Updates from: 03/26/2022 02:38:31
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Customer Lockbox Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-lockbox-requests.md
search.appverid:
- MET150 - MOE150
-description: "Learn about Customer Lockbox requests that allow you to control how a Microsoft support engineer can access your data when you run into an issue."
+description: "Learn about Customer Lockbox requests that allow you to control how a Microsoft support engineer can access your data when you encounter an issue."
# Customer Lockbox in Office 365
-This article provides deployment and configuration guidance for Customer Lockbox. Customer Lockbox supports requests to access data in Exchange Online, SharePoint Online, and OneDrive for Business. To recommend support for other services, submit a request at [Feedback Portal](https://feedbackportal.microsoft.com).
+This article provides deployment and configuration guidance for Customer Lockbox. Customer Lockbox supports requests to access data in Exchange Online, SharePoint Online, OneDrive for Business, and Teams. To recommend support for other services, submit a request at [Feedback Portal](https://feedbackportal.microsoft.com).
To see the options for licensing your users to benefit from Microsoft 365 compliance offerings, see the [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
-Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox brings you into the approval workflow process that Microsoft uses to ensure only authorized requests allow access to your content. To learn more about MicrosoftΓÇÖs workflow process, see [Privileged access management in Microsoft 365](privileged-access-management-solution-overview.md).
+Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox brings you into the approval workflow process that Microsoft uses to ensure only authorized requests allow access to your content. To learn more about Microsoft's workflow process, see [Privileged access management in Microsoft 365](privileged-access-management-solution-overview.md).
Occasionally, Microsoft engineers help troubleshoot and fix issues that arise with the service. Usually, engineers fix issues using extensive telemetry and debugging tools Microsoft has in place for its services. However, some cases require a Microsoft engineer to access your content to determine the root cause and fix the issue. Customer Lockbox requires the engineer to request access from you as a final step in the approval workflow. This gives you the option to approve or deny the request for your organization, and provide direct-access control to your content.
-### Customer Lockbox overview video
+## Customer Lockbox overview video
> [!VIDEO https://www.microsoft.com/videoplayer/embed/8fecf10b-1f03-4849-8b67-76d3d2a43f26?autoplay=false]
These steps outline the typical workflow when a Microsoft engineer starts a Cust
2. After the user troubleshoots the issue, but can't fix it, they open a support request with Microsoft Support.
-3. A Microsoft support engineer reviews the service request and determines a need to access the organization's tenant to repair the issue in Exchange Online.
+3. A Microsoft support engineer reviews the service request and determines a need to access the organization's tenant to repair the issue.
4. The Microsoft support engineer logs into the Customer Lockbox request tool and makes a data access request that includes the organization's tenant name, service request number, and the estimated time the engineer needs access to the data.
These steps outline the typical workflow when a Microsoft engineer starts a Cust
> [!IMPORTANT] > Microsoft does not include any links in Customer Lockbox email notifications requiring you to sign in to Office 365.
-7. After the approver from the organization approves the request, the Microsoft engineer receives the approval message, logs into the tenant in Exchange Online, and fixes the customer's issue. Microsoft engineers have the requested duration to fix the issue after which the access is automatically revoked.
+7. After the approver from the organization approves the request, the Microsoft engineer receives the approval message, logs into the tenant, and fixes the customer's issue. Microsoft engineers have the requested duration to fix the issue after which the access is automatically revoked.
> [!NOTE] > All actions performed by a Microsoft engineer are logged in the audit log. You can search for and review these audit records.
You can turn on Customer Lockbox controls in the Microsoft 365 admin center. Whe
1. Using a work or school account that has either the global administrator or the **Customer Lockbox access approver** role assigned, go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in.
-2. Choose **Settings** > **Org Settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2072756" target="_blank">**Security & Privacy**</a>.
+2. Choose **Settings** > **Org Settings** > **Security & Privacy**.
3. Select **Security & Privacy**, then select **Customer Lockbox** in the left column. Check the **Require approval for all data access requests** checkbox and save the changes to turn on the feature.
An alternative to using the audit search tool in the Microsoft 365 compliance ce
After you [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), run one of the following commands. Replace the placeholders with a specific date range.
-#### Search for Set-AccessToCustomerDataRequest activities
+Search for `Set-AccessToCustomerDataRequest` activities
```powershell Search-UnifiedAuditLog -StartDate xx/xx/xxxx -EndDate xx/xx/xxxx -Operations Set-AccessToCustomerDataRequest ```
-#### Search for activities performed by Microsoft engineers
+Search for activities performed by Microsoft engineers
```powershell Search-UnifiedAuditLog -StartDate xx/xx/xxxx -EndDate xx/xx/xxxx -UserIds "Microsoft Operator"
When a person in your organization approves or denies a Customer Lockbox request
| Activity | Set-AccessToCustomerDataRequest; this is the auditing activity that is logged when you approve or deny a Customer Lockbox request. | | Item | The Guid of the Customer Lockbox request |
-The following screenshot shows an example of an audit record that corresponds to an approved Customer Lockbox request. If a Customer Lockbox request was denied, then the value of **ApprovalDecision** parameter would be **Deny**.
+The following screenshot shows an example of an audit record that corresponds to an approved Customer Lockbox request. If a Customer Lockbox request was denied, then the value of `ApprovalDecision` parameter would be `Deny`.
![Audit record for an approved Customer Lockbox request.](../media/CustomerLockbox9.png)
The actions performed by a Microsoft engineer after a Customer Lockbox request i
## Frequently asked questions
-#### Which Microsoft 365 services does Customer Lockbox apply to?
+### Which Microsoft 365 services does Customer Lockbox apply to?
-Customer Lockbox is currently supported in Exchange Online, SharePoint Online, and OneDrive for Business.
+Customer Lockbox is currently supported in Exchange Online, SharePoint Online, OneDrive for Business, and Teams.
-#### Is Customer Lockbox available to all customers?
+### Is Customer Lockbox available to all customers?
Customer Lockbox is included with the Microsoft 365 or Office 365 E5 subscriptions and can be added to other plans with an Information Protection and Compliance or an Advanced Compliance add-on subscription. See [Plans and pricing](https://products.office.com/business/office-365-enterprise-e5-business-software) for more information.
-#### What is customer content?
+### What is customer content?
Customer content is the data created by users of Microsoft 365 services and applications. Examples of customer content include:
Customer content is the data created by users of Microsoft 365 services and appl
- Instant messages (IM) or voice conversations
+- Text entered in Teams chats and Teams channels, for example, 1:1 chats, group chats, shared channels, private channels, and meeting chat
+
+- Other data pasted into Teams chat threads, such as code snippets, images, audio and video messages, and links
+
+- App and bot data in Teams chats and Teams channels
+
+- Teams activity feed
+
+- Teams meeting recordings and transcripts
+
+- Voicemail
+
+- Files posted to Teams chats and Teams channels
+ - Customer-generated blob or structured storage data (for example, SQL Containers) - Customer-owned security information (for example, certificates, encryption keys, and passwords)
Customer content is the data created by users of Microsoft 365 services and appl
For more information about customer content in Office 365, see the [Office 365 Trust Center](https://products.office.com/business/office-365-trust-center-privacy/).
-#### Who is notified when there is a request to access my content?
+### Who is notified when there is a request to access my content?
Global administrators and anyone assigned the Customer Lockbox access approver admin role are notified. These are also the same users who can approve for Customer Lockbox requests.
-#### Who can approve or reject these requests in my organization?
+### Who can approve or reject these requests in my organization?
Global administrators and anyone assigned the Customer Lockbox access approver admin role can approve Customer Lockbox requests. Customers control these role assignments in their organizations.
-#### How do I opt in to Customer Lockbox?
+### How do I opt in to Customer Lockbox?
-A global administrator can enable and configure Customer Lockbox in the Microsoft 365 or <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
+A global administrator can enable and configure Customer Lockbox in the Microsoft 365 admin center.
-#### If I approve a Customer Lockbox request, what can the engineer do and how will I know what the Microsoft engineer did?
+### If I approve a Customer Lockbox request, what can the engineer do and how will I know what the Microsoft engineer did?
After you approve a Customer Lockbox request, the Microsoft engineer granted these necessary privileges to access customer content by using pre-approved cmdlets. Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible in the audit log in the Security & Compliance Center.
-#### How do I know that Microsoft follows the approval process?
+### How do I know that Microsoft follows the approval process?
You can cross-reference the email approval notifications sent to admins and approvers in your organization with the Customer Lockbox request history in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339). Customer Lockbox is included in the latest [SOC 1 SSAE 16 audit report](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide?command=Download&downloadType=Document&downloadId=91592749-e86a-43ac-801e-121382614681&docTab=4ce99610-c9c0-11e7-8c2c-f908a777fa4d_SOC%20%2F%20SSAE%2016%20Reports). For more details, you can find the latest reports in the [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide?command=Download&downloadType=Document&downloadId=91592749-e86a-43ac-801e-121382614681&docTab=4ce99610-c9c0-11e7-8c2c-f908a777fa4d_SOC%20%2F%20SSAE%2016%20Reports).
-#### Can Microsoft modify the list of approvers for my tenant? If not, how is it prevented?
+### Can Microsoft modify the list of approvers for my tenant? If not, how is it prevented?
Only a global administrator in your organization can specify who can approve Customer Lockbox requests. That means only the members of the Global administrator group in Azure Active Directory can specify who can approve request. Membership of the Global administrator group in Azure Active Directory is managed only by your organization.
-#### What if I need more information about a content access request to approve it?
+### What if I need more information about a content access request to approve it?
Each Customer Lockbox request contains a Microsoft 365 service request number. You can contact Microsoft Support and reference this service number to get more information about the request.
-#### When a Customer Lockbox request is approved, how long are the permissions valid?
+### When a Customer Lockbox request is approved, how long are the permissions valid?
Currently, the maximum period for the access permissions granted to the Microsoft engineer is 4 hours. The Microsoft engineer can also request a shorter period.
-#### How can I get a history of all Customer Lockbox requests?
+### How can I get a history of all Customer Lockbox requests?
All Customer Lockbox requests are viewed in the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339).
-#### How do I correlate the content access requests with the related audit logs?
+### How do I correlate the content access requests with the related audit logs?
The Compliance Center Activity Feed contains log activities of Customer Lockbox. Customers can cross-reference the Customer Lockbox log activities from the activity feed against the email request they receive.
-#### What happens when a customer doesn't respond to a Customer Lockbox request?
+### What happens when a customer doesn't respond to a Customer Lockbox request?
Customer Lockbox requests have a default duration of 12 hours. If you don't respond to a request within 12 hour, the request expires.
-#### What does Microsoft do when a customer rejects a Customer Lockbox request?
+### What does Microsoft do when a customer rejects a Customer Lockbox request?
If a customer rejects a Customer Lockbox request, no access to customer content occurs. If a user in your organization continues to experience a service issue requiring Microsoft to access customer content to resolve the issue, then the service issue might persist and Microsoft will inform the user about this.
-#### How do I set up alerts whenever a request has been approved?
+### How do I set up alerts whenever a request has been approved?
There is no built-in option to alert administrators. However, administrators can set up alerts using [Microsoft Defender for Cloud Apps](/cloud-app-security/getting-started-with-cloud-app-security#to-create-policies).
-#### Does Customer Lockbox protect against data requests from law enforcement agencies or other third parties?
+### Does Customer Lockbox protect against data requests from law enforcement agencies or other third parties?
No. Microsoft takes third-party requests for customer data seriously. As a cloud service provider, Microsoft always advocates for the privacy of customer data. In the event we get a subpoena, Microsoft always attempts to redirect the third party to the customer to obtain the information. (Read Brad Smith's blog: [Protecting customer data from government snooping](https://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/)). We periodically publish [detailed information](https://www.microsoft.com/corporate-responsibility/lerr) about the law enforcement requests that Microsoft receives. See the [Microsoft Trust Center](https://www.microsoft.com/trustcenter/default.aspx) regarding third-party data requests and the "Disclosure of Customer Data" section in the [Online Services Terms](https://www.microsoft.com/Licensing/product-licensing/products.aspx) for more information.
-#### How does Microsoft ensure that a member of its staff doesn't have standing access to customer content in Office 365 applications?
+### How does Microsoft ensure that a member of its staff doesn't have standing access to customer content in Office 365 applications?
-Microsoft implements extensive preventive measures through access control systems, and detective measures to identify and address attempts to circumvent these access control systems. Microsoft 365 operates with the principles of least privilege and just-in-time access. Therefore, no Microsoft personnel have permission to access customer content on an ongoing basis. If permission is granted, it is for a limited duration.
+Microsoft implements extensive preventive measures through access control systems, and detective measures to identify and address attempts to circumvent these access control systems. Microsoft 365 operates with the principles of least privilege and just-in-time access. Therefore, no Microsoft personnel have permission to access customer content on an ongoing basis. If permission is granted, it is for a limited duration.
Microsoft 365 uses an access control system called *Lockbox* to process requests for permissions that grant the ability to perform operational and administrative functions within the service. An operator must request access to customer content using Lockbox, which then requires a second person to take action on the request (for example, approve it) before access is granted. That second person can't be the requestor and must be designated to approve access to customer content. Only if the request is approved does the operator acquire temporary access to customer content. After the elevation period expires, Lockbox revokes access. Refer to the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) for more details about Microsoft general security practices.
-#### Under what circumstances do Microsoft engineers need access to my content?
+### Under what circumstances do Microsoft engineers need access to my content?
The most common scenario where Microsoft engineers need access customer content is when the customer makes a support request that requires access for troubleshooting. A foundational principle of Microsoft 365 is that the service operates without Microsoft access to customer content. Nearly all service operations performed by Microsoft are fully automated and human involvement is highly controlled and abstracted away from customer content. The goal for Microsoft 365 is access to customer content to support the service isn't needed until the customer approves a specific request for Microsoft access.
-#### I already thought my data was secure with the Microsoft cloud, so why do I need Customer Lockbox?
+### I already thought my data was secure with the Microsoft cloud, so why do I need Customer Lockbox?
Customer Lockbox provides an extra layer of control by offering customers the ability to give explicit access authorization for service operations. By demonstrating that procedures are in place for explicit data access authorization, Customer Lockbox also helps customers meet certain compliance obligations such as HIPAA and FEDRAMP.
compliance Dlp Chrome Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md
For detailed licensing guidance, see [Microsoft 365 licensing guidance for secur
- Your org must be licensed for Endpoint DLP - Your devices must be running Windows 10 x64 build 1809 or later.-- The device must have Antimalware Client Version is 4.18.2101.9 or later. Check your current version by opening **Windows Security** app, select the **Settings** icon, and then select **About**.
+- The device must have Antimalware Client Version is 4.18.2202.x or later. Check your current version by opening **Windows Security** app, select the **Settings** icon, and then select **About**.
### Permissions
If you are rolling out the Microsoft Compliance Extension to all your monitored
This is the recommended method.
-1. Sign in to the Windows 10 computer on which you want to install the Microsoft Compliance Extension on, and run this PowerShell script as an administrator.
+1. Navigate to [Microsoft Compliance Extension - Chrome Web Store (google.com)](https://chrome.google.com/webstore/detail/microsoft-compliance-exte/echcggldkblhodogklpincgchnpgcdco).
- ```powershell
- Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
- ```
-
-2. Navigate to [Microsoft Compliance Extension - Chrome Web Store (google.com)](https://chrome.google.com/webstore/detail/microsoft-compliance-exte/echcggldkblhodogklpincgchnpgcdco).
-
-3. Install the extension using the instructions on the Chrome Web Store page.
+2. Install the extension using the instructions on the Chrome Web Store page.
### Deploy using Microsoft Endpoint Manager Use this setup method for organization-wide deployments.
-##### Enabling Required Registry Value via Microsoft Endpoint Manager
-
-1. Create a PowerShell script with the following contents:
-
- ```powershell
- Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
- ```
-
-2. Sign in to the [Microsoft Endpoint Manager Admin Center](https://endpoint.microsoft.com).
-
-3. Navigate to **Devices** > **Scripts** and select **Add**.
-
-4. Browse to the location of the script created when prompted.
-
-5. Select the following settings:
- 1. Run this script using the logged-on credentials: NO
- 1. Enforce script signature check: NO
- 1. Run script in 64-bit PowerShell Host: YES
-
-6. Select the proper device groups and apply the policy.
- #### Microsoft Endpoint Manager Force Install Steps Before adding the Microsoft Compliance Extension to the list of force-installed extensions, it is important to ingest the Chrome ADMX. Steps for this process in Microsoft Endpoint Manager are documented by Google: [Manage Chrome Browser with Microsoft Intune - Google Chrome Enterprise Help](https://support.google.com/chrome/a/answer/9102677?hl=en#zippy=%2Cstep-ingest-the-chrome-admx-file-into-intune).
Before adding the Microsoft Compliance Extension to the list of force-installed
### Deploy using Group Policy
-If you don't want to use Microsoft Endpoint Manager, you can use group policies to deploy the Microsoft Compliance Extension across your organization
-
-1. Your devices must be manageable via Group Policy, and you need to import all Chrome ADMXs into the Group Policy Central Store. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
-
-2. Create a PowerShell script using this PowerShell command:
-
- ```powershell
- Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
- ```
-
-3. Open the **Group Policy Management Console** and navigate to your organizational unit (OU).
-
-4. Right-click and select **Create a GPO in this domain and Link it here**. When prompted, assign a descriptive name to this group policy object (GPO) and finish creating it.
-
-5. Right-click the GPO and select **Edit**.
-
-6. Go to **Computer Configuration** > **Preferences** > **Control Panel Settings** > **Scheduled Tasks**.
-
-7. Create a new immediate task by selecting right-clicking and selecting **New** > **Immediate Task (At least Windows 7)**.
-
-8. Give the task a name & description.
-
-9. Choose the corresponding account to run the immediate task, for example NT Authority
-
-10. Select **Run with highest privileges**.
-
-11. Configure the policy for Windows 10.
-
-12. In the **Actions** tab, select the action **Start a program**.
-
-13. Enter the path to the Program/Script created in Step 1.
-
-14. Select **Apply**.
+If you don't want to use Microsoft Endpoint Manager, you can use group policies to deploy the Microsoft Compliance Extension across your organization.
#### Adding the Chrome Extension to the ForceInstall List
compliance Dlp Teams Default Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-teams-default-policy.md
description: "Learn about the default data loss prevention policy in Microsoft T
[Data loss prevention](dlp-learn-about-dlp.md) capabilities have been extended to include Microsoft Teams chat and channel messages, including private channel messages. As a part of this release, we created a default DLP policy for Microsoft Teams for first-time customers to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft 365 compliance center</a>.
-## Applies to
-
-Any tenant who is licensed with one or more of the below licenses and have active Teams users
-
-- ME5, -- MA5, -- E5/A5 Compliance, -- IP+G, -- OE5, -- O365 Advanced Compliance -- EMS E5
+## Licensing
+For complete licensing information for DLP in Microsoft Teams, see [Information Protection: Data Loss Prevention for Teams](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection-data-loss-prevention-for-teams).
## What does the default policy do?
contentunderstanding Adoption Getstarted https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-getstarted.md
Title: "Microsoft SharePoint Syntex adoption: Get started"
-description: Learn how to use and implement SharePoint Syntex in your organization to help you solve your business problems.
--
+ Title: Get started driving adoption of Microsoft SharePoint Syntex
+description: Learn how to use and implement SharePoint Syntex in your organization to help you streamline your business processes.
++ Last updated audience: admin
search.appverid:
ms.localizationpriority: medium
-# Microsoft SharePoint Syntex adoption: Get started
+# Get started driving adoption of Microsoft SharePoint Syntex
Think of the intelligent content services available in SharePoint Syntex as having three parts:
contentunderstanding Adoption Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-scenarios.md
When you automate this scenario, you can ensure that:
## See also
-[Microsoft SharePoint Syntex adoption: Get started](adoption-getstarted.md)
+[Get started driving adoption of SharePoint Syntex](adoption-getstarted.md)
contentunderstanding Trial Syntex https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/trial-syntex.md
- admindeeplinkMAC search.appverid: ms.localizationpriority: medium
-description: Learn how to plan and run a trial pilot program for SharePoint Syntex in your organization.
+description: Learn how to plan, sign up, and run a trial pilot program for SharePoint Syntex in your organization.
# Run a trial of Microsoft SharePoint Syntex
enterprise Manage Skype For Business Online With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-skype-for-business-online-with-microsoft-365-powershell.md
Skype for Business Online administrators are responsible for managing policies.
## Before you start > [!NOTE]
-> Skype for Business Online Connector is currently part of the latest Teams PowerShell module. If you're using the latest Teams PowerShell public release, you don't need to install the Skype for Business Online Connector.
+> Skype for Business Online Connector is currently part of the latest Teams PowerShell module. If you're using the latest **Teams PowerShell** public release, you don't need to install the Skype for Business Online Connector.
+
+> [!NOTE]
+> Skype for Business Online Admins can manage both **Teams** and **Skype for Business Online** app policies through PowerShell.
Install the [Teams PowerShell module](/microsoftteams/teams-powershell-install).
security Microsoft 365 Security For Bdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-security-for-bdm.md
This article is organized by priority of work, starting with protecting those ac
Microsoft provides you with the Secure Score tool within your tenant to automatically analyze your security posture based on your regular activities, assign a score, and provide security improvement recommendations. Before taking the actions recommended in this article, take note of your current score and recommendations. The actions recommended in this article will increase your score. The goal is not to achieve the max score, but to be aware of opportunities to protect your environment in a way that does not negatively affect productivity for your users. See [Microsoft Secure Score](defender/microsoft-secure-score.md). One more thing before we get started . . . be sure to [turn on the audit log](../compliance/search-the-audit-log-in-security-and-compliance.md). You'll need this data later, in the event you need to investigate an incident or a breach.
As a first step, we recommend ensuring critical accounts in the environment are
|Configure and use Privileged Access Workstations (PAW) to administer services. Do not use the same workstations for browsing the Internet and checking email not related to your administrative account.| !![green check mark.](../media/green-check-mark.png)|![green check mark.](../media/green-check-mark.png)::: | The following diagram illustrates these capabilities. Additional recommendations:
Known threats include malware, compromised accounts, and phishing. Some protecti
|**Block connections from countries that you don't do business with**. Create an Azure AD conditional access policy to block any connections coming from these countries, effectively creating a geo firewall around your tenant.| |![green check mark.](../media/green-check-mark.png)| The following diagram illustrates these capabilities.+ ## Protect against unknown threats
After adding extra protections to your privileged accounts and protecting agains
The following diagram illustrates these capabilities. :::image type="content" source="../media/m365-security-bdm-illustrations-unknown-threats.png" alt-text="An example of the capabilities offered by tools to protect against unknown threats" lightbox="../media/m365-security-bdm-illustrations-unknown-threats.png"::: + Additional recommendations: - Secure partner channel communications like Emails using TLS.
While Microsoft takes every possible measure to prevent against threats and atta
|**Use [AIP Scanner](/azure/information-protection/deploy-aip-scanner) to identify and classify information across servers and file shares**. Use the AIP reporting tool to view the results and take appropriate actions.| |![green check mark.](../media/green-check-mark.png)| The following diagram illustrates these capabilities.
-![Recommended capabilities for protecting against breach.](../media/m365-security-bdm-illustrations-assume-breach.png)
+ ## Continuous monitoring and auditing
Last but not least, Continuous Monitoring and Auditing of the Microsoft 365 envi
|Use **Microsoft Defender for Cloud** to monitor for threats across hybrid and cloud workloads. Microsoft Defender for Cloud includes a free tier of capabilities and a standard tier of capabilities that are paid for based on resource hours or transactions.| | | The following diagram illustrates these capabilities.++ Top recommended monitoring actions:
security Microsoft 365 Zero Trust https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-zero-trust.md
Microsoft 365 is built intentionally with many security and information protecti
This illustration represents the work of deploying Zero Trust capabilities. This work is broken into units of work that can be configured together, starting from the bottom and working to the top to ensure that prerequisite work is complete. In this illustration: - Zero Trust begins with a foundation of identity and device protection.
In this illustration:
The first step is to build your Zero Trust foundation by configuring identity and device access protection.
Go to [**_Zero Trust identity and device access protection_**](office-365-securi
Start by implementing the starting-point tier. These policies do not require enrolling devices into management. ## Step 2. Manage endpoints with Intune Next, enroll your devices into management and begin protecting these with more sophisticated controls. Go to [**_Manage devices with Intune_**](../solutions/manage-devices-with-intune-overview.md) for prescriptive guidance to accomplish this.
Go to [**_Manage devices with Intune_**](../solutions/manage-devices-with-intune
With devices enrolled into management, you can now implement the full set of recommended Zero Trust identity and device access policies, requiring compliant devices. Return to [**_Common identity and device access policies_**](office-365-security/identity-access-policies.md) and add the policies in the Enterprise tier. ## Step 4. Evaluate, pilot, and deploy Microsoft 365 Defender Microsoft 365 Defender is an extended detection and response (XDR) solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft 365 environment, including endpoint, email, applications, and identities. Go to [**_Evaluate and pilot Microsoft 365 Defender_**](defender/eval-overview.md) for a methodical guide to piloting and deploying Microsoft 365 Defender components.
Implement Microsoft Information Protection (MIP) to help you discover, classify,
MIP capabilities are included with Microsoft 365 Compliance and give you the tools to know your data, protect your data, and prevent data loss. While this work is represented at the top of the deployment stack illustrated earlier in this article, you can begin this work anytime. Microsoft Information Protection provides a framework, process, and capabilities you can use to accomplish your specific business objectives. For more information on how to plan and deploy information protection, see [**_Deploy a Microsoft Information Protection solution_**](../compliance/information-protection-solution.md).
security Active Content In Trusted Docs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/active-content-in-trusted-docs.md
Previously, when users identified documents as trusted documents, their selectio
The updated Trust Center logic is described in the following diagram: 1. A user opens an Office document that contains active content. 2. If the document is from a trusted location, the document is opened with the active content enabled. If the document is not from a trusted location, the evaluation continues.
-3. This is where the updated behavior takes effect:
+3. It is here the updated behavior takes effect:
- Previously, the next evaluated setting would have been if the user had identified this document as a trusted document. If they did, the document would open with the active content enabled. - Now, whether or not the user identified the document as a trusted document is not considered here (now at step 8).
- This is the fundamental change in behavior: cloud policies (step 4), group policies (step 6) and local settings (step 7) are checked _before_ the user designation of a trusted document is even considered. If any of those steps block access to the active content **and** none of the steps allow user overrides, then user identification of the document as a trusted document is basically irrelevant.
+ The fundamental change in behavior is described as follows: cloud policies (step 4), group policies (step 6), and local settings (step 7) are checked _before_ the user designation of a trusted document is even considered. If any of those steps block access to the active content **and** none of the steps allow user overrides, then user identification of the document as a trusted document is irrelevant.
4. Cloud policies are checked to see if this type of active content is allowed or blocked. If the active content is not blocked, the evaluation continues to step 6.
Admins have many ways to configure Office in an organization. For example:
## Admin options for restricting active content
-There's a big difference in the level of trust in internally created content vs. content that users download from the internet. Consider allowing active content in internal documents and globally not allowing active content in documents from the internet.
+There's a large difference in the level of trust in internally created content vs. content that users download from the internet. Consider allowing active content in internal documents and globally not allowing active content in documents from the internet.
If your users don't need specific types of active content, your most secure option is to use policies to turn off user access to that active content, and allow exceptions as needed.
The following policies are available:
- **Turn off Trusted Documents**: Exceptions for groups available. - **Turn off all active content**: Exceptions for individuals.
-The tables in the following sections describe the settings that control active content. These policies, if applied to users, will be enforced on trusted documents, and the previous end user experience might not be the same. The tables also include the recommended security baselines setting, and identify other settings where the user prompt to override is available (allowing the user to enable the active content).
+The tables in the following sections describe the settings that control active content. These policies, if applied to users, will be enforced on trusted documents, and the previous end-user experience might not be the same. The tables also include the recommended security baselines setting, and identify other settings where the user prompt to override is available (allowing the user to enable the active content).
### HKEY_CURRENT_USER settings
The tables in the following sections describe the settings that control active c
|Macros|Excel|Scan encrypted macros in Excel Open XML workbooks|**Scan encrypted macros (default)**|No| |Macros|Office|Allow VBA to load typelib references by path from untrusted intranet locations|**Disabled**|No| |Macros|Office|Automation Security|**Use application macro security level**|No|
-|Macros|Office|Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine|**Disabled**|No|
+|Macros|Office|Disable other security checks on VBA library references that may refer to unsafe locations on the local machine|**Disabled**|No|
|Macros|Office|Macro Runtime Scan Scope|**Enable for all documents**|No| |Macros|Office|Only trust VBA macros that use V3 signatures|Not a security baseline setting.|No| |Macros|Outlook|Outlook Security Mode|**Use Outlook Security Group Policy**|Required to enable all Outlook GPO settings. <p> Mentioned as a dependency (this policy doesn't block active content itself).|
The tables in the following sections describe the settings that control active c
|||||| |ActiveX|Office|Restrict ActiveX Install|excel.exe = True <p> exprwd.exe = True <p> groove.exe = True <p> msaccess.exe = True <p> mse7.exe = True <p> mspub.exe = True <p> onent.exe = True <p> outlook.exe = True <p> powerpnt.exe = True <p> pptview.exe = True <p> spDesign.exe = True <p> visio.exe = True <p> winproj.exe = True <p> winword.exe = True|No| |Add-ins & Extensibility|Office|Add-on Management|excel.exe = True <p> exprwd.exe = True <p> groove.exe = True <p> msaccess.exe = True <p> mse7.exe = True <p> mspub.exe = True <p> onent.exe = True <p> outlook.exe = True <p> powerpnt.exe = True <p> pptview.exe = True <p> spDesign.exe = True <p> visio.exe = True <p> winproj.exe = True <p> winword.exe = True|No|
-|Add-ins & Extensibility|Office|Block Flash activation in Office documents|See the Microsoft Security Guide ADMX/ADML files for a list of COM killbits to block all activation for Flash in Microsoft 365 apps. The ADMX/ADML files for enterprise Security Baselines are available in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319).|No|
+|Add-ins & Extensibility|Office|Block Flash activation in Office documents|See the Microsoft Security Guide ADMX/ADML files for a list of COM killbits to block all activation for Flash at Microsoft 365 apps. The ADMX/ADML files for enterprise Security Baselines are available in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319).|No|
|Jscript & VBScript|Office|Restrict legacy JScript execution for Office|**Enabled**: <p> Access: 69632 <p> Excel: 69632 <p> OneNote: 69632 <p> Outlook: 69632 <p> PowerPoint: 69632 <p> Project: 69632 <p> Publisher: 69632 <p> Visio: 69632 <p> Word: 69632|No| |Jscript & VBScript|Office|Scripted Window Security Restrictions|excel.exe = True <p> exprwd.exe = True <p> groove.exe = True <p> msaccess.exe = True <p> mse7.exe = True <p> mspub.exe = True <p> onent.exe = True <p> outlook.exe = True <p> powerpnt.exe = True <p> pptview.exe = True <p> spDesign.exe = True <p> visio.exe = True <p> winproj.exe = True <p> winword.exe = True|No| |
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
Title: Configure advanced features in Microsoft Defender for Endpoint description: Turn on advanced features such as block file in Microsoft Defender for Endpoint.
-keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, microsoft defender for identity, office 365, azure information protection, intune
+keywords: advanced features, settings, block file, automated investigation, auto resolve, skype, microsoft defender for identity, office 365, azure information protection, intune
ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
Enabling this feature allows you to run unsigned scripts in a live response sess
Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software, which might be unexpected or unwanted.
-Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection is not configured on the devices. This will help protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration.
+Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection is not configured on the devices. This activation of the feature helps to protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration.
## Restrict correlation to within scoped device groups
-This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization.
+This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross-device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization.
> [!NOTE] > Changing this setting impacts future alert correlations only.
Endpoint detection and response (EDR) in block mode provides protection from mal
## Autoresolve remediated alerts
-For tenants created on or after Windows 10, version 1809, the automated investigation, and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
+For tenants created on or after Windows 10, version 1809, the automated investigation, and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto resolved, you'll need to manually turn off the feature.
> [!TIP] > For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://security.microsoft.com//preferences2/integration) page.
To turn **Allow or block** files on:
1. Toggle the setting between **On** and **Off**.
- :::image type="content" source="../../media/alloworblockfile.png" alt-text="Image of advanced settings for block file feature.":::
+ :::image type="content" source="../../media/alloworblockfile.png" alt-text="The Endpoints screen" lightbox="../../media/alloworblockfile.png":::
1. Select **Save preferences** at the bottom of the page.
For more information, see [Investigate a user account](investigate-user.md).
## Skype for Business integration
-Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
+Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This activation can be handy when you need to communicate with the user and mitigate risks.
> [!NOTE] > When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode.
Defender for Endpoint can be integrated with [Microsoft Intune](/intune/what-is-
> [!IMPORTANT] > You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md).
-This feature is only available if you've the following:
+This feature is only available if you've the following prerequisites:
- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5) - An active Microsoft Intune environment, with Intune-managed Windows devices [Azure AD-joined](/azure/active-directory/devices/concept-azure-ad-join/).
security Advanced Hunting Schema Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference.md
While constructing queries, use the built-in schema reference to quickly get the
- **Tables description**: Type of data contained in the table and the source of that data. - **Columns**: All the columns in the table.-- **Action types**: Possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information.
+- **Action types**: Possible values in the `ActionType` column representing the event types supported by the table. These values are provided only for tables that contain event information.
- **Sample query**: Example queries that feature how the table can be utilized. ### Access the schema reference To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table.
-![Image showing how to access in-portal schema reference.](images/ah-reference.png)
## Learn the schema tables
Table and column names are also listed within the Microsoft 365 Defender portal,
| > [!TIP]
-> Use [advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable).
+> Use [advanced hunting at Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable).
Learn more about how to move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-migrate-from-mde).
security Alerts Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-alertsq-abovefoldlink)
-The **Alerts** shows a list of alerts that were flagged from devices in your network. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
+The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are shown at the top of the list helping you see the most recent alerts first.
> [!NOTE] > The alerts are significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
On the top navigation you can:
- Export the alerts list to excel - Manage Alerts ## Sort and filter alerts
You can apply the following filters to limit the list of alerts and get a more f
### Severity
-You can filter the alerts based on their Severity.
-
-|Alert severity|Description|
-|||
-|High <br> (Red)|Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.|
-|Medium <br> (Orange)|Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.|
-|Low <br> (Yellow)|Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.|
-|Informational <br> (Grey)|Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.|
+Alert severity|Description
+|
+High <br> (Red)|Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
+Medium <br> (Orange)|Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). These behaviors include observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
+Low <br> (Yellow)|Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
+Informational <br> (Grey)|Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
#### Understanding alert severity
The Defender for Endpoint alert severity represents the severity of the detected
So, for example: -- The severity of a Defender for Endpoint alert about a Microsoft Defender Antivirus detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage.
+- The severity of a Defender for Endpoint alert about a Microsoft Defender Antivirus detected threat that was prevented and did not infect the device is categorized as "Informational" because there was no actual damage.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat. - An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
You can filter the alerts based on Tags assigned to alerts.
You can filter the alerts based on the following policies: -- Activity from infrequent country-- Admin Submission Result Completed-- Admin triggered manual investigation of email-- Admin triggered user compromise investigation-- Anomalous Token -- Atypical travel-- Creation of forwarding/redirect rule-- Email messages containing malicious URL removed after delivery-- Email messages containing malicious file removed after delivery-- Email reported by user as malware or phish-- Password Spray-- Remediation action taken by admin on emails or URL or sender-- Suspicious service creation -- Unfamiliar sign-in properties
+|Detection source|API value|
+|||
+|Third-party sensors|ThirdPartySensors|
+|Antivirus|WindowsDefenderAv|
+|Automated investigation|AutomatedInvestigation|
+|Custom detection|CustomDetection|
+|Custom TI|CustomerTI|
+|EDR|WindowsDefenderAtp|
+|Microsoft 365 Defender|MTP|
+|Microsoft Defender for Office 365|OfficeATP|
+|Microsoft Threat Experts|ThreatExperts|
+|SmartScreen|WindowsDefenderSmartScreen|
### Entities
security Analyzer Feedback https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-feedback.md
ms.technology: m365d
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
-If you have feedback or suggestions that would help us improve the Microsoft Defender for Endpoint client analyzer, please use the following link to submit feedback:
+If you have feedback or suggestions that would help us improve the Microsoft Defender for Endpoint client analyzer, use either of these options to submit feedback:
-Microsoft 365 Defender portal (security.microsoft.com):
+1. Microsoft 365 Defender portal (security.microsoft.com):
-![Image of give feedback button.](images/1d5b3c010b4b5c0e9d5eb43f71fa95e3.png)
+
+2. Microsoft 365 Defender portal (security.microsoft.com):
+
security Analyzer Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-report.md
Use the following example to understand the report.
Example output from the analyzer on a machine onboarded to expired Org ID and failing to reach one of the required Microsoft Defender for Endpoint URLs:
-![Image of client analyzer result.](images/147cbcf0f7b6f0ff65d200bf3e4674cb.png)
- On top, the script version and script runtime are listed for reference - The **Device Information** section provides basic OS and device identifiers to uniquely identify the device on which the analyzer has run. - The **Endpoint Security Details** provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor process. If important processes aren't online as expected, the color will change to red.-
- ![Image of client analyzer detailed result](images/85f56004dc6bd1679c3d2c063e36cb80.png)
-
+
- The **Endpoint Security Details** provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor process. If important processes aren't online as expected, the color will change to red.
- ![Image of client analyzer detailed result.](images/85f56004dc6bd1679c3d2c063e36cb80.png)
+ :::image type="content" source="images/85f56004dc6bd1679c3d2c063e36cb80.png" alt-text="The Check Results Summary page" lightbox="images/85f56004dc6bd1679c3d2c063e36cb80.png":::
-- On **Check Results Summary** you'll have an aggregated count for error,
+- On **Check Results Summary**, you'll have an aggregated count for error,
warning, or informational events detected by the analyzer. -- On **Detailed Results** you'll see a list (sorted by severity) with
+- On **Detailed Results**, you'll see a list (sorted by severity) with
the results and the guidance based on the observations made by the analyzer. ## Open a support ticket to Microsoft and include the Analyzer results
Use the following example to understand the report.
To include analyzer result files [when opening a support ticket](contact-support.md#open-a-service-request), make sure you use the **Attachments** section and include the `MDEClientAnalyzerResult.zip` file:
-![Image of attachment prompt.](images/508c189656c3deb3b239daf811e33741.png)
> [!NOTE] > If the file size is larger than 25 MB, the support engineer assigned to your case will provide a dedicated secure workspace to upload large files for analysis.
security Android Configure Mam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md
ms.technology: mde
Microsoft Defender for Endpoint on Android, which already protects enterprise users on Mobile Device Management (MDM) scenarios, now extends support to Mobile App Management (MAM), for devices that are not enrolled using Intune mobile device management (MDM). It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for mobile application management (MAM).This capability allows you to manage and protect your organization's data within an application.
-Microsoft Defender for Endpoint on Android threat information is leveraged by Intune App Protection Policies to protect these apps. App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A managed application has app protection policies applied to it and can be managed by Intune.
+Microsoft Defender for Endpoint on Android threat information is applied by Intune App Protection Policies to protect these apps. App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A managed application has app protection policies applied to it and can be managed by Intune.
Microsoft Defender for Endpoint on Android supports both the configurations of MAM - **Intune MDM + MAM**: IT administrators can only manage apps using App Protection Policies on devices that are enrolled with Intune mobile device management (MDM).-- **MAM without device enrollment**: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using [App Protection Policies](/mem/intune/app/app-protection-policy) on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party EMM providers.
+- **MAM without device enrollment**: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using [App Protection Policies](/mem/intune/app/app-protection-policy) on devices not enrolled with Intune MDM. This provision means that apps can be managed by Intune on devices enrolled with third-party EMM providers.
To manage apps using in both the above configurations customers should use Intune in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) To enable this capability an administrator needs to configure the connection between Microsoft Defender for Endpoint and Intune, create the app protection policy, and apply the policy on targeted devices and applications.
End users also need to take steps to install Microsoft Defender for Endpoint on
c. If the connection is not turned on, select the toggle to turn it on and then select **Save Preferences**.
- ![Image of Defender for Endpoint -Intune connector](images/enable-intune-connection.png)
+ :::image type="content" source="images/enable-intune-connection.png" alt-text="The Advanced features section in the Microsoft 365 Defender portal" lightbox="images/enable-intune-connection.png":::
d. Go to **Microsoft Endpoint Manager (Intune)** and Validate whether Microsoft Defender for Endpoint-Intune connector is enabled.
- ![Image of Defender for Endpoint-Intune connector in Intune](images/validate-intune-connector.png)
+ :::image type="content" source="images/validate-intune-connector.png" alt-text="The intune-connector status pane in the Microsoft 365 Defender portal" lightbox="images/validate-intune-connector.png":::
- **Enable Microsoft Defender for Endpoint on Android Connector for App Protection Policy (APP)**
End users also need to take steps to install Microsoft Defender for Endpoint on
c. Select **Save**.
- ![App settings](images/app-settings.png)
+ :::image type="content" source="images/app-settings.png" alt-text="The application settings pane in the Microsoft 365 Defender portal" lightbox="images/app-settings.png":::
- **Create an app protection policy**
Microsoft Defender for Endpoint can be configured to send threat signals to be u
1. Create a policy <br> App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.
-![Image of policy creation](images/create-policy.png)
2. Add apps <br> a. Choose how you want to apply this policy to apps on different devices. Then add at least one app. <br>
- Use this option to specify whether this policy applies to unmanaged devices. In case of Android, you can specify the policy applies to Android Enterprise, Device Admin, or Unmanaged devices. You can also choose to target your policy to apps on devices of any management state.
+ Use this option to specify whether this policy applies to unmanaged devices. In Android, you can specify the policy applies to Android Enterprise, Device Admin, or Unmanaged devices. You can also choose to target your policy to apps on devices of any management state.
Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management. Companies can use app protection policies with or without MDM at the same time. For example, consider an employee that uses both a phone issued by the company, and their own personal tablet. The company phone is enrolled in MDM and protected by app protection policies while the personal device is protected by app protection policies only. b. Select Apps<br>
Because mobile app management doesn't require device management, you can protect
*Example: Outlook as a managed app*
- ![Image Outlook as managed app](images/managed-app.png)
+ :::image type="content" source="images/managed-app.png" alt-text="The Public apps pane in the Microsoft 365 Defender portal" lightbox="images/managed-app.png":::
+ 3. Set sign-in security requirements for your protection policy. <br> Select **Setting > Max allowed device threat level** in **Device Conditions** and enter a value. Then select **Action: "Block Access"**. Microsoft Defender for Endpoint on Android shares this Device Threat Level.
- ![Image of conditional launch](images/conditional-launch.png)
--
+ :::image type="content" source="images/conditional-launch.png" alt-text="The Device conditions pane in the Microsoft 365 Defender portal" lightbox="images/conditional-launch.png":::
+
- **Assign user groups for whom the policy needs to be applied.**<br> Select **Included groups**. Then add the relevant groups.
- ![Image of assigments](images/assignment.png)
+ :::image type="content" source="images/assignment.png" alt-text="The Included groups pane in the Microsoft 365 Defender portal" lightbox="images/assignment.png":::
-## End user prerequisites
-- The broker app needs to be installed
+## End-user prerequisites
+- The broker app must be installed
- Intune Company Portal -- Users have the required licenses for the managed app and has the app installed
+- Users have the required licenses for the managed app and have the app installed
-### End user onboarding
+### End-user onboarding
1. Sign in to a managed application, for example, Outlook. The device is registered and the application protection policy is synchronized to the device. The application protection policy recognizes the device's health state.
Select **Setting > Max allowed device threat level** in **Device Conditions** an
4. Install the Microsoft Defender for Endpoint (Mobile) app and launch back Managed app onboarding screen.
- ![Install MDE and launch back managed app onboarding screen](images/download-mde.png)
+ :::image type="content" source="images/download-mde.png" alt-text="The illustrative pages that contain the procedure of downloading MDE and launching back the app-onboarding screen" lightbox="images/download-mde.png":::
+
5. Click **Continue > Launch**. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You will automatically be redirected back to Managed app onboarding screen, which now indicates that the device is healthy.
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
Learn how to deploy Defender for Endpoint on Android on Intune Company Portal -
1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> **Android Apps** \> **Add \> Android store app** and choose **Select**.
- :::image type="content" alt-text="Image of Microsoft Endpoint Manager Admin Center add android store application." source="images/mda-addandroidstoreapp.png" lightbox="images/mda-addandroidstoreapp.png":::
+ :::image type="content" source="images/mda-addandroidstoreapp.png" alt-text="The Add Android store application pane in the Microsoft Endpoint Manager Admin Center portal" lightbox="images/mda-addandroidstoreapp.png":::
2. On the **Add app** page and in the *App Information* section enter:
Learn how to deploy Defender for Endpoint on Android on Intune Company Portal -
Other fields are optional. Select **Next**.
- :::image type="content" alt-text="Image of Microsoft Endpoint Manager Admin Center add app info." source="images/mda-addappinfo.png" lightbox="images/mda-addappinfo.png":::
+ :::image type="content" source="images/mda-addappinfo.png" alt-text=" The Add App page displaying the application's publisher and URL information in the Microsoft Endpoint Manager Admin Center portal" lightbox="images/mda-addappinfo.png":::
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint on Android app. Choose **Select** and then **Next**. > [!NOTE] > The selected user group should consist of Intune enrolled users. >
- > :::image type="content" alt-text="Image of the Microsoft Endpoint Manager Admin Center selected user groups." source="images/363bf30f7d69a94db578e8af0ddd044b.png" lightbox="images/363bf30f7d69a94db578e8af0ddd044b.png":::
+ > :::image type="content" source="images/363bf30f7d69a94db578e8af0ddd044b.png" alt-text="The Add group pane in the Add App page in the Microsoft Endpoint Manager Admin Center portal" lightbox="images/363bf30f7d69a94db578e8af0ddd044b.png":::
4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page.
- :::image type="content" alt-text="Image of Microsoft Endpoint Manager Admin Center notification of Defender for Endpoint app." source="images/86cbe56f88bb6e93e9c63303397fc24f.png" lightbox="images/86cbe56f88bb6e93e9c63303397fc24f.png":::
+ :::image type="content" source="images/86cbe56f88bb6e93e9c63303397fc24f.png" alt-text="The application status pane in the Microsoft Endpoint Manager Admin Center portal" lightbox="images/86cbe56f88bb6e93e9c63303397fc24f.png":::
5. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully.
- :::image type="content" alt-text="Image of Microsoft Endpoint Manager Admin Center device install." source="images/513cf5d59eaaef5d2b5bc122715b5844.png" lightbox="images/513cf5d59eaaef5d2b5bc122715b5844.png":::
+ :::image type="content" source="images/513cf5d59eaaef5d2b5bc122715b5844.png" alt-text="The Device install status page in the Microsoft Defender 365 portal" lightbox="images/513cf5d59eaaef5d2b5bc122715b5844.png":::
### Complete onboarding and check status 1. Once Defender for Endpoint on Android has been installed on the device, you'll see the app icon.
- ![Icon on mobile device.](images/7cf9311ad676ec5142002a4d0c2323ca.jpg)
+ :::image type="content" source="images/7cf9311ad676ec5142002a4d0c2323ca.jpg" alt-text="The Microsoft Defender ATP icon listed in the Search pane" lightbox="images/7cf9311ad676ec5142002a4d0c2323ca.jpg":::
2. Tap the Microsoft Defender for Endpoint app icon and follow the on-screen instructions to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint on Android. 3. Upon successful onboarding, the device will start showing up on the Devices list in the Microsoft 365 Defender portal.
- :::image type="content" alt-text="Image of device in Defender for Endpoint portal." source="images/9fe378a1dce0f143005c3aa53d8c4f51.png" lightbox="images/9fe378a1dce0f143005c3aa53d8c4f51.png":::
+ :::image type="content" source="images/9fe378a1dce0f143005c3aa53d8c4f51.png" alt-text="A device in the Microsoft Defender for Endpoint portal" lightbox="images/9fe378a1dce0f143005c3aa53d8c4f51.png":::
## Deploy on Android Enterprise enrolled devices
Follow the steps below to add Microsoft Defender for Endpoint app into your mana
1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> **Android Apps** \> **Add** and select **Managed Google Play app**.
- :::image type="content" alt-text="Image of Microsoft Endpoint Manager admin center managed google play." source="images/579ff59f31f599414cedf63051628b2e.png" lightbox="images/579ff59f31f599414cedf63051628b2e.png":::
+ :::image type="content" source="images/579ff59f31f599414cedf63051628b2e.png" alt-text="The application-adding pane in the Microsoft Endpoint Manager admin center portal" lightbox="images/579ff59f31f599414cedf63051628b2e.png":::
2. On your managed Google Play page that loads subsequently, go to the search box and enter `Microsoft Defender`. Your search should display the Microsoft Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result.
- ![Image of Microsoft Endpoint Manager admin center Apps search.](images/0f79cb37900b57c3e2bb0effad1c19cb.png)
+ :::image type="content" source="images/0f79cb37900b57c3e2bb0effad1c19cb.png" alt-text="The Managed Google Play page in the Microsoft Endpoint Manager admin center portal" lightbox="images/0f79cb37900b57c3e2bb0effad1c19cb.png":::
3. In the App description page that comes up next, you should be able to see app details on Defender for Endpoint. Review the information on the page and then select **Approve**. > [!div class="mx-imgBorder"]
- > ![A screenshot of a Managed Google Play.](images/07e6d4119f265037e3b80a20a73b856f.png)
+ > :::image type="content" source="images/07e6d4119f265037e3b80a20a73b856f.png" alt-text="The page of Managed Google Play in the Microsoft Endpoint Manager admin center portal" lightbox="images/07e6d4119f265037e3b80a20a73b856f.png":::
+
4. You'll be presented with the permissions that Defender for Endpoint obtains for it to work. Review them and then select **Approve**.
- ![A screenshot of Defender for Endpoint preview app approval.](images/206b3d954f06cc58b3466fb7a0bd9f74.png)
+ :::image type="content" source="images/206b3d954f06cc58b3466fb7a0bd9f74.png" alt-text="The permissions approval page in the Microsoft Defender 365 portal" lightbox="images/206b3d954f06cc58b3466fb7a0bd9f74.png":::
5. You'll be presented with the Approval settings page. The page confirms your preference to handle new app permissions that Defender for Endpoint on Android might ask. Review the choices and select your preferred option. Select **Done**. By default, managed Google Play selects **Keep approved when app requests new permissions**. > [!div class="mx-imgBorder"]
- > ![Image of notifications tab.](images/ffecfdda1c4df14148f1526c22cc0236.png)
+ > :::image type="content" source="images/ffecfdda1c4df14148f1526c22cc0236.png" alt-text=" The approval settings configuration completion page in the in the Microsoft Defender 365 portal" lightbox="images/ffecfdda1c4df14148f1526c22cc0236.png":::
6. After the permissions handling selection is made, select **Sync** to sync Microsoft Defender for Endpoint to your apps list. > [!div class="mx-imgBorder"]
- > ![Image of sync page.](images/34e6b9a0dae125d085c84593140180ed.png)
+ > :::image type="content" source="images/34e6b9a0dae125d085c84593140180ed.png" alt-text="The Sync pane in the Microsoft Defender 365 portal" lightbox="images/34e6b9a0dae125d085c84593140180ed.png":::
7. The sync will complete in a few minutes.
- :::image type="content" alt-text="Image of Android app." source="images/9fc07ffc150171f169dc6e57fe6f1c74.png" lightbox="images/9fc07ffc150171f169dc6e57fe6f1c74.png":::
+ :::image type="content" source="images/9fc07ffc150171f169dc6e57fe6f1c74.png" alt-text="The application sync status pane in the Android apps page in the Microsoft Defender 365 portal" lightbox="images/9fc07ffc150171f169dc6e57fe6f1c74.png":::
8. Select the **Refresh** button in the Android apps screen and Microsoft Defender for Endpoint should be visible in the apps list.
- :::image type="content" alt-text="Image of list of Android apps." source="images/fa4ac18a6333335db3775630b8e6b353.png" lightbox="images/fa4ac18a6333335db3775630b8e6b353.png":::
+ :::image type="content" source="images/fa4ac18a6333335db3775630b8e6b353.png" alt-text="The page displaying the synced application" lightbox="images/fa4ac18a6333335db3775630b8e6b353.png":::
9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
- :::image type="content" alt-text="Image of Microsoft Endpoint Manager admin center android managed devices." source="images/android-mem.png":::
+ :::image type="content" source="images/android-mem.png" alt-text="The App configuration policies pane in the Microsoft Endpoint Manager admin center portal" lightbox="images/android-mem.png":::
1. In the **Create app configuration policy** page, enter the following details:
Follow the steps below to add Microsoft Defender for Endpoint app into your mana
- Choose **Work Profile only** as Profile Type. - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**.
- :::image type="content" alt-text="Image of create app configuration policy page." source="images/android-create-app.png" lightbox="images/android-create-app.png":::
+ :::image type="content" source="images/android-create-app.png" alt-text=" The Associated app details pane" lightbox="images/android-create-app.png":::
1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions:
Follow the steps below to add Microsoft Defender for Endpoint app into your mana
Then select **OK**.
- :::image type="content" alt-text="Image of android create app configuration policy." source="images/android-create-app-config.png" lightbox="images/android-create-app-config.png":::
+ :::image type="content" source="images/android-create-app-config.png" alt-text="The Add permissions pane" lightbox="images/android-create-app-config.png":::
1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.
- :::image type="content" alt-text="Image of android auto grant create app configuration policy." source="images/android-auto-grant.png" lightbox="images/android-auto-grant.png":::
+ :::image type="content" source="images/android-auto-grant.png" alt-text="The Permission state pane" lightbox="images/android-auto-grant.png":::
1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
- :::image type="content" alt-text="Image of the create app configuration policy." source="images/android-select-group.png" lightbox="images/android-select-group.png":::
+ :::image type="content" source="images/android-select-group.png" alt-text="The Selected groups pane" lightbox="images/android-select-group.png":::
1. In the **Review + Create** page that comes up next, review all the information and then select **Create**. The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group. > [!div class="mx-imgBorder"]
- > ![Image of android review create app config policy.](images/android-review-create.png)
+ > :::image type="content" source="images/android-review-create.png" alt-text="The Review + create tab in the Create app configuration policy page" lightbox="images/android-review-create.png":::
10. Select **Microsoft Defender ATP** app in the list \> **Properties** \> **Assignments** \> **Edit**.
- :::image type="content" alt-text="Image of list of apps." source="images/mda-properties.png" lightbox="images/mda-properties.png":::
+ :::image type="content" source="images/mda-properties.png" alt-text="The Edit option on the Properties page" lightbox="images/mda-properties.png":::
11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of the device via Company Portal app. This assignment can be done by navigating to the *Required* section \> **Add group,** selecting the user group and click **Select**. > [!div class="mx-imgBorder"]
- > ![Image of edit application page.](images/ea06643280075f16265a596fb9a96042.png)
+ > :::image type="content" source="images/ea06643280075f16265a596fb9a96042.png" alt-text="The Edit application page" lightbox="images/ea06643280075f16265a596fb9a96042.png":::
12. In the **Edit Application** page, review all the information that was entered above. Then select **Review + Save** and then **Save** again to commence assignment.
Defender for Endpoint supports Device configuration policies for managed devices
Select **Create**.
- :::image type="content" alt-text="Image of devices configuration profile Create." source="images/1autosetupofvpn.png":::
+ :::image type="content" source="images/1autosetupofvpn.png" alt-text="The Configuration profiles menu item in the Policy pane" lightbox="images/1autosetupofvpn.png":::
2. **Configuration Settings** Provide a **Name** and a **Description** to uniquely identify the configuration profile.
- :::image type="content" alt-text="Image of devices configuration profile Name and Description." source="images/2autosetupofvpn.png":::
+ :::image type="content" source="images/2autosetupofvpn.png" alt-text="The devices configuration profile Name and Description fields in the Basics pane" lightbox="images/2autosetupofvpn.png":::
3. Select **Connectivity** and configure VPN: - Enable **Always-on VPN**
- Setup a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device.
+ Set up a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device.
- Select **Custom** in VPN client dropdown list
Defender for Endpoint supports Device configuration policies for managed devices
- **Lockdown mode** Not configured (Default)
- ![Image of devices configuration profile enable Always-on VPN.](images/3autosetupofvpn.png)
- :::image type="content" alt-text="Image of devices configuration profile enable Always-on VPN." source="images/3autosetupofvpn.png":::
+ :::image type="content" source="images/3autosetupofvpn.png" alt-text="The Connectivity pane under the Configuration settings tab" lightbox="images/3autosetupofvpn.png":::
4. **Assignment** In the **Assignments** page, select the user group to which this app config policy would be assigned to. Choose **Select groups** to include and selecting the applicable group and then select **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
- ![Image of devices configuration profile Assignment.](images/4autosetupofvpn.png)
+ :::image type="content" source="images/4autosetupofvpn.png" alt-text="The devices configuration profile Assignment pane in the Device restrictions" lightbox="images/4autosetupofvpn.png":::
5. In the **Review + Create** page that comes up next, review all the information and then select **Create**. The device configuration profile is now assigned to the selected user group.
- ![Image of devices configuration profile Review and Create.](images/5autosetupofvpn.png)
+ :::image type="content" source="images/5autosetupofvpn.png" alt-text="A devices configuration profile 's provision for Review + create" lightbox="images/5autosetupofvpn.png":::
## Check status and complete onboarding 1. Confirm the installation status of Microsoft Defender for Endpoint on Android by clicking on the **Device Install Status**. Verify that the device is displayed here. > [!div class="mx-imgBorder"]
- > ![Image of device installation status.](images/900c0197aa59f9b7abd762ab2b32e80c.png)
+ > :::image type="content" source="images/900c0197aa59f9b7abd762ab2b32e80c.png" alt-text="The device installation status pane" lightbox="images/900c0197aa59f9b7abd762ab2b32e80c.png":::
2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
- ![Image of app in mobile device.](images/c2e647fc8fa31c4f2349c76f2497bc0e.png)
+ :::image type="content" source="images/c2e647fc8fa31c4f2349c76f2497bc0e.png" alt-text="The application display pane" lightbox="images/c2e647fc8fa31c4f2349c76f2497bc0e.png":::
3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful.
- ![Image of mobile device with Microsoft Defender for Endpoint app](images/MDE_new.png)
+ :::image type="content" source="images/MDE_new.png" alt-text="Th display of a Microsoft Defender for Endpoint application on a mobile device" lightbox="images/MDE_new.png":::
4. At this stage the device is successfully onboarded onto Defender for Endpoint on Android. You can verify this on the [Microsoft 365 Defender portal](https://security.microsoft.com) by navigating to the **Device Inventory** page.
- :::image type="content" alt-text="Image of Microsoft Defender for Endpoint portal." source="images/9fe378a1dce0f143005c3aa53d8c4f51.png" lightbox="images/9fe378a1dce0f143005c3aa53d8c4f51.png":::
+ :::image type="content" source="images/9fe378a1dce0f143005c3aa53d8c4f51.png" alt-text="The Microsoft Defender for Endpoint portal" lightbox="images/9fe378a1dce0f143005c3aa53d8c4f51.png":::
## Related topics
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
This article provides solutions to help address the sign-on issues.
**Sign in failed:** *Unexpected error, try later* **Message:**
from Google Play Store and try again.
**Sign in failed:** *Invalid license, please contact administrator* **Message:** *Invalid license, please contact administrator*
Phishing websites impersonate trustworthy websites for the purpose of obtaining
Phishing and harmful web threats that are detected by Defender for Endpoint for Android are not blocked on some Xiaomi devices. The following functionality doesn't work on these devices.
-![Image of site reported unsafe.](images/0c04975c74746a5cdb085e1d9386e713.png)
**Cause:**
Xiaomi devices include a new permission model. This prevents Defender for Endpoi
Xiaomi devices permission: "Display pop-up windows while running in the background."
-![Image of pop up setting.](images/6e48e7b29daf50afddcc6c8c7d59fd64.png)
**Solution:**
Users can follow these steps to enable the same permissions from the device sett
2. Search for and select **Battery Optimization**.
- ![Search for and select "Battery Optimisation".](images/search-battery-optimisation.png)
+ :::image type="content" source="images/search-battery-optimisation.png" alt-text="The page on which you can search and select Battery Optimisation" lightbox="images/search-battery-optimisation.png":::
3. In **Special app access**, select **Battery Optimization**.
- ![In Special app access, select "Battery Optimisation".](images/special-app-access.png)
+ :::image type="content" source="images/special-app-access.png" alt-text="The Special app access pane from which you can select Battery Optimisation" lightbox="images/special-app-access.png":::
4. Change the Dropdown to show **All Apps**.
- ![Step one to change the dropdown to show "All Apps".](images/show-all-apps-2.png)
+ :::image type="content" source="images/show-all-apps-2.png" alt-text="The drop-down from which you can change the value to All Apps under the Battery Optimisation pane" lightbox="images/show-all-apps-2.png":::
- ![Step two to change dropdown to show "All Apps".](images/show-all-apps-1.png)
+ :::image type="content" source="images/show-all-apps-1.png" alt-text="The drop-down that displays the All Apps option under the Battery Optimisation pane" lightbox="images/show-all-apps-1.png":::
5. Locate ΓÇ£Microsoft Defender for EndpointΓÇ¥ and select **DonΓÇÖt Optimize**.
- ![Locate "Microsoft Defender for Endpoint" and select "Don't Optimize".](images/select-dont-optimise.png)
+ :::image type="content" source="images/select-dont-optimise.png" alt-text="The page that enables location of the option Microsoft Defender for Endpoint and selection of Don't Optimize" lightbox="images/select-dont-optimise.png":::
Return to the Microsoft Defender for Endpoint onboarding screen, select **Allow**, and you will be redirected to the dashboard screen.
If a user faces an issue which is not already addressed in the above sections or
1. Open the **MDE application** on your device and click on the **profile icon** in the top-left corner.
- :::image type="content" alt-text="Click on profile icon." source="images/select-profile-icon-1.jpg":::
+ :::image type="content" source="images/select-profile-icon-1.jpg" alt-text="The profile icon in the Microsoft Defender for Endpoint portal" lightbox="images/select-profile-icon-1.jpg":::
2. Select ΓÇ£Help & feedbackΓÇ¥.
- :::image type="content" alt-text="Select help and feedback." source="images/selecthelpandfeedback2.png":::
+ :::image type="content" source="images/selecthelpandfeedback2.png" alt-text="The Help & feedback option that can be selected in the Microsoft Defender for Endpoint portal" lightbox="images/selecthelpandfeedback2.png":::
3. Select ΓÇ£Send feedback to MicrosoftΓÇ¥.
- :::image type="content" alt-text="Select send feedback to Microsoft." source="images/send-feedback-to-microsoft-3.jpg":::
+ :::image type="content" alt-text="Select send feedback to Microsoft" source="images/send-feedback-to-microsoft-3.jpg":::
4. Choose from the given options. To report an issue, select ΓÇ£I want to report an issueΓÇ¥.
- :::image type="content" alt-text="Report an issue." source="images/report-issue-4.jpg":::
+ :::image type="content" source="images/report-issue-4.jpg" alt-text="The I want to report an issue option" lightbox="images/report-issue-4.jpg":::
5. Provide details of the issue that you are facing and check ΓÇ£Send diagnostic dataΓÇ¥. We recommend checking ΓÇ£Include your email addressΓÇ¥ so that the team can reach back to you with a solution or a follow-up.
- :::image type="content" alt-text="Add details and attach diagnostic data." source="images/finalsubmit5.png":::
+ :::image type="content" source="images/finalsubmit5.png" alt-text="The pane on which you can add details and attach diagnostic data" lightbox="images/finalsubmit5.png":::
6. Click on ΓÇ£SubmitΓÇ¥ to successfully send the feedback.
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-hello-world.md
For the Application registration stage, you must have a **Global administrator**
2. Navigate to **Azure Active Directory** \> **App registrations** \> **New registration**.
- :::image type="content" alt-text="Image of Microsoft Azure and navigation to application registration." source="images/atp-azure-new-app2.png" lightbox="images/atp-azure-new-app2.png":::
+ :::image type="content" source="images/atp-azure-new-app2.png" alt-text="The App registrations option under the Manage pane in the Azure Active Directory portal" lightbox="images/atp-azure-new-app2.png":::
3. In the registration form, choose a name for your application and then click **Register**.
For the Application registration stage, you must have a **Global administrator**
> [!NOTE] > WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- :::image type="content" alt-text="Image of API access and API selection1." source="images/add-permission.png" lightbox="images/add-permission.png":::
+ :::image type="content" source="images/add-permission.png" alt-text="The API permissions option under the Manage pane in the Azure Active Directory portal" lightbox="images/add-permission.png":::
- Choose **Application permissions** \> **Alert.Read.All** > Click on **Add permissions**.
- :::image type="content" alt-text="Image of API access and API selection2." source="images/application-permissions.png" lightbox="images/application-permissions.png":::
+ :::image type="content" source="images/application-permissions.png" alt-text="The permission type and settings panes in the Request API permissions page" lightbox="images/application-permissions.png":::
> [!IMPORTANT] > You need to select the relevant permissions. 'Read All Alerts' is only an example!
For the Application registration stage, you must have a **Global administrator**
> [!NOTE] > Every time you add permission, you must click on **Grant consent** for the new permission to take effect.
- ![Image of Grant permissions.](images/grant-consent.png)
+ :::image type="content" source="images/grant-consent.png" alt-text="The grant permission consent option in the Azure Active Directory portal" lightbox="images/grant-consent.png":::
6. Add a secret to the application.
For the Application registration stage, you must have a **Global administrator**
> [!IMPORTANT] > After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
- ![Image of create app key.](images/webapp-create-key2.png)
+ :::image type="content" source="images/webapp-create-key2.png" alt-text="The Certificates & secrets menu item in the Manage pane in the Azure Active Directory portal" lightbox="images/webapp-create-key2.png":::
7. Write down your application ID and your tenant ID. On your application page, go to **Overview** and copy the following:
- ![Image of created app id.](images/app-and-tenant-ids.png)
+ :::image type="content" source="images/app-and-tenant-ids.png" alt-text="The application details pane under the Overview menu item in the Azure Active Directory portal" lightbox="images/app-and-tenant-ids.png":::
Done! You have successfully registered an application!
Done! You have successfully registered an application!
- Paste in the top box. - Look for the "roles" section. Find the _Alert.Read.All_ role.
- :::image type="content" alt-text="Image jwt.ms." source="images/api-jwt-ms.png" lightbox="images/api-jwt-ms.png":::
+ :::image type="content" source="images/api-jwt-ms.png" alt-text="The Decoded Token pane for jwt.ms" lightbox="images/api-jwt-ms.png":::
### Lets get the Alerts!
security Api Microsoft Flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-microsoft-flow.md
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) - Automating security procedures is a standard requirement for every modern Security Operations Center (SOC). For SOC teams to operate in the most efficient way, automation is a must. Use Microsoft Power Automate to help you create automated workflows and build an end-to-end procedure automation within a few minutes. Microsoft Power Automate supports different connectors that were built exactly for that.
-Use this article to guide you in creating automations that is triggered by an event, such as when an new alert is created in your tenant. Microsoft Defender API has an official Power Automate Connector with many capabilities.
-
+Use this article to guide you in creating automations that are triggered by an event, such as when a new alert is created in your tenant. Microsoft Defender API has an official Power Automate Connector with many capabilities.
- > [!NOTE] > For more details about premium connectors licensing prerequisites, see [Licensing for premium connectors](/power-automate/triggers-introduction#licensing-for-premium-connectors). - ## Usage example The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant. You'll be guided on defining what event starts the flow and what next action will be taken when that trigger occurs.
The following example demonstrates how to create a Flow that is triggered any ti
2. Go to **My flows** \> **New** \> **Automated-from blank**.
- :::image type="content" alt-text="Image of edit credentials2." source="images/api-flow-1.png":::
+ :::image type="content" source="images/api-flow-1.png" alt-text="The New flow pane under My flows menu item in the Microsoft Defender 365 portal" lightbox="images/api-flow-1.png":::
3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.
- :::image type="content" alt-text="Image of edit credentials3." source="images/api-flow-2.png":::
+ :::image type="content" source="images/api-flow-2.png" alt-text=" The Choose your flow's trigger section in the Microsoft Defender 365 portal" lightbox="images/api-flow-2.png" :::
Now you have a Flow that is triggered every time a new Alert occurs. All you need to do now is choose your next steps. For example, you can isolate the device if the Severity of the Alert is High and send an email about it.
The Alert trigger provides only the Alert ID and the Machine ID. You can use the
3. Set the **Alert ID** from the last step as **Input**.
- :::image type="content" alt-text="Image of edit credentials5." source="images/api-flow-4.png" lightbox="images/api-flow-4.png":::
+ :::image type="content" source="images/api-flow-4.png" alt-text="The Alerts pane" lightbox="images/api-flow-4.png":::
### Isolate the device if the Alert's severity is High
The Alert trigger provides only the Alert ID and the Machine ID. You can use the
If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.
- :::image type="content" alt-text="Image of edit credentials6." source="images/api-flow-5.png" lightbox="images/api-flow-5.png":::
+ :::image type="content" source="images/api-flow-5.png" alt-text="The Actions pane" lightbox="images/api-flow-5.png":::
3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
security Api Power Bi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-power-bi.md
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-In this section you will learn create a Power BI report on top of Defender for Endpoint APIs.
+In this section you will learn to create a Power BI report on top of Defender for Endpoint APIs.
The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts. ## Connect Power BI to Advanced Hunting API -- Open Microsoft Power BI
+- Open Microsoft Power BI.
-- Click **Get Data** \> **Blank Query**
+- Click **Get Data** \> **Blank Query**.
- ![Image of create blank query.](images/power-bi-create-blank-query.png)
+ :::image type="content" source="images/power-bi-create-blank-query.png" alt-text="The Blank Query option under the Get Data menu item" lightbox="images/power-bi-create-blank-query.png":::
-- Click **Advanced Editor**
+- Click **Advanced Editor**.
- ![Image of open advanced editor.](images/power-bi-open-advanced-editor.png)
+ :::image type="content" source="images/power-bi-open-advanced-editor.png" alt-text="The Advanced Editor menu item" lightbox="images/power-bi-open-advanced-editor.png":::
- Copy the below and paste it in the editor:
The first example demonstrates how to connect Power BI to Advanced Hunting API a
in Table ``` -- Click **Done**
+- Click **Done**.
-- Click **Edit Credentials**
+- Click **Edit Credentials**.
- ![Image of edit credentials0.](images/power-bi-edit-credentials.png)
+ :::image type="content" source="images/power-bi-edit-credentials.png" alt-text="The Edit Credentials menu item" lightbox="images/power-bi-edit-credentials.png":::
+
-- Select **Organizational account** \> **Sign in**
+- Select **Organizational account** \> **Sign in**.
- ![Image of set credentials1.](images/power-bi-set-credentials-organizational.png)
+ :::image type="content" source="images/power-bi-set-credentials-organizational.png" alt-text="The Sign in option in the Organizational account menu item" lightbox="images/power-bi-set-credentials-organizational.png":::
-- Enter your credentials and wait to be signed in
+- Enter your credentials and wait to be signed in.
-- Click **Connect**
+- Click **Connect**.
- ![Image of set credentials2.](images/power-bi-set-credentials-organizational-cont.png)
+ :::image type="content" source="images/power-bi-set-credentials-organizational-cont.png" alt-text="The sign-in confirmation message in the Organizational account menu item" lightbox="images/power-bi-set-credentials-organizational-cont.png":::
-- Now the results of your query will appear as table and you can start build visualizations on top of it!
+- Now the results of your query will appear as a table and you can start to build visualizations on top of it!
- You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would like.
The first example demonstrates how to connect Power BI to Advanced Hunting API a
``` - You can do the same for **Alerts** and **Machines**.-- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md)
+- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md).
## Power BI dashboard samples in GitHub
security Attack Surface Reduction Rules Deployment Implement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement.md
Last updated 1/18/2022
Implementing attack surface reduction (ASR) rules moves the first test ring into an enabled, functional state. > [!div class="mx-imgBorder"]
-> ![ASR rules implementation steps](images/asr-rules-implementation-steps.png)
+> :::image type="content" source="images/asr-rules-implementation-steps.png" alt-text="The procedure to implement ASR rules" lightbox="images/asr-rules-implementation-steps.png":::
+
## Step 1: Transition ASR Rules from Audit to Block
security Attack Surface Reduction Rules Deployment Operationalize https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md
Consistent, regular review of reports is an essential aspect of maintaining your
One of the most powerful features of [Microsoft 365 Defender](https://security.microsoft.com) is advanced hunting. If you're not familiar with advanced hunting, see: [Proactively hunt for threats with advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). > [!div class="mx-imgBorder"]
-> ![Microsoft 365 Defender Advanced hunting](images/asr-defender365-advanced-hunting2.png)
+> :::image type="content" source="images/asr-defender365-advanced-hunting2.png" alt-text="The Advanced Hunting page in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting2.png":::
Advanced hunting is a query-based (Kusto Query Language) threat-hunting tool that lets you explore up to 30 days of the captured (raw) data that Microsoft Defender ATP Endpoint Detection and Response (EDR) collects from all your machines. Through advanced hunting, you can proactively inspect events in order to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
Through advanced hunting, it is possible to extract ASR rules information, creat
ASR events shown in the advancing hunting portal are throttled to unique processes seen every hour. The time of the ASR event is the first time the event is seen within that hour. > [!div class="mx-imgBorder"]
-> ![Microsoft 365 Defender Advanced hunting query command line](images/asr-defender365-advanced-hunting3.png)
+> :::image type="content" source="images/asr-defender365-advanced-hunting3.png" alt-text="The Advanced hunting query command line in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting3.png":::
> [!div class="mx-imgBorder"]
-> ![Microsoft 365 Defender Advanced hunting query results](images/asr-defender365-advanced-hunting4.png)
+> :::image type="content" source="images/asr-defender365-advanced-hunting4.png" alt-text="The Advanced hunting query results in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting4.png":::
The above shows that 187 events were registered for AsrLsassCredentialTheft:
The above shows that 187 events were registered for AsrLsassCredentialTheft:
If you want to focus on the AsrOfficeChildProcess rule and get details on the actual files and processes involved, change the filter for ActionType and replace the summarize line with a projection of the wanted fields (in this case they are DeviceName, FileName, FolderPath, etc.). > [!div class="mx-imgBorder"]
-> ![Microsoft 365 Defender Advanced hunting query focused](images/asr-defender365-advanced-hunting4b.png)
+> :::image type="content" source="images/asr-defender365-advanced-hunting4b.png" alt-text="The Advanced hunting query focused example in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting4b.png":::
> [!div class="mx-imgBorder"]
-> ![Microsoft 365 Defender Advanced hunting query focused results](images/asr-defender365-advanced-hunting5b.png)
+> :::image type="content" source="images/asr-defender365-advanced-hunting5b.png" alt-text="The Advanced hunting query focused results in the Microsoft 365 Defender portal" lightbox="images/asr-defender365-advanced-hunting5b.png":::
The true benefit of advanced hunting is that you can shape the queries to your liking. By shaping your query you can see the exact story of what was happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.
security Attack Surface Reduction Rules Deployment Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan.md
Last updated 1/18/2022
When testing attack surface reduction (ASR) rules it is important to start with the right business unit. YouΓÇÖll want to start with a small group of people in a specific business unit. You can identify some ASR champions within a particular business unit who can provide real-world impact about the ASR rules, and help you tune your implementation. > [!div class="mx-imgBorder"]
-> ![ASR rules planning steps](images/asr-rules-planning-steps.png)
+> :::image type="content" source="images/asr-rules-planning-steps.png" alt-text="The ASR rules planning steps" lightbox="images/asr-rules-planning-steps.png":::
## Start with the right business unit
security Attack Surface Reduction Rules Deployment Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test.md
Testing attack surface reduction (ASR) rules helps you determine if rules will i
Begin your attack surface reduction(ASR) rules deployment with ring 1. > [!div class="mx-imgBorder"]
-> ![ASR rules testing steps](images/asr-rules-testing-steps.png)
+> :::image type="content" source="images/asr-rules-testing-steps.png" alt-text="The ASR rules testing steps" lightbox="images/asr-rules-testing-steps.png":::
+
## Step 1: Test ASR rules using Audit
Begin the testing phase by turning on the ASR rules with the rules set to Audit,
You can use Microsoft Endpoint Manager (MEM) Endpoint Security to configure custom ASR rules.
-1. Open [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#home)
+1. Open [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/#home).
2. Go to **Endpoint Security** > **Attack surface reduction**. 3. Select **Create Policy**. 4. In **Platform**, select **Windows 10 and later**, and in **Profile**, select **Attack surface reduction rules**. > [!div class="mx-imgBorder"]
- > ![Configure ASR rules profile](images/asr-mem-create-profile.png)
+ > :::image type="content" source="images/asr-mem-create-profile.png" alt-text="The profile creation page for ASR rules" lightbox="images/asr-mem-create-profile.png":::
5. Click **Create**. 6. In the **Basics** tab of the **Create profile** pane, in **Name** add a name for your policy. In **Description** add a description for your ASR rules policy. 7. In the **Configuration settings** tab, under **Attack Surface Reduction Rules**, set all rules to **Audit mode**. > [!div class="mx-imgBorder"]
- > ![Set ASR rules to Audit mode](images/asr-mem-configuration-settings.png)
+ > :::image type="content" source="images/asr-mem-configuration-settings.png" alt-text="The configuration of ASR rules to Audit mode" lightbox="images/asr-mem-configuration-settings.png":::
>[!Note] >There are variations in some ASR rules mode listings; _Blocked_ and _Enabled_ provide the same functionality.
You can use Microsoft Endpoint Manager (MEM) Endpoint Security to configure cust
10. Review your settings in the **Review + create** pane. Click **Create** to apply the rules. > [!div class="mx-imgBorder"]
- > ![Activate ASR rules policy](images/asr-mem-review-create.png)
+ > :::image type="content" source="images/asr-mem-review-create.png" alt-text="The Create profile page" lightbox="images/asr-mem-review-create.png":::
Your new attack surface reduction policy for ASR rules is listed in **Endpoint security | Attack surface reduction**. > [!div class="mx-imgBorder"]
- > ![Listed ASR rule policy](images/asr-mem-my-asr-rules.png)
+ > :::image type="content" source="images/asr-mem-my-asr-rules.png" alt-text=" The Attack surface reduction page" lightbox="images/asr-mem-my-asr-rules.png":::
## Step 2: Understand the Attack surface reduction rules reporting page in the Microsoft 365 Defender portal
-The ASR rules reporting page is found in **Microsoft 365 Defender portal** > **Reports** > **Attack surface reduction rules**. This page has three tabs:
+The ASR rules reporting page is found in **Microsoft 365 Defender portal** > **Reports** > **Attack surface reduction rules**. This page has three tabs:
- Detections - Configuration
The ASR rules reporting page is found in **Microsoft 365 Defender portal** > **
Provides a 30-day timeline of detected audit and blocked events. > [!div class="mx-imgBorder"]
-> ![Attack surface reduction rules detections tab](images/asr-defender365-01.png)
+> :::image type="content" source="images/asr-defender365-01.png" alt-text="The Attack surface reduction rules detections tab" lightbox="images/asr-defender365-01.png":::
The Attack Surface reduction rules pane provides an overview of detected events on a per-rule basis.
The Attack Surface reduction rules pane provides an overview of detected events
>There are some variations in ASR rules reports. Microsoft is in the process of updating the behavior of the ASR rules reports to provide a consistent experience. > [!div class="mx-imgBorder"]
-> ![Attack surface reduction rules rule detections](images/asr-defender365-01b.png)
+> :::image type="content" source="images/asr-defender365-01b.png" alt-text="The Attack surface reduction rules page" lightbox="images/asr-defender365-01b.png":::
Click **View detections** to open the **Detections** tab. > [!div class="mx-imgBorder"]
-> ![Attack surface reduction rules detections](images/asr-defender365-reports-detections.png)
+> :::image type="content" source="images/asr-defender365-reports-detections.png" alt-text="The Attack surface reduction rules detections" lightbox="images/asr-defender365-reports-detections.png":::
The **GroupBy** and **Filter** pane provide the following options:
The **GroupBy** returns results set to the following groups:
- Publisher > [!div class="mx-imgBorder"]
-> ![Attack surface reduction rules detections GroupBy filter](images/asr-defender365-reports-detections.png)
+> :::image type="content" source="images/asr-defender365-reports-detections.png" alt-text="The Attack surface reduction rules detections GroupBy filter" lightbox="images/asr-defender365-reports-detections.png":::
**Filter** opens the **Filter on rules** page, which enables you to scope the results to only the selected ASR rules: > [!div class="mx-imgBorder"]
-> ![Attack surface reduction rules detections filter on rules](images/asr-defender365-filter.png)
+> :::image type="content" source="images/asr-defender365-filter.png" alt-text="The Attack surface reduction rules detections filter on rules" lightbox="images/asr-defender365-filter.png":::
>[!Note] >If you have a Microsoft Microsoft 365 Security E5 or A5, Windows E5 or A5 license, the following link opens the Microsoft Defender 365 Reports > [Attack surface reductions](https://security.microsoft.com/asr?viewid=detections) > Detections tab. ### Configuration tab
-Lists ΓÇô on a per-computer basis ΓÇô the aggregate state of ASR rules: Off, Audit, Block.
+ListsΓÇöon a per-computer basisΓÇöthe aggregate state of ASR rules: Off, Audit, Block.
> [!div class="mx-imgBorder"]
-> ![Attack surface reduction rules Configuration tab](images/asr-defender365-configurations.png)
+> :::image type="content" source="images/asr-defender365-configurations.png" alt-text="The Attack surface reduction rules Configuration tab and an entry in its page" lightbox="images/asr-defender365-configurations.png":::
-On the Configurations tab, you can check ΓÇô on a per-device basis ΓÇô which ASR rules are enabled, and in which mode, by selecting the device for which you want to review ASR rules.
+On the Configurations tab, you can checkΓÇöon a per-device basisΓÇöwhich ASR rules are enabled, and in which mode, by selecting the device for which you want to review ASR rules.
> [!div class="mx-imgBorder"]
-> ![Attack surface reduction rules enabled and mode](images/asr-defender365-configurations.settings.png)
+> :::image type="content" source="images/asr-defender365-configurations.settings.png" alt-text="The Attack surface reduction rules enabled and mode" lightbox="images/asr-defender365-configurations.settings.png":::
The **Get started** link opens the Microsoft Endpoint Manager admin center, where you can create or modify an endpoint protection policy for ASR: > [!div class="mx-imgBorder"]
-> ![Attack surface reduction rules in MEM](images/asr-defender365-05b-mem1.png)
+> :::image type="content" source="images/asr-defender365-05b-mem1.png" alt-text="The *Endpoint security menu item on the Overview page" lightbox="images/asr-defender365-05b-mem1.png":::
In Endpoint security | Overview, select **Attack surface reduction**: > [!div class="mx-imgBorder"]
-> ![Attack surface reduction in MEM](images/asr-defender365-05b-mem2.png)
+> :::image type="content" source="images/asr-defender365-05b-mem2.png" alt-text="The Attack surface reduction in MEM" lightbox="images/asr-defender365-05b-mem2.png":::
The Endpoint Security | Attack surface reduction pane opens: > [!div class="mx-imgBorder"]
-> ![Endpoint security Asr pane](images/asr-defender365-05b-mem3.png)
+> :::image type="content" source="images/asr-defender365-05b-mem3.png" alt-text="The Endpoint security Attack surface reduction pane" lightbox="images/asr-defender365-05b-mem3.png":::
>[!Note] >If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Configurations](https://security.microsoft.com/asr?viewid=configuration) tab.
This tab provides a method to select detected entities (for example, false posit
> Microsoft Defender Antivirus AV exclusions are honored by ASR rules. See [Configure and validate exclusions based on extension, name, or location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). > [!div class="mx-imgBorder"]
-> ![Endpoint security Asr tool](Images/asr-defender365-06d.png)
+> :::image type="content" source="Images/asr-defender365-06d.png" alt-text="The pane for exclusion of the detected file" lightbox="Images/asr-defender365-06d.png":::
> [!Note] >If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Exclusions](https://security.microsoft.com/asr?viewid=exclusions) tab.
security Attack Surface Reduction Rules Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment.md
Some rules donΓÇÖt work well if un-signed, internally developed application and
As with any new, wide-scale implementation which could potentially impact your line-of-business operations, it is important to be methodical in your planning and implementation. Because of the powerful capabilities of ASR rules in preventing malware, careful planning and deployment of these rules is necessary to ensure they work best for your unique customer workflows. To work in your environment, you need to plan, test, implement, and operationalize ASR rules carefully. > [!div class="mx-imgBorder"]
-> ![ASR rules deployment phases](images/asr-rules-deployment-phases.png)
+> :::image type="content" source="images/asr-rules-deployment-phases.png" alt-text="The ASR rules deployment phases" lightbox="images/asr-rules-deployment-phases.png":::
>[!Note] >For Customers who are using a non-Microsoft HIPS and are transitioning to Microsoft Defender for Endpoint attack surface reduction rules:
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
For more information about configuring attack surface reduction rules, see [Enab
You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](/windows/security/threat-protection/#tvm). In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity.
security Auto Investigation Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/auto-investigation-action-center.md
During and after an automated investigation, remediation actions for threat dete
We are pleased to announce a new, unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center))! The following table compares the new, unified Action center to the previous Action center.
The following table compares the new, unified Action center to the previous Acti
||| |Lists pending and completed actions for devices and email in one location <br/>([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) plus [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp))|Lists pending and completed actions for devices <br/> ([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) only) | |Is located at:<br/>[https://security.microsoft.com/action-center](https://security.microsoft.com/action-center) |Is located at:<br/>[https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center) |
-| In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, choose **Action center**. <p>:::image type="content" source="images/action-center-nav-new.png" alt-text="Navigating to the Action Center in the Microsoft 365 Defender portal."::: | In the Microsoft 365 Defender portal, choose **Automated investigations** > **Action center**. <p>:::image type="content" source="images/action-center-nav-old.png" alt-text="Navigating to the Action center from the Microsoft 365 Defender portal."::: |
+| In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, choose **Action center**. <p>:::image type="content" source="images/action-center-nav-new.png" alt-text="The navigation pane to the Action Center in the Microsoft 365 Defender portal" lightbox="images/action-center-nav-new.png"::: | In the Microsoft 365 Defender portal, choose **Automated investigations** > **Action center**. <p>:::image type="content" source="images/action-center-nav-old.png" alt-text="An older version of the navigation pane to the Action Center in the Microsoft 365 Defender portal" lightbox="images/action-center-nav-old.png"::: |
The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience.
When you visit the Action center, you see two tabs: **Pending actions** and **Hi
You can customize, sort, filter, and export data in the Action center. - Select a column heading to sort items in ascending or descending order. - Use the time period filter to view data for the past day, week, 30 days, or 6 months.
security Behavioral Blocking Containment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md
Title: Behavioral blocking and containment
-description: Learn about behavioral blocking and containment capabilities in Microsoft Defender for Endpoint
+description: Learn about behavioral blocking and containment capabilities at Microsoft Defender for Endpoint
keywords: Microsoft Defender for Endpoint, EDR in block mode, passive mode blocking ms.pagetype: security
Today's threat landscape is overrun by [fileless malware](/windows/security/thre
Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities. Behavioral blocking and containment capabilities work with multiple components and features of Defender for Endpoint to stop attacks immediately and prevent attacks from progressing.
With these capabilities, more threats can be prevented or blocked, even if they
The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities: ## Components of behavioral blocking and containment
The following image shows an example of an alert that was triggered by behaviora
- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus isn't the primary antivirus solution. (EDR in block mode isn't enabled by default; you turn it on in Microsoft 365 Defender.)
+- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus isn't the primary antivirus solution. (EDR in block mode isn't enabled by default; you turn it on at Microsoft 365 Defender.)
Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
Below are two real-life examples of behavioral blocking and containment in actio
As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user's device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
-Behavior-based device learning models in Defender for Endpoint caught and stopped the attacker's techniques at two points in the attack chain:
+Behavior-based device-learning models in Defender for Endpoint caught and stopped the attacker's techniques at two points in the attack chain:
-- The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
+- The first protection layer detected the exploit behavior. Device-learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot). While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender).
-This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
+This example shows how behavior-based device-learning models in the cloud add new layers of protection against attacks, even after they have started running.
### Example 2: NTLM relay - Juicy Potato malware variant As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called "Possible privilege escalation using NTLM relay" was triggered. The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device. Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image: A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing more attackers or other malware from deploying on the device.
security Check Sensor Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md
Title: Check the health state of the sensor in Microsoft Defender for Endpoint
+ Title: Check the health state of the sensor at Microsoft Defender for Endpoint
description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or aren't reporting sensor data. keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication ms.prod: m365-security
Last updated 04/24/2018
ms.technology: mde
-# Check sensor health state in Microsoft Defender for Endpoint
+# Check sensor health state at Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
There are two status indicators on the tile that provide information on the numb
Clicking any of the groups directs you to **Devices list**, filtered according to your choice.
-![Screenshot of Devices with sensor issues tile.](images/atp-devices-with-sensor-issues-tile.png)
On **Devices list**, you can filter the health state list by the following status:
You can also download the entire list in CSV format using the **Export** feature
> [!NOTE] > Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
-![Screenshot of Devices list page.](images/atp-devices-list-page.png)
You can view the device details when you click on a misconfigured or inactive device.
security Client Behavioral Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md
Title: Client behavioral blocking
-description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint
+description: Client behavioral blocking is part of behavioral blocking and containment capabilities at Microsoft Defender for Endpoint
keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender for Endpoint ms.pagetype: security
ms.technology: mde
Client behavioral blocking is a component of [behavioral blocking and containment capabilities](behavioral-blocking-containment.md) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. Antivirus protection works best when paired with cloud protection.
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
Title: Cloud protection and sample submission in Microsoft Defender Antivirus
+ Title: Cloud protection and sample submission at Microsoft Defender Antivirus
description: Learn about cloud-delivered protection and Microsoft Defender Antivirus keywords: Microsoft Defender Antivirus, next-generation technologies, antivirus sample submission, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection ms.prod: m365-security
Last updated 02/24/2022
-# Cloud protection and sample submission in Microsoft Defender Antivirus
+# Cloud protection and sample submission at Microsoft Defender Antivirus
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Antivirus uses many intelligent mechanisms for detecting malw
If a suspicious or malicious file is detected, a sample is sent to the cloud service for analysis while Microsoft Defender Antivirus blocks the file. As soon as a determination is made, which happens quickly, the file is either released or blocked by Microsoft Defender Antivirus.
-This article provides an overview of cloud protection and automatic sample submission in Microsoft Defender Antivirus. To learn more about cloud protection, see [Cloud protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md).
+This article provides an overview of cloud protection and automatic sample submission at Microsoft Defender Antivirus. To learn more about cloud protection, see [Cloud protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md).
## How cloud protection and sample submission work together
-To understand how cloud protection works together with sample submission, it can be helpful to understand how Defender for Endpoint protects against threats. The Microsoft Intelligent Security Graph monitors threat data from a vast network of sensors. Microsoft layers cloud-based machine learning models that can assess files based on signals from the client and the vast network of sensors and data in the Intelligent Security Graph. This approach gives Defender for Endpoint the ability to block many never-before-seen threats.
+To understand how cloud protection works together with sample submission, it can be helpful to understand how Defender for Endpoint protects against threats. The Microsoft Intelligent Security Graph monitors threat data from a vast network of sensors. Microsoft layers cloud-based machine-learning models that can assess files based on signals from the client and the vast network of sensors and data in the Intelligent Security Graph. This approach gives Defender for Endpoint the ability to block many never-before-seen threats.
The following image depicts the flow of cloud protection and sample submission with Microsoft Defender Antivirus: Microsoft Defender Antivirus and cloud protection automatically block most new, never-before-seen threats at first sight by using the following methods:
-1. Lightweight client-based machine learning models, blocking new and unknown malware.
+1. Lightweight client-based machine-learning models, blocking new and unknown malware.
2. Local behavioral analysis, stopping file-based and file-less attacks.
Microsoft Defender Antivirus and cloud protection automatically block most new,
- "Do not send" is the equivalent to the "Disabled" setting in macOS policy - Metadata is sent for detections even when sample submission is disabled
- 3. After metadata and/or files are submitted to cloud protection, you can use **samples**, **detonation**, or **big data analysis** machine learning models to reach a verdict. Turning off cloud-delivered protection will limit analysis to only what the client can provide through local machine learning models, and similar functions.
+ 3. After metadata and/or files are submitted to cloud protection, you can use **samples**, **detonation**, or **big data analysis** machine-learning models to reach a verdict. Turning off cloud-delivered protection will limit analysis to only what the client can provide through local machine-learning models, and similar functions.
> [!IMPORTANT] > [Block at first sight (BAFS)](configure-block-at-first-sight-microsoft-defender-antivirus.md) provides detonation and analysis to determine whether a file or process is safe. BAFS can delay the opening of a file momentarily until a verdict is reached. If you disable sample submission, BAFS is also disabled, and file analysis is limited to metadata only. We recommend keeping sample submission and BAFS enabled. To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight) ## Cloud protection levels
-Cloud protection is enabled by default in Microsoft Defender Antivirus. We recommend that you keep cloud protection enabled, although you can configure the protection level for your organization. See [Specify the cloud-delivered protection level for Microsoft Defender Antivirus](specify-cloud-protection-level-microsoft-defender-antivirus.md).
+Cloud protection is enabled by default at Microsoft Defender Antivirus. We recommend that you keep cloud protection enabled, although you can configure the protection level for your organization. See [Specify the cloud-delivered protection level for Microsoft Defender Antivirus](specify-cloud-protection-level-microsoft-defender-antivirus.md).
## Sample submission settings
In addition to configuring your cloud protection level, you can configure your s
- **Send all samples automatically** - **Do not send samples**
-For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud protection in Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md).
+For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud protection at Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md).
## Examples of metadata sent to the cloud protection service The following table lists examples of metadata sent for analysis by cloud protection:
In addition, Defender for Endpoint has received multiple compliance certificatio
- ISO 27001 - ISO 27018 - SOC I, II, III-- and PCI
+- PCI
For more information, see the following resources:
For more information, see the following resources:
## Other file sample submission scenarios
-There are two more scenarios where Defender for Endpoint might request a file sample that is not related to the cloud protection in Microsoft Defender Antivirus. These scenarios are described in the following table:
+There are two more scenarios where Defender for Endpoint might request a file sample that is not related to the cloud protection at Microsoft Defender Antivirus. These scenarios are described in the following table:
| Scenario | Description | |:|:|
security Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md
Next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To identify new threats dynamically, next-generation technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. Cloud protection works together with Microsoft Defender Antivirus to deliver accurate, real-time, and intelligent protection.
-[:::image type="content" source="images/mde-cloud-protection.png" alt-text="Diagram showing how cloud protection works together with Microsoft Defender Antivirus":::](enable-cloud-protection-microsoft-defender-antivirus.md)
+[:::image type="content" source="images/mde-cloud-protection.png" alt-text="Diagram showing how cloud protection works together with Microsoft Defender Antivirus" lightbox="images/mde-cloud-protection.png":::](enable-cloud-protection-microsoft-defender-antivirus.md)
> [!TIP] > We recommend keeping cloud protection turned on. To learn more, see [Why cloud protection should be enabled for Microsoft Defender Antivirus](why-cloud-protection-should-be-on-mdav.md).
security Collect Diagnostic Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md
You can also specify where the diagnostic .cab file will be created using a Grou
2. Select **Define the directory path to copy support log files**.
- ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)
+ :::image type="content" source="images/GPO1-SupportLogLocationDefender.png" alt-text="The local group policy editor" lightbox="images/GPO1-SupportLogLocationDefender.png":::
- ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)
+ :::image type="content" source="images/GPO2-SupportLogLocationGPPage.png" alt-text="The define path for log files setting" lightbox="images/GPO2-SupportLogLocationGPPage.png":::
- ![Screenshot of local group policy editor.](images/GPO1-SupportLogLocationDefender.png)
+ :::image type="content" source="images/GPO1-SupportLogLocationDefender.png" alt-text="The local group policy editor" lightbox="images/GPO1-SupportLogLocationDefender.png":::
- ![Screenshot of define path for log files setting.](images/GPO2-SupportLogLocationGPPage.png)
+ :::image type="content" source="images/GPO2-SupportLogLocationGPPage.png" alt-text="The define path for configuring the log files setting" lightbox="images/GPO2-SupportLogLocationGPPage.png":::
+
3. Inside the policy editor, select **Enabled**. 4. Specify the directory path where you want to copy the support log files in the **Options** field.
- ![Screenshot of Enabled directory path custom setting.](images/GPO3-SupportLogLocationGPPageEnabledExample.png)
+ :::image type="content" source="images/GPO3-SupportLogLocationGPPageEnabledExample.png" alt-text="The Enabled directory path custom setting" lightbox="images/GPO3-SupportLogLocationGPPageEnabledExample.png":::
5. Select **OK** or **Apply**. ## See also
security Configure Block At First Sight Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md
When Microsoft Defender Antivirus encounters a suspicious but undetected file, i
Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection.
-![List of Microsoft Defender AV engines.](images/microsoft-defender-atp-next-generation-protection-engines.png)
> [!TIP] > To learn more, see [(Blog) Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
Microsoft Defender Antivirus uses multiple detection and prevention technologies
- **Time extension for file scanning by the cloud**: 50 - **Prompt users before sample submission**: Send all data without prompting
- :::image type="content" source="../../media/intune-block-at-first-sight.png" alt-text="Intune config block at first sight.":::
+ :::image type="content" source="../../media/intune-block-at-first-sight.png" alt-text="Intune config block at first sight" lightbox="../../media/intune-block-at-first-sight.png":::
4. Save your settings.
Microsoft Defender Antivirus uses multiple detection and prevention technologies
- **Cloud-delivered protection level**: High - **Microsoft Defender Antivirus Extended Timeout in Seconds**: 50
- :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager.":::
+ :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in the Microsoft Endpoint Manager portal" lightbox="images/endpointmgr-antivirus-cloudprotection.png":::
4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**.
You can confirm that block at first sight is enabled on individual client device
2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.
- :::image type="content" source="../../media/wdav-protection-settings-wdsc.png" alt-text="Screenshot of the Virus & threat protection settings label in the Windows Security app":::
+ :::image type="content" source="../../media/wdav-protection-settings-wdsc.png" alt-text="The Virus & threat protection settings label in the Windows Security app" lightbox="../../media/wdav-protection-settings-wdsc.png":::
3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
Get the current list of attack surface reduction rules GUIDs from [Attack surfac
This will set each up for audit only.
- ![Image of attack surface reduction configuration.](images/asr-guid.png)
+ :::image type="content" source="images/asr-guid.png" alt-text="The Attack surface reduction configuration" lightbox="images/asr-guid.png":::
Policy|Location|Setting ||
Create a new Group Policy or group these settings in with the other policies. Th
2. Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Real-time Protection**.
- :::image type="content" source="images/realtime-protect.png" alt-text="real time protection.":::
+ :::image type="content" source="images/realtime-protect.png" alt-text="Real-time protection" lightbox="images/realtime-protect.png":::
1. In the Quarantine folder, configure removal of items from Quarantine folder.
- :::image type="content" source="images/removal-items-quarantine1.png" alt-text="removal items quarantine folder.":::
+ :::image type="content" source="images/removal-items-quarantine1.png" alt-text="Removal items quarantine folder" lightbox="images/removal-items-quarantine1.png":::
- :::image type="content" source="images/config-removal-items-quarantine2.png" alt-text="config-removal quarantine.":::
+ :::image type="content" source="images/config-removal-items-quarantine2.png" alt-text="config-removal quarantine" lightbox="images/config-removal-items-quarantine2.png":::
4. In the Scan folder, configure the scan settings.
- :::image type="content" source="images/gpo-scans.png" alt-text="gpo scans.":::
+ :::image type="content" source="images/gpo-scans.png" alt-text="gpo scans" lightbox="images/gpo-scans.png":::
### Monitor all files in Real time protection Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Real-time Protection**.
- Since the value for "Scan incoming and outgoing files" (default) is 0, the group policy for the "Configure monitoring for incoming and outgoing file and program activity" for "bi-directional (full on-access)" setting changes to disabled.
- ### Configure Windows Defender SmartScreen settings 1. Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Windows Defender SmartScreen** \> **Explorer**.
- :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="config windows defender smart screen explorer.":::
+ :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="Configure windows defender smart screen explorer" lightbox="images/config-windows-def-smartscr-explorer.png":::
2. Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Defender SmartScreen** > **Microsoft Edge**.
- :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="config windows defender smart screen Edge.":::
+ :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="Configure windows defender smart screen Edge" lightbox="images/config-windows-def-smartscr-explorer.png":::
### Configure Potentially Unwanted Applications Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus**. ### Configure Cloud Deliver Protection and send samples automatically Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **MAPS**. > [!NOTE] > The **Send all samples** option will provide the most analysis of binaries/scripts/docs which increases security posture.
For more information, see [Turn on cloud protection in Microsoft Defender Antivi
Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**. ### Configure cloud deliver timeout and protection level Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **MpEngine**. When you configure cloud protection level policy to **Default Microsoft Defender Antivirus blocking policy** this will disable the policy. This is what is required to set the protection level to the windows default. ## Related topics - [Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
security Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md
If you're using System Center 2012 R2 Configuration Manager, monitoring consists
If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md).
- ![Configuration Manager showing successful deployment with no errors.](images/sccm-deployment.png)
+ :::image type="content" source="images/sccm-deployment.png" alt-text="The Configuration Manager showing successful deployment with no errors" lightbox="images/sccm-deployment.png":::
### Check that the devices are compliant with the Microsoft Defender for Endpoint service
security Configure Endpoints Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md
Check out the [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-
1. Go to **Start** and type **cmd**. 2. Right-click **Command prompt** and select **Run as administrator**.
- ![Window Start menu pointing to Run as administrator.](images/run-as-admin.png)
+ :::image type="content" source="images/run-as-admin.png" alt-text="The Window Start menu pointing to Run as administrator" lightbox="images/run-as-admin.png":::
4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd*
For security reasons, the package used to Offboard devices will expire 30 days a
1. Go to **Start** and type **cmd**. 2. Right-click **Command prompt** and select **Run as administrator**.
- ![Window Start menu pointing to Run as administrator.](images/run-as-admin.png)
+ :::image type="content" source="images/run-as-admin.png" alt-text="The Windows Start menu pointing to the Run as administrator option" lightbox="images/run-as-admin.png":::
4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
security Configure Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints.md
Devices in your organization must be configured so that the Defender for Endpoin
In general, you'll identify the Windows device you're onboarding, then follow the corresponding tool appropriate to the device or your environment.
-![Image of onboarding tools and methods](images/onboarding-config-tools.png)
## Endpoint onboarding tools
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
Get-MpPreference
In the following example, the items contained in the `ExclusionExtension` list are highlighted: For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender Antivirus cmdlets](/powershell/module/defender/).
$WDAVprefs.ExclusionPath
In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet: For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender Antivirus cmdlets](/powershell/module/defender/).
security Configure Machines Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md
ms.technology: mde
[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives. <br> *Attack surface management card*
The *Attack surface management card* is an entry point to tools in <a href="http
Select **Go to attack surface management** \> **Reports** \> **Attack surface reduction rules** \> **Add exclusions**. From there, you can navigate to other sections of Microsoft 365 Defender portal.
-![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 Defender portal.](images/secconmgmt_asr_m365exlusions.png)<br>
The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 Defender portal* > [!NOTE]
security Configure Machines Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md
Before you can track and manage onboarding of devices:
The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows devices.
-![Device configuration management Onboarding card.](images/secconmgmt_onboarding_card.png)
*Card showing onboarded devices compared to the total number of Intune-managed Windows device*
Defender for Endpoint provides several convenient options for [onboarding Window
From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
-![Microsoft Defender for Endpoint device compliance page on Intune device management.](images/secconmgmt_onboarding_1deviceconfprofile.png)
*Microsoft Defender for Endpoint device compliance page on Intune device management*
security Configure Machines Security Baseline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-security-baseline.md
Ideally, devices onboarded to Defender for Endpoint are deployed both baselines:
The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 and Windows 11 devices that have been assigned the Defender for Endpoint security baseline.
-![Security baseline card.](images/secconmgmt_baseline_card.png)
*Card showing compliance to the Defender for Endpoint security baseline*
Device configuration management monitors baseline compliance only of Windows 10
2. Create a new profile.
- ![Microsoft Defender for Endpoint security baseline overview on Intune.](images/secconmgmt_baseline_intuneprofile1.png)<br>
+ :::image type="content" source="images/secconmgmt_baseline_intuneprofile1.png" alt-text="The Create profile tab in the Microsoft Defender for Endpoint security baseline overview on Intune" lightbox="images/secconmgmt_baseline_intuneprofile1.png":::<br>
*Microsoft Defender for Endpoint security baseline overview on Intune* 3. During profile creation, you can review and adjust specific settings on the baseline.
- ![Security baseline options during profile creation on Intune.](images/secconmgmt_baseline_intuneprofile2.png)<br>
+ :::image type="content" source="images/secconmgmt_baseline_intuneprofile2.png" alt-text="The Security baseline options during profile creation on Intune" lightbox="images/secconmgmt_baseline_intuneprofile2.png":::<br>
*Security baseline options during profile creation on Intune* 4. Assign the profile to the appropriate device group.
- ![Security baseline profiles on Intune.](images/secconmgmt_baseline_intuneprofile3.png)<br>
+ :::image type="content" source="images/secconmgmt_baseline_intuneprofile3.png" alt-text="The Security baseline profiles on Intune" lightbox="images/secconmgmt_baseline_intuneprofile3.png":::<br>
*Assigning the security baseline profile on Intune* 5. Create the profile to save it and deploy it to the assigned device group.
- ![Assigning the security baseline on Intune.](images/secconmgmt_baseline_intuneprofile4.png)<br>
+ :::image type="content" source="images/secconmgmt_baseline_intuneprofile4.png" alt-text="Assigning the security baseline on Intune" lightbox="images/secconmgmt_baseline_intuneprofile4.png":::<br>
*Creating the security baseline profile on Intune* > [!TIP]
security Configure Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines.md
With properly configured devices, you can boost overall resilience against threa
Click **Configuration management** from the navigation menu to open the Device configuration management page.
-![Security configuration management page.](images/secconmgmt_main.png)
*Device configuration management page*
If you have been assigned other roles, ensure you have the necessary permissions
- Read permissions to device compliance policies - Read permissions to the organization
-![Required permissions on intune.](images/secconmgmt_intune_permissions.png)
*Device configuration permissions on Intune*
security Configure Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts.md
If you're already a Defender for Endpoint customer, you can apply through the Mi
2. Click **Apply**.
- ![Image of Microsoft Threat Experts settings.](images/mte-collaboratewithmte.png)
+ :::image type="content" source="images/mte-collaboratewithmte.png" alt-text="The Microsoft Threat Experts settings" lightbox="images/mte-collaboratewithmte.png":::
3. Enter your name and email address so that Microsoft can get back to you on your application.
- ![Image of Microsoft Threat Experts application.](images/mte-apply.png)
+ :::image type="content" source="images/mte-apply.png" alt-text="The Name field on the Microsoft Threat Experts application page" lightbox="images/mte-apply.png":::
4. Read the [privacy statement](https://privacy.microsoft.com/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved.
- ![Image of Microsoft Threat Experts application confirmation.](images/mte-applicationconfirmation.png)
+ :::image type="content" source="images/mte-applicationconfirmation.png" alt-text="The Microsoft Threat Experts application confirmation message" lightbox="images/mte-applicationconfirmation.png":::
When accepted, you will receive a welcome email and you will see the **Apply** button change to a toggle that is "on". In case you want to take yourself out of the Targeted Attack Notifications service, slide the toggle "off" and click **Save preferences** at the bottom of the page.
You can partner with Microsoft Threat Experts who can be engaged directly from w
2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**.
- ![Image of Microsoft Threat Experts Experts on Demand from the menu.](images/mte-eod-menu.png)
+ :::image type="content" source="images/mte-eod-menu.png" alt-text="The Microsoft Threat Experts Experts on Demand menu item" lightbox="images/mte-eod-menu.png":::
A flyout screen opens. The following screen shows when you are on a trial subscription.
- ![Image of Microsoft Threat Experts Experts on Demand screen.](images/mte-eod.png)
+ :::image type="content" source="images/mte-eod.png" alt-text="The Microsoft Threat Experts Experts on Demand page" lightbox="images/mte-eod.png":::
The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription.
- ![Image of Microsoft Threat Experts Experts on Demand full subscription screen.](images/mte-eod-fullsubscription.png)
+ :::image type="content" source="images/mte-eod-fullsubscription.png" alt-text="The Microsoft Threat Experts Experts on Demand full subscription page" lightbox="images/mte-eod-fullsubscription.png":::
The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request.
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
If you're properly connected, you'll see a warning Microsoft Defender Antivirus
If you're using Microsoft Edge, you'll also see a notification message: A similar message occurs if you're using Internet Explorer: #### View the fake malware detection in your Windows Security app
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
The static proxy is configurable through group policy (GP), both the settings un
Set it to **Enabled** and select **Disable Authenticated Proxy usage**.
- ![Image of Group Policy setting1.](images/atp-gpo-proxy1.png)
+ :::image type="content" source="images/atp-gpo-proxy1.png" alt-text="The Group Policy setting1 status pane" lightbox="images/atp-gpo-proxy1.png":::
- **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: Configure the proxy.
- ![Image of Group Policy setting2.](images/atp-gpo-proxy2.png)
+ :::image type="content" source="images/atp-gpo-proxy2.png" alt-text="The Group Policy setting2 status pane" lightbox="images/atp-gpo-proxy2.png":::
| Group Policy | Registry key | Registry entry | Value |
Configure the static proxy using the Group Policy available in Administrative Te
2. Set it to **Enabled** and define the proxy server. Note, the URL must have either http:// or https://. For supported versions for https://, see [Manage Microsoft Defender Antivirus updates](manage-updates-baselines-microsoft-defender-antivirus.md).
- :::image type="content" source="images/proxy-server-mdav.png" alt-text="Proxy server for Microsoft Defender Antivirus.":::
+ :::image type="content" source="images/proxy-server-mdav.png" alt-text="The proxy server for Microsoft Defender Antivirus" lightbox="images/proxy-server-mdav.png":::
3. Under the registry key `HKLM\Software\Policies\Microsoft\Windows Defender`, the policy sets the registry value `ProxyServer` as REG_SZ.
The following downloadable spreadsheet lists the services and their associated U
**** |Spreadsheet of domains list| Description| |||
-|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
-| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
+|:::image type="content" source="images/mdatp-urls.png" alt-text="The Microsoft Defender for Endpoint URLs spreadsheet" lightbox="images/mdatp-urls.png":::|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)|
+|
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. In your firewall, open all the URLs where the geography column is WW. For rows where the geography column isn't WW, open the URLs to your specific data location. To verify your data location setting, see [Verify data storage location and update data retention settings for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/data-retention-settings).
The information in the list of proxy and firewall configuration information is r
4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (refer to the Service URLs [Spreadsheet](https://download.microsoft.com/download/8/e-urls.xlsx)).
- ![Image of administrator in Windows PowerShell.](images/admin-powershell.png)
+ :::image type="content" source="images/admin-powershell.png" alt-text="The administrator in Windows PowerShell" lightbox="images/admin-powershell.png":::
The wildcards (\*) used in \*.ods.opinsights.azure.com, \*.oms.opinsights.azure.com, and \*.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace. It can be found in the Onboarding section of your tenant within the Microsoft 365 Defender portal.
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
To enable and configure always-on protection:
2. Under **Best match**, select **Edit group policy** to launch **Local Group Policy Editor**.
- ![GPEdit taskbar search result.](images/gpedit-search.png)
+ :::image type="content" source="images/gpedit-search.png" alt-text="The GPEdit taskbar search result in the Control panel" lightbox="images/gpedit-search.png":::
2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus**.
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
For guidance on how to download and use Windows Security Baselines for Windows s
You'll need to complete the following general steps to successfully onboard servers.
-![Illustration of onboarding flow for Windows Servers and Windows 10 devices](images/server-onboarding-tools-methods.png)
**Windows Server 2012 R2 and Windows Server 2016 (Preview)**
The following steps are only applicable if you're using a third-party anti-malwa
- Type: `REG_DWORD` - Value: `1`
-2. Run the following PowerShell command to verify that the passive mode was configured:
-
- ```powershell
- Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
- ```
-
-3. Confirm that a recent event containing the passive mode event is found:
-
- ![Image of passive mode verification result](images/atp-verify-passive-mode.png)
-
+ :::image type="content" source="images/atp-verify-passive-mode.png" alt-text="The passive mode verification result" lightbox="images/atp-verify-passive-mode.png":::
> [!IMPORTANT] > > - When you use Microsoft Defender for Cloud to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European users, and in the UK for UK users).
security Connected Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md
From the left navigation menu, select **Partners & APIs** (under **Endpoints**)
The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days.
-![Image of connected apps.](images/connected-apps.png)
## Edit, reconfigure, or delete a connected application
security Contact Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md
Accessing the new support widget can be done in one of two ways:
1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support":
- :::image type="content" source="../../media/contactsupport.png" alt-text="Microsoft support.":::
+ :::image type="content" source="../../media/contactsupport.png" alt-text="The Microsoft support icon in the Microsoft 365 Defender portal" lightbox="../../media/contactsupport.png":::
2. Clicking on the **Need help?** button in the bottom right of the Microsoft 365 Defender portal:
- ![Image of the need help button.](images/need-help-option.png)
+ :::image type="content" source="images/need-help-option.png" alt-text="The Need help button" lightbox="images/need-help-option.png":::
In the widget you'll be offered two options:
In the widget you'll be offered two options:
This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced. In case the suggested articles aren't sufficient, you can open a service request.
Learn how to open support tickets by contacting Defender for Endpoint support.
### Contact support - 1. Fill in a title and description for the issue you are facing, the phone number and email address where we may reach you. 2. (Optional) Include up to five attachments that are relevant to the issue to provide additional context for the support case.
security Corelight Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/corelight-integration.md
To enable the Corelight integration, youΓÇÖll need to take the following steps:
1. In the navigation pane of the [https://security.microsoft.com](https://security.microsoft.com/) portal, select **Settings** \> **Device discovery** \> **Data sources**.
- ![Image of data sources](images/enable-corelight.png)
+ :::image type="content" source="images/enable-corelight.png" alt-text="The data sources page in the Microsoft 365 Defender portal" lightbox="images/enable-corelight.png":::
2. Select **Send Corelight data to M365D** and select **Save**.
In addition to this, the GUI validation requires that a broker is configured in
1. In the Corelight Sensor GUI configuration section, select **Sensor** \> **Export**. 2. From the list, go to **EXPORT TO KAFKA** and select the switch to turn it on.
- ![Image of kafka export](images/exporttokafka.png)
+ :::image type="content" source="images/exporttokafka.png" alt-text="The kafka export" lightbox="images/exporttokafka.png":::
3. Next, turn on **EXPORT TO AZURE DEFENDER FOR IOT** and enter your tenant ID, noted in Step 1, in the TENANT ID field.
- ![Image of iot export](images/exporttodiot.png)
+ :::image type="content" source="images/exporttodiot.png" alt-text="The iot export" lightbox="images/exporttodiot.png":::
4. Select **Apply Changes**.
- ![Apply image ](images/corelightapply.png)
+ :::image type="content" source="images/corelightapply.png" alt-text="The Apply changes icon" lightbox="images/corelightapply.png":::
> [!NOTE] > Configuration options in Kafka (excluding Log Exclusion and Filters) should not be changed. Any changes made will be ignored.
security Customize Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-controlled-folders.md
You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil
``` 3. Repeat step 2 for each folder that you want to protect. Folders that are protected are visible in the Windows Security app.
- :::image type="content" source="images/cfa-allow-folder-ps.png" alt-text="PowerShell window with cmdlet shown.":::
+ :::image type="content" source="images/cfa-allow-folder-ps.png" alt-text="The PowerShell window with cmdlet shown" lightbox="images/cfa-allow-folder-ps.png":::
> [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list and not `Set-MpPreference`. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
An allowed application or service only has write access to a controlled folder a
4. Select **Add an allowed app** and follow the prompts to add apps.
- :::image type="content" source="images/cfa-allow-app.png" alt-text="Add an allowed app button.":::
+ :::image type="content" source="images/cfa-allow-app.png" alt-text="The Add an allowed app button" lightbox="images/cfa-allow-app.png":::
### Use Group Policy to allow specific apps
An allowed application or service only has write access to a controlled folder a
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
- :::image type="content" source="images/cfa-allow-app-ps.png" alt-text="PowerShell cmdlet to allow an app.":::
+ :::image type="content" source="images/cfa-allow-app-ps.png" alt-text="The PowerShell cmdlet to allow an application" lightbox="images/cfa-allow-app-ps.png":::
> [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
security Data Collection Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md
When collaborating with Microsoft support professionals, you may be asked to use
Run '**MDEClientAnalyzer.cmd /?**' to see the list of available parameters and their description:
-![Image of client analyzer parameters in command line.](images/d89a1c04cf8441e4df72005879871bd0.png)
> [!NOTE] > When any advanced troubleshooting parameter is used, the analyzer also calls into [MpCmdRun.exe](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus) to collect Microsoft Defender Antivirus related support logs.
Run '**MDEClientAnalyzer.cmd /?**' to see the list of available parameters and t
The analyzer and all the above scenario flags can be initiated remotely by running 'RemoteMDEClientAnalyzer.cmd', which is also bundled into the analyzer toolset:
-![Image of commandline with analyzer information.](images/57cab9d82d08f672a92bf9e748ac9572.png)
> [!NOTE] >
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).
-![Definition of false positive and negatives in Defender for Endpoint.](images/false-positives-overview.png)
Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender), your security operations can take steps to address them by using the following process:
Fortunately, steps can be taken to address and reduce these kinds of issues. If
You can get help if you still have issues with false positives/negatives after performing the tasks described in this article. See [Still need help?](#still-need-help)
-![Steps to address false positives and negatives.](images/false-positives-step-diagram.png)
> [!NOTE] > This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).
When you're done reviewing and undoing actions that were taken as a result of fa
### Remove a file from quarantine across multiple devices > [!div class="mx-imgBorder"]
-> ![Quarantine file.](images/autoir-quarantine-file-1.png)
+> :::image type="content" source="images/autoir-quarantine-file-1.png" alt-text="The Quarantine file" lightbox="images/autoir-quarantine-file-1.png":::
1. In the left navigation pane of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, click **Action center**.
To specify entities as exclusions for Microsoft Defender for Endpoint, create "a
- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) - [Application certificates](#indicators-for-application-certificates)
-![Indicator types diagram.](images/false-positives-indicators.png)
#### Indicators for files
security Defender Endpoint Plan 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1.md
Microsoft Defender for Endpoint is an enterprise endpoint security platform desi
The green boxes in the following image depict what's included in Defender for Endpoint Plan 1: Use this guide to:
security Deployment Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-phases.md
This guide helps you work across stakeholders to prepare your environment and th
Each section corresponds to a separate article in this solution.
-![Image of deployment phases with details from table.](images/deployment-guide-phases.png)
-![Summary of deployment phases: prepare, setup, onboard.](images/phase-diagrams/deployment-phases.png)
<br>
security Deployment Rings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-rings.md
The deployment rings can be applied in the following scenarios:
## New deployments
-![Image of deployment rings.](images/deployment-rings.png)
A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they are satisfied before moving on to the next ring.
Use the following material to select the appropriate Microsoft Defender for Endp
|**Item**|**Description**| |:--|:--|
-|[![Thumb image for Microsoft Defender for Endpoint deployment strategy.](images/mde-deployment-strategy.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li></ul>
+|[:::image type="content" source="images/mde-deployment-strategy.png" alt-text="The strategy for Microsoft Defender for Endpoint deployment" lightbox="images/mde-deployment-strategy.png":::](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li></ul>
## Existing deployments
With macOS and Linux, you could take a couple of systems and run in the Beta cha
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current.
-![Image of insider rings.](images/insider-rings.png)
+ In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either Beta or Preview.
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
Plan your Microsoft Defender for Endpoint deployment so that you can maximize th
This solution provides guidance on how to identify your environment architecture, select the type of deployment tool that best fits your needs, and guidance on how to configure capabilities.
-![Image of deployment flow.](images/deployment-guide-plan.png)
## Step 1: Identify architecture
Use the following material to select the appropriate Defender for Endpoint archi
| Item | Description | |:--|:--|
-|[![Thumb image for Defender for Endpoint deployment strategy.](images/mde-deployment-strategy.png)](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li>
+|[:::image type="content" source="images/mde-deployment-strategy.png" alt-text="The strategy for deployment of Defender for Endpoint" lightbox="images/mde-deployment-strategy.png":::](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li>
## Step 2: Select deployment method
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices tha
- **4.18.2107 or later**: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets); add AccountName into [advanced hunting](device-control-removable-storage-access-control.md#view-device-control-removable-storage-access-control-data-in-microsoft-defender-for-endpoint) -- **4.18.2111 or later**: Add 'Enable or Disable Removable Storage Access Control', 'Default Enforcement', client machine policy update time through PowerShell, file information--- **4.18.2201 or later**: Support a copy of file written to allowed storage through OMA-URI- > [!NOTE] > None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status.
Before you get started with Removable Storage Access Control, you must confirm y
The following image illustrates the example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs).
- :::image type="content" source="images/prevent-write-access-allow-usb.png" alt-text="The screen displaying the configuration settings that allow specific approved USBs on devices.":::
+ :::image type="content" source="images/prevent-write-access-allow-usb.png" alt-text="The configuration settings that allow specific approved USBs on devices" lightbox="images/prevent-write-access-allow-usb.png":::
2. Combine all rules within `<PolicyRules>` `</PolicyRules>` into one xml file.
Before you get started with Removable Storage Access Control, you must confirm y
The following image illustrates the usage of SID property, and an example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs).
- :::image type="content" source="images/usage-sid-property.png" alt-text="The screen displaying a code that indicates usage of the SID property attribute.":::
+ :::image type="content" source="images/usage-sid-property.png" alt-text="The code that indicates usage of the SID property attribute" lightbox="images/usage-sid-property.png":::
3. Save both rule and group XML files on the network share folder and put the network share folder path into the Group Policy setting: **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control**: **'Define device control policy groups'** and **'Define device control policy rules'**.
Before you get started with Removable Storage Access Control, you must confirm y
- The target machine must be able to access the network share to have the policy. However, once the policy is read, the network share connection is no longer required, even after machine reboot.
- :::image type="content" source="images/device-control.png" alt-text="The Device Control screen.":::
+ :::image type="content" source="images/device-control.png" alt-text="The Device Control screen" lightbox="images/device-control.png":::
4. Default enforcement: allows you to set default access (Deny or Allow) to removable media if there is no policy. For example, you only have policy (either Deny or Allow) for RemovableMediaDevices, but do not have any policy for CdRomDevices or WpdDevices, and you set default Deny through this policy, Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.
Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> *
- Data Type: String (XML file)
- :::image type="content" source="images/xml-data-type-string.png" alt-text="The xml file for the STRING data type.":::
+ :::image type="content" source="images/xml-data-type-string.png" alt-text="The Data type field in the Add Row page" lightbox="images/xml-data-type-string.png":::
2. For each policy, also create an OMA-URI:
DeviceEvents
| order by Timestamp desc ```
-```kusto
-//RemovableStorageFileEvent: event triggered by File level enforcement, information of files written to removable storage
-DeviceEvents
-| where ActionType contains "RemovableStorageFileEvent"
-| extend parsed=parse_json(AdditionalFields)
-| extend Policy = tostring(parsed.Policy)
-| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
-| extend MediaClassName = tostring(parsed.ClassName)
-| extend MediaInstanceId = tostring(parsed.InstanceId)
-| extend MediaName = tostring(parsed.MediaName)
-| extend MediaProductId = tostring(parsed.ProductId)
-| extend MediaVendorId = tostring(parsed.VendorId)
-| extend MediaSerialNumber = tostring(parsed.SerialNumber)
-| extend DuplicatedOperation = tostring(parsed.DuplicatedOperation)
-| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
-| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName,
- ActionType, Policy, PolicyRuleId, DuplicatedOperation,
- MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber,
- FileName, FolderPath, FileSize, FileEvidenceLocation,
- AdditionalFields
-| order by Timestamp desc
-```
-
## Frequently asked questions
security Device Control Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md
The **View details** button shows more media usage data in the **device control
The page provides a dashboard with aggregated number of events per type and a list of events. Administrators can filter on time range, media class name, and device ID. > [!div class="mx-imgBorder"]
-> ![DeviceControlReportDetails](images/Detaileddevicecontrolreport.png)
+> :::image type="content" source="images/Detaileddevicecontrolreport.png" alt-text="The Device Control Report Details page in the Microsoft 365 Defender portal" lightbox="images/Detaileddevicecontrolreport.png":::
When you select an event, a flyout appears that shows you more information:
When you select an event, a flyout appears that shows you more information:
- **Location details:** Device name, User, and MDATP device ID. > [!div class="mx-imgBorder"]
-> ![FilterOnDeviceControlReport](images/devicecontrolreportfilter.png)
+> :::image type="content" source="images/devicecontrolreportfilter.png" alt-text="The Filter On Device Control Report page" lightbox="images/devicecontrolreportfilter.png":::
To see real-time activity for this media across the organization, select the **Open Advanced hunting** button. This includes an embedded, pre-defined query. > [!div class="mx-imgBorder"]
-> ![QueryOnDeviceControlReport](images/Devicecontrolreportquery.png)
+> :::image type="content" source="images/Devicecontrolreportquery.png" alt-text="The Query On Device Control Report page" lightbox="images/Devicecontrolreportquery.png":::
To see the security of the device, select the **Open device page** button on the flyout. This button opens the device entity page. > [!div class="mx-imgBorder"]
-> ![DeviceEntityPage](images/Devicesecuritypage.png)
+> :::image type="content" source="images/Devicesecuritypage.png" alt-text="The Device Entity Page" lightbox="images/Devicesecuritypage.png":::
## Reporting delays
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
To assess these devices, you can use a filter in the device inventory list calle
- Unsupported: The endpoint was discovered in the network but is not supported by Microsoft Defender for Endpoint. - Insufficient info: The system could not determine the supportability of the device. Enabling standard discovery on more devices in the network can enrich the discovered attributes.
-![Image of device inventory dashboard.](images/device-discovery-inventory.png)
> [!TIP] > You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
To address the challenge of gaining enough visibility to locate, identify, and s
Vulnerabilities and risks on your devices as well as other discovered unmanaged devices in the network are part of the current TVM flows under "Security Recommendations" and represented in entity pages across the portal. Search for "SSH" related security recommendations to find SSH vulnerabilities that are related for unmanaged and managed devices.
-![Image of security recommendations dashboard.](images/1156c82ffadd356ce329d1cf551e806c.png)
+ ## Use Advanced Hunting on discovered devices You can use Advanced Hunting queries to gain visibility on discovered devices. Find details about discovered Endpoints in the DeviceInfo table, or network-related information about those devices in the DeviceNetworkInfo table.
-![Image of advanced hunting use.](images/f48ba1779eddee9872f167453c24e5c9.png)
Device discovery leverages Microsoft Defender for Endpoint onboarded devices as a network data source to attribute activities to non-onboarded devices. This means that if a Microsoft Defender for Endpoint onboarded device communicated with a non-onboarded device, activities on the non-onboarded device can be seen on the timeline and through the Advanced hunting DeviceNetworkEvents table.
security Device Timeline Event Flag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md
While navigating the device timeline, you can search and filter for specific eve
## Flag an event 1. Find the event that you want to flag
-2. Click the flag icon in the Flag column.
- ![Image of device timeline flag.](images/device-flags.png)
+2. Click the flag icon in the Flag column.
-3. Click the flag icon in the Flag column.
-
- ![Image of device timeline flag](images/device-flags.png)
## View flagged events 1. In the timeline **Filters** section, enable **Flagged events**. 2. Click **Apply**. Only flagged events are displayed.
- You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
-
- ![Image of device timeline flag with filter on.](images/device-flag-filter.png)
-
-3. Click **Apply**. Only flagged events are displayed. You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
+You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
- ![Image of device timeline flag with filter on](images/device-flag-filter.png)
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
ms.technology: mde
EDR in block mode is integrated with [threat & vulnerability management](next-gen-threat-and-vuln-mgt.md). Your organization's security team will get a [security recommendation](tvm-security-recommendation.md) to turn EDR in block mode on if it isn't already enabled. > [!TIP] > To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](configure-machines-security-baseline.md)**.
When EDR in block mode is turned on, and a malicious artifact is detected, Micro
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: ## Enable EDR in block mode
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
1. Open the Microsoft Endpoint Manager (MEM) admin center. In the **Home** menu, click **Devices**, select **Configuration profiles**, and then click **Create profile**. > [!div class="mx-imgBorder"]
- > ![MEM Create Profile.](images/mem01-create-profile.png)
+ > :::image type="content" source="images/mem01-create-profile.png" alt-text="The Create profile page in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem01-create-profile.png":::
2. In **Create a profile**, in the following two drop-down lists, select the following:
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
Select **Custom**, and then select **Create**. > [!div class="mx-imgBorder"]
- > ![MEM rule profile attributes.](images/mem02-profile-attributes.png)
+ > :::image type="content" source="images/mem02-profile-attributes.png" alt-text="The rule profile attributes in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem02-profile-attributes.png":::
3. The Custom template tool opens to step **1 Basics**. In **1 Basics**, in **Name**, type a name for your template, and in **Description** you can type a description (optional). > [!div class="mx-imgBorder"]
- > ![MEM basic attributes.](images/mem03-1-basics.png)
+ > :::image type="content" source="images/mem03-1-basics.png" alt-text="The basic attributes in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem03-1-basics.png":::
4. Click **Next**. Step **2 Configuration settings** opens. For OMA-URI Settings, click **Add**. Two options now appear: **Add** and **Export**. > [!div class="mx-imgBorder"]
- > ![MEM Configuration settings.](images/mem04-2-configuration-settings.png)
+ > :::image type="content" source="images/mem04-2-configuration-settings.png" alt-text="The configuration settings in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem04-2-configuration-settings.png":::
5. Click **Add** again. The **Add Row OMA-URI Settings** opens. In **Add Row**, do the following:
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
- 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block) > [!div class="mx-imgBorder"]
- > ![MEM OMA URI configuration.](images/mem05-add-row-oma-uri.png)
+ > :::image type="content" source="images/mem05-add-row-oma-uri.png" alt-text="The OMA URI configuration in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem05-add-row-oma-uri.png":::
6. Select **Save**. **Add Row** closes. In **Custom**, select **Next**. In step **3 Scope tags**, scope tags are optional. Do one of the following:
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
- **Add all devices** > [!div class="mx-imgBorder"]
- > ![MEM assignments.](images/mem06-4-assignments.png)
+ > :::image type="content" source="images/mem06-4-assignments.png" alt-text="The assignments in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem06-4-assignments.png":::
8. In **Excluded groups**, select any groups that you want to exclude from this rule, and then select **Next**.
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
- In **Value**, enter the applicable value or value range > [!div class="mx-imgBorder"]
- > ![MEM Applicability rules.](images/mem07-5-applicability-rules.png)
+ > :::image type="content" source="images/mem07-5-applicability-rules.png" alt-text="The applicability rules in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem07-5-applicability-rules.png":::
10. Select **Next**. In step **6 Review + create**, review the settings and information you have selected and entered, and then select **Create**. > [!div class="mx-imgBorder"]
- > ![MEM Review and create.](images/mem08-6-review-create.png)
+ > :::image type="content" source="images/mem08-6-review-create.png" alt-text="The Review and create option in the Microsoft Endpoint Manager admin center portal" lightbox="images/mem08-6-review-create.png":::
> [!NOTE] > Rules are active and live within minutes.
Example:
- 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled) - 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)
- :::image type="content" source="images/asr-rules-gp.png" alt-text="ASR rules in Group Policy.":::
+ :::image type="content" source="images/asr-rules-gp.png" alt-text="ASR rules in Group Policy" lightbox="images/asr-rules-gp.png":::
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
Example:
> The User Defined option setting is shown in the following figure. > [!div class="mx-imgBorder"]
-> ![ASR enable "User Defined"](images/asr-user-defined.png)
+> :::image type="content" source="images/asr-user-defined.png" alt-text="The Enable option for credential security" lightbox="images/asr-user-defined.png":::
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
For more information about allowed parameters, see [Windows Defender WMIv2 APIs]
2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar), and then, under **Manage settings** select **Virus & threat protection settings**.
-3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are both switched to **On**.
+ :::image type="content" source="../../media/wdav-protection-settings-wdsc.png" alt-text="The Virus & threat protection settings" lightbox="../../media/wdav-protection-settings-wdsc.png":::
+
+3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
> [!NOTE] > If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable.
security Enable Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md
Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](/wi
- **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** \> Microsoft \> Windows \> Windows Defender \> Operational \> ID 1123. - **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** \> **Microsoft** \> **Windows** \> **Windows Defender** \> **Operational** \> **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
- ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down.](../../media/cfa-gp-enable.png)
+ :::image type="content" source="../../media/cfa-gp-enable.png" alt-text="The group policy option Enabled and Audit Mode selected" lightbox="../../media/cfa-gp-enable.png":::
> [!IMPORTANT] > To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu.
security Enable Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-exploit-protection.md
The result is that DEP is enabled for *test.exe*. DEP will not be enabled for an
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- :::image type="content" source="images/create-endpoint-protection-profile.png" alt-text="Create endpoint protection profile.":::
+ :::image type="content" source="images/create-endpoint-protection-profile.png" alt-text="The Create endpoint protection profile" lightbox="images/create-endpoint-protection-profile.png":::
4. Select **Configure** \> **Windows Defender Exploit Guard** \> **Exploit protection**. 5. Upload an [XML file](/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
- :::image type="content" source="images/enable-ep-intune.png" alt-text="Enable network protection in Intune.":::
+ :::image type="content" source="images/enable-ep-intune.png" alt-text="The Enable network protection setting in Intune" lightbox="images/enable-ep-intune.png":::
6. Select **OK** to save each open blade, and then choose **Create**.
security Enable Microsoft Defender For Iot Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration.md
To enable Microsoft Defender for IoT, the user must have the following roles:
1. In the navigation pane of the [https://security.microsoft.com](https://security.microsoft.com/) portal, select **Settings** \> **Device discovery** \> **Microsoft Defender for IoT**.
- ![Image of IoT integration setup.](images/enable-defender-for-iot.png)
+ :::image type="content" source="images/enable-defender-for-iot.png" alt-text="The IoT integration setup" lightbox="images/enable-defender-for-iot.png":::
2. **Select an Azure subscription** from the dropdown list of available subscriptions in your Azure Active Directory tenant and select **Save**.
security Enable Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md
If the Key is missing, Navigate to **SOFTWARE** \> **Microsoft** \> **Windows D
- 1, or **On** - 2, or **Audit** mode
- :::image type="content" alt-text="Network Protection registry key." source="../../media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png" lightbox="../../media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png":::
-
-
+ :::image type="content" source="../../media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png" alt-text="Network Protection registry key" lightbox="../../media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png":::
+ ## Enable network protection Enable network protection by using any of these methods:
security Evaluate Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-network-protection.md
Enable network protection in audit mode to see which IP addresses and domains wo
The network connection will be allowed and a test message will be displayed.
- ![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png)
+ :::image type="content" source="images/np-notif.png" alt-text="The connection blockage notification" lightbox="images/np-notif.png":::
> [!NOTE] > Network connections can be successful even though a site is blocked by network protection. To learn more, see [Network protection and the TCP three-way handshake](network-protection.md#network-protection-and-the-tcp-three-way-handshake).
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
Already have a lab? Make sure to enable the new threat simulators and have activ
1. In the navigation pane, select **Evaluation & tutorials** \> **Evaluation lab**, then select **Setup lab**.
- :::image type="content" source="../../media/evaluationtutormenu.png" alt-text="Image of evaluation lab welcome page.":::
+ :::image type="content" source="../../media/evaluationtutormenu.png" alt-text="The evaluation lab welcome page" lightbox="../../media/evaluationtutormenu.png":::
2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices for a longer period or more devices for a shorter period. Select your preferred lab configuration then select **Next**.
- ![Image of lab configuration options.](images/lab-creation-page.png)
+ :::image type="content" source="images/lab-creation-page.png" alt-text="The lab configuration options" lightbox="images/lab-creation-page.png":::
3. (Optional) You can choose to install threat simulators in the lab.
- ![Image of install simulators agent.](images/install-agent.png)
+ :::image type="content" source="images/install-agent.png" alt-text="The install simulators agent page" lightbox="images/install-agent.png":::
> [!IMPORTANT] > You'll first need to accept and provide consent to the terms and information sharing statements. 4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the devices you add.
- ![Image of summary page.](images/lab-setup-summary.png)
+ :::image type="content" source="images/lab-setup-summary.png" alt-text="The summary page" lightbox="images/lab-setup-summary.png":::
5. Review the summary and select **Setup lab**.
Automated investigation settings will be dependent on tenant settings. It will b
1. From the dashboard, select **Add device**.
-2. Choose the type of device to add. You can choose to add Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, and Linux (Ubuntu).
+2. Choose the type of device to add. You can choose to add Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, and Linux (Ubuntu).
+
+ :::image type="content" source="../../media/add-machine-optionsnew.png" alt-text="The lab setup with device options" lightbox="../../media/add-machine-optionsnew.png":::
> [!NOTE] > If something goes wrong with the device creation process, you'll be notified and you'll need to submit a new request. If the device creation fails, it will not be counted against the overall allowed quota.
Automated investigation settings will be dependent on tenant settings. It will b
> [!NOTE] > The password is only displayed once. Be sure to save it for later use.
- :::image type="content" source="../../media/add-machine-eval-lab-new.png" alt-text="Image of device added with connection details.":::
+ :::image type="content" source="../../media/add-machine-eval-lab-new.png" alt-text="The device added with connection details" lightbox="../../media/add-machine-eval-lab-new.png":::
4. Device set up begins. This can take up to approximately 30 minutes. 5. See the status of test devices, the risk and exposure levels, and the status of simulator installations by selecting the **Devices** tab.
- ![Image of devices tab.](images/machines-tab.png)
+ :::image type="content" source="images/machines-tab.png" alt-text="The devices tab" lightbox="images/machines-tab.png":::
+
> [!TIP] > In the **Simulator status** column, you can hover over the information icon to know the installation status of an agent.
When all existing devices are used and deleted, you can request for more devices
1. From the evaluation lab dashboard, select **Request for more devices**.
- ![Image of request for more devices.](images/request-more-devices.png)
+ :::image type="content" source="images/request-more-devices.png" alt-text="The request for more devices option" lightbox="images/request-more-devices.png":::
2. Choose your configuration. 3. Submit the request.
If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
1. Connect to your device and run an attack simulation by selecting **Connect**.
- ![Image of the connect button for test devices.](images/test-machine-table.png)
+ :::image type="content" source="images/test-machine-table.png" alt-text="The Connect button for the test devices" lightbox="images/test-machine-table.png":::
-2. For **Windows devices**: save the RDP file and launch it by selecting **Connect**.<br>
- ![Image of remote desktop connection.](images/remote-connection.png)
+ :::image type="content" source="images/remote-connection.png" alt-text="The remote desktop connection screen" lightbox="images/remote-connection.png":::
For **Linux devices**: you'll need to use a local SSH client and the provided command.
If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
> [!NOTE] > If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu: >
- > ![Image of reset password.](images/reset-password-test-machine.png)
+ > :::image type="content" source="images/reset-password-test-machine.png" alt-text="The Reset password option" lightbox="images/reset-password-test-machine.png":::
> > The device will change it's state to "Executing password reset", then you'll be presented with your new password in a few minutes. 3. Enter the password that was displayed during the device creation step.
- ![Image of window to enter credentials.](images/enter-password.png)
+ :::image type="content" source="images/enter-password.png" alt-text="The screen on which you enter credentials" lightbox="images/enter-password.png":::
4. Run Do-it-yourself attack simulations on the device.
Running threat simulations using third-party platforms is a good way to evaluate
2. Select a threat simulator.
- ![Image of threat simulator selection.](images/select-simulator.png)
+ :::image type="content" source="images/select-simulator.png" alt-text="The threat simulator selection" lightbox="images/select-simulator.png":::
3. Choose a simulation or look through the simulation gallery to browse through the available simulations.
Running threat simulations using third-party platforms is a good way to evaluate
6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details.
- ![Image of simulations tab.](images/simulations-tab.png)
+ :::image type="content" source="images/simulations-tab.png" alt-text="Simulations tab" lightbox="images/simulations-tab.png":::
After running your simulations, we encourage you to walk through the lab progress bar and explore **Microsoft Defender for Endpoint triggered an automated investigation and remediation**. Check out the evidence collected and analyzed by the feature.
A list of supported third-party threat simulation agents are listed, and specifi
You can conveniently run any available simulation right from the catalog.
-![Image of simulations catalog.](images/simulations-catalog.png)
Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run. **Examples:**
-![Image of simulation description details1.](images/simulation-details-aiq.png)
-![Image of simulation description details2.](images/simulation-details-sb.png)
## Evaluation report The lab reports summarize the results of the simulations conducted on the devices.
-![Image of the evaluation report.](images/eval-report.png)
At a glance, you'll quickly be able to see:
Your feedback helps us get better in protecting your environment from advanced a
Let us know what you think, by selecting **Provide feedback**.
-![Image of provide feedback.](images/send-us-feedback-eval-lab.png)
security Exposed Apis Create App Nativeapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp.md
This page explains how to create an AAD application, get an access token to Micr
2. Navigate to **Azure Active Directory** \> **App registrations** \> **New registration**.
- :::image type="content" alt-text="Image of Microsoft Azure and navigation to application registration." source="images/atp-azure-new-app2.png" lightbox="images/atp-azure-new-app2.png":::
+ :::image type="content" source="images/atp-azure-new-app2.png" alt-text="The App registrations page in the Microsoft Azure portal" lightbox="images/atp-azure-new-app2.png":::
3. When the **Register an application** page appears, enter your application's registration information: - **Name** - Enter a meaningful application name that will be displayed to users of the app.
This page explains how to create an AAD application, get an access token to Micr
- Choose **Delegated permissions** \> **Alert.Read** > select **Add permissions**.
- :::image type="content" alt-text="application permissions." source="images/application-permissions-public-client.png" lightbox="images/application-permissions-public-client.png":::
+ :::image type="content" source="images/application-permissions-public-client.png" alt-text="The application type and permissions panes" lightbox="images/application-permissions-public-client.png":::
> [!IMPORTANT] > Select the relevant permissions. Read alerts is only an example.
This page explains how to create an AAD application, get an access token to Micr
> [!NOTE] > Every time you add permission you must select on **Grant consent** for the new permission to take effect.
- ![Image of Grant permissions.](images/grant-consent.png)
+ :::image type="content" source="images/grant-consent.png" alt-text="The Grand admin consent option" lightbox="images/grant-consent.png":::
5. Write down your application ID and your tenant ID. On your application page, go to **Overview** and copy the following information:
- :::image type="content" alt-text="Image of created app id." source="images/app-and-tenant-ids.png" lightbox="images/app-and-tenant-ids.png":::
+ :::image type="content" source="images/app-and-tenant-ids.png" alt-text="The created app ID" lightbox="images/app-and-tenant-ids.png":::
## Get an access token
Verify to make sure you got a correct token:
- Validate you get a 'scp' claim with the desired app permissions. - In the screenshot below you can see a decoded token acquired from the app in the tutorial:
- :::image type="content" alt-text="Image of token validation." source="images/nativeapp-decoded-token.png" lightbox="images/nativeapp-decoded-token.png":::
+ :::image type="content" source="images/nativeapp-decoded-token.png" alt-text="The token validation page" lightbox="images/nativeapp-decoded-token.png":::
## Use the token to access Microsoft Defender for Endpoint API
security Exposed Apis Create App Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-partners.md
The following steps will guide you how to create an Azure AD application, get an
2. Navigate to **Azure Active Directory** \> **App registrations** \> **New registration**.
- ![Image of Microsoft Azure and navigation to application registration.](images/atp-azure-new-app2.png)
+ :::image type="content" source="images/atp-azure-new-app2.png" alt-text="The navigation to application registration pane" lightbox="images/atp-azure-new-app2.png":::
3. In the registration form:
The following steps will guide you how to create an Azure AD application, get an
- Redirect URI - type: Web, URI: https://portal.azure.com
- ![Image of Microsoft Azure partner application registration.](images/atp-api-new-app-partner.png)
+ :::image type="content" source="images/atp-api-new-app-partner.png" alt-text="The Microsoft Azure partner application registration page" lightbox="images/atp-api-new-app-partner.png":::
4. Allow your Application to access Microsoft Defender for Endpoint and assign it with the minimal set of permissions required to complete the integration.
The following steps will guide you how to create an Azure AD application, get an
- **Note**: *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear.
- ![add permission.](images/add-permission.png)
+ :::image type="content" source="images/add-permission.png" alt-text="The Add a permission option" lightbox="images/add-permission.png":::
### Request API permissions
In the following example we will use **'Read all alerts'** permission:
1. Choose **Application permissions** \> **Alert.Read.All** > select on **Add permissions**
- ![app permissions.](images/application-permissions.png)
+ :::image type="content" source="images/application-permissions.png" alt-text="The option that allows to add a permission" lightbox="images/application-permissions.png":::
2. Select **Grant consent** - **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect.
- ![Image of Grant permissions.](images/grant-consent.png)
+ :::image type="content" source="images/grant-consent.png" alt-text="The option that allows consent to be granted" lightbox="images/grant-consent.png":::
3. Add a secret to the application.
In the following example we will use **'Read all alerts'** permission:
**Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
- ![Image of create app key.](images/webapp-create-key2.png)
+ :::image type="content" source="images/webapp-create-key2.png" alt-text="The create app key" lightbox="images/webapp-create-key2.png":::
4. Write down your application ID: - On your application page, go to **Overview** and copy the following information:
- ![Image of created app id.](images/app-id.png)
+ :::image type="content" source="images/app-id.png" alt-text="The create application's ID" lightbox="images/app-id.png":::
5. Add the application to your customer's tenant.
In the following example we will use **'Read all alerts'** permission:
After clicking on the consent link, sign in with the Global Administrator of the customer's tenant and consent the application.
- ![Image of consent.](images/app-consent-partner.png)
+ :::image type="content" source="images/app-consent-partner.png" alt-text="The Accept button" lightbox="images/app-consent-partner.png":::
In addition, you will need to ask your customer for their tenant ID and save it for future use when acquiring the token.
Sanity check to make sure you got a correct token:
- In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender for Endpoint: - The "tid" claim is the tenant ID the token belongs to.
-![Image of token validation.](images/webapp-decoded-token.png)
## Use the token to access Microsoft Defender for Endpoint API
security Exposed Apis Create App Webapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp.md
This article explains how to create an Azure AD application, get an access token
2. Navigate to **Azure Active Directory** \> **App registrations** \> **New registration**.
- :::image type="content" alt-text="Image of Microsoft Azure and navigation to application registration." source="images/atp-azure-new-app2.png" lightbox="images/atp-azure-new-app2.png":::
+ :::image type="content" source="images/atp-azure-new-app2.png" alt-text="The application registration pane" lightbox="images/atp-azure-new-app2.png":::
3. In the registration form, choose a name for your application, and then select **Register**.
This article explains how to create an Azure AD application, get an access token
> [!NOTE] > *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear.
- :::image type="content" alt-text="add permission." source="images/add-permission.png" lightbox="images/add-permission.png":::
+ :::image type="content" source="images/add-permission.png" alt-text="The API permissions pane" lightbox="images/add-permission.png":::
Select **Application permissions** \> **Alert.Read.All**, and then select **Add permissions**.
- :::image type="content" alt-text="app permission." source="images/application-permissions.png" lightbox="images/application-permissions.png":::
+ :::image type="content" source="images/application-permissions.png" alt-text="The application permission information pane" lightbox="images/application-permissions.png":::
You need to select the relevant permissions. 'Read All Alerts' is only an example. For example:
This article explains how to create an Azure AD application, get an access token
> [!NOTE] > Every time you add a permission, you must select **Grant consent** for the new permission to take effect.
- ![Grant permissions.](images/grant-consent.png)
+ :::image type="content" source="images/grant-consent.png" alt-text="The grant permissions page" lightbox="images/grant-consent.png":::
6. To add a secret to the application, select **Certificates & secrets**, add a description to the secret, and then select **Add**. > [!NOTE] > After you select **Add**, select **copy the generated secret value**. You won't be able to retrieve this value after you leave.
- ![Image of create app key.](images/webapp-create-key2.png)
+ :::image type="content" source="images/webapp-create-key2.png" alt-text="The create application option" lightbox="images/webapp-create-key2.png":::
7. Write down your application ID and your tenant ID. On your application page, go to **Overview** and copy the following.
- :::image type="content" alt-text="Image of created app id." source="images/app-and-tenant-ids.png" lightbox="images/app-and-tenant-ids.png":::
+ :::image type="content" source="images/app-and-tenant-ids.png" alt-text="The created app and tenant IDs" lightbox="images/app-and-tenant-ids.png":::
8. **For Microsoft Defender for Endpoint Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted:
Ensure that you got the correct token:
In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender for Endpoint's roles:
- :::image type="content" alt-text="Image of token validation." source="images/webapp-decoded-token.png" lightbox="images/webapp-decoded-token.png":::
+ :::image type="content" source="images/webapp-decoded-token.png" alt-text="The token details portion" lightbox="images/webapp-decoded-token.png":::
## Use the token to access Microsoft Defender for Endpoint API
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
If a proxy or firewall is blocking all traffic by default and allowing only spec
The following downloadable spreadsheet lists the services and their associated URLs your network must be able to connect to. Verify there are no firewall or network-filtering rules that would deny access to these URLs, or create an *allow* rule specifically for them.
-|Spreadsheet of domains list| Description|
-|||
-| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
+Spreadsheet of domains list|Description
+:--|:--
For more information, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
security Grant Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md
To implement a multi-tenant delegated access solution, take the following steps:
To enable RBAC in the customer Microsoft 365 Defender portal, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
- ![Image of MSSP access.](images/mssp-access.png)
+ :::image type="content" source="images/mssp-access.png" alt-text="MSSP access" lightbox="images/mssp-access.png":::
Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via "Assigned user groups".
To implement a multi-tenant delegated access solution, take the following steps:
To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
- ![Image of new catalog.](images/goverance-catalog.png)
+ :::image type="content" source="images/goverance-catalog.png" alt-text="The new catalog page" lightbox="images/goverance-catalog.png":::
Further more information, see [Create a catalog of resources](/azure/active-directory/governance/entitlement-management-catalog-create).
To implement a multi-tenant delegated access solution, take the following steps:
- Access auto expires after 365 days > [!div class="mx-imgBorder"]
- > ![Image of new access package.](images/new-access-package.png)
+ > :::image type="content" source="images/new-access-package.png" alt-text="The New access package page" lightbox="images/new-access-package.png":::
For more information, see [Create a new access package](/azure/active-directory/governance/entitlement-management-access-package-create).
To implement a multi-tenant delegated access solution, take the following steps:
The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**. > [!div class="mx-imgBorder"]
- > ![Image of access properties.](images/access-properties.png)
+ > :::image type="content" source="images/access-properties.png" alt-text="The Properties page" lightbox="images/access-properties.png":::
The link is located on the overview page of each access package.
security Host Firewall Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md
The following scenarios are supported during Ring0 Preview.
Here is a couple of examples of the firewall report pages. Here you will find a summary of inbound, outbound, and application activity. You can access this page directly by going to <https://security.microsoft.com/firewall>. > [!div class="mx-imgBorder"]
-> ![Host firewall reporting page.](\images\host-firewall-reporting-page.png)
+> :::image type="content" source="\images\host-firewall-reporting-page.png" alt-text="The Host firewall reporting page" lightbox="\images\host-firewall-reporting-page.png":::
These reports can also be accessed by going to **Reports** > **Security Report** > **Devices** (section) located at the bottom of the **Firewall Blocked Inbound Connections** card.
These reports can also be accessed by going to **Reports** > **Security Report**
Cards support interactive objects. You can drill into the activity of a device by clicking on the device name, which will launch the Microsoft 365 Defender portal in a new tab, and take you directly to the **Device Timeline** tab. > [!div class="mx-imgBorder"]
-> ![Computers with a blocked connection.](\images\firewall-reporting-blocked-connection.png)
+> :::image type="content" source="\images\firewall-reporting-blocked-connection.png" alt-text="The Computers with a blocked connection page" lightbox="\images\firewall-reporting-blocked-connection.png":::
You can now select the **Timeline** tab, which will give you a list of events associated with that device. After clicking on the **Filters** button on the upper right-hand corner of the viewing pane, select the type of event you want. In this case, select **Firewall events** and the pane will be filtered to Firewall events. > [!div class="mx-imgBorder"]
-> ![Filters button.](\images\firewall-reporting-filters-button.png)
+> :::image type="content" source="\images\firewall-reporting-filters-button.png" alt-text="The Filters button" lightbox="\images\firewall-reporting-filters-button.png":::
### Drill into advanced hunting (preview refresh) Firewall reports support drilling from the card directly into **Advanced Hunting** by clicking the **Open Advanced hunting** button. The query will be pre-populated. > [!div class="mx-imgBorder"]
-> ![Open Advanced hunting button.](\images\firewall-reporting-advanced-hunting.png)
+> :::image type="content" source="\images\firewall-reporting-advanced-hunting.png" alt-text="The Open Advanced hunting button" lightbox="\images\firewall-reporting-advanced-hunting.png":::
The query can now be executed, and all related Firewall events from the last 30 days can be explored.
security Import Export Exploit Protection Emet Xml https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml.md
When you've configured exploit protection to your desired state (including both
2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**:
- ![Highlight of the Exploit protection settings option in the Windows Security app.](../../media/wdsc-exp-prot.png)
+ :::image type="content" source="../../media/wdsc-exp-prot.png" alt-text="The Exploit protection settings option in the Windows Security app" lightbox="../../media/wdsc-exp-prot.png":::
3. At the bottom of the **Exploit protection** section, select **Export settings**. Choose the location and name of the XML file where you want the configuration to be saved. > [!IMPORTANT] > If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
- ![Highlight of the Export Settings option.](../../media/wdsc-exp-prot-export.png)
+ :::image type="content" source="../../media/wdsc-exp-prot-export.png" alt-text="The Export Settings option" lightbox="../../media/wdsc-exp-prot-export.png":::
> [!NOTE] > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections (either section will export all settings).
You can use Group Policy to deploy the configuration you've created to multiple
3. Expand the tree to **Windows components** \> **Windows Defender Exploit Guard** \> **Exploit protection**.
- ![Screenshot of the group policy setting for exploit protection.](../../media/exp-prot-gp.png)
+ :::image type="content" source="../../media/exp-prot-gp.png" alt-text="The group policy setting for exploit protection" lightbox="../../media/exp-prot-gp.png":::
4. Double-click **Use a common set of Exploit protection settings** and set the option to **Enabled**.
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
Choose if to Generate an alert on the file block event and define the alerts set
- Description - Recommended actions
-![Alert settings for file indicators.](images/indicators-generate-alert.png)
> [!IMPORTANT] >
security Information Protection Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md
Learn how to use data sensitivity labels to prioritize incident investigation.
2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.
- ![Image of data sensitivity column.](images/data-sensitivity-column.png)
+ :::image type="content" source="images/data-sensitivity-column.png" alt-text="The Highly confidential option in the data sensitivity column" lightbox="images/data-sensitivity-column.png":::
You can also filter based on **Data sensitivity**
- ![Image of data sensitivity filter.](images/data-sensitivity-filter.png)
+ :::image type="content" source="images/data-sensitivity-filter.png" alt-text="The data sensitivity filter" lightbox="images/data-sensitivity-filter.png":::
3. Open the incident page to further investigate.
- ![Image of incident page details.](images/incident-page.png)
+ :::image type="content" source="images/incident-page.png" alt-text="The incident page details" lightbox="images/incident-page.png":::
4. Select the **Devices** tab to identify devices storing files with sensitivity labels.
- ![Image of device tab.](images/investigate-devices-tab.png)
+ :::image type="content" source="images/investigate-devices-tab.png" alt-text="The Device tab" lightbox="images/investigate-devices-tab.png":::
5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected. You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.
- ![Image of device timeline with narrowed down search results based on label.](images/machine-timeline-labels.png)
+ :::image type="content" source="images/machine-timeline-labels.png" alt-text="The device timeline with narrowed down search results based on label" lightbox="images/machine-timeline-labels.png":::
> [!TIP] > These data points are also exposed through the 'DeviceFileEvents' in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-alerts.md
Expand entities to view details at a glance. Selecting an entity will switch the
> [!NOTE] > The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
-![An example of an alert story with an alert in focus and some expanded cards.](images/alert-story-tree.png)
## Take action from the details pane
Once you're done investigating, go back to the alert you started with, mark the
If you classify it as a true alert, you can also select a determination, as shown in the image below.
-![A snippet of the details pane with a resolved alert and the determination drop-down expanded.](images/alert-details-resolved-true.png)
If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
-![actions and classification in the details pane with the suppression rule highlighted.](images/alert-false-suppression-rule.png)
> [!TIP] > If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
security Investigate Behind Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-behind-proxy.md
For more information, see [Enable network protection](enable-network-protection.
When network protection is turned on, you'll see that on a device's timeline the IP address will keep representing the proxy, while the real target address shows up.
-![Image of network events on device's timeline.](images/atp-proxy-investigation.png)
Other events triggered by the network protection layer are now available to surface the real domain names even behind a proxy. Event's information:
-![Image of single network event.](images/atp-proxy-investigation-event.png)
## Hunt for connection events using advanced hunting
DeviceNetworkEvents
| take 10 ```
-![Image of advanced hunting query.](images/atp-proxy-investigation-ah.png)
You can also filter out events that are related to connection to the proxy itself.
security Investigate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md
The file prevalence card shows where the file was seen in devices in the organiz
> [!NOTE] > Different users may see dissimilar values in the *devices in organization* section of the file prevalence card. This is because the card displays information based on the RBAC scope that a user has. Meaning, if a user has been granted visibility on a specific set of devices, they will only see the file organizational prevalence on those devices.
-![Image of file information.](images/atp-file-information.png)
## Alerts The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the device group, if any, the affected device belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers.
-![Image of alerts related to the file section.](images/atp-alerts-related-to-file.png)
## Observed in organization
The **Observed in organization** tab allows you to specify a date range to see w
> [!NOTE] > This tab will show a maximum number of 100 devices. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers.
-![Image of most recent observed device with the file.](images/atp-observed-machines.png)
Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This will allow you to see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
Use the slider or the range selector to quickly specify a time period that you w
The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
-![Image of deep analysis tab.](images/submit-file.png)
## File names The **File names** tab lists all names the file has been observed to use, within your organizations.
-![Image of file names tab.](images/atp-file-names.png)
## Related topics
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-incidents.md
When you investigate an incident, you'll see:
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, devices, investigations, evidence, graph).
-![Image of incident details1.](images/atp-incident-details.png)
### Alerts
You can investigate the alerts and see how they were linked together in an incid
- Same file - The files associated with the alert are exactly the same - Same URL - The URL that triggered the alert is exactly the same
-![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident.](images/atp-incidents-alerts-reason.png)
You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md).
You can also manage an alert and see alert metadata along with other information
You can also investigate the devices that are part of, or related to, a given incident. For more information, see [Investigate devices](investigate-machines.md).
-![Image of devices tab in incident details page.](images/atp-incident-device-tab.png)
### Investigations Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.
-![Image of investigations tab in incident details page.](images/atp-incident-investigations-tab.png)
## Going through the evidence
Microsoft Defender for Endpoint automatically investigates all the incidents' su
Each of the analyzed entities will be marked as infected, remediated, or suspicious.
-![Image of evidence tab in incident details page.](images/atp-incident-evidence-tab.png)
## Visualizing associated cybersecurity threats
Microsoft Defender for Endpoint aggregates the threat information into an incide
The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which device. etc.
-![Image of the incident graph.](images/atp-incident-graph-tab.png)
You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether it's been observed in your organization, if so, how many instances.
-![Image of incident details.](images/atp-incident-graph-details.png)
## Related topics
security Investigate Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md
When you investigate a specific device, you'll see:
- Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs) - Cards (active alerts, logged on users, security assessment)
-![Image of device view.](images/specific-device.png)
> [!NOTE] > Due to product constrains, the device profile does not consider all cyber evidence when determining the 'Last Seen' timeframe (as seen on the device page as well).
The tabs provide relevant security and threat prevention information related to
The **Overview** tab displays the [cards](#cards) for active alerts, logged on users, and security assessment.
-![Image of overview tab on the device page.](images/overview-device.png)
### Alerts The **Alerts** tab provides a list of alerts that are associated with the device. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts.
-![Image of alerts related to the device.](images/alerts-device.png)
When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related devices. Multiple alerts can be selected at a time.
The timeline also enables you to selectively drill down into events that occurre
> - [5031](/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network > - [5157](/windows/security/threat-protection/auditing/event-5157) - blocked connection
-![Image of device timeline with events.](images/timeline-device.png)
Some of the functionality includes:
Select an event to view relevant details about that event. A panel displays to s
To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint.
-![Image of the event details panel.](images/event-details.png)
### Security recommendations **Security recommendations** are generated from Microsoft Defender for Endpoint's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
-![Image of security recommendations tab.](images/security-recommendations-device.png)
### Software inventory The **Software inventory** tab lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details
-![Image of software inventory tab.](images/software-inventory-device.png)
### Discovered vulnerabilities The **Discovered vulnerabilities** tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details.
-![Image of discovered vulnerabilities tab.](images/discovered-vulnerabilities-device.png)
### Missing KBs The **Missing KBs** tab lists the missing security updates for the device.
-![Image of missing kbs tab.](images/missing-kbs-device.png)
## Cards
The **Missing KBs** tab lists the missing security updates for the device.
The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Microsoft Defender for Identity feature, and there are any active alerts. More information is available in the "Alerts" drill down.
-![Image of active alerts card.](images/risk-level-small.png)
> [!NOTE] > You'll need to enable the integration on both Microsoft Defender for Identity and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
The **Azure Advanced Threat Protection** card will display a high-level overview
The **Logged on users** card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md).
-![Image of user details pane.](images/logged-on-users.png)
> [!NOTE] > The 'Most frequent' user value is calculated only based on evidence of users who successfully logged on interactively.
The **Logged on users** card shows how many users have logged on in the past 30
The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A device's exposure level is determined by the cumulative impact of its pending security recommendations.
-![Image of security assessments card.](images/security-assessments.png)
## Related topics
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
When you investigate a user account entity, you'll see:
- Alerts related to this user - Observed in organization (devices logged on to)
-![Image of the user account entity details page.](images/atp-user-details-view.png)
### User details
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
While enabled by default, there might be some cases that require you to disable
1. Toggle off **Connect On Demand** to disable VPN. > [!div class="mx-imgBorder"]
- > ![VPN config connect on demand.](images/ios-vpn-config.png)
+ > :::image type="content" source="images/ios-vpn-config.png" alt-text="The toggle button for the VPN config Connect on demand option" lightbox="images/ios-vpn-config.png":::
> [!NOTE] > Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
Follow the steps below to create a compliance policy against jailbroken devices.
1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. > [!div class="mx-imgBorder"]
- > ![Create Policy.](images/ios-jb-policy.png)
+ > :::image type="content" source="images/ios-jb-policy.png" alt-text="The Create Policy tab" lightbox="images/ios-jb-policy.png":::
2. Specify a name of the policy, for example "Compliance Policy for Jailbreak". 3. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. > [!div class="mx-imgBorder"]
- > ![Policy Settings.](images/ios-jb-settings.png)
+ > :::image type="content" source="images/ios-jb-settings.png" alt-text="The Compliance settings tab" lightbox="images/ios-jb-settings.png":::
-4. In the **Action for noncompliance** section, select the actions as per your requirements and select **Next**.
+4. In the **Actions for noncompliance** section, select the actions as per your requirements and select **Next**.
> [!div class="mx-imgBorder"]
- > ![Policy Actions.](images/ios-jb-actions.png)
+ > :::image type="content" source="images/ios-jb-actions.png" alt-text="The Actions for noncompliance tab" lightbox="images/ios-jb-actions.png":::
5. In the **Assignments** section, select the user groups that you want to include for this policy and then select **Next**. 6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
security Ios Install Unmanaged https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md
End users also need to take steps to install Microsoft Defender for Endpoint on
1. **Verify that the connector is enabled**. <br> On the [unified security console](https://security.microsoft.com), go to **Settings** > **Endpoints** > **Advanced Features** and ensure that **Microsoft Intune connection** is enabled.
- ![Image of Defender for Endpoint -Intune connector](images/enable-intune-connection.png)
+ :::image type="content" source="images/enable-intune-connection.png" alt-text="The Defender for Endpoint - Intune connector" lightbox="images/enable-intune-connection.png":::
+ 2. **Verify that the connector is enabled on the Intune portal**. <br> In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint Security** > **Microsoft Defender for Endpoint** and ensure that the Connection status is enabled.
- ![App settings](images/app-settings.png)
+ :::image type="content" source="images/app-settings.png" alt-text="The application settings" lightbox="images/app-settings.png":::
### Create an app protection policy
Microsoft Defender for Endpoint can be configured to send threat signals to be u
1. Create a policy <br> App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.
-![Image of policy creation](images/create-policy.png)
2. Add apps <br> a. Choose how you want to apply this policy to apps on different devices. Then add at least one app. <br>
Because mobile app management doesn't require device management, you can protect
*Example: Outlook as a managed app*
- ![Image Outlook as managed app](images/managed-app.png)
+ :::image type="content" source="images/managed-app.png" alt-text="The Microsoft Outlook menu item on the left navigation pane" lightbox="images/managed-app.png":::
+
3. Set sign-in security requirements for your protection policy. <br> Select **Setting > Max allowed device threat level** in **Device Conditions** and enter a value. Then select **Action: "Block Access"**. Microsoft Defender for Endpoint on iOS shares this Device Threat Level.
- ![Image of conditional launch](images/conditional-launch.png)
+
+ :::image type="content" source="images/conditional-launch.png" alt-text="The Device conditions pane" lightbox="images/conditional-launch.png":::
4. Assign user groups for whom the policy needs to be applied.<br> Select **Included groups**. Then add the relevant groups.
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Deploy Defender for Endpoint on iOS via Intune Company Portal.
1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** -> **iOS/iPadOS** -> **Add** -> **iOS store app** and click **Select**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager Admin Center1.](images/ios-deploy-1.png)
+ > :::image type="content" source="images/ios-deploy-1.png" alt-text="The Add applications tab in the Microsoft Endpoint Manager Admin Center" lightbox="images/ios-deploy-1.png":::
1. On the **Add app** page, click on **Search the App Store** and type **Microsoft Defender for Endpoint** in the search bar. In the search results section, click on *Microsoft Defender for Endpoint* and click **Select**.
Deploy Defender for Endpoint on iOS via Intune Company Portal.
> The selected user group should consist of Intune enrolled users. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager Admin Center2.](images/ios-deploy-2.png)
+ > :::image type="content" source="images/ios-deploy-2.png" alt-text="The Add group tab in the Microsoft Endpoint Manager Admin Center" lightbox="images/ios-deploy-2.png":::
1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**. In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up at the top-right corner of the page. 1. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager Admin Center3.](images/ios-deploy-3.png)
+ > :::image type="content" source="images/ios-deploy-3.png" alt-text="The Device install status page" lightbox="images/ios-deploy-3.png":::
## Complete deployment for supervised devices
This step simplifies the onboarding process by setting up the VPN profile. For a
- Type of Automatic VPN = On-demand VPN - Click **Add** for **On Demand Rules** and select **I want to do the following = Establish VPN**, **I want to restrict to = All domains**.
- ![A screen shot of VPN profile configuration settings](images/ios-deploy-8.png)
+ :::image type="content" source="images/ios-deploy-8.png" alt-text="The VPN profile Configuration settings tab" lightbox="images/ios-deploy-8.png":::
1. Click Next and assign the profile to targeted users. 1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**.
Admins can configure Microsoft Defender for Endpoint to deploy and activate sile
- Type of Automatic VPN = On-demand VPN - Select **Add** for **On Demand Rules** and select **I want to do the following = Establish VPN**, **I want to restrict to = All domains**.
- ![A screen shot of VPN profile configuration.](images/ios-deploy-9.png)
+ :::image type="content" source="images/ios-deploy-9.png" alt-text="The VPN profile Configuration page" lightbox="images/ios-deploy-9.png":::
1. Select **Next** and assign the profile to targeted users. 1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**.
Once the above configuration is done and synced with the device, the following a
1. Once Defender for Endpoint on iOS has been installed on the device, you will see the app icon.
- ![A screen shot of a smart phone Description automatically generated.](images/41627a709700c324849bf7e13510c516.png)
+ :::image type="content" source="images/41627a709700c324849bf7e13510c516.png" alt-text="A smart phone Description automatically generated" lightbox="images/41627a709700c324849bf7e13510c516.png":::
2. Tap the Defender for Endpoint app icon (MSDefender) and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint on iOS. 3. Upon successful onboarding, the device will start showing up on the Devices list in the Microsoft 365 Defender portal. > [!div class="mx-imgBorder"]
- > ![A screenshot of a cell phone Description automatically generated.](images/device-inventory-screen.png)
+ > :::image type="content" source="images/device-inventory-screen.png" alt-text="The Device inventory page" lightbox="images/device-inventory-screen.png":::
+## Configure Microsoft Defender for Endpoint for Supervised Mode
+
+The Microsoft Defender for Endpoint on iOS app has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender for Endpoint app needs to know if a device is in Supervised Mode.
+
+### Configure Supervised Mode via Intune
+
+Intune allows you to configure the Defender for iOS app through an App Configuration policy.
+
+ > [!NOTE]
+ > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice.
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** \> **App configuration policies** \> **Add**. Click on **Managed devices**.
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="images/ios-deploy-4.png" alt-text="The Managed devices option" lightbox="images/ios-deploy-4.png":::
+
+1. In the *Create app configuration policy* page, provide the following information:
+ - Policy Name
+ - Platform: Select iOS/iPadOS
+ - Targeted app: Select **Microsoft Defender for Endpoint** from the list
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="images/ios-deploy-5.png" alt-text="The basic fields for the configuration policy for the application" lightbox="images/ios-deploy-5.png":::
+
+1. In the next screen, select **Use configuration designer** as the format. Specify the following property:
+ - Configuration Key: issupervised
+ - Value type: String
+ - Configuration Value: {{issupervised}}
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="images/ios-deploy-6.png" alt-text="The page from which to choose the format for the settings of the policy configuration" lightbox="images/ios-deploy-6.png":::
+
+1. Click **Next** to open the **Scope tags** page. Scope tags are optional. Click **Next** to continue.
+
+1. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it is best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
+
+ When deploying to user groups, a user must sign in to a device before the policy applies.
+
+ Click **Next**.
+
+1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
## Next Steps
security Ios Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md
While enabled by default, there might be some cases that require you to disable
1. Toggle off **Connect On Demand** to disable VPN. > [!div class="mx-imgBorder"]
- > ![VPN config connect on demand.](images/ios-vpn-config.png)
+ > :::image type="content" source="images/ios-vpn-config.png" alt-text="The Connect on demand option" lightbox="images/ios-vpn-config.png":::
> [!NOTE] > Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and Enable Web Protection.
Microsoft Defender for Endpoint protects you against phishing or other web-based
In addition, a notification is shown on the iOS device. Tapping on the notification opens the following screen for the user to review the details. > [!div class="mx-imgBorder"]
-> ![Image of site reported as unsafe notification.](images/ios-phish-alert.png)
+> :::image type="content" source="images/ios-phish-alert.png" alt-text="The site reported as unsafe notification" lightbox="images/ios-phish-alert.png":::
## Device not seen on the Defender for Endpoint console after onboarding.
security Limited Periodic Scanning Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md
By default, Microsoft Defender Antivirus will enable itself on a Windows 10 or a
If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device:
-![Windows Security app showing Microsoft Defender AV options, including scan options, settings, and update options.](images/vtp-wdav.png)
If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options.
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
Download the onboarding package from Microsoft 365 Defender portal.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
- ![Microsoft 365 Defender portal screenshot.](images/portal-onboarding-linux.png)
+ :::image type="content" source="images/portal-onboarding-linux.png" alt-text="Downloading an onboarding package in the Microsoft 365 Defender portal" lightbox="images/portal-onboarding-linux.png":::
4. From a command prompt, verify that you have the file, and extract the contents of the archive:
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Download the onboarding package from Microsoft 365 Defender portal:
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
- ![Microsoft 365 Defender portal screenshot.](images/portal-onboarding-linux-2.png)
+ :::image type="content" source="images/portal-onboarding-linux-2.png" alt-text="The Download onboarding package option" lightbox="images/portal-onboarding-linux-2.png":::
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
Download the onboarding package from Microsoft 365 Defender portal:
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
- ![Microsoft 365 Defender portal screenshot.](images/portal-onboarding-linux-2.png)
+ :::image type="content" source="images/portal-onboarding-linux-2.png" alt-text="The option to download the onboarded package" lightbox="images/portal-onboarding-linux-2.png":::
4. From a command prompt, verify that you have the file.
security Linux Schedule Scan Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde.md
Type "`:wq`" without the double quotes.
To view your cron jobs, type `sudo crontab -l` #### To inspect cron job runs
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
Before you can initiate a session on a device, make sure you fulfill the followi
You'll receive the following error:
- ![Image of error message.](images/live-response-error.png)
+ :::image type="content" source="images/live-response-error.png" alt-text="The error message" lightbox="images/live-response-error.png":::
- **Enable live response unsigned script execution** (optional).
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
The device control policy can be used to:
When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user.
-![Device control notification.](images/mac-device-control-notification.png)
When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification.
To find the vendor ID, product ID, and serial number of a USB device:
1. Plug in the USB device for which you want to look up the identifiers. 1. In the top-level menu of macOS, select **About This Mac**.
- ![About this Mac.](images/mac-device-control-lookup-1.png)
+ :::image type="content" source="images/mac-device-control-lookup-1.png" alt-text="The About this Mac page" lightbox="images/mac-device-control-lookup-1.png":::
1. Select **System Report**.
- ![System Report.](images/mac-device-control-lookup-2.png)
+ :::image type="content" source="images/mac-device-control-lookup-2.png" alt-text="The system report" lightbox="images/mac-device-control-lookup-2.png":::
1. From the left column, select **USB**.
- ![View of all USB devices.](images/mac-device-control-lookup-3.png)
+ :::image type="content" source="images/mac-device-control-lookup-3.png" alt-text="The view of all the USB devices" lightbox="images/mac-device-control-lookup-3.png":::
+
1. Under **USB Device Tree**, navigate to the USB device that you plugged in.
- ![Details of a USB device.](images/mac-device-control-lookup-4.png)
+ :::image type="content" source="images/mac-device-control-lookup-4.png" alt-text="The details of a USB device" lightbox="images/mac-device-control-lookup-4.png":::
1. The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after `0x`. For example, in the below image, vendor ID is `1000` and product ID is `090c`.
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
For more information on how to configure exclusions from JAMF, Intune, or anothe
Open the Defender for Endpoint application and navigate to **Manage settings** \> **Add or Remove Exclusion...**, as shown in the following screenshot:
-![Manage exclusions screenshot.](images/mdatp-37-exclusions.png)
Select the type of exclusion that you wish to add and follow the prompts.
security Mac Install Jamfpro Login https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login.md
ms.technology: mde
1. Enter your credentials.
- ![Image of Jamf Pro dashboard1.](images/jamf-pro-portal1.png)
+ :::image type="content" source="images/jamf-pro-portal1.png" alt-text="The Jamf Pro dashboard1" lightbox="images/jamf-pro-portal1.png":::
2. Select **Computers**.
- ![Image of Jamf Pro dashboard2.](images/jamf-pro-dashboard.png)
+ :::image type="content" source="images/jamf-pro-dashboard.png" alt-text="The Jamf Pro dashboard2" lightbox="images/jamf-pro-dashboard.png":::
3. You will see the settings that are available.
- ![Image of Jamf Pro dashboard3.](images/jamfpro-settings.png)
+ :::image type="content" source="images/jamfpro-settings.png" alt-text="The Jamf Pro dashboard3" lightbox="images/jamfpro-settings.png":::
## Next step
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
Download the installation and onboarding packages from Microsoft 365 Defender po
3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
- ![Microsoft 365 Defender portal screenshot.](images/portal-onboarding-macos.png)
+ :::image type="content" source="images/portal-onboarding-macos.png" alt-text="The options to download the installation and onboarding packages" lightbox="images/portal-onboarding-macos.png":::
5. From a command prompt, verify that you have the two files.
To complete this process, you must have admin privileges on the device.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
- ![App install screenshot1.](images/mdatp-28-appinstall.png)
+ :::image type="content" source="images/mdatp-28-appinstall.png" alt-text="The installation of the application" lightbox="images/mdatp-28-appinstall.png":::
2. Select **Continue**, agree with the License terms, and enter the password when prompted.
- ![App install screenshot2.](images/mdatp-29-appinstalllogin.png)
+ :::image type="content" source="images/mdatp-29-appinstalllogin.png" alt-text="The application installation" lightbox="images/mdatp-29-appinstalllogin.png":::
> [!IMPORTANT] > You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
- ![App install screenshot3.](images/mdatp-30-systemextension.png)
+ :::image type="content" source="images/mdatp-30-systemextension.png" alt-text="The application's installation" lightbox="images/mdatp-30-systemextension.png":::
3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
- ![Security and privacy window screenshot.](images/mdatp-31-securityprivacysettings.png)
+ :::image type="content" source="images/mdatp-31-securityprivacysettings.png" alt-text="The Security and privacy window" lightbox="images/mdatp-31-securityprivacysettings.png":::
The installation proceeds.
To complete this process, you must have admin privileges on the device.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
- ![App install screenshot4.](images/monterey-install-1.png)
+ :::image type="content" source="images/monterey-install-1.png" alt-text="The installation process for the application" lightbox="images/monterey-install-1.png":::
2. Select **Continue**, agree with the License terms, and enter the password when prompted. 3. At the end of the installation process, you'll be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
- ![System extension approval.](images/monterey-install-2.png)
+ :::image type="content" source="images/monterey-install-2.png" alt-text="The system extension approval" lightbox="images/monterey-install-2.png":::
4. From the **Security & Privacy** window, select **Allow**.
- ![System extension security preferences1.](images/monterey-install-3.png)
+ :::image type="content" source="images/monterey-install-3.png" alt-text="The system extension security preferences1" lightbox="images/monterey-install-3.png":::
5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender for Endpoint on Mac. 6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on Mac inspects socket traffic and reports this information to the Microsoft 365 Defender portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**.
- ![System extension security preferences2.](images/monterey-install-4.png)
+ :::image type="content" source="images/monterey-install-4.png" alt-text="The system extension security preferences2" lightbox="images/monterey-install-4.png":::
7. Open **System Preferences** \> **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender** and **Microsoft Defenders Endpoint Security Extension**.
- ![Full disk access.](images/monterey-install-5.png)
+ :::image type="content" source="images/monterey-install-5.png" alt-text="The full disk access" lightbox="images/monterey-install-5.png":::
## Client configuration
To complete this process, you must have admin privileges on the device.
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. > [!div class="mx-imgBorder"]
- > ![Microsoft Defender icon in status bar screenshot.](images/mdatp-icon-bar.png)
+ > :::image type="content" source="images/mdatp-icon-bar.png" alt-text="The Microsoft Defender icon in status bar" lightbox="images/mdatp-icon-bar.png":::
## How to Allow Full Disk Access
To complete this process, you must have admin privileges on the device.
12. Go to the Alert Queue.
- :::image type="content" source="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="Example of a macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions.":::
+ :::image type="content" source="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="An macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions" lightbox="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png":::
Look at the alert details and the device timeline, and perform the regular investigation steps.
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
Download the onboarding packages from Microsoft 365 Defender portal:
2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
- ![Onboarding settings screenshot.](images/macos-install-with-intune.png)
+ :::image type="content" source="images/macos-install-with-intune.png" alt-text="The Onboarding settings page" lightbox="images/macos-install-with-intune.png":::
3. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
This profile contains license information for Microsoft Defender for Endpoint. W
1. Select **Platform**=**macOS**, **Profile type**=**Templates**. **Template name**=**Custom**. Click **Create**. > [!div class="mx-imgBorder"]
- > ![Custom Configuration Profile creation.](images/mdatp-6-systemconfigurationprofiles-1.png)
+ > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-1.png" alt-text="The Custom Configuration Profile creation page" lightbox="images/mdatp-6-systemconfigurationprofiles-1.png":::
1. Choose a name for the profile, e.g., "Defender for Cloud or Endpoint onboarding for macOS". Click **Next**. > [!div class="mx-imgBorder"]
- > ![Custom Configuration Profile - name.](images/mdatp-6-systemconfigurationprofiles-2.png)
+ > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-2.png" alt-text="The Custom Configuration Profile name field" lightbox="images/mdatp-6-systemconfigurationprofiles-2.png":::
1. Choose a name for the configuration profile name, e.g., "Defender for Endpoint onboarding for macOS". 1. Choose a [deployment channel](/mem/intune/fundamentals/whats-new#new-deployment-channel-setting-for-custom-device-configuration-profiles-on-macos-devices). 1. Select intune/WindowsDefenderATPOnboarding.xml that you extracted from the onboarding package above as configuration profile file. > [!div class="mx-imgBorder"]
- > ![Import a configuration from a file for Custom Configuration Profile.](images/mdatp-6-systemconfigurationprofiles.png)
+ > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles.png" alt-text="The import of a configuration from a file for Custom Configuration Profile" lightbox="images/mdatp-6-systemconfigurationprofiles.png":::
1. Click **Next**. 1. Assign devices on the **Assignment** tab. Click **Next**. > [!div class="mx-imgBorder"]
- > ![Custom Configuration Profile - assignment.](images/mdatp-6-systemconfigurationprofiles-2.png)
+ > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-2.png" alt-text="The custom configuration profile - assignment" lightbox="images/mdatp-6-systemconfigurationprofiles-2.png":::
1. Review and **Create**. 1. Open **Devices** \> **Configuration profiles**, you can see your created profile there. > [!div class="mx-imgBorder"]
- > ![Custom Configuration Profile - done.](images/mdatp-6-systemconfigurationprofiles-3.png)
+ > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-3.png" alt-text="The completion of the custom configuration profile" lightbox="images/mdatp-6-systemconfigurationprofiles-3.png":::
### Approve System Extensions
This profile is needed for macOS 10.15 (Catalina) or newer. It will be ignored o
|com.microsoft.wdav.netext|UBF8T346G9| > [!div class="mx-imgBorder"]
- > ![System extension settings.](images/mac-system-extension-intune2.png)
+ > :::image type="content" source="images/mac-system-extension-intune2.png" alt-text="The settings of the system's extension" lightbox="images/mac-system-extension-intune2.png":::
1. In the **Assignments** tab, assign this profile to **All Users & All devices**. 1. Review and create this configuration profile.
This profile is needed for macOS 10.15 (Catalina) or older. It will be ignored o
1. Set **Team identifier** to **UBF8T346G9** and click **Next**. > [!div class="mx-imgBorder"]
- > ![Kernel extension settings.](images/mac-kernel-extension-intune2.png)
+ > :::image type="content" source="images/mac-system-extension-intune2.png" alt-text="The Kernel settings of the system's extension" lightbox="images/mac-system-extension-intune2.png":::
1. In the **Assignments** tab, assign this profile to **All Users & All devices**. 1. Review and create this configuration profile.
Follow the instructions for [Onboarding blob](#onboarding-blob) from above, usin
Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** \> **Device status**: > [!div class="mx-imgBorder"]
-> ![View of Device Status in Monitor.](images/mdatp-7-devicestatusblade.png)
+> :::image type="content" source="images/mdatp-7-devicestatusblade.png" alt-text="The view of the device status" lightbox="images/mdatp-7-devicestatusblade.png":::
## Publish application
This step enables deploying Microsoft Defender for Endpoint to enrolled machines
1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), open **Apps**. > [!div class="mx-imgBorder"]
- > ![Ready to create application.](images/mdatp-8-app-before.png)
+ > :::image type="content" source="images/mdatp-8-app-before.png" alt-text="The application's overview page" lightbox="images/mdatp-8-app-before.png":::
1. Select By platform > macOS > Add. 1. Choose **App type**=**macOS**, click **Select**. > [!div class="mx-imgBorder"]
- > ![Specify application type.](images/mdatp-9-app-type.png)
+ > :::image type="content" source="images/mdatp-9-app-type.png" alt-text="The specific application type" lightbox="images/mdatp-9-app-type.png":::
1. Keep default values, click **Next**. > [!div class="mx-imgBorder"]
- > ![Application properties.](images/mdatp-10-properties.png)
+ > :::image type="content" source="images/mdatp-10-properties.png" alt-text="The application properties page" lightbox="images/mdatp-10-properties.png":::
1. Add assignments, click **Next**. > [!div class="mx-imgBorder"]
- > ![Intune assignments info screenshot.](images/mdatp-11-assignments.png)
+ > :::image type="content" source="images/mdatp-11-assignments.png" alt-text="The Intune assignments information page" lightbox="images/mdatp-11-assignments.png":::
1. Review and **Create**. 1. You can visit **Apps** \> **By platform** \> **macOS** to see it on the list of all applications. > [!div class="mx-imgBorder"]
- > ![Applications list.](images/mdatp-12-applications.png)
+ > :::image type="content" source="images/mdatp-12-applications.png" alt-text="The application lists page" lightbox="images/mdatp-12-applications.png":::
For more information, see [Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune](/mem/intune/apps/apps-advanced-threat-protection-macos).)
You don't need any special provisioning for a Mac device beyond a standard [Comp
1. Confirm device management. > [!div class="mx-imgBorder"]
- > ![Confirm device management screenshot.](images/mdatp-3-confirmdevicemgmt.png)
+ > :::image type="content" source="images/mdatp-3-confirmdevicemgmt.png" alt-text="The Confirm device management page" lightbox="images/mdatp-3-confirmdevicemgmt.png":::
Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
- ![Management profile screenshot.](images/mdatp-4-managementprofile.png)
+ :::image type="content" source="images/mdatp-4-managementprofile.png" alt-text="The Management profile page" lightbox="images/mdatp-4-managementprofile.png":::
2. Select **Continue** and complete the enrollment.
You don't need any special provisioning for a Mac device beyond a standard [Comp
3. In Intune, open **Manage** \> **Devices** \> **All devices**. Here you can see your device among those listed: > [!div class="mx-imgBorder"]
- > ![Add Devices screenshot.](images/mdatp-5-alldevices.png)
+ > :::image type="content" source="images/mdatp-5-alldevices.png" alt-text="The All Devices page" lightbox="images/mdatp-5-alldevices.png":::
## Verify client device state 1. After the configuration profiles are deployed to your devices, open **System Preferences** \> **Profiles** on your Mac device. > [!div class="mx-imgBorder"]
- > ![System Preferences screenshot.](images/mdatp-13-systempreferences.png)
+ > :::image type="content" source="images/mdatp-13-systempreferences.png" alt-text="The System preferences page" lightbox="images/mdatp-13-systempreferences.png":::
- ![System Preferences Profiles screenshot.](images/mdatp-14-systempreferencesprofiles.png)
+ :::image type="content" source="images/mdatp-14-systempreferencesprofiles.png" alt-text="The System Preferences Profiles page" lightbox="images/mdatp-14-systempreferencesprofiles.png":::
2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
- ![Profiles screenshot.](images/mdatp-15-managementprofileconfig.png)
+ :::image type="content" source="images/mdatp-15-managementprofileconfig.png" alt-text="The Profiles page" lightbox="images/mdatp-15-managementprofileconfig.png":::
3. You should also see the Microsoft Defender for Endpoint icon in the top-right corner: > [!div class="mx-imgBorder"]
- > ![Microsoft Defender for Endpoint icon in status bar screenshot.](images/mdatp-icon-bar.png)
+ > :::image type="content" source="images/mdatp-icon-bar.png" alt-text="The icon for Microsoft Defender for Endpoint in the status bar" lightbox="images/mdatp-icon-bar.png":::
## Troubleshooting
security Mac Jamfpro Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md
Set up the device groups similar to Group policy organizational unite (OUs), Mi
2. Select **New**.
- ![Image of Jamf Pro1.](images/jamf-pro-static-group.png)
+ :::image type="content" source="images/jamf-pro-static-group.png" alt-text="The Jamf Pro1 page" lightbox="images/jamf-pro-static-group.png":::
3. Provide a display name and select **Save**.
- ![Image of Jamf Pro2.](images/jamfpro-machine-group.png)
+ :::image type="content" source="images/jamfpro-machine-group.png" alt-text="The Jamf Pro2 page" lightbox="images/jamfpro-machine-group.png":::
4. Now you will see the **Contoso's Machine Group** under **Static Computer Groups**.
- ![Image of Jamf Pro3.](images/contoso-machine-group.png)
+ :::image type="content" source="images/contoso-machine-group.png" alt-text="The Jamf Pro3 page" lightbox="images/contoso-machine-group.png":::
## Next step - [Set up Microsoft Defender for Endpoint on macOS policies in Jamf Pro](mac-jamfpro-policies.md)
security Mac Jamfpro Enroll Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md
For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c
1. In the Jamf Pro dashboard, navigate to **Enrollment invitations**.
- ![Image of configuration settings1.](images/a347307458d6a9bbfa88df7dbe15398f.png)
+ :::image type="content" source="images/a347307458d6a9bbfa88df7dbe15398f.png" alt-text="The configuration settings1" lightbox="images/a347307458d6a9bbfa88df7dbe15398f.png":::
2. Select **+ New**.
- ![A close up of a logo Description automatically generated.](images/b6c7ad56d50f497c38fc14c1e315456c.png)
+ :::image type="content" source="images/b6c7ad56d50f497c38fc14c1e315456c.png" alt-text="The close up of a logo description automatically generated" lightbox="images/b6c7ad56d50f497c38fc14c1e315456c.png":::
3. In **Specify Recipients for the Invitation** > under **Email Addresses** enter the e-mail address(es) of the recipients.
- ![Image of configuration settings2.](images/718b9d609f9f77c8b13ba88c4c0abe5d.png)
+ :::image type="content" source="images/718b9d609f9f77c8b13ba88c4c0abe5d.png" alt-text="The configuration settings2" lightbox="images/718b9d609f9f77c8b13ba88c4c0abe5d.png":::
- ![Image of configuration settings3.](images/ae3597247b6bc7c5347cf56ab1e820c0.png)
+ :::image type="content" source="images/ae3597247b6bc7c5347cf56ab1e820c0.png" alt-text="The configuration settings3" lightbox="images/ae3597247b6bc7c5347cf56ab1e820c0.png":::
For example: janedoe@contoso.com
- ![Image of configuration settings4.](images/4922c0fcdde4c7f73242b13bf5e35c19.png)
+ :::image type="content" source="images/4922c0fcdde4c7f73242b13bf5e35c19.png" alt-text="The configuration settings4" lightbox="images/4922c0fcdde4c7f73242b13bf5e35c19.png":::
4. Configure the message for the invitation.
- ![Image of configuration settings5.](images/ce580aec080512d44a37ff8e82e5c2ac.png)
+ :::image type="content" source="images/ce580aec080512d44a37ff8e82e5c2ac.png" alt-text="The configuration settings5" lightbox="images/ce580aec080512d44a37ff8e82e5c2ac.png":::
- ![Image of configuration settings6.](images/5856b765a6ce677caacb130ca36b1a62.png)
+ :::image type="content" source="images/5856b765a6ce677caacb130ca36b1a62.png" alt-text="The configuration settings6" lightbox="images/5856b765a6ce677caacb130ca36b1a62.png":::
- ![Image of configuration settings7.](images/3ced5383a6be788486d89d407d042f28.png)
+ :::image type="content" source="images/3ced5383a6be788486d89d407d042f28.png" alt-text="The configuration settings7" lightbox="images/3ced5383a6be788486d89d407d042f28.png":::
- ![Image of configuration settings8.](images/54be9c6ed5b24cebe628dc3cd9ca4089.png)
+ :::image type="content" source="images/54be9c6ed5b24cebe628dc3cd9ca4089.png" alt-text="The configuration settings8" lightbox="images/54be9c6ed5b24cebe628dc3cd9ca4089.png":::
## Enrollment Method 2: Prestage Enrollments 1. In the Jamf Pro dashboard, navigate to **Prestage enrollments**.
- ![Image of configuration settings9.](images/6fd0cb2bbb0e60a623829c91fd0826ab.png)
+ :::image type="content" source="images/6fd0cb2bbb0e60a623829c91fd0826ab.png" alt-text="The configuration settings9" lightbox="images/6fd0cb2bbb0e60a623829c91fd0826ab.png":::
2. Follow the instructions in [Computer PreStage Enrollments](https://docs.jamf.com/9.9/casper-suite/administrator-guide/Computer_PreStage_Enrollments.html).
For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c
1. Select **Continue** and install the CA certificate from a **System Preferences** window.
- ![Image of Jamf Pro enrollment1.](images/jamfpro-ca-certificate.png)
+ :::image type="content" source="images/jamfpro-ca-certificate.png" alt-text="The Jamf Pro enrollment1" lightbox="images/jamfpro-ca-certificate.png":::
2. Once CA certificate is installed, return to the browser window and select **Continue** and install the MDM profile.
- ![Image of Jamf Pro enrollment2.](images/jamfpro-install-mdm-profile.png)
+ :::image type="content" source="images/jamfpro-install-mdm-profile.png" alt-text="The Jamf Pro enrollment2" lightbox="images/jamfpro-install-mdm-profile.png":::
3. Select **Allow** to downloads from JAMF.
- ![Image of Jamf Pro enrollment3.](images/jamfpro-download.png)
+ :::image type="content" source="images/jamfpro-download.png" alt-text="The Jamf Pro enrollment3" lightbox="images/jamfpro-download.png":::
4. Select **Continue** to proceed with the MDM Profile installation.
- ![Image of Jamf Pro enrollment4.](images/jamfpro-install-mdm.png)
+ :::image type="content" source="images/jamfpro-install-mdm.png" alt-text="The Jamf Pro enrollment4" lightbox="images/jamfpro-install-mdm.png":::
5. Select **Continue** to install the MDM Profile.
- ![Image of Jamf Pro enrollment5.](images/jamfpro-mdm-unverified.png)
+ :::image type="content" source="images/jamfpro-mdm-unverified.png" alt-text="The Jamf Pro enrollment5" lightbox="images/jamfpro-mdm-unverified.png":::
6. Select **Continue** to complete the configuration.
- ![Image of Jamf Pro enrollment6.](images/jamfpro-mdm-profile.png)
+ :::image type="content" source="images/jamfpro-mdm-profile.png" alt-text="The Jamf Pro enrollment6" lightbox="images/jamfpro-mdm-profile.png":::
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
You'll need to take the following steps:
2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.
- ![Image of Microsoft 365 Defender portal.](images/onboarding-macos.png)
+ :::image type="content" source="images/onboarding-macos.png" alt-text="The Settings page of the Microsoft Defender Security Center" lightbox="images/onboarding-macos.png":::
3. Select **Download onboarding package** (WindowsDefenderATPOnboardingPackage.zip).
You'll need to take the following steps:
1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section.
- ![Image of WindowsDefenderATPOnboarding file.](images/plist-onboarding-file.png)
+ :::image type="content" source="images/plist-onboarding-file.png" alt-text="The Windows Defender ATP Onboarding file" lightbox="images/plist-onboarding-file.png":::
2. Sign in to Jamf Pro, navigate to **Computers** > **Configuration Profiles**, and select **New**.
- ![Image of creating a new Jamf Pro dashboard.](images/jamf-pro-configure-profile.png)
+ :::image type="content" source="images/jamf-pro-configure-profile.png" alt-text="The page on which you create a new Jamf Pro dashboard" lightbox="images/jamf-pro-configure-profile.png":::
3. Enter the following details:
You'll need to take the following steps:
4. Navigate to the **Application & Custom Settings** page and select **Upload** > **Add**.
- ![Image of configurate app and custom settings.](images/jamfpro-mac-profile.png)
+ :::image type="content" source="images/jamfpro-mac-profile.png" alt-text="The configurate app and custom settings" lightbox="images/jamfpro-mac-profile.png":::
5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.
- ![Image of jamfpro plist upload file.](images/jamfpro-plist-upload.png)
+ :::image type="content" source="images/jamfpro-plist-upload.png" alt-text="The jamfpro plist upload file" lightbox="images/jamfpro-plist-upload.png":::
- ![Image of upload file property List file.](images/jamfpro-plist-file.png)
+ :::image type="content" source="images/jamfpro-plist-file.png" alt-text="The upload file property List file" lightbox="images/jamfpro-plist-file.png":::
6. Select **Open** and select the onboarding file.
- ![Image of onboarding file.](images/jamfpro-plist-file-onboard.png)
+ :::image type="content" source="images/jamfpro-plist-file-onboard.png" alt-text="The onboarding file" lightbox="images/jamfpro-plist-file-onboard.png":::
7. Select **Upload**.
- ![Image of uploading plist file.](images/jamfpro-upload-plist.png)
+ :::image type="content" source="images/jamfpro-upload-plist.png" alt-text="The uploading plist file" lightbox="images/jamfpro-upload-plist.png":::
8. Select the **Scope** tab.
- ![Image of scope tab.](images/jamfpro-scope-tab.png)
+ :::image type="content" source="images/jamfpro-scope-tab.png" alt-text="The Scope tab" lightbox="images/jamfpro-scope-tab.png":::
9. Select the target computers.
- ![Image of target computers.](images/jamfpro-target-computer.png)
+ :::image type="content" source="images/jamfpro-target-computer.png" alt-text="The target computers" lightbox="images/jamfpro-target-computer.png":::
- ![Image of targets.](images/jamfpro-targets.png)
+ :::image type="content" source="images/jamfpro-targets.png" alt-text="The targets" lightbox="images/jamfpro-targets.png":::
10. Select **Save**.
- ![Image of deployment target computers.](images/jamfpro-deployment-target.png)
+ :::image type="content" source="images/jamfpro-deployment-target.png" alt-text="The deployment of target computers" lightbox="images/jamfpro-deployment-target.png":::
- ![Image of target computers selected.](images/jamfpro-target-selected.png)
+ :::image type="content" source="images/jamfpro-target-selected.png" alt-text="The selection of target computers" lightbox="images/jamfpro-target-selected.png":::
11. Select **Done**.
- ![Image of target group computers.](images/jamfpro-target-group.png)
+ :::image type="content" source="images/jamfpro-target-group.png" alt-text="The computers of a target group" lightbox="images/jamfpro-target-group.png":::
- ![List of configuration profiles.](images/jamfpro-configuration-policies.png)
+ :::image type="content" source="images/jamfpro-configuration-policies.png" alt-text="The list of configuration profiles" lightbox="images/jamfpro-configuration-policies.png":::
## Step 3: Configure Microsoft Defender for Endpoint settings
Note that you must use exact `com.microsoft.wdav` as the **Preference Domain**,
2. Create a new Configuration Profile under Computers -> Configuration Profiles, enter the following details on the **General** tab:
- ![New profile.](images/644e0f3af40c29e80ca1443535b2fe32.png)
+ :::image type="content" source="images/644e0f3af40c29e80ca1443535b2fe32.png" alt-text="A new profile" lightbox="images/644e0f3af40c29e80ca1443535b2fe32.png":::
- Name: MDATP MDAV configuration settings - Description:\<blank\>
Note that you must use exact `com.microsoft.wdav` as the **Preference Domain**,
3. Scroll down to the **Application & Custom Settings** tab, select **External Applications**, click **Add** and use **Custom Schema** as Source to use for the preference domain.
- ![Add custom schema.](images/4137189bc3204bb09eed3aabc41afd78.png)
+ :::image type="content" source="images/4137189bc3204bb09eed3aabc41afd78.png" alt-text="Add custom schema" lightbox="images/4137189bc3204bb09eed3aabc41afd78.png":::
4. Enter `com.microsoft.wdav` as the Preference Domain, click on **Add Schema** and **Upload** the schema.json file downloaded on Step 1. Click **Save**.
- ![Upload schema.](images/a6f9f556037c42fabcfdcb1b697244cf.png)
+ :::image type="content" source="images/a6f9f556037c42fabcfdcb1b697244cf.png" alt-text="Upload schema" lightbox="images/a6f9f556037c42fabcfdcb1b697244cf.png":::
5. You can see all supported Microsoft Defender for Endpoint configuration settings below, under **Preference Domain Properties**. Click **Add/Remove properties** to select the settings that you want to be managed, and click **Ok** to save your changes. (Settings left unselected will not be included into the managed configuration, an end user will be able to configure those settings on their machines.)
- ![Select managed settings.](images/817b3b760d11467abe9bdd519513f54f.png)
+ :::image type="content" source="images/817b3b760d11467abe9bdd519513f54f.png" alt-text="The chosen managed settings" lightbox="images/817b3b760d11467abe9bdd519513f54f.png":::
6. Change values of the settings to desired values. You can click **More information** to get documentation for a particular setting. (You may click **Plist preview** to inspect what the configuration plist will look like. Click **Form editor** to return to the visual editor.)
- ![Change settings values.](images/a14a79efd5c041bb8974cb5b12b3a9b6.png)
+ :::image type="content" source="images/a14a79efd5c041bb8974cb5b12b3a9b6.png" alt-text="The page on which you change the settings values" lightbox="images/a14a79efd5c041bb8974cb5b12b3a9b6.png":::
7. Select the **Scope** tab.
- ![Configuration profile scope.](images/9fc17529e5577eefd773c658ec576a7d.png)
+ :::image type="content" source="images/9fc17529e5577eefd773c658ec576a7d.png" alt-text="The Configuration profile scope" lightbox="images/9fc17529e5577eefd773c658ec576a7d.png":::
8. Select **Contoso's Machine Group**. 9. Select **Add**, then select **Save**.
- ![Configuration settings - add.](images/cf30438b5512ac89af1d11cbf35219a6.png)
+ :::image type="content" source="images/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The page on which you can add the Configuration settings" lightbox="images/cf30438b5512ac89af1d11cbf35219a6.png":::
- ![Configuration settings - save.](images/6f093e42856753a3955cab7ee14f12d9.png)
+ :::image type="content" source="images/6f093e42856753a3955cab7ee14f12d9.png" alt-text="The page on which you can save the Configuration settings" lightbox="images/6f093e42856753a3955cab7ee14f12d9.png":::
10. Select **Done**. You'll see the new **Configuration profile**.
- ![Configuration settings - done.](images/dd55405106da0dfc2f50f8d4525b01c8.png)
+ :::image type="content" source="images/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The page on which you complete the Configuration settings" lightbox="images/dd55405106da0dfc2f50f8d4525b01c8.png":::
Microsoft Defender for Endpoint adds new settings over time. These new settings will be added to the schema, and a new version will be published to Github. All you need to do to have updates is to download an updated schema, edit existing configuration profile, and **Edit schema** at the **Application & Custom Settings** tab.
All you need to do to have updates is to download an updated schema, edit existi
3. In the Jamf Pro dashboard, open **Computers**, and their **Configuration Profiles**. Click **New** and switch to the **General** tab.
- ![New profile.](images/644e0f3af40c29e80ca1443535b2fe32.png)
+ :::image type="content" source="images/644e0f3af40c29e80ca1443535b2fe32.png" alt-text="The page displaying a new profile" lightbox="images/644e0f3af40c29e80ca1443535b2fe32.png":::
4. Enter the following details:
All you need to do to have updates is to download an updated schema, edit existi
- Distribution Method: Install Automatically(default) - Level: Computer Level(default)
- ![Image of MDATP MDAV configuration settings.](images/3160906404bc5a2edf84d1d015894e3b.png)
+ :::image type="content" source="images/3160906404bc5a2edf84d1d015894e3b.png" alt-text="The MDATP MDAV configuration settings" lightbox="images/3160906404bc5a2edf84d1d015894e3b.png":::
5. In **Application & Custom Settings** select **Configure**.
- ![Image of app and custom settings.](images/e1cc1e48ec9d5d688087b4d771e668d2.png)
+ :::image type="content" source="images/e1cc1e48ec9d5d688087b4d771e668d2.png" alt-text="The application and custom settings" lightbox="images/e1cc1e48ec9d5d688087b4d771e668d2.png":::
6. Select **Upload File (PLIST file)**.
- ![Image of configuration settings plist file.](images/6f85269276b2278eca4bce84f935f87b.png)
+ :::image type="content" source="images/6f85269276b2278eca4bce84f935f87b.png" alt-text="The configuration settings plist file" lightbox="images/6f85269276b2278eca4bce84f935f87b.png":::
7. In **Preferences Domain**, enter `com.microsoft.wdav`, then select **Upload PLIST File**.
- ![Image of configuration settings preferences domain.](images/db15f147dd959e872a044184711d7d46.png)
+ :::image type="content" source="images/db15f147dd959e872a044184711d7d46.png" alt-text="The configuration settings preferences domain" lightbox="images/db15f147dd959e872a044184711d7d46.png":::
8. Select **Choose File**.
- ![Image of configuration settings choose file.](images/526e978761fc571cca06907da7b01fd6.png)
+ :::image type="content" source="images/526e978761fc571cca06907da7b01fd6.png" alt-text="The prompt to choose the plist file" lightbox="images/526e978761fc571cca06907da7b01fd6.png":::
9. Select the **MDATP_MDAV_configuration_settings.plist**, then select **Open**.
- ![Image of mdatpmdav configuration settings.](images/98acea3750113b8dbab334296e833003.png)
+ :::image type="content" source="images/98acea3750113b8dbab334296e833003.png" alt-text="The mdatpmdav configuration settings" lightbox="images/98acea3750113b8dbab334296e833003.png":::
10. Select **Upload**.
- ![Image of configuration setting upload.](images/0adb21c13206861ba9b30a879ade93d3.png)
+ :::image type="content" source="images/0adb21c13206861ba9b30a879ade93d3.png" alt-text="The configuration setting upload" lightbox="images/0adb21c13206861ba9b30a879ade93d3.png":::
- ![Image of configuration settings upload image.](images/f624de59b3cc86e3e2d32ae5de093e02.png)
+ :::image type="content" source="images/f624de59b3cc86e3e2d32ae5de093e02.png" alt-text="The prompt to upload the image related to the configuration settings" lightbox="images/f624de59b3cc86e3e2d32ae5de093e02.png":::
> [!NOTE] > If you happen to upload the Intune file, you'll get the following error: >
- >![Image of configuration settings intune file upload.](images/8e69f867664668796a3b2904896f0436.png)
+ > :::image type="content" source="images/8e69f867664668796a3b2904896f0436.png" alt-text="The prompt to upload the intune file related to the configuration settings" lightbox="images/8e69f867664668796a3b2904896f0436.png":::
11. Select **Save**.
- ![Image of configuration settings Save image.](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png)
+ :::image type="content" source="images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png" alt-text="The option to save the image related to the configuration settings" lightbox="images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png":::
12. The file is uploaded.
- ![Image of configuration settings file uploaded image.](images/33e2b2a1611fdddf6b5b79e54496e3bb.png)
+ :::image type="content" source="images/33e2b2a1611fdddf6b5b79e54496e3bb.png" alt-text="The uploaded file related to the configuration settings" lightbox="images/33e2b2a1611fdddf6b5b79e54496e3bb.png":::
- ![Image of configuration settings file uploaded.](images/a422e57fe8d45689227e784443e51bd1.png)
+ :::image type="content" source="images/a422e57fe8d45689227e784443e51bd1.png" alt-text="The configuration settings page" lightbox="images/a422e57fe8d45689227e784443e51bd1.png":::
13. Select the **Scope** tab.
- ![Image of configuration settings scope.](images/9fc17529e5577eefd773c658ec576a7d.png)
+ :::image type="content" source="images/9fc17529e5577eefd773c658ec576a7d.png" alt-text="The scope for the configuration settings" lightbox="images/9fc17529e5577eefd773c658ec576a7d.png":::
14. Select **Contoso's Machine Group**. 15. Select **Add**, then select **Save**.
- ![Image of configuration settings addsav.](images/cf30438b5512ac89af1d11cbf35219a6.png)
+ :::image type="content" source="images/cf30438b5512ac89af1d11cbf35219a6.png" alt-text="The configuration settings addsav" lightbox="images/cf30438b5512ac89af1d11cbf35219a6.png":::
- ![Image of configuration settings save add.](images/6f093e42856753a3955cab7ee14f12d9.png)
+ :::image type="content" source="images/6f093e42856753a3955cab7ee14f12d9.png" alt-text="The notification of configuration settings" lightbox="images/6f093e42856753a3955cab7ee14f12d9.png":::
16. Select **Done**. You'll see the new **Configuration profile**. ![Image of configuration settings config profile image.](images/dd55405106da0dfc2f50f8d4525b01c8.png)
+ :::image type="content" source="images/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The config profile's settings" lightbox="images/dd55405106da0dfc2f50f8d4525b01c8.png":::
## Step 4: Configure notifications settings
These steps are applicable of macOS 10.15 (Catalina) or newer.
- **Distribution Method**: Install Automatically *(default)* - **Level**: Computer Level *(default)*
- ![Image of new macOS configuration profile screen.](images/c9820a5ff84aaf21635c04a23a97ca93.png)
+ :::image type="content" source="images/c9820a5ff84aaf21635c04a23a97ca93.png" alt-text="The new macOS configuration profile page" lightbox="images/c9820a5ff84aaf21635c04a23a97ca93.png":::
- Tab **Notifications**, click **Add**, and enter the following values: - **Bundle ID**: `com.microsoft.wdav.tray`
These steps are applicable of macOS 10.15 (Catalina) or newer.
- **Notifications in Notification Center**: Click **Display** - **Badge app icon**: Click **Display**
- ![Image of configuration settings mdatpmdav notifications tray.](images/7f9138053dbcbf928e5182ee7b295ebe.png)
+ :::image type="content" source="images/7f9138053dbcbf928e5182ee7b295ebe.png" alt-text="The configuration settings mdatpmdav notifications tray" lightbox="images/7f9138053dbcbf928e5182ee7b295ebe.png":::
- Tab **Notifications**, click **Add** one more time, scroll down to **New Notifications Settings** - **Bundle ID**: `com.microsoft.autoupdate2` - Configure the rest of the settings to the same values as above
- ![Image of configuration settings mdatpmdav notifications mau.](images/4bac6ce277aedfb4a674f2d9fcb2599a.png)
+ :::image type="content" source="images/4bac6ce277aedfb4a674f2d9fcb2599a.png" alt-text="The configuration settings mdatpmdav notifications mau" lightbox="images/4bac6ce277aedfb4a674f2d9fcb2599a.png":::
Note that now you have two 'tables' with notification configurations, one for **Bundle ID: com.microsoft.wdav.tray**, and another for **Bundle ID: com.microsoft.autoupdate2**. While you can configure alert settings per your requirements, Bundle IDs must be exactly the same as described before, and **Include** switch must be **On** for **Notifications**. 3. Select the **Scope** tab, then select **Add**.
- ![Image of configuration settings scope add.](images/441aa2ecd36abadcdd8aed03556080b5.png)
+ :::image type="content" source="images/441aa2ecd36abadcdd8aed03556080b5.png" alt-text="The page on which you can add values for the configuration settings" lightbox="images/441aa2ecd36abadcdd8aed03556080b5.png":::
4. Select **Contoso's Machine Group**. 5. Select **Add**, then select **Save**.
- ![Image of configuration settings contoso machine grp save.](images/09a275e321268e5e3ac0c0865d3e2db5.png)
+ :::image type="content" source="images/09a275e321268e5e3ac0c0865d3e2db5.png" alt-text="The page on which you can save values for the configuration settings contoso machine group" lightbox="images/09a275e321268e5e3ac0c0865d3e2db5.png":::
- ![Image of configuration settings add save.](images/4d2d1d4ee13d3f840f425924c3df0d51.png)
+ :::image type="content" source="images/4d2d1d4ee13d3f840f425924c3df0d51.png" alt-text="The page that displays the completion notification of the configuration settings" lightbox="images/4d2d1d4ee13d3f840f425924c3df0d51.png":::
6. Select **Done**. You'll see the new **Configuration profile**.
- ![Image of configuration setting done img.](images/633ad26b8bf24ec683c98b2feb884bdf.png)
+ :::image type="content" source="images/633ad26b8bf24ec683c98b2feb884bdf.png" alt-text="The completed configuration settings" lightbox="images/633ad26b8bf24ec683c98b2feb884bdf.png":::
## Step 5: Configure Microsoft AutoUpdate (MAU)
These steps are applicable of macOS 10.15 (Catalina) or newer.
3. In the Jamf Pro dashboard, select **General**.
- ![Image of configuration setting general image.](images/eaba2a23dd34f73bf59e826217ba6f15.png)
+ :::image type="content" source="images/eaba2a23dd34f73bf59e826217ba6f15.png" alt-text="The configuration settings" lightbox="images/eaba2a23dd34f73bf59e826217ba6f15.png":::
4. Enter the following details:
These steps are applicable of macOS 10.15 (Catalina) or newer.
5. In **Application & Custom Settings** select **Configure**.
- ![Image of configuration setting app and custom settings.](images/1f72e9c15eaafcabf1504397e99be311.png)
+ :::image type="content" source="images/1f72e9c15eaafcabf1504397e99be311.png" alt-text="The configuration setting application and custom settings" lightbox="images/1f72e9c15eaafcabf1504397e99be311.png":::
6. Select **Upload File (PLIST file)**.
- ![Image of configuration setting plist.](images/1213872db5833aa8be535da57653219f.png)
- 7. In **Preference Domain** enter: `com.microsoft.autoupdate2`, then select **Upload PLIST File**.
- ![Image of configuration setting pref domain.](images/1213872db5833aa8be535da57653219f.png)
+ :::image type="content" source="images/1213872db5833aa8be535da57653219f.png" alt-text="The configuration setting preference domain" lightbox="images/1213872db5833aa8be535da57653219f.png":::
+
8. Select **Choose File**.
- ![Image of configuration setting choosefile.](images/335aff58950ce62d1dabc289ecdce9ed.png)
+ :::image type="content" source="images/335aff58950ce62d1dabc289ecdce9ed.png" alt-text="The prompt to choose the file regarding configuration setting" lightbox="images/335aff58950ce62d1dabc289ecdce9ed.png":::
9. Select **MDATP_MDAV_MAU_settings.plist**.
- ![Image of configuration setting mdatpmdavmau settings.](images/a26bd4967cd54bb113a2c8d32894c3de.png)
+ :::image type="content" source="images/a26bd4967cd54bb113a2c8d32894c3de.png" alt-text="The mdatpmdavmau settings" lightbox="images/a26bd4967cd54bb113a2c8d32894c3de.png":::
10. Select **Upload**.
- ![Image of configuration setting uplimage.](images/4239ca0528efb0734e4ca0b490bfb22d.png)
+ :::image type="content" source="images/4239ca0528efb0734e4ca0b490bfb22d.png" alt-text="The upload of the file regarding configuration setting" lightbox="images/4239ca0528efb0734e4ca0b490bfb22d.png":::
- ![Image of configuration setting uplimg.](images/4ec20e72c8aed9a4c16912e01692436a.png)
+ :::image type="content" source="images/4ec20e72c8aed9a4c16912e01692436a.png" alt-text="The page displaying the upload option for the file regarding configuration setting" lightbox="images/4ec20e72c8aed9a4c16912e01692436a.png":::
11. Select **Save**.
- ![Image of configuration setting saveimg.](images/253274b33e74f3f5b8d475cf8692ce4e.png)
+ :::image type="content" source="images/253274b33e74f3f5b8d475cf8692ce4e.png" alt-text="The page displaying the save option for the file regarding configuration setting" lightbox="images/253274b33e74f3f5b8d475cf8692ce4e.png":::
12. Select the **Scope** tab.
- ![Image of configuration setting scopetab.](images/10ab98358b2d602f3f67618735fa82fb.png)
+ :::image type="content" source="images/10ab98358b2d602f3f67618735fa82fb.png" alt-text="The Scope tab for the configuration settings" lightbox="images/10ab98358b2d602f3f67618735fa82fb.png":::
13. Select **Add**.
- ![Image of configuration setting addimg1.](images/56e6f6259b9ce3c1706ed8d666ae4947.png)
+ :::image type="content" source="images/56e6f6259b9ce3c1706ed8d666ae4947.png" alt-text="The option to add deployment targets" lightbox="images/56e6f6259b9ce3c1706ed8d666ae4947.png":::
- ![Image of configuration setting addimg2.](images/38c67ee1905c4747c3b26c8eba57726b.png)
+ :::image type="content" source="images/38c67ee1905c4747c3b26c8eba57726b.png" alt-text="The page on which you add more values to the configuration settings" lightbox="images/38c67ee1905c4747c3b26c8eba57726b.png":::
- ![Image of configuration setting addimg3.](images/321ba245f14743c1d5d51c15e99deecc.png)
+ :::image type="content" source="images/321ba245f14743c1d5d51c15e99deecc.png" alt-text="The page on which you can add more values to the configuration settings" lightbox="images/321ba245f14743c1d5d51c15e99deecc.png":::
14. Select **Done**.
- ![Image of configuration setting doneimage.](images/ba44cdb77e4781aa8b940fb83e3c21f7.png)
+ :::image type="content" source="images/ba44cdb77e4781aa8b940fb83e3c21f7.png" alt-text="The completion notification regarding the configuration settings" lightbox="images/ba44cdb77e4781aa8b940fb83e3c21f7.png":::
## Step 6: Grant full disk access to Microsoft Defender for Endpoint 1. In the Jamf Pro dashboard, select **Configuration Profiles**.
- ![Image of configuration setting config profile.](images/264493cd01e62c7085659d6fdc26dc91.png)
+ :::image type="content" source="images/264493cd01e62c7085659d6fdc26dc91.png" alt-text="The profile for which settings are to be configured" lightbox="images/264493cd01e62c7085659d6fdc26dc91.png":::
2. Select **+ New**.
These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution method: Install Automatically - Level: Computer level
- ![Image of configuration setting general.](images/ba3d40399e1a6d09214ecbb2b341923f.png)
+ :::image type="content" source="images/ba3d40399e1a6d09214ecbb2b341923f.png" alt-text="The configuration setting in general" lightbox="images/ba3d40399e1a6d09214ecbb2b341923f.png":::
+
4. In **Configure Privacy Preferences Policy Control** select **Configure**.
- ![Image of configuration privacy policy control.](images/715ae7ec8d6a262c489f94d14e1e51bb.png)
+ :::image type="content" source="images/715ae7ec8d6a262c489f94d14e1e51bb.png" alt-text="The configuration privacy policy control" lightbox="images/715ae7ec8d6a262c489f94d14e1e51bb.png":::
5. In **Privacy Preferences Policy Control**, enter the following details:
These steps are applicable of macOS 10.15 (Catalina) or newer.
- Identifier Type: Bundle ID - Code Requirement: `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
- ![Image of configuration setting privacy preference policy control details.](images/22cb439de958101c0a12f3038f905b27.png)
+ :::image type="content" source="images/22cb439de958101c0a12f3038f905b27.png" alt-text="The configuration setting privacy preference policy control details" lightbox="images/22cb439de958101c0a12f3038f905b27.png":::
6. Select **+ Add**.
- ![Image of configuration setting add system policy all files.](images/bd93e78b74c2660a0541af4690dd9485.png)
+ :::image type="content" source="images/bd93e78b74c2660a0541af4690dd9485.png" alt-text="The configuration setting add system policy all files option" lightbox="images/bd93e78b74c2660a0541af4690dd9485.png":::
- Under App or service: Set to **SystemPolicyAllFiles**
These steps are applicable of macOS 10.15 (Catalina) or newer.
7. Select **Save** (not the one at the bottom right).
- ![Image of configuration setting save images.](images/6de50b4a897408ddc6ded56a09c09fe2.png)
+ :::image type="content" source="images/6de50b4a897408ddc6ded56a09c09fe2.png" alt-text="The save operation for the configuration setting" lightbox="images/6de50b4a897408ddc6ded56a09c09fe2.png":::
8. Click the `+` sign next to **App Access** to add a new entry.
- ![Image of configuration setting app access.](images/tcc-add-entry.png)
+ :::image type="content" source="images/tcc-add-entry.png" alt-text="The save operation relating to the configuration setting" lightbox="images/tcc-add-entry.png":::
9. Enter the following details:
These steps are applicable of macOS 10.15 (Catalina) or newer.
10. Select **+ Add**.
- ![Image of configuration setting tcc epsext entry.](images/tcc-epsext-entry.png)
+ :::image type="content" source="images/tcc-epsext-entry.png" alt-text="The configuration setting tcc epsext entry" lightbox="images/tcc-epsext-entry.png":::
- Under App or service: Set to **SystemPolicyAllFiles**
These steps are applicable of macOS 10.15 (Catalina) or newer.
11. Select **Save** (not the one at the bottom right).
- ![Image of configuration setting tcc epsext image2.](images/tcc-epsext-entry2.png)
+ :::image type="content" source="images/tcc-epsext-entry2.png" alt-text="The other instance of configuration setting tcc epsext" lightbox="images/tcc-epsext-entry2.png":::
12. Select the **Scope** tab.
- ![Image of configuration setting scope.](images/2c49b16cd112729b3719724f581e6882.png)
+ :::image type="content" source="images/2c49b16cd112729b3719724f581e6882.png" alt-text="The page depicting the scope for the configuration setting" lightbox="images/2c49b16cd112729b3719724f581e6882.png":::
13. Select **+ Add**.
- ![Image of configuration setting addimage.](images/57cef926d1b9260fb74a5f460cee887a.png)
+ :::image type="content" source="images/57cef926d1b9260fb74a5f460cee887a.png" alt-text="The page depicting the configuration setting" lightbox="images/57cef926d1b9260fb74a5f460cee887a.png":::
14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
- ![Image of configuration setting contoso machinegrp.](images/368d35b3d6179af92ffdbfd93b226b69.png)
+ :::image type="content" source="images/368d35b3d6179af92ffdbfd93b226b69.png" alt-text="The configuration setting contoso machine group" lightbox="images/368d35b3d6179af92ffdbfd93b226b69.png":::
15. Select **Add**.
These steps are applicable of macOS 10.15 (Catalina) or newer.
17. Select **Done**.
- ![Image of configuration setting donimg.](images/809cef630281b64b8f07f20913b0039b.png)
+ :::image type="content" source="images/809cef630281b64b8f07f20913b0039b.png" alt-text="The configuration setting contoso machine-group" lightbox="images/809cef630281b64b8f07f20913b0039b.png":::
- ![Image of configuration setting donimg2.](images/6c8b406ee224335a8c65d06953dc756e.png)
+ :::image type="content" source="images/6c8b406ee224335a8c65d06953dc756e.png" alt-text="The configuration setting illustration" lightbox="images/6c8b406ee224335a8c65d06953dc756e.png":::
Alternatively, you can download [fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and upload it to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro
1. In the **Configuration Profiles**, select **+ New**.
- ![A screenshot of a social media post Description automatically generated.](images/6c8b406ee224335a8c65d06953dc756e.png)
+ :::image type="content" source="images/6c8b406ee224335a8c65d06953dc756e.png" alt-text="The social media post Description automatically generated" lightbox="images/6c8b406ee224335a8c65d06953dc756e.png":::
2. Enter the following details:
Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro
- Distribution Method: Install Automatically - Level: Computer Level
- ![Image of configuration settings mdatpmdav kernel.](images/24e290f5fc309932cf41f3a280d22c14.png)
+ :::image type="content" source="images/24e290f5fc309932cf41f3a280d22c14.png" alt-text="The configuration settings mdatpmdav kernel" lightbox="images/24e290f5fc309932cf41f3a280d22c14.png":::
3. In **Configure Approved Kernel Extensions** select **Configure**.
- ![Image of configuration settings approved kernel ext.](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
+ :::image type="content" source="images/30be88b63abc5e8dde11b73f1b1ade6a.png" alt-text="The page displaying the configuration settings approved kernel extensions" lightbox="images/30be88b63abc5e8dde11b73f1b1ade6a.png":::
4. In **Approved Kernel Extensions** Enter the following details: - Display Name: Microsoft Corp. - Team ID: UBF8T346G9
- ![Image of configuration settings appr kernel extension.](images/39cf120d3ac3652292d8d1b6d057bd60.png)
+ :::image type="content" source="images/39cf120d3ac3652292d8d1b6d057bd60.png" alt-text="The Approved Kernel Extensions pane" lightbox="images/39cf120d3ac3652292d8d1b6d057bd60.png":::
5. Select the **Scope** tab.
- ![Image of configuration settings scope tab img.](images/0df36fc308ba569db204ee32db3fb40a.png)
+ :::image type="content" source="images/0df36fc308ba569db204ee32db3fb40a.png" alt-text="The Scope tab for the configuration" lightbox="images/0df36fc308ba569db204ee32db3fb40a.png":::
6. Select **+ Add**.
Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro
8. Select **+ Add**.
- ![Image of configuration settings add images.](images/0dde8a4c41110dbc398c485433a81359.png)
+ :::image type="content" source="images/0dde8a4c41110dbc398c485433a81359.png" alt-text="The page on which you define additional values for the configuration settings" lightbox="images/0dde8a4c41110dbc398c485433a81359.png":::
9. Select **Save**.
- ![Image of configuration settings saveimag.](images/0add8019b85a453b47fa5c402c72761b.png)
+ :::image type="content" source="images/0add8019b85a453b47fa5c402c72761b.png" alt-text="The MDATP MDAV Kernel extension" lightbox="images/0add8019b85a453b47fa5c402c72761b.png":::
10. Select **Done**.
- ![Image of configuration settings doneimag.](images/1c9bd3f68db20b80193dac18f33c22d0.png)
+ :::image type="content" source="images/1c9bd3f68db20b80193dac18f33c22d0.png" alt-text="The Configuration Profiles details page" lightbox="images/1c9bd3f68db20b80193dac18f33c22d0.png":::
Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/kext.mobileconfig) and upload it to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft
1. In the **Configuration Profiles**, select **+ New**.
- ![A screenshot of a social media post Description automatically generated.](images/6c8b406ee224335a8c65d06953dc756e.png)
+ :::image type="content" source="images/6c8b406ee224335a8c65d06953dc756e.png" alt-text="The automatically generated social media post's description" lightbox="images/6c8b406ee224335a8c65d06953dc756e.png":::
2. Enter the following details:
Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft
- Distribution Method: Install Automatically - Level: Computer Level
- ![Image of configuration settings sysext new prof.](images/sysext-new-profile.png)
+ :::image type="content" source="images/sysext-new-profile.png" alt-text="The configuration settings sysext new profile" lightbox="images/sysext-new-profile.png":::
3. In **System Extensions** select **Configure**.
- ![Image of configuration settings sysext config.](images/sysext-configure.png)
+ :::image type="content" source="images/sysext-configure.png" alt-text="The pane with the Configure option for the system extensions" lightbox="images/sysext-configure.png":::
4. In **System Extensions** enter the following details:
Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft
- **com.microsoft.wdav.epsext** - **com.microsoft.wdav.netext**
- ![Image of configuration settings sysextconfig2.](images/sysext-configure2.png)
+ :::image type="content" source="images/sysext-configure2.png" alt-text="The MDATP MDAV system extensions pane" lightbox="images/sysext-configure2.png":::
5. Select the **Scope** tab.
- ![Image of configuration settings scopeimage.](images/0df36fc308ba569db204ee32db3fb40a.png)
+ :::image type="content" source="images/0df36fc308ba569db204ee32db3fb40a.png" alt-text="The Target Computers selection pane" lightbox="images/0df36fc308ba569db204ee32db3fb40a.png":::
6. Select **+ Add**.
Alternatively, you can download [kext.mobileconfig](https://github.com/microsoft
8. Select **+ Add**.
- ![Image of configuration settings addima.](images/0dde8a4c41110dbc398c485433a81359.png)
+ :::image type="content" source="images/0dde8a4c41110dbc398c485433a81359.png" alt-text="The New macOS Configuration Profile pane" lightbox="images/0dde8a4c41110dbc398c485433a81359.png":::
9. Select **Save**.
- ![Image of configuration settings sysext scope.](images/sysext-scope.png)
+ :::image type="content" source="images/sysext-scope.png" alt-text="The display of options regarding MDATP MDAV System Extensions" lightbox="images/sysext-scope.png":::
10. Select **Done**.
- ![Image of configuration settings sysext-final.](images/sysext-final.png)
+ :::image type="content" source="images/sysext-final.png" alt-text="The configuration settings sysext - final" lightbox="images/sysext-final.png":::
## Step 9: Configure Network Extension
These steps are applicable of macOS 10.15 (Catalina) or newer.
Note that **Identifier**, **Socket Filter** and **Socket Filter Designated Requirement** exact values as specified above.
- ![Image of configuration setting mdatpmdav.](images/netext-create-profile.png)
-
- > [!NOTE]
- > Jamf supports built-in content filter settings which can be set directly through the interface.
+ :::image type="content" source="images/netext-create-profile.png" alt-text="The mdatpmdav configuration setting" lightbox="images/netext-create-profile.png":::
3. Select the **Scope** tab.
- ![Image of configuration settings sco tab.](images/0df36fc308ba569db204ee32db3fb40a.png)
+ :::image type="content" source="images/0df36fc308ba569db204ee32db3fb40a.png" alt-text="The configuration settings sco tab" lightbox="images/0df36fc308ba569db204ee32db3fb40a.png":::
4. Select **+ Add**.
These steps are applicable of macOS 10.15 (Catalina) or newer.
6. Select **+ Add**.
- ![Image of configuration settings adim.](images/0dde8a4c41110dbc398c485433a81359.png)
+ :::image type="content" source="images/0dde8a4c41110dbc398c485433a81359.png" alt-text="The configuration settings adim" lightbox="images/0dde8a4c41110dbc398c485433a81359.png":::
7. Select **Save**.
- ![Image of configuration settings savimg netextscop.](images/netext-scope.png)
+ :::image type="content" source="images/netext-scope.png" alt-text="The Content Filter pane" lightbox="images/netext-scope.png":::
8. Select **Done**.
- ![Image of configuration settings netextfinal.](images/netext-final.png)
+ :::image type="content" source="images/netext-final.png" alt-text="The configuration settings netext - final" lightbox="images/netext-final.png":::
Alternatively, you can download [netfilter.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig) and upload it to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro).
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
1. Navigate to where you saved `wdav.pkg`.
- ![Image of file explorer wdav pkg.](images/8dde76b5463047423f8637c86b05c29d.png)
+ :::image type="content" source="images/8dde76b5463047423f8637c86b05c29d.png" alt-text="The file explorer wdav package" lightbox="images/8dde76b5463047423f8637c86b05c29d.png":::
2. Rename it to `wdav_MDM_Contoso_200329.pkg`.
- ![Image of file explorer1 wdavmdmpkg.](images/fb2220fed3a530f4b3ef36f600da0c27.png)
+ :::image type="content" source="images/fb2220fed3a530f4b3ef36f600da0c27.png" alt-text="The file explorer1 wdavmdm package" lightbox="images/fb2220fed3a530f4b3ef36f600da0c27.png":::
3. Open the Jamf Pro dashboard.
- ![Image of configuration settings jamfpro.](images/990742cd9a15ca9fdd37c9f695d1b9f4.png)
+ :::image type="content" source="images/990742cd9a15ca9fdd37c9f695d1b9f4.png" alt-text="The configuration settings for jamfpro" lightbox="images/990742cd9a15ca9fdd37c9f695d1b9f4.png":::
4. Select your computer and click the gear icon at the top, then select **Computer Management**.
- ![Image of configuration settings compmgmt.](images/b6d671b2f18b89d96c1c8e2ea1991242.png)
+ :::image type="content" source="images/b6d671b2f18b89d96c1c8e2ea1991242.png" alt-text="The configuration settings - computer management" lightbox="images/b6d671b2f18b89d96c1c8e2ea1991242.png":::
5. In **Packages**, select **+ New**.
- ![A picture containing bird Description automatically generated package new.](images/57aa4d21e2ccc65466bf284701d4e961.png)
+ :::image type="content" source="images/57aa4d21e2ccc65466bf284701d4e961.png" alt-text="The bird Description for an automatically generated package" lightbox="images/57aa4d21e2ccc65466bf284701d4e961.png":::
6. In **New Package** Enter the following details:
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
- Category: None (default) - Filename: Choose File
- ![Image of configuration settings general tab.](images/21de3658bf58b1b767a17358a3f06341.png)
+ :::image type="content" source="images/21de3658bf58b1b767a17358a3f06341.png" alt-text="The General tab for configuration settings" lightbox="images/21de3658bf58b1b767a17358a3f06341.png":::
Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`.
- ![A screenshot of a computer screen Description automatically generated.](images/1aa5aaa0a387f4e16ce55b66facc77d1.png)
+ :::image type="content" source="images/1aa5aaa0a387f4e16ce55b66facc77d1.png" alt-text="The computer screen displaying the description for an automatically generated package" lightbox="images/1aa5aaa0a387f4e16ce55b66facc77d1.png":::
7. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
**Limitations tab**: Keep default values.
- ![Image of configuration settings limitation tab.](images/56dac54634d13b2d3948ab50e8d3ef21.png)
+ :::image type="content" source="images/56dac54634d13b2d3948ab50e8d3ef21.png" alt-text="The limitation tab for the configuration settings" lightbox="images/56dac54634d13b2d3948ab50e8d3ef21.png":::
8. Select **Save**. The package is uploaded to Jamf Pro.
- ![Image of configuration settings pack upl jamf pro.](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
+ :::image type="content" source="images/33f1ecdc7d4872555418bbc3efe4b7a3.png" alt-text="The configuration settings pack uploading process for the package related to the configuration settings" lightbox="images/33f1ecdc7d4872555418bbc3efe4b7a3.png":::
It can take a few minutes for the package to be available for deployment.
- ![Image of configuration settings pack upl.](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
+ :::image type="content" source="images/1626d138e6309c6e87bfaab64f5ccf7b.png" alt-text="An instance of uploading the package for configuration settings" lightbox="images/1626d138e6309c6e87bfaab64f5ccf7b.png":::
9. Navigate to the **Policies** page.
- ![Image of configuration settings polocies.](images/f878f8efa5ebc92d069f4b8f79f62c7f.png)
+ :::image type="content" source="images/f878f8efa5ebc92d069f4b8f79f62c7f.png" alt-text="The configuration settings policies" lightbox="images/f878f8efa5ebc92d069f4b8f79f62c7f.png":::
10. Select **+ New** to create a new policy.
- ![Image of configuration settings new policy.](images/847b70e54ed04787e415f5180414b310.png)
+ :::image type="content" source="images/847b70e54ed04787e415f5180414b310.png" alt-text="The configuration settings new policy" lightbox="images/847b70e54ed04787e415f5180414b310.png":::
11. In **General** Enter the following details: - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
- ![Image of configuration settingsmdatponboard.](images/625ba6d19e8597f05e4907298a454d28.png)
+ :::image type="content" source="images/625ba6d19e8597f05e4907298a454d28.png" alt-text="The configuration settings - MDATP onboard" lightbox="images/625ba6d19e8597f05e4907298a454d28.png":::
12. Select **Recurring Check-in**.
- ![Image of configuration settings recur checkin.](images/68bdbc5754dfc80aa1a024dde0fce7b0.png)
+ :::image type="content" source="images/68bdbc5754dfc80aa1a024dde0fce7b0.png" alt-text="The recurring check-in for the configuration settings" lightbox="images/68bdbc5754dfc80aa1a024dde0fce7b0.png":::
13. Select **Save**. 14. Select **Packages > Configure**.
- ![Image of configuration settings pack configure.](images/8fb4cc03721e1efb4a15867d5241ebfb.png)
+ :::image type="content" source="images/8fb4cc03721e1efb4a15867d5241ebfb.png" alt-text="The option to configure packages" lightbox="images/8fb4cc03721e1efb4a15867d5241ebfb.png":::
15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
- ![Image of configuration settings MDATP and MDA add.](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
+ :::image type="content" source="images/526b83fbdbb31265b3d0c1e5fbbdc33a.png" alt-text="The option to add more settings to MDATP MDA" lightbox="images/526b83fbdbb31265b3d0c1e5fbbdc33a.png":::
16. Select **Save**.
- ![Image of configuration settingssavimg.](images/9d6e5386e652e00715ff348af72671c6.png)
+ :::image type="content" source="images/9d6e5386e652e00715ff348af72671c6.png" alt-text="The save option for the configuration settings" lightbox="images/9d6e5386e652e00715ff348af72671c6.png":::
17. Select the **Scope** tab.
- ![Image of configuration settings scptab.](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
+ :::image type="content" source="images/8d80fe378a31143db9be0bacf7ddc5a3.png" alt-text="The Scope tab related to the configuration settings" lightbox="images/8d80fe378a31143db9be0bacf7ddc5a3.png":::
18. Select the target computers.
- ![Image of configuration settings tgtcomp.](images/6eda18a64a660fa149575454e54e7156.png)
+ :::image type="content" source="images/6eda18a64a660fa149575454e54e7156.png" alt-text="The option to add computer groups" lightbox="images/6eda18a64a660fa149575454e54e7156.png":::
**Scope** Select **Add**.
- ![Image of configuration settings ad1img.](images/1c08d097829863778d562c10c5f92b67.png)
+ :::image type="content" source="images/1c08d097829863778d562c10c5f92b67.png" alt-text="The configuration settings - ad1" lightbox="images/1c08d097829863778d562c10c5f92b67.png":::
- ![Image of configuration settings ad2img.](images/216253cbfb6ae738b9f13496b9c799fd.png)
+ :::image type="content" source="images/216253cbfb6ae738b9f13496b9c799fd.png" alt-text="The configuration settings - ad2" lightbox="images/216253cbfb6ae738b9f13496b9c799fd.png":::
**Self-Service**
- ![Image of configuration settings selfservice.](images/c9f85bba3e96d627fe00fc5a8363b83a.png)
+ :::image type="content" source="images/c9f85bba3e96d627fe00fc5a8363b83a.png" alt-text="The Self Service tab for configuration settings" lightbox="images/c9f85bba3e96d627fe00fc5a8363b83a.png":::
19. Select **Done**.
- ![Image of configuration settings do1img.](images/99679a7835b0d27d0a222bc3fdaf7f3b.png)
+ :::image type="content" source="images/99679a7835b0d27d0a222bc3fdaf7f3b.png" alt-text="The Contoso onboarding status with an option to complete it" lightbox="images/99679a7835b0d27d0a222bc3fdaf7f3b.png":::
- ![Image of configuration settings do2img.](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)
+ :::image type="content" source="images/632aaab79ae18d0d2b8e0c16b6ba39e2.png" alt-text="The policies page" lightbox="images/632aaab79ae18d0d2b8e0c16b6ba39e2.png":::
security Mac Support Kext https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-kext.md
Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to
If you didn't approve the kernel extension during the deployment/installation of Microsoft Defender for Endpoint on macOS, the application displays a banner prompting you to enable it:
- ![RTP disabled screenshot.](images/mdatp-32-main-app-fix.png)
You can also run ```mdatp health```. It reports if real-time protection is enabled but not available. This indicates that the kernel extension isn't approved to run on your device.
If less than 30 minutes have passed since the product was installed, navigate to
If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device:
-![Security and privacy window after prompt expired screenshot.](images/mdatp-33-securityprivacysettings-noprompt.png)
In this case, you need to perform the following steps to trigger the approval flow again.
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
ms.technology: mde
While you are going through [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error:
-![Image of license error.](images/no-license-found.png)
**Message:**
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
The following steps can be used to troubleshoot and mitigate these issues:
- From the user interface. Open Microsoft Defender for Endpoint on macOS and navigate to **Manage settings**.
- ![Manage real-time protection screenshot.](images/mdatp-36-rtp.png)
+ :::image type="content" source="images/mdatp-36-rtp.png" alt-text=" The Manage real-time protection page" lightbox="images/mdatp-36-rtp.png":::
+
- From the Terminal. For security purposes, this operation requires elevation.
security Mac Sysext Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-policies.md
To approve the system extensions, create the following payload:
- **com.microsoft.wdav.epsext** - **com.microsoft.wdav.netext**
- ![Approved system extensions screenshot.](images/mac-approved-system-extensions.png)
+ :::image type="content" source="images/mac-approved-system-extensions.png" alt-text=" The Approved system extensions page" lightbox="images/mac-approved-system-extensions.png":::
### Privacy Preferences Policy Control
Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend
3. Set Code Requirement to `identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9` 4. Set **App or service** to **SystemPolicyAllFiles** and access to **Allow**.
- ![Privacy Preferences Policy Control.](images/mac-system-extension-privacy.png)
+ :::image type="content" source="images/mac-system-extension-privacy.png" alt-text=" The Privacy Preferences Policy Control menu item" lightbox="images/mac-system-extension-privacy.png":::
### Network Extension Policy
To approve the system extensions:
|com.microsoft.wdav.netext|UBF8T346G9| |||
- ![System configuration profiles screenshot.](images/mac-system-extension-intune2.png)
+ :::image type="content" source="images/mac-system-extension-intune2.png" alt-text=" The System configuration profiles page" lightbox="images/mac-system-extension-intune2.png":::
5. In the `Assignments` tab, assign this profile to **All Users & All devices**. 6. Review and create this configuration profile.
To deploy this custom configuration profile:
3. Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step. 4. Select **OK**.
- ![System extension in Intune screenshot.](images/mac-system-extension-intune.png)
+ :::image type="content" source="images/mac-system-extension-intune.png" alt-text=" The System extension in Intune page" lightbox="images/mac-system-extension-intune.png":::
5. In the `Assignments` tab, assign this profile to **All Users & All devices**. 6. Review and create this configuration profile.
security Mac Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-updates.md
Microsoft regularly publishes software updates to improve performance, security,
To update Microsoft Defender for Endpoint on macOS, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually.
-![MAU screenshot.](images/MDATP-34-MAU.png)
If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization.
security Machine Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-reports.md
The devices status report provides high-level information about the devices in y
The dashboard is structured into two sections: <br>
security Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md
To add device tags using API, see [Add or remove device tags API](add-or-remove-
2. Select **Manage tags** from the row of Response actions.
- :::image type="content" alt-text="Image of manage tags button." source="images/manage-tags-option.png":::
+ :::image type="content" source="images/manage-tags-option.png" alt-text="Image of manage tags button" lightbox="images/manage-tags-option.png":::
+
3. Type to find or create tags
- :::image type="content" alt-text="Image of adding tags on a device1." source="images/create-new-tag.png":::
+ :::image type="content" source="images/create-new-tag.png" alt-text="Adding tags on device1" lightbox="images/create-new-tag.png":::
Tags are added to the device view and will also be reflected on the **Devices inventory** view. You can then use the **Tags** filter to see the relevant list of devices.
Tags are added to the device view and will also be reflected on the **Devices in
You can also delete tags from this view. ## Add device tags by setting a registry key value
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-machinesview-abovefoldlink)
-The device inventory helps you discover, explore, and investigate devices in your organization including computers, servers, mobile, network appliances and IoT devices. It can help you discover unknown devices and identify device management gaps in your network.
+The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days.
+
+At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
+
+There are several options you can choose from to customize the devices list view. On the top navigation you can:
+
+- Add or remove columns
+- Export the entire list in CSV format
+- Select the number of items to show per page
+- Apply filters
+
+During the onboarding process, the **Devices list** is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.
+
+> [!NOTE]
+> If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself.
++
+## Sort and filter the device list
+
+You can apply the following filters to limit the list of alerts and get a more focused view.
+
+### Device name
During the Microsoft Defender for Endpoint onboarding process, devices onboarded to MDE are gradually populated into the device inventory as they begin to report sensor data. Following this, the device inventory is populated by devices that are discovered in your network through the device discovery process. The device inventory has three tabs that list devices by:
security Manage Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-alerts.md
You can manage alerts by selecting an alert in the **Alerts queue**, or the **Al
Selecting an alert in either of those places brings up the **Alert management pane**.
-![Image of alert management pane and alerts queue.](images/atp-alerts-selected.png)
## Link to another incident
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-incidents.md
Managing incidents is an important part of every cybersecurity operation. You ca
Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details. -
-![Image of the incidents management pane.](images/atp-incidents-mgt-pane-updated.png)
You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
You can assign incidents to yourself, change the status and classification, rena
> Incidents that existed prior the rollout of automatic incident naming will retain their names. > -
-![Image of incident detail page.](images/atp-incident-details-updated.png)
## Assign incidents If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
The procedures in this article first describe how to set the order, and then how
2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
- :::image type="content" source="../../media/wdav-order-update-sources.png" alt-text="group policy setting listing the order of sources.":::
+ :::image type="content" source="../../media/wdav-order-update-sources.png" alt-text="Group policy setting listing the order of sources" lightbox="../../media/wdav-order-update-sources.png":::
3. Select **OK**. This will set the order of protection update sources.
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
The Microsoft Defender for Endpoint solution is built on top of an integration-r
Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities.
-![Image of available API and integration in Microsoft Defender for Endpoint.](images/mdatp-apis.png)
The Defender for Endpoint APIs can be grouped into three:
security Mde Device Control Device Installation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-device-control-device-installation.md
In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint
1. Configure **Prevent installation of devices using drivers that match these device setup classes**. - Open Endpoint security > Attack surface reduction > Create Policy > Platform: Windows 10 (and later) & Profile: Device control.-
- :::image type="content" source="../../media/devicepolicy-editprofile.png" alt-text="edit profile":::
-
+
+ :::image type="content" source="../../media/devicepolicy-editprofile.png" alt-text="The Edit profile page" lightbox="../../media/devicepolicy-editprofile.png":::
+
2. Plug in a USB, device and you will see following error message:
- :::image type="content" source="../../media/devicepolicy-errormsg.png" alt-text="error message":::
+ :::image type="content" source="../../media/devicepolicy-errormsg.png" alt-text="The error message" lightbox="../../media/devicepolicy-errormsg.png":::
3. Enable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria**. - **only support OMA-URI for now**: Devices > Configuration profiles > Create profile > Platform: Windows 10 (and later) & Profile: Custom-
- :::image type="content" source="../../media/devicepolicy-editrow.png" alt-text="edit row":::
+
+ :::image type="content" source="../../media/devicepolicy-editrow.png" alt-text="The Edit Row page" lightbox="../../media/devicepolicy-editrow.png":::
4. Enable and add allowed USB Instance ID ΓÇô **Allow installation of devices that match any of these device IDs**. - Update the step 1 Device control profile-
- :::image type="content" source="../../media/devicepolicy-devicecontrol.png" alt-text="devicecontrol":::
+
+ :::image type="content" source="../../media/devicepolicy-devicecontrol.png" alt-text="An identifier in the Device Control page" lightbox="../../media/devicepolicy-devicecontrol.png":::
+
+ Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB on above screen capture is because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You have to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change view to ΓÇÿDevices by connectionsΓÇÖ to see the way devices are installed in the PnP tree. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB on above screen capture is because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You have to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change view to ΓÇÿDevices by connectionsΓÇÖ to see the way devices are installed in the PnP tree. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint
- ΓÇ£USB Root Hub (USB 3.0)ΓÇ¥ -> USB\ROOT_HUB30 - ΓÇ£Generic USB HubΓÇ¥ -> USB\USB20_HUB
- :::image type="content" source="../../media/devicepolicy-devicemgr.png" alt-text="device control":::
+ :::image type="content" source="../../media/devicepolicy-devicemgr.png" alt-text="The View menu item in the Device Manager page" lightbox="../../media/devicepolicy-devicemgr.png":::
> [!NOTE] > Some devices in the system have several layers of connectivity to define their installation on the system. USB thumb drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic device IDs that are commonly used in systems and could provide a good start to build an "Allow list" in such cases. The following is one example (it is not always the same for all USBs; you need to understand the PnP tree of the device you want to manage through the Device Manager):
In Microsoft Endpoint Manager [https://endpoint.microsoft.com/](https://endpoint
5. Plug in the allowed USB again. YouΓÇÖll see that it's now allowed and available.
- :::image type="content" source="../../media/devicepolicy-removedrive.png" alt-text="remove drive":::
+ :::image type="content" source="../../media/devicepolicy-removedrive.png" alt-text="The Remove drive details page" lightbox="../../media/devicepolicy-removedrive.png":::
#### Deploying and managing policy via Group Policy
DeviceEvents
| order by Timestamp desc ``` ## Frequently asked questions
DeviceRegistryEvents
It is not enough to enable only a single hardware ID to enable a single USB thumb-drive. Ensure that all the USB devices that precede the target one aren't blocked (allowed) as well. +
security Mde P1 Maintenance Operations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-maintenance-operations.md
To learn more, see [Manage Defender for Endpoint](manage-mde-post-migration.md).
A false positive is an artifact, like a file or a process, that was detected as malicious, even though it isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is. False positives/negatives can occur with any endpoint protection solution, including Defender for Endpoint. However, there are steps you can take to address these kinds of issues and fine-tune your solution, as depicted in the following image: If youΓÇÖre seeing false positives/negatives in Defender for Endpoint, see [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md).
security Mde P1 Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration.md
This article describes how to set up and configure Defender for Endpoint Plan 1.
## The setup and configuration process The general setup and configuration process for Defender for Endpoint Plan 1 is as follows: <br/><br/>
Then, proceed to configure your next-generation protection and attack surface re
We recommend using [Microsoft Endpoint Manager](/mem) to manage your organizationΓÇÖs devices and security settings, as shown in the following image: To configure your next-generation protection in Microsoft Endpoint Manager, follow these steps:
Attack surface reduction is all about reducing the places and ways your organiza
Attack surface reduction rules are available on devices running Windows. We recommend using Microsoft Endpoint Manager, as shown in the following image: 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
You get ransomware mitigation through [controlled folder access](controlled-fold
We recommend using Microsoft Endpoint Manager to configure controlled folder access. 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
We recommend using Microsoft Endpoint Manager to configure controlled folder acc
You can configure Defender for Endpoint to block or allow removable devices and files on removable devices. We recommend using Microsoft Endpoint Manager to configure your device control settings. 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
You can configure Defender for Endpoint to block or allow removable devices and
With network protection, you can help protect your organization against dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. We recommend using Microsoft Endpoint Manager to turn on network protection. 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
With web protection, you can protect your organization's devices from web threat
Network firewall helps reduce the risk of network security threats. Your security team can set rules that determine which traffic is permitted to flow to or from your organization's devices. We recommend using Microsoft Endpoint Manager to configure your network firewall. To configure basic firewall settings, follow these steps:
security Mde Plan1 Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plan1-getting-started.md
The Microsoft 365 Defender portal ([https://security.microsoft.com](https://secu
The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is where you'll view alerts, manage devices, and view reports. When you sign into the Microsoft 365 Defender portal, youΓÇÖll start with the Home page, as shown in the following image: The Home page provides your security team with a snapshot aggregate view of alerts, device status, and threats detected. The Defender for Cloud is set up so that your security operations team can find the information they are looking for quickly and easily.
The Home page provides your security team with a snapshot aggregate view of aler
The Home page includes cards, such as the Active incidents card shown in the following image: The card provides you with information at a glance, along with a link or button that you can select to view more detailed information. Referring to our example Active incidents card, we can select **View all incidents** to navigate to our list of incidents. ### Navigation bar makes it easy to find alerts, the Action center, and more
When you sign into the Microsoft 365 Defender portal, make sure to view and mana
Select an incident to view details about the incident. Details include what alerts were triggered, how many devices and users were affected, and other details. The following image shows an example of incident details. Use the **Alerts**, **Devices**, and **Users** tabs to view more information, such as the alerts that were triggered, devices that were affected, and user accounts that were affected. From there, you can take manual response actions, such as isolating a device, stopping and quarantining a file, and so on.
Use the **Alerts**, **Devices**, and **Users** tabs to view more information, su
To view and manage your organizationΓÇÖs devices, in the navigation bar, under **Endpoints**, select **Device inventory**. YouΓÇÖll see a list of devices as shown in the following image: The list includes devices for which alerts were generated. By default, the data shown is for the past 30 days, with the most recent items listed first. Select a device to view more information about it. A flyout pane opens, as shown in the following image: The flyout pane displays details, such as any active alerts for the device, and includes links to take action, such as isolating a device.
In Defender for Endpoint Plan 1, several reports are available in the Microsoft
To access your Threat protection report, in the Microsoft 365 Defender portal, choose **Reports**, and then choose **Threat protection**. The Threat Protection report shows alert trends, status, categories, and more. Views are arranged in two columns: **Alert trends** and **Alert status**, as shown in the following image: Scroll down to see all the views in each list.
Scroll down to see all the views in each list.
To access your Device health report, in the Microsoft 365 Defender portal, choose **Reports**, and then choose **Device health**. The Device health report shows health state and antivirus across devices in your organization. Similar to the [Threat protection report](#threat-protection-report), views are arranged in two columns: **Device trends** and **Device summary**, as shown in the following image: Scroll down to see all the views in each list. By default, the views in the **Device trends** column display data for the past 30 days, but you can change a view to display data for the last three months, last six months, or a custom time range (up to 180 days). The **Device summary** views are snapshots for the previous business day.
Scroll down to see all the views in each list. By default, the views in the **De
To access your Device health report, in the Microsoft 365 Defender portal, choose **Reports**, and then choose **Web protection**. The Web protection report shows detections over time, such as malicious URLs and attempts to access blocked URLs, as shown in the following image: Scroll down to see all the views in the Web protection report. Some views include links that enable you to view more details, configure your threat protection features, and even manage indicators that serve as exceptions in Defender for Endpoint.
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
If the GUI isnΓÇÖt installed on your server, and you want to install it, either
In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
- ![Add roles and feature wizard showing the GUI for Windows Defender option.](images/server-add-gui.png)
+ :::image type="content" source="images/server-add-gui.png" alt-text="The Add roles and feature wizard showing the GUI for Windows Defender option." lightbox="images/server-add-gui.png":::
In Windows Server 2019 and Windows Server 2022, the **Add Roles and Feature Wizard** is similar.
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
If you experience any installation failures, refer to [Troubleshooting installat
- 2.6.32-754.6.3.el6.x86_64 - 2.6.32-754.9.1.el6.x86_64 -
- > [!NOTE]
- > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that that are listed in this section are provided for technical upgrade support only.
-
- - For rest of the supported distributions, minimum kernel version required is 3.10.0-327
--- Event provider mechanism
- - Red Hat Enterprise Linux 6 and CentOS 6: `Talpa` kernel module based solution
- - For rest of the supported distributions: `Fanotify`
- - The `fanotify` kernel option must be enabled
-
- > [!CAUTION]
- > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
+ For Red Hat Enterprise Linux 6 and CentOS 6, the list of supported kernel versions are:
+ - For 6.7: 2.6.32-573.*
+ - For 6.8: 2.6.32-642.*
+ - For 6.9: 2.6.32-696.*
+ - For 6.10: 2.6.32.754.2.1.el6.x86_64 to 2.6.32-754.41.2:
+
+ > [!NOTE]
+ > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that that are listed in this section are provided for technical upgrade support only.
+
+ List of versions:
+
+ - 2.6.32-754.2.1.el6.x86_64
+ - 2.6.32-754.17.1.el6.x86_64
+ - 2.6.32-754.29.1.el6.x86_64
+ - 2.6.32-754.3.5.el6.x86_64
+ - 2.6.32-754.18.2.el6.x86_64
+ - 2.6.32-754.29.2.el6.x86_64
+ - 2.6.32-754.6.3.el6.x86_64
+ - 2.6.32-754.22.1.el6.x86_64
+ - 2.6.32-754.30.2.el6.x86_64
+ - 2.6.32-754.9.1.el6.x86_64
+ - 2.6.32-754.23.1.el6.x86_64
+ - 2.6.32-754.33.1.el6.x86_64
+ - 2.6.32-754.10.1.el6.x86_64
+ - 2.6.32-754.24.2.el6.x86_64
+ - 2.6.32-754.35.1.el6.x86_64
+ - 2.6.32-754.11.1.el6.x86_64
+ - 2.6.32-754.24.3.el6.x86_64
+ - 2.6.32-754.39.1.el6.x86_64
+ - 2.6.32-754.12.1.el6.x86_64
+ - 2.6.32-754.25.1.el6.x86_64
+ - 2.6.32-754.41.2.el6.x86_64
+ - 2.6.32-754.14.2.el6.x86_64
+ - 2.6.32-754.27.1.el6.x86_64
+ - 2.6.32-754.15.3.el6.x86_64
+ - 2.6.32-754.28.1.el6.x86_64
++
+- Minimum kernel version 3.10.0-327
+
+- The `fanotify` kernel option must be enabled
+
+ > [!CAUTION]
+ > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
- Disk space: 1 GB
The following downloadable spreadsheet lists the services and their associated U
|Spreadsheet of domains list| Description| |||
-|Microsoft Defender for Endpoint URL list for commercial customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
-| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
-|
-
+|:::image type="content" source="images/mdatp-urls.png" alt-text="Microsoft Defender for Endpoint URLs spreadsheet" lightbox="images/mdatp-urls.png":::|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> Download the spreadsheet [here](https://download.microsoft.com/download/8/e-urls.xlsx).|
+|||
> [!NOTE] > For a more specific URL list, see [Configure proxy and internet connectivity settings](/microsoft-365/security/defender-endpoint/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
The following downloadable spreadsheet lists the services and their associated U
|Spreadsheet of domains list| Description| |||
-|Microsoft Defender for Endpoint URL list for commercial customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
-| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
-|
---
+|:::image type="content" source="images/mdatp-urls.png" alt-text="The spreadsheet for the URLs of the Microsoft Defender for Endpoint portal" lightbox="images/mdatp-urls.png":::|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> Download the spreadsheet here: [mdatp-urls.xlsx](https://download.microsoft.com/download/8/e-urls.xlsx).
Microsoft Defender for Endpoint can discover a proxy server by using the following discovery methods:
security Microsoft Defender Offline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md
The need to perform an offline scan will also be revealed in Microsoft Endpoint
The prompt can occur via a notification, similar to the following: The user will also be notified within the Windows Defender client.
In Configuration Manager, you can identify the status of endpoints by navigating
Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. ## Configure notifications
security Microsoft Defender Security Center Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md
The Windows Security app is a client interface on Windows 10, version 1703 and l
## Review virus and threat protection settings in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Windows Security**.
The following sections describe how to perform some of the most common tasks whe
## Review the security intelligence update version and download the latest updates in the Windows Security app 1. Open the Windows Security app by searching the start menu for *Security*, and then selecting **Windows Security**.
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-threat-experts.md
The option to **Consult a threat expert** is available in several places in the
- ***Help and support menu***
- ![Screenshot of MTE-EOD menu option.](images/mte-eod-menu.png)
+ :::image type="content" source="images/mte-eod-menu.png" alt-text="The MTE-EOD menu item" lightbox="images/mte-eod-menu.png":::
- ***Device page actions menu***
- ![Screenshot of MTE-EOD device page action menu option.](images/mte-eod-machines.png)
+ :::image type="content" source="images/mte-eod-machines.png" alt-text="The MTE-EOD device page action menu option" lightbox="images/mte-eod-machines.png":::
- ***Alerts page actions menu***
- ![Screenshot of MTE-EOD alert page action menu option.](images/mte-eod-alerts.png)
+ :::image type="content" source="images/mte-eod-alerts.png" alt-text="The MTE-EOD alert page action menu option" lightbox="images/mte-eod-alerts.png":::
- ***File page actions menu***
- ![Screenshot of MTE-EOD file page action menu option.](images/mte-eod-file.png)
+ :::image type="content" source="images/mte-eod-file.png" alt-text="The MTE-EOD file page action menu option" lightbox="images/mte-eod-file.png":::
> [!NOTE] > If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Customer Success Account Manager.
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
By default, this service is enabled. It's good practice to check to ensure that
If the service is enabled, then the result should look like the following screenshot:
- ![Result of the sc query command for diagtrack.](images/windefatp-sc-qc-diagtrack.png)
+ :::image type="content" source="images/windefatp-sc-qc-diagtrack.png" alt-text="Result of the sc query command for diagtrack" lightbox="images/windefatp-sc-qc-diagtrack.png":::
You'll need to set the service to automatically start if the **START_TYPE** isn't set to **AUTO_START**.
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
To configure assessment jobs, the following user permission option is required:
2. Download the network scanner and install it on the designated Defender for Endpoint assessment device. > [!div class="mx-imgBorder"]
- > ![Download scanner button.](images/assessment-jobs-download-scanner.png)
+ > :::image type="content" source="images/assessment-jobs-download-scanner.png" alt-text="The Download scanner button" lightbox="images/assessment-jobs-download-scanner.png":::
## Network scanner installation & registration
In the Assessment jobs page in **Settings**, select **Add network assessment job
To prevent device duplication in the network device inventory, make sure each IP address is configured only once across multiple assessment devices. > [!div class="mx-imgBorder"]
-> ![Add network assessment job button.](images/assessment-jobs-add.png)
+> :::image type="content" source="images/assessment-jobs-add.png" alt-text="The Add network assessment job button" lightbox="images/assessment-jobs-add.png":::
Adding a network assessment job steps:
Once the results show up, you can choose which devices will be included in the p
Newly discovered devices will be shown under the new **Network devices** tab in the **Device inventory** page. It may take up to two hours after adding an assessment job until the devices are updated. > [!div class="mx-imgBorder"]
-> ![Network devices section in the Device inventory.](images/assessment-jobs-device-inventory.png)
+> :::image type="content" source="images/assessment-jobs-device-inventory.png" alt-text="The Network devices section in the Device inventory" lightbox="images/assessment-jobs-device-inventory.png":::
## Troubleshooting
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
Deploying Microsoft Defender for Endpoint is a two-step process.
- Onboard devices to the service - Configure capabilities of the service
-![Illustration of onboarding and configuration process](images/deployment-steps.png)
## Onboard devices to the service You'll need to go the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
Create a new group policy specifically for onboarding devices such as "Microsoft
- Create a Group Policy Folder named "c:\windows\MMA"
- :::image type="content" source="images/grppolicyconfig1.png" alt-text="folders":::
+ :::image type="content" source="images/grppolicyconfig1.png" alt-text="The folders location" lightbox="images/grppolicyconfig1.png":::
**This will add a new folder on every server that gets the GPO applied, called MMA, and will be stored in c:\windows. This will contain the installation files for the MMA, prerequisites, and install script.** - Create a Group Policy Files preference for each of the files stored in Net logon.
- :::image type="content" source="images/grppolicyconfig2.png" alt-text="group policy image1":::
+ :::image type="content" source="images/grppolicyconfig2.png" alt-text="The group policy - 1" lightbox="images/grppolicyconfig2.png":::
It copies the files from DOMAIN\NETLOGON\MMA\filename to C:\windows\MMA\filename - **so the installation files are local to the server**: Repeat the process but create item level targeting on the COMMON tab, so the file only gets copied to the appropriate platform/Operating system version in scope: For Windows Server 2008 R2 you'll need (and it will only copy down) the following: - Windows6.1-KB3080149-x64.msu
For Windows Server 2008 R2 you'll need (and it will only copy down) the followin
Once this is done, you'll need to create a start-up script policy: The name of the file to run here is c:\windows\MMA\DeployMMA.cmd. Once the server is restarted as part of the start-up process it will install the Update for customer experience and diagnostic telemetry KB, and then install the MMA Agent, while setting the Workspace ID and Key, and the server will be onboarded.
This could be done in two phases. First create **the files and the folder in** G
As the Script has an exit method and wont re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present. As mentioned in the onboarding documentation for Server specifically around Server 2008 R2 please see below: For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
You can use either of the following methods:
2. Select the Defender for Endpoint workspace, and click **Remove**.
- ![Image of Microsoft Monitoring Agent Properties](images/atp-mma.png)
+ :::image type="content" source="images/atp-mma.png" alt-text="The Workspaces pane" lightbox="images/atp-mma.png":::
#### Run a PowerShell command to remove the configuration
security Onboarding Endpoint Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md
This article is part of the Deployment guide and acts as an example onboarding m
In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the co-management architecture.
-![Image of cloud-native architecture.](images/co-management-architecture.png)
*Diagram of environment architectures* While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md).
Follow the steps below to onboard endpoints using Microsoft Endpoint Configurati
1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
- ![Image of Microsoft Endpoint Configuration Manager wizard1.](images/configmgr-device-collections.png)
+ :::image type="content" source="images/configmgr-device-collections.png" alt-text="The Microsoft Endpoint Configuration Manager wizard1" lightbox="images/configmgr-device-collections.png":::
2. Right Click **Device Collection** and select **Create Device Collection**.
- ![Image of Microsoft Endpoint Configuration Manager wizard2.](images/configmgr-create-device-collection.png)
+ :::image type="content" source="images/configmgr-create-device-collection.png" alt-text="The Microsoft Endpoint Configuration Manager wizard2" lightbox="images/configmgr-create-device-collection.png":::
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager wizard3.](images/configmgr-limiting-collection.png)
+ :::image type="content" source="images/configmgr-limiting-collection.png" alt-text="The Microsoft Endpoint Configuration Manager wizard3" lightbox="images/configmgr-limiting-collection.png":::
4. Select **Add Rule** and choose **Query Rule**.
- ![Image of Microsoft Endpoint Configuration Manager wizard4.](images/configmgr-query-rule.png)
+ :::image type="content" source="images/configmgr-query-rule.png" alt-text="The Microsoft Endpoint Configuration Manager wizard4" lightbox="images/configmgr-query-rule.png":::
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
- ![Image of Microsoft Endpoint Configuration Manager wizard5.](images/configmgr-direct-membership.png)
+ :::image type="content" source="images/configmgr-direct-membership.png" alt-text="The Microsoft Endpoint Configuration Manager wizard5" lightbox="images/configmgr-direct-membership.png":::
6. Select **Criteria** and then choose the star icon.
- ![Image of Microsoft Endpoint Configuration Manager wizard6.](images/configmgr-criteria.png)
+ :::image type="content" source="images/configmgr-criteria.png" alt-text="The Microsoft Endpoint Configuration Manager wizard6" lightbox="images/configmgr-criteria.png":::
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
- ![Image of Microsoft Endpoint Configuration Manager wizard7.](images/configmgr-simple-value.png)
+ :::image type="content" source="images/configmgr-simple-value.png" alt-text="The Microsoft Endpoint Configuration Manager wizard7" lightbox="images/configmgr-simple-value.png":::
8. Select **Next** and **Close**.
- ![Image of Microsoft Endpoint Configuration Manager wizard8.](images/configmgr-membership-rules.png)
+ :::image type="content" source="images/configmgr-membership-rules.png" alt-text="The Microsoft Endpoint Configuration Manager wizard8" lightbox="images/configmgr-membership-rules.png":::
9. Select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager wizard9.](images/configmgr-confirm.png)
+ :::image type="content" source="images/configmgr-confirm.png" alt-text="The Microsoft Endpoint Configuration Manager wizard9" lightbox="images/configmgr-confirm.png":::
After completing this task, you now have a device collection with all the Windows endpoints in the environment.
From within the Microsoft 365 Defender portal it is possible to download the `.o
2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
- ![Image of Microsoft Defender for Endpoint onboarding wizard10.](images/mdatp-onboarding-wizard.png)
+ :::image type="content" source="images/mdatp-onboarding-wizard.png" alt-text="The Microsoft Endpoint Configuration Manager wizard10" lightbox="images/mdatp-onboarding-wizard.png":::
3. Select **Download package**.
- ![Image of Microsoft Defender for Endpoint onboarding wizard11.](images/mdatp-download-package.png)
+ :::image type="content" source="images/mdatp-download-package.png" alt-text="The Microsoft Endpoint Configuration Manager wizard11" lightbox="images/mdatp-download-package.png":::
4. Save the package to an accessible location. 5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. 6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
- ![Image of Microsoft Endpoint Configuration Manager wizard12.](images/configmgr-create-policy.png)
+ :::image type="content" source="images/configmgr-create-policy.png" alt-text="The Microsoft Endpoint Configuration Manager wizard12" lightbox="images/configmgr-create-policy.png":::
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager wizard13.](images/configmgr-policy-name.png)
+ :::image type="content" source="images/configmgr-policy-name.png" alt-text="The Microsoft Endpoint Configuration Manager wizard13" lightbox="images/configmgr-policy-name.png":::
8. Click **Browse**.
From within the Microsoft 365 Defender portal it is possible to download the `.o
10. Click **Next**. 11. Configure the Agent with the appropriate samples (**None** or **All file types**).
- ![Image of configuration settings1.](images/configmgr-config-settings.png)
+ :::image type="content" source="images/configmgr-config-settings.png" alt-text="The configuration settings1" lightbox="images/configmgr-config-settings.png":::
12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
- ![Image of configuration settings2.](images/configmgr-telemetry.png)
+ :::image type="content" source="images/configmgr-telemetry.png" alt-text="The configuration settings2" lightbox="images/configmgr-telemetry.png":::
13. Verify the configuration, then click **Next**.
- ![Image of configuration settings3.](images/configmgr-verify-configuration.png)
+ :::image type="content" source="images/configmgr-verify-configuration.png" alt-text="The configuration settings3" lightbox="images/configmgr-verify-configuration.png":::
14. Click **Close** when the Wizard completes. 15. In the Microsoft Endpoint Configuration Manager console, right-click the Defender for Endpoint policy you just created and select **Deploy**.
- ![Image of configuration settings4.](images/configmgr-deploy.png)
+ :::image type="content" source="images/configmgr-deploy.png" alt-text="The configuration settings4" lightbox="images/configmgr-deploy.png":::
16. On the right panel, select the previously created collection and click **OK**.
- ![Image of configuration settings5.](images/configmgr-select-collection.png)
+ :::image type="content" source="images/configmgr-select-collection.png" alt-text="The configuration settings5" lightbox="images/configmgr-select-collection.png":::
#### Previous versions of Windows Client (Windows 7 and Windows 8.1)
Follow the steps below to identify the Defender for Endpoint Workspace ID and Wo
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
- ![Image of onboarding.](images/91b738e4b97c4272fd6d438d8c2d5269.png)
+ :::image type="content" source="images/91b738e4b97c4272fd6d438d8c2d5269.png" alt-text="The onboarding process" lightbox="images/91b738e4b97c4272fd6d438d8c2d5269.png":::
4. Install the Microsoft Monitoring Agent (MMA).
Microsoft Defender Antivirus is a built-in antimalware solution that provides ne
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
- ![Image of antimalware policy.](images/9736e0358e86bc778ce1bd4c516adb8b.png)
+ :::image type="content" source="images/9736e0358e86bc778ce1bd4c516adb8b.png" alt-text="The antimalware policy" lightbox="images/9736e0358e86bc778ce1bd4c516adb8b.png":::
2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
- ![Image of next generation protection pane1.](images/1566ad81bae3d714cc9e0d47575a8cbd.png)
+ :::image type="content" source="images/1566ad81bae3d714cc9e0d47575a8cbd.png" alt-text="The next-generation protection pane1" lightbox="images/1566ad81bae3d714cc9e0d47575a8cbd.png":::
In certain industries or some select enterprise customers might have specific needs on how Antivirus is configured.
Microsoft Defender Antivirus is a built-in antimalware solution that provides ne
For more details, see [Windows Security configuration framework](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework).
- ![Image of next generation protection pane2.](images/cd7daeb392ad5a36f2d3a15d650f1e96.png)
+ :::image type="content" source="images/cd7daeb392ad5a36f2d3a15d650f1e96.png" alt-text="The next-generation protection pane2" lightbox="images/cd7daeb392ad5a36f2d3a15d650f1e96.png":::
- ![Image of next generation protection pane3.](images/36c7c2ed737f2f4b54918a4f20791d4b.png)
+ :::image type="content" source="images/36c7c2ed737f2f4b54918a4f20791d4b.png" alt-text="The next-generation protection pane3" lightbox="images/36c7c2ed737f2f4b54918a4f20791d4b.png":::
- ![Image of next generation protection pane4.](images/a28afc02c1940d5220b233640364970c.png)
+ :::image type="content" source="images/a28afc02c1940d5220b233640364970c.png" alt-text="The next-generation protection pane4" lightbox="images/a28afc02c1940d5220b233640364970c.png":::
- ![Image of next generation protection pane5.](images/5420a8790c550f39f189830775a6d4c9.png)
+ :::image type="content" source="images/5420a8790c550f39f189830775a6d4c9.png" alt-text="The next-generation protection pane5" lightbox="images/5420a8790c550f39f189830775a6d4c9.png":::
- ![Image of next generation protection pane6.](images/33f08a38f2f4dd12a364f8eac95e8c6b.png)
+ :::image type="content" source="images/33f08a38f2f4dd12a364f8eac95e8c6b.png" alt-text="The next-generation protection pane6" lightbox="images/33f08a38f2f4dd12a364f8eac95e8c6b.png":::
- ![Image of next generation protection pane7.](images/41b9a023bc96364062c2041a8f5c344e.png)
+ :::image type="content" source="images/41b9a023bc96364062c2041a8f5c344e.png" alt-text="The next-generation protection pane7" lightbox="images/41b9a023bc96364062c2041a8f5c344e.png":::
- ![Image of next generation protection pane8.](images/945c9c5d66797037c3caeaa5c19f135c.png)
+ :::image type="content" source="images/945c9c5d66797037c3caeaa5c19f135c.png" alt-text="The next-generation protection pane8" lightbox="images/945c9c5d66797037c3caeaa5c19f135c.png":::
- ![Image of next generation protection pane9.](images/3876ca687391bfc0ce215d221c683970.png)
+ :::image type="content" source="images/3876ca687391bfc0ce215d221c683970.png" alt-text="The next-generation protection pane9" lightbox="images/3876ca687391bfc0ce215d221c683970.png":::
3. Right-click on the newly created antimalware policy and select **Deploy**.
- ![Image of next generation protection pane10.](images/f5508317cd8c7870627cb4726acd5f3d.png)
+ :::image type="content" source="images/f5508317cd8c7870627cb4726acd5f3d.png" alt-text="The next-generation protection pane10" lightbox="images/f5508317cd8c7870627cb4726acd5f3d.png":::
4. Target the new antimalware policy to your Windows collection and click **OK**.
- ![Image of next generation protection pane11.](images/configmgr-select-collection.png)
+ :::image type="content" source="images/configmgr-select-collection.png" alt-text="The next-generation protection pane11" lightbox="images/configmgr-select-collection.png":::
After completing this task, you now have successfully configured Windows Defender Antivirus.
To set ASR rules in Audit mode:
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
- ![Image of Microsoft Endpoint Configuration Manager console0.](images/728c10ef26042bbdbcd270b6343f1a8a.png)
+ :::image type="content" source="images/728c10ef26042bbdbcd270b6343f1a8a.png" alt-text="The Microsoft Endpoint Configuration Manager console0" lightbox="images/728c10ef26042bbdbcd270b6343f1a8a.png":::
2. Select **Attack Surface Reduction**. 3. Set rules to **Audit** and click **Next**.
- ![Image of Microsoft Endpoint Configuration Manager console1.](images/d18e40c9e60aecf1f9a93065cb7567bd.png)
+ :::image type="content" source="images/d18e40c9e60aecf1f9a93065cb7567bd.png" alt-text="The Microsoft Endpoint Configuration Manager console1" lightbox="images/d18e40c9e60aecf1f9a93065cb7567bd.png":::
4. Confirm the new Exploit Guard policy by clicking on **Next**.
- ![Image of Microsoft Endpoint Configuration Manager console2.](images/0a6536f2c4024c08709cac8fcf800060.png)
+ :::image type="content" source="images/0a6536f2c4024c08709cac8fcf800060.png" alt-text="The Microsoft Endpoint Configuration Manager console2" lightbox="images/0a6536f2c4024c08709cac8fcf800060.png":::
5. Once the policy is created click **Close**.
- ![Image of Microsoft Endpoint Configuration Manager console3.](images/95d23a07c2c8bc79176788f28cef7557.png)
+ :::image type="content" source="images/95d23a07c2c8bc79176788f28cef7557.png" alt-text="The Microsoft Endpoint Configuration Manager console3" lightbox="images/95d23a07c2c8bc79176788f28cef7557.png":::
6. Right-click on the newly created policy and choose **Deploy**.
- ![Image of Microsoft Endpoint Configuration Manager console4.](images/8999dd697e3b495c04eb911f8b68a1ef.png)
+ :::image type="content" source="images/8999dd697e3b495c04eb911f8b68a1ef.png" alt-text="The Microsoft Endpoint Configuration Manager console4" lightbox="images/8999dd697e3b495c04eb911f8b68a1ef.png":::
7. Target the policy to the newly created Windows collection and click **OK**.
- ![Image of Microsoft Endpoint Configuration Manager console5.](images/0ccfe3e803be4b56c668b220b51da7f7.png)
+ :::image type="content" source="images/0ccfe3e803be4b56c668b220b51da7f7.png" alt-text="The Microsoft Endpoint Configuration Manager console5" lightbox="images/0ccfe3e803be4b56c668b220b51da7f7.png":::
After completing this task, you now have successfully configured ASR rules in audit mode.
Below are additional steps to verify whether ASR rules are correctly applied to
3. Click **Go to attack surface management** in the Attack surface management panel.
- ![Image of attack surface management.](images/security-center-attack-surface-mgnt-tile.png)
+ :::image type="content" source="images/security-center-attack-surface-mgnt-tile.png" alt-text="The attack surface management" lightbox="images/security-center-attack-surface-mgnt-tile.png":::
4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
- ![A screenshot of attack surface reduction rules reports1.](images/f91f406e6e0aae197a947d3b0e8b2d0d.png)
+ :::image type="content" source="images/f91f406e6e0aae197a947d3b0e8b2d0d.png" alt-text="The attack surface reduction rules reports1" lightbox="images/f91f406e6e0aae197a947d3b0e8b2d0d.png":::
5. Click each device shows configuration details of ASR rules.
- ![A screenshot of attack surface reduction rules reports2.](images/24bfb16ed561cbb468bd8ce51130ca9d.png)
+ :::image type="content" source="images/24bfb16ed561cbb468bd8ce51130ca9d.png" alt-text="The attack surface reduction rules reports2" lightbox="images/24bfb16ed561cbb468bd8ce51130ca9d.png":::
See [Optimize ASR rule deployment and detections](/microsoft-365/security/defender-endpoint/configure-machines-asr) for more details.
See [Optimize ASR rule deployment and detections](/microsoft-365/security/defend
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
- ![A screenshot System Center Configuration Manager1.](images/728c10ef26042bbdbcd270b6343f1a8a.png)
+ :::image type="content" source="images/728c10ef26042bbdbcd270b6343f1a8a.png" alt-text="The System Center Configuration Manager1" lightbox="images/728c10ef26042bbdbcd270b6343f1a8a.png":::
2. Select **Network protection**. 3. Set the setting to **Audit** and click **Next**.
- ![A screenshot System Center Configuration Manager2.](images/c039b2e05dba1ade6fb4512456380c9f.png)
+ :::image type="content" source="images/c039b2e05dba1ade6fb4512456380c9f.png" alt-text="The System Center Configuration Manager2" lightbox="images/c039b2e05dba1ade6fb4512456380c9f.png":::
4. Confirm the new Exploit Guard Policy by clicking **Next**.
- ![A screenshot Exploit Guard policy1.](images/0a6536f2c4024c08709cac8fcf800060.png)
+ :::image type="content" source="images/0a6536f2c4024c08709cac8fcf800060.png" alt-text="The Exploit Guard policy1" lightbox="images/0a6536f2c4024c08709cac8fcf800060.png":::
5. Once the policy is created click on **Close**.
- ![A screenshot Exploit Guard policy2.](images/95d23a07c2c8bc79176788f28cef7557.png)
+ :::image type="content" source="images/95d23a07c2c8bc79176788f28cef7557.png" alt-text="The Exploit Guard policy2" lightbox="images/95d23a07c2c8bc79176788f28cef7557.png":::
6. Right-click on the newly created policy and choose **Deploy**.
- ![A screenshot Microsoft Endpoint Configuration Manager1.](images/8999dd697e3b495c04eb911f8b68a1ef.png)
+ :::image type="content" source="images/8999dd697e3b495c04eb911f8b68a1ef.png" alt-text="The Microsoft Endpoint Configuration Manager-1" lightbox="images/8999dd697e3b495c04eb911f8b68a1ef.png":::
7. Select the policy to the newly created Windows collection and choose **OK**.
- ![A screenshot Microsoft Endpoint Configuration Manager2.](images/0ccfe3e803be4b56c668b220b51da7f7.png)
+ :::image type="content" source="images/0ccfe3e803be4b56c668b220b51da7f7.png" alt-text="The Microsoft Endpoint Configuration Manager-2" lightbox="images/0ccfe3e803be4b56c668b220b51da7f7.png":::
After completing this task, you now have successfully configured Network Protection in audit mode.
After completing this task, you now have successfully configured Network Protect
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance** > **Overview** > **Endpoint Protection** > **Windows Defender Exploit Guard** and then choose **Create Exploit Guard Policy**.
- ![A screenshot of Microsoft Endpoint Configuration Manager3.](images/728c10ef26042bbdbcd270b6343f1a8a.png)
+ :::image type="content" source="images/728c10ef26042bbdbcd270b6343f1a8a.png" alt-text="The Microsoft Endpoint Configuration Manager-3" lightbox="images/728c10ef26042bbdbcd270b6343f1a8a.png":::
2. Select **Controlled folder access**. 3. Set the configuration to **Audit** and click **Next**.
- ![A screenshot of Microsoft Endpoint Configuration Manager4.](images/a8b934dab2dbba289cf64fe30e0e8aa4.png)
+ :::image type="content" source="images/a8b934dab2dbba289cf64fe30e0e8aa4.png" alt-text="The Microsoft Endpoint Configuration Manager-4" lightbox="images/a8b934dab2dbba289cf64fe30e0e8aa4.png":::
4. Confirm the new Exploit Guard Policy by clicking on **Next**.
- ![A screenshot of Microsoft Endpoint Configuration Manager5.](images/0a6536f2c4024c08709cac8fcf800060.png)
+ :::image type="content" source="images/0a6536f2c4024c08709cac8fcf800060.png" alt-text="The Microsoft Endpoint Configuration Manager-5" lightbox="images/0a6536f2c4024c08709cac8fcf800060.png":::
5. Once the policy is created click on **Close**.
- ![A screenshot of Microsoft Endpoint Configuration Manager6.](images/95d23a07c2c8bc79176788f28cef7557.png)
+ :::image type="content" source="images/95d23a07c2c8bc79176788f28cef7557.png" alt-text="The Microsoft Endpoint Configuration Manager-6" lightbox="images/95d23a07c2c8bc79176788f28cef7557.png":::
6. Right-click on the newly created policy and choose **Deploy**.
- ![A screenshot of Microsoft Endpoint Configuration Manager7.](images/8999dd697e3b495c04eb911f8b68a1ef.png)
+ :::image type="content" source="images/8999dd697e3b495c04eb911f8b68a1ef.png" alt-text="The Microsoft Endpoint Configuration Manager-7" lightbox="images/8999dd697e3b495c04eb911f8b68a1ef.png":::
7. Target the policy to the newly created Windows collection and click **OK**.
- ![A screenshot of Microsoft Endpoint Configuration Manager8.](images/0ccfe3e803be4b56c668b220b51da7f7.png)
You have now successfully configured Controlled folder access in audit mode.
security Onboarding Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md
This article is part of the Deployment guide and acts as an example onboarding m
In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the cloud-native architecture.
-![Image of cloud-native architecture.](images/cloud-native-architecture.png)
*Diagram of environment architectures* While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md).
In this section, we will create a test group to assign your configurations on.
2. Open **Groups > New Group**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal1.](images/66f724598d9c3319cba27f79dd4617a4.png)
+ > :::image type="content" source="images/66f724598d9c3319cba27f79dd4617a4.png" alt-text="The Microsoft Endpoint Manager portal1" lightbox="images/66f724598d9c3319cba27f79dd4617a4.png":::
3. Enter details and create a new group. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal2.](images/b1e0206d675ad07db218b63cd9b9abc3.png)
+ > :::image type="content" source="images/b1e0206d675ad07db218b63cd9b9abc3.png" alt-text="The Microsoft Endpoint Manager portal2" lightbox="images/b1e0206d675ad07db218b63cd9b9abc3.png":::
4. Add your test user or device.
In this section, we will create a test group to assign your configurations on.
7. Find your test user or device and select it. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal3.](images/149cbfdf221cdbde8159d0ab72644cd0.png)
+ > :::image type="content" source="images/149cbfdf221cdbde8159d0ab72644cd0.png" alt-text="The Microsoft Endpoint Manager portal3" lightbox="images/149cbfdf221cdbde8159d0ab72644cd0.png":::
8. Your testing group now has a member to test.
Then you will continue by creating several different types of endpoint security
2. Navigate to **Endpoint security > Endpoint detection and response**. Click on **Create Profile**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal4.](images/58dcd48811147feb4ddc17212b7fe840.png)
+ > :::image type="content" source="images/58dcd48811147feb4ddc17212b7fe840.png" alt-text="The Microsoft Endpoint Manager portal4" lightbox="images/58dcd48811147feb4ddc17212b7fe840.png":::
3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection and response > Create**.
Then you will continue by creating several different types of endpoint security
4. Enter a name and description, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal5.](images/a5b2d23bdd50b160fef4afd25dda28d4.png)
+ > :::image type="content" source="images/a5b2d23bdd50b160fef4afd25dda28d4.png" alt-text="The Microsoft Endpoint Manager portal5" lightbox="images/a5b2d23bdd50b160fef4afd25dda28d4.png":::
5. Select settings as required, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal6.](images/cea7e288b5d42a9baf1aef0754ade910.png)
+ > :::image type="content" source="images/cea7e288b5d42a9baf1aef0754ade910.png" alt-text="The Microsoft Endpoint Manager portal6" lightbox="images/cea7e288b5d42a9baf1aef0754ade910.png":::
> [!NOTE] > In this instance, this has been auto populated as Defender for Endpoint has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp). > > The following image is an example of what you'll see when Microsoft Defender for Endpoint is NOT integrated with Intune: >
- > ![Image of Microsoft Endpoint Manager portal7.](images/2466460812371ffae2d19a10c347d6f4.png)
+ > :::image type="content" source="images/2466460812371ffae2d19a10c347d6f4.png" alt-text="The Microsoft Endpoint Manager portal7" lightbox="images/2466460812371ffae2d19a10c347d6f4.png":::
6. Add scope tags if necessary, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal8.](images/ef844f52ec2c0d737ce793f68b5e8408.png)
+ > :::image type="content" source="images/ef844f52ec2c0d737ce793f68b5e8408.png" alt-text="The Microsoft Endpoint Manager portal8" lightbox="images/ef844f52ec2c0d737ce793f68b5e8408.png":::
7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal9.](images/fc3525e20752da026ec9f46ab4fec64f.png)
+ > :::image type="content" source="images/fc3525e20752da026ec9f46ab4fec64f.png" alt-text="The Microsoft Endpoint Manager portal9" lightbox="images/fc3525e20752da026ec9f46ab4fec64f.png":::
8. Review and accept, then select **Create**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal10.](images/289172dbd7bd34d55d24810d9d4d8158.png)
+ > :::image type="content" source="images/289172dbd7bd34d55d24810d9d4d8158.png" alt-text="The Microsoft Endpoint Manager portal10" lightbox="images/289172dbd7bd34d55d24810d9d4d8158.png":::
9. You can view your completed policy. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal11.](images/5a568b6878be8243ea2b9d82d41ed297.png)
+ > :::image type="content" source="images/5a568b6878be8243ea2b9d82d41ed297.png" alt-text="The Microsoft Endpoint Manager portal11" lightbox="images/5a568b6878be8243ea2b9d82d41ed297.png":::
### Next-generation protection
Then you will continue by creating several different types of endpoint security
2. Navigate to **Endpoint security > Antivirus > Create Policy**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal12.](images/6b728d6e0d71108d768e368b416ff8ba.png)
+ > :::image type="content" source="images/6b728d6e0d71108d768e368b416ff8ba.png" alt-text="The Microsoft Endpoint Manager portal12" lightbox="images/6b728d6e0d71108d768e368b416ff8ba.png":::
3. Select **Platform - Windows 10 and Later - Windows and Profile - Microsoft Defender Antivirus > Create**. 4. Enter name and description, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal13.](images/a7d738dd4509d65407b7d12beaa3e917.png)
+ > :::image type="content" source="images/a7d738dd4509d65407b7d12beaa3e917.png" alt-text="The Microsoft Endpoint Manager portal13" lightbox="images/a7d738dd4509d65407b7d12beaa3e917.png":::
5. In the **Configuration settings page**: Set the configurations you require for Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time Protection, and Remediation). > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal14.](images/3840b1576d6f79a1d72eb14760ef5e8c.png)
+ > :::image type="content" source="images/3840b1576d6f79a1d72eb14760ef5e8c.png" alt-text="The Microsoft Endpoint Manager portal14" lightbox="images/3840b1576d6f79a1d72eb14760ef5e8c.png":::
6. Add scope tags if necessary, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal15.](images/2055e4f9b9141525c0eb681e7ba19381.png)
+ > :::image type="content" source="images/2055e4f9b9141525c0eb681e7ba19381.png" alt-text="The Microsoft Endpoint Manager portal15" lightbox="images/2055e4f9b9141525c0eb681e7ba19381.png":::
7. Select groups to include, assign to your test group, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal16.](images/48318a51adee06bff3908e8ad4944dc9.png)
+ > :::image type="content" source="images/48318a51adee06bff3908e8ad4944dc9.png" alt-text="The Microsoft Endpoint Manager portal16" lightbox="images/48318a51adee06bff3908e8ad4944dc9.png":::
8. Review and create, then select **Create**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal17.](images/dfdadab79112d61bd3693d957084b0ec.png)
+ > :::image type="content" source="images/dfdadab79112d61bd3693d957084b0ec.png" alt-text="The Microsoft Endpoint Manager portal17" lightbox="images/dfdadab79112d61bd3693d957084b0ec.png":::
9. You'll see the configuration policy you created. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal18.](images/38180219e632d6e4ec7bd25a46398da8.png)
+ > :::image type="content" source="images/38180219e632d6e4ec7bd25a46398da8.png" alt-text="The Microsoft Endpoint Manager portal18" lightbox="images/38180219e632d6e4ec7bd25a46398da8.png":::
### Attack Surface Reduction - Attack surface reduction rules
Then you will continue by creating several different types of endpoint security
rules > Create**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal19.](images/522d9bb4288dc9c1a957392b51384fdd.png)
+ > :::image type="content" source="images/522d9bb4288dc9c1a957392b51384fdd.png" alt-text="The Microsoft Endpoint Manager portal19" lightbox="images/522d9bb4288dc9c1a957392b51384fdd.png":::
5. Enter a name and description, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal20.](images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png)
+ > :::image type="content" source="images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png" alt-text="The Microsoft Endpoint Manager portal20" lightbox="images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png":::
6. In the **Configuration settings page**: Set the configurations you require for Attack surface reduction rules, then select **Next**.
Then you will continue by creating several different types of endpoint security
> For more information, see [Attack surface reduction rules](attack-surface-reduction.md). > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal21.](images/dd0c00efe615a64a4a368f54257777d0.png)
+ > :::image type="content" source="images/dd0c00efe615a64a4a368f54257777d0.png" alt-text="The Microsoft Endpoint Manager portal21" lightbox="images/dd0c00efe615a64a4a368f54257777d0.png":::
7. Add Scope Tags as required, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal22.](images/6daa8d347c98fe94a0d9c22797ff6f28.png)
+ > :::image type="content" source="images/6daa8d347c98fe94a0d9c22797ff6f28.png" alt-text="The Microsoft Endpoint Manager portal22" lightbox="images/6daa8d347c98fe94a0d9c22797ff6f28.png":::
8. Select groups to include and assign to test group, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal23.](images/45cefc8e4e474321b4d47b4626346597.png)
+ > :::image type="content" source="images/45cefc8e4e474321b4d47b4626346597.png" alt-text="The Microsoft Endpoint Manager portal23" lightbox="images/45cefc8e4e474321b4d47b4626346597.png":::
9. Review the details, then select **Create**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal24.](images/2c2e87c5fedc87eba17be0cdeffdb17f.png)
+ > :::image type="content" source="images/2c2e87c5fedc87eba17be0cdeffdb17f.png" alt-text="The Microsoft Endpoint Manager portal24" lightbox="images/2c2e87c5fedc87eba17be0cdeffdb17f.png":::
10. View the policy. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal25.](images/7a631d17cc42500dacad4e995823ffef.png)
+ > :::image type="content" source="images/7a631d17cc42500dacad4e995823ffef.png" alt-text="The Microsoft Endpoint Manager portal25" lightbox="images/7a631d17cc42500dacad4e995823ffef.png":::
### Attack Surface Reduction - Web Protection
Then you will continue by creating several different types of endpoint security
4. Select **Windows 10 and Later - Web protection > Create**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal26.](images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png)
+ > :::image type="content" source="images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png" alt-text="The Microsoft Endpoint Manager portal26" lightbox="images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png":::
5. Enter a name and description, then select **Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal27.](images/5be573a60cd4fa56a86a6668b62dd808.png)
+ > :::image type="content" source="images/5be573a60cd4fa56a86a6668b62dd808.png" alt-text="The Microsoft Endpoint Manager portal27" lightbox="images/5be573a60cd4fa56a86a6668b62dd808.png":::
6. In the **Configuration settings page**: Set the configurations you require for Web Protection, then select **Next**.
Then you will continue by creating several different types of endpoint security
> For more information, see [Web Protection](web-protection-overview.md). > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal28.](images/6104aa33a56fab750cf30ecabef9f5b6.png)
+ > :::image type="content" source="images/6104aa33a56fab750cf30ecabef9f5b6.png" alt-text="The Microsoft Endpoint Manager portal28" lightbox="images/6104aa33a56fab750cf30ecabef9f5b6.png":::
7. Add **Scope Tags as required > Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal29.](images/6daa8d347c98fe94a0d9c22797ff6f28.png)
+ > :::image type="content" source="images/6daa8d347c98fe94a0d9c22797ff6f28.png" alt-text="The Microsoft Endpoint Manager portal29" lightbox="images/6daa8d347c98fe94a0d9c22797ff6f28.png":::
8. Select **Assign to test group > Next**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal30.](images/45cefc8e4e474321b4d47b4626346597.png)
+ > :::image type="content" source="images/45cefc8e4e474321b4d47b4626346597.png" alt-text="The Microsoft Endpoint Manager portal30" lightbox="images/45cefc8e4e474321b4d47b4626346597.png":::
9. Select **Review and Create > Create**. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal31.](images/8ee0405f1a96c23d2eb6f737f11c1ae5.png)
+ > :::image type="content" source="images/8ee0405f1a96c23d2eb6f737f11c1ae5.png" alt-text="The Microsoft Endpoint Manager portal31" lightbox="images/8ee0405f1a96c23d2eb6f737f11c1ae5.png":::
10. View the policy. > [!div class="mx-imgBorder"]
- > ![Image of Microsoft Endpoint Manager portal32.](images/e74f6f6c150d017a286e6ed3dffb7757.png)
+ > :::image type="content" source="images/e74f6f6c150d017a286e6ed3dffb7757.png" alt-text="The Microsoft Endpoint Manager portal32" lightbox="images/e74f6f6c150d017a286e6ed3dffb7757.png":::
## Validate configuration settings
To confirm that the configuration policy has been applied to your test device, f
steps above. The following example shows the next generation protection settings. > [!div class="mx-imgBorder"]
- > [![Image of Microsoft Endpoint Manager portal33.](images/43ab6aa74471ee2977e154a4a5ef2d39.png)](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox)
+ > [![Image of Microsoft Endpoint Manager portal33.](images/43ab6aa74471ee2977e154a4a5ef2d39.png)](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox)
2. Select the **Configuration Policy** to view the policy status.
To confirm that the configuration policy has been applied to your test device, f
manage the settings as shown below. > [!div class="mx-imgBorder"]
- > ![Image of setting page1.](images/88efb4c3710493a53f2840c3eac3e3d3.png)
+ > :::image type="content" source="images/88efb4c3710493a53f2840c3eac3e3d3.png" alt-text="The settings page-1" lightbox="images/88efb4c3710493a53f2840c3eac3e3d3.png":::
2. After the policy has been applied, you should not be able to manually manage the settings.
To confirm that the configuration policy has been applied to your test device, f
> **Turn on real-time protection** are being shown as managed. > [!div class="mx-imgBorder"]
- > ![Image of setting page2.](images/9341428b2d3164ca63d7d4eaa5cff642.png)
+ > :::image type="content" source="images/9341428b2d3164ca63d7d4eaa5cff642.png" alt-text="The settings page-2" lightbox="images/9341428b2d3164ca63d7d4eaa5cff642.png":::
### Confirm Attack Surface Reduction - Attack surface reduction rules
To confirm that the configuration policy has been applied to your test device, f
> > AttackSurfaceReductionRules_Ids:
- ![Image of command line1.](images/cb0260d4b2636814e37eee427211fe71.png)
+ :::image type="content" source="images/cb0260d4b2636814e37eee427211fe71.png" alt-text="The command line-1" lightbox="images/cb0260d4b2636814e37eee427211fe71.png":::
3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`. 4. This should respond with the following lines with content as shown below:
- ![Image of command line2.](images/619fb877791b1fc8bc7dfae1a579043d.png)
+ :::image type="content" source="images/619fb877791b1fc8bc7dfae1a579043d.png" alt-text="The command line-2" lightbox="images/619fb877791b1fc8bc7dfae1a579043d.png":::
### Confirm Attack Surface Reduction - Web Protection
To confirm that the configuration policy has been applied to your test device, f
2. This should respond with a 0 as shown below.
- ![Image of command line3.](images/196a8e194ac99d84221f405d0f684f8c.png)
+ :::image type="content" source="images/196a8e194ac99d84221f405d0f684f8c.png" alt-text="The command line-3" lightbox="images/196a8e194ac99d84221f405d0f684f8c.png":::
3. After applying the policy, open a PowerShell Windows and type `(Get-MpPreference).EnableNetworkProtection`. 4. This should respond with a 1 as shown below.
- ![Image of command line4.](images/c06fa3bbc2f70d59dfe1e106cd9a4683.png)
+ :::image type="content" source="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png" alt-text="The command line-4" lightbox="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png":::
security Onboarding Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md
You'll need to have access to:
2. Navigate to **My flows > New > Scheduled - from blank**.
- ![Image of flow.](images/new-flow.png)
+ :::image type="content" source="images/new-flow.png" alt-text="The flow" lightbox="images/new-flow.png":::
+ 3. Build a scheduled flow. 1. Enter a flow name. 2. Specify the start and time. 3. Specify the frequency. For example, every 5 minutes.
- ![Image of the notification flow.](images/build-flow.png)
+ :::image type="content" source="images/build-flow.png" alt-text="The notification flow" lightbox="images/build-flow.png":::
4. Select the + button to add a new action. The new action will be an HTTP request to the Defender for Endpoint security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines").
- ![Image of recurrence and add action.](images/recurrence-add.png)
+ :::image type="content" source="images/recurrence-add.png" alt-text="The recurrence and add action" lightbox="images/recurrence-add.png":::
5. Enter the following HTTP fields:
You'll need to have access to:
- Credential Type: Select "Secret". - Secret: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value.
- ![Image of the HTTP conditions.](images/http-conditions.png)
+ :::image type="content" source="images/http-conditions.png" alt-text="The HTTP conditions" lightbox="images/http-conditions.png":::
6. Add a new step by selecting **Add new action** then search for **Data Operations** and select **Parse JSON**.
- ![Image of data operations.](images/data-operations.png)
+ :::image type="content" source="images/data-operations.png" alt-text="The data operations entry" lightbox="images/data-operations.png":::
7. Add Body in the **Content** field.
- ![Image of parse JSON.](images/parse-json.png)
+ :::image type="content" source="images/parse-json.png" alt-text="The parse JSON section" lightbox="images/parse-json.png":::
8. Select the **Use sample payload to generate schema** link.
- ![Image of parse json with payload.](images/parse-json-schema.png)
+ :::image type="content" source="images/parse-json-schema.png" alt-text="The parse JSON with payload" lightbox="images/parse-json-schema.png":::
9. Copy and paste the following JSON snippet:
You'll need to have access to:
- If yes, no notification will be triggered - If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Defender for Endpoint admin
- ![Image of apply to each.](images/flow-apply.png)
+ :::image type="content" source="images/flow-apply.png" alt-text="The application of the flow to each element" lightbox="images/flow-apply.png":::
- ![Image of apply to each with get items.](images/apply-to-each.png)
+ :::image type="content" source="images/apply-to-each.png" alt-text="The application of the flow to the Get items element" lightbox="images/apply-to-each.png":::
11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0.
- ![Image of apply to each condition.](images/apply-to-each-value.png)
- ![Image of condition1.](images/conditions-2.png)
- ![Image of condition2.](images/condition3.png)
- ![Image of send email.](images/send-email.png)
+ :::image type="content" source="images/apply-to-each-value.png" alt-text="The application of the flow to each condition" lightbox="images/apply-to-each-value.png":::
+ :::image type="content" source="images/conditions-2.png" alt-text="The condition-1" lightbox="images/conditions-2.png":::
+ :::image type="content" source="images/condition3.png" alt-text="The condition-2" lightbox="images/condition3.png":::
+ :::image type="content" source="images/send-email.png" alt-text="The Send an email section" lightbox="images/send-email.png":::
## Alert notification The following image is an example of an email notification.
-![Image of email notification.](images/alert-notification.png)
## Tips
security Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md
These are the steps you need to take to deploy Defender for Endpoint:
- Step 1: Onboard endpoints to the service - Step 2: Configure capabilities
-![Illustration of the deployment steps](images/deployment-steps.png)
+
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
For more information about releases, see [Windows 10 release information](/windo
### Turn tamper protection on (or off) in the Microsoft 365 Defender portal 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
If your organization uses Microsoft Endpoint Manager (MEM) you can turn tamper p
### Turn tamper protection on (or off) in Microsoft Endpoint Manager
-![Turn tamper protection on with Endpoint Manager.](images/turnontamperprotectinmem.png)
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** \> **Antivirus**, and then choose **+ Create Policy**.
If you are a home user, or you are not subject to settings managed by a security
Here's what you see in the Windows Security app:
-![Tamper protection turned on in Windows 10 Home.](images/tamperprotectionturnedon.png)
1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**.
Tampering attempts typically indicate bigger cyberattacks. Bad actors try to cha
When a tampering attempt is detected, an alert is raised in the [Microsoft 365 Defender portal](/microsoft-365/security/defender-endpoint/portal-overview) ([https://security.microsoft.com](https://security.microsoft.com)).
-![Microsoft 365 Defender.](images/tamperattemptalert.png)
Using [endpoint detection and response](overview-endpoint-detection-response.md) and [advanced hunting](advanced-hunting-overview.md) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
Using [endpoint detection and response](overview-endpoint-detection-response.md)
Tamper protection integrates with [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) capabilities. [Security recommendations](tvm-security-recommendation.md) include making sure tamper protection is turned on. For example, you can search on *tamper*. In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.
-![Turn on tamper protection.](images/tamperprotectsecurityrecos.png)
To learn more about Threat & Vulnerability Management, see [Dashboard insights - threat and vulnerability management](tvm-dashboard-insights.md#dashboard-insightsthreat-and-vulnerability-management).
security Prevent End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md
In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender
With the setting set to **Enabled**: With the setting set to **Disabled** or not configured: > [!NOTE] > Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app." ## Use Group Policy to hide the Microsoft Defender AV interface from users
security Preview Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview-settings.md
Turn on the preview experience setting to be among the first to try upcoming fea
1. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features**.
- :::image type="content" source="../../media/atp-preview-features-new.png" alt-text="settings and preview experience image.":::
+ :::image type="content" source="../../media/atp-preview-features-new.png" alt-text="The settings and preview experience" lightbox="../../media/atp-preview-features-new.png":::
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
security Printer Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection.md
For Intune, currently Device Control Printer Protection supports OMA-URI only.
The CSP support string with `<enabled/>`: ### Scenario 2: Allow specific approved USB printers using Intune
The CSP support string with `<enabled/>`:
The CSP support string with approved USB printers via 'ApprovedUsbPrintDevices' property, example `<enabled><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>`: ## Deploy policy via Group Policy
If the device isn't Intune joined, you can also deploy the policy via Group Poli
User Configuration \> Administrative Templates \> Control Panel \> Printers: Enable Device control Printing Restrictions ### Scenario 2: Allow specific approved USB printers using Group Policy
If the device isn't Intune joined, you can also deploy the policy via Group Poli
User Configuration \> Administrative Templates \> Control Panel \> Printers: List of Approved USB-connected print devices ## View Device Control Printer Protection data in Microsoft Defender for Endpoint portal
DeviceEvents
| order by Timestamp desc ```
- :::image type="content" source="../../media/device-control-advanced-hunting.png" alt-text="advanced hunting.":::
+ :::image type="content" source="../../media/device-control-advanced-hunting.png" alt-text="advanced hunting" lightbox="../../media/device-control-advanced-hunting.png":::
You can use the PnP event to find the USB printer used in the organization:
DeviceEvents
| order by Timestamp desc ```
- :::image type="content" source="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png" alt-text="advanced hunting":::
+ :::image type="content" source="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png" alt-text="The Advanced Hunting page" lightbox="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png":::
security Production Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md
ms.technology: mde
Deploying Defender for Endpoint is a three-phase process:
-|[![deployment phase - prepare.](images/phase-diagrams/prepare.png)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | ![deployment phase - setup](images/phase-diagrams/setup.png)<br>Phase 2: Setup | [![deployment phase - onboard](images/phase-diagrams/onboard.png)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md)|
+|[![deployment phase - prepare.](images/phase-diagrams/prepare.png#lightbox)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | ![deployment phase - setup](images/phase-diagrams/setup.png#lightbox)<br>Phase 2: Setup | [![deployment phase - onboard](images/phase-diagrams/onboard.png#lightbox)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md)|
|||| ||*You are here!*||
Checking for the license state and whether it got properly provisioned, can be d
1. To view your licenses, go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
- ![Image of Azure Licensing page.](images/atp-licensing-azure-portal.png)
+ :::image type="content" source="images/atp-licensing-azure-portal.png" alt-text="The Azure Licensing page" lightbox="images/atp-licensing-azure-portal.png":::
1. Alternately, in the admin center, navigate to **Billing** \> **Subscriptions**. On the screen, you'll see all the provisioned licenses and their current **Status**.
- ![Image of billing licenses.](images/atp-billing-subscriptions.png)
+ :::image type="content" source="images/atp-billing-subscriptions.png" alt-text="The billing licenses page" lightbox="images/atp-billing-subscriptions.png":::
## Cloud Service Provider validation
To gain access into which licenses are provisioned to your company, and to check
2. Clicking on the **Partner portal** link will open the **Admin on behalf** option and will give you access to the customer admin center.
- ![Image of O365 admin portal.](images/atp-O365-admin-portal-customer.png)
+ :::image type="content" source="images/atp-O365-admin-portal-customer.png" alt-text="The Office 365 admin portal" lightbox="images/atp-O365-admin-portal-customer.png":::
## Tenant Configuration
Configure a registry-based static proxy to allow only Microsoft Defender for End
2. Create a policy or edit an existing policy based off the organizational practices. 3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
- ![Image of Group Policy configuration.](images/atp-gpo-proxy1.png)
+ :::image type="content" source="images/atp-gpo-proxy1.png" alt-text="The options related to configuration of the usage policy" lightbox="images/atp-gpo-proxy1.png":::
4. Select **Enabled**. 5. Select **Disable Authenticated Proxy usage**. 6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.
- ![Image of Group Policy configuration setting.](images/atp-gpo-proxy2.png)
+ :::image type="content" source="images/atp-gpo-proxy2.png" alt-text="The options related to configuration of the connected user experience and telemetry" lightbox="images/atp-gpo-proxy2.png":::
7. Select **Enabled**. 8. Enter the **Proxy Server Name**.
The following downloadable spreadsheet lists the services and their associated U
|Spreadsheet of domains list| Description| |||
-|Microsoft Defender for Endpoint URL list for commercial customers | Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx)
-| Microsoft Defender for Endpoint URL list for Gov/GCC/DoD customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for Gov/GCC/DoD customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/e-urls-gov.xlsx)
+|:::image type="content" source="images/mdatp-urls.png" alt-text="The Microsoft Defender for Endpoint URLs spreadsheet" lightbox="images/mdatp-urls.png":::|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)|
| ## Next step
-![**Phase 3: Onboard**.](images/onboard.png) <br> [Phase 3: Onboard](onboarding.md): Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them.
+[![**Phase 3: Onboard**.](images/onboard.png#lightbox)] <br> [Phase 3: Onboard](onboarding.md): Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them.
security Raw Data Export Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-event-hub.md
In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab \> copy the text under **Resource ID**:
- :::image type="content" alt-text="Image of event hub resource Id1." source="images/event-hub-resource-id.png" lightbox="images/event-hub-resource-id.png":::
+ :::image type="content" source="images/event-hub-resource-id.png" alt-text="The Event Hubs resource Id-1" lightbox="images/event-hub-resource-id.png":::
7. Choose the events you want to stream and click **Save**.
To get the data types for event properties do the following:
- Here is an example for Device Info event:
- ![Image of event hub resource Id2.](images/machine-info-datatype-example.png)
+ :::image type="content" source="images/machine-info-datatype-example.png" alt-text="The Event Hubs resource Id-2" lightbox="images/machine-info-datatype-example.png":::
## Related topics
security Raw Data Export Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-storage.md
6. Type your **Storage Account Resource ID**. In order to get your **Storage Account Resource ID**, go to your Storage account page on [Azure portal](https://ms.portal.azure.com/) \> properties tab \> copy the text under **Storage account resource ID**:
- :::image type="content" alt-text="Image of event hub resource ID1." source="images/storage-account-resource-id.png" lightbox="images/storage-account-resource-id.png":::
+ :::image type="content" source="images/storage-account-resource-id.png" alt-text="The Event Hubs with resource ID1" lightbox="images/storage-account-resource-id.png":::
7. Choose the events you want to stream and click **Save**.
- A blob container will be created for each event type:
- :::image type="content" alt-text="Image of event hub resource ID2." source="images/storage-account-event-schema.png" lightbox="images/storage-account-event-schema.png":::
+ :::image type="content" source="images/storage-account-event-schema.png" alt-text="The Event Hubs with resource ID2" lightbox="images/storage-account-event-schema.png":::
- The schema of each row in a blob is the following JSON:
In order to get the data types for our events properties do the following:
- Here is an example for Device Info event:
- ![Image of event hub resource ID3.](images/data-types-mapping-query.png)
+ :::image type="content" source="images/data-types-mapping-query.png" alt-text="The Event Hubs with resource ID3" lightbox="images/data-types-mapping-query.png":::
## Related topics
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
You can also submit files for deep analysis, to run the file in a secure cloud s
Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files:
-<br>
-
-****
- |Permission|PE files|Non-PE files| ||::|::| |View data|X|X| |Alerts investigation|&#x2611;|X| |Live response basic|X|X| |Live response advanced|&#x2611;|&#x2611;|
-|
For more information on roles, see [Create and manage roles for role-based access control](user-roles.md).
This action takes effect on devices with Windows 10, version 1703 or later, and
2. Go to the top bar and select **Stop and Quarantine File**.
- ![Image of stop and quarantine file action.](images/atp-stop-quarantine-file.png)
+ :::image type="content" source="images/atp-stop-quarantine-file.png" alt-text="The stop and quarantine file action" lightbox="images/atp-stop-quarantine-file.png":::
3. Specify a reason, then select **Confirm**.
- ![Image of stop and quarantine file modal window.](images/atp-stop-quarantine.png)
+ :::image type="content" source="images/atp-stop-quarantine.png" alt-text="The stop and quarantine file page" lightbox="images/atp-stop-quarantine.png":::
The Action center shows the submission information:
- ![Image of stop and quarantine file action center.](images/atp-stopnquarantine-file.png)
+ :::image type="content" source="images/atp-stopnquarantine-file.png" alt-text="The stop and quarantine file action center" lightbox="images/atp-stopnquarantine-file.png":::
- **Submission time** - Shows when the action was submitted. - **Success** - Shows the number of devices where the file has been stopped and quarantined.
This action takes effect on devices with Windows 10, version 1703 or later, and
When the file is being removed from a device, the following notification is shown:
-![Image of notification on device user.](images/atp-notification-file.png)
In the device timeline, a new event is added for each device where a file was stopped and quarantined.
Selecting **Download file** from the response actions allows you to download a l
By default, you should be able to download files that are in quarantine.
-![Image of download file action.](images/atp-download-file-action.png)
### Download quarantined files
The **Action center** provides information on actions that were taken on a devic
All other related details are also shown, such as submission date/time, submitting user, and if the action succeeded or failed.
-![Image of action center with information.](images/action-center-details.png)
## Deep analysis
Use the deep analysis feature to investigate the details of any file, usually du
> [!NOTE] > Only files from Windows 10 and Windows 11 can be automatically collected.
-You can also submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file wasn't observed on a Windows 10 device (or Windows 11), and wait for **Submit for deep analysis** button to become available.
+You can also submit a sample through the [Microsoft 365 Defender Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file wasn't observed on a Windows 10 device (or Windows 11), and wait for **Submit for deep analysis** button to become available.
> [!NOTE]
-> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint.
+> Due to backend processing flows in the Microsoft 365 Defender Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Defender for Endpoint.
### Submit files for deep analysis
You can also submit a sample through the [Microsoft Security Center Portal](http
2. In the **Deep analysis** tab of the file view, select **Submit**.
- ![You can only submit PE files in the file details section.](images/submit-file.png)
+ :::image type="content" source="images/submit-file.png" alt-text="The submit PE files button" lightbox="images/submit-file.png":::
> [!NOTE] > Only PE files are supported, including _.exe_ and _.dll_ files.
The details provided can help you investigate if there are indications of a pote
1. Select the file you submitted for deep analysis. 2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab.
- ![The deep analysis report shows detailed information across a number of categories.](images/analysis-results-nothing500.png)
+ :::image type="content" source="images/analysis-results-nothing500.png" alt-text="The deep analysis report showing detailed information across a number of categories" lightbox="images/analysis-results-nothing500.png":::
#### Troubleshoot deep analysis
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
Response actions run along the top of a specific device page and include:
[![Image of response actions.](images/response-actions.png)](images/response-actions.png#lightbox) + You can find device pages from any of the following views: - **Security operations dashboard** - Select a device name from the Devices at risk card.
Alternate way:
1. Select **Action center** from the response actions section of the device page.
- ![Image of action center button.](images/action-center-package-collection.png)
+ :::image type="content" source="images/action-center-package-collection.png" alt-text="The Action center option" lightbox="images/action-center-package-collection.png":::
2. In the Action center fly-out, select **Package collection package available** to download the zip file.
- ![Image of download package button.](images/collect-package.png)
+ :::image type="content" source="images/collect-package.png" alt-text="The download package option" lightbox="images/collect-package.png":::
The package contains the following folders:
As part of the investigation or response process, you can remotely initiate an a
One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.
-![Image of notification to select quick scan or full scan and add comment.](images/run-antivirus.png)
The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan.
To restrict an application from running, a code integrity policy is applied that
Once you have selected **Restrict app execution** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.
-![Image of app restriction notification.](images/restrict-app-execution.png)
### Notification on device user When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
-![Image of app restriction.](images/atp-app-restriction.png)
>[!NOTE] >The notification is not available on Windows Server 2016 and Windows Server 2012 R2.
On Windows 10, version 1709 or later, you'll have more control over the network
Once you have selected **Isolate device** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.
-![Image of isolate device.](images/isolate-device.png)
> [!NOTE] > The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.
Once you have selected **Isolate device** on the device page, type a comment and
When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network:
-![Image of no network connection.](images/atp-notification-isolate.png)
## Consult a threat expert
The **Action center** provides information on actions that were taken on a devic
All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
-![Image of action center with information.](images/action-center-details.png)
+ ## See also
security Review Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-alerts.md
Note the detection status for your alert.
- Prevented: The attempted suspicious action was avoided. For example, a file either wasn't written to disk or executed.
- ![An alert page showing threat was prevented.](images/detstat-prevented.png)
+ :::image type="content" source="images/detstat-prevented.png" alt-text="The page showing the prevention of a threat" lightbox="images/detstat-prevented.png":::
- Blocked: Suspicious behavior was executed and then blocked. For example, a process was executed but because it subsequently exhibited suspicious behaviors, the process was terminated.
- ![An alert page showing threat was blocked.](images/detstat-blocked.png)
+ :::image type="content" source="images/detstat-blocked.png" alt-text="The page showing the blockage of a threat" lightbox="images/detstat-blocked.png":::
- Detected: An attack was detected and is possibly still active.
- ![An alert page showing threat was detected.](images/detstat-detected.png)
+ :::image type="content" source="images/detstat-detected.png" alt-text="The page showing the detection of a threat" lightbox="images/detstat-detected.png":::
You can then also review the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions.
-![A snippet of the details pane with the alert description and automatic investigation sections highlighted.](images/alert-air-and-alert-description.png)
Other information available in the details pane when the alert opens includes MITRE techniques, source, and additional contextual details.
Selecting a device or a user card in the affected assets sections will switch to
- **For devices**, the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view.
- ![A snippet of the details pane when a device is selected.](images/device-page-details.png)
+ :::image type="content" source="images/device-page-details.png" alt-text="The details pane when a device is selected" lightbox="images/device-page-details.png":::
- **For users**, the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view.
- ![A snippet of the details pane when a user is selected.](images/user-page-details.png)
+ :::image type="content" source="images/user-page-details.png" alt-text="The details pane when a user is selected" lightbox="images/user-page-details.png":::
## Related topics
security Review Scan Results Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus.md
The following cmdlet will return each detection on the endpoint. If there are mu
Get-MpThreatDetection ``` You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat
Get-MpThreat ``` See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender Antivirus cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
Open a terminal or SSH into the relevant machine and run the following commands:
Example:
-![Image of command line example.](images/4ca188f6c457e335abe3c9ad3eddda26.png)
Additional syntax help:
security Run Analyzer Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-windows.md
In addition to the above, there is also an option to [collect the analyzer suppo
All the PowerShell scripts and modules included with the analyzer are Microsoft-signed. If files have been modified in any way, then the analyzer is expected to exit with the following error:
-![Image of client analyzer error](images/sigerror.png)
If this error is shown, then the issuerInfo.txt output will contain detailed information about why that happened and what file was affected:
-![Image of issuer info](images/issuerinfo.png)
Example contents after MDEClientAnalyzer.ps1 is modified:
-![Image of modified ps1 file](images/modified-ps1.png)
security Run Detection Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-detection-test.md
Run the following PowerShell script on a newly onboarded device to verify that i
1. Right-click **Command Prompt** and select **Run as administrator**.
- ![Window Start menu pointing to Run as administrator.](images/run-as-admin.png)
-
+ :::image type="content" source="images/run-as-admin.png" alt-text="The Start menu pointing to Run as administrator" lightbox="images/run-as-admin.png":::
+
3. At the prompt, copy and run the following command: ```powershell
security Security Operations Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/security-operations-dashboard.md
The dashboard displays a snapshot of:
- Users at risk - Suspicious activities
-![Image of Security operations dashboard.](images/atp-sec-ops-dashboard.png)
You can explore and investigate alerts and devices to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
It also has clickable tiles that give visual cues on the overall health state of
You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are grouped into **New** and **In progress**.
-![Click on each slice or severity to see a list of alerts from the past 30 days.](images/active-alerts-tile.png)
Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
Each row includes an alert severity category and a short description of the aler
This tile shows you a list of devices with the highest number of active alerts. The total number of alerts for each device is shown in a circle next to the device name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
-![The Devices at risk tile shows a list of devices with the highest number of alerts, and a breakdown of the severity of the alerts.](images/devices-at-risk-tile.png)
Click the name of the device to see details about that device. For more information see, [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md).
You can also click **Devices list** at the top of the tile to go directly to the
The **Devices with sensor issues** tile provides information on the individual device's ability to provide sensor data to the Microsoft Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices.
-![Devices with sensor issues tile.](images/atp-tile-sensor-health.png)
There are two status indicators that provide information on the number of devices that are not reporting properly to the service:
When you click any of the groups, you'll be directed to devices list, filtered a
The **Service health** tile informs you if the service is active or if there are issues.
-![The Service health tile shows an overall indicator of the service.](images/status-tile.png)
For more information on the service health, see [Check the Microsoft Defender for Endpoint service health](service-status.md).
For more information on the service health, see [Check the Microsoft Defender fo
The **Daily devices reporting** tile shows a bar graph that represents the number of devices reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of devices reporting in each day.
-![Image of daily devices reporting tile.](images/atp-daily-devices-reporting.png)
## Active automated investigations You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending action**, **Waiting for device**, and **Running**.
-![Inmage of active automated investigations.](images/atp-active-investigations-tile.png)
## Automated investigations statistics This tile shows statistics related to automated investigations in the last seven days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.
-![Image of automated investigations statistics.](images/atp-automated-investigations-statistics.png)
You can click on **Automated investigations**, **Remediated investigations**, and **Alerts investigated** to navigate to the **Investigations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
You can click on **Automated investigations**, **Remediated investigations**, an
The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts.
-![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts.](images/atp-users-at-risk.png)
Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md).
security Switch To Mde Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-overview.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) If you are considering switching from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), or you are in the planning phase, use this article as a guide. This article describes the overall process of moving to Defender for Endpoint. When you make the switch to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. Then, you configure Microsoft Defender Antivirus in passive mode, and onboard your devices to Defender for Endpoint. Next, you configure your endpoint protection features, set Microsoft Defender Antivirus to active mode, and verify that everything is working correctly. Finally, you remove the non-Microsoft solution.
When you make the switch to Defender for Endpoint, you begin with your non-Micro
The process of migrating to Defender for Endpoint can be divided into three phases, as described in the following table:
-![MDE migration process.](images/phase-diagrams/migration-phases.png)
+ <br/><br/>
security Switch To Mde Phase 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-1.md
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-| ![Phase 1: Prepare.](images/phase-diagrams/prepare.png)<br/>Phase 1: Prepare | [![Phase 2: Set up](images/phase-diagrams/setup.png)](switch-to-mde-phase-2.md)<br/>[Phase 2: Set up](switch-to-mde-phase-2.md) | [![Phase 3: Onboard](images/phase-diagrams/onboard.png)](switch-to-mde-phase-3.md)<br/>[Phase 3: Onboard](switch-to-mde-phase-3.md) |
+| ![Phase 1: Prepare.](images/phase-diagrams/prepare.png#lightbox)<br/>Phase 1: Prepare | [![Phase 2: Set up](images/phase-diagrams/setup.png#lightbox)](switch-to-mde-phase-2.md)<br/>[Phase 2: Set up](switch-to-mde-phase-2.md) | [![Phase 3: Onboard](images/phase-diagrams/onboard.png#lightbox)](switch-to-mde-phase-3.md)<br/>[Phase 3: Onboard](switch-to-mde-phase-3.md) |
|--|--|--| |*You are here!*| | |
security Switch To Mde Phase 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-|[![Phase 1: Prepare.](images/phase-diagrams/prepare.png)](switch-to-mde-phase-1.md)<br/>[Phase 1: Prepare](switch-to-mde-phase-1.md)|![Phase 2: Set up.](images/phase-diagrams/setup.png)<br/>Phase 2: Set up|[![Phase 3: Onboard3.](images/phase-diagrams/onboard.png)](switch-to-mde-phase-3.md)<br/>[Phase 3: Onboard](switch-to-mde-phase-3.md)|
+|[![Phase 1: Prepare.](images/phase-diagrams/prepare.png#lightbox)](switch-to-mde-phase-1.md)<br/>[Phase 1: Prepare](switch-to-mde-phase-1.md)|![Phase 2: Set up.](images/phase-diagrams/setup.png#lightbox)<br/>Phase 2: Set up|[![Phase 3: Onboard3.](images/phase-diagrams/onboard.png#lightbox)](switch-to-mde-phase-3.md)<br/>[Phase 3: Onboard](switch-to-mde-phase-3.md)|
|||| ||*You are here!*||
security Switch To Mde Phase 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-| [![Phase 1: Prepare3.](images/phase-diagrams/prepare.png)](switch-to-mde-phase-1.md)<br/>[Phase 1: Prepare](switch-to-mde-phase-1.md) | [![Phase 2: Set up](images/phase-diagrams/setup.png)](switch-to-mde-phase-2.md)<br/>[Phase 2: Set up](switch-to-mde-phase-2.md) | ![Phase 3: Onboard](images/phase-diagrams/onboard.png)<br/>Phase 3: Onboard |
+| [![Phase 1: Prepare3.](images/phase-diagrams/prepare.png#lightbox)](switch-to-mde-phase-1.md)<br/>[Phase 1: Prepare](switch-to-mde-phase-1.md) | [![Phase 2: Set up](images/phase-diagrams/setup.png#lightbox)](switch-to-mde-phase-2.md)<br/>[Phase 2: Set up](switch-to-mde-phase-2.md) | ![Phase 3: Onboard](images/phase-diagrams/onboard.png#lightbox)<br/>Phase 3: Onboard |
|--|--|--| || |*You are here!* |
security Techniques Device Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/techniques-device-timeline.md
This feature simplifies the investigation experience by helping analysts underst
For public preview, Techniques are available by default and shown together with events when a device's timeline is viewed.
-![Techniques in device timeline screenshot.](images/device-timeline-2.png)
Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appear as tags under Additional information.
Select the specific *Attack technique* to open the related ATT&CK technique page
You can copy an entity's details when you see a blue icon on the right. For instance, to copy a related file's SHA1, select the blue page icon.
-![Copy entity details.](images/techniques-side-pane-clickable.png)
You can do the same for command lines.
-![Copy command line.](images/techniques-side-pane-command.png)
## Investigate related events To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select **Hunt for related events**. This leads to the advanced hunting page with a query to find events related to the Technique.
-![Hunt for related events.](images/techniques-hunt-for-related-events.png)
> [!NOTE] > Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results.
You can customize which columns to expose. You can also filter for flagged event
You can choose which columns to expose in the timeline by selecting the **Choose columns** button.
-![Customize columns.](images/filter-customize-columns.png)
+ From there you can select which information set to include.
From there you can select which information set to include.
To view only either events or techniques, select **Filters** from the device timeline and choose your preferred Data type to view.
-![Filters screenshot.](images/device-timeline-filters.png)
## See also
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports.md
ms.technology: mde
Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the **Analyst report** tab.
-![Image of the analyst report section of a threat analytics report.](images/ta-analyst-report-small.png)
_Analyst report section of a threat analytics report_
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics.md
The threat analytics dashboard is a great jump off point for getting to the repo
Select a threat from the dashboard to view the report for that threat.
-![Image of a threat analytics dashboard.](images/ta_dashboard.png)
## View a threat analytics report
Each threat analytics report provides information in three sections: **Overview*
The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.
-![Image of the overview section of a threat analytics report.](images/ta-overview.png)
_Overview section of a threat analytics report_ #### Assess the impact to your organization
In the **Mitigations** section, review the list of specific actionable recommend
Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report.
-![Image of the mitigations section of a threat analytics report.](images/ta-mitigations.png)
+ _Mitigations section of a threat analytics report_
security Threat And Vuln Mgt Event Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-and-vuln-mgt-event-timeline.md
In the threat and vulnerability management dashboard, hover over the Exposure sc
If there are no events that affect your devices or your score for devices, then none will be shown.
-![Exposure score hover.](images/tvm-event-timeline-exposure-score350.png)
-![Microsoft Secure Score for Devices hover.](images/tvm-event-timeline-device-hover360.png)
### Drill down to events from that day Selecting **Show all events from this day** takes you to the Event timeline page with a custom date range for that day.
-![Event timeline selected custom date range.](images/tvm-event-timeline-drilldown.png)
Select **Custom range** to change the date range to another custom one, or a pre-set time range.
-![Event timeline date range options.](images/tvm-event-timeline-dates.png)
## Event timeline overview
Features:
The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events.
-![Event timeline page.](images/tvm-event-timeline-overview-mixed-type.png)
### Columns
Once you select an event, a flyout will appear with a list of the details and cu
The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means devices are more vulnerable to exploitation.
-![Event timeline flyout.](images/tvm-event-timeline-flyout500.png)
From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can submit a remediation request, and track the request in the [remediation page](tvm-remediation.md).
To open a software page, select an event > select the hyperlinked software name
A full page will appear with all the details of a specific software. Mouse over the graph to see the timeline of events for that specific software.
-![Software page with an Event timeline graph.](images/tvm-event-timeline-software2.png)
Navigate to the event timeline tab to view all the events related to that software. You can also see security recommendations, discovered vulnerabilities, installed devices, and version distribution.
-![Software page with an Event timeline tab.](images/tvm-event-timeline-software-pages.png)
## Related topics
security Threat Protection Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md
The threat protection report provides high-level information about alerts genera
The dashboard is structured into two sections:
-![Image of the threat protection report.](images/threat-protection-reports.png)
Section|Description |
security Time Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/time-settings.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-settings-abovefoldlink)
-Use the **Time zone** menu ![Time zone settings icon1.](images/atp-time-zone.png) to configure the time zone and view license information.
+Use the **Time zone** menu to configure the time zone and view license information.
## Time zone settings
Cyberforensic investigations often rely on time stamps to piece together the seq
Microsoft Defender for Endpoint can display either Coordinated Universal Time (UTC) or local time.
-Your current time zone setting is shown in the Microsoft Defender settings. You can change the displayed time zone in the **Time zone** menu Under **Settings > Security center**.
+Your current time zone setting is shown in the Microsoft Defender for Endpoint menu. You can change the displayed time zone in the **Time zone** menu.
+ ### UTC time zone
The Microsoft Defender for Endpoint time zone is set by default to UTC. Setting
To set the time zone:
-1. Click the **Settings** menu in the [Microsoft 365 Defender Portal](https://security.microsoft.com/) ![Time zone settings icon3.](images/atp-time-zone.png).
-2. Select **Security center**.
-3. Select **Timezone** and set the time zone to either UTC or your local time zone.
+1. Click the **Time zone** menu.
+ :::image type="content" source="images/atp-time-zone.png" alt-text="The Time zone settings-3" lightbox="images/atp-time-zone.png":::
+1. Select the **Timezone UTC** indicator.
+1. Select **Timezone UTC** or your local time zone, for example -7:00.
### Regional settings
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">
In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, we offer you a complete look at the current ASR rules configuration and events in your estate. Note that your devices must be onboarded into the Microsoft Defender for Endpoint service for these reports to be populated. Here's a screenshot from the Microsoft 365 Defender portal (under **Reports** \> **Devices** \> **Attack surface reduction**). At the device level, select **Configuration** from the **Attack surface reduction rules** pane. The following screen is displayed, where you can select a specific device and check its individual ASR rule configuration. ## Microsoft Defender for Endpoint - Advanced hunting
Through advanced hunting, it's possible to extract ASR rules information, create
ASR rules events are available to be queried from the DeviceEvents table in the advanced hunting section of the Microsoft 365 Defender. For example, a simple query such as the one below can report all the events that have ASR rules as data source, for the last 30 days, and will summarize them by the ActionType count, that in this case it will be the actual codename of the ASR rule. With advanced hunting you can shape the queries to your liking, so that you can see what is happening, regardless of whether you want to pinpoint something on an individual machine, or you want to extract insights from your entire environment.
An alternative to advanced hunting, but with a narrower scope, is the Microsoft
Pictured below is a screenshot of the Timeline view of these events on a given endpoint. From this view, you can filter the events list based on any of the Event Groups along the right-side pane. You can also enable or disable Flagged and Verbose events while viewing alerts and scrolling through the historical timeline. ## How to troubleshoot ASR rules?
One of the easiest ways to determine if ASR rules are already enabled is through
Here's an example: There are multiple ASR rules active, with different configured actions.
Example:
Get-MPPreference | Select-Object -ExpandProperty**AttackSurfaceReductionRules_Ids ``` The above shows all the IDs for ASR rules that have a setting different from 0 (Not Configured).
The next step is then to list the actual actions (Block or Audit) that each rule
Get-MPPreference | Select-Object -ExpandProperty**AttackSurfaceReductionRules_Actions ``` ### Querying blocking and auditing events
ASR rule events can be viewed within the Windows Defender log.
To access it, open Windows Event Viewer, and browse to **Applications and Services Logs** \> **Microsoft** \> **Windows** \> **Windows Defender** \> **Operational**. ## Microsoft Defender Antimalware Protection Logs
You can find this utility in *%ProgramFiles%\Windows Defender\MpCmdRun.exe*. You
To generate the support information, type *MpCmdRun.exe -getfiles*. After a while, several logs will be packaged into an archive (MpSupportFiles.cab) and made available in *C:\ProgramData\Microsoft\Windows Defender\Support*. Extract that archive and you'll have many files available for troubleshooting purposes.
security Troubleshoot Collect Support Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md
If you also require Defender Antivirus support logs (MpSupportFiles.cab), then f
3. Select **Upload file to library**.
- ![Image of upload file.](images/upload-file.png)
+ :::image type="content" source="images/upload-file.png" alt-text="The upload file" lightbox="images/upload-file.png":::
4. Select **Choose file**.
- ![Image of choose file button1.](images/choose-file.png)
+ :::image type="content" source="images/choose-file.png" alt-text="The choose file button-1" lightbox="images/choose-file.png":::
5. Select the downloaded file named MDELiveAnalyzer.ps1 and then click on **Confirm**
- ![Image of choose file button2.](images/analyzer-file.png)
+ :::image type="content" source="images/analyzer-file.png" alt-text="The choose file button-2" lightbox="images/analyzer-file.png":::
6. While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file:
security Troubleshoot Onboarding Error Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages.md
Potential reasons:
For both cases, you should contact Microsoft support at [General Microsoft Defender for Endpoint Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or [Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
-![Image of no subscriptions found.](images/atp-no-subscriptions-found.png)
## Your subscription has expired
You can choose to renew or extend the license at any point in time. When accessi
> [!NOTE] > For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
-![Image of subscription expired.](images/atp-subscription-expired.png)
## You are not authorized to access the portal If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender for Endpoint is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. For more information, see, [**Assign user access to the portal**](/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
-![Image of not authorized to access portal.](images/atp-not-authorized-to-access-portal.png)
## Data currently isn't available on some sections of the portal If the portal dashboard and other sections show an error message such as "Data currently isn't available":
-![Image of data currently isn't available.](images/atp-data-not-available.png)
You'll need to allow the `security.windows.com` and all subdomains under it on your web browser. For example, `*.security.windows.com`.
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
If the deployment tools used does not indicate an error in the onboarding proces
5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
- ![Image of Event Viewer log filter.](images/filter-log.png)
+ :::image type="content" source="images/filter-log.png" alt-text="The Event Viewer log filter" lightbox="images/filter-log.png":::
6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
First, you should check that the service is set to start automatically when Wind
If the service is enabled, then the result should look like the following screenshot:
- ![Result of the sc query command for diagtrack.](images/windefatp-sc-qc-diagtrack.png)
+ :::image type="content" source="images/windefatp-sc-qc-diagtrack.png" alt-text="The result of the sc query command for diagtrack" lightbox="images/windefatp-sc-qc-diagtrack.png":::
If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
If the verification fails and your environment is using a proxy to connect to th
- You can also check the previous registry key values to verify that the policy is disabled, by opening the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
- ![Image of registry key for Microsoft Defender Antivirus.](images/atp-disableantispyware-regkey.png)
+ :::image type="content" source="images/atp-disableantispyware-regkey.png" alt-text="The registry key for Microsoft Defender Antivirus" lightbox="images/atp-disableantispyware-regkey.png":::
> [!NOTE] > All Windows Defender services (wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system.
You might also need to check the following:
- Check that there is a Microsoft Defender for Endpoint Service running in the **Processes** tab in **Task Manager**. For example:
- ![Image of process view with Microsoft Defender for Endpoint Service running.](images/atp-task-manager.png)
+ :::image type="content" source="images/atp-task-manager.png" alt-text="The process view with Microsoft Defender for Endpoint Service running" lightbox="images/atp-task-manager.png":::
- Check **Event Viewer** \> **Applications and Services Logs** \> **Operation Manager** to see if there are any errors. - In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example,
- ![Image of Services.](images/atp-services.png)
+ :::image type="content" source="images/atp-services.png" alt-text="The services" lightbox="images/atp-services.png":::
- In **Microsoft Monitoring Agent** \> **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running.
- ![Image of Microsoft Monitoring Agent Properties.](images/atp-mma-properties.png)
+ :::image type="content" source="images/atp-mma-properties.png" alt-text="The Microsoft Monitoring Agent Properties" lightbox="images/atp-mma-properties.png":::
- Check to see that devices are reflected in the **Devices list** in the portal.
The steps below provide guidance for the following scenario:
1. Create an application in Microsoft Endpoint Configuration Manager.
- ![Image of Microsoft Endpoint Configuration Manager configuration1.](images/mecm-1.png)
+ :::image type="content" source="images/mecm-1.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-1" lightbox="images/mecm-1.png":::
2. Select **Manually specify the application information**.
- ![Image of Microsoft Endpoint Configuration Manager configuration2.](images/mecm-2.png)
+ :::image type="content" source="images/mecm-2.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-2" lightbox="images/mecm-2.png":::
3. Specify information about the application, then select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration3.](images/mecm-3.png)
+ :::image type="content" source="images/mecm-3.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-3" lightbox="images/mecm-3.png":::
4. Specify information about the software center, then select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration4.](images/mecm-4.png)
+ :::image type="content" source="images/mecm-4.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-4" lightbox="images/mecm-4.png":::
5. In **Deployment types** select **Add**.
- ![Image of Microsoft Endpoint Configuration Manager configuration5.](images/mecm-5.png)
+ :::image type="content" source="images/mecm-5.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-5" lightbox="images/mecm-5.png":::
6. Select **Manually specify the deployment type information**, then select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration6.](images/mecm-6.png)
+ :::image type="content" source="images/mecm-6.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-6" lightbox="images/mecm-6.png":::
7. Specify information about the deployment type, then select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration7.](images/mecm-7.png)
+ :::image type="content" source="images/mecm-7.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-7" lightbox="images/mecm-7.png":::
8. In **Content** \> **Installation program** specify the command: `net start sense`.
- ![Image of Microsoft Endpoint Configuration Manager configuration8.](images/mecm-8.png)
+ :::image type="content" source="images/mecm-8.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-8" lightbox="images/mecm-8.png":::
9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**.
- ![Image of Microsoft Endpoint Configuration Manager configuration9.](images/mecm-9.png)
+ :::image type="content" source="images/mecm-9.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-9" lightbox="images/mecm-9.png":::
10. Specify the following detection rule details, then select **OK**:
- ![Image of Microsoft Endpoint Configuration Manager configuration10.](images/mecm-10.png)
+ :::image type="content" source="images/mecm-10.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-10" lightbox="images/mecm-10.png":::
11. In **Detection method** select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration11.](images/mecm-11.png)
+ :::image type="content" source="images/mecm-11.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-11" lightbox="images/mecm-11.png":::
12. In **User Experience**, specify the following information, then select **Next**:
- ![Image of Microsoft Endpoint Configuration Manager configuration12.](images/mecm-12.png)
+ :::image type="content" source="images/mecm-12.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-12" lightbox="images/mecm-12.png":::
13. In **Requirements**, select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration13.](images/mecm-13.png)
+ :::image type="content" source="images/mecm-13.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-13" lightbox="images/mecm-13.png":::
14. In **Dependencies**, select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration14.](images/mecm-14.png)
+ :::image type="content" source="images/mecm-14.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-14" lightbox="images/mecm-14.png":::
15. In **Summary**, select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration15.](images/mecm-15.png)
+ :::image type="content" source="images/mecm-15.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-15" lightbox="images/mecm-15.png":::
16. In **Completion**, select **Close**.
- ![Image of Microsoft Endpoint Configuration Manager configuration16.](images/mecm-16.png)
+ :::image type="content" source="images/mecm-16.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-16" lightbox="images/mecm-16.png":::
17. In **Deployment types**, select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration17.](images/mecm-17.png)
+ :::image type="content" source="images/mecm-17.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-17" lightbox="images/mecm-17.png":::
18. In **Summary**, select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration18.](images/mecm-18.png)
+ :::image type="content" source="images/mecm-18.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-18" lightbox="images/mecm-18.png":::
The status is then displayed:
- ![Image of Microsoft Endpoint Configuration Manager configuration19.](images/mecm-19.png)
+ :::image type="content" source="images/mecm-19.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-19" lightbox="images/mecm-19.png":::
19. In **Completion**, select **Close**.
- ![Image of Microsoft Endpoint Configuration Manager configuration20.](images/mecm-20.png)
+ :::image type="content" source="images/mecm-20.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-20" lightbox="images/mecm-20.png":::
20. You can now deploy the application by right-clicking the app and selecting **Deploy**.
- ![Image of Microsoft Endpoint Configuration Manager configuration21.](images/mecm-21.png)
+ :::image type="content" source="images/mecm-21.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-21" lightbox="images/mecm-21.png":::
21. In **General** select **Automatically distribute content for dependencies** and **Browse**.
- ![Image of Microsoft Endpoint Configuration Manager configuration22.](images/mecm-22.png)
+ :::image type="content" source="images/mecm-22.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-22" lightbox="images/mecm-22.png":::
22. In **Content** select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration23.](images/mecm-23.png)
+ :::image type="content" source="images/mecm-23.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-23" lightbox="images/mecm-23.png":::
23. In **Deployment settings**, select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration24.](images/mecm-24.png)
+ :::image type="content" source="images/mecm-24.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-24" lightbox="images/mecm-24.png":::
24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration25.](images/mecm-25.png)
+ :::image type="content" source="images/mecm-25.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-25" lightbox="images/mecm-25.png":::
25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration26.](images/mecm-26.png)
+ :::image type="content" source="images/mecm-26.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-26" lightbox="images/mecm-26.png":::
26. In **Alerts** select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration27.](images/mecm-27.png)
+ :::image type="content" source="images/mecm-27.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-27" lightbox="images/mecm-27.png":::
27. In **Summary**, select **Next**.
- ![Image of Microsoft Endpoint Configuration Manager configuration28.](images/mecm-28.png)
+ :::image type="content" source="images/mecm-28.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-28" lightbox="images/mecm-28.png":::
+
The status is then displayed
- ![Image of Microsoft Endpoint Configuration Manager configuration29.](images/mecm-29.png)
+ :::image type="content" source="images/mecm-29.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-29" lightbox="images/mecm-29.png":::
28. In **Completion**, select **Close**.
- ![Image of Microsoft Endpoint Configuration Manager configuration30.](images/mecm-30.png)
+ :::image type="content" source="images/mecm-30.png" alt-text="The Microsoft Endpoint Configuration Manager configuration-30" lightbox="images/mecm-30.png":::
## Related topics
security Troubleshoot Performance Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md
Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time
1. Check the box beside **Unblock**. 1. Select **Apply**.
- ![Remove MOTW.](images/procmon-motw.png)
+ :::image type="content" source="images/procmon-motw.png" alt-text="The Remove MOTW page" lightbox="images/procmon-motw.png":::
3. Unzip the file in `C:\temp` so that the folder path will be `C:\temp\ProcessMonitor`.
Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time
Since logging starts automatically, select the magnifying glass icon to stop the current capture or use the keyboard shortcut **Ctrl+E**.
- ![magnifying glass icon.](images/procmon-magglass.png)
+ :::image type="content" source="images/procmon-magglass.png" alt-text="The magnifying glass icon" lightbox="images/procmon-magglass.png":::
To verify that you have stopped the capture, check if the magnifying glass icon now appears with a red X.
- ![red slash.](images/procmon-magglass-stop.png)
+ :::image type="content" source="images/procmon-magglass-stop.png" alt-text="The red slash" lightbox="images/procmon-magglass-stop.png":::
Next, to clear the earlier capture, select the eraser icon.
- ![clear icon.](images/procmon-eraser-clear.png)
+ :::image type="content" source="images/procmon-eraser-clear.png" alt-text="The clear icon" lightbox="images/procmon-eraser-clear.png":::
Or use the keyboard shortcut **Ctrl+X**. 2. The second way is to run the **command line** as admin, then from the Process Monitor path, run:
- ![cmd procmon.](images/cmd-procmon.png)
+ :::image type="content" source="images/cmd-procmon.png" alt-text="The cmd procmon" lightbox="images/cmd-procmon.png":::
```console Procmon.exe /AcceptEula /Noconnect /Profiling
Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time
> [!TIP] > Make the ProcMon window as small as possible when capturing data so you can easily start and stop the trace. >
- > ![Minimize Procmon.](images/procmon-minimize.png)
+ > :::image type="content" source="images/procmon-minimize.png" alt-text="The page displaying a minimize Procmon" lightbox="images/procmon-minimize.png":::
7. After following one of the procedures in step 6, you'll next see an option to set filters. Select **OK**. You can always filter the results after the capture is completed.
- ![Filter out Process Name is System Exclude.](images/procmon-filter-options.png)
+ :::image type="content" source="images/procmon-filter-options.png" alt-text="The page on which System Exclude is chosen as the Filter out Process Name" lightbox="images/procmon-filter-options.png":::
8. To start the capture, select the magnifying glass icon again.
Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time
11. To save the capture with a unique name and with the .pml format, select **File** then select **Save...**. Make sure to select the radio buttons **All events** and **Native Process Monitor Format (PML)**.
- ![save settings.](images/procmon-savesettings1.png)
+ :::image type="content" source="images/procmon-savesettings1.png" alt-text="The save settings page" lightbox="images/procmon-savesettings1.png":::
12. For better tracking, change the default path from `C:\temp\ProcessMonitor\LogFile.PML` to `C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML` where: - `%ComputerName%` is the device name
Alternatively, you can also use the command-line tool *wpr.exe*, which is availa
2. Under *Windows Kits*, right-click **Windows Performance Recorder**.
- ![Start menu.](images/wpr-01.png)
+ :::image type="content" source="images/wpr-01.png" alt-text="The Start menu" lightbox="images/wpr-01.png":::
Select **More**. Select **Run as administrator**. 3. When the User Account Control dialog box appears, select **Yes**.
- ![UAC.](images/wpt-yes.png)
+ :::image type="content" source="images/wpt-yes.png" alt-text="The UAC page" lightbox="images/wpt-yes.png":::
4. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder like `C:\temp`. 5. On the WPR dialog box, select **More options**.
- ![Select more options.](images/wpr-03.png)
+ :::image type="content" source="images/wpr-03.png" alt-text="The page on which you can select more options" lightbox="images/wpr-03.png":::
+ 6. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file. 7. After that, you should see a new profile set under *Custom measurements* named *Microsoft Defender for Endpoint analysis* underneath it.
- ![in-file.](images/wpr-infile.png)
+ :::image type="content" source="images/wpr-infile.png" alt-text="The in-file" lightbox="images/wpr-infile.png":::
> [!WARNING] > If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system could consume a high amount of non-paged pool memory or buffers which can lead to system instability. You can choose which profiles to add by expanding **Resource Analysis**.
Alternatively, you can also use the command-line tool *wpr.exe*, which is availa
9. Now you're ready to collect data. Exit all the applications that are not relevant to reproducing the performance issue. You can select **Hide options** to keep the space occupied by the WPR window small.
- ![Hide options.](images/wpr-08.png)
+ :::image type="content" source="images/wpr-08.png" alt-text="The Hide options" lightbox="images/wpr-08.png":::
> [!TIP] > Try starting the trace at whole number seconds. For instance, 01:30:00. This will make it easier to analyze the data. Also try to keep track of the timestamp of exactly when the issue is reproduced. 10. Select **Start**.
- ![Select start of trace.](images/wpr-09.png)
+ :::image type="content" source="images/wpr-09.png" alt-text="The Record system information page" lightbox="images/wpr-09.png":::
11. Reproduce the issue.
Alternatively, you can also use the command-line tool *wpr.exe*, which is availa
12. Select **Save**.
- ![Select save.](images/wpr-10.png)
+ :::image type="content" source="images/wpr-10.png" alt-text="The Save option" lightbox="images/wpr-10.png":::
13. Fill up **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.
- ![Fill up details.](images/wpr-12.png)
+ :::image type="content" source="images/wpr-12.png" alt-text="The pane in which you fill" lightbox="images/wpr-12.png":::
1. Select **File Name:** to determine where your trace file will be saved. By default, it is saved to `%user%\Documents\WPR Files\`. 1. Select **Save**. 14. Wait while the trace is being merged.
- ![WPR gathering general trace.](images/wpr-13.png)
+ :::image type="content" source="images/wpr-13.png" alt-text="The WPR gathering general trace" lightbox="images/wpr-13.png":::
15. Once the trace is saved, select **Open folder**.
- ![WPR trace saved.](images/wpr-14.png)
+ :::image type="content" source="images/wpr-14.png" alt-text="The page displaying the notification that WPR trace has been saved" lightbox="images/wpr-14.png":::
Include both the file and the folder in your submission to Microsoft Support.
- ![File and folder.](images/wpr-15.png)
+ :::image type="content" source="images/wpr-15.png" alt-text="The details of the file and the folder" lightbox="images/wpr-15.png":::
### Capture performance logs using the WPR CLI
security Troubleshoot Security Config Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt.md
Through the Microsoft Defender for Endpoint portal, security administrators can
In **Endpoints** \> **Device inventory**, the **Managed By** column has been added to filter by management channel (for example, MEM). To see a list of all devices that have failed the Security Management for Microsoft Defender for Endpoint onboarding process, filter the table by **MDE-Error**. In the list, select a specific device to see troubleshooting details in the side panel, pointing to the root cause of the error, and corresponding documentation. + ## Run Microsoft Defender for Endpoint Client Analyzer on Windows
The Client Analyzer output file (MDE Client Analyzer Results.htm) can provide ke
- Verify that the device OS is in scope for Security Management for Microsoft Defender for Endpoint onboarding flow in **General Device Details** section - Verify that the device has successfully registered to Azure Active Directory in **Device Configuration Management Details**
- ![Image of client analyzer results](images/client-analyzer-results.png)
+ :::image type="content" source="images/client-analyzer-results.png" alt-text="The client analyzer results" lightbox="images/client-analyzer-results.png":::
In the **Detailed Results** section of the report, the Client Analyzer also provides actionable guidance.
In the **Detailed Results** section of the report, the Client Analyzer also prov
For example, as part of the Security Management onboarding flow, it is required for the Azure Active Directory Tenant ID in your Microsoft Defender for Endpoint Tenant to match the SCP Tenant ID that appears in the reports' **Device Configuration Management Details** section. If relevant, the report output will recommend to perform this verification.
-![Image of detailed results](images/detailed-results.png)
## General troubleshooting If you weren't able to identify the onboarded device in AAD or MEM, and did not receive an error during the enrollment, checking the registry key `Computer\\HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SenseCM\\EnrollmentStatus` can provide additional troubleshooting information. The following table lists errors and directions on what to try/check in order to address the error. Note that the list of errors is not complete and is based on typical/common errors encountered by customers in the past:
The main mechanism to troubleshoot Azure Active Directory Runtime (AADRT) is to
See below for a typical error in AADRT log and how to read it:
-![Image of event properties](images/event-properties.png)
From the information in the message, it's possible in most cases to understand what error was encountered, what Win32 API returned the error (if applicable), what URL (if applicable) was used and what AAD Runtime API error was encountered.
For Security Management for Microsoft Defender for Endpoint on Windows Server 20
1. Open the Synchronization Rules Editor application from the start menu. In the rule list, locate the rule named **In from AD ΓÇô Computer Join**. **Take note of the value in the 'Precedence' column for this rule.**
- ![Image of synchronization rules editor](images/57ea94e2913562abaf93749d306dd6cf.png)
+ :::image type="content" source="images/57ea94e2913562abaf93749d306dd6cf.png" alt-text="The synchronization rules editor" lightbox="images/57ea94e2913562abaf93749d306dd6cf.png":::
2. With the **In from AD ΓÇô Computer Join** rule highlighted, select **Edit**. In the **Edit Reserved Rule Confirmation** dialog box, select **Yes**.
- ![Image of edit reserved rule confirmation](images/8854440d6180a5580efda24110551c68.png)
+ :::image type="content" source="images/8854440d6180a5580efda24110551c68.png" alt-text="The edit reserved rule confirmation page" lightbox="images/8854440d6180a5580efda24110551c68.png":::
3. The **Edit inbound synchronization rule** window will be shown. Update the rule description to note that Windows Server 2012R2 will be synchronized using this rule. Leave all other options unchanged except for the Precedence value. Enter a value for Precedence that is higher than the value from the original rule (as seen in the rule list).
- ![Image of confirmation](images/ee0f29162bc3f2fbe666c22f14614c45.png)
+ :::image type="content" source="images/ee0f29162bc3f2fbe666c22f14614c45.png" alt-text="The Edit inbound synchronization rule page in which you enter values" lightbox="images/ee0f29162bc3f2fbe666c22f14614c45.png":::
4. Select **Next** three times. This will navigate to the 'Transformations' section of the rule. Do not make any changes to the 'Scoping filter' and 'Join rules' sections of the rule. The 'Transformations' section should now be shown.
- ![Image of inbound synchornization rule](images/296f2c2a705e41233631c3784373bc23.png)
+ :::image type="content" source="images/296f2c2a705e41233631c3784373bc23.png" alt-text="The inbound synchronization rule" lightbox="images/296f2c2a705e41233631c3784373bc23.png":::
5. Scroll to the bottom of the list of transformations. Find the transformation for the **cloudFiltered** attribute. In the textbox in the **Source** column, select all of the text (Control-A) and delete it. The textbox should now be empty.
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
For more information on command-line parameters and options, see the [New-MpPerf
Based on the query, the user will be able to view data for scan counts, duration (total/min/average/max/median), path, process, and reason for scan. The image below shows sample output for a simple query of the top 10 files for scan impact. ### Additional functionality: exporting and converting to CSV and JSON
security Tvm Assign Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-assign-device-value.md
Examples of devices that should be assigned a high value:
2. Select **Device value** from three dots next to the actions bar at the top of the page.
- ![Example of the device value dropdown.](images/tvm-device-value-dropdown.png)
+ :::image type="content" source="images/tvm-device-value-dropdown.png" alt-text="The Device value option" lightbox="images/tvm-device-value-dropdown.png":::
3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device.
-![Example of the device value flyout.](images/tvm-device-value-flyout.png)
+ ## How device value impacts your exposure score
security Tvm Dashboard Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-dashboard-insights.md
Watch this video for a quick overview of what is in the threat and vulnerability
## Threat and vulnerability management dashboard <br>
security Tvm End Of Support Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-end-of-support-software.md
It's crucial for Security and IT Administrators to work together and ensure that
1. From the threat and vulnerability management menu, navigate to [**Security recommendations**](tvm-security-recommendation.md). 2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
- ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions.](images/tvm-eos-tag.png)
+ :::image type="content" source="images/tvm-eos-tag.png" alt-text="The EOS software, EOS versions, and Upcoming EOS versions" lightbox="images/tvm-eos-tag.png":::
3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
- ![Recommendations with EOS tag.](images/tvm-eos-tags-column.png)
+ :::image type="content" source="images/tvm-eos-tags-column.png" alt-text="The Recommendations with EOS tag" lightbox="images/tvm-eos-tags-column.png":::
## List of versions and dates
To view a list of versions that have reached end of support, or end or support s
1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon.
- ![Screenshot of version distribution link.](images/eos-upcoming-eos.png)
+ :::image type="content" source="images/eos-upcoming-eos.png" alt-text="The version distribution link" lightbox="images/eos-upcoming-eos.png":::
2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
- ![Screenshot of software drilldown page with end of support software.](images/software-drilldown-eos.png)
+ :::image type="content" source="images/software-drilldown-eos.png" alt-text="The software drilldown page with details of the end of support software" lightbox="images/software-drilldown-eos.png":::
3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date.
- ![Screenshot of end of support date.](images/version-eos-date.png)
+ :::image type="content" source="images/version-eos-date.png" alt-text="The display of the end of support date" lightbox="images/version-eos-date.png":::
Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats.
security Tvm Exception https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-exception.md
When an exception is created for a recommendation, the recommendation will not b
Only users with "exceptions handling" permissions can manage exceptions (including creating or canceling). [Learn more about RBAC roles](user-roles.md).
-![View of exception handling permission.](images/tvm-exception-permissions.png)
## Create an exception Select a security recommendation you would like create an exception for, and then select **Exception options** and fill out the form.
-![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png)
### Exception by device group Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from "active" to "partial exception." The state will change to "full exception" if you select all the device groups.
-![Showing device group dropdown.](images/tvm-exception-device-group-500.png)
#### Filtered views
If you have filtered by device group on any of the threat and vulnerability mana
This is the button to filter by device group on any of the threat and vulnerability management pages:
-![Showing selected device groups filter.](images/tvm-selected-device-groups.png)
Exception view with filtered device groups:
-![Showing filtered device group dropdown.](images/tvm-exception-device-filter500.png)
#### Large number of device groups If your organization has more than 20 device groups, select **Edit** next to the filtered device group option.
-![Showing how to edit large numbers of groups.](images/tvm-exception-edit-groups.png)
A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all.
-![Showing large device group flyout.](images/tvm-exception-device-group-flyout-400.png)
### Global exceptions If you have global administrator permissions, you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from "active" to "full exception."
-![Showing global exception option.](images/tvm-exception-global.png)
Some things to keep in mind:
Navigate to the **Exceptions** tab in the **Remediation** page. You can filter b
Select an exception to open a flyout with more details. Exceptions per devices group will have a list of every device group the exception covers, which you can export. You can also view the related recommendation or cancel the exception.
-![Showing the "Exceptions" tab in the Remediation page.](images/tvm-exception-view.png)
## How to cancel an exception
To cancel an exception, navigate to the **Exceptions** tab in the **Remediation*
To cancel the exception for all device groups or for a global exception, select the **Cancel exception for all device groups** button. You will only be able to cancel exceptions for device groups you have permissions for.
-![The cancel button.](images/tvm-exception-cancel.png)
### Cancel the exception for a specific device group Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select **Cancel exception**.
-![Showing how to select a specific device group.](images/tvm-exception-device-group-hover.png)
## View impact after exceptions are applied In the Security Recommendations page, select **Customize columns** and check the boxes for **Exposed devices (after exceptions)** and **Impact (after exceptions)**.
-![Showing customize columns options.](images/tvm-after-exceptions.png)
The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include 'third party control' and 'alternate mitigation'. Other justifications do not reduce the exposure of a device, and they are still considered exposed. The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include 'third party control' and 'alternate mitigation.' Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.
-![Showing the columns in the table.](images/tvm-after-exceptions-table.png)
## Related topics
security Tvm Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-exposure-score.md
Your exposure score is visible in the [Threat and vulnerability management dashb
The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart give you a visual indication of a high cybersecurity threat exposure that you can investigate further.
-![Exposure score card.](images/tvm_exp_score.png)
## How it works
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices.md
Improve your security configuration by remediating issues from the security reco
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
- :::image type="content" alt-text="Security controls related security recommendations." source="images/security-controls.png":::
+ :::image type="content" source="images/security-controls.png" alt-text="The Security controls-related security recommendations" lightbox="images/security-controls.png":::
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up. 4. **Submit request**. You'll see a confirmation message that the remediation task has been created.
- :::image type="content" alt-text="Remediation task creation confirmation." source="images/remediation-task-created.png":::
+ :::image type="content" source="images/remediation-task-created.png" alt-text="The Remediation task creation confirmation" lightbox="images/remediation-task-created.png":::
5. Save your CSV file.
- :::image type="content" alt-text="Save csv file." source="images/tvm_save_csv_file.png":::
+ :::image type="content" source="images/tvm_save_csv_file.png" alt-text="The page containing the option to save CSV file" lightbox="images/tvm_save_csv_file.png":::
6. Send a follow-up email to your IT Administrator and allow the time that you've allotted for the remediation to propagate in the system.
security Tvm Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-remediation.md
If you chose the "attention required" remediation option, there will be no progr
Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. > [!NOTE] > There is a 180 day retention period for completed remediation activities. To keep the Remediation page performing optimally, the remediation activity will be removed 6 months after its completion.
Track who closed the remediation activity with the "Completed by" column on the
- **System confirmation**: The task was automatically completed (all devices remediated) - **N/A**: Information is not available because we don't know how this older task was completed ### Top remediation activities in the dashboard View **Top remediation activities** in the [threat and **Vulnerability management** dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
-![Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.](images/tvm-remediation-activities-card.png)
## Related articles
security Tvm Security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-security-recommendation.md
Go to the **Vulnerability management** navigation menu and select **Recommendati
In a given day as a Security Administrator, you can take a look at the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side by side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
-![Example of Top security recommendations card, with four security recommendations.](images/top-security-recommendations350.png)
+ The top security recommendations list the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details.
The color of the **Exposed devices** graph changes as the trend changes. If the
> [!NOTE] > Threat and vulnerability management shows devices that were in use up to **30 days** ago. This is different from the rest of Microsoft Defender for Endpoint, where if a device has not been in use for more than 7 days it has in an 'Inactive' status.
-![Example of the landing page for security recommendations.](images/tvmsecrec-updated.png)
### Icons
Useful icons also quickly call your attention to:
Select the security recommendation that you want to investigate or process. From the flyout, you can choose any of the following options:
When an exception is created for a recommendation, the recommendation is no long
Select a security recommendation you would like create an exception for, and then select **Exception options**.
-![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-options.png)
Fill out the form and submit. To view all your exceptions (current and past), navigate to the [Remediation](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab. [Learn more about how to create an exception](tvm-exception.md#create-an-exception)
You can report a false positive when you see any vague, inaccurate, incomplete,
2. Select the three dots beside the security recommendation that you want to report, then select **Report inaccuracy**.
- ![Showing where the "Report inaccuracy" button is in a security recommendation flyout.](images/report-inaccuracy500.png)
+ :::image type="content" source="images/report-inaccuracy500.png" alt-text="The Report inaccuracy button" lightbox="images/report-inaccuracy500.png":::
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
security Tvm Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-software-inventory.md
The **Software inventory** page opens with a list of software installed in your
By default, the view is filtered by **Product Code (CPE): Available**. You can also filter the list view based on weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support. Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**.
Select the software that you want to investigate. A flyout panel will open with
Software that isn't currently supported by threat & vulnerability management may be present in the software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. The following indicates that software is not supported:
See evidence of where we detected a specific software on a device from the regis
Select a software name to open the flyout, and look for the section called "Software Evidence." ## Software pages
You can view software pages a few different ways:
- Devices that have the software installed (along with device name, domain, OS, and more). - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).
- :::image type="content" alt-text="Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more." source="images/tvm-software-page-example.png" lightbox="images/tvm-software-page-example.png":::
+ :::image type="content" source="images/tvm-software-page-example.png" alt-text="The Visual Studio 2017 with the software details, weaknesses, exposed devices, and more" lightbox="images/tvm-software-page-example.png":::
## Report inaccuracy
security Tvm Vulnerable Devices Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-vulnerable-devices-report.md
There are two columns:
Each device is counted only once according to the most severe vulnerability found on that device. ## Exploit availability graphs Each device is counted only once based on the highest level of known exploit. ## Vulnerability age graphs Each device is counted only once under the oldest vulnerability publication date. Older vulnerabilities have a higher chance of being exploited. ## Vulnerable devices by operating system platform graphs The number of devices on each operating system that are exposed due to software vulnerabilities. ## Vulnerable devices by Windows version graphs The number of devices on each Windows 10 or Windows 11 version that are exposed due to vulnerable applications or OS. ## Related topics
security Tvm Weaknesses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-weaknesses.md
Go to the **Vulnerability management** navigation menu and select **Weaknesses**
1. Go to the global search drop-down menu. 2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for.
-![Global search box with the dropdown option "vulnerability" selected and an example CVE.](images/tvm-vuln-globalsearch.png)
++ 3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices. To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search.
To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, the
Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk.
-![Weaknesses landing page.](images/tvm-weaknesses-overview.png)
### Breach and threat insights
If you select a CVE, a flyout panel will open with more information such as the
- The "OS Feature" category is shown in relevant scenarios - You can go to the related security recommendation for every CVE with exposed device
- ![Weakness flyout example.](images/tvm-weakness-flyout400.png)
+ :::image type="content" source="images/tvm-weakness-flyout400.png" alt-text="The Vulnerability description page" lightbox="images/tvm-weakness-flyout400.png":::
### Software that isn't supported
Exposed device information will not be available for CVEs with unsupported softw
1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time.
- ![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](images/tvm-top-vulnerable-software500.png)
+ :::image type="content" source="images/tvm-top-vulnerable-software500.png" alt-text="The Weaknesses column in the Top vulnerable software page" lightbox="images/tvm-top-vulnerable-software500.png":::
2. Select the software you want to investigate to go to a drilldown page.
Exposed device information will not be available for CVEs with unsupported softw
4. Select the vulnerability you want to investigate for more information on vulnerability details
- ![Windows Server 2019 drill down overview.](images/windows-server-drilldown.png)
+ :::image type="content" source="images/windows-server-drilldown.png" alt-text="The Windows Server 2019 drill down overview" lightbox="images/windows-server-drilldown.png":::
### Discover vulnerabilities in the device page
View related weaknesses information in the device page.
2. In the **Device inventory** page, select the device name that you want to investigate.
- ![Device list with selected device to investigate.](images/tvm_machinetoinvestigate.png)
+ :::image type="content" source="images/tvm_machinetoinvestigate.png" alt-text="The Device list with a selected device to investigate" lightbox="images/tvm_machinetoinvestigate.png":::
3. The device page will open with details and response options for the device you want to investigate. 4. Select **Discovered vulnerabilities**.
- :::image type="content" alt-text="Device page with details and response options." source="images/tvm-discovered-vulnerabilities.png" lightbox="images/tvm-discovered-vulnerabilities.png":::
+ :::image type="content" source="images/tvm-discovered-vulnerabilities.png" alt-text="The Device page with details and response options." lightbox="images/tvm-discovered-vulnerabilities.png":::
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
Similar to the software evidence, we now show the detection logic we applied on
The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 or Windows Server 2022 has vulnerability in its DNS component. With this new capability, we'll only attach this CVE to the Windows Server 2019 and Windows Server 2022 devices with the DNS capability enabled in their OS. ## Report inaccuracy
security Tvm Zero Day Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-zero-day-vulnerabilities.md
Once a zero-day vulnerability has been found, information about it will be conve
Look for recommendations with a zero-day tag in the "Top security recommendations" card.
-![Top recommendations with a zero-day tag.](images/tvm-zero-day-top-security-recommendations.png)
Find top software with the zero-day tag in the "Top vulnerable software" card.
-![Top vulnerable software with a zero-day tag.](images/tvm-zero-day-top-software.png)
### Weaknesses page
Look for the named zero-day vulnerability along with a description and details.
- If this vulnerability has no CVE-ID assigned, you'll find it under an internal, temporary name that looks like "TVM-XXXX-XXXX". The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel. ### Software inventory page Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities. ### Software page Look for a zero-day tag for each software that has been affected by the zero-day vulnerability. ### Security recommendations page
View clear suggestions about remediation and mitigation options, including worka
If there's software with a zero-day vulnerability and additional vulnerabilities to address, you'll get one recommendation about all vulnerabilities. ## Addressing zero-day vulnerabilities
There will be a link to mitigation options and workarounds if they are available
Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose "update."
-![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-recommendation-flyout400.png)
## Track zero-day remediation activities
security View Incidents Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/view-incidents-queue.md
On the top navigation you can:
- Navigate between pages - Apply filters
-![Image of incidents queue.](images/atp-incident-queue.png)
## Sort and filter the incidents queue You can apply the following filters to limit the list of incidents and get a more focused view.
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
A panel will open where you can select the priority and add more details such as
To determine the category of a website, you can use the URL search function available on the Microsoft 365 Defender portal (<https://security.microsoft.com>) under **Endpoints** \> **Search**. In the URL search results, the web content filtering category appears under **URL/Domain details**. Administrators can also dispute the category of the domain directly from this page, as shown in the following image. If the category result is not shown, the URL is not currently assigned to an existing web content filtering category.
-![Image of web content filtering category lookup results.](../../media/web-content-filtering-category-lookup.png)
## Web content filtering cards and details
This card lists the parent web content categories with the largest increase or d
In the first 30 days of using this feature, your organization might not have enough data to display this information.
-![Image of web activity by category card.](images/web-activity-by-category600.png)
### Web content filtering summary card This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
-![Image of web content filtering summary card.](images/web-content-filtering-summary.png)
### Web activity summary card This card displays the total number of requests for web content in all URLs.
-![Image of web activity summary card.](images/web-activity-summary.png)
### View card details You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and device groups.
-![Image of web protection report details.](images/web-protection-report-details.png)
- **Web categories**: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout.
security Web Protection Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-monitoring.md
Web protection lets you monitor your organization's web browsing security throug
- **Web threat protection detections over time** - this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
- :::image type="content" alt-text="Image of the card showing web threats protection detections over time." source="images/wtp-blocks-over-time.png" lightbox="images/wtp-blocks-over-time.png":::
+ :::image type="content" source="images/wtp-blocks-over-time.png" alt-text="The card showing web threats protection detections over time" lightbox="images/wtp-blocks-over-time.png":::
- **Web threat protection summary** - this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites.
- :::image type="content" alt-text="Image of the card showing web threats protection summary." source="images/wtp-summary.png" lightbox="images/wtp-summary.png":::
+ :::image type="content" source="images/wtp-summary.png" alt-text="The card showing web threats protection summary" lightbox="images/wtp-summary.png":::
> [!NOTE] > It can take up to 12 hours before a block is reflected in the cards or the domain list.
security Web Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md
ms.technology: mde
Web protection in Microsoft Defender for Endpoint is a capability made up of [Web threat protection](web-threat-protection.md), [Web content filtering](web-content-filtering.md), and [Custom indicators](manage-indicators.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft 365 Defender portal by going to **Reports > Web protection**. ### Web threat protection
Internal IP addresses are not supported by custom indicators. For a warn policy
In all web protection scenarios, SmartScreen and Network Protection can be used together to ensure protection across both first and third-party browsers and processes. SmartScreen is built directly into Microsoft Edge, while Network Protection monitors traffic in third-party browsers and processes. The diagram below illustrates this concept. This diagram of the two clients working together to provide multiple browser/app coverages is accurate for all features of Web Protection (Indicators, Web Threats, Content Filtering). ## Troubleshoot endpoint blocks
To list blocks that are due to other features (like Custom Indicators), refer to
If a user visits a web page that poses a risk of malware, phishing, or other web threats, Microsoft Edge will trigger a block page that reads ΓÇÿThis site has been reported as unsafeΓÇÖ along with information related to the threat. > [!div class="mx-imgBorder"]
-> ![Page blocked by Microsoft Edge.](../../media/web-protection-malicious-block.png)
+> :::image type="content" source="../../media/web-protection-malicious-block.png" alt-text="The page blocked by Microsoft Edge" lightbox="../../media/web-protection-malicious-block.png":::
If blocked by WCF or a custom indicator, a block page shows in Microsoft Edge that tells the user this site is blocked by their organization. > [!div class="mx-imgBorder"]
-> ![Page blocked by your organization.](../../media/web-protection-indicator-blockpage.png)
+> :::image type="content" source="../../media/web-protection-indicator-blockpage.png" alt-text="The page blocked by your organization" lightbox="../../media/web-protection-indicator-blockpage.png":::
In any case, no block pages are shown in third-party browsers, and the user sees a ΓÇÿSecure Connection FailedΓÇÖ page along with a toast notification. Depending on the policy responsible for the block, a user will see a different message in the toast notification. For example, web content filtering will display the message ΓÇÿThis content is blockedΓÇÖ. > [!div class="mx-imgBorder"]
-> ![Page blocked by WCF.](../../media/web-protection-np-block.png)
+> :::image type="content" source="../../media/web-protection-np-block.png" alt-text="The page blocked by WCF" lightbox="../../media/web-protection-np-block.png":::
## Report false positives
security Web Protection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-response.md
Each alert provides the following information:
- Malicious URL or URL in the custom indicator list - Recommended actions for responders
-![Image of an alert related to web threat protection.](images/wtp-alert.png)
> [!NOTE] > To reduce the volume of alerts, Microsoft Defender for Endpoint consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md).
You can dive deeper by selecting the URL or domain of the website in the alert.
- Incidents and alerts related to the website - How frequent the website was seen in events in your organization
- ![Image of the domain or URL entity details page.](images/wtp-website-details.png)
+ :::image type="content" source="images/wtp-website-details.png" alt-text="The domain or URL entity details page" lightbox="images/wtp-website-details.png":::
[Learn more about URL or domain entity pages](investigate-domain.md)
You can also check the device that attempted to access a blocked URL. Selecting
With web protection in Microsoft Defender for Endpoint, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows.
-![Image of Microsoft Edge showing a 403 error and the Windows notification.](images/wtp-browser-blocking-page.png)
+ *Web threat blocked on Microsoft Edge*
-![Image of Chrome web browser showing a secure connection warning and the Windows notification.](images/wtp-chrome-browser-blocking-page.png)
*Web threat blocked on Chrome* ## Related topics
security Why Cloud Protection Should Be On Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-cloud-protection-should-be-on-mdav.md
Microsoft Defender Antivirus cloud protection helps protect against malware on your endpoints and across your network. We recommend keeping cloud protection turned on, because certain security features and capabilities in Microsoft Defender for Endpoint only work when cloud protection is enabled.
-[:::image type="content" source="images/mde-cloud-protection.png" alt-text="Diagram showing things that depend on cloud protection":::](enable-cloud-protection-microsoft-defender-antivirus.md)
+[![alt-text="Diagram showing things that depend on cloud protection](images/mde-cloud-protection.png#lightbox)](enable-cloud-protection-microsoft-defender-antivirus.md)
The following table summarizes the features and capabilities that depend on cloud protection: <br/><br/>
security Directory Service Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/directory-service-accounts.md
To connect the [sensor](sensor-health.md#add-a-sensor) with your Active Director
1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to **Settings** and then **Identities**.
- ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png)
+ :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option in the Settings page" lightbox="../../media/defender-identity/settings-identities.png":::
+ 1. Select **Directory Service accounts**. You'll see which accounts are associated with which domains.
- ![Directory Service accounts.](../../media/defender-identity/directory-service-accounts.png)
+ :::image type="content" source="../../media/defender-identity/directory-service-accounts.png" alt-text="The Directory Service accounts menu item" lightbox="../../media/defender-identity/directory-service-accounts.png":::
1. If you select an account, a pane will open with the settings for that account.
- ![Account settings.](../../media/defender-identity/account-settings.png)
+ :::image type="content" source="../../media/defender-identity/account-settings.png" alt-text="The Account settings page" lightbox="../../media/defender-identity/account-settings.png":::
1. To add a new Directory Services account, select **Create new account** and fill in the **Account name**, **Domain**, and **Password**. You can also choose if it's a **Group managed service account** (gMSA), and if it belongs to a **Single label domain**.
- ![New Directory Service account.](../../media/defender-identity/new-directory-service-account.png)
+ :::image type="content" source="../../media/defender-identity/new-directory-service-account.png" alt-text="The Create new account option" lightbox="../../media/defender-identity/new-directory-service-account.png":::
1. Select **Save**.
security Entity Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/entity-tags.md
In Microsoft 365 Defender, you can set three types of Defender for Identity enti
To set these tags, in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to **Settings** and then **Identities**.
-![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png)
The tag settings will appear under **Entity tags**.
-![Tag setting types.](../../media/defender-identity/tag-settings.png)
To set each type of tag, follow the instructions below.
You can also manually tag users, devices, or groups as sensitive.
1. Select **Sensitive**. You will then see the existing sensitive **Users**, **Devices**, and **Groups**.
- ![Sensitive entities.](../../media/defender-identity/sensitive-entities.png)
+ :::image type="content" source="../../media/defender-identity/sensitive-entities.png" alt-text="The Devices tab in the Sensitive entities menu item" lightbox="../../media/defender-identity/sensitive-entities.png":::
1. Under each category, select **Tag...** to tag that type of entity. For example, under **Groups**, select **Tag groups.** A pane will open with the groups you can select to tag. To search for a group, enter its name in the search box.
- ![Add groups.](../../media/defender-identity/add-groups.png)
+ :::image type="content" source="../../media/defender-identity/add-groups.png" alt-text="The option to add a group" lightbox="../../media/defender-identity/add-groups.png":::
1. Select your group, and click **Add selection.**
- ![Add selection.](../../media/defender-identity/add-selection.png)
+ :::image type="content" source="../../media/defender-identity/add-selection.png" alt-text="The Add selection option" lightbox="../../media/defender-identity/add-selection.png":::
## Honeytoken tags
You can tag users or devices with the **Honeytoken** tag in the same way you tag
1. Under each category, select **Tag...** to tag that type of entity. For example, under **Users**, select **Tag users.** A pane will open with the groups you can select to tag. To search for a group, enter its name in the search box.
- ![Add users.](../../media/defender-identity/add-users.png)
+ :::image type="content" source="../../media/defender-identity/add-users.png" alt-text="The option to add users" lightbox="../../media/defender-identity/add-users.png":::
1. Select your user, and click **Add selection.**
- ![Add selected user.](../../media/defender-identity/add-selected-user.png)
+ :::image type="content" source="../../media/defender-identity/add-selected-user.png" alt-text="The option to add a selected user" lightbox="../../media/defender-identity/add-selected-user.png":::
## Exchange server tags
Defender for Identity considers Exchange servers as high-value assets and automa
1. Select **Exchange server**. You'll then see the existing devices labeled with the **Exchange server** tag.
- ![Exchange servers.](../../media/defender-identity/exchange-servers.png)
+ :::image type="content" source="../../media/defender-identity/exchange-servers.png" alt-text="The Exchange server menu item" lightbox="../../media/defender-identity/exchange-servers.png":::
1. To tag a device as an Exchange server, select **Tag devices**. A pane will open with the devices that you can select to tag. To search for a device, enter its name in the search box.
- ![Add devices.](../../media/defender-identity/add-devices.png)
+ :::image type="content" source="../../media/defender-identity/add-devices.png" alt-text="The option to add a device" lightbox="../../media/defender-identity/add-devices.png":::
1. Select your device, and click **Add selection.**
- ![Select device.](../../media/defender-identity/select-device.png)
+ :::image type="content" source="../../media/defender-identity/select-device.png" alt-text="The selection of a device" lightbox="../../media/defender-identity/select-device.png":::
## See also
security Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/exclusions.md
For example, a **DNS Reconnaissance** alert could be triggered by a security sca
1. In [Microsoft 365 Defender](https://security.microsoft.com/), go to **Settings** and then **Identities**.
- ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png)
+ :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option in the Name column" lightbox="../../media/defender-identity/settings-identities.png":::
1. You'll then see **Excluded entities** in the left-hand menu.
- ![Excluded entities.](../../media/defender-identity/excluded-entities.png)
+ :::image type="content" source="../../media/defender-identity/excluded-entities.png" alt-text="The Excluded entities pane" lightbox="../../media/defender-identity/excluded-entities.png":::
You can then set exclusions by two methods: **Exclusions by detection rule** and **Global excluded entities**.
You can then set exclusions by two methods: **Exclusions by detection rule** and
1. In the left-hand menu, select **Exclusions by detection rule**. You'll see a list of detection rules.
- ![Exclusions by detection rule.](../../media/defender-identity/exclusions-by-detection-rule.png)
+ :::image type="content" source="../../media/defender-identity/exclusions-by-detection-rule.png" alt-text="The Exclusions by detection rule option in the Excluded entities item in the left pane" lightbox="../../media/defender-identity/exclusions-by-detection-rule.png":::
1. For each detection you want to configure, do the following steps: 1. Select the rule. You can search for detections using the search bar. Once selected, a pane will open with the detection rule details.
- ![Detection rule details.](../../media/defender-identity/detection-rule-details.png)
+ :::image type="content" source="../../media/defender-identity/detection-rule-details.png" alt-text="The details of a detection rule" lightbox="../../media/defender-identity/detection-rule-details.png":::
1. To add an exclusion, select the **Excluded entities** button, and then choose the exclusion type. Different excluded entities are available for each rule. They include users, devices, domains and IP addresses. In this example, the choices are **Exclude devices** and **Exclude IP addresses**.
- ![Exclude devices or IP addresses.](../../media/defender-identity/exclude-devices-or-ip-addresses.png)
+ :::image type="content" source="../../media/defender-identity/exclude-devices-or-ip-addresses.png" alt-text="The option to exclude devices or IP addresses" lightbox="../../media/defender-identity/exclude-devices-or-ip-addresses.png":::
1. After choosing the exclusion type, you can add the exclusion. In the pane that opens, select the **+** button to add the exclusion.
- ![Add an exclusion.](../../media/defender-identity/add-exclusion.png)
+ :::image type="content" source="../../media/defender-identity/add-exclusion.png" alt-text="The option to add an exclusion" lightbox="../../media/defender-identity/add-exclusion.png":::
1. Then add the entity to be excluded. Select **+ Add** to add the entity to the list.
- ![Add an entity to be excluded.](../../media/defender-identity/add-excluded-entity.png)
+ :::image type="content" source="../../media/defender-identity/add-excluded-entity.png" alt-text="The option to add entity that is to be excluded" lightbox="../../media/defender-identity/add-excluded-entity.png":::
1. Then select **Exclude IP addresses** (in this example) to complete the exclusion.
- ![Exclude IP addresses.](../../media/defender-identity/exclude-ip-addresses.png)
+ :::image type="content" source="../../media/defender-identity/exclude-ip-addresses.png" alt-text="The option to exclude IP addresses" lightbox="../../media/defender-identity/exclude-ip-addresses.png":::
1. Once you've added exclusions, you can export the list or remove the exclusions by returning to the **Excluded entities** button. In this example, we've returned to **Exclude devices**. To export the list, select the down arrow button.
- ![Return to Exclude devices.](../../media/defender-identity/return-to-exclude-devices.png)
+ :::image type="content" source="../../media/defender-identity/return-to-exclude-devices.png" alt-text="The Return to Exclude devices option" lightbox="../../media/defender-identity/return-to-exclude-devices.png":::
1. To delete an exclusion, select the exclusion and select the trash icon.
- ![Delete an exclusion.](../../media/defender-identity/delete-exclusion.png)
+ :::image type="content" source="../../media/defender-identity/delete-exclusion.png" alt-text="The Delete an exclusion option" lightbox="../../media/defender-identity/delete-exclusion.png":::
## Global excluded entities
You can now also configure exclusions by **Global excluded entities**. Global ex
1. In the left-hand menu, select **Global excluded entities**. You'll see the categories of entities that you can exclude.
- ![Global excluded entities.](../../media/defender-identity/global-excluded-entities.png)
+ :::image type="content" source="../../media/defender-identity/global-excluded-entities.png" alt-text="The Global excluded entities submenu item" lightbox="../../media/defender-identity/global-excluded-entities.png":::
1. Choose an exclusion type. In this example, we selected **Exclude domains**.
- ![Exclude domains.](../../media/defender-identity/exclude-domains.png)
+ :::image type="content" source="../../media/defender-identity/exclude-domains.png" alt-text="The Domains tab" lightbox="../../media/defender-identity/exclude-domains.png":::
1. A pane will open where you can add a domain to be excluded. Add the domain you want to exclude.
- ![Add a domain to be excluded.](../../media/defender-identity/add-excluded-domain.png)
+ :::image type="content" source="../../media/defender-identity/add-excluded-domain.png" alt-text="The option to add a domain to be excluded" lightbox="../../media/defender-identity/add-excluded-domain.png":::
1. The domain will be added to the list. Select **Exclude domains** to complete the exclusion.
- ![Select exclude domains.](../../media/defender-identity/select-exclude-domains.png)
+ :::image type="content" source="../../media/defender-identity/select-exclude-domains.png" alt-text="The option to Select domains to be excluded" lightbox="../../media/defender-identity/select-exclude-domains.png":::
1. You'll then see the domain in the list of entities to be excluded from all detection rules. You can export the list, or remove the entities by selecting them and clicking the **Remove** button.
- ![List of global excluded entries.](../../media/defender-identity/global-excluded-entries-list.png)
+ :::image type="content" source="../../media/defender-identity/global-excluded-entries-list.png" alt-text="The list of global excluded entries" lightbox="../../media/defender-identity/global-excluded-entries-list.png":::
## See also
security Manage Security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/manage-security-alerts.md
Alerts can be accessed from multiple locations, including the **Alerts** page, t
In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to **Incidents & alerts** and then to **Alerts**.
-![Go to Incidents and Alerts, then Alerts.](../../media/defender-identity/incidents-alerts.png)
To see alerts from Defender for Identity, on the top-right select **Filter**, and then under **Service sources** select **Microsoft Defender for Identity**, and select **Apply**:
-![Filter for Defender for Identity events.](../../media/defender-identity/filter-defender-for-identity.png)
The alerts are displayed with information in the following columns: **Alert name**, **Tags**, **Severity**, **Investigation state**, **Status**, **Category**, **Detection source**, **Impacted assets**, **First activity**, and **Last activity**.
-![Defender for Identity events.](../../media/defender-identity/filtered-alerts.png)
## Manage alerts If you click the **Alert name** for one of the alerts, you'll go to the page with details about the alert. In the left pane, you'll see a summary of **What happened**:
-![What happened in alert.](../../media/defender-identity/what-happened.png)
Above the **What happened** box are buttons for the **Accounts**, **Destination Host** and **Source Host** of the alert. For other alerts, you might see buttons for details about additional hosts, accounts, IP addresses, domains, and security groups. Select any of them to get more details about the entities involved.
On the right pane, you'll see the **Alert details**. Here you can see more detai
- **Classify this alert** - Here you can designate this alert as a **True alert** or **False alert**
- ![Classify alert.](../../media/defender-identity/classify-alert.png)
+ :::image type="content" source="../../media/defender-identity/classify-alert.png" alt-text="The page on which you can classify an alert" lightbox="../../media/defender-identity/classify-alert.png":::
- **Alert state** - In **Set Classification**, you can classify the alert as **True** or **False**. In **Assigned to**, you can assign the alert to yourself or unassign it.
- ![Alert state.](../../media/defender-identity/alert-state.png)
+ :::image type="content" source="../../media/defender-identity/alert-state.png" alt-text="The Alert state pane" lightbox="../../media/defender-identity/alert-state.png":::
- **Alert details** - Under **Alert details**, you can find more information about the specific alert, follow a link to documentation about the type of alert, see which incident the alert is associated with, review any automated investigations linked to this alert type, and see the impacted devices and users.
- ![Alert details.](../../media/defender-identity/alert-details.png)
+ :::image type="content" source="../../media/defender-identity/alert-details.png" alt-text="The Alert details page" lightbox="../../media/defender-identity/alert-details.png":::
- **Comments & history** - Here you can add your comments to the alert, and see the history of all actions associated with the alert.
- ![Comments and history.](../../media/defender-identity/comments-history.png)
+ :::image type="content" source="../../media/defender-identity/comments-history.png" alt-text="The Comments & history page" lightbox="../../media/defender-identity/comments-history.png":::
- **Manage alert** - If you select **Manage alert**, you'll go to a pane that will allow you to edit the: - **Status** - You can choose **New**, **Resolved** or **In progress**.
On the right pane, you'll see the **Alert details**. Here you can see more detai
If you select the three dots next to **Manage alert**, you can **Consult a threat expert**, **Export** the alert to an Excel file, or **Link to another incident**.
- ![Manage alert.](../../media/defender-identity/manage-alert.png)
+ :::image type="content" source="../../media/defender-identity/manage-alert.png" alt-text="The Manage alert option" lightbox="../../media/defender-identity/manage-alert.png":::
> [!NOTE] > In the Excel file, you now have two links available: **View in Microsoft Defender for Identity** and **View in Microsoft 365 Defender**. Each link will bring you to the relevant portal, and provide information about the alert there.
security Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/notifications.md
In Microsoft 365 Defender, you can add recipients for email notifications of hea
1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to **Settings** and then **Identities**.
- ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png)
+ :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option in the column Name" lightbox="../../media/defender-identity/settings-identities.png":::
+ 1. Select **Health issues notifications**. 1. Enter the recipient's email address. Select **Add**.
- ![Enter email address for health issues.](../../media/defender-identity/health-email-recipient.png)
+ :::image type="content" source="../../media/defender-identity/health-email-recipient.png" alt-text="The Health issues notifications submenu item" lightbox="../../media/defender-identity/health-email-recipient.png":::
1. When Defender for Identity detects a health issue, the recipients will receive an email notification with the details.
- ![Example of health issue email.](../../media/defender-identity/health-email.png)
+ :::image type="content" source="../../media/defender-identity/health-email.png" alt-text="The health issue email" lightbox="../../media/defender-identity/health-email.png":::
> [!NOTE] > The email provides two links for further details about the issue. You can either go to the **MDI Health Center** or the new **Health Center in M365D**.
In Microsoft 365 Defender, you can add recipients for email notifications of det
1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to **Settings** and then **Identities**.
- ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png)
+ :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option" lightbox="../../media/defender-identity/settings-identities.png":::
1. Select **Alert notifications**. 1. Enter the recipient's email address. Select **Add**.
- ![Enter email address for detected alerts.](../../media/defender-identity/alert-email-recipient.png)
+ :::image type="content" source="../../media/defender-identity/alert-email-recipient.png" alt-text="The Alert notifications submenu item" lightbox="../../media/defender-identity/alert-email-recipient.png":::
## Syslog notifications
Defender for Identity can notify you when it detects suspicious activities by se
1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to **Settings** and then **Identities**.
- ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png)
+ :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The option of Identities in the Name column" lightbox="../../media/defender-identity/settings-identities.png":::
1. Select **Syslog notifications**. 1. To enable syslog notification, set the **Syslog service** toggle to the **on** position.
- ![Turn on syslog service.](../../media/defender-identity/syslog-service.png)
+ :::image type="content" source="../../media/defender-identity/syslog-service.png" alt-text="The Syslog service option that can be turned on" lightbox="../../media/defender-identity/syslog-service.png":::
1. Select **Configure service**. A pane will open where you can enter the details for the syslog service.
- ![Enter syslog service details.](../../media/defender-identity/syslog-sensor.png)
+ :::image type="content" source="../../media/defender-identity/syslog-sensor.png" alt-text="The page on which you enter the Syslog service details" lightbox="../../media/defender-identity/syslog-sensor.png":::
1. Enter the following details:
Defender for Identity can notify you when it detects suspicious activities by se
1. Once you've configured the **Syslog service**, you can choose which types of notifications (alerts or health issues) to send to your Syslog server.
- ![Syslog service configured.](../../media/defender-identity/syslog-configured.png)
+ :::image type="content" source="../../media/defender-identity/syslog-configured.png" alt-text="The Syslog service is configured option checked" lightbox="../../media/defender-identity/syslog-configured.png":::
## See also
security Sensor Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/sensor-health.md
This article explains how to configure and monitor [Microsoft Defender for Ident
1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to **Settings** and then **Identities**.
- ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png)
+ :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The option of Identities on the Settings page" lightbox="../../media/defender-identity/settings-identities.png":::
1. Select the **Sensors** page, which displays all of your Defender for Identity sensors. For each sensor, you'll see its name, its domain membership, the version number, if updates should be delayed, the service status, update status, health status, the number of health issues, and when the sensor was created.
This article explains how to configure and monitor [Microsoft Defender for Ident
[![Sensor filters.](../../media/defender-identity/sensor-filters.png)](../../media/defender-identity/sensor-filters.png#lightbox)
- ![Filtered sensor.](../../media/defender-identity/filtered-sensor.png)
+ :::image type="content" source="../../media/defender-identity/filtered-sensor.png" alt-text="The Filtered sensor" lightbox="../../media/defender-identity/filtered-sensor.png":::
1. If you select one of the sensors, a pane will display with information about the sensor and its health status.
This article explains how to configure and monitor [Microsoft Defender for Ident
1. If you select any of the health issues, you'll get a pane with more details about them. If you choose a closed issue, you can reopen it from here.
- ![Issue details.](../../media/defender-identity/issue-details.png)
+ :::image type="content" source="../../media/defender-identity/issue-details.png" alt-text="The Issue details" lightbox="../../media/defender-identity/issue-details.png":::
+
1. If you select **Manage sensor**, a pane will open where you can configure the sensor details.
- ![Manage sensor.](../../media/defender-identity/manage-sensor.png)
+ :::image type="content" source="../../media/defender-identity/manage-sensor.png" alt-text="The Manage sensor option" lightbox="../../media/defender-identity/manage-sensor.png":::
- ![Configure sensor details.](../../media/defender-identity/configure-sensor-details.png)
+ :::image type="content" source="../../media/defender-identity/configure-sensor-details.png" alt-text="The page on which you configure settings for the sensor" lightbox="../../media/defender-identity/configure-sensor-details.png":::
1. In the **Sensors** page, you can export your list of sensors to a .csv file by selecting **Export**.
- ![Export list of sensors.](../../media/defender-identity/export-sensors.png)
+ :::image type="content" source="../../media/defender-identity/export-sensors.png" alt-text="The Export list of sensors" lightbox="../../media/defender-identity/export-sensors.png":::
## Add a sensor
From the **Sensors** page, you can add a new sensor.
1. Select **Add sensor**.
- ![Add sensor.](../../media/defender-identity/add-sensor.png)
+ :::image type="content" source="../../media/defender-identity/add-sensor.png" alt-text="The Add sensor option" lightbox="../../media/defender-identity/add-sensor.png":::
1. A pane will open, providing you with a button to download the sensor installer and a generated access key.
- ![Download installer and access key.](../../media/defender-identity/installer-access-key.png)
+ :::image type="content" source="../../media/defender-identity/installer-access-key.png" alt-text="The options to download the installer and regenerate the key" lightbox="../../media/defender-identity/installer-access-key.png":::
1. Select **Download installer** to save the package locally. The zip file includes the following files:
security Vpn Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/vpn-integration.md
Perform the following steps on your RRAS server.
1. Right-click the server name and select **Properties**. 1. In the **Security** tab, under **Accounting provider**, select **RADIUS Accounting** and select **Configure**.
- ![RADIUS setup.](../../media/defender-identity/radius-setup.png)
+ :::image type="content" source="../../media/defender-identity/radius-setup.png" alt-text="The RADIUS setup" lightbox="../../media/defender-identity/radius-setup.png":::
1. In the **Add RADIUS Server** window, type the **Server name** of the closest [!INCLUDE [Product short](includes/product-short.md)] sensor (which has network connectivity). For high availability, you can add additional [!INCLUDE [Product short](includes/product-short.md)] sensors as RADIUS Servers. Under **Port**, make sure the default of 1813 is configured. Select **Change** and type a new shared secret string of alphanumeric characters. Take note of the new shared secret string as you'll need to fill it out later during [!INCLUDE [Product short](includes/product-short.md)] Configuration. Check the **Send RADIUS Account On and Accounting Off messages** box and select **OK** on all open dialog boxes.
- ![VPN setup.](../../media/defender-identity/vpn-set-accounting.png)
+ :::image type="content" source="../../media/defender-identity/vpn-set-accounting.png" alt-text="The VPN setup" lightbox="../../media/defender-identity/vpn-set-accounting.png":::
## Configure VPN in Defender for Identity
To configure VPN data in [!INCLUDE [Product short](includes/product-short.md)] i
1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to **Settings** and then **Identities**.
- ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png)
+ :::image type="content" source="../../media/defender-identity/settings-identities.png" alt-text="The Identities option under the settings menu item" lightbox="../../media/defender-identity/settings-identities.png":::
1. Select **VPN**. 1. Select **Enable radius accounting**, and type the **Shared Secret** you configured previously on your RRAS VPN Server. Then select **Save**.
- ![VPN integration.](../../media/defender-identity/vpn-integration.png)
+ :::image type="content" source="../../media/defender-identity/vpn-integration.png" alt-text="The VPN integration" lightbox="../../media/defender-identity/vpn-integration.png":::
After this is enabled, all Defender for Identity sensors will listen on port 1813 for RADIUS accounting events, and your VPN setup is complete.
security About Defender For Office 365 Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/about-defender-for-office-365-trial.md
As part of the trial setup, the Defender for Office 365 licenses are automatical
The licensing card for the trial shows the following information:
-![The Licensing card in the Microsoft Defender for Office 365 trial.](../../media/mdo-trial-licensing-card.png)
- **Usage type** section: - **Trial**: The number of trial Defender for Office 365 licenses that are available for you to use.
Defender for Office 365 helps organizations secure their enterprise by offering
You can also learn more about Defender for Office 365 at this [interactive guide](https://aka.ms/MS365D.InteractiveGuide).
-![Microsoft Defender for Office 365 conceptual diagram.](../../media/microsoft-defender-for-office-365.png)
### Prevention
security Address Compromised Users Quickly https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/address-compromised-users-quickly.md
You have a few options for navigating to a list of restricted users. For example
2. On the **Alerts** page, filter the results by time period and the policy named **User restricted from sending email**.
- ![The Alerts page in the Microsoft 365 Defender portal filtered for restricted users.](../../media/m365-sc-alerts-page-with-restricted-user.png)
+ :::image type="content" source="../../media/m365-sc-alerts-page-with-restricted-user.png" alt-text="The Alerts page in the Microsoft 365 Defender portal filtered for restricted users" lightbox="../../media/m365-sc-alerts-page-with-restricted-user.png":::
3. If you select the entry by clicking on the name, a **User restricted from sending email** page opens with additional details for you to review. Next to the **Manage alert** button, you can click ![More options icon.](../../medi).
- ![The User restricted from sending email page from the Alerts center.](../../media/m365-sc-alerts-user-restricted-from-sending-email-page.png)
+ :::image type="content" source="../../media/m365-sc-alerts-user-restricted-from-sending-email-page.png" alt-text="The User restricted from sending email page" lightbox="../../media/m365-sc-alerts-user-restricted-from-sending-email-page.png":::
### View details about automated investigations
security Admin Review Reported Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md
You will only be able to mark and notify users of review results if the message
3. Select the **Mark as and notify** drop-down, and then select **No threats found**, **Phishing**, or **Junk**. > [!div class="mx-imgBorder"]
- > ![Send messages from portal.](../../media/admin-review-send-message-from-portal.png)
+ > :::image type="content" source="../../media/admin-review-send-message-from-portal.png" alt-text="The page displaying the user-reported messages" lightbox="../../media/admin-review-send-message-from-portal.png":::
The reported message will be marked as either false positive or false negative, and an email will be automatically sent from within the portal notifying the user who reported the message.
The reported message will be marked as either false positive or false negative,
- Footer > [!div class="mx-imgBorder"]
- > ![Customize messages send to users.](../../media/admin-review-customize-message.png)
+ > :::image type="content" source="../../media/admin-review-customize-message.png" alt-text="The Customize confirmation message page" lightbox="../../media/admin-review-customize-message.png":::
4. When you're finished, click **Save**. To clear these values, click **Discard** on the **User submissions** page.
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
For other ways to submit email messages, URLs, and attachments to Microsoft, see
3. Select the **Mark as and notify** drop-down, and then select **No threats found** \> **Phishing** or **Junk**.
- :::image type="content" alt-text="Send messages from portal." source="../../media/unified-submission-user-reported-message.png" lightbox="../../media/unified-submission-user-reported-message.png":::
+ :::image type="content" source="../../media/unified-submission-user-reported-message.png" alt-text="The Submissions page" lightbox="../../media/unified-submission-user-reported-message.png":::
The reported message will be marked as a false positive or a false negative. An email notification is sent automatically from within the portal to the user who reported the message.
The reported message will be marked as a false positive or a false negative. An
5. When you're finished, click **Submit**. > [!div class="mx-imgBorder"]
- > ![New URL submission example.](../../media/submission-flyout-email.png)
+ > :::image type="content" source="../../media/submission-flyout-email.png" alt-text="The New URL submission process" lightbox="../../media/submission-flyout-email.png":::
### Send a suspect URL to Microsoft
The reported message will be marked as a false positive or a false negative. An
4. When you're finished, click **Submit**. > [!div class="mx-imgBorder"]
- > ![New Email submission example.](../../media/submission-url-flyout.png)
+ > :::image type="content" source="../../media/submission-url-flyout.png" alt-text="The New Email submission process" lightbox="../../media/submission-url-flyout.png":::
### Submit a suspected email attachment to Microsoft
The reported message will be marked as a false positive or a false negative. An
4. When you're finished, click **Submit**. > [!div class="mx-imgBorder"]
- > ![New Attachment submission example.](../../media/submit-email-attachment-for-analysis.png)
+ > :::image type="content" source="../../media/submission-file-flyout.png" alt-text="The New Attachment submission process" lightbox="../../media/submission-file-flyout.png":::
> [!NOTE] > If malware filtering has replaced the message attachments with the Malware Alert Text.txt file, you need to submit the original message from quarantine that contains the original attachments. For more information on quarantine and how to release messages with malware false positives, see [Manage quarantined messages and files as an admin](manage-quarantined-messages-and-files.md).
The reported message will be marked as a false positive or a false negative. An
When you're finished, click **Apply**. > [!div class="mx-imgBorder"]
- > ![New Customize column options for admin submissions.](../../media/submit-admin-submissios-customize-columns.png)
+ > :::image type="content" source="../../media/admin-submission-customize-columns.png" alt-text="The New Customize column options for admin submissions" lightbox="../../media/admin-submission-customize-columns.png":::
- To filter the entries, click **Filter**. The available filters are: - **Date submitted**: **Start date** and **End date**.
The reported message will be marked as a false positive or a false negative. An
When you're finished, click **Apply**. > [!div class="mx-imgBorder"]
- > ![New Filter options for admin submissions.](../../media/submit-admin-submissions-view-filters.png)
+ > :::image type="content" source="../../media/admin-submission-filters.png" alt-text="The New Filter options for admin submissions" lightbox="../../media/admin-submission-filters.png":::
- To group the entries, click **Group** and select one of the following values from the dropdown list: - **None**
If you've deployed the [Report Message add-in](enable-the-report-message-add-in.
When you're finished, click **Apply**. > [!div class="mx-imgBorder"]
- > ![New Filter options for user submissions.](../../media/submit-user-submissions-view-filters.png)
+ > :::image type="content" source="../../media/admin-submission-reported-messages.png" alt-text="The New Filter options for user submissions" lightbox="../../media/admin-submission-reported-messages.png":::
- To group the entries, click **Group** and select one of the following values from the dropdown list: - **None**
On the **User reported messages** tab, select a message in the list, click **Sub
- **Trigger investigation** > [!div class="mx-imgBorder"]
-> ![New Options on the Action button.](../../media/admin-submission-main-action-button.png)
+> :::image type="content" source="../../media/admin-submission-main-action-button.png" alt-text="The New options on the Action button" lightbox="../../media/admin-submission-main-action-button.png":::
security Anti Spoofing Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-protection.md
The following anti-spoofing technologies are available in EOP:
EOP analyzes and blocks messages that can't be authenticated by the combination of standard email authentication methods and sender reputation techniques.
- ![EOP anti-spoofing checks.](../../media/eop-anti-spoofing-protection.png)
+ :::image type="content" source="../../media/eop-anti-spoofing-protection.png" alt-text="The EOP anti-spoofing checks" lightbox="../../media/eop-anti-spoofing-protection.png":::
- **Spoof intelligence insight**: Review spoofed messages from senders in internal and external domains during the last 7 days, and allow or block those senders. For more information, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
security Attack Simulation Training Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-faq.md
While the whole simulation creation and scheduling experience has been designed
A URL reputation service might identify one or more of the URLs that are used by Attack simulation training as unsafe. Google Safe Browsing in Google Chrome blocks some of the simulated phishing URLs with a **Deceptive site ahead** message. While we work with many URL reputation vendors to always allow our simulation URLs, we don't always have full coverage.
-![Deceptive site ahead warning in Google Chrome.](../../media/attack-sim-training-faq-chrome-deceptive-site-message.png)
Note that this issue does not affect Microsoft Edge.
Every simulation campaign has a lifecycle. When first created, the simulation is
While a simulation is in the **Scheduled** state, the simulation reports will be mostly empty. During this stage, the simulation engine is resolving the target user email addresses, expanding distribution groups, removing guest users from the list, etc.:
-![Simulation details showing the simulation in the Scheduled state.](../../media/attack-sim-training-faq-scheduled-state.png)
Once the simulation enters the **In progress** stage, you will notice information starting to trickle into the reporting:
-![Simulation details showing the simulation in the In progress state.](../../media/attack-sim-training-faq-in-progress-state.png)
It can take up to 30 minutes for the individual simulation reports to update after the transition to the **In progress** state. The report data continues to build until the simulation reaches the **Completed** state. Reporting updates occur at the following intervals:
Note that the configuration change might take up to 30 minutes to synchronize ac
A: Yes you can! On the very last **Review Simulation** page in the wizard to create a new simulation, there's an option to **Send a test**. This option will send a sample phishing simulation message to the currently logged in user. After you validate the phishing message in your Inbox, you can submit the simulation.
-![Send a test button on the Review simulation page.](../../media/attack-sim-training-simulations-review-simulation.png)
### Q: Can I target users that belong to a different tenant as part of the same simulation campaign?
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
Selecting **View all simulations** takes you to the **Simulations** tab.
Selecting **Launch a simulation** starts the simulation creation wizard. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training.md).
-![Recent simulations card on the Overview tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-overview-recent-simulations-card.png)
### Behavior impact on compromise rate card
The following summary information is also shown on the card:
- **users less susceptible to phishing**: The difference between the actual number of users compromised by the simulated attack and the predicted compromise rate. This number of users is less likely to be compromised by similar attacks in the future. - **x% better than predicted rate**: Indicates how users did overall in contrast with the predicted compromise rate.
-![Behavior impact on compromise rate card on the Overview tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-overview-behavior-impact-card.png)
To see a more detailed report, click **View simulations and training efficacy report**. This report is explained [later in this article](#training-efficacy-tab-for-the-attack-simulation-report).
Selecting **Launch simulation for non-simulated users** starts the simulation cr
Selecting **View simulation coverage report** takes you to the [User coverage tab for the Attack simulation report](#user-coverage-tab-for-the-attack-simulation-report).
-![Simulation coverage card on the Overview tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-overview-sim-coverage-card.png)
### Training completion card
The **Recommendations** card on the **Overview** tab suggests different types of
Selecting **Launch now** starts the simulation creation wizard with the specified simulation type automatically selected on the **Select technique** page. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training.md).
-![Recommendations card on the Overview tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-overview-recommendations-card.png)
### Attack simulation report
You can open the **Attack simulation report** from the **Overview** tab by click
On the **Attack simulation report** page, the **Training efficacy** tab is selected by default. This tab provides the same information that's available in the **Behavior impact on compromise rate** card, with additional context from the simulation itself.
-![Training efficacy tab in the Attack simulation report in the Microsoft 365 Defender portal.](../../media/attack-sim-report-training-efficacy-view.png)
The chart shows the **Predicted compromise rate** and **Actual compromised rate**. If you hover over a section in the chart, the actual percentage values for are shown.
If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Exp
#### User coverage tab for the Attack simulation report
-![User coverage tab in the Attack simulation report in the Microsoft 365 Defender portal.](../../media/attack-sim-report-user-coverage-view.png)
On the **User coverage** tab, the chart shows the **Simulated users** and **Non-simulated users**. If you hover over a data point in the chart, the actual values are shown.
If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Exp
#### Training completion tab for the Attack simulation report
-![Training completion tab in the Attack simulation report in the Microsoft 365 Defender portal.](../../media/attack-sim-report-training-completion-view.png)
On the **Training completion** tab, the chart shows the number of **Completed**, **In progress**, and **Incomplete** simulations. If you hover over a section in the chart, the actual values are shown.
If you click the ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Exp
#### Repeat offenders tab for the Attack simulation report
-![Repeat offenders tab in the Attack simulation report in the Microsoft 365 Defender portal.](../../media/attack-sim-report-repeat-offenders-view.png)
A _repeat offender_ is a user who was compromised by consecutive simulations. The default number of consecutive simulations is two, but you can change the value on the **Settings** tab of Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=setting>.
The **Simulation impact** section on the simulation details page shows how many
- Links: **Entered credentials** and **Did not enter credentials**.
- ![Simulation impact section for link-related simulation details.](../../media/attack-sim-training-sim-details-sim-impact-links.png)
+ :::image type="content" source="../../media/attack-sim-training-sim-details-sim-impact-links.png" alt-text="The Simulation impact section for link-related simulation details" lightbox="../../media/attack-sim-training-sim-details-sim-impact-links.png":::
- Attachments: **Opened attachment** and **Did not open attachment**.
- ![Simulation impact section for attachment-related simulation details.](../../media/attack-sim-training-sim-details-sim-impact-attachments.png)
+ :::image type="content" source="../../media/attack-sim-training-sim-details-sim-impact-attachments.png" alt-text="The Simulation impact section for attachment-related simulation details" lightbox="../../media/attack-sim-training-sim-details-sim-impact-attachments.png":::
If you hover over a section in the chart, the actual numbers for each category are shown.
The **All user activity** section on the simulation details page shows numbers f
- **EmailLinkClicked**: How many users clicked on the link in the simulation message. - **CredSupplied**: After clicking on the link, how many users supplied their credentials.
- ![All user activity section for link-related simulation details.](../../media/attack-sim-training-sim-details-all-user-activity-links.png)
+ :::image type="content" source="../../media/attack-sim-training-sim-details-all-user-activity-links.png" alt-text="The All user activity section for link-related simulation details" lightbox="../../media/attack-sim-training-sim-details-all-user-activity-links.png":::
- Attachments: - **AttachmentOpened**: How many users opened the attachment in the simulation message.
- ![All user activity section for attachment-related simulation details.](../../media/attack-sim-training-sim-details-all-user-activity-attachments.png)
+ :::image type="content" source="../../media/attack-sim-training-sim-details-all-user-activity-attachments.png" alt-text="The All user activity section for attachment-related simulation details" lightbox="../../media/attack-sim-training-sim-details-all-user-activity-attachments.png":::
### Training completion section The **Training completion** section on the simulation details page shows the trainings that are required for the simulation, and how many users have completed the trainings.
-![Training completion section for attachment-related simulation details.](../../media/attack-sim-training-sim-details-training-completed.png)
## Recommended actions section The **Recommended actions** section on the simulation details page shows recommendation actions from [Microsoft Secure Score](../defender/microsoft-secure-score.md) and the effect the action will have on your Secure Score. These recommendations are based on the payload that was used in the simulation, and will help protect your users and your environment. Selecting an **Improvement action** from the list takes you to the location to implement the suggested action.
-![Recommendation actions section on Attack simulation training.](../../media/attack-sim-training-sim-details-recommended-actions.png)
## Related Links
security Attack Simulation Training Payload Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations.md
To create a payload automation, do the following steps:
2. On the **Payload automations** tab, select ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) **Create automation**.
- ![Create automation button on the Payload automations tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-payload-automations-create.png)
+ :::image type="content" source="../../media/attack-sim-training-sim-automations-create.png" alt-text="The Create simulation button on the Payload automations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-sim-automations-create.png":::
3. The creation wizard opens. The rest of this article describes the pages and the settings they contain.
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
On the **Configure payload** page, it's time to build your payload. Many of the
- **Insert name**: The value that's added in the message body is `${userName}`. - **Insert email**: The value that's added in the message body is `${emailAddress}`.
- ![The Email message section on the Configure payload page in the payload creation wizard in Attack simulation training in Microsoft Defender for Office 365.](../../media/attack-sim-training-payloads-configure-payload-email-message.png)
+ :::image type="content" source="../../media/attack-sim-training-payloads-configure-payload-email-message.png" alt-text="The Email message section on the Configure payload page in the payload creation wizard in Attack simulation training in Microsoft Defender for Office 365" lightbox="../../media/attack-sim-training-payloads-configure-payload-email-message.png":::
**Phishing link** control: This control is available only if you selected **Credential harvest**, **Link in attachment**, or **Drive-by URL** on the **Select technique** page. Use this control to insert the URL that you previously selected in the **Phishing link** section.
On the **Add indicators** page, click **Add indicator**. On the flyout that appe
If you select the email message subject or the message body as the location for the indicator, a **Select text** button is available. Click this button to select the text in the message subject or message body where you want the indicator to appear. When you're finished, click **Select**.
- ![Selected text location in the message body to add to an indicator in the payload creation wizard in Attack simulation training.](../../media/attack-sim-training-payloads-add-indicators-select-location.png)
+ :::image type="content" source="../../media/attack-sim-training-payloads-add-indicators-select-location.png" alt-text="The Selected text location in the message body to add to an indicator in the payload creation wizard in Attack simulation training" lightbox="../../media/attack-sim-training-payloads-add-indicators-select-location.png":::
- **Indicator description**: You can accept the default description for the indicator, or you can customize it.
On the main **Review payload** page, you can select **Edit** in each section to
When you're finished, click **Submit**. On the confirmation page that appears, click **Done**.
-![Review payload page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-payloads-review-payload.png)
> [!IMPORTANT] > Payloads that you created will have the value **Tenant** for the **Source** property. When you create simulations and select payloads, make sure that you don't filter out the **Source** value **Tenant**.
security Attack Simulation Training Simulation Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations.md
To create a simulation automation, do the following steps:
2. On the **Simulation automations** tab, select ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) **Create automation**.
- ![Create automation button on the Simulation automations tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-sim-automations-create.png)
+ :::image type="content" source="../../media/attack-sim-training-sim-automations-create.png" alt-text="The Create simulation button on the Simulation automations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-sim-automations-create.png":::
3. The creation wizard opens. The rest of this article describes the pages and the settings they contain.
On the **Select social engineering techniques** page, select one or more of the
If you click the **View details** link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.
-![Details flyout for the credential harvest technique on the Select social engineering techniques page.](../../media/attack-sim-training-simulations-select-technique-sim-steps.png)
When you're finished, click **Next**.
If you select a payload from the list by clicking on the name, details about the
- The **Overview** tab contains an example and other details about the payload. - The **Simulations launched** tab contains the **Simulation name**, **Click rate**, **Compromised rate**, and **Action**.
-![Payload details flyout in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-select-payload-details.png)
When you're finished, click **Next**.
On the **Target users** page, select who will receive the simulation. Configure
- Select **All Title** - Select existing Title values.
- ![User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-target-users-filter-by-category.png)
+ :::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The user filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::
After you identify your criteria, the affected users are shown in the **User list** section that appears, where you can select some or all of the discovered recipients.
On the **Assign training** page, you can assign trainings for the simulation. We
- **7 days after simulation ends** - **No training**: If you select this value, the only option on the page is the **Next** button that takes you to the [**Landing page**](#landing-page) page.
-![Add recommended training on the Training assignment page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-assign-training-add-recommended-training.png)
### Training assignment
For each training in the list, you need to select who gets the training by selec
If you don't want to use a training that's shown, click ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
-![Training assignment page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-training-assignment.png)
When you're finished, click **Next**.
security Attack Simulation Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md
To launch a simulated phishing attack, do the following steps:
2. On the **Simulations** tab, select ![Launch a simulation icon.](../../media/m365-cc-sc-create-icon.png) **Launch a simulation**.
- ![Launch a simulation button on the Simulations tab in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-launch.png)
+ :::image type="content" source="../../media/attack-sim-training-simulations-launch.png" alt-text="The Launch a simulation button on the Simulations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-launch.png":::
3. The simulation creation wizard opens. The rest of this article describes the pages and the settings they contain.
On the **Select technique** page, select an available social engineering techniq
If you click the **View details** link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.
-![Details flyout for the credential harvest technique on the Select technique page.](../../media/attack-sim-training-simulations-select-technique-sim-steps.png)
When you're finished, click **Next**.
If you click **Filter**, the following filters are available:
When you're finished configuring the filters, click **Apply**, **Cancel**, or **Clear filters**.
-![Select payload page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-select-payload.png)
If you select a payload from the list, details about the payload are shown in a flyout: - The **Overview** tab contains an example and other details about the payload. - The **Simulations launched** tab contains the **Simulation name**, **Click rate**, **Compromised rate**, and **Action**.
-![Payload details flyout in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-select-payload-details.png)
If you select a payload from the list by clicking on the name, a ![Send a test payload icon.](../../media/m365-cc-sc-create-icon.png) **Send a test** button appears on the main page where you can send a copy of the payload email to yourself (the currently logged in user) for inspection.
On the **Target users** page, select who will receive the simulation. Configure
- Select **All Title** - Select existing Title values.
- ![User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-target-users-filter-by-category.png)
+ :::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::
After you identify your criteria, the affected users are shown in the **User list** section that appears, where you can select some or all of the discovered recipients.
On the **Assign training** page, you can assign trainings for the simulation. We
- **7 days after simulation ends** - **No training**: If you select this value, the only option on the page is the **Next** button that takes you to the [**Landing page**](#landing-page) page.
-![Add recommended training on the Training assignment page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-assign-training-add-recommended-training.png)
### Training assignment
For each training in the list, you need to select who gets the training by selec
If you don't want to use a training that's shown, click ![Delete training icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
-![Training assignment page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-training-assignment.png)
When you're finished, click **Next**.
You can select **Edit** in each section to modify the settings within the sectio
When you're finished, click **Submit**.
-![Review simulation page in Attack simulation training in the Microsoft 365 Defender portal.](../../media/attack-sim-training-simulations-review-simulation.png)
security Automated Investigation Response Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/automated-investigation-response-office.md
In addition to automated investigations that are triggered by an alert, your org
For example, suppose that you are using the **Malware** view in Explorer. Using the tabs below the chart, you select the **Email** tab. If you select one or more items in the list, the **+ Actions** button activates.
-![Explorer with selected messages.](../../media/Explorer-Malware-Email-ActionsInvestigate.png)
+ Using the **Actions** menu, you can select **Trigger investigation**.
-![Actions menu for selected messages.](../../media/explorer-malwareview-selectedemails-actions.jpg)
Similar to playbooks triggered by an alert, automatic investigations that are triggered from a view in Explorer include a root investigation, steps to identify and correlate threats, and recommended actions to mitigate those threats.
security Azure Ip Protection Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/azure-ip-protection-features.md
Starting July 1, 2018, Microsoft will enable the protection capability in Azure
Tenant administrators can check the protection status in the Office 365 administrator portal.
-![Screenshot that shows that rights management in Office 365 is activated.](../../media/303453c8-e4a5-4875-b49f-e80c3eb7b91e.png)
## Why are we making this change?
To opt out of the upcoming change, complete these steps:
Once this is enabled, provided you haven't opted out, you can start using the new version of Office 365 Message Encryption which was announced at [Microsoft Ignite 2017](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Email-Encryption-and-Rights-Protection/ba-p/110801) and leverages the encryption and protection capabilities of Azure Information Protection.
-![Screenshot that shows an OME protected message in Outlook on the web.](../../media/599ca9e7-c05a-429e-ae8d-359f1291a3d8.png)
For more information about the new enhancements, see [Office 365 Message Encryption](../../compliance/ome.md).
security Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md
A campaign might be short-lived, or could span several days, weeks, or months wi
Campaign Views is available in the Microsoft 365 Defender portal at <https://security.microsoft.com> at **Email & collaboration** \> **Campaigns**, or directly at <https://security.microsoft.com/campaigns>.
-![Campaigns overview in the Microsoft 365 Defender portal.](../../media/campaigns-overview.png)
You can also get to Campaign Views from:
The **Campaign origin** tab shows the message sources on a map of the world.
At the top of the **Campaign** page, there are several filter and query settings to help you find and isolate specific campaigns.
-![Campaign filters.](../../media/campaign-filters-and-settings.png)
The most basic filtering that you can do is the start date/time and the end date/time.
At the top of the campaign details view, the following campaign information is a
- Start date/time and end data/time filters for the campaign flow as described in the next section. - An interactive timeline of campaign activity: The timeline shows activity over the entire lifetime of the campaign. You can hover over the data points in the graph to see the amount of detected messages.
-![Campaign information.](../../media/campaign-details-campaign-info.png)
### Campaign flow
In the middle of the campaign details view, important details about the campaign
> [!TIP] > The information that's displayed in the flow diagram is controlled by the date range filter in the timeline as described in the previous section.
-![Campaign details that don't contain user URL clicks.](../../media/campaign-details-no-recipient-actions.png)
If you hover over a horizontal band in the diagram, you'll see the number of related messages (for example, messages from a particular source IP, messages from the source IP using the specified sender domain, etc.).
security Configuration Analyzer For Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies.md
The **Configuration analyzer** page has three main tabs:
By default, the configuration analyzer opens on the **Standard recommendations** tab. You can switch to the **Strict recommendations** tab. The settings, layout, and actions are the same on both tabs.
-![Settings and recommendations view in the Configuration analyzer.](../../media/configuration-analyzer-settings-and-recommendations-view.png)
The first section of the tab displays the number of settings in each type of policy that need improvement as compared to Standard or Strict protection. The types of policies are:
To export the results to a .csv file, click **Export**.
To filter the results by a specific **Modified by**, **Setting name**, or **Type** value, use the **Search** box.
-![Configuration drift analysis and history view in the Configuration analyzer.](../../media/configuration-analyzer-configuration-drift-analysis-view.png)
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
The following example assumes you need email from contoso.com to skip spam filte
When a message skips spam filtering due to a mail flow rule, the value `SFV:SKN` value is stamped in the **X-Forefront-Antispam-Report** header. If the message is from a source that's on the IP Allow List, the value `IPV:CAL` is also added. These values can help you with troubleshooting.
-![Mail flow rule settings in the EAC for bypassing spam filtering.](../../media/1-AllowList-SkipFilteringFromContoso.png)
+ :::image type="content" source="../../media/1-AllowList-SkipFilteringFromContoso.png" alt-text="The Mail flow rule settings in the EAC for bypassing spam filtering" lightbox="../../media/1-AllowList-SkipFilteringFromContoso.png":::
+ ## Use Outlook Safe Senders
security Email Analysis Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-analysis-investigations.md
To ensure investigation actions are up to date, any investigation that has pendi
Email-based evidence in the **Evidence and Response** tab for an incident now displays the following information. From the numbered callouts in the figure:
From the numbered callouts in the figure:
For email or email clusters in the **Entities** tab of an incident, **Prevented** means that there was no malicious emails in the mailbox for this item (mail or cluster). Here is an example. In this example, the email is malicious but not in a mailbox.
security Email Security In Microsoft Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-security-in-microsoft-defender.md
To see malware detected in email sorted by Microsoft 365 technology, use the [**
3. Click **Sender**, and then choose **Basic** \> **Detection technology** in the drop down list.
- :::image type="content" source="../../media/exploreremailmalwaredetectiontech-newimg.png" alt-text="malware detection technology.":::
+ :::image type="content" source="../../media/exploreremailmalwaredetectiontech-newimg.png" alt-text="The malware detection technology" lightbox="../../media/exploreremailmalwaredetectiontech-newimg.png":::
Your detection technologies are now available as filters for the report. 4. Choose an option, and then click **Refresh** to apply that filter (don't refresh your browser window).
- :::image type="content" source="../../media/exploreremailmalwaredetectiontech2-new.png" alt-text="selected detection technology.":::
+ :::image type="content" source="../../media/exploreremailmalwaredetectiontech2-new.png" alt-text="selected detection technology" lightbox="../../media/exploreremailmalwaredetectiontech2-new.png":::
The report refreshes to show the results that malware detected in email, using the technology option you selected. From here, you can conduct further analysis.
You can use the **Report clean** option in Explorer to report a message as false
4. Scroll down the list of options to go to the **Start new submission** section, and then select **Report clean**. A flyout appears. > [!div class="mx-imgBorder"]
- > ![Report clean option in Explorer.](../../media/report-clean-option-explorer.png)
+ > :::image type="content" source="../../media/report-clean-option-explorer.png" alt-text="The Report clean option in the Explorer" lightbox="../../media/report-clean-option-explorer.png":::
5. Toggle the slider to **On**. From the drop down list, specify the number of days you want the message to be removed, add a note if needed, and then select **Submit**.
You can view phishing attempts through URLs in email, including a list of URLs t
2. In the **View** drop down list, choose **Email** \> **Phish**. > [!div class="mx-imgBorder"]
- > ![View menu for Explorer in phishing context.](../../media/ExplorerViewEmailPhishMenu.png)
+ > :::image type="content" source="../../media/ExplorerViewEmailPhishMenu.png" alt-text="The View menu for Explorer in phishing context" lightbox="../../media/ExplorerViewEmailPhishMenu.png":::
3. Click **Sender**, and then choose **URLs** \> **Click verdict** in the drop down list. 4. In options that appear, select one or more options, such as **Blocked** and **Block overridden**, and then click **Refresh** (don't refresh your browser window).
- :::image type="content" source="../../media/threatexploreremailphishclickverdict-new.png" alt-text="URLs and click verdicts.":::
+ :::image type="content" source="../../media/threatexploreremailphishclickverdict-new.png" alt-text="The URLs and click verdicts" lightbox="../../media/threatexploreremailphishclickverdict-new.png":::
The report refreshes to show two different URL tables on the **URLs** tab under the report:
You can view phishing attempts through URLs in email, including a list of URLs t
The two URL tables show top URLs in phishing email messages by delivery action and location. The tables show URL clicks that were blocked or visited despite a warning, so you can see what potential bad links were presented to users and that the users clicked. From here, you can conduct further analysis. For example, below the chart you can see the top URLs in email messages that were blocked in your organization's environment. > [!div class="mx-imgBorder"]
- > ![Explorer URLs that were blocked.](../../media/ExplorerPhishClickVerdictURLs.png)
+ > :::image type="content" source="../../media/ExplorerPhishClickVerdictURLs.png" alt-text="The Explorer URLs that were blocked" lightbox="../../media/ExplorerPhishClickVerdictURLs.png":::
Select a URL to view more detailed information.
security Enable The Report Message Add In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/enable-the-report-message-add-in.md
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -ReportJunkEmailEnabled
2. Click **GET IT NOW**.
- ![Report Message - Get It Now.](../../media/ReportMessageGETITNOW.png)
+ :::image type="content" source="../../media/ReportMessageGETITNOW.png" alt-text="The Get It Now report message" lightbox="../../media/ReportMessageGETITNOW.png":::
3. In the dialog that appears, review the terms of use and privacy policy, and then click **Continue**.
After the add-in is installed and enabled, you'll see the following icons:
- In Outlook, the icon looks like this: > [!div class="mx-imgBorder"]
- > ![Report Message add-in icon for Outlook.](../../media/OutlookReportMessageIcon.png)
+ > :::image type="content" source="../../media/OutlookReportMessageIcon.png" alt-text="The Report Message add-in icon for Outlook" lightbox="../../media/OutlookReportMessageIcon.png":::
- In Outlook on the web, the icon looks like this:
After the add-in is installed and enabled, you'll see the following icons:
1. In the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home?#/homepage), go to **Settings** \> **Integrated apps**. Click **Get apps**. > [!div class="mx-imgBorder"]
- > ![Microsoft 365 admin center Integrated apps](../../media/microsoft-365-admin-center-integrated-apps.png)
+ > :::image type="content" source="../../media/microsoft-365-admin-center-integrated-apps.png" alt-text="The Microsoft 365 admin center Integrated apps" lightbox="../../media/microsoft-365-admin-center-integrated-apps.png":::
+ 2. In the **Microsoft 365 Apps** page that appears, click in the **Search** box, enter **Report Message**, and then click **Search** ![Search icon.](../../media/search-icon.png). In the list of results, find and select **Report Message**. 3. The app details page opens. Select **Get It Now**. > [!div class="mx-imgBorder"]
- > ![Report Message add-in](../../media/microsoft-365-admin-center-report-message.png)
+ > :::image type="content" source="../../media/microsoft-365-admin-center-report-message.png" alt-text="The Report Message add-in" lightbox="../../media/microsoft-365-admin-center-report-message.png":::
4. Complete the basic profile information, and then click **Continue**. > [!div class="mx-imgBorder"]
- > ![Report Message add-in profile setup](../../media/microsoft-365-admin-center-profile-info.png)
+ > :::image type="content" source="../../media/microsoft-365-admin-center-profile-info.png" alt-text="The Report Message add-in profile setup" lightbox="../../media/microsoft-365-admin-center-profile-info.png":::
5. The **Deploy New App** flyout opens. Configure the following settings. Click **Next** to go to the next page to complete setup.
After the add-in is installed and enabled, you'll see the following icons:
- **Accept Permissions requests**: Read the app permissions and capabilities carefully before going to the next page. > [!div class="mx-imgBorder"]
- > ![App permissions](../../media/microsoft-365-admin-center-deploy-new-app.png)
+ > :::image type="content" source="../../media/microsoft-365-admin-center-deploy-new-app.png" alt-text="The Accept permissions requests page" lightbox="../../media/microsoft-365-admin-center-deploy-new-app.png":::
- **Finish deployment**: Review and finish deploying the add-in. - **Deployment completed**: Select **Done** to complete the setup. > [!div class="mx-imgBorder"]
- > ![Deployment complete](../../media/microsoft-365-admin-center-deployment-complete.png)
+ > :::image type="content" source="../../media/microsoft-365-admin-center-deployment-complete.png" alt-text="The notification message of the deployment completed" lightbox="../../media/microsoft-365-admin-center-deployment-complete.png":::
## Edit settings for the Report Message add-in
After the add-in is installed and enabled, you'll see the following icons:
2. In the flyout that appears, select **Edit users** to edit user settings. > [!div class="mx-imgBorder"]
- > ![Report Message flyout](../../media/microsoft-365-admin-center-report-message-edit.png)
+ > :::image type="content" source="../../media/microsoft-365-admin-center-report-message-edit.png" alt-text="The Report Message flyout" lightbox="../../media/microsoft-365-admin-center-report-message-edit.png":::
3. To remove the add-in, select **Remove app** under **Actions** in the same flyout.
After the add-in is installed and enabled, you'll see the following icons:
1. In the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home?#/homepage), go to **Settings** \> **Integrated apps**. Click **Get apps**. > [!div class="mx-imgBorder"]
- > ![Microsoft 365 admin center Integrated apps](../../media/microsoft-365-admin-center-integrated-apps.png)
+ > :::image type="content" source="../../media/microsoft-365-admin-center-integrated-apps.png" alt-text="The Microsoft 365 admin center Integrated apps" lightbox="../../media/microsoft-365-admin-center-integrated-apps.png":::
2. In the **Microsoft 365 Apps** page that appears, click in the **Search** box, enter **Report Phishing**, and then click **Search** ![Search icon.](../../media/search-icon.png). In the list of results, find and select **Report Phishing**.
After the add-in is installed and enabled, you'll see the following icons:
2. In the flyout that appears, select **Edit users** to edit user settings. > [!div class="mx-imgBorder"]
- > ![Report Phishing flyout](../../media/microsoft-365-admin-center-report-phishing-edit.png)
+ > :::image type="content" source="../../media/microsoft-365-admin-center-report-phishing-edit.png" alt-text="The Report Phishing flyout" lightbox="../../media/microsoft-365-admin-center-report-phishing-edit.png":::
3. To remove the add-in, select **Remove app** under **Actions** in the same flyout.
security Exchange Online Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/exchange-online-protection-overview.md
The rest of this article explains how EOP works and the features that are availa
To understand how EOP works, it helps to see how it processes incoming email: 1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. The majority of spam is stopped at this point and rejected by EOP. For more information, see [Configure connection filtering](configure-the-connection-filter-policy.md).
security External Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/external-email-forwarding.md
The following information is required to create the mail flow rule in the Exchan
- (Optional) **Do the following** (action): You can configure an optional action. For example, you can use the action **Modify the message properties** \> **set a message header**, with the header name **X-Forwarded** and the value **True**. But, configuring an action is not required. - Set **Audit this rue with severity level** to the value **Low**, **Medium**, or **High**. This setting allows you to use the [Exchange transport rule report](view-email-security-reports.md#exchange-transport-rule-report) to get details of users that are forwarding.
-![Mail flow rule properties in the EAC for a rule to identify forwarded messages.](../../media/mail-flow-rule-for-forwarded-messages.png)
+ ## Blocked email forwarding messages
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
After you find a specific quarantined message, select the message to view detail
When you select quarantined message from the list, the following information is available in the details flyout that appears.
-![The details flyout of a quarantined message.](../../media/quarantine-user-message-details.png)
When you select an email message in the list, the following message details appear in the **Details** flyout pane:
To take action on the message, see the next section.
> [!NOTE] > To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout. >
-> ![The up and down arrows in the details flyout of a quarantined message.](../../media/quarantine-message-details-flyout-up-down-arrows.png)
+> :::image type="content" source="../../media/quarantine-message-details-flyout-up-down-arrows.png" alt-text="The up and down arrows in the details flyout of a quarantined message" lightbox="../../media/quarantine-message-details-flyout-up-down-arrows.png":::
### Take action on quarantined email
To take action on the message, see the next section.
After you select a quarantined message from the list, the following actions are available in the details flyout:
-![Available actions in the details flyout of a quarantined message.](../../media/quarantine-user-message-details-flyout-actions.png)
- ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release email**<sup>\*</sup>: Delivers the message to your Inbox.
If you don't release or remove the message, it will be deleted after the default
> [!NOTE] > On a mobile device, the description text isn't available on the action icons. >
-> ![Details of a quarantined message with available actions highlighted.](../../media/quarantine-user-message-details-flyout-mobile-actions.png)
+> :::image type="content" source="../../media/quarantine-user-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions highlighted" lightbox="../../media/quarantine-user-message-details-flyout-mobile-actions.png":::
+ > > The icons in order and their corresponding descriptions are summarized in the following table: >
If you don't release or remove the message, it will be deleted after the default
When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the **Bulk actions** drop down list appears where you can take the following actions:
-![Bulk actions drop down list for messages in quarantine.](../../media/quarantine-user-message-bulk-actions.png)
- ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release messages**: Delivers the messages to your Inbox. - ![Remove from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete messages**: After you click **Yes** in the warning that appears, the messages are immediately removed from quarantine without being sent to the original recipients.
security Identity Access Policies Guest Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies-guest-access.md
Providing a path for B2B accounts to authenticate with your Azure AD tenant does
This diagram shows which policies to add or update among the common identity and device access policies, for B2B guest and external user access. The following table lists the policies you either need to create and update. The common policies link to the associated configuration instructions in the [Common identity and device access policies](identity-access-policies.md) article.
The following table lists the policies you either need to create and update. The
To include or exclude guests and external users in Conditional Access policies, for **Assignments > Users and groups > Include** or **Exclude**, check **All guest and external users**.
-![screen capture of controls for excluding guests and external users.](../../media/microsoft-365-policies-configurations/identity-access-exclude-guests-ui.png)
## More information
Only one organization can manage a device. If you don't exclude guests and exter
## Next step
-![Step 4: Policies for Microsoft 365 cloud apps and Microsoft Defender for Cloud Apps.](../../media/microsoft-365-policies-configurations/identity-device-access-steps-next-step-4.png)
Configure Conditional Access policies for:
security Identity Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
This guidance discusses how to deploy the recommended policies in a newly-provis
The following diagram illustrates the recommended set of policies. It shows which tier of protections each policy applies to and whether the policies apply to PCs or phones and tablets, or both categories of devices. It also indicates where you configure these policies. <!--
A recommended practice is to create an Azure AD group for Conditional Access exc
Here's an example of group assignment and exclusions for requiring MFA.
-![Example group assignment and exclusions for MFA policies.](../../media/microsoft-365-policies-configurations/identity-access-policies-assignment.png)
Here are the results:
Be careful when applying higher levels of protection to groups and users. For ex
All Azure AD groups created as part of these recommendations must be created as Microsoft 365 groups. This is important for the deployment of sensitivity labels when securing documents in Microsoft Teams and SharePoint.
-![Example of creating a Microsoft 365 group.](../../media/microsoft-365-policies-configurations/identity-device-AAD-groups.png)
## Require MFA based on sign-in risk
To require compliance for all devices:
## Next step
-[![Step 3: Policies for guest and external users.](../../medi)
+[![Step 3: Policies for guest and external users.](../../medi)
[Learn about policy recommendations for guest and external users](identity-access-policies-guest-access.md)
security Identity Access Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md
Here are some additional recommendations:
## Next step
-[![Step 2: Configure the common Zero Trust identity and access Conditional Access policies.](../../medi)
+[![Step 2: Configure the common Zero Trust identity and access Conditional Access policies.](../../medi)
[Configure the common Zero Trust identity and device access policies](identity-access-policies.md)
security Impersonation Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/impersonation-insight.md
You can use the impersonation insight in the Microsoft 365 Defender portal to qu
2. On the **Anti-phishing** page, the impersonation insight looks like this:
- ![Impersonation insight and spoof intelligence on the Anti-phishing policy page.](../../media/m365-sc-impersonation-and-spoof-intelligence-insight.png)
+ :::image type="content" source="../../media/m365-sc-impersonation-and-spoof-intelligence-insight.png" alt-text="The impersonation insight and spoof intelligence on the Anti-phishing policy page" lightbox="../../media/m365-sc-impersonation-and-spoof-intelligence-insight.png":::
The insight has two modes:
security Install App Guard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/install-app-guard.md
To learn more about Office update channels, see [Overview of update channels for
2. Select **Microsoft Defender Application Guard** under Windows Features and select **OK**. Enabling the Application Guard feature will prompt a system reboot. You can choose to reboot now or after step 3.
- ![Windows Features dialog box showing AG.](../../media/ag03-deploy.png)
+ :::image type="content" source="../../media/ag03-deploy.png" alt-text="The Windows Features dialog box showing AG" lightbox="../../media/ag03-deploy.png":::
The feature can also be enabled by running the following PowerShell command as administrator:
To learn more about Office update channels, see [Overview of update channels for
3. Search for **Microsoft Defender Application Guard in Managed Mode**, a group policy in **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Defender Application Guard**. Turn on this policy by setting the value under Options as **2** or **3**, and then selecting **OK** or **Apply**.
- ![Turn on AG in Managed Mode.](../../media/ag04-deploy.png)
+ :::image type="content" source="../../media/ag04-deploy.png" alt-text="The option to turn on AG in Managed Mode" lightbox="../../media/ag04-deploy.png":::
Instead, you can set the corresponding CSP policy:
This step ensures that the data necessary to identify and fix problems is reachi
1. Open **Settings** from the Start menu.
- ![Start menu.](../../media/ag05-diagnostic.png)
+ :::image type="content" source="../../media/ag05-diagnostic.png" alt-text="The Start menu" lightbox="../../media/ag05-diagnostic.png":::
2. On **Windows Settings**, select **Privacy**.
- ![Windows Settings menu.](../../media/ag06-diagnostic.png)
+ :::image type="content" source="../../media/ag06-diagnostic.png" alt-text="The Windows Settings menu" lightbox="../../media/ag06-diagnostic.png":::
3. Under Privacy, select **Diagnostics & feedback** and select **Optional diagnostic data**.
- ![Diagnostics and feedback menu.](../../media/ag07a-diagnostic.png)
+ :::image type="content" source="../../media/ag07a-diagnostic.png" alt-text="The Diagnostics and feedback menu" lightbox="../../media/ag07a-diagnostic.png":::
For more on configuring Windows diagnostic settings, refer to [Configuring Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enterprise-management).
To confirm that Application Guard for Office is enabled, launch Word, Excel, or
When you first open an untrusted file, you may see an Office splash screen like the following example. It might be displayed for some time while Application Guard for Office is being activated and the file is being opened. Subsequent openings of untrusted files should be faster.
-![Office app splash screen.](../../media/ag08-confirm.png)
Upon being opened, the file should display a few visual indicators that the file was opened inside Application Guard for Office: * A callout in the ribbon
- ![Doc file showing small App Guard note.](../../media/ag09-confirm.png)
+ :::image type="content" source="../../media/ag09-confirm.png" alt-text="The Doc file showing small App Guard note" lightbox="../../media/ag09-confirm.png":::
* The application icon with a shield in the taskbar
You can also configure Microsoft Defender for Office 365 to work with Defender f
* Application Guard for Office is a protected mode that isolates untrusted documents so that they cannot access trusted corporate resources, an intranet, the user's identity, and arbitrary files on the computer. As a result, if a user tries to access a feature that has a dependency on such access, such as inserting a picture from a local file on disk, the access fails and produces a prompt that resembles the following example. To enable an untrusted document to access trusted resources, users must remove Application Guard protection from the document.
- ![Dialog box saying To help you keep safe, this feature is not available.](../../media/ag10-limitations.png)
+ :::image type="content" source="../../media/ag09-confirm.png" alt-text="The Dialog box stating safety message and the feature status" lightbox="../../media/ag09-confirm.png":::
> [!NOTE] > Advise users to only remove protection if they trust the file and its source or where it came from.
security Integrate Office 365 Ti With Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde.md
Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoi
The following image depicts what the **Devices** tab looks like when you have Microsoft Defender for Endpoint integration enabled:
-![When Microsoft Defender for Endpoint is enabled, you can see a list of devices with alerts.](../../media/fec928ea-8f0c-44d7-80b9-a2e0a8cd4e89.PNG)
In this example, you can see that the recipients of the detected email message have four devices and one has an alert. Clicking the link for a device opens its page in the [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender).
Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoi
3. In the **Microsoft Defender for Endpoint connection** flyout that appears, turn on **Connect to Microsoft Defender for Endpoint** (![Toggle on.](../../media/scc-toggle-on.png)) and then select **Close**.
- :::image type="content" source="../../mediE Connection.":::
+ :::image type="content" source="../../medieconnection-dialognew.png":::
4. In the navigation pane, choose **Settings**. On the **Settings** page, choose **Endpoints**
security Investigate Malicious Email That Was Delivered https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md
Threat Explorer is a powerful report that can serve multiple purposes, such as f
2. In the **View** menu, choose **Email** \> **All email** from the drop down list.
- ![Threat explorer View menu, and Email - Malware, Phish, Submissions and All Email options, also Content - Malware.](../../media/tp-InvestigateMalEmail-viewmenu.png)
+ :::image type="content" source="../../media/tp-InvestigateMalEmail-viewmenu.png" alt-text="The Malware drop-down list" lightbox="../../media/tp-InvestigateMalEmail-viewmenu.png":::
The *Malware* view is currently the default, and captures emails where a malware threat is detected. The *Phish* view operates in the same way, for Phish.
Threat Explorer is a powerful report that can serve multiple purposes, such as f
Advanced filtering is a great addition to search capabilities. A boolean NOT on the **Recipient**, **Sender** and **Sender domain** filters allows admins to investigate by excluding values. This option is the **Equals none of** selection. This option allows admins to exclude unwanted mailboxes from investigations (for example, alert mailboxes and default reply mailboxes), and is useful for cases where admins search for a specific subject (for example, Attention) where the Recipient can be set to *Equals none of: defaultMail@contoso.com*. This is an exact value search.
- ![The Recipients - 'Contains none of' Advanced filter.](../../media/tp-InvestigateMalEmail-AdvancedFilter.png)
+ :::image type="content" source="../../media/tp-InvestigateMalEmail-AdvancedFilter.png" alt-text="The Recipients pane" lightbox="../../media/tp-InvestigateMalEmail-AdvancedFilter.png":::
Adding a time filter to the start date and end date helps your security team to drill down quickly. The shortest allowed time duration is 30 minutes. If you can narrow the suspicious action by time-frame (e.g., it happened 3 hours ago), this will limit the context and help pinpoint the problem.
- ![The filtering by hours option to narrow the amount of data security teams have to process, and whose shortest duration is 30 minutes.](../../media/tp-InvestigateMalEmail-FilterbyHours.png)
+ :::image type="content" source="../../media/tp-InvestigateMalEmail-FilterbyHours.png" alt-text="The filtering by hours option" lightbox="../../media/tp-InvestigateMalEmail-FilterbyHours.png":::
6. **Fields in Threat Explorer**: Threat Explorer exposes a lot more security-related mail information such as *Delivery action*, *Delivery location*, *Special action*, *Directionality*, *Overrides*, and *URL threat*. It also allows your organization's security team to investigate with a higher certainty.
security Learn About Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
The rest of this article explains how to use the spoof intelligence insight in t
2. On the **Tenant Allow/Block Lists** page, the spoof intelligence insight looks like this:
- ![Spoof intelligence insight on the Anti-phishing policy page.](../../media/m365-sc-spoof-intelligence-insight.png)
+ :::image type="content" source="../../media/m365-sc-spoof-intelligence-insight.png" alt-text="The Spoof intelligence insight on the Anti-phishing policy page" lightbox="../../media/m365-sc-spoof-intelligence-insight.png":::
The insight has two modes:
security Mail Flow Insights V2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mail-flow-insights-v2.md
ms.prod: m365-security
Admins can use Mail flow dashboard in the Security & Compliance Center to discover trends, insights, and take actions to fix issues related to mail flow in their organization.
-![The Mail flow dashboard in the Security & Compliance Center.](../../media/mail-flow-dashboard-v2.png)
The available insights are:
security Manage Quarantined Messages And Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files.md
After you find a specific quarantined message, select the message to view detail
When you select quarantined message from the list, the following information is available in the details flyout that appears.
-![The details flyout of a quarantined message.](../../media/quarantine-message-details-flyout.png)
- **Message ID**: The globally unique identifier for the message. Available in the **Message-ID** header field in the message header. - **Sender address**
To take action on the message, see the next section.
> [!NOTE] > To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout. >
-> ![The up and down arrows in the details flyout of a quarantined message.](../../media/quarantine-message-details-flyout-up-down-arrows.png)
+> :::image type="content" source="../../media/quarantine-message-details-flyout-up-down-arrows.png" alt-text="The up and down arrows in the details flyout of a quarantined message" lightbox="../../media/quarantine-message-details-flyout-up-down-arrows.png":::
### Take action on quarantined email After you select a quarantined message from the list, the following actions are available in the details flyout:
-![Available actions in the details flyout of a quarantined message.](../../media/quarantine-message-details-flyout-actions.png)
- ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release email**<sup>\*</sup>: In the flyout pane that appears, configure the following options: - **Add sender to your organization's allow list**: Select this option to prevent messages from the sender from being quarantined.
If you don't release or remove the message, it will be deleted after the default
> [!NOTE] > On a mobile device, the description text isn't available on the action icons. >
-> ![Details of a quarantined message with available actions highlighted.](../../media/quarantine-message-details-flyout-mobile-actions.png)
+> :::image type="content" source="../../media/quarantine-message-details-flyout-mobile-actions.png" alt-text="The details of a quarantined message with available actions being highlighted" lightbox="../../media/quarantine-message-details-flyout-mobile-actions.png":::
> > The icons in order and their corresponding descriptions are summarized in the following table: >
If you don't release or remove the message, it will be deleted after the default
When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the **Bulk actions** drop down list appears where you can take the following actions:
-![Bulk actions drop down list for messages in quarantine.](../../media/quarantine-message-bulk-actions.png)
- ![Release email icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release messages**: Releases messages to all recipients. In the flyout that appears, you can choose the following options, which are the same as when you release a single message: - **Add sender to your organization's allow list**
After you find a specific quarantined file, select the file to view details abou
When you select a quarantined file from the list, the following information is available in the details flyout that opens:
-![The details flyout of a quarantined file.](../../media/quarantine-file-details-flyout.png)
- **File Name** - **File URL**: URL that defines the location of the file (for example, in SharePoint Online).
To take action on the file, see the next section.
> [!NOTE] > To remain in the details flyout, but change the quarantined file that you're looking at, use the up and down arrows at the top of the flyout. >
-> ![The up and down arrows in the details flyout of a quarantined file.](../../media/quarantine-file-details-flyout-up-down-arrows.png)
+> :::image type="content" source="../../media/quarantine-file-details-flyout-up-down-arrows.png" alt-text="The up and down arrows in the details flyout of quarantined files" lightbox="../../media/quarantine-file-details-flyout-up-down-arrows.png":::
### Take action on quarantined files After you select a quarantined file from the list, the following actions are available in the details flyout:
-![Available actions in the details flyout of a quarantined file.](../../media/quarantine-file-details-flyout-actions.png)
- ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release file**<sup>\*</sup>: In the flyout pane that appears, turn on or turn off **Report files to Microsoft for analysis**, and then click **Release**. - ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png)
If you don't release or remove the file, it will be deleted after the default qu
When you select multiple quarantined files in the list (up to 100) by clicking in the blank area to the left of the **Subject** column, the **Bulk actions** drop down list appears where you can take the following actions:
-![Bulk actions drop down list for files in quarantine.](../../media/quarantine-file-bulk-actions.png)
- ![Release file icon.](../../media/m365-cc-sc-check-mark-icon.png) **Release file**: In the flyout pane that appears, turn on or turn off **Report files to Microsoft for analysis**, and then click **Release**. - ![Delete from quarantine icon.](../../media/m365-cc-sc-delete-icon.png) **Delete from quarantine**: After you click **Yes** in the warning that appears, the file is immediately deleted.
security Manage Tenant Allows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-allows.md
Allow senders (or domains) on the **Submissions** page in Microsoft 365 Defender
7. When you're finished, click the **Submit** button.
-> [!div class="mx-imgBorder"]
> ![Submit malware to Microsoft for analysis example.](../../media/admin-submission-allow-messages.png)- ## Add URL allows using the Submissions portal Allow URLs on the **Submissions** page in Microsoft 365 Defender.
Allow URLs on the **Submissions** page in Microsoft 365 Defender.
> [!div class="mx-imgBorder"] > ![Submit URL for analysis.](../../media/submit-url-for-analysis.png)- ## Add File allows using the Submissions portal Allow Files on the **Submissions** page in Microsoft 365 Defender.
security Mcas Saas Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mcas-saas-access-policies.md
Permissions to SaaS apps are typically based on business need for access to the
To protect data across your collection of SaaS apps, the following diagram illustrates the necessary Azure AD conditional access policy plus suggested policies you can create in Defender for Cloud Apps. In this example, the policies created in Defender for Cloud Apps apply to all SaaS apps you are managing. These are designed to apply appropriate controls based on whether devices are managed as well as sensitivity labels that are already applied to files. The following table lists the new conditional access policy you must create in Azure AD.
Defender for Cloud Apps can be a valuable tool for configuring protection for co
The following illustration and table provide several examples of policies that can be configured to help comply with the General Data Protection Regulation (GDPR). In these examples, policies look for specific data. Based on the sensitivity of the data, each policy is configured to take appropriate action. |Protection level|Example policies| |||
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
The email entity page is available in the Microsoft 365 Defender portal at <http
In **Explorer**, select the subject of an email you're investigating. A gold bar will display at the top of the email fly-out for that mail. This invitation to the new page, reads 'Try out our new email entity page with enriched data...'. Select to view the new page. > [!NOTE] > The permissions needed to view and use this page are the same as to view **Explorer**. The admin must be a member of Global admin or global reader, or Security admin or Security Reader. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).
The structure is designed to be easy to read and navigate through at a glance. V
1. The most required fields are on the left side of the fly-out. These details are 'sticky', meaning they're anchored to the left no matter the tab you navigate to in the rest of the fly-out.
- :::image type="content" source="../../media/email-entities-3-left-panel.png" alt-text="Graphic of the email entity page with the left side highlighted. The title and facts about the mail delivery are over here.":::
+ :::image type="content" source="../../media/email-entities-3-left-panel.png" alt-text="The Graphic of the email entity page with the left side highlighted" lightbox="../../media/email-entities-3-left-panel.png":::
2. On the top-right corner are the actions that can be taken on an email. Any actions that can be taken through **Explorer** will also be available through email entity page.
- :::image type="content" source="../../media/email-entities-5-preview.png" alt-text="Graphic of the email entity page with the *right* side highlighted, this time. Actions like 'Email preview' and 'Go to quarantine' are here.":::
+ :::image type="content" source="../../media/email-entities-5-preview.png" alt-text="The Graphic of the email entity page with the right side highlighted" lightbox="../../media/email-entities-5-preview.png":::
3. Deeper analysis can be done by sorting through the rest of the page. Check the email detection details, email authentication status, and header. This area should be looked on a case-by-case basis, but the info in these tabs is available for any email.
- :::image type="content" source="../../media/email-entities-4-middle-panel.png" alt-text="The main panel of this page includes the email header and authentication status.":::
+ :::image type="content" source="../../media/email-entities-4-middle-panel.png" alt-text="The main panel of the page which includes the email header and authentication status" lightbox="../../media/email-entities-4-middle-panel.png":::
### Use email entity page tabs
Users will see enriched detonation details for known malicious attachments or UR
1. *Behavior Details* are an export that shows behavior details like exact events that took place during detonation, and observables that contain URLs, IPs, domains, and files that were found during detonation (and can either be problematic or benign). Be aware, there may be no behavior details for: - Container files like .zip or .rar that are holding other files. ### Other innovations
security Mdo For Spo Odb And Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-for-spo-odb-and-teams.md
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is not enabled by
When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and identifies a file as malicious, the file is locked using direct integration with the file stores. The following image shows an example of a malicious file detected in a library.
-![Files in OneDrive for Business with one detected as malicious.](../../media/2bba71cc-7ad1-4799-8b9d-d56f923db3a7.png)
Although the blocked file is still listed in the document library and in web, mobile, or desktop applications, people can't open, copy, move, or share the file. But they can delete the blocked file. Here's an example of what a blocked file looks like on a mobile device:
-![Deleting a blocked file from OneDrive for Business from the OneDrive mobile app.](../../media/cb1c1705-fd0a-45b8-9a26-c22503011d54.png)
By default, people can download a blocked file. Here's what downloading a blocked file looks like on a mobile device:
-![Downloading a blocked file in OneDrive for Business.](../../media/be288a82-bdd8-4371-93d8-1783db3b61bc.png)
SharePoint Online admins can prevent people from downloading malicious files. For instructions, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).
security Mfi Auto Forwarded Messages Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report.md
The **Auto-forwarded messages** insight in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) displays information about messages that are automatically forwarded from your organization to recipients in external domains.
-![Auto-forwarded messages widget in the Security & Compliance Center.](../../media/mfi-auto-forwarded-messages.png)
## Auto-forwarded messages details
When you click the number of messages in the widget, a flyout pane appears that
- **New users (last week)** - A link to the [Forwarding modifications report](mfi-new-users-forwarding-email.md#forwarding-modifications-report) for more details.
-![Details flyout for the Auto-forwarded messages report in the Security & Compliance Center.](../../media/mfi-auto-forwarded-messages-details.png)
## Insights
security Mfi Domain Mail Flow Status Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-domain-mail-flow-status-insight.md
The **Top domain mail flow status** insight in the [Mail flow dashboard](mail-fl
This insight helps you identify and troubleshoot domains that are experiencing ***mail flow*** issues. For example, the domain is unable to receive external email because the domain has expired or the domain has an incorrect MX record.
-![Top domain flow status widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-top-domain-mail-flow-status-widget.png)
When you click **View details** in the widget, a **Domain status** flyout appears that shows you more details for the status of each domain:
When you click **View details** in the widget, a **Domain status** flyout appear
You can click **View more** to see the same information for more domains.
-![Details flyout in the Top domain mail flow status insight.](../../media/mfi-top-domain-mail-flow-status-view-details.png)
## See also
security Mfi Mail Flow Map Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-mail-flow-map-report.md
ms.prod: m365-security
The **Mail flow map** in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) gives insight as to how mail flows through your organization. You can use this information to learn patterns, identify anomalies, and fix issues as they occur.
-![Mail flow map widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-mail-flow-map-widget.png)
By default, the widget shows the mail flow pattern from the previous day in a chart known as a *Sankey* diagram. You can use the left arrow ![Left arrow.](../../media/scc-left-arrow.png) and right arrow ![Right arrow](../../media/scc-right-arrow.png) to show information from different days. Each different color represents mail flow over a different inbound or outbound connector (or without using connectors). If you hover over a specific color, the number of messages is displayed for that type of connector.
The following charts are available in the report view:
- **Show data for: Overview**: This is basically a larger view of the widget. If you hover over a specific color, the number of messages is displayed for that type of connector.
- ![Overview view in the Mail flow map report.](../../media/mfi-mail-flow-map-report-overview.png)
+ :::image type="content" source="../../media/mfi-mail-flow-map-report-overview.png" alt-text="The Overview view in the Mail flow map report" lightbox="../../media/mfi-mail-flow-map-report-overview.png":::
- **Show data for: Detail**: This view shows details about the connectors and destination domains. The top sender and recipient domains are listed, and the rest are put in **Others**. If you hover over a specific color and section, the number of messages is displayed.
- ![Detail view in the Mail flow map report.](../../media/mfi-mail-flow-map-report-detail.png)
+ :::image type="content" source="../../media/mfi-mail-flow-map-report-detail.png" alt-text="The Detail view in the Mail flow map report" lightbox="../../media/mfi-mail-flow-map-report-detail.png":::
If you click **Filters** in a report view, you can specify a date range with **Start date** and **End date**.
If you click **Filters** in a details table view, you can specify a date range w
If you select a row, similar details are shown in a flyout:
-![Details flyout from the details table in the Mail flow map.](../../media/mfi-mail-flow-map-view-details-table-details.png)
To email the report for a specific date range to one or more recipients, click **Request download**.
security Mfi Mail Loop Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-mail-loop-insight.md
The **Fix possible mail loop** insight in the **Recommended for you** area of th
This insight appears only after the condition is detected (if you don't have any mail loops, you won't see the insight).
-![Fix slow mail flow rules insight in the Recommended for you area of the Mail flow dashboard.](../../media/mfi-fix-possible-mail-loop.png)
When you click **View details** on the widget, a flyout appears with more information:
When you click **View details** on the widget, a flyout appears with more inform
- **MX record**: The host (**Mail server**) and **Priority** values of the MX record for the domain. - **Loop reason** and **How to fix**: We'll identify the most common mail loop scenarios and provide recommended actions to fix the loop.
-![Details flyout that appears after clicking View details on the Fix possible mail loop insight.](../../media/mfi-fix-possible-mail-loop-details.png)
## See also
security Mfi New Domains Being Forwarded Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-new-domains-being-forwarded-email.md
The **New domains being forwarded email** insight in the [Security & Compliance
This insight appears only when the issue is detected, and it appears on the [Forwarding report](view-mail-flow-reports.md#forwarding-report) page.
-![New domains being forwarded email insight.](../../media/mfi-new-domains-being-forwarded.png)
+ When you click on the widget, a flyout appears where you can find more details about the forwarded messages, including a link back to the [Forwarding report](view-mail-flow-reports.md#forwarding-report).
-![Details flyout that appears after clicking on the New domains being forwarded email insight.](../../media/mfi-new-domains-being-forwarded-details.png)
You can also get to this details page when you select the insight after you click **View all** in the **Top insights & recommendations** area on (**Reports** \> **Dashboard** or <https://protection.office.com/insightdashboard>).
security Mfi New Users Forwarding Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-new-users-forwarding-email.md
The **New domains being forwarded email** insight in the [Security & Compliance
This insight appears only when the issue is detected, and it appears on the [Forwarding report](view-mail-flow-reports.md#forwarding-report) page.
-![New users forwarding email insight.](../../media/mfi-new-users-forwarding-email.png)
When you click on the widget, a flyout appears where you can find more details about the forwarded messages, including a link to the [Forwarding modifications report](#forwarding-modifications-report) as described later in this article.
-![Details flyout that appears after clicking on the New users forwarding email insight.](../../media/mfi-new-users-forwarding-email-details.png)
You can also get to this details page when you select the insight after you click **View all** in the **Top insights & recommendations** area on (**Reports** \> **Dashboard** or <https://protection.office.com/insightdashboard>).
The following charts are available in the report view:
- **Show data for: New forwarding users**:
- ![New forwarding users view in the Forwarding modifications report.](../../media/forwarding-modifications-report-new-forwarding-users.png)
+ :::image type="content" source="../../media/forwarding-modifications-report-new-forwarding-users.png" alt-text="The New forwarding users view in the Forwarding modifications report" lightbox="../../media/forwarding-modifications-report-new-forwarding-users.png":::
- **Show data for: New forwarding domains**:
- ![New forwarded domains view in the Forwarding modifications report.](../../media/forwarding-modifications-report-new-forwarded-domains.png)
+ :::image type="content" source="../../media/forwarding-modifications-report-new-forwarded-domains.png" alt-text="The New forwarded domains view in the Forwarding modifications report" lightbox="../../media/forwarding-modifications-report-new-forwarded-domains.png":::
If you click **Filters** in a report view, you can specify a date range with **Start date** and **End date**.
If you select a row from the table, a **Details** flyout appears with the follow
- **Start date** - **Recommendation**: From here, you can click the link to manage the user in the Microsoft 365 admin center.
-![Details flyout from the details table of the New forwarding users view in the Forwarding modifications report.](../../media/mfi-forwarding-modifications-report-new-forwarding-users-view-details-table-details.png)
+ :::image type="content" source="../../media/mfi-forwarding-modifications-report-new-forwarding-users-view-details-table-details.png" alt-text="The Details flyout from the details table of the New forwarding users view in the Forwarding modifications report" lightbox="../../media/mfi-forwarding-modifications-report-new-forwarding-users-view-details-table-details.png":::
To go back to the reports view, click **View report**.
security Mfi Non Accepted Domain Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-non-accepted-domain-report.md
The **Non-accepted domain** report in the [Mail flow dashboard](mail-flow-insigh
Microsoft 365 might throttle these messages if we have data to prove that the intent of these messages is malicious. Therefore, it's important for you to understand what's happening and to fix the issue.
-![Non-accepted domain widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-non-accepted-domain-report-widget.png)
## Report view for the Non-accepted domain report
By default, the activity for all affected connectors is shown. If you click **Sh
If you hover over a data point (day) in the chart, you'll see the total number of messages for the connector.
-![Report view in the Non-accepted domain report.](../../media/mfi-non-accepted-domain-report-overview-view.png)
## Details table view for the Non-accepted domain report
When you select a row in the table, a flyout appears with the following informat
- **Message count** - **Sample messages**: You can click **View sample messages** to see the [message trace](message-trace-scc.md) results for a sample of the affected messages.
-![Details flyout after selecting a row in Details table view in the Non-accepted domain report.](../../media/mfi-non-accepted-domain-report-details-flyout.png)
To go back to the reports view, click **View report**.
security Mfi Non Delivery Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-non-delivery-report.md
ms.prod: m365-security
The **Non-delivery report** in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) shows the most-encountered error codes in non-delivery reports (also known as NDRs or bounce messages) for users in your organization. This report shows the details of NDRs so you can troubleshoot email delivery problems.
-![Non-delivery report widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-non-delivery-report-widget.png)
## Report view for the Non-delivery report
By default, the activity for all error codes is shown. If you click **Show data
If you hover over a specific color (error code) on a specific day in the chart, you'll see the total number of messages for the error.
-![Report view in the Non-accepted domain report.](../../media/mfi-non-delivery-report-overview-view.png)
## Details table view for the Non-delivery report
When you select a row in the table, a flyout appears with the following informat
- **Count** - **Sample messages**: You can click **View sample messages** to see the [message trace](message-trace-scc.md) results for a sample of the affected messages.
-![Details flyout after selecting a row in Details table view in the Non-delivery report.](../../media/mfi-non-delivery-report-details-flyout.png)
+ ## Related topics
security Mfi Outbound And Inbound Mail Flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-outbound-and-inbound-mail-flow.md
The **Outbound and inbound mail flow** insight in the [Mail flow dashboard](mail
The widget displays the TLS encryption that's used for the connection when messages are delivered to and from your organization. The connections that are established with other email services are encrypted by TLS when TLS is offered by both sides. The widget offers a snapshot of the last week of mail flow.
-![Outbound and inbound mail flow widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-outbound-and-inbound-mail-flow-report-widget.png)
The information in the widget is related to connectors and TLS message protection in Microsoft 365. For more information, see these topics:
The information in the widget is related to connectors and TLS message protectio
When you click **View Details** on the widget, the **Message protected in transit (by TLS)** flyout shows you the TLS protection for messages entering and leaving your organization.
-![Messages protected in transit (by TLS) flyout that appears after you click View details on the Outbound and inbound email widget.](../../media/mfi-outbound-and-inbound-mail-flow-report-details.png)
Currently, TLS 1.2 is the most secure version of TLS that's offered by Microsoft 365. Often, you'll need to know the TLS encryption that's being used for compliance audits. You probably don't have a direct relationship with most of the source and destination email servers (you don't own them, and neither does Microsoft), so you don't have many options to improve the TLS encryption that's used by those servers.
security Mfi Queue Alerts And Queues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues.md
If the queued email volume exceeds the pre-defined threshold (the default value
- An alert is displayed in **Recent alerts** the Alerts dashboard in the [Security & Compliance Center](https://protection.office.com) (**Alerts** \> **Dashboard** or <https://protection.office.com/alertsdashboard>).
- ![Recent alerts in the Alerts dashboard in the Security & Compliance Center.](../../media/mfi-queued-messages-alert.png)
+ :::image type="content" source="../../media/mfi-queued-messages-alert.png" alt-text="The Recent alerts in the Alerts dashboard in the Security & Compliance Center" lightbox="../../media/mfi-queued-messages-alert.png":::
+ - Admins will receive an email notification based on the configuration of the default alert policy named **Messages have been delayed**. To configure the notification settings for this alert, see the next section.
If the queued email volume exceeds the pre-defined threshold (the default value
3. In the **Message have been delayed** flyout that opens, you can turn the alert on or off and configure the notification settings.
- ![Messages have been delayed alert policy details the Security & Compliance Center.](../../media/mfi-queued-messages-alert-policy.png)
+ :::image type="content" source="../../media/mfi-queued-messages-alert-policy.png" alt-text="The details of the Messages have been delayed alert" lightbox="../../media/mfi-queued-messages-alert-policy.png":::
- **Status**: You can toggle the alert on or off.
If the queued email volume exceeds the pre-defined threshold (the default value
- **Daily notification limit**: The default value is **No limit**. - **Threshold**: The default value is 200.
- ![Notification settings in the Messages have been delayed alert policy details the Security & Compliance Center.](../../media/mfi-queued-messages-alert-policy-notification-settings.png)
+ :::image type="content" source="../../media/mfi-queued-messages-alert-policy-notification-settings.png" alt-text="The Notification settings in the Messages have been delayed alert" lightbox="../../media/mfi-queued-messages-alert-policy-notification-settings.png":::
5. When you're finished, click **Save** and **Close**.
If the queued email volume exceeds the pre-defined threshold (the default value
Even if the queued message volume hasn't exceeded the threshold and generated an alert, you can still use the **Queues** insight in the [Mail flow dashboard](mail-flow-insights-v2.md) to see messages that have been queued for more than one hour, and take action before the number of queued messages becomes too large.
-![Queues widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-queues-widget.png)
If you click the number of messages on the widget, a **Messages queued** flyout appears with the following information:
If you click the number of messages on the widget, a **Messages queued** flyout
- **Last error** - **How to fix**: Common issues and solutions are available. If a **Fix it now** link is available, click it to fix the problem. Otherwise, click on any available links for more information about the error and possible solutions.
-![Details after clicking on the Queues insight in the Mail flow dashboard.](../../media/mfi-queues-details.png)
The same flyout is displayed after you click **View queue** in the details of a **Messages have been delayed** alert.
-![Messages have been delayed alert details in the Security & Compliance Center.](../../media/mfi-queued-messages-alert-details.png)
## See also
security Mfi Slow Mail Flow Rules Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-slow-mail-flow-rules-insight.md
This insight appears only after the condition is detected (if you don't have any
You can use this notification to help you to identify and fine-tune mail flow rules to help reduce mail flow delays.
-![Fix slow mail flow rules insight in the Recommended for you area of the Mail flow dashboard.](../../media/mfi-fix-slow-mail-flow-rules.png)
When you click **View details** on the widget, a flyout appears with more information:
When you click **View details** on the widget, a flyout appears with more inform
- **Average time spent on each message** - **Median time spent on a message**: The middle value that separates the upper half from the lower half of time data.
-![Details flyout that appears after clicking View details on the Fix slow mail flow rules insight.](../../media/mfi-fix-slow-mail-flow-rules-details.png)
For more information about conditions and exceptions in mail flow rules, see [Mail flow rule conditions and exceptions (predicates) in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions).
security Mfi Smtp Auth Clients Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-smtp-auth-clients-report.md
The **SMTP Auth clients** insight in the [Mail flow dashboard](mail-flow-insight
The widget indicates the number of users or service accounts that have used the SMTP Auth protocol in the last 7 days.
-![SMTP Auth clients widget in the Mail flow dashboard in the Security & Compliance Center.](../../media/mfi-smtp-auth-clients-report-widget.png)
If you click the number of messages on the widget, an **SMTP Auth clients** flyout appears. The flyout provides an aggregated view of the TLS usage and volumes for the last week.
-![Details flyout after clicking on the SMTP Auth clients widget in the Mail flow dashboard.](../../media/mfi-smtp-auth-clients-report-details.png)
You can click the **SMTP Auth clients report** link to go to the SMTP Auth clients report as described in the next section.
The overview section contains the following charts:
- **View data by: Sending volume**: By default, the chart shows the number of SMTP Auth client messages that were sent from all domains (**Show data for: All sender domains** is selected by default). You can filter the results to a specific sender domain by clicking **Show data for** and selecting the sender domain from the dropdown list. If you hover a specific data point (day), the number of messages is shown.
- ![Sending volume view in the SMTP Auth clients report in the Security & Compliance Center.](../../media/mfi-smtp-auth-clients-report-sending-volume-view.png)
+ :::image type="content" source="../../media/mfi-smtp-auth-clients-report-sending-volume-view.png" alt-text="The Sending volume view in the SMTP Auth clients report in the Security & Compliance Center" lightbox="../../media/mfi-smtp-auth-clients-report-sending-volume-view.png":::
- **View data by: TLS Usage**: The chart shows the percentage of TLS usage for all SMTP Auth client messages during the selected time period. This chart allows you to identify and take action on users and system accounts that are still using older versions of TLS.
- ![TLS usage view in the SMTP Auth clients report in the Security & Compliance Center.](../../media/mfi-smtp-auth-clients-report-tls-usage-view.png)
+ :::image type="content" source="../../media/mfi-smtp-auth-clients-report-tls-usage-view.png" alt-text="The TLS usage view in the SMTP Auth clients report in the Security & Compliance Center" lightbox="../../media/mfi-smtp-auth-clients-report-tls-usage-view.png":::
If you click **Filters** in a report view, you can specify a date range with **Start date** and **End date**.
If you click **Filters** in a details table view, you can specify a date range w
If you select a row, similar details are shown in a flyout:
-![Details flyout from the details table of the TLS usage view in the SMTP Auth clients report.](../../media/mfi-smtp-auth-clients-report-tls-usage-view-view-details-table-details.png)
Click **Request report** to receive a more detailed version of the report in an email message. You can specify the date range and the recipients to receive the report.
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
Each industry also has their own set of specialized regulations. Rather than pro
- **Enterprise**: Some customers have a subset of data that must be protected at higher levels, or they may require all data to be protected at a higher level. You can apply increased protection to all or specific data sets in your Microsoft 365 environment. We recommend protecting identities and devices that access sensitive data with comparable levels of security. - **Specialized security**: As needed, a few customers have a small amount of data that is highly classified, constitutes trade secrets, or is regulated. Microsoft provides capabilities to help these customers meet these requirements, including added protection for identities and devices.
-![Security cone - All customers > Some customers > A few customers](../../media/microsoft-365-policies-configurations/M365-idquality-threetiers.png)
This guidance shows you how to implement Zero Trust protection for identities and devices for each of these levels of protection. Use this guidance as a minimum for your organization and adjust the policies to meet your organization's specific requirements.
Additionally, see the [Deploy information protection for data privacy regulation
Implementing any security strategy requires trade-offs between security and productivity. It's helpful to evaluate how each decision affects the balance of security, functionality, and ease of use.
-![Security triad balancing security, functionality, and ease of use.](../../media/microsoft-365-policies-configurations/security-triad.png)
The recommendations provided are based on the following principles:
Azure AD provides a full suite of identity management capabilities. We recommend
Here are the components of Zero Trust identity and device access, including Intune and Azure AD objects, settings, and subservices. ### Microsoft Intune
Microsoft recommends that you do not create policy sets that apply to all apps b
## Steps to configure Zero Trust identity and device access
-![Steps to configure Zero Trust identity and device access.](../../media/microsoft-365-policies-configurations/identity-device-access-steps.png)
1. Configure prerequisite identity features and their settings. 2. Configure the common identity and access Conditional Access policies.
security Migrate To Defender For Office 365 Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md
ms.prod: m365-security
<br>
-|[![Phase 1: Prepare.](../../medi)|![Phase 3: Onboard.](../../media/phase-diagrams/onboard.png) <br> Phase 3: Onboard|
+|[![Phase 1: Prepare.](../../medi)|![Phase 3: Onboard.](../../media/phase-diagrams/onboard.png) <br> Phase 3: Onboard|
|||| |||*You are here!*|
Congratulations! You have completed your [migration to Microsoft Defender for Of
Now you begin the normal operation and maintenance of Defender for Office 365. Monitor and watch for issues that are similar to what you experienced during the pilot, but on a larger scale. The [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [impersonation insight](impersonation-insight.md) will be most helpful, but consider making the following activities a regular occurrence: -- Review user submissions, especially [user-reported phishing messages](https://docs.microsoft.com/microsoft-365/security/office-365-security/automated-investigation-response-office)
+- Review user submissions, especially [user-reported phishing messages](automated-investigation-response-office.md)
- Review overrides in the [Threat protection status report](view-email-security-reports.md#threat-protection-status-report). - Use [Advanced Hunting](/microsoft-365/security/defender/advanced-hunting-example) queries to look for tuning opportunities and risky messages.
security Migrate To Defender For Office 365 Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-prepare.md
ms.prod: m365-security
<br>
-|![Phase 1: Prepare.](../../medi)|
+|![Phase 1: Prepare.](../../medi)|
|||| |*You are here!*|||
security Migrate To Defender For Office 365 Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup.md
ms.prod: m365-security
<br>
-|[![Phase 1: Prepare.](../../medi)|
+|[![Phase 1: Prepare.](../../medi)|
|||| ||*You are here!*||
security Migrate To Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365.md
This guide provides specific and actionable steps for your migration, and assume
- You already have Microsoft 365 mailboxes, but you're currently using a third-party service or device for email protection. Mail from the internet flows through the protection service before delivery into your Microsoft 365 organization, and Microsoft 365 protection is as low as possible (it's never completely off; for example, malware protection is always enforced).
- ![Mail flows from the internet through the third-party protection service or device before delivery into Microsoft 365.](../../media/mdo-migration-before.png)
+ :::image type="content" source="../../medio-migration-before.png":::
- You're beyond the investigation and consideration phase for protection by Defender for Office 365. If you need to evaluate Defender for Office 365 to decide whether it's right for your organization, we recommend that you consider [Evaluation Mode](office-365-evaluation.md).
This guide provides specific and actionable steps for your migration, and assume
- You need to retire your existing third-party protection service, which means you'll ultimately need to point the MX records for your email domains to Microsoft 365. When you're done, mail from the internet will flow directly into Microsoft 365 and will be protected exclusively by Exchange Online Protection (EOP) and Defender for Office 365.
- ![Your existing protection service or devices is eliminated, so mail flows from the internet into Microsoft 365, with full protection from Microsoft Defender for Office 365.](../../media/mdo-migration-after.png)
+ :::image type="content" source="../../medio-migration-after.png":::
Eliminating your existing protection service in favor of Defender for Office 365 is a big step that you shouldn't take lightly, nor should you rush to make the change. The guidance in this migration guide will help you transition your protection in an orderly manner with minimal disruption to your users. The very high-level migration steps are illustrated in the following diagram. The actual steps are listed in the section named [The migration process](#the-migration-process) later in this article.
-![Migrate from a third-party protection solution or device to Defender for Office 365.](../../media/mdo-migration-overview.png)
## Why use the steps in this guide?
This migration guide gives you a plan for gradually "turning the dial" so you ca
The process of migrating from a third-party protection service to Defender for Office 365 can be divided into three phases as described in the following table:
-![The process for migrating to Defender for Office 365.](../../media/phase-diagrams/migration-phases.png)
|Phase|Description| |||
security Monitor For Leaks Of Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data.md
ms.prod: m365-security
There are many tools that can be used to monitor the use and transport of personal data. This topic describes three tools that work well.
-![Tools to monitor the use and transport of personal data.](../../media/Monitor-for-leaks-of-personal-data-image1.png)
In the illustration:
DLP reports are in the Microsoft 365 compliance center. Go to **Reports** \> **O
For more information, see [View the reports for data loss prevention](../../compliance/view-the-dlp-reports.md).
-![Report showing DLP policy matches.](../../media/Monitor-for-leaks-of-personal-data-image2.png)
## Audit log and alert policies
To better understand your cloud environment, the Defender for Cloud Apps investi
For examples, the following illustration demonstrates two Defender for Cloud Apps policies that can help with GDPR.
-![Example Defender for Cloud Apps policies.](../../media/Monitor-for-leaks-of-personal-data-image3.png)
The first policy alerts when files with a predefined PII attribute or custom expression that you choose is shared outside the organization from the SaaS apps that you choose.
If you haven't yet started to use Defender for Cloud Apps, begin by starting it
> [!NOTE] > Be sure to enable 'Automatically scan files for Azure Information Protection classification labels' (in General settings) when getting started with Defender for Cloud Apps or before you assign labels. After setup, Defender for Cloud Apps does not scan existing files again until they are modified.
-![Dashboard showing information about alerts.](../../media/Monitor-for-leaks-of-personal-data-image4.png)
More information:
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
Permissions are granted through certain roles, such as those that are described
If you're already using AIR capabilities in Microsoft Defender for Office 365, you're about to see some changes in the [improved Microsoft 365 Defender portal](../defender/microsoft-365-defender.md#the-microsoft-365-defender-portal). The new and improved Microsoft 365 Defender portal <https://security.microsoft.com> brings together AIR capabilities in [Microsoft Defender for Office 365](defender-for-office-365.md) and in [Microsoft Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.
security Office 365 Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md
Threat investigation and response capabilities in the Microsoft 365 Defender por
Use [Explorer (and real-time detections)](threat-explorer.md) to analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. Explorer (also referred to as Threat Explorer) is the starting place for any security analyst's investigation workflow.
-![Threat explorer.](../../media/7a7cecee-17f0-4134-bcb8-7cee3f3c3890.png)
To view and use this report in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer**. Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorer>.
To receive contextual device integration in Office 365 Threat Intelligence, you'
Use the Incidents list (this is also called Investigations) to see a list of in flight security incidents. Incidents are used to track threats such as suspicious email messages, and to conduct further investigation and remediation.
-![List of current Threat Incidents in Office 365.](../../media/acadd4c7-d2de-4146-aeb8-90cfad805a9c.png)
To view the list of current incidents for your organization in the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Incidents & alerts** \> **Incidents**. Or, to go directly to the **Incidents** page, use <https://security.microsoft.com/incidents>.
-![In the Security & Compliance Center, choose Threat management \> Review.](../../media/e0f46454-fa38-40f0-a120-b595614d1d22.png)
### Attack simulation training
Use automated investigation and response (AIR) capabilities to save time and eff
As part of the Microsoft Defender for Office 365 Plan 2 offering, security analysts can review details about a known threat. This is useful to determine whether there are additional preventative measures/steps that can be taken to keep users safe.
-![Security Trends showing information about recent threats.](../../media/11e7d40d-139b-4c56-8d52-c091c8654151.png)
## How do we get these capabilities?
security Old Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/old-index.md
But in terms of architecture, let's start by thinking of each piece as cumulativ
<!--:::image type="content" source="../../media/tp-EOPATPStack.PNG" alt-text="Placeholder graphic.":::--> Though each of these services emphasizes a goal from among Protect, Detect, Investigate, and Respond, ***all*** the services can carry out ***any*** of the goals of protecting, detecting, investigating, and responding.
security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/overview.md
You may be accustomed to seeing these three components discussed in this way:
But in terms of architecture, let's start by thinking of each piece as cumulative layers of security, each with a security emphasis. More like this: Though each of these services emphasizes a goal from among Protect, Detect, Investigate, and Respond, ***all*** the services can carry out ***any*** of the goals of protecting, detecting, investigating, and responding.
security Permissions In The Security And Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md
The Security & Compliance Center lets you grant permissions to people who perfor
Permissions in the Security & Compliance Center are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by Exchange, so if you're familiar with Exchange, granting permissions in the Security & Compliance Center will be very similar. It's important to remember, however, that Exchange role groups and Security & Compliance Center role groups don't share membership or permissions. While both have an Organization Management role group, they aren't the same. The permissions they grant, and the members of the role groups, are different. There's a list of Security & Compliance Center role groups below.
-![Permissions page in the Security & Compliance Center.](../../media/992c20ca-e82e-497c-9c8d-6fab212deb80.png)
## Relationship of members, roles, and role groups
A **role group** is a set of roles that lets people do their jobs across the Sec
The Security & Compliance Center includes default role groups for the most common tasks and functions that you'll need to assign people to. We recommend simply adding individual users as **members** to the default role groups.
-![Diagram showing relationship of role groups to roles and members.](../../media/2a16d200-968c-4755-98ec-f1862d58cb8b.png)
## Role groups in the Security & Compliance Center
To see how to grant access to the Security & Compliance Center, check out [Give
|||| |**Attack Simulation Administrators**|Don't use this role group in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Admin| |**Attack Simulator Payload Authors**|Don't use this role group in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Payload Author|
-|**Communication Compliance**|Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer.|Case Management <p><p> Communication Compliance Admin <p> Communication Compliance Analysis <p> Communication Compliance Case Management <p> Communication Compliance Investigation <p> Communication Compliance Viewer <p> Data Classification Feedback Provider <p> Data Connector Admin <p> View-Only Case|
-|**Communication Compliance Administrators**|Administrators of communication compliance that can create/edit policies and define global settings.|Communication Compliance Admin <p><p> Communication Compliance Case Management <p> Data Connector Admin|
-|**Communication Compliance Analysts**|Analysts of communication compliance that can investigate policy matches, view message meta data, and take remediation actions.|Communication Compliance Analysis <p><p> Communication Compliance Case Management|
-|**Communication Compliance Investigators**|Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions.|Case Management <p><p> Communication Compliance Analysis <p> Communication Compliance Case Management <p> Communication Compliance Investigation <p> Data Classification Feedback Provider <p> View-Only Case|
-|**Communication Compliance Viewers**|Viewer of communication compliance that can access the available reports and widgets.|Communication Compliance Case Management <p><p> Communication Compliance Viewer|
-|**Compliance Administrator**<sup>1</sup>|Members can manage settings for device management, data loss prevention, reports, and preservation.|Case Management <p><p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Classification Feedback Provider <p> Data Classification Feedback Reviewer <p> Data Connector Admin <p> Data Investigation Management <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> View-Only Audit Logs <p> View-Only Case <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
-|**Compliance Data Administrator**|Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.|Compliance Administrator <p><p> Compliance Search <p> Data Connector Admin <p> Device Management <p> Disposition Management <p> DLP Compliance Management <p> IB Compliance Management <p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader <p> Manage Alerts <p> Organization Configuration <p> RecordManagement <p> Retention Management <p> Sensitivity Label Administrator <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
-|**Compliance Manager Administrators**|Manage template creation and modification.|Compliance Manager Administration <p><p> Compliance Manager Assessment <p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|
-|**Compliance Manager Assessors**|Create assessments, implement improvement actions, and update test status for improvement actions.|Compliance Manager Assessment <p><p> Compliance Manager Contribution <p> Compliance Manager Reader <p> Data Connector Admin|
-|**Compliance Manager Contributors**|Create assessments and perform work to implement improvement actions.|Compliance Manager Contribution <p><p> Compliance Manager Reader <p> Data Connector Admin|
+|**Communication Compliance**|Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer.|Case Management <br/><br/> Communication Compliance Admin <br/><br/> Communication Compliance Analysis <br/><br/> Communication Compliance Case Management <br/><br/> Communication Compliance Investigation <br/><br/> Communication Compliance Viewer <br/><br/> Data Classification Feedback Provider <br/><br/> Data Connector Admin <br/><br/> View-Only Case|
+|**Communication Compliance Administrators**|Administrators of communication compliance that can create/edit policies and define global settings.|Communication Compliance Admin <br/><br/> Communication Compliance Case Management <br/><br/> Data Connector Admin|
+|**Communication Compliance Analysts**|Analysts of communication compliance that can investigate policy matches, view message meta data, and take remediation actions.|Communication Compliance Analysis <br/><br/> Communication Compliance Case Management|
+|**Communication Compliance Investigators**|Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions.|Case Management <br/><br/> Communication Compliance Analysis <br/><br/> Communication Compliance Case Management <br/><br/> Communication Compliance Investigation <br/><br/> Data Classification Feedback Provider <br/><br/> View-Only Case|
+|**Communication Compliance Viewers**|Viewer of communication compliance that can access the available reports and widgets.|Communication Compliance Case Management <br/><br/> Communication Compliance Viewer|
+|**Compliance Administrator**<sup>1</sup>|Members can manage settings for device management, data loss prevention, reports, and preservation.|Case Management <br/><br/> Communication Compliance Admin <br/><br/> Communication Compliance Case Management <br/><br/> Compliance Administrator <br/><br/> Compliance Search <br/><br/> Data Classification Feedback Provider <br/><br/> Data Classification Feedback Reviewer <br/><br/> Data Connector Admin <br/><br/> Data Investigation Management <br/><br/> Device Management <br/><br/> Disposition Management <br/><br/> DLP Compliance Management <br/><br/> Hold <br/><br/> IB Compliance Management <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator <br/><br/> Information Protection Reader <br/><br/> Insider Risk Management Admin <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> View-Only Audit Logs <br/><br/> View-Only Case <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|
+|**Compliance Data Administrator**|Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.|Compliance Administrator <br/><br/> Compliance Search <br/><br/> Data Connector Admin <br/><br/> Device Management <br/><br/> Disposition Management <br/><br/> DLP Compliance Management <br/><br/> IB Compliance Management <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator <br/><br/> Information Protection Reader <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> Sensitivity Label Administrator <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|
+|**Compliance Manager Administrators**|Manage template creation and modification.|Compliance Manager Administration <br/><br/> Compliance Manager Assessment <br/><br/> Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Data Connector Admin|
+|**Compliance Manager Assessors**|Create assessments, implement improvement actions, and update test status for improvement actions.|Compliance Manager Assessment <br/><br/> Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Data Connector Admin|
+|**Compliance Manager Contributors**|Create assessments and perform work to implement improvement actions.|Compliance Manager Contribution <br/><br/> Compliance Manager Reader <br/><br/> Data Connector Admin|
|**Compliance Manager Readers**|View all Compliance Manager content except for administrator functions.|Compliance Manager Reader| |**Content Explorer Content Viewer**|View the contents files in Content explorer.|Data Classification Content Viewer| |**Content Explorer List Viewer**|View all items in Content explorer in list format only.|Data Classification List Viewer|
-|**Data Investigator**|Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations.|Communication <p><p> Compliance Search <p> Custodian <p> Data Investigation Management <p> Export <p> Preview <p> Review <p> RMS Decrypt <p> Search And Purge|
-|**eDiscovery Manager**|Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery. <p> An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:<ul><li>View all eDiscovery cases in the organization.</li><li>Manage any eDiscovery case after they add themselves as a member of the case.</li></ul> <p> The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the **eDiscovery cases** page in the Security & Compliance Center. An eDiscovery manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see [Assign eDiscovery permissions in the Security & Compliance Center](../../compliance/assign-ediscovery-permissions.md).|Case Management <p><p> Communication <p> Compliance Search <p> Custodian <p> Export <p> Hold <p> Preview <p> Review <p> RMS Decrypt|
-|**Global Reader**|Members have read-only access to reports, alerts, and can see all the configuration and settings. <p> The primary difference between Global Reader and Security Reader is that a Global Reader can access **configuration and settings**.|Security Reader <p><p> Sensitivity Label Reader <p> Service Assurance View <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
-|**Information Protection**|Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.|Data Classification Content Viewer <p><p> Information Protection Admin <p> Information Protection Analyst <p> Information Protection Investigator <p> Information Protection Reader|
+|**Data Investigator**|Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations.|Communication <br/><br/> Compliance Search <br/><br/> Custodian <br/><br/> Data Investigation Management <br/><br/> Export <br/><br/> Preview <br/><br/> Review <br/><br/> RMS Decrypt <br/><br/> Search And Purge|
+|**eDiscovery Manager**|Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery. <br/><br/> An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:<ul><li>View all eDiscovery cases in the organization.</li><li>Manage any eDiscovery case after they add themselves as a member of the case.</li></ul> <br/><br/> The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the **eDiscovery cases** page in the Security & Compliance Center. An eDiscovery manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see [Assign eDiscovery permissions in the Security & Compliance Center](../../compliance/assign-ediscovery-permissions.md).|Case Management <br/><br/> Communication <br/><br/> Compliance Search <br/><br/> Custodian <br/><br/> Export <br/><br/> Hold <br/><br/> Preview <br/><br/> Review <br/><br/> RMS Decrypt|
+|**Global Reader**|Members have read-only access to reports, alerts, and can see all the configuration and settings. <br/><br/> The primary difference between Global Reader and Security Reader is that a Global Reader can access **configuration and settings**.|Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Service Assurance View <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|
+|**Information Protection**|Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.|Data Classification Content Viewer <br/><br/> Information Protection Admin <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator <br/><br/> Information Protection Reader|
|**Information Protection Admins**|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.|Information Protection Admin|
-|**Information Protection Analysts**|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification List Viewer <p><p> Information Protection Analyst|
-|**Information Protection Investigators**|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification Content Viewer <p><p> Information Protection Analyst <p> Information Protection Investigator|
+|**Information Protection Analysts**|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification List Viewer <br/><br/> Information Protection Analyst|
+|**Information Protection Investigators**|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification Content Viewer <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator|
|**Information Protection Readers**|View-only access to reports for DLP polcies and sensitivity labels and their policies.|Information Protection Reader|
-|**Insider Risk Management**|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|Case Management <p><p> Data Connector Admin <p> Insider Risk Management Admin <p> Insider Risk Management Analysis <p> Insider Risk Management Audit <p> Insider Risk Management Investigation <p> Insider Risk Management Sessions <p> View-Only Case|
-|**Insider Risk Management Admins**|Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.|Case Management <p><p> Data Connector Admin <p> Insider Risk Management Admin <p> View-Only Case|
-|**Insider Risk Management Analysts**|Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.|Case Management <p><p> Insider Risk Management Analysis <p> View-Only Case|
+|**Insider Risk Management**|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|Case Management <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> Insider Risk Management Analysis <br/><br/> Insider Risk Management Audit <br/><br/> Insider Risk Management Investigation <br/><br/> Insider Risk Management Sessions <br/><br/> View-Only Case|
+|**Insider Risk Management Admins**|Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.|Case Management <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> View-Only Case|
+|**Insider Risk Management Analysts**|Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.|Case Management <br/><br/> Insider Risk Management Analysis <br/><br/> View-Only Case|
|**Insider Risk Management Auditors**|Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log.|Insider Risk Management Audit|
-|**Insider Risk Management Investigators**|Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.|Case Management <p><p> Insider Risk Management Investigation <p> View-Only Case|
+|**Insider Risk Management Investigators**|Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.|Case Management <br/><br/> Insider Risk Management Investigation <br/><br/> View-Only Case|
|**Insider Risk Management Session Approvers**|Manage group modification requests for session recording.|Insider Risk Management Sessions|
-|**IRM Contributors**|This role group is visible, but is used by background services only.|Insider Risk Management Permanent contribution <p><p> Insider Risk Management Temporary contribution|
+|**IRM Contributors**|This role group is visible, but is used by background services only.|Insider Risk Management Permanent contribution <br/><br/> Insider Risk Management Temporary contribution|
|**Knowledge Administrators**|Configure knowledge, learning, assign trainings and other intelligent features.|Knowledge Admin| |**MailFlow Administrator**|Members can monitor and view mail flow insights and reports in the Security & Compliance Center. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks.|View-Only Recipients|
-|**Organization Management**<sup>1</sup>|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance Center PowerShell](/powershell/module/exchange/get-rolegroupmember).|Audit Logs <p><p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Data Connector Admin <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|
-|**Privacy Management**|Manage access control for Priva in the Microsoft 365 compliance center.|Case Management <p><p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Admin <p> Privacy Management Analysis <p> Privacy Management Investigation <p> Privacy Management Permanent contribution <p> Privacy Management Temporary contribution <p> Privacy Management Viewer <p> Subject Rights Request Admin <p> View-Only Case|
-|**Privacy Management Administrators**|Administrators of privacy management solution that can create/edit policies and define global settings.|Case Management <p><p> Privacy Management Admin <p> View-Only Case|
-|**Privacy Management Analysts**|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.|Case Management <p><p> Data Classification List Viewer <p> Privacy Management Analysis <p> View-Only Case|
-|**Privacy Management Contributors**|Manage contributor access for privacy management cases.|Privacy Management Permanent contribution <p><p> Privacy Management Temporary contribution|
-|**Privacy Management Investigators**|Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions.|Case Management <p><p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Investigation <p> View-Only Case|
-|**Privacy Management Viewers**|Viewer of privacy management solution that can access the available dashboards and widgets.|Data Classification List Viewer <p><p> Privacy Management Viewer|
+|**Organization Management**<sup>1</sup>|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <br/><br/> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <br/><br/> Global admins are automatically added as members of this role group, but you won't see them in the output of the [Get-RoleGroupMember](/powershell/module/exchange/get-rolegroupmember) cmdlet in [Security & Compliance Center PowerShell](/powershell/module/exchange/get-rolegroupmember).|Audit Logs <br/><br/> Case Management <br/><br/> Communication Compliance Admin <br/><br/> Communication Compliance Case Management <br/><br/> Compliance Administrator <br/><br/> Compliance Search <br/><br/> Data Connector Admin <br/><br/> Device Management <br/><br/> DLP Compliance Management <br/><br/> Hold <br/><br/> IB Compliance Management <br/><br/> Insider Risk Management Admin <br/><br/> Manage Alerts <br/><br/> Organization Configuration <br/><br/> Quarantine <br/><br/> RecordManagement <br/><br/> Retention Management <br/><br/> Role Management <br/><br/> Search And Purge <br/><br/> Security Administrator <br/><br/> Security Reader <br/><br/> Sensitivity Label Administrator <br/><br/> Sensitivity Label Reader <br/><br/> Service Assurance View <br/><br/> Tag Contributor <br/><br/> Tag Manager <br/><br/> Tag Reader <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Case <br/><br/> View-Only Manage Alerts <br/><br/> View-Only Recipients <br/><br/> View-Only Record Management <br/><br/> View-Only Retention Management|
+|**Privacy Management**|Manage access control for Priva in the Microsoft 365 compliance center.|Case Management <br/><br/> Data Classification Content Viewer <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Admin <br/><br/> Privacy Management Analysis <br/><br/> Privacy Management Investigation <br/><br/> Privacy Management Permanent contribution <br/><br/> Privacy Management Temporary contribution <br/><br/> Privacy Management Viewer <br/><br/> Subject Rights Request Admin <br/><br/> View-Only Case|
+|**Privacy Management Administrators**|Administrators of privacy management solution that can create/edit policies and define global settings.|Case Management <br/><br/> Privacy Management Admin <br/><br/> View-Only Case|
+|**Privacy Management Analysts**|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.|Case Management <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Analysis <br/><br/> View-Only Case|
+|**Privacy Management Contributors**|Manage contributor access for privacy management cases.|Privacy Management Permanent contribution <br/><br/> Privacy Management Temporary contribution|
+|**Privacy Management Investigators**|Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions.|Case Management <br/><br/> Data Classification Content Viewer <br/><br/> Data Classification List Viewer <br/><br/> Privacy Management Investigation <br/><br/> View-Only Case|
+|**Privacy Management Viewers**|Viewer of privacy management solution that can access the available dashboards and widgets.|Data Classification List Viewer <br/><br/> Privacy Management Viewer|
|**Quarantine Administrator**|Members can access all Quarantine actions. For more information, see [Manage quarantined messages and files as an admin in EOP](manage-quarantined-messages-and-files.md)|Quarantine|
-|**Records Management**|Members can configure all aspects of records management, including retention labels and disposition reviews.|Disposition Management <p><p> RecordManagement <p> Retention Management|
+|**Records Management**|Members can configure all aspects of records management, including retention labels and disposition reviews.|Disposition Management <br/><br/> RecordManagement <br/><br/> Retention Management|
|**Reviewer**|Members can access review sets in [Advanced eDiscovery](../../compliance/overview-ediscovery-20.md) cases. Members of this role group can see and open the list of cases on the **eDiscovery > Advanced** page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set.|Review|
-|**Security Administrator**|Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. <p> This role group includes all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same
-|**Security Operator**|Members can manage security alerts, and also view reports and settings of security features.|Compliance Search <p><p> Manage Alerts <p> Security Reader <p> Tag Contributor <p> Tag Reader <p> Tenant AllowBlockList Manager <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts|
-|**Security Reader**|Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <p> By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. <p> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services.|Security Reader <p><p> Sensitivity Label Reader <p> Tag Reader <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Manage Alerts|
+|**Security Administrator**|Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <br/><br/> By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. <br/><br/> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. <br/><br/> This role group includes all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same
+|**Security Operator**|Members can manage security alerts, and also view reports and settings of security features.|Compliance Search <br/><br/> Manage Alerts <br/><br/> Security Reader <br/><br/> Tag Contributor <br/><br/> Tag Reader <br/><br/> Tenant AllowBlockList Manager <br/><br/> View-Only Audit Logs <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts|
+|**Security Reader**|Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. <br/><br/> By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. <br/><br/> To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference). If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services.|Security Reader <br/><br/> Sensitivity Label Reader <br/><br/> Tag Reader <br/><br/> View-Only Device Management <br/><br/> View-Only DLP Compliance Management <br/><br/> View-Only IB Compliance Management <br/><br/> View-Only Manage Alerts|
|**Service Assurance User**|Members can access the Service assurance section in the Security & Compliance Center. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see [Service assurance in the Security & Compliance Center](../../compliance/service-assurance.md).|Service Assurance View|
-|**Subject Rights Request Administrators**|Create subject rights requests.|Case Management <p><p> Subject Rights Request Admin <p> View-Only Case|
+|**Subject Rights Request Administrators**|Create subject rights requests.|Case Management <br/><br/> Subject Rights Request Admin <br/><br/> View-Only Case|
|**Supervisory Review**|Members can create and manage the policies that define which communications are subject to review in an organization. For more information, see [Configure communication compliance policies for your organization](../../compliance/communication-compliance-configure.md).|Supervisory Review Administrator| > [!NOTE]
Note that the following roles aren't assigned to the Organization Management rol
|||| |**Attack Simulator Admin**|Don't use this role in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Administrators| |**Attack Simulator Payload Author**|Don't use this role in the Security & Compliance Center. Use the corresponding role in Azure AD.|Attack Simulator Payload Authors|
-|**Audit Logs**|Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file.|Organization Management <p><p> Security Administrator|
-|**Case Management**|Create, edit, delete, and control access to eDiscovery cases.|Communication Compliance <p><p> Communication Compliance Investigators <p> Compliance Administrator <p> eDiscovery Manager <p> Insider Risk Management <p> Insider Risk Management Admins <p> Insider Risk Management Analysts <p> Insider Risk Management Investigators <p> Organization Management <p> Privacy Management <p> Privacy Management Administrators <p> Privacy Management Analysts <p> Privacy Management Investigators <p> Subject Rights Request Administrators|
-|**Communication**|Manage all communications with the custodians identified in an Advanced eDiscovery case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that is used by each custodian in a case to track communications for the cases where they were identified as a custodian.|Data Investigator <p><p> eDiscovery Manager|
-|**Communication Compliance Admin**|Used to manage policies in the Communication Compliance feature.|Communication Compliance <p><p> Communication Compliance Administrators <p> Compliance Administrator <p> Organization Management|
-|**Communication Compliance Analysis**|Used to perform investigation, remediation of the message violations in the Communication Compliance feature. Can only view message meta data.|Communication Compliance <p><p> Communication Compliance Analysts <p> Communication Compliance Investigators|
-|**Communication Compliance Case Management**|Used to access Communication Compliance cases.|Communication Compliance <p><p> Communication Compliance Administrators <p> Communication Compliance Analysts <p> Communication Compliance Investigators <p> Communication Compliance Viewers <p> Compliance Administrator <p> Organization Management|
-|**Communication Compliance Investigation**|Used to perform investigation, remediation, and review message violations in the Communication Compliance feature. Can view message meta data and message.|Communication Compliance <p><p> Communication Compliance Investigators|
-|**Communication Compliance Viewer**|Used to access reports and widgets in the Communication Compliance feature.|Communication Compliance <p><p> Communication Compliance Viewers|
-|**Compliance Administrator**|View and edit settings and reports for compliance features.|Compliance Administrator <p><p> Compliance Data Administrator <p> Organization Management|
+|**Audit Logs**|Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file.|Organization Management <br/><br/> Security Administrator|
+|**Case Management**|Create, edit, delete, and control access to eDiscovery cases.|Communication Compliance <br/><br/> Communication Compliance Investigators <br/><br/> Compliance Administrator <br/><br/> eDiscovery Manager <br/><br/> Insider Risk Management <br/><br/> Insider Risk Management Admins <br/><br/> Insider Risk Management Analysts <br/><br/> Insider Risk Management Investigators <br/><br/> Organization Management <br/><br/> Privacy Management <br/><br/> Privacy Management Administrators <br/><br/> Privacy Management Analysts <br/><br/> Privacy Management Investigators <br/><br/> Subject Rights Request Administrators|
+|**Communication**|Manage all communications with the custodians identified in an Advanced eDiscovery case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that is used by each custodian in a case to track communications for the cases where they were identified as a custodian.|Data Investigator <br/><br/> eDiscovery Manager|
+|**Communication Compliance Admin**|Used to manage policies in the Communication Compliance feature.|Communication Compliance <br/><br/> Communication Compliance Administrators <br/><br/> Compliance Administrator <br/><br/> Organization Management|
+|**Communication Compliance Analysis**|Used to perform investigation, remediation of the message violations in the Communication Compliance feature. Can only view message meta data.|Communication Compliance