+> Administrative options for an active user under the OneDrive tab in the Microsoft 365 admin center are currently not supported for multi-geo tenants.

+ Profile videos are stored in a userΓÇÖs OneDrive for Business, in the **Apps\Microsoft People Cards Service\Live Persona Card** folder.

+ No, if a user deletes their profile video it can't be recovered.

+## March 2023

+- **Mobile threat defense (preview) is added to Defender for Business**. The ability to [onboard iOS and Android devices](../security/defender-business/mdb-onboard-devices.md) to the standalone version of Defender for Business is now in preview! These capabilities provide OS-level threat and vulnerability management, web protection, and app security to help you and employees stay more secure on the go. See [Mobile threat defense capabilities in Microsoft Defender for Business](../security/defender-business/mdb-mtd.md).

+- **Monthly security summary report (preview) is added to Defender for Business** (preview). The new monthly security summary report shows how secure your organization is across identity, devices, information, and apps. You can view threats detected (and blocked) by Defender for Business together with your current status from Microsoft Secure Score. Recommendations to improve your security are also provided. See [Reports in Microsoft Defender for Business](../security/defender-business/mdb-reports.md).

+- **Device exposure score is now visible in Microsoft 365 Lighthouse** (preview). Microsoft Cloud Solution Providers (CSPs) who are using [Microsoft 365 Lighthouse](../lighthouse/m365-lighthouse-overview.md) can now view and manage device exposure scores across customer tenants. These capabilities enable partners to discover which customers' devices are at risk because of vulnerabilities. See [Microsoft 365 Lighthouse and Microsoft Defender for Business](../security/defender-business/mdb-lighthouse-integration.md).

+- **Attack surface reduction capabilities are rolling out**. [Attack surface reduction capabilities in Defender for Business](../security/defender-business/mdb-asr.md) include attack surface reduction rules and a new attack surface reduction rules report. Attack surface reduction rules target certain behaviors that are considered risky because they're commonly abused by attackers through malware. In the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)), you can now view a report showing detections and configuration information for attack surface reduction rules. In the navigation pane, choose **Reports**, and under **Endpoints**, choose **Attack surface reduction rules**.

+- [Onboard mobile devices using the Microsoft Defender app](#onboard-mobile-devices-using-the-microsoft-defender-app) (Mobile threat defense capabilities are currently in preview!)

+- [What about servers?](#what-about-servers)

+## Onboard mobile devices using the Microsoft Defender app

+If you have opted in to receive preview features, you can now onboard Android and iOS devices using the Microsoft Defender app. With [mobile threat defense capabilities in Defender for Business](../security/defender-business/mdb-mtd.md), users download the Microsoft Defender app from Google Play or the Apple App Store, sign in, and complete onboarding steps.

+For detailed instructions, see the **Mobile devices** tab in [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md).

+To learn more about mobile threat defense, see [Mobile threat defense capabilities in Microsoft Defender for Business](../security/defender-business/mdb-mtd.md).

+After the command has run, the Command Prompt window closes automatically. If successful, the detection test is marked as completed, and a new alert appears in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device in about ten minutes.

+The following screenshot shows a summary of the label settings when you create the Product Specification retention label in the Microsoft Purview compliance portal. You can create the *Product Cessation* event type before you create the retention label, or during. See the procedure in the following section.

+

+1. On the **Define the retention period** page of the Create retention label configuration, after **Start the retention period based on**, select **Create new event type**:

+ 

+4. Back on the **Define the retention period** page, for **Start the retention period based on**, use the dropdown box to select the **Product Cessation** event type that you created.

+5. On the **Choose what happens during the retention period** page, select **Mark items as a record**.

+6. On the **Choose what happens after the retention period** page, keep the default of **Delete items automatically**.

+6. On the **Review and finish** page, select **Create label**. On the next page when you see the options to publish the label, auto-apply the label, or just save the label: Select **Do Nothing**, and then select **Done**.

+2. In the Create auto-labeling policy configuration, on the **Name your auto-labeling policy** page, enter a name such as **Auto-apply Product Specification label**, and an optional description. Then select **Next**.

+ [  ](../media/spo-scenario-policy-conditions.png#lightbox)

+5. On the **Choose the type of retention policy to create** page, select **Static**.

+6. On the **Choose where to automatically apply the label** page, you select the content locations that you want to apply the policy to. For this scenario, we apply the policy only to **SharePoint classic and communication sites**. Toggle the status for **Exchange mailboxes**, **OneDrive accounts**, and **Microsoft 365 Group mailboxes & sites** to **Off**:

+ 

+ > Instead of applying the policy to all SharePoint sites, you can select **Edit** for the **Included** column, and add the URLs for specific SharePoint sites.

+8. On the **Decide whether to test or run your policy** page, keep the default of **Turn on policy**.

+9. Review your settings:

+ 

+Because the retention labels were auto-applied to documents, those documents are protected from deletion because the retention label was configured to mark items as records. As an example of this protection, we get the following error message when we try to delete one of these documents:

+Select the event to view the details on the flyout pane. Notice that even though the event is created, the event status shows that no SharePoint sites or documents have been processed.

+### Supported processors

+macOS devices with x64 and M1 (ARM64) processors are supported.

+- **Segments** are sets of groups or users that are defined in the compliance portal or by using PowerShell that uses selected group or user account attributes.

+- **Hidden/disabled user and guest accounts**. For hidden/disabled user and guest accounts in your organization, the *HiddenFromAddressListEnabled* parameter is automatically set to *True* when user accounts are hidden or disabled, or when a guest is created. When the organization mode is *Legacy* for IB-enabled organizations, these accounts are prevented from communicating with all other user accounts. Administrators can disable this default behavior by manually setting the *HiddenFromAddressListEnabled* parameter to *False*.

+ - **For organizations in *SingleSegment* or *MultiSegment* mode**: Information barriers is no longer based on Exchange Online Address Book Policies (ABPs). Organizations using ABPs won't have any impact to the existing ABPs when enabling information barriers.

+The Microsoft 365 Multi-Geo Capabilities add-on provides customers with the ability to expand their Microsoft 365 presence to multiple geographic regions or countries within a single existing Microsoft 365 _Tenant_. Multi-Geo enables customers to manage data-at-rest locations at a granular level for their users, SharePoint sites, Microsoft 365 Groups, and Microsoft Teams teams level. Multi-Geo is targeted to customers who have a need to store customer data in multiple geographies at the same time to satisfy their data residency requirements and whose needs may change over time.

+ Title: Microsoft Teams SMS notifications usage report

+audience: Admin

+f1.keywords:

+- NOCSH

+ms.localizationpriority: high

+search.appverid: MET150

+ - M365-collaboration

+ - m365-frontline

+ - m365initiative-meetings

+description: Learn how to use the SMS notifications usage report in the Microsoft Teams admin center to get an overview of SMS notifications usage in your organization.

+appliesto:

+ - Microsoft Teams

+ - Microsoft 365 for frontline workers

+# Microsoft Teams SMS notifications usage report

+ **This feature requires [Teams Premium](/microsoftteams/teams-add-on-licensing/licensing-enhance-teams).**

+The SMS notifications usage report in the Microsoft Teams admin center gives you an overview of SMS notifications usage in your organization.

+You can track key data for confirmation and reminder text messages sent to external attendees in virtual appointments scheduled by your staff. The report provides information such as date and time sent, notification type, delivery status, and distribution details.

+To access the report, you must be a Global admin, Teams admin, Global reader, or Report reader.

+## View the report

+1. In the left navigation of the Teams admin center, choose **Analytics & reports** > **Usage reports**. On the **View reports** tab, under **Report**, select **SMS notifications usage**.

+2. Under **Date range**, select a date range of 7 days, 30 days, or 90 days. Then, choose **Run report**.

+ The report contains the following information:

+

+ |Tab |Description |

+ |||

+ |**[Distribution](#distribution)** |Shows a breakdown of the number of SMS notifications sent in Bookings appointments and in Teams Electronic Health Record (EHR)-integrated appointments.|

+## Interpret the report

+Here's what you'll see on each tab of the report.

+### Distribution

+|Callout |Description |

+|--|-|

+|**1** |Each report has a date for when the report was generated. The reports usually reflect a 24 to 48-hour latency from time of activity. |

+|**2** |The X axis is the selected date range for the report, by month. The Y axis is the number of SMS notifications.<br>Hover over the dot on a given date to see the number of SMS notifications sent on that date.|

+|**3** |You can filter what you see on the chart by selecting an item. For example, select **SMS sent in EHR** or **SMS sent in Bookings** to see only the info related to each one. Changing this selection doesnΓÇÖt change the information in the table.|

+|**4** |The table gives you detailed information about each SMS notification that was sent during the selected date range. <ul><li>**Sent time (UTC)** is the date and time when the notification was sent.</li> <li>**Sent from** indicates the source of the notification.</li> <li>**SMS notification type** shows whether the notification is an appointment reminder or confirmation.</li> <li>**Product type** indicates whether the virtual appointment was scheduled through Bookings or the Teams EHR connector.</li> <li>**Status** shows the delivery status.</li></ul> |

+## Related articles

+- [Virtual Appointments usage report](virtual-appointments-usage-report.md)

+- [Advanced Virtual Appointments activity report](advanced-virtual-appointments-activity-report.md)

+- [Teams Premium licensing](/microsoftteams/teams-add-on-licensing/licensing-enhance-teams)

+You can use the [SMS notifications usage report](sms-notifications-usage-report.md) to gain insight into how your workforce is using SMS notifications with virtual appointments.

+ Title: "Overview of the Vulnerability management page in Microsoft 365 Lighthouse"

+f1.keywords: NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- Tier1

+- scotvorg

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolio

+- M365-Lighthouse

+search.appverid: MET150

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn about the Vulnerability management page."

+# Overview of the Vulnerability management page in Microsoft 365 Lighthouse

+Microsoft 365 Lighthouse provides a multi-tenant view of exposure score and recommendations from Microsoft Defender Vulnerability Management in Microsoft Defender for Business and Microsoft Defender for Endpoint. The exposure score from Microsoft Defender Vulnerability Management reflects how vulnerable tenants are to cybersecurity threats. Microsoft Defender Vulnerability Management helps proactively identify and build a secure foundation for devices through the remediation of software vulnerabilities and misconfigurations in customer environments.

+To learn more about vulnerability management, see [What is Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management).

+You can access the Vulnerability management page in Lighthouse from the **Microsoft Defender for Business exposure score** card on the **Home** page or from the left navigation pane by selecting **Devices** > **Vulnerability management**. You'll see a multi-tenant view of the exposure and vulnerabilities detected for all tenants that have devices onboarded to Microsoft Defender for Business or Microsoft Defender for Endpoint.

+## Overview tab

+The overview tab provides multi-tenant insights into the exposure score, the number of exposed devices, vulnerabilities, and recommendations for tenants to lower their exposure. You can filter the list by exposure score, tenant name, or tenant tag. Select a tenant from the list to be taken to the Vulnerability Management dashboard page for that tenant in the Microsoft 365 Defender portal. To export exposure score data to an Excel comma-separated values (.csv) file, select **Export**.

+## Related content

+[What is Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management) (article)\

+[Exposure score in Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score) (article)\

+[Overview of the Device security page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-device-security-overview) (article)

+| **[Defender for Business](mdb-overview.md)** (standalone) | **Antivirus, antimalware, and ransomware protection for devices**<br/>- [Next-generation protection](../defender-endpoint/microsoft-defender-antivirus-in-windows-10.md) (antivirus/antimalware protection on devices together with cloud protection)<br/>- [Attack surface reduction](../defender-endpoint/overview-attack-surface-reduction.md) (network protection, firewall, and attack surface reduction rules) (see note 1 below)<br/>- [Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) (behavior-based detection and manual response actions)<br/>- [Automated investigation and response](../defender/m365d-autoir.md) (with self-healing for detected threats)<br/>- [Microsoft Defender Vulnerability Management](mdb-view-tvm-dashboard.md) (view exposed devices and recommendations)<br/>- [Cross-platform support for devices](mdb-onboard-devices.md) (Windows, Mac, iOS, and Android) (see note 2 below)<br/>- [Centralized management and reporting](mdb-get-started.md) (Microsoft 365 Defender portal)<br/>- [APIs for integration](../defender-endpoint/management-apis.md) (for Microsoft partners or your custom tools and apps) |

+| **[Microsoft 365 Business Premium](../../business-premium/index.md)** | **Defender for Business plus productivity and additional security capabilities**<br/>- [Microsoft 365 Business Standard](../../admin/admin-overview/what-is-microsoft-365-for-business.md) (Office apps and services, and Microsoft Teams)<br/>- [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (device onboarding and management)<br/>- [Shared computer activation](/deployoffice/overview-shared-computer-activation) (for deploying Microsoft 365 Apps)<br/>- [Windows 10/11 Business](../../business-premium/m365bp-upgrade-windows-10-pro.md) (upgrade from previous versions of Windows Pro)<br/>- [Windows Autopilot](/mem/autopilot/windows-autopilot) (for setting up and configuring Windows devices)<br/>- [Exchange Online Protection](../office-365-security/eop-about.md) (antiphishing, antispam, antimalware, and spoof intelligence for email)<br/>- [Microsoft Defender for Office 365 Plan 1](/microsoft-365/security/office-365-security/defender-for-office-365) (advanced antiphishing, real-time detections, Safe Attachments, and Safe Links)<br/>- [Auto-expanding archiving](../../compliance/autoexpanding-archiving.md) (for email)<br/>- [Azure Active Directory Premium Plan 1](/azure/active-directory/fundamentals/active-directory-whatis) (identity management)<br/>- [Azure Information Protection Premium Plan 1](/azure/information-protection/what-is-information-protection) (protection for sensitive information)<br/>- [Azure Virtual Desktop](/azure/virtual-desktop/overview) (centrally managed, secure virtual machines in the cloud) |

+> [!NOTE]

+> 1. Microsoft Intune is required to modify or customize attack surface reduction rules. Intune can be added on to the standalone version of Defender for Business. Intune is included in Microsoft 365 Business Premium.

+>

+> 2. You can use *either* mobile threat defense (preview) *or* Microsoft Intune to onboard iOS and Android devices. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+|[Centralized management](../defender-endpoint/manage-atp-post-migration.md)<br/>(see note 1 below) | :::image type="icon" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md) <br/>(see note 2 below)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) <br/>(see note 3 below) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Automated investigation and response](../defender-endpoint/automated-investigations.md) <br/>(see note 4 below) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: ||:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Threat hunting](../defender-endpoint/advanced-hunting-overview.md) and six months of data retention | | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Threat analytics](../defender-endpoint/threat-analytics.md) <br/>(see note 5 below) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>Windows, Mac, iOS, and Android OS<br/>(For Windows Server and Linux, see note 6 below) |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included" border="false":::|

+> [!NOTE]

+> 1. Onboard and manage devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or by using Microsoft Intune ([https://intune.microsoft.com](https://intune.microsoft.com)).

+>

+> 2. Intune is required to configure and manage [ASR rules](../defender-endpoint/attack-surface-reduction.md).

+>

+> 3. Endpoint detection and response (EDR) capabilities in Defender for Business include behavior-based detection and the following manual response actions:

+>

+> - Run antivirus scan

+> - Isolate device

+> - Add an indicator to block or allow a file

+>

+> 4. In Defender for Business, automated investigation and response is turned on by default, tenant wide. Turning off automated investigation and response affects real-time protection. See [Review settings for advanced features](mdb-configure-security-settings.md#review-settings-for-advanced-features).

+>

+> 5. In Defender for Business, threat analytics are optimized for small and medium-sized businesses.

+>

+> 6. To onboard servers, another license is required. See the following articles:

+>

+> - [Onboard devices to Defender for Business](mdb-onboard-devices.md)

+> - [Onboard devices and configure Microsoft Defender for Endpoint capabilities](../defender-endpoint/onboard-configure.md)

+ Title: Mobile threat defense capabilities in Microsoft Defender for Business

+description: Get an overview of mobile threat defense in Defender for Business. Learn about what's included and how to onboard devices.

+ms.localizationpriority: medium

+- SMB

+- m365-security

+- m365-initiative-defender-business

+- tier1

+search.appverid: MET150

+f1.keywords: NOCSH

+audience: Admin

+# Mobile threat defense capabilities in Microsoft Defender for Business

+Microsoft Defender for Business provides advanced threat protection capabilities for devices, such as Windows and Mac clients. **Defender for Business capabilities now include mobile threat defense (preview)**! Mobile threat defense capabilities help protect Android and iOS devices, without requiring you to use Microsoft Intune to onboard mobile devices.

+In addition, mobile threat defense capabilities integrate with [Microsoft 365 Lighthouse](../../lighthouse/m365-lighthouse-overview.md), where Cloud Solution Providers (CSPs) can view information about vulnerable devices and help mitigate detected threats.

+## What's included in mobile threat defense?

+The following table summarizes the capabilities that are included in mobile threat defense (preview) in Defender for Business:

+| Capability | Android | iOS |

+|:|:|:|

+| **Web Protection** <br/>Anti-phishing, blocking unsafe network connections, and support for custom indicators. <br/>Web protection is turned on by default with [web content filtering](mdb-configure-security-settings.md#set-up-web-content-filtering). | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: |

+| **Malware protection** (Android-only) <br/>Scanning for malicious apps. | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | No |

+| **Jailbreak detection** (iOS-only) <br/>Detection of jailbroken devices. | No | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: |

+| **Microsoft Defender Vulnerability Management**<br/>Vulnerability assessment of onboarded mobile devices. Includes vulnerability assessments for operating systems and apps for Android and iOS. <br/>See [Use your vulnerability management dashboard in Microsoft Defender for Business](mdb-view-tvm-dashboard.md). | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | See note 1 (below) |

+| **Network Protection** <br/>Protection against rogue Wi-Fi related threats and rogue certificates. <br/>Network protection is turned on by default with [next-generation protection](mdb-configure-security-settings.md#view-or-edit-your-next-generation-protection-policies). <br/>As part of mobile threat defense, network protection also includes the ability to allow root certification authority and private root certification authority certificates in Intune. It also establishes trust with endpoints. | See note 2 (below) | See note 2 (below) |

+| **Unified alerting** <br/>Alerts from all platforms are listed in the unified Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, choose **Incidents**). <br/>See [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md) | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included checkmark."::: |

+| **Conditional Access** and **conditional launch** <br/>[Conditional Access](/mem/intune/protect/conditional-access) and [conditional launch](/mem/intune/apps/app-protection-policies-access-actions) block risky devices from accessing corporate resources.<br/>- Conditional Access policies require certain criteria to be met before a user can access company data on their mobile device. <br/>- Conditional launch policies enable your security team to block access or wipe devices that don't meet certain criteria.<br/>Defender for Business risk signals can also be added to app protection policies. | Requires Intune <br/>(see note 3 below) | Requires Intune <br/>(see note 3 below) |

+| **Privacy controls** <br/>Configure privacy in threat reports by controlling the data sent by Defender for Business. Privacy controls are available for admin and end users, and for both enrolled and unenrolled devices. | Requires Intune (see note 3 below) | Requires Intune (see note 3 below) |

+| **Integration with Microsoft Tunnel** <br/>Integration with [Microsoft Tunnel](/mem/intune/protect/microsoft-tunnel-overview), a VPN gateway solution for Intune. | Requires Intune VPN Tunnel <br/>(see note 4 below) | Requires Intune VPN Tunnel <br/>(see note 4 below) |

+> [!NOTE]

+> 1. Intune is required for software/app vulnerabilities to be reported. Operating system vulnerabilities are included by default.

+>

+> 2. Intune is required to configure or manage an allow list of root certification authority and private root certification authority certificates.

+>

+> 3. Intune is included in [Microsoft 365 Business Premium](../../business-premium/index.md). Intune can be added on to Defender for Business.

+>

+> 4. See [Prerequisites for the Microsoft Tunnel in Intune](/mem/intune/protect/microsoft-tunnel-prerequisites).

+>

+## How to get mobile threat defense capabilities

+Mobile threat defense capabilities are currently in preview for [Defender for Business](get-defender-business.md) customers. Here's how to get these capabilities for your organization:

+1. Make sure your organization has signed up to receive preview features for your tenant. See [Microsoft Defender for Business preview features](mdb-preview.md).

+2. Make sure that Defender for Business has finished provisioning. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Assets** > **Devices**.

+ - If you see a message that says, "Hang on! We're preparing new spaces for your data and connecting them," it means that Defender for Business hasn't finished provisioning. This process is happening now, and can take up to 24 hours to complete.

+ - If you see a list of devices, or you're prompted to onboard devices, it means Defender for Business provisioning has completed.

+3. Review, and if necessary, edit your [next-generation protection policies](mdb-configure-security-settings.md#view-or-edit-your-next-generation-protection-policies).

+4. Review, and if necessary, edit your [firewall policies and custom rules](mdb-configure-security-settings.md#view-or-edit-your-firewall-policies-and-custom-rules).

+5. Review, and if necessary, edit your [web content filtering](mdb-configure-security-settings.md#set-up-web-content-filtering) policy.

+6. To onboard mobile devices, see the "Use the Microsoft Defender app" procedures in [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+## See also

+- [Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md)

+- [View and edit security policies and settings in Microsoft Defender for Business](mdb-configure-security-settings.md)

+- [What's new in Microsoft 365 Business Premium and Microsoft Defender for Business](../../business-premium/m365bp-mdb-whats-new.md)

+ - **Mobile** (new capabilities are in preview for iOS and Android devices!)

+ - **Servers** (Windows Server or Linux Server)

+3. [View a list of onboarded devices](#view-a-list-of-onboarded-devices).

+4. [Run a phishing test on a device](#run-a-phishing-test-on-a-device).

+5. Proceed to your [next steps](#next-steps).

+> For more information, see [Microsoft Defender for Business requirements](mdb-requirements.md).

+After the command runs, the Command Prompt window closes automatically. If successful, the detection test is marked as completed, and a new alert appears in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device within about 10 minutes.

+When you run the local script on Mac, it creates a trust with Azure Active Directory if that trust doesn't already exist. It enrolls the Mac in Microsoft Intune if it isn't already enrolled, and then onboards the Mac to Defender for Business. We recommend that you onboard up to 10 devices at a time using this method.

+9. You're prompted to allow installation of a driver from Microsoft (either "System Extension Blocked" or "Installation is on hold", or both). You must allow the driver installation: Select **Open Security Preferences** or **Open System Preferences** > **Security & Privacy**, and then select **Allow**.

+## [**Mobile devices**](#tab/mobiles)

+## Mobile devices

+You can use the following methods to onboard mobile devices, such as Android and iOS devices:

+- [Use the Microsoft Defender app (preview)](#use-the-microsoft-defender-app-preview)

+- [Use Microsoft Intune](#use-microsoft-intune)

+### Use the Microsoft Defender app (preview)

+[Mobile threat defense capabilities](mdb-mtd.md) are now available to Defender for Business customers who have opted in to receive [preview](mdb-preview.md) features. With these capabilities, you can now onboard mobile devices (such as Android and iOS) by using the Microsoft Defender app. With this method, users download the app from Google Play or the Apple App Store, sign in, and complete onboarding steps.

+> [!IMPORTANT]

+> Make sure that all of the following requirements are met before onboarding mobile devices:

+> 1. Your organization has signed up to receive preview features for your tenant. See [Microsoft Defender for Business preview features](mdb-preview.md).

+> 2. Defender for Business has finished provisioning. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Assets** > **Devices**.<br/>- If you see a message that says, "Hang on! We're preparing new spaces for your data and connecting them," it means that Defender for Business hasn't finished provisioning. This process is happening now, and can take up to 24 hours to complete. <br/>- If you see a list of devices, or you're prompted to onboard devices, it means Defender for Business provisioning has completed.

+> 3. Users have downloaded the Microsoft Authenticator app on their device, and have registered their device using their work or school account for Microsoft 365.

+| Device | Procedure |

+|:|:|

+| Android | 1. On the device, go to the Google Play store.<br/><br/>2. If you haven't already done so, download and install the Microsoft Authenticator app. Sign in, and register your device in the Microsoft Authenticator app. <br/><br/>3. In the Google Play store, search for the Microsoft Defender app. <br/><br/>4. On the app page, scroll down and select **Join the beta** > **Join**.<br/><br/>5. Wait for the process to complete. It might take a few hours for the process of joining the beta program to complete. You'll see text that says, “Joining the beta…”<br/><br/>6. After you've enrolled into the beta, verify that the beta version of the app looks like `1.0.xxxx.0201`, and then install the app.<br/><br/>7. Open the app, sign in, and complete the onboarding process. |

+| iOS | 1. On the device, go to the Apple App Store. <br/><br/>2. If you haven't already done so, download and install the Microsoft Authenticator app. Sign in, and register your device in the Microsoft Authenticator app.<br/><br/>3. In the Apple App Store, search for the Microsoft Defender app.<br/><br/>4. Sign in and install the app. <br/><br/>5. Agree to the terms of use to continue. <br/><br/>6. Allow the Microsoft Defender app to set up a VPN connection and add VPN configurations. <br/><br/>7. Choose whether to allow notifications (such as alerts). |

+> [!TIP]

+> After you have onboarded mobile devices using the Microsoft Defender app, proceed to [run a phishing test on a device](#run-a-phishing-test-on-a-device).

+### Use Microsoft Intune

+If your subscription includes Microsoft Intune, you can use it to onboard mobile devices, such as Android and iOS/iPadOS devices. See the following resources to get help enrolling these devices into Intune:

+- [Enroll Android devices](/mem/intune/enrollment/android-enroll)

+- [Enroll iOS or iPadOS devices](/mem/intune/enrollment/ios-enroll)

+After a device is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

+> [!NOTE]

+> The standalone version of Defender for Business does not include the Intune license that is required to onboard iOS and Android devices in the Intune admin center. However, if your tenant is receiving [preview features](mdb-preview.md), you can now use the [Microsoft Defender app method](#use-the-microsoft-defender-app-preview). Or, you can add Intune to your Defender for Business subscription. Intune is included in Microsoft 365 Business Premium.

+ If you select **Windows Server 2012 R2 and 2016**, you have two packages to download and run: an installation package and an onboarding package. The installation package contains an MSI file that installs the Defender for Business agent. The onboarding package contains the script to onboard your Windows Server endpoint to Defender for Business.

+After the command runs, the Command Prompt window will close automatically. If successful, the detection test is marked as completed, and a new alert appears in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device within about 10 minutes.

+## View a list of onboarded devices

+To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, go to **Assets** > **Devices**.

+## Run a phishing test on a device

+After you've onboarded a device, you can run a quick phishing test to make sure the device is connected and that alerts are generated as expected.

+1. On a device, go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net). Defender for Business should block that URL on the user's device.

+2. As a member of your organization's security team, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+3. In the navigation pane, go to **Incidents**. You should see an informational alert that indicates a device tried to access a phishing site.

+## What's included with Defender for Business?

+Defender for Business includes a full range of device protection capabilities, as shown in the following diagram:

+ - [Learn about new mobile threat defense capabilities (preview)](mdb-mtd.md).

+Several reports are available in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). These reports enable your security team to view information about detected threats, device status, and more.

+This article describes these reports, how you can use them, and how to find them.

+## Monthly security summary (preview)

+The monthly security summary report (currently in preview) shows:

+- Threats that were detected and prevented by Defender for Business, so you can see how the service is working for you.

+- Your current status from [Microsoft Secure Score](../defender/microsoft-secure-score.md), which gives you an indication of your organization's security posture.

+- Recommended actions you can take to improve your score and your security posture.

+To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Monthly Security Summary**.

+## License report

+The license report provides information about licenses your organization has purchased and is using.

+To access this report, in the navigation pane, choose **Settings** > **Endpoints** > **Licenses**.

+## Security report

+The security report provides information about your company's identities, devices, and apps.

+To access this report, in the navigation pane, choose **Reports** > **General** > **Security report**.

+> [!TIP]

+> You can view similar information on the home page of your Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).

+## Threat protection report

+The threat protection report provides information about alerts and alert trends.

+- Use the **Alert trends** column to view information about alerts that were triggered over the last 30 days.

+- Use the **Alert status** column to view current snapshot information about alerts, such as categories of unresolved alerts and their classification.

+To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Threat protection**.

+## Incidents view

+You can use the **Incidents** list to view information about alerts. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md).

+To access this report, in the navigation pane, choose **Incidents** to view and manage current incidents.

+## Device health report

+The device health report provides information about device health and trends. You can use this report to determine whether Defender for Business sensors are working correctly on devices and the current status of Microsoft Defender Antivirus.

+To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device health**.

+## Device inventory list

+You can use the **Devices** list to view information about your company's devices. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md).

+To access this report, in the navigation pane, go to **Assets** > **Devices**.

+## Vulnerable devices report

+The vulnerable devices report provides information about devices and trends.

+- Use the **Trends** column to view information about devices that had alerts over the last 30 days.

+- Use the **Status** column to view current snapshot information about devices that have alerts.

+To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Vulnerable devices**.

+## Web protection report

+The web protection report shows attempts to access phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that are explicitly blocked. Categories of blocked sites include adult content, leisure sites, legal liability sites, and more.

+To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Web protection**.

+> [!NOTE]

+> If you haven't yet configured web protection for your company, choose the **Settings** button in a report view. Then, under **Rules**, choose **Web content filtering**. To learn more about web content filtering, see [Web content filtering](../defender-endpoint/web-content-filtering.md).

+## Firewall report

+When firewall protection is configured, the firewall report shows blocked inbound, outbound, and app connections. This report also shows remote IPs connected by multiple devices, and remote IPs with the most connection attempts.

+To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Firewall**.

+> [!NOTE]

+> If your firewall report has no data, it might be because you haven't configured your firewall protection yet. In the navigation pane, choose **Endpoints** > **Configuration management** > **Device configuration**. To learn more, see [Firewall in Defender for Business](mdb-firewall.md).

+## Device control report

+The device control report shows information about media usage, such as the use of removable storage devices in your organization.

+To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device control**.

+## Attack surface reduction rules report

+The attack surface reduction rules report has three tabs:

+- **Detections** to show blocked or audited detections;

+- **Configuration** enabling you to filter on standard protection rules or additional attack surface reduction rules; and

+- **Add exclusions** enabling you to define exclusions, if needed.

+To learn more, see [Attack surface reduction capabilities in Microsoft Defender for Business](mdb-asr.md).

+To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Attack surface reduction rules**.

+| Subscription | Microsoft 365 Business Premium or Defender for Business (standalone). <br/>See [How to get Defender for Business](get-defender-business.md). |

+| Browser | Microsoft Edge or Google Chrome |

+| Client computer operating system | To manage devices in the Microsoft 365 Defender portal, your devices must be running one of the following operating systems: <br/>- Windows 10 or 11 Business <br/>- Windows 10 or 11 Professional <br/>- Windows 10 or 11 Enterprise <br/>- Mac (the three most-current releases are supported) <br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on the Windows devices. |

+| Mobile devices | To onboard mobile devices, such as iOS or Android OS, you can use [Mobile threat defense capabilities (preview)](mdb-mtd.md) or Microsoft Intune (see note 1 below).<br/><br/>For more details about onboarding devices, including requirements for mobile threat defense (preview), see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |

+| Server license | To onboard a device running Windows Server or Linux Server, you'll need an additional license, such as [Microsoft Defender for Business servers](get-defender-business-servers.md) (see note 2 below). |

+| Additional server requirements | Windows Server endpoints must meet the [requirements for Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements#hardware-and-software-requirements), and enforcement scope must be turned on.<br/>1. In the Microsoft 365 Defender portal, go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. <br/>2. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**. <br/>3. Select **Save**.<br/><br/>Linux Server endpoints must meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites). |

+> 1. Microsoft Intune is not included in the standalone version of Defender for Business, but Intune can be added on. Intune is included in Microsoft 365 Business Premium.

+>

+> 2. To onboard servers, we recommend using [Microsoft Defender for Business servers](get-defender-business-servers.md). Alternately, you could use [Microsoft Defender for Servers Plan 1 or Plan 2](/azure/defender-for-cloud/plan-defender-for-servers). To learn more, see [What happens if I have a mix of Microsoft endpoint security subscriptions?](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions) and [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+>

+> 3. [Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/active-directory-whatis) is used to manage user permissions and device groups. Azure AD is included in your Defender for Business subscription.

+> - If you don't have a Microsoft 365 subscription before you start your trial, Azure AD will be provisioned for you during the activation process.

+> - If you do have another Microsoft 365 subscription when you start your Defender for Business trial, you can use your existing Azure AD service.

+> 4. Security defaults are included in Defender for Business. If you prefer to use Conditional Access policies instead, you'll need Azure AD Premium Plan 1 (included in [Microsoft 365 Business Premium](../../business-premium/index.md)). To learn more, see [Multi-factor authentication](../../business-premium/m365bp-conditional-access.md).

+ :::image type="content" source="../../medib-device-inventory.png" alt-text="Screenshot of device inventory":::

+ Title: Add or remove a tag for a machine

+# Add or remove a tag for a machine

+Adds or removes a tag for a specific [Machine](machine.md).

+Here is an example of a request that adds a machine tag.

+ Title: Add or remove a tag for multiple machines

+description: Learn how to use the Add or Remove machine tags API to add or remove a tag for multiple devices in Microsoft Defender for Endpoint.

+keywords: apis, graph api, supported apis, tags, machine tags

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier3

+search.appverid: met150

+# Add or remove a tag for multiple machines

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+## API description

+Adds or removes a tag for the specified set of machines.

+## Limitations

+1. You can post on machines last seen according to your configured retention period.

+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

+3. We can add or remove tag a for up to 500 machines per API call.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md).

+Permission type|Permission|Permission display name

+:|:|:

+Application|Machine.ReadWrite.All|'Read and write all machine information'

+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'

+> [!NOTE]

+> When obtaining a token using user credentials:

+>

+> - The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information).

+> - The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information).

+## HTTP request

+```http

+POST https://api.securitycenter.microsoft.com/api/machines/AddOrRemoveTagForMultipleMachines

+```

+## Request headers

+Name|Type|Description

+:|:|:

+Authorization|String|Bearer {token}. **Required**.

+Content-Type|string|application/json. **Required**.

+## Request body

+In the request body, supply a JSON object with the following parameters:

+Parameter|Type|Description

+:|:|:

+Value|String|The tag name. **Required**.

+Action|Enum|Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.

+MachineIds|List (String)|List of machine ids to update. Required.|

+## Response

+If successful, this method returns 200 - Ok response code and the updated machines in the response body.

+## Example Request

+Here is an example of a request that adds a tag to multiple machines.

+```http

+POST https://api.securitycenter.microsoft.com/api/machines/AddOrRemoveTagForMultipleMachines

+```

+```json

+{

+ "Value" : "Tag",

+ "Action": "Add",

+ "MachineIds": ["34e83ca3feea4dae2353006ba389262c033a025e",

+ "2a398439b4975924e87a65943972bc702469b329",

+ "a610c00c65fdf79960cc0077d9d8c569d23f09a5"]

+}

+```

+To remove machine tags, set the Action to 'Remove' instead of 'Add' in the request body.

+Microsoft Defender Antivirus is installed as a core part of Windows 10 and 11, and is included in Windows Server 2016 and later (Windows Server 2012 requires Microsoft Defender for Endpoint). You can manage and report on Microsoft Defender Antivirus using one of several tools, such as:

+- [Microsoft Intune](#microsoft-intune)

+- [Configuration Manager](#configuration-manager)

+- [PowerShell](#powershell)

+- [Group Policy and Azure Active Directory](#powershell)

+- [Windows Management Instrumentation](#windows-management-instrumentation)

+This article describes these options for deployment, management, and reporting.

+## Microsoft Intune

+With Intune, you can manage device security through policies, such as a policy to configure Microsoft Defender Antivirus and other security capabilities in Defender for Endpoint. To learn more, see [Use policies to manage device security](/mem/intune/protect/endpoint-security#use-policies-to-manage-device-security).

+For reporting, you can choose from several options:

+- [Use the Microsoft 365 Defender portal](../defender/microsoft-365-defender-portal.md), which includes a [device inventory list](/microsoft-365/security/defender-endpoint/machines-view-overview). To access the device inventory, in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)), go to **Assets** > **Devices**. The device inventory list displays onboarded devices along with their health state and risk level.

+- [Manage devices with Intune](/mem/intune/remote-actions/device-management), which includes the ability to view detailed information about devices and take action. [Available actions](/mem/intune/remote-actions/device-management#available-device-actions) include starting an antivirus scan, restarting a device, locating a device, wiping a device, and more.

+## Configuration Manager

+With Configuration Manager, you can manage security and malware on Configuration Manager client computers. Use the [Endpoint Protection point site system role](/mem/configmgr/protect/deploy-use/endpoint-protection-site-role) and [enable Endpoint Protection with custom client settings](/mem/configmgr/protect/deploy-use/endpoint-protection-configure-client). You can use [default and customized antimalware policies](/microsoft-365/security/office-365-security/anti-malware-policies-configure).

+For reporting, you can choose from several options:

+- [Use the Microsoft 365 Defender portal](../defender/microsoft-365-defender-portal.md), which includes a [device inventory list](/microsoft-365/security/defender-endpoint/machines-view-overview). To access the device inventory, in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)), go to **Assets** > **Devices**. The device inventory list displays onboarded devices along with their health state and risk level.

+- [Use Intune to view device details](/mem/intune/remote-actions/device-inventory).

+- Use the default [Configuration Manager Monitoring workspace](/mem/configmgr/apps/deploy-use/monitor-applications-from-the-console).

+- [Create email alerts](/configmgr/protect/deploy-use/endpoint-configure-alerts).

+- If your organization has Defender for Endpoint, you can also use the [Microsoft 365 Defender portal](../defender/microsoft-365-defender-portal.md), which includes a [device inventory list](/microsoft-365/security/defender-endpoint/machines-view-overview). To access the device inventory, in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)), go to **Assets** > **Devices**. The device inventory list displays onboarded devices along with their health state and risk level.

+## PowerShell

+You can use PowerShell with Group Policy or Configuration Manager to manage Microsoft Defender Antivirus on client devices. You can also use PowerShell to manage Microsoft Defender Antivirus manually on individual devices that are not managed by a security team.

+- Use the appropriate [Get- cmdlets available in the Defender module](/powershell/module/defender).

+- Use the [Set-MpPreference](/powershell/module/defender/set-mppreference) and [Update-MpSignature](/powershell/module/defender/update-mpsignature) cmdlets that are available in the Defender module.

+For reporting, you can choose from the following options:

+- [Use the Microsoft 365 Defender portal](../defender/microsoft-365-defender-portal.md), which includes a [device inventory list](/microsoft-365/security/defender-endpoint/machines-view-overview). To access the device inventory, in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)), go to **Assets** > **Devices**. The device inventory list displays onboarded devices along with their health state and risk level.

+- [Use Intune to view device details](/mem/intune/remote-actions/device-inventory).

+- Use the default [Configuration Manager Monitoring workspace](/mem/configmgr/apps/deploy-use/monitor-applications-from-the-console).

+## Group Policy and Azure Active Directory

+You can use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled. Use Group Policy Objects (GPOs) to [configure update options for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus) and [configure Windows Defender features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features).

+For reporting, keep in mind that device reporting isn't available with Group Policy.

+- You can generate a list of Group Policies to determine if any settings or policies aren't applied.

+- If your organization has Defender for Endpoint, you can also use the [Microsoft 365 Defender portal](../defender/microsoft-365-defender-portal.md), which includes a [device inventory list](/microsoft-365/security/defender-endpoint/machines-view-overview). To access the device inventory, in the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)), go to **Assets** > **Devices**. The device inventory list displays onboarded devices along with their health state and risk level.

+## Windows Management Instrumentation

+With Windows Management Instrumentation (WMI), you can manage Microsoft Defender Antivirus with Group Policy or Configuration Manager. You can also use WMI to manage Microsoft Defender Antivirus manually on individual devices that aren't managed by a security team.

+- Use the [Set method of the MSFT_MpPreference class](/previous-versions/windows/desktop/defender/set-msft-mppreference) and the [Update method of the MSFT_MpSignature class](/previous-versions/windows/desktop/defender/update-msft-mpsignature).

+- Use the [MSFT_MpComputerStatus](/previous-versions/windows/desktop/defender/msft-mpcomputerstatus) class and the get method of associated classes in the [Windows Defender WMIv2 Provider](/windows/win32/wmisdk/wmi-providers).

+For reporting, Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](/windows/whats-new/whats-new-windows-10-version-1507-and-1511). Also see [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).

+## See also

+- [Microsoft Defender Antivirus compatibility with other security products](microsoft-defender-antivirus-compatibility.md)

+- [Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md)

+- [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md)

+- [Monitor and report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md)

+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+- [Configure Defender for Endpoint on Android features](android-configure.md)

+- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+> **Performance tip** Due to a variety of factors, Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues. You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).

+keywords: Getting started with Microsoft 365 Defender, Microsoft Defender for Identity, MDI

+Microsoft Defender for Identity contributes identity focused information into the incidents and alerts that Microsoft 365 Defender presents. This information is key to providing context and correlating alerts from the other products within Microsoft 365 Defender.

+| Reports |Lateral movement path and passwords exposed in cleartext reports are covered by the [Identity security posture assessments](/defender-for-identity/security-assessment#assessment-reports) (ISPM)<br>Health issues are available in Settings -> Identities -> Health issues<br>Summary of alerts can be found by exporting the alerts queue or using Advanced Hunting (30 days of data)<br>Modification to sensitive groups can be found by using Advanced hunting<br>Customized reports can be created in Microsoft 365 Defender portal using Advanced hunting |

+Japan, Australia, New Zealand, Fiji, Canada, United Kingdom, South Korea, France, United Arab Emirates, South America, Switzerland, Liechtenstein, Norway, Germany, Brazil, Sweden, and Qatar.