.":::
+ :::image type="content" source="media/assignee-details-and-options.png" alt-text="Screenshot of the page displaying the assignee's details and a list of options.":::
1. Check the checkboxes for **Microsoft 365 Advanced Auditing**, **Microsoft Defender XDR**, and **Microsoft Defender for Endpoint**. 1. Select **Save**.
security Manage Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-alerts.md
You can manage alerts by selecting an alert in the **Alerts queue**, or the **Al
Selecting an alert in either of those places brings up the **Alert management pane**. Watch this video to learn how to use the new Microsoft Defender for Endpoint alert page. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5]
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-incidents.md
Managing incidents is an important part of every cybersecurity operation. You ca
Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details. You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
You can assign incidents to yourself, change the status and classification, rena
> Incidents that existed prior the rollout of automatic incident naming will retain their names. > ## Assign incidents If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
security Manage Sys Extensions Manual Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-manual-deployment.md
If you run systemextensionsctl list, the following screen appears:
4. From the resultant screen, check the **Microsoft Defender** checkbox.
- :::image type="content" source="images/checking-md-checkbox.png" alt-text="Checking the Microsoft Defender checkbox." lightbox="images/checking-md-checkbox.png":::
+ :::image type="content" source="medi-checkbox.png":::
### Full Disk Access
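Review bot: The added line's `source="medi-checkbox.png"` does not follow the `images/` to `media/` rename applied in the other hunks of this update. The removed line pointed at `images/checking-md-checkbox.png`, so the expected value is `media/checking-md-checkbox.png`. The added line also drops the `alt-text` and `lightbox` attributes that the removed line carried. Restore the full path and both attributes before merging.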
If you run systemextensionsctl list, the following screen appears:
1. Confirm that the Microsoft Defender extension has full disk access; if not, check the **Microsoft Defender** checkbox.
- :::image type="content" source="images/check-md-checkbox.png" alt-text="Checking the MD checkbox." lightbox="images/check-md-checkbox.png":::
+ :::image type="content" source="medi-checkbox.png":::
### Notifications
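Review bot: The added line uses the same `source="medi-checkbox.png"` as the added line in the preceding hunk of this file, although the two removed lines referenced different files (`images/checking-md-checkbox.png` there, `images/check-md-checkbox.png` here). As written, both steps would point at one image, and the `alt-text` and `lightbox` attributes are gone. Set this one to `media/check-md-checkbox.png` and keep the original attributes.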
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Defender for Endpoint uses the following combination of technology built into Wi
<table> <tr> <td><a href="#tvm"><center><img src="images/logo-mdvm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td>
-<td><a href="#asr"><center><img src="images/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td>
+<td><a href="#asr"><center><img src="media/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td>
<td><center><a href="#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td> <td><center><a href="#edr"><img src="images/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td> <td><center><a href="#ai"><img src="media/air-icon.png" alt="Automated investigation and remediation"><br> <b>Automated investigation and remediation</b></a></center></td>
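Review bot: Only the `asr-icon.png` cell is moved to `media/`. The other cells of the same table still reference `images/logo-mdvm.png`, `images/ngp-icon.png` and `images/edr-icon.png`, while `air-icon.png` is already under `media/`. Confirm whether the remaining icons were moved as well, and if so update those `src` values in this change so the table does not end up with a mix of working and broken icons.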
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
You can use either of the following methods:
2. Select the Defender for Endpoint workspace, and click **Remove**.
- :::image type="content" source="images/atp-mma.png" alt-text="The Workspaces pane" lightbox="images/atp-mma.png":::
+ :::image type="content" source="media/atp-mma.png" alt-text="The Workspaces pane" lightbox="media/atp-mma.png":::
#### Run a PowerShell command to remove the configuration
security Onboarding Endpoint Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md
Microsoft Defender Antivirus is a built-in anti-malware solution that provides n
For more information, see [Windows Security configuration framework](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework).
- :::image type="content" source="images/cd7daeb392ad5a36f2d3a15d650f1e96.png" alt-text="The next-generation protection pane2" lightbox="images/cd7daeb392ad5a36f2d3a15d650f1e96.png":::
+ :::image type="content" source="media/cd7daeb392ad5a36f2d3a15d650f1e96.png" alt-text="The next-generation protection pane2" lightbox="media/cd7daeb392ad5a36f2d3a15d650f1e96.png":::
:::image type="content" source="media/36c7c2ed737f2f4b54918a4f20791d4b.png" alt-text="The next-generation protection pane3" lightbox="media/36c7c2ed737f2f4b54918a4f20791d4b.png":::
See [Optimize attack surface reduction rule deployment and detections](/microsof
3. Set the setting to **Audit** and select **Next**.
- :::image type="content" source="images/c039b2e05dba1ade6fb4512456380c9f.png" alt-text="The System Center Configuration Manager2" lightbox="images/c039b2e05dba1ade6fb4512456380c9f.png":::
+ :::image type="content" source="media/c039b2e05dba1ade6fb4512456380c9f.png" alt-text="The System Center Configuration Manager2" lightbox="media/c039b2e05dba1ade6fb4512456380c9f.png":::
4. Confirm the new Exploit Guard Policy by selecting **Next**.
security Onboarding Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md
In this section, we create a test group to assign your configurations on.
3. Enter details and create a new group. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/b1e0206d675ad07db218b63cd9b9abc3.png" alt-text="The Microsoft Intune admin center2" lightbox="images/b1e0206d675ad07db218b63cd9b9abc3.png":::
+ > :::image type="content" source="media/b1e0206d675ad07db218b63cd9b9abc3.png" alt-text="The Microsoft Intune admin center2" lightbox="media/b1e0206d675ad07db218b63cd9b9abc3.png":::
4. Add your test user or device.
Then, you continue by creating several different types of endpoint security poli
5. Select settings as required, then select **Next**. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/cea7e288b5d42a9baf1aef0754ade910.png" alt-text="The Microsoft Intune admin center6" lightbox="images/cea7e288b5d42a9baf1aef0754ade910.png":::
+ > :::image type="content" source="media/cea7e288b5d42a9baf1aef0754ade910.png" alt-text="The Microsoft Intune admin center6" lightbox="media/cea7e288b5d42a9baf1aef0754ade910.png":::
> [!NOTE] > In this instance, this has been auto populated as Defender for Endpoint has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp).
Then, you continue by creating several different types of endpoint security poli
4. Select **Windows 10 and Later - Web protection > Create**. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png" alt-text="The Microsoft Intune admin center26" lightbox="images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png":::
+ > :::image type="content" source="media/cd7b5a1cbc16cc05f878cdc99ba4c27f.png" alt-text="The Microsoft Intune admin center26" lightbox="media/cd7b5a1cbc16cc05f878cdc99ba4c27f.png":::
5. Enter a name and description, then select **Next**.
To confirm that the configuration policy is applied to your test device, follow
1. Before applying the configuration, the Defender for Endpoint Protection service shouldn't be started. > [!div class="mx-imgBorder"]
- > [![Image of Services panel1.](images/b418a232a12b3d0a65fc98248dbb0e31.png)](images/b418a232a12b3d0a65fc98248dbb0e31.png#lightbox)
+ > [![Image of Services panel1.](media/b418a232a12b3d0a65fc98248dbb0e31.png)](media/b418a232a12b3d0a65fc98248dbb0e31.png#lightbox)
2. After the configuration is applied, the Defender for Endpoint Protection service should be started.
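Review bot: The added line keeps the legacy `[![...](...)](...#lightbox)` Markdown form, while the other images changed in this file use `:::image type="content" ... lightbox="...":::`. Convert this one to the `:::image` form while the path is being edited, and replace the alt-text "Image of Services panel1." with a description of the service state the step asks the reader to verify.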
To confirm that the configuration policy is applied to your test device, follow
> > AttackSurfaceReductionRules_Ids:
- :::image type="content" source="images/cb0260d4b2636814e37eee427211fe71.png" alt-text="The command line-1" lightbox="images/cb0260d4b2636814e37eee427211fe71.png":::
+ :::image type="content" source="media/cb0260d4b2636814e37eee427211fe71.png" alt-text="The command line-1" lightbox="media/cb0260d4b2636814e37eee427211fe71.png":::
3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`.
To confirm that the configuration policy is applied to your test device, follow
4. You should see a response with a 1 as shown in the following image:
- :::image type="content" source="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png" alt-text="The command line-4" lightbox="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png":::
+ :::image type="content" source="media/c06fa3bbc2f70d59dfe1e106cd9a4683.png" alt-text="The command line-4" lightbox="media/c06fa3bbc2f70d59dfe1e106cd9a4683.png":::
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Onboarding Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md
You need to have access to:
2. Specify the start and time. 3. Specify the frequency. For example, every 5 minutes.
- :::image type="content" source="images/build-flow.png" alt-text="The notification flow" lightbox="images/build-flow.png":::
+ :::image type="content" source="media/build-flow.png" alt-text="The notification flow" lightbox="media/build-flow.png":::
4. Select the + button to add a new action. The new action is an HTTP request to the Defender for Endpoint devices API. You can also replace it with the out-of-the-box **WDATP Connector** (action: **Machines - Get list of machines**).
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
Microsoft Defender for Endpoint seamlessly integrates with existing security sol
Logo|Partner name|Description :|:|:
-![Logo for AttackIQ.](images/attackiq-logo.png)|[AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502)|AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets
+![Logo for AttackIQ.](media/attackiq-logo.png)|[AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502)|AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets
![Logo for Microsoft Sentinel.](images/sentinel-logo.png)|[AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705)|Stream alerts from Microsoft Defender for Endpoint into Microsoft Sentinel ![Logo for Cymulate.](images/cymulate-logo.png)|[Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)|Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions ![Logo for Elastic security.](images/elastic-security-logo.png)|[Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303)|Elastic Security is a free and open solution for preventing, detecting, and responding to threats
Logo|Partner name|Description
Logo|Partner name|Description :|:|: ![Logo for Aruba ClearPass Policy Manager.](media/aruba-logo.png)|[Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544)|Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network
-![Logo for Blue Hexagon for Network.](images/bluehexagon-logo.png)|[Blue Hexagon for Network](/training/modules/explore-malware-threat-protection/)|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
+![Logo for Blue Hexagon for Network.](media/bluehexagon-logo.png)|[Blue Hexagon for Network](/training/modules/explore-malware-threat-protection/)|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
![Logo for CyberMDX.](images/cybermdx-logo.png)|[CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620)|Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment ![Logo for HYAS Protect.](images/hyas-logo.png)|[HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763)|HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks ![Logo for Vectra Network Detection and Response (NDR).](images/vectra-logo.png)|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)|Vectra applies AI & security research to detect and respond to cyber-attacks in real time
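Review bot: On the Blue Hexagon row, the partner link target is `/training/modules/explore-malware-threat-protection/`, a training module path, whereas every other partner row visible in this table links through `https://go.microsoft.com/fwlink/?linkid=...`. The change carries that link over untouched; check that it is the intended destination for this partner and correct it in the same edit. The unchanged CyberMDX row below also reads "threat prevention and repose", which looks like a typo worth fixing while the table is open.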
Logo|Partner name|Description
Logo|Partner name|Description :|:|:
-![Logo for Bitdefender.](images/bitdefender-logo.png)|[Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)|Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
-![Logo for Better Mobile.](images/bettermobile-logo.png)|[Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)|AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
+![Logo for Bitdefender.](media/bitdefender-logo.png)|[Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)|Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
+![Logo for Better Mobile.](media/bettermobile-logo.png)|[Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)|AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
![Logo for Corrata.](images/corrata-new.png)|[Corrata](https://go.microsoft.com/fwlink/?linkid=2081148)|Mobile solution - Protect your mobile devices with granular visibility and control from Corrata ![Logo for Lookout.](images/lookout-logo.png)|[Lookout](https://go.microsoft.com/fwlink/?linkid=866935)|Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices ![Logo for Symantec Endpoint Protection Mobile.](images/symantec-logo.png)|[Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)|SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices
security Production Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md
Checking for the license state and whether it was properly provisioned can be do
1. To view your licenses, go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
- :::image type="content" source="images/atp-licensing-azure-portal.png" alt-text="The Azure Licensing page" lightbox="images/atp-licensing-azure-portal.png":::
+ :::image type="content" source="media/atp-licensing-azure-portal.png" alt-text="The Azure Licensing page" lightbox="media/atp-licensing-azure-portal.png":::
1. Alternately, in the admin center, navigate to **Billing** \> **Subscriptions**. On the screen, you'll see all the provisioned licenses and their current **Status**.
- :::image type="content" source="images/atp-billing-subscriptions.png" alt-text="The billing licenses page":::
+ :::image type="content" source="media/atp-billing-subscriptions.png" alt-text="The billing licenses page":::
## Cloud Service Provider validation
To gain access into which licenses are provisioned to your company, and to check
2. Clicking on the **Partner portal** link will open the **Admin on behalf** option and will give you access to the customer admin center.
- :::image type="content" source="images/atp-O365-admin-portal-customer.png" alt-text="The Office 365 admin portal" lightbox="images/atp-O365-admin-portal-customer.png":::
+ :::image type="content" source="media/atp-O365-admin-portal-customer.png" alt-text="The Office 365 admin portal" lightbox="media/atp-O365-admin-portal-customer.png":::
## Tenant Configuration
Configure a registry-based static proxy to allow only Microsoft Defender for End
2. Create a policy or edit an existing policy based off the organizational practices. 3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
- :::image type="content" source="images/atp-gpo-proxy1.png" alt-text="The options related to configuration of the usage policy" lightbox="images/atp-gpo-proxy1.png":::
+ :::image type="content" source="media/atp-gpo-proxy1.png" alt-text="The options related to configuration of the usage policy" lightbox="media/atp-gpo-proxy1.png":::
4. Select **Enabled**. 5. Select **Disable Authenticated Proxy usage**. 6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.
- :::image type="content" source="images/atp-gpo-proxy2.png" alt-text="The options related to configuration of the connected user experience and telemetry" lightbox="images/atp-gpo-proxy2.png":::
+ :::image type="content" source="media/atp-gpo-proxy2.png" alt-text="The options related to configuration of the connected user experience and telemetry" lightbox="media/atp-gpo-proxy2.png":::
7. Select **Enabled**. 8. Enter the **Proxy Server Name**.
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
This action takes effect on devices with Windows 10, version 1703 or later, and
2. Go to the top bar and select **Stop and Quarantine File**.
- :::image type="content" source="images/atp-stop-quarantine-file.png" alt-text="The stop and quarantine file action" lightbox="images/atp-stop-quarantine-file.png":::
+ :::image type="content" source="media/atp-stop-quarantine-file.png" alt-text="The stop and quarantine file action" lightbox="media/atp-stop-quarantine-file.png":::
3. Specify a reason, then select **Confirm**.
- :::image type="content" source="images/atp-stop-quarantine.png" alt-text="The stop and quarantine file page" lightbox="images/atp-stop-quarantine.png":::
+ :::image type="content" source="media/atp-stop-quarantine.png" alt-text="The stop and quarantine file page" lightbox="media/atp-stop-quarantine.png":::
The Action center shows the submission information:
- :::image type="content" source="images/atp-stopnquarantine-file.png" alt-text="The stop and quarantine file action center" lightbox="images/atp-stopnquarantine-file.png":::
+ :::image type="content" source="media/atp-stopnquarantine-file.png" alt-text="The stop and quarantine file action center" lightbox="media/atp-stopnquarantine-file.png":::
- **Submission time** - Shows when the action was submitted. - **Success** - Shows the number of devices where the file has been stopped and quarantined.
This action takes effect on devices with Windows 10, version 1703 or later, and
When the file is being removed from a device, the following notification is shown: In the device timeline, a new event is added for each device where a file was stopped and quarantined.
The **Download file** button can have the following states:
- Tenants with [role-based access (RBAC) permissions](../defender/manage-rbac.md) enabled ### Download quarantined files
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
Once you have selected **Restrict app execution** on the device page, type a com
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running: > [!NOTE] > The notification is not available on Windows Server 2016 and Windows Server 2012 R2.
The minimum requirements for 'forcibly release device from isolation' feature ar
When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network: > [!NOTE] > The notification is not available on non-Windows platforms.
security Time Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/time-settings.md
Last updated 12/18/2020
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-settings-abovefoldlink) Use the **Time zone** menu to configure the time zone and view license information. ## Time zone settings
Microsoft Defender for Endpoint can display either Coordinated Universal Time (U
Your current time zone setting is shown in the Microsoft Defender for Endpoint menu. You can change the displayed time zone in the **Time zone** menu. ### UTC time zone
The Microsoft Defender for Endpoint time zone is set by default to UTC. Setting
To set the time zone: 1. Click the **Time zone** menu.
- :::image type="content" source="images/atp-time-zone.png" alt-text="The Time zone settings-3" lightbox="images/atp-time-zone.png":::
+ :::image type="content" source="media/atp-time-zone.png" alt-text="The Time zone settings-3" lightbox="media/atp-time-zone.png":::
1. Select the **Timezone UTC** indicator. 1. Select **Timezone UTC** or your local time zone, for example -7:00.
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">
In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, we offer you a complete look at the current attack surface reduction rules configuration and events in your estate. Your devices must be onboarded into the Microsoft Defender for Endpoint service for these reports to be populated. Here's a screenshot from the Microsoft Defender portal (under **Reports** \> **Devices** \> **Attack surface reduction**). At the device level, select **Configuration** from the **Attack surface reduction rules** pane. The following screen is displayed, where you can select a specific device and check its individual attack surface reduction rule configuration. ## Microsoft Defender for Endpoint - Advanced hunting
security Troubleshoot Onboarding Error Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages.md
Potential reasons:
For both cases, you should contact Microsoft support at [General Microsoft Defender for Endpoint Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or [Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). ## Your subscription has expired
You can choose to renew or extend the license at any point in time. When accessi
> [!NOTE] > For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. ## You are not authorized to access the portal If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender for Endpoint is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. For more information, see, [**Assign user access to the portal**](/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). ## Data currently isn't available on some sections of the portal If the portal dashboard and other sections show an error message such as "Data currently isn't available": You'll need to allow the `security.windows.com` and all subdomains under it on your web browser. For example, `*.security.windows.com`.
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
If the verification fails and your environment is using a proxy to connect to th
- You can also check the previous registry key values to verify that the policy is disabled, by opening the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
- :::image type="content" source="images/atp-disableantispyware-regkey.png" alt-text="The registry key for Microsoft Defender Antivirus" lightbox="images/atp-disableantispyware-regkey.png":::
+ :::image type="content" source="media/atp-disableantispyware-regkey.png" alt-text="The registry key for Microsoft Defender Antivirus" lightbox="media/atp-disableantispyware-regkey.png":::
> [!NOTE] > All Windows Defender services (wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system.
You might also need to check the following:
- Check that there's a Microsoft Defender for Endpoint Service running in the **Processes** tab in **Task Manager**. For example:
- :::image type="content" source="images/atp-task-manager.png" alt-text="The process view with Microsoft Defender for Endpoint Service running" lightbox="images/atp-task-manager.png":::
+ :::image type="content" source="media/atp-task-manager.png" alt-text="The process view with Microsoft Defender for Endpoint Service running" lightbox="media/atp-task-manager.png":::
- Check **Event Viewer** \> **Applications and Services Logs** \> **Operation Manager** to see if there are any errors. - In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example,
- :::image type="content" source="images/atp-services.png" alt-text="The services" lightbox="images/atp-services.png":::
+ :::image type="content" source="media/atp-services.png" alt-text="The services" lightbox="media/atp-services.png":::
- In **Microsoft Monitoring Agent** \> **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running.
- :::image type="content" source="images/atp-mma-properties.png" alt-text="The Microsoft Monitoring Agent Properties" lightbox="images/atp-mma-properties.png":::
+ :::image type="content" source="media/atp-mma-properties.png" alt-text="The Microsoft Monitoring Agent Properties" lightbox="media/atp-mma-properties.png":::
- Check to see that devices are reflected in the **Devices list** in the portal.
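Review bot: The four image references in this hunk switch both `source` and `lightbox` from `images/` to `media/`, but nothing in the visible lines shows the PNG files themselves moving. Confirm that `media/atp-disableantispyware-regkey.png`, `media/atp-task-manager.png`, `media/atp-services.png` and `media/atp-mma-properties.png` exist in the same commit, otherwise the article renders with broken images and lightboxes. While these lines are being touched, the alt text "The services" on the `atp-services.png` reference says little to a screen-reader user; wording that names the Microsoft Monitoring Agent service would match the step it illustrates. The lead-ins are also inconsistent: "For example:" before the Task Manager image and "For example," before the Services image.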
security View Incidents Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/view-incidents-queue.md
On the top navigation you can:
- Apply filters - Customize and apply date ranges ## Sort and filter the incidents queue You can apply the following filters to limit the list of incidents and get a more focused view.
syntex Esignature Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-setup.md
Previously updated : 11/15/2023 Last updated : 03/15/2024 audience: admin
Before you can use SharePoint eSignature, you must first link your Azure subscri
You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up SharePoint eSignature.
+### External recipients
+
+ If you will be requesting signatures from external recipients, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration#enabling-the-integration). External recipients are people outside your organization and would be onboarded as guests into your tenant. Microsoft Entra B2B provides authentication and management of guests.
+ ## Set up SharePoint eSignature 1. In the Microsoft 365 admin center, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2171997" target="_blank">**Setup**</a>, and then select **Use content AI with Microsoft Syntex**.
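Review bot: The new `### External recipients` paragraph repeats the B2B requirement that this same change also places under `## External signers`, in `### Microsoft Entra B2B` (same link, same "provides authentication and management of guests" sentence), so the article now states the prerequisite twice in slightly different words. Keep it here as one sentence that links to the later section, or drop the later copy. Two smaller points: the heading is an H3 sitting directly before the H2 `## Set up SharePoint eSignature`, so check that it nests under the intended prerequisites heading, and the added paragraph line begins with a stray leading space. "If you will be requesting signatures" could read "If you request signatures".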
By default, SharePoint eSignature is turned on for libraries in all SharePoint s
2. If SharePoint eSignature is turned on, there will be a **Turn off** button visible. To turn off SharePoint eSignature, select **Turn off**.
+## External signers
+
+### Conditional access
+
+Certain [conditional access](/entra/identity/conditional-access/overview) might determine whether external recipients (signers outside of your organization or Microsoft 365 tenant) will be able sign a document. Depending on the admin setup, external signers might not be able to access and read the document for signing. In some other cases, they might be able to access the document for signing, but the signing operation will be unsuccessful. One common way to resolve this is to add the **Microsoft eSignature Service** to the list of approved apps via the Microsoft Entra admin center.
+
+### Microsoft Entra B2B
+
+Microsoft Entra B2B provides authentication and management of guests. External signers or recipients are considered as guests within your tenant. To be able to send requests to signers outside your organization, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration#enabling-the-integration).
+
+### Authentication
+
+External recipients might need to authenticate before they're able to access a document for signing. The type of authentication required by the external recipients depends on the configuration for guest users at the SharePoint level or at the tenant level. Additionally, if the external user belongs to an organization with a Microsoft 365 tenant, it's possible for their organization's setup to affect their authentication experience when attempting to sign the document.
+ ## Document storage and retention ### Document storage
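Review bot: Moving `## External signers` ahead of `## Document storage and retention` carries two wording defects over unchanged in the `### Conditional access` paragraph: "Certain [conditional access] might determine" has no noun (presumably "conditional access policies" is meant), and "will be able sign a document" is missing "to". Fix both as part of the move. The remediation sentence, "add the **Microsoft eSignature Service** to the list of approved apps via the Microsoft Entra admin center", also does not say which policy or list is meant. Because it changes how guests from outside the tenant reach documents, it should link to the exact procedure so admins know which policy they are changing.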
The working copy of the request is stored and retained for five years or in acco
Every email notification sent in relation to a signature request contains a URL link that allows the recipient to view, review, and sign the document. When a request reaches a terminal state (when the status is **Completed**, **Canceled**, or **Declined**), the recipient has 30 days to view, download, and store the document in a preferred location. After the link expires, it can no longer be used to access the document. For more protection, when a sender cancels a request, recipients immediately lose access to the request document. The email notification received by recipients won't contain a URL link to view the request.-
-## External signers
-
-### Conditional access
-
-Certain [conditional access](/entra/identity/conditional-access/overview) might determine whether external recipients (signers outside of your organization or Microsoft 365 tenant) will be able sign a document. Depending on the admin setup, external signers might not be able to access and read the document for signing. In some other cases, they might be able to access the document for signing, but the signing operation will be unsuccessful. One common way to resolve this is to add the **Microsoft eSignature Service** to the list of approved apps via the Microsoft Entra admin center.
-
-### Microsoft Entra B2B
-
-Microsoft Entra B2B provides authentication and management of guests. External signers are considered as guests within your tenant. To be able to send requests to signers outside your organization, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration#enabling-the-integration).
-
-### Authentication
-
-External users might need to authenticate before they're able to access a document for signing. The type of authentication required by the external recipients depends on the configuration for guest users at the SharePoint level or at the tenant level. Additionally, if the external user belongs to an organization with a Microsoft 365 tenant, it's possible for their organization's setup to affect their authentication experience when attempting to sign the document.
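Review bot: The removed block is not identical to the block added earlier in the file: "External signers are considered as guests" became "External signers or recipients are considered as guests", and "External users might need to authenticate" became "External recipients might need to authenticate". This is a move plus edits, which is worth stating in the commit message so the wording change is not missed in review. The relocated text still mixes "external signers", "external recipients" and "the external user" for the same people; pick one term and use it throughout the section.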