Updates from: 03/21/2024 09:14:24
Category Microsoft Docs article Related commit history on GitHub Change details
admin Microsoft 365 Copilot Organizational Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-organizational-messages.md
Title: "Microsoft 365 Copilot features adoption using organizational messages"
+ Title: "Copilot for Microsoft 365 features adoption using organizational messages"
search.appverid:
- MET150 - MOE150
-description: "Learn how you can use organizational messages to help with the adoption of Microsoft 365 Copilot."
+description: "Learn how you can use organizational messages to help with the adoption of Copilot for Microsoft 365."
-# Microsoft 365 Copilot features adoption using organizational messages
+# Copilot for Microsoft 365 features adoption using organizational messages
Organizational messages enable Enterprise administrators to deliver clear, actionable in-product messages to users of Microsoft 365 experiences. To learn more about organizational messages, see [Organizational Messages in Adoption Score](../adoption/organizational-messages.md) and [Organizational Messages in Intune](/mem/intune/remote-actions/organizational-messages-prerequisites).
-To help with the adoption of Microsoft 365 Copilot features, organizational messages in Microsoft 365 usage analytics report enable admins to send messages to their Microsoft 365 licensed users who haven't recently used any Copilot features. In the pipeline, we're planning to expand organizational messages across platforms like Teams, Outlook, Excel, PowerPoint, and Word to further enhance the adoption of specific Copilot features.
+To help with the adoption of Copilot for Microsoft 365 features, organizational messages in Microsoft 365 usage analytics report enable admins to send messages to their Microsoft 365 licensed users who haven't recently used any Copilot features. In the pipeline, we're planning to expand organizational messages across platforms like Teams, Outlook, Excel, PowerPoint, and Word to further enhance the adoption of specific Copilot features.
## Who can use the feature?
-To preview organizational messages in the Microsoft 365 Copilot usage report, you need to have one of the following admin roles:
+To preview organizational messages in the Copilot for Microsoft 365 usage report, you need to have one of the following admin roles:
- Global administrator
There are certain policies, if not configured properly, that can block the deliv
In the Microsoft 365 admin center, go to **Reports** > **Usage > Copilot for Microsoft 365**. Select **Schedule message** within the recommendation card and follow these steps to create an Organizational message: ### Step 1: Select message content
-Within the Message section of the Organizational messages panel, you can choose from a set of pre-made content. Each pre-made message includes a 'title,' a 'message,' and a 'link' for your users to visit when they interact with the message. You can then review what the message will look like to your targeted users within the Preview section.
+Within the **Message** section of the Organizational messages panel, choose one from the set of the pre-made content, each containing a title, message, and link for your users to visit when they interact with the message. You can then review what the message will look like to your targeted users within the **Preview** section. In the preview, we support the Windows 11 notification and Teaching popover in new Teams.
++
+*The users see the Windows 11 notification recommending they use Copilot for Microsoft 365.*
>[!NOTE] > Messages will align with your computer's system language settings. We currently support 15 languages. If your language is not among them, we will default to the nearest available option. [Check the appendix to see which languages are supported](#appendix). +
+*The users see Teams in-product Teaching Popovers in the new Teams recommending they use Copilot in Teams.*
+
+>[!NOTE]
+> Organizational messages will only show up in the new Teams.
+ ### Step 2: Select the recipients
-For this Copilot awareness scenario, the recipients of your message are, by default, selected based on their activities. Accordingly, within the Recipients section, your messages' recipient list will, at minimum, include users in your tenant who have Microsoft 365 licenses but have not actively used any Microsoft 365 Copilot features in the past month. You can further restrict the message to be seen only by members of the Microsoft 365 group you specify with the **Filter by Microsoft 365 Group** component.
+For this Copilot awareness scenario, the recipients of your message are, by default, selected based on their activities. Accordingly, within the Recipients section, your messages' recipient list will, at minimum, include users in your tenant who have Microsoft 365 licenses but have not actively used any Copilot for Microsoft 365 features in the past month. You can further restrict the message to be seen only by members of the Microsoft 365 group you specify with the **Filter by Microsoft 365 Group** component.
### Step 3: Schedule a time window and frequency for delivery of the messages Within the Schedule section, you must select a start date and an end date for your selected message. Additionally, you'll choose a frequency, which determines how often the message can be shown to the same targeted user within the scheduled timeframe. It's important to note that your message can be delivered to a user according to your set schedule and frequency. However, if the user takes the recommendation or dismisses the message, the message won't reappear to that user unless your team creates a subsequent message using this experience. + ### Step 4: Acknowledge and complete Once you're satisfied with the configuration of your message, check the acknowledgment box and then select **Schedule message**. This causes the message to be registered for delivery according to your selections. - ## WhatΓÇÖs next?
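Review bot: The added Step 1 text names the Teams surface two ways, "Teaching popover in new Teams" in the Message paragraph and "Teaching Popovers in the new Teams" in the caption that follows; pick one casing and number and use it in both places. In the same paragraph, "choose one from the set of the pre-made content, each containing a title, message, and link" leaves "each" without a plural antecedent; "choose one of the pre-made messages, each containing a title, a message, and a link" would read cleanly.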
admin Sign Up For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/sign-up-for-office-365.md
audience: Admin + ms.localizationpriority: medium - Tier1
admin What Subscription Do I Have https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/what-subscription-do-i-have.md
audience: Admin + ms.localizationpriority: medium - Tier1
admin Organizational Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/adoption/organizational-messages.md
The organizational message writer role is the new built-in role that allows assi
## Where will the messages appear?
-In this preview, we support the teaching call-out and business bars in Word, Excel, PowerPoint, and Outlook Desktop Apps.
+In this preview, we support the teaching call-out and business bars in Word, Excel, PowerPoint, Outlook Desktop Apps, and new Teams.
Business bars are supported by Microsoft 365 Consumer subscribers, Office 2019, Office 2016, Office 2013, and Office 2010. :::image type="content" source="../../media/org-message-location-bar-expanded.jpg" alt-text="In-product notification recommending to use Teams messages" lightbox="../../media/org-message-location-bar-expanded.jpg":::
The desktop teaching call-out is supported by Microsoft 365 Consumer and Commerc
*The user sees an in-product notification recommending they save to OneDrive more.* +
+*The user sees an in-product notification recommending they use interactive features during Teams meetings.*
+ ## How to enable Adoption Score Organizational Messages To enable Adoption Score Organizational Messages, the global administrator needs to enable Adoption Score first:
-1. Sign in to the [admin center](https://admin.microsoft.com/) as a global administrator and go to **Reports** \> **Adoption Score**
+1. Sign in to the [admin center](https://admin.microsoft.com/) as a global administrator and go to **Reports** \> **Adoption Score**.
1. Select **Enable Adoption Score**. It can take up to 24 hours for insights to become available.
-1. Under the **Organizational Messages** tab, select **Allow approved admins to send in-product recommendations to specified users**
+1. Under the **Organizational Messages** tab, select **Allow approved admins to send in-product recommendations to specified users**.
> [!NOTE] > Only a global administrator can enable Adoption Score. The organizational message writer role can only opt in for Adoption Score Organizational Messages.
As global administrator or organizational message writer role, you can do any of
1. Under the **Recipients** tab, the recipients are by default selected based on their activities. For example, targeted users who aren't actively using OneDrive or SharePoint with the apps enabled for the past 28 days.
-2. Select **Apply filter** \> **Choose organizational attribute**
+2. Select **Apply filter** \> **Choose organizational attribute**.
- **Groups**: In addition to the default recipients, you can send messages to specific Microsoft Entra user groups
Once messages have been created, you'll see the reporting in the table under the
## FAQs
-### Q: Why does the total number of messages seen differ from the expected number?
+### Why does the total number of messages seen differ from the expected number?
A: For any given message, not every user **in its selected audience** (selected as message recipients) will receive the message. This is expected behavior because the message delivery depends on other factors that affect a message's reach, including:
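Review bot: The first FAQ heading loses its "Q:" prefix, but the answer directly under it is unchanged and still begins "A: For any given message". The other answers touched by this change drop their "A:" prefix, so this one should drop it too or the FAQ ends up in two styles.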
A: For any given message, not every user **in its selected audience** (selected
- **System protections to prevent over-messaging and user dissatisfaction**: some communication channels have message frequency limits if too many messages are live at a given time (for example, a Teaching call-out won't appear more than twice to each user).
-### Q: How can I test the messages before sending them to users of my entire company?
+### How can I test the messages before sending them to users of my entire company?
-A: You can send messages to specific Microsoft Entra groups, such as your IT department. See [Select the recipients](#step-2-select-the-recipients) for details.
+You can send messages to specific Microsoft Entra groups, such as your IT department. See [Select the recipients](#step-2-select-the-recipients) for details.
-### Q: What is the recommended time frame window for the messages?
+### What is the recommended time frame window for the messages?
-A: As the frequency of the messages is at most once a week, the recommended minimum duration is one month. The recommended length of the time window is 12 months. The recipient's list is refreshed daily. Your messages will always be sent to users who haven't adopted the recommended practices in the last 28 days. Messages won't repeatedly send to users who have already adopted.
+As the frequency of the messages is at most once a week, the recommended minimum duration is one month. The recommended length of the time window is 12 months. The recipient's list is refreshed daily. Your messages will always be sent to users who haven't adopted the recommended practices in the last 28 days. Messages won't repeatedly send to users who have already adopted.
-### Q: Will I be able to customize the text in the messages?
+### Will I be able to customize the text in the messages?
-A: Not currently, but additional customization options will be enabled in future releases.
+Not currently, but additional customization options will be enabled in future releases.
## Organizational Messages in Microsoft Intune
admin Assign Licenses To Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/assign-licenses-to-users.md
audience: Admin + ms.localizationpriority: medium - Tier1
admin Change Address Contact And More https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/change-address-contact-and-more.md
audience: Admin + ms.localizationpriority: medium - Tier1
admin Find Your Partner Or Reseller https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/find-your-partner-or-reseller.md
audience: Admin + ms.localizationpriority: medium - Tier1
admin Add Partner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/add-partner.md
audience: Admin + ms.localizationpriority: medium - Tier1
admin Self Service Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/self-service-sign-up.md
audience: Admin + ms.localizationpriority: medium - Tier1
admin Download Software Licenses Csp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/download-software-licenses-csp.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce About Registration Numbers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/about-registration-numbers.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Add Storage Space https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/add-storage-space.md
audience: Admin + ms.localizationpriority: medium - Tier1
- Adm_O365 - SPO_Content -- commerce_purchase
+- commerce_billing
- MAX_CampaignID - okr_SMB - AdminSurgePortfolio
commerce Change Payment Frequency https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-payment-frequency.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Change Your Billing Addresses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Manage Billing Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-notifications.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Manage Billing Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-profiles.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Manage Multi Tenant Billing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-multi-tenant-billing.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Manage Payment Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-payment-methods.md
audience: Admin + ms.localizationpriority: high - Tier1
commerce Mexico Billing Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/mexico-billing-info.md
audience: Admin + ms.localizationpriority: medium -- Tier2
+- Tier1
- scotvorg - M365-subscription-management - Adm_O365
commerce Pay For Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription.md
audience: Admin + ms.localizationpriority: high - Tier1
commerce Tax Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/tax-information.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Understand Your Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Understand Your Invoice2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice2.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce View Your Bill Or Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/view-your-bill-or-invoice.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Withholding Tax Credit Global https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/withholding-tax-credit-global.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Billing Experience Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-experience-overview.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Buy Or Edit An Add On https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/buy-or-edit-an-add-on.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Close Your Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/close-your-account.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Enter Your Product Key https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/enter-your-product-key.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Buy Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/buy-licenses.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce E3 Extra Features Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/e3-extra-features-licenses.md
audience: Admin + ms.localizationpriority: medium -- Tier2
+- Tier1
- scotvorg - Adm_o365+
+- commerce_licensing
+- empty
search.appverid: MET150 description: "Learn about Microsoft 365 E3 and E5 Extra Features and how to assign licenses for it to your users." Last updated 01/25/2024
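Review bot: The added metadata entry "- empty" after "- commerce_licensing" looks like a leftover placeholder rather than an intended value, and no other article in this batch adds it. Confirm it is meant to be there, or drop it.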
commerce Manage Auto Claim Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-auto-claim-policies.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Manage License Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-license-requests.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Manage Licenses For Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-licenses-for-devices.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Manage Third Party App Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-third-party-app-licenses.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Subscriptions And Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/subscriptions-and-licenses.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Volume Licensing Invoices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/volume-licensing-invoices.md
audience: Admin + ms.localizationpriority: medium -- Tier3
+- Tier2
- scotvorg - commerce_vl
commerce Manage Billing Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-billing-accounts.md
audience: Admin -++ ms.localizationpriority: medium - Tier1
commerce Manage Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-partners.md
audience: Admin + ms.localizationpriority: medium - Tier1
- M365-subscription-management - Adm_O365 -- commerce_subscriptions
+- commerce_purchase
- AdminSurgePortfolio - admindeeplinkMAC search.appverid: MET150
commerce Manage Saas Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-saas-apps.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce No Billing Account Found https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/no-billing-account-found.md
audience: Admin -++ ms.localizationpriority: medium - Tier1
commerce Product Key Errors And Solutions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/product-key-errors-and-solutions.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Review Partner Admin Privileges https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/review-partner-admin-privileges.md
audience: Admin + ms.localizationpriority: medium -- Tier2
+- Tier1
- scotvorg - M365-subscription-management - Adm_O365
commerce Allowselfservicepurchase Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell.md
f1.keywords:
-+ audience: Admin + ms.localizationpriority: medium -- Tier2
+- Tier1
- scotvorg - M365-subscription-management - Adm_O365
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
audience: Admin + ms.localizationpriority: high - Tier1
commerce Manage Pay As You Go Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-pay-as-you-go-services.md
audience: Admin -++ ms.localizationpriority: medium - Tier1
commerce Manage Self Service Purchases Admins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins.md
audience: Admin -++ ms.localizationpriority: medium - Tier1
commerce Manage Self Service Purchases Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-users.md
f1.keywords:
-+ audience: Admin -++ ms.localizationpriority: medium - Tier1
commerce Manage Self Service Signup Subscriptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-signup-subscriptions.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Move Users Different Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/move-users-different-subscription.md
audience: Admin + ms.localizationpriority: medium - Tier1
You must be a Global, License, or User admin to assign licenses. For more inform
## Back up data before changing Microsoft 365 for business plans
-If you plan to move a user to another subscription that has fewer data-related services, or a user leaves the organization, you can download a copy of their data stored in Microsoft 365 before they are switched to the new subscription.
+If you plan to move a user to another subscription that has fewer data-related services, or a user leaves the organization, you can download a copy of their data stored in Microsoft 365 before they're switched to the new subscription.
If you're moving a user to a subscription that has the same or more services, you don't need to back up user data.
If users have Outlook, they can [export or backup email, contacts, and calendar
After the switch to the new plan is finished, users can [Import email, contacts, and calendar from an Outlook .pst file](https://support.microsoft.com/office/431a8e9a-f99f-4d5f-ae48-ded54b3440ac).
-### Save files stored in OneDrive for Business
+### Save files stored in OneDrive
-Before being switched to a different subscription, users can [download files and folders from OneDrive or SharePoint](https://support.microsoft.com/office/5c7397b7-19c7-4893-84fe-d02e8fa5df05) to a different location, such as a folder on their computer's hard drive, or a file share on the organization's network.
+Before you switch user to a different subscription, they can [download files and folders from OneDrive or SharePoint](https://support.microsoft.com/office/5c7397b7-19c7-4893-84fe-d02e8fa5df05) to a different location, such as a folder on their computer's hard drive, or a file share on the organization's network.
### Save Viva Engage information
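Review bot: The rewritten sentence under "Save files stored in OneDrive" reads "Before you switch user to a different subscription, they can", which is missing an article and pairs singular "user" with "they". "Before you switch users to a different subscription, they can" keeps the active voice and fixes both.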
Admins can export all messages, notes, files, topics, users, and groups to a .zi
If a user is switched from a subscription that has SharePoint Online to one that doesn't have it, the **SharePoint** tile no longer appears in their Microsoft 365 menu.
-However, as long as the new subscription is within the same organization as the one they are switched from, users can still access the SharePoint team site. They can view and update notebooks, documents, tasks, and calendars by using the direct URL to the team site.
+However, as long as the new subscription is within the same organization as the one they're switched from, users can still access the SharePoint team site. They can view and update notebooks, documents, tasks, and calendars by using the direct URL to the team site.
> [!TIP] > We recommend that users go to the team site before their subscription is switched and save the URL as a favorite or bookmark in their browser.
-By default, the URL of the team website is in this form:
-
-```html
-https://<orgDomain>/_layouts/15/start.aspx#/SitePages/Home.aspx
-```
-
-where _\<orgDomain\>_ is the organization's URL.
+By default, the URL of the team website is in the form
+`https://<orgDomain>/_layouts/15/start.aspx#/SitePages/Home.aspx`, where _\<orgDomain\>_ is the organization's URL.
For example, if the domain of the organization is contoso.onmicrosoft.com, then the direct URL to the team site would be `https://contoso.onmicrosoft.com/_layouts/15/start.aspx#/SitePages/Home.aspx`.
-Of course, users can also download SharePoint Online documents from the SharePoint team site to their local computer or to another location at any time.
+Users can also download SharePoint Online documents from the SharePoint team site to their local computer or to another location at any time.
## Next steps
commerce Reactivate Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/reactivate-your-subscription.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Renew Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/renew-your-subscription.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Understand Eos Products https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/understand-eos-products.md
audience: Admin + ms.localizationpriority: medium -- Tier2
+- Tier1
- scotvorg - M365-subscription-management - Adm_O365
commerce Upgrade To Different Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/upgrade-to-different-plan.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Verify Academic Eligibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/verify-academic-eligibility.md
audience: Admin + ms.localizationpriority: medium -- Tier2
+- Tier1
- scotvorg - M365-subscription-management - Adm_O365 -- commerce_subscriptions
+- commerce_signup
- AdminSurgePortfolio - admindeeplinkMAC search.appverid: MET150
commerce What If My Subscription Expires https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Try Or Buy Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/try-or-buy-microsoft-365.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Understand Proposal Workflow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/understand-proposal-workflow.md
audience: Admin + ms.localizationpriority: medium - Tier1
- M365-subscription-management - Adm_O365 -- commerce_purchase
+- commerce_subscriptions
- AdminSurgePortfolio search.appverid: MET150 description: "Learn about the proposal workflow used when you buy Microsoft business products and services. Discover how to review and approve proposals."
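Review bot: The tag here moves from "commerce_purchase" to "commerce_subscriptions", yet the unchanged description still presents the article as the workflow "used when you buy Microsoft business products and services". Worth confirming the new tag is the intended one, since manage-partners.md moves in the opposite direction in this same batch.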
commerce Use A Promo Code https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/use-a-promo-code.md
audience: Admin + ms.localizationpriority: medium - Tier1
commerce Use Cost Mgmt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/use-cost-mgmt.md
audience: Admin + ms.localizationpriority: medium - Tier1
- Adm_O365 - Adm_TOC -- commerce_subscriptions
+- commerce_billing
- AdminTemplateSet search.appverid: MET150 description: "Learn how to use the cost management feature in the Microsoft 365 admin center to view, analyze, and manage costs for your organization."
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
This article provides solutions to help address the sign-on issues.
**Sign in failed:** *Unexpected error, try later* **Message:**
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
Search for "SSH" related security recommendations to find SSH vulnerabilities th
You can use advanced hunting queries to gain visibility on discovered devices. Find details about discovered devices in the DeviceInfo table, or network-related information about those devices, in the DeviceNetworkInfo table. ### Query discovered devices details
security Device Timeline Event Flag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md
The Defender for Endpoint device timeline helps you research and investigate ano
- Process tree experience ΓÇô event side panel:
- :::image type="content" source="images/event-side-panel.png" alt-text="Screenshot of the event side panel." lightbox="images/event-side-panel.png":::
+ :::image type="content" source="media/event-side-panel.png" alt-text="Screenshot of the event side panel." lightbox="media/event-side-panel.png":::
- All MITRE techniques are shown when there's more than one related technique:
security Exclude Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exclude-devices.md
You can choose to exclude a single device or multiple devices at the same time.
1. Go to the **Device inventory** page and select the device to exclude. 2. Select **Exclude** from the action bar on the device inventory page or from the actions menu in the device flyout.
- ![Image of exclude device menu option.](images/exclude-devices-menu.png)
+ ![Image of exclude device menu option.](media/exclude-devices-menu.png)
3. Select a justification:
You can choose to exclude a single device or multiple devices at the same time.
4. Type a note and select **Exclude device**.
-![Image of exclude device.](images/exclude-device.png)
+![Image of exclude device.](media/exclude-device.png)
You can also exclude a device from its device page.
Excluded devices are still visible in the Device inventory list. You can manage
- Adding the **Exclusion state** column to the device inventory view. - Using the **Exclusion state** filter to view the relevant list of devices.
-![Image of exclusion state.](images/exclusion-state.png)
+![Image of exclusion state.](media/exclusion-state.png)
### Bulk device exclusion
You can also choose to exclude multiple devices at the same time:
If you select multiple devices in the device list with different exclusion statuses, the exclude selected devices flyout will provide you details on how many of the selected devices are already excluded. You can exclude the devices again, but the justification and notes will be overridden.
-![Image of bulk exclude](images/exclude-device-bulk.png)
+![Image of bulk exclude](media/exclude-device-bulk.png)
Once a device is excluded, if you go to the device page of an excluded device, you won't be able to see data for discovered vulnerabilities, software inventory or security recommendations. The data also won't show up in vulnerability management pages, related advanced hunting tables and the vulnerable devices report.
You'll be able to stop excluding a device at any time. Once devices are no longe
1. Go to the Device inventory, select the excluded device to open the flyout, and then select **Exclusion details** 2. Select **Stop exclusion**
-![Image of exclusion details](images/exclusion-details.png)
+![Image of exclusion details](media/exclusion-details.png)
## See also
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
Title: Create indicators for files-+ description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities. ms.localizationpriority: medium Previously updated : 08/10/2022 Last updated : 03/20/2024 audience: ITPro
There are three ways you can create indicators for files:
- By creating a contextual indicator using the add indicator button from the file details page - By creating an indicator through the [Indicator API](ti-indicator.md)
+> [!NOTE]
+> For this feature to work on Windows Server 2016 and Windows Server 2012 R2, those devices must be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).
+> Custom file indicators with the Allow, Block and Remediate actions are now also available in the [enhanced antimalware engine capabilities for macOS and Linux](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enhanced-antimalware-engine-capabilities-for-linux-and-macos/ba-p/3292003).
+ ## Before you begin
-It's important to understand the following prerequisites prior to creating indicators for files:
+Understand the following prerequisites before you create indicators for files:
-- This feature is available if your organization uses **Microsoft Defender Antivirus (in active mode)** and **Cloud-based protection is enabled**. For more information, see [Manage cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).
+- This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode)
+- [Behavior Monitoring is enabled](/microsoft-365/security/defender-endpoint/behavior-monitor)
-- The Antimalware client version must be 4.18.1901.x or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions)
+- [Cloud-based protection is turned on](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).
-- Supported on devices with Windows 10, version 1703 or later, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2022.
-
- > [!NOTE]
- > Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016) for this feature to work.
- > Custom file indicators with the Allow, Block and Remediate actions are now also available in the [enhanced antimalware engine capabilities for macOS and Linux](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enhanced-antimalware-engine-capabilities-for-linux-and-macos/ba-p/3292003).
+- [Cloud Protection network connectivity is functional](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)
-- To start blocking files, you first need to [turn on the "block or allow" feature](advanced-features.md) in Settings.
+- The Antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions)
-This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over time.
+- This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, or Windows Server 2022.
+
+- In `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\`, the file hash computation feature should be set to **Enabled**
+
+- To start blocking files, [turn on the "block or allow" feature](advanced-features.md) in Settings (in the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**).
+
+This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including `.exe` and `.dll` files. Coverage is extended over time.
> [!IMPORTANT] > In Defender for Endpoint Plan 1 and Defender for Business, you can create an indicator to block or allow a file. In Defender for Business, your indicator is applied across your environment and cannot be scoped to specific devices.
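Review bot: The supported-OS bullet added to the prerequisites lists "Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, or Windows Server 2022"; "Windows Server 2016 or later" already covers 2019 and 2022, so either drop "or later" or drop the two explicit entries. The new bullets are also punctuated inconsistently: the cloud-based protection bullet ends with a period while the Microsoft Defender Antivirus, Behavior Monitoring, network connectivity and file hash computation bullets do not. The removed sentence tied "Microsoft Defender Antivirus (in active mode)" and "Cloud-based protection is enabled" together with "and"; now that they are separate bullets with Behavior Monitoring between them, say in the lead-in that all of the listed prerequisites must be met.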
This feature is designed to prevent suspected malware (or potentially malicious
3. Select **Add item**. 4. Specify the following details:
- - Indicator - Specify the entity details and define the expiration of the indicator.
- - Action - Specify the action to be taken and provide a description.
- - Scope - Define the scope of the device group (scoping isn't available in [Defender for Business](../defender-business/mdb-overview.md)).
- > [!NOTE]
- > Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2
+
+ - Indicator: Specify the entity details and define the expiration of the indicator.
+ - Action: Specify the action to be taken and provide a description.
+ - Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](../defender-business/mdb-overview.md)).
+
+ > [!NOTE]
+ > Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2
5. Review the details in the Summary tab, then select **Save**.
One of the options when taking [response actions on a file](respond-file-alerts.
Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
-## Public Preview: Alerting on file blocking actions
+## Alerting on file blocking actions (preview)
> [!IMPORTANT] > Information in this section (**Public Preview for Automated investigation and remediation engine**) relates to prerelease product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Choose if to Generate an alert on the file block event and define the alerts set
> > For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see [Configure file hash computation feature on Linux](linux-preferences.md#configure-file-hash-computation-feature) and [Configure file hash computation feature on macOS](mac-preferences.md#configure-file-hash-computation-feature).
-## Public Preview: Advanced hunting capabilities
+## Advanced hunting capabilities (preview)
> [!IMPORTANT] > Information in this section (**Public Preview for Automated investigation and remediation engine**) relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-You can query the response action activity in advance hunting. Below is a sample advance hunting query:
+Currently in preview, you can query the response action activity in advance hunting. Below is a sample advance hunting query:
```console search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
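Review bot: The added sentence keeps "advance hunting" in both places ("query the response action activity in advance hunting" and "sample advance hunting query") although the renamed heading directly above it reads "Advanced hunting capabilities (preview)"; change both to "advanced hunting". The new opener "Currently in preview" repeats what the heading and the IMPORTANT callout already state and can be dropped. While this passage is being touched, the unchanged line that follows the query says "thread names" where "threat names" is meant.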
Below are other thread names that can be used in the sample query from above:
Files: -- EUS:Win32/CustomEnterpriseBlock!cl-- EUS:Win32/CustomEnterpriseNoAlertBlock!cl
+- `EUS:Win32/CustomEnterpriseBlock!cl`
+- `EUS:Win32/CustomEnterpriseNoAlertBlock!cl`
Certificates: -- EUS:Win32/CustomCertEnterpriseBlock!cl
+- `EUS:Win32/CustomCertEnterpriseBlock!cl`
The response action activity can also be viewable in the device timeline. ## Policy conflict handling
-Cert and File IoC policy handling conflict will follow the below order:
--- If the file isn't allowed by Windows Defender Application Control and AppLocker enforce mode policy/policies, then **Block**-- Else if the file is allowed by the Microsoft Defender Antivirus exclusion, then **Allow**-- Else if the file is blocked or warned by a block or warn file IoC, then **Block/Warn**-- Else if the file is blocked by SmartScreen, then **Block**--- Else if the file is allowed by an allow file IoC policy, then **Allow**--- Else if the file is blocked by ASR rules, CFA, AV, then **Block**
+Cert and File IoC policy handling conflicts follow this order:
-- Else **Allow** (passes Windows Defender Application Control & AppLocker policy, no IoC rules apply to it)
+1. If the file isn't allowed by Windows Defender Application Control and AppLocker enforce mode policies, then **Block**.
+2. Else, if the file is allowed by the Microsoft Defender Antivirus exclusions, then **Allow**.
+3. Else, if the file is blocked or warned by a block or warn file IoCs, then **Block/Warn**.
+4. Else, if the file is blocked by SmartScreen, then **Block**.
+5. Else, if the file is allowed by an allow file IoC policy, then **Allow**.
+6. Else, if the file is blocked by attack surface reduction rules, controlled folder access, or antivirus protection, then **Block**.
+7. Else, **Allow** (passes Windows Defender Application Control & AppLocker policy, no IoC rules apply to it).
> [!NOTE]
-> In situations when Microsoft Defender Antivirus is set to **Block**, but Defender for Endpoint - Indicators - File hash or Certificate is set to **Allow**, the policy will default to **Allow**.
+> In situations when Microsoft Defender Antivirus is set to **Block**, but Defender for Endpoint indicators for file hash or certificates are set to **Allow**, the policy defaults to **Allow**.
-If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure (meaning longer) hash will be applied. For example, an SHA-256 file hash IoC policy will win over an MD5 file hash IoC policy if both hash types define the same file.
+If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure (meaning longer) hash is applied. For example, an SHA-256 file hash IoC policy takes precedence over an MD5 file hash IoC policy if both hash types define the same file.
> [!WARNING] > Policy conflict handling for files and certs differ from policy conflict handling for domains/URLs/IP addresses.
-Microsoft Defender Vulnerability Management's block vulnerable application features uses the file IoCs for enforcement and will follow the above conflict handling order.
+Microsoft Defender Vulnerability Management's block vulnerable application features uses the file IoCs for enforcement and follows the conflict handling order described earlier in this section.
### Examples
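Review bot: Step 3 of the new numbered list reads "blocked or warned by a block or warn file IoCs", which pairs a singular article with a plural noun; step 5 uses "an allow file IoC policy", so "a block or warn file IoC policy" would keep the two parallel. The NOTE under the list only spells out the Microsoft Defender Antivirus **Block** versus indicator **Allow** case. Because step 2 places Microsoft Defender Antivirus exclusions ahead of the block or warn indicators in step 3, a matching sentence stating that an exclusion takes precedence over a block indicator would make that consequence explicit for admins who rely on block indicators. In the last changed paragraph, "block vulnerable application features uses" carries over a subject-verb mismatch from the old text.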
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
This article describes how to deploy Microsoft Defender for Endpoint on Linux ma
- [Prerequisites and system requirements](#prerequisites-and-system-requirements) - [Configure the Linux software repository](#configure-the-linux-software-repository)
- - [RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma)](#rhel-and-variants-centos-fedora-oracle-linux-amazon-linux-2-rocky-and-alma-1)
+ - [RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky, and Alma)](#rhel-and-variants-centos-fedora-oracle-linux-amazon-linux-2-rocky-and-alma-1)
- [SLES and variants](#sles-and-variants-1) - [Ubuntu and Debian systems](#ubuntu-and-debian-systems-1) - [Mariner](#mariner)
Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/inst
|For Alma 8.4 and higher|<https://packages.microsoft.com/config/alma/8/prod.repo>| |For Alma 9.2 and higher|<https://packages.microsoft.com/config/alma/9/prod.repo>| |For RHEL/Centos/Oracle 9.0-9.8|<https://packages.microsoft.com/config/rhel/9/prod.repo>|
- |For RHEL/Centos/Oracle 8.0-8.8|<https://packages.microsoft.com/config/rhel/8/prod.repo>|
+ |For RHEL/Centos/Oracle 8.0-8.9|<https://packages.microsoft.com/config/rhel/8/prod.repo>|
|For RHEL/Centos/Oracle 7.2-7.9 & Amazon Linux 2 |<https://packages.microsoft.com/config/rhel/7.2/prod.repo>| |For Amazon Linux 2023 |<https://packages.microsoft.com/config/amazonlinux/2023/prod.repo>| |For Fedora 33|<https://packages.microsoft.com/config/fedora/33/prod.repo>|
Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/inst
sudo apt-get install gpg ```
- If `gpg` is not available, then install `gnupg`.
+ If `gpg` isn't available, then install `gnupg`.
```bash sudo apt-get install gnupg
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | su
## Application installation
-### RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma)
+### RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky, and Alma)
```bash sudo yum install mdatp
Download the onboarding package from Microsoft Defender portal.
> [!NOTE] > To onboard a device that was previously offboarded you must remove the mdatp_offboard.json file located at /etc/opt/microsoft/mdatp.
- If you're running RHEL 8.x or Ubuntu 20.04 or higher, you'll need to use `python3`.
+ If you're running RHEL 8.x or Ubuntu 20.04 or higher, you need to use `python3`.
```bash sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py ```
- For the rest of distros and versions, you'll need to use `python`.
+ For the rest of distros and versions, you need to use `python`.
```bash sudo python MicrosoftDefenderATPOnboardingLinuxServer.py
Download the onboarding package from Microsoft Defender portal.
curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt ```
- - The file should have been quarantined by Defender for Endpoint on Linux. Use the following command to list all the detected threats:
+ - The file should be quarantined by Defender for Endpoint on Linux. Use the following command to list all the detected threats:
```bash mdatp threat list
The following external package dependencies exist for the mdatp package:
The mde-netfilter package also has the following package dependencies: -- For DEBIAN the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0"-- For RPM the mde-netfilter package requires "libmnl", "libnfnetlink", "libnetfilter_queue", "glib2"-- For Mariner the mde-netfilter package requires "libnfnetlink", "libnetfilter_queue"
+- For DEBIAN, the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0"
+- For RPM, the mde-netfilter package requires "libmnl", "libnfnetlink", "libnetfilter_queue", "glib2"
+- For Mariner, the mde-netfilter package requires "libnfnetlink", "libnetfilter_queue"
If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies.
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
search.appverid: met150 Previously updated : 12/18/2020 Last updated : 3/20/2024 # Deploy Microsoft Defender for Endpoint on Linux with Ansible
Create a subtask or role files that contribute to a playbook or task.
In the following commands, replace *[distro]* and *[version]* with the information you've identified. > [!NOTE]
- > In case of Oracle Linux and Amazon Linux 2, replace *[distro]* with "rhel". For Amazon Linux 2, replace *[version]* with "7". For Oracle utilize, replace *[version]* with the version of Oracle Linux.
+ > In case of Oracle Linux and Amazon Linux 2, replace *[distro]* with "rhel". For Amazon Linux 2, replace *[version]* with "7". For Oracle Linux, replace *[version]* with the version of Oracle Linux.
```bash - name: Add Microsoft APT key
security Linux Support Ebpf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-ebpf.md
You can also update the mdatp_managed.json file:
Refer to the link for detailed sample json file - [Set preferences for Microsoft Defender for Endpoint on Linux.](linux-preferences.md) > [!IMPORTANT] > If you disable eBPF, the supplementary event provider switches back to auditd.
-> In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules. You can also check the status of eBPF (enabled/disabled) on your linux endpoints using the advanced hunting query on the Security Portal. Steps are as follows-
+> In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules.
+
+You can also check the status of eBPF (enabled/disabled) on your linux endpoints using advanced hunting in the Microsoft Defender Portal. Steps are as follows:
1. Go to the [Microsoft Defender portal](https://security.microsoft.com) and sign in.
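Review bot: The sentence moved out of the IMPORTANT callout writes "linux endpoints" in lowercase and "Microsoft Defender Portal" with a capital P, while the step that follows links "Microsoft Defender portal"; use "Linux" and "portal" to match. The callout line that stays keeps "is not supported" next to "doesn't become enabled", where the other articles in this change set move to contractions.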
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
search.appverid: met150 Previously updated : 02/29/2024 Last updated : 03/20/2024 # Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 1 and Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender for Endpoint on macOS.
-
+This article provides some general steps that can be used to narrow down performance issues related to Defender for Endpoint on macOS.
-Depending on the applications that you're running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender for Endpoint on macOS. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender for Endpoint on macOS.
+Depending on the applications that you're running and your device characteristics, you might experience suboptimal performance when running Microsoft Defender for Endpoint on macOS. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint on macOS.
> [!WARNING]
-> Before starting, please make sure that other security products are not currently running on the device. Multiple security products may conflict and impact the host performance.
+> Before you perform the procedures described in this article, make sure that other security products are not currently running on the device. Multiple security products can conflict and impact the host performance.
-## Troubleshoot performance issues using Real-time Protection Statistics
+## Troubleshoot performance issues using real-time protection statistics
**Applies to:** -- Only performance issues related to AV (wdavdaemon_unpriviliged)
+- Only performance issues related to Microsoft Defender Antivirus (`wdavdaemon_unpriviliged`).
Real-time protection (RTP) is a feature of Defender for Endpoint on macOS that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
-The following steps can be used to troubleshoot and mitigate these issues:
+Prerequisites:
-1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender for Endpoint on macOS is contributing to the performance issues.
+- Microsoft Defender for Endpoint version (Platform Update) 100.90.70 or newer
+- If you have [Tamper protection](tamperprotection-macos.md) turned on in block mode, use [Troubleshooting mode](mac-troubleshoot-mode.md) to capture real-time-protection-statistics. Otherwise, you will get null results.
- If your device is not managed by your organization, real-time protection can be disabled using one of the following options:
+To troubleshoot and mitigate such issues, follow these steps:
- - From the user interface. Open Microsoft Defender for Endpoint on macOS and navigate to **Manage settings**.
+1. Disable real-time protection by using one of the methods in the following table, and then observe whether performance improves. This approach helps narrow down whether Microsoft Defender for Endpoint on macOS is contributing to the performance issues.
- :::image type="content" source="images/mdatp-36-rtp.png" alt-text=" The Manage real-time protection page" lightbox="images/mdatp-36-rtp.png":::
+ | Device management | Method |
+ ||--|
+ | Device isn't managed by organization | **User interface**: Open Microsoft Defender for Endpoint on macOS and navigate to **Manage settings**. |
+ | Device isn't managed by organization | **Terminal**: In Terminal, run the following command: `mdatp config real-time-protection --value disabled` |
+ | Device is managed by organization | See [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md). |
- - From the Terminal. For security purposes, this operation requires elevation.
+ If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, contact customer support for further instructions and mitigation.
- ```bash
- mdatp config real-time-protection --value disabled
- ```
+2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
- If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md).
+3. This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
- If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, please contact customer support for further instructions and mitigation.
+ ```bash
+ mdatp health --field real_time_protection_enabled
+ ```
-2. Open Finder and navigate to **Applications** \> **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
+ Verify that the **real_time_protection_enabled** entry is *true*. Otherwise, run the following command to enable it:
-3. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on Mac.
+ ```bash
+ mdatp config real-time-protection --value enabled
+ ```
-> [!NOTE]
-> This feature is available in version 100.90.70 or newer.
-> This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line:
+ ```output
+ Configuration property updated
+ ```
+
+4. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on macOS. Run the following command:
+
+ ```bash
+ mdatp config real-time-protection-statistics --value enabled.
+ ```
+
+ This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
+
+ ```bash
+ mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json
+ ```
+
+ > [!NOTE]
+ > Using `--output json` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity.
+
+5. On your Mac system, download the sample Python parser `high_cpu_parser.py` using the command:
-> [!TIP]
-> If you have [Tamper Protection in block mode](/microsoft-365/security/defender-endpoint/tamperprotection-macos), you need to use [Troubleshooting mode](/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode) to capture real-time-protection-statistics. Otherwise, you will get null results.
-
-```bash
-mdatp config real-time-protection-statistics --value enabled
- ```
+ ```bash
+ curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py
+ ```
-This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
+ The output of this command should be similar to the following:
-```bash
-mdatp health --field real_time_protection_enabled
-```
+ ```Output
+ --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.
+ mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 1020 [text/plain]
+ Saving to: 'high_cpu_parser.py'
+ 100%[===========================================>] 1,020 --.-K/s in
+ 0s
+ ```
-Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it:
+6. Type the following commands:
-```bash
-mdatp config real-time-protection --value enabled
-```
+ ```bash
+ chmod +x high_cpu_parser.py
+ ```
-```output
-Configuration property updated
-```
+ ```bash
+ cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log
+ ```
- To collect current statistics, run:
+ The output should be a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is the process name, and the last column is the number of scanned files, sorted by impact. Here's an example:
-```bash
-mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json
-```
+ ```output
+ ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10
+ 27432 None 76703
+ 73467 actool 1249
+ 73914 xcodebuild 1081
+ 73873 bash 1050
+ 27475 None 836
+ 1 launchd 407
+ 73468 ibtool 344
+ 549 telemetryd_v1 325
+ 4764 None 228
+ 125 CrashPlanService 164
+ ```
+
+7. To improve the performance of Defender for Endpoint on Mac, locate the one with the highest number under the **Total files scanned** row, and then add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on macOS](mac-exclusions.md).
+
+ > [!NOTE]
+ > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
+
+7. Configure Microsoft Defender for Endpoint on macOS with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+
+ See [Configure and validate exclusions for Microsoft Defender for Endpoint on macOS](mac-exclusions.md).
+
+## Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer
+
+The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, logs, and diagnostic information in order to troubleshoot performance issues on [onboarded devices](/microsoft-365/security/defender-endpoint/onboard-configure) on macOS.
+
+To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md).
> [!NOTE]
-> Using **--output json** (note the double dash) ensures that the output format is ready for parsing.
-The output of this command will show all processes and their associated scan activity.
+>
+> - The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
+> - As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming that the issue still persists before investigating further.
++
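Review bot: In the new step 4 the command `mdatp config real-time-protection-statistics --value enabled.` has a trailing period inside the code block, so a reader who copies it passes `enabled.` as the value; remove the period. In the same step, the sentence introducing `mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json` is a copy of step 3's "To check the status of real-time protection" text, whereas the removed lead-in "To collect current statistics, run:" described that command correctly and should be restored. The procedure ends with two items numbered 7 that both tell the reader to add exclusions, and the first of them refers to a **Total files scanned** row although the sample output is described as three unlabeled columns (PID, process name, number of scanned files); merge the two items and match the wording to the output. The sample download output wraps the URL as "microsoft." and spells the path "linus", and the closing note links `linux-whatsnew.md` for updating the agent from a macOS article.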
security Microsoft Defender Antivirus Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md
Title: Microsoft Defender Antivirus security intelligence and product updates
description: Manage how Microsoft Defender Antivirus receives protection and product updates. ms.localizationpriority: high Previously updated : 03/12/2024 Last updated : 03/20/2024 audience: ITPro
All our updates contain
#### Known issues -- None
+- For [device control](device-control-overview.md) customers using removable media policies with disk/device-level access only (masks that include the values 1, 2, 3, 4, and 7), enforcement might not work as expected. In such situations, we recommend customers roll back to the previous version of the Defender platform.
### January-2024 (Platform: 4.18.24010.12 | Engine: 1.1.24010.10)
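Review bot: The new known-issue bullet tells device control customers to "roll back to the previous version of the Defender platform" but gives neither the version to return to nor a link to the rollback procedure, so an admin hitting broken removable-media enforcement has to work out both. Add the target platform version and a link to the rollback steps. It would also help to say what "might not work as expected" means for masks 1, 2, 3, 4, and 7: if a deny policy can silently stop being enforced, state that, because it decides how urgently the rollback is needed.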
security Onboarding Endpoint Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md
Below are more steps to verify whether attack surface reduction rules are correc
4. Select **Configuration** tab in Attack surface reduction rules reports. It shows attack surface reduction rules configuration overview and attack surface reduction rules status on each device.
- :::image type="content" source="images/f91f406e6e0aae197a947d3b0e8b2d0d.png" alt-text="The attack surface reduction rules reports1" lightbox="images/f91f406e6e0aae197a947d3b0e8b2d0d.png":::
+ :::image type="content" source="media/f91f406e6e0aae197a947d3b0e8b2d0d.png" alt-text="The attack surface reduction rules reports1" lightbox="media/f91f406e6e0aae197a947d3b0e8b2d0d.png":::
5. Select each device shows configuration details of attack surface reduction rules.
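Review bot: The image line is re-pathed from images/ to media/ but keeps the alt text "The attack surface reduction rules reports1", which tells a screen-reader user nothing about what the screenshot shows. Since the line is being touched anyway, replace it with a description of the Configuration tab view that step 4 refers to. The unchanged step 5 directly below ("Select each device shows configuration details") is also ungrammatical and could be fixed in the same pass.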
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
Title: Understand and use attack surface reduction-+ description: Learn about the attack surface reduction capabilities of Microsoft Defender for Endpoint.
- m365-security - tier2 - mde-asr Previously updated : 01/16/2023 Last updated : 03/20/2024 search.appverid: met150
To configure attack surface reduction in your environment, follow these steps:
1. [Enable hardware-based isolation for Microsoft Edge](/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
-2. [Enable attack surface reduction rules](attack-surface-reduction-rules-deployment.md)
+2. [Enable attack surface reduction rules](attack-surface-reduction-rules-deployment.md).
3. Enable application control. 1. Review base policies in Windows. See [Example Base Policies](/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies).+ 2. See the [Windows Defender Application Control design guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide).+ 3. Refer to [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). 4. [Enable controlled folder access](enable-controlled-folders.md).
-5. Enable [removable storage protection](device-control-overview.md)
+5. Enable [removable storage protection](device-control-overview.md).
6. [Turn on network protection](enable-network-protection.md).
-7. Enable [Web protection](web-protection-overview.md)
+7. Enable [Web protection](web-protection-overview.md).
8. [Enable exploit protection](enable-exploit-protection.md). 9. Set up your network firewall. 1. Get an overview of [Windows Firewall with advanced security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security).+ 2. Use the [Windows Firewall design guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide) to decide how you want to design your firewall policies.+ 3. Use the [Windows Firewall deployment guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide) to set up your organization's firewall with advanced security. > [!TIP]
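Review bot: The added periods make the list punctuation consistent, but steps 5 and 7 still leave the verb outside the link ("Enable [removable storage protection]", "Enable [Web protection]") while steps 2, 4, 6 and 8 put the whole instruction inside it. Pick one pattern for the list. "Web protection" is also capitalized mid-sentence where the other feature names are lowercase.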
You can also manually navigate to the event area that corresponds to the feature
#### Import an existing XML custom view 1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):
- - Controlled folder access events custom view: *cfa-events.xml*
- - Exploit protection events custom view: *ep-events.xml*
- - Attack surface reduction events custom view: *asr-events.xml*
- - Network/ protection events custom view: *np-events.xml*
+
+ - Controlled folder access events custom view: *cfa-events.xml*
+ - Exploit protection events custom view: *ep-events.xml*
+ - Attack surface reduction events custom view: *asr-events.xml*
+ - Network/ protection events custom view: *np-events.xml*
2. Type **event viewer** in the Start menu and open **Event Viewer**. 3. Select **Action** \> **Import Custom View...** > [!div class="mx-imgBorder"]
- > ![Animation highlighting Import custom view on the left of the Even viewer window.](images/events-import.gif)
+ > ![Animation highlighting Import custom view on the left of the Even viewer window.](media/events-import.gif)
4. Navigate to where you extracted the XML file for the custom view you want and select it.
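Review bot: The re-indented file list carries over "Network/ protection events custom view" with a stray slash and space; this should read "Network protection events custom view" to match the np-events.xml name next to it. The image line changed in this hunk also keeps the alt-text typo "Even viewer window", which should be "Event Viewer window".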
You can also manually navigate to the event area that corresponds to the feature
2. On the left panel, under **Actions**, select **Create Custom View...** > [!div class="mx-imgBorder"]
- > ![Animation highlighting the create custom view option on the Event viewer window.](images/events-create.gif)
+ > ![Animation highlighting the create custom view option on the Event viewer window.](media/events-create.gif)
3. Go to the XML tab and select **Edit query manually**. You see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**.
All attack surface reduction events are located under **Applications and Service
You can access these events in Windows Event viewer: 1. Open the **Start** menu and type **event viewer**, and then select the **Event Viewer** result.+ 2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
-3. Double-click on the sub item to see events. Scroll through the events to find the one you're looking.
- ![Animation showing using Event Viewer.](images/event-viewer.gif)
+3. Double-click on the sub item to see events. Scroll through the events to find the one you're looking.
-<br>
+ ![Animation showing using Event Viewer.](media/event-viewer.gif)
-****
|Feature|Provider/source|Event ID|Description| |||::||
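Review bot: The rewritten step 3 still ends "find the one you're looking." and is missing "for". With the `<br>` and `****` lines removed, confirm that the table beginning at |Feature|Provider/source|Event ID|Description| still has a blank line above it so that it renders as a table, since step 2 sends readers to its Provider/source column to locate the right log.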
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
attack surface reduction rule events can be viewed within the Windows Defender l
To access it, open Windows Event Viewer, and browse to **Applications and Services Logs** \> **Microsoft** \> **Windows** \> **Windows Defender** \> **Operational**. ## Microsoft Defender Antimalware Protection Logs
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
For more information on command-line parameters and options, see the [New-MpPerf
Based on the query, the user is able to view data for scan counts, duration (total/min/average/max/median), path, process, and **reason for scan**. The following image shows sample output for a simple query of the top 10 files for scan impact. ## Additional functionality: exporting and converting to CSV and JSON
security Audit Log Search Defender Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/audit-log-search-defender-portal.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
## What do you need to know before you begin? - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations \ Security data \ Security data basics (read)**.
- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Compliance Management** role groups. - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator** or **Compliance Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.
security Outbound Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-policies-configure.md
You can configure outbound spam policies in the Microsoft Defender portal or in
- **Notifications** section: Use the settings in the section to configure additional recipients who should receive copies and notifications of suspicious outbound email messages:
- - **Send a copy of suspicious outbound that exceed these limits to these users and groups**: This setting adds the specified recipients to the Bcc field of suspicious outbound messages.
+ - **Send a copy of suspicious outbound that exceed these limits to these users and groups**: This setting adds the specified recipients to the Bcc field of suspicious outbound messages that were marked as spam, phishing, or malware.
> [!NOTE] > This setting works only in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.
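Review bot: The added clause "that were marked as spam, phishing, or malware" narrows the description, but the setting label on the same line speaks of messages "that exceed these limits". State explicitly whether a copy is sent only when a message both exceeds the limits and receives one of those verdicts, or when either condition is met. Admins who use this Bcc copy to monitor outbound abuse need to know which messages will not reach the monitoring mailbox.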