Updates from: 03/09/2022 02:25:39
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Search For And Delete Messages In Your Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization.md
You can use the Content search feature to search for and delete email messages f
- Messages that contain sensitive data
-> [!CAUTION]
-> Search and purge is a powerful feature that allows anyone that is assigned the necessary permissions to delete email messages from mailboxes in your organization.
+> [!TIP]
+> If your organization has a Defender for Office 365 Plan 2 subscription, we recommend using the procedure detailed in [Remediate malicious email delivered in Office 365](/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365), rather than following the procedure described in this article.
## Before you begin
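Review bot: dropping the CAUTION ("Search and purge is a powerful feature that allows anyone that is assigned the necessary permissions to delete email messages from mailboxes in your organization") removes the page's only warning that the search-and-purge permission grants organization-wide mail deletion; the new TIP points readers elsewhere but does not replace that warning. Keep the CAUTION and place the TIP beneath it, so readers without a Defender for Office 365 Plan 2 subscription who continue with this procedure still see the least-privilege reminder before they assign the role.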
contentunderstanding Prebuilt Models https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/prebuilt-models.md
To rename an extractor from the **Extractors** panel:
- If you're ready to apply the model to a library, in the document area, select **Next**. On the **Add to library** panel, choose the library to which you want to add the model, and then select **Add**.
+> [!TIP]
+> You can change the view in your document library to fit your needs or preferences. For more information, see [Change the view in a document library](apply-a-model.md#change-the-view-in-a-document-library).
+ ## See also [Apply a document understanding model](apply-a-model.md)
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Before you get started with Removable Storage Access Control, you must confirm y
You have to deploy this together with the right AccessMask and Option - see step 2 above.
- :::image type="content" source="https://user-images.githubusercontent.com/81826151/156080704-19d68843-8ec4-4742-bdef-f8ba3bd4a636.png" alt-text="Group Policy - Set locaiton for file evidence":::
+ :::image type="content" source="../../media/define-device-control-policy-rules.png" alt-text="Group Policy - Set locaiton for file evidence":::
## Deploying and managing policy via Intune OMA-URI
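Review bot: the alt text on the replaced `:::image` line still reads "Set locaiton for file evidence"; since the line is being rewritten anyway, correct it to "location" in this hunk. Moving the screenshot from user-images.githubusercontent.com into ../../media is the right change: an image hosted outside the repo can change or disappear independently of the doc it illustrates, and a repo-local file is reviewed and versioned with the text.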
Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> *
You have to deploy this together with the right AccessMask and the right Option - see step 2 above.
- :::image type="content" source="https://user-images.githubusercontent.com/81826151/156080498-68a807a9-6d7b-4265-92f7-ab8bf1c9a093.png" alt-text="Set locaiton for file evidence":::
+ :::image type="content" source="../../media/device-control-oma-uri-edit-row.png" alt-text="Set locaiton for file evidence":::
## Deploying and managing policy by using Intune user interface
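Review bot: the same "locaiton" typo is carried into the new `:::image` line for the Intune OMA-URI screenshot; fix the alt text to "Set location for file evidence" here rather than in a follow-up commit.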
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.technology: mde
**Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+## 101.60.93 (30.122012.16093.0)
+
+- This version contains a security update for [CVE-2022-23278](https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoofing-in-microsoft-defender-for-endpoint/)
+
+## 101.60.05 (30.122012.16005.0)
+
+- Added support for kernel version 2.6.32-754.43.1.el6.x86_64 for RHEL 6.10
+- Bug fixes
+ ## 101.58.80 (30.122012.15880.0) - The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through `mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`.
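Review bot: the 101.60.93 entry says only that it "contains a security update for CVE-2022-23278" and gives the reader no action to take; compare the macOS 101.59.50 entry, which uses an explicit "ACTION NEEDED". Add a sentence such as "Update to 101.60.93 or later to receive this fix" and state that the linked MSRC guidance is the authoritative source for the affected version range, so an admin triaging the spoofing advisory can decide from this page whether their Linux fleet is exposed.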
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+## 101.60.91 (20.122021.16091.0)
+
+- This version contains a security update for [CVE-2022-23278](https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoofing-in-microsoft-defender-for-endpoint/)
+ ## 101.59.50 (20.122021.15950.0) - This version adds support for macOS 12.3. Starting with macOS 12.3, [Apple is removing Python 2.7](https://developer.apple.com/documentation/macos-release-notes/macos-12_3-release-notes). There will be no Python version preinstalled on macOS by default. **ACTION NEEDED**:
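Review bot: the 101.60.91 entry for CVE-2022-23278 should follow the "ACTION NEEDED" convention used by the 101.59.50 entry immediately below it; a one-line "update to 101.60.91 or later", with a pointer to the MSRC post for the affected version range, lets an admin triage the advisory without leaving the page. As written, a reader cannot tell whether earlier macOS builds are vulnerable or merely unaffected.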
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 02/09/2022 Last updated : 03/07/2022 - M365-security-compliance - m365initiative-defender-endpoint
Security intelligence update version: 1.357.8.0 <br/>
- Added the `-ServiceHealthReportInterval` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy configures the time interval (in minutes) to perform a scheduled scan. - Added the `AllowSwitchToAsyncInspection` setting to [Set-MpPreference](/powershell/module/defender/set-mppreference). This policy enables a performance optimization, that allows synchronously inspected network flows, to switch to async inspection once they have been checked and validated. - Performance Analyzer v2 updates: Remote PowerShell and PowerShell 7.x support added. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
+- Fixed potential duplicate packet bug in Microsoft Defender Antivirus network inspection system driver.
### Known Issues
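Review bot: the new bullet "Fixed potential duplicate packet bug in Microsoft Defender Antivirus network inspection system driver" does not say what the user-visible effect was (dropped or double-inspected flows, performance, false detections), so an admin cannot judge whether it is relevant to a reported issue; one clause on the symptom would make the entry useful. Separately, in the unchanged context above, `-ServiceHealthReportInterval` is described as configuring "the time interval (in minutes) to perform a scheduled scan", which does not match the parameter name; verify that description against the Set-MpPreference reference before this page ships.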
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). <details>
+<summary>20220305.1</summary>
+
+&ensp;Package version: **20220305.1**<br/>
+&ensp;Platform version: **4.18.2201.10**<br/>
+&ensp;Engine version: **1.1.18900.3**<br/>
+&ensp;Signature version: **1.359.1405.0**<br/>
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+<br/>
+</details><details>
<summary>20220203.1</summary> &ensp;Package version: **20220203.1**<br/>
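Review bot: the 20220305.1 entry lists "Fixes: None" and "Additional information: None" while bumping the platform to 4.18.2201.10, the engine to 1.1.18900.3 and the signature to 1.359.1405.0; state that the package was republished to carry those newer component versions, otherwise "None" reads as if nothing changed and admins will skip it. Also check whether the "Security intelligence update version: 1.357.8.0" line higher in the article is meant to track this package's signature version (1.359.1405.0) and update it in the same commit if so.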
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
ms.technology: mde Previously updated : 02/11/2022 Last updated : 03/07/2022 - M365-security-compliance - m365initiative-defender-endpoint
Microsoft Defender Antivirus is automatically installed on endpoints running the
- Windows Server, version 1803, or newer - Windows Server 2016
-What happens when another non-Microsoft antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as your operating system and whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint) together with your antivirus protection.
+What happens when another non-Microsoft antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as your operating system and whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) together with your antivirus protection.
-This article describes what happens with Microsoft Defender Antivirus and a non-Microsoft antivirus/antimalware solution, with or without Defender for Endpoint.
+This article describes what happens with Microsoft Defender Antivirus and a non-Microsoft antivirus/antimalware solution, with and without Defender for Endpoint.
> [!IMPORTANT] > Microsoft Defender Antivirus is only available on devices running Windows 10 and 11, Windows Server 2022, Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, and Windows Server 2012 R2.
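Review bot: the rewritten sentence drops the parenthetical "(Defender for Endpoint)" that introduced the short name, but the next paragraph ("with and without Defender for Endpoint") and the rest of the article keep using it unintroduced; retain the abbreviation on first use. The change from "with or without" to "with and without" is correct, since the article covers both cases.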
This article describes what happens with Microsoft Defender Antivirus and a non-
## Antivirus protection without Defender for Endpoint
-This section describes what happens with Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware products on endpoints that are not onboarded to Defender for Endpoint. The following table summarizes what to expect:
+This section describes what happens when you use Microsoft Defender Antivirus alongside non-Microsoft antivirus/antimalware products on endpoints that are not onboarded to Defender for Endpoint.
-<br/><br/>
+> [!NOTE]
+> In general, Microsoft Defender Antivirus does not run in passive mode on devices that are not onboarded to Defender for Endpoint.
+
+The following table summarizes what to expect:
|Windows version|Primary antivirus/antimalware solution|Microsoft Defender Antivirus state| |:|:|:|
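Review bot: the new NOTE hedges with "In general, Microsoft Defender Antivirus does not run in passive mode on devices that are not onboarded to Defender for Endpoint"; if there are exceptions they belong as rows in the table that follows, and if there are none the hedge should be removed, because admins read this line to decide whether a non-onboarded server still has protection. Consider also spelling out the consequence in the same NOTE (which state Microsoft Defender Antivirus ends up in when a non-Microsoft product is primary on a non-onboarded device), since that is what the reader is trying to find out.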
This section describes what happens with Microsoft Defender Antivirus and non-Mi
## Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions
-The following table summarizes what happens with Microsoft Defender Antivirus when non-Microsoft antivirus/antimalware solutions are used together or without Microsoft Defender for Endpoint. <br/><br/>
+> [!NOTE]
+> In general, Microsoft Defender Antivirus can be set to passive mode only on endpoints that are onboarded to Defender for Endpoint.
+
+Whether Microsoft Defender Antivirus runs in active mode, passive mode, or is disabled depends on several factors, such as:
+
+- Which version of Windows is installed on an endpoint
+- Whether Microsoft Defender Antivirus is the primary antivirus/antimalware solution on the endpoint
+- Whether the endpoint is onboarded to Defender for Endpoint
+
+The following table summarizes the state of Microsoft Defender Antivirus in several scenarios.
| Windows version | Antivirus/antimalware solution | Onboarded to <br/> Defender for Endpoint? | Microsoft Defender Antivirus state | |:|:|:-|:-|
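Review bot: the second NOTE ("In general, Microsoft Defender Antivirus can be set to passive mode only on endpoints that are onboarded to Defender for Endpoint") restates the NOTE added in the previous section almost verbatim; state it once, preferably here where the table has an "Onboarded to Defender for Endpoint?" column, and cross-reference it from the other section. The three-item list of factors is a good addition; "Whether the endpoint is onboarded to Defender for Endpoint" should link the onboarding guide so the reader can act on it.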
The table in this section summarizes the features and capabilities that are acti
> [!IMPORTANT] > The following table is designed to be informational only. **Do not turn off capabilities**, such as real-time protection, cloud-delivered protection, or limited periodic scanning if you are using Microsoft Defender Antivirus in passive mode, or if you are using [EDR in block mode](edr-in-block-mode.md), which works behind the scenes to detect and remediate malicious artifacts that were detected post-breach.
-<br/><br/>
- | Protection | Microsoft Defender Antivirus <br/>(*Active mode*) | Microsoft Defender Antivirus <br/>(*Passive mode*) | Microsoft Defender Antivirus <br/>(*Disabled or uninstalled*) | [EDR in block mode](edr-in-block-mode.md) | |:|:|:|:|:| | [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) | Yes | See note <sup>[[4](#fn4)]</sup> | No | No |
The table in this section summarizes the features and capabilities that are acti
You can use one of several methods to confirm the state of Microsoft Defender Antivirus, as described in the following table:
-<br/><br/>
- | Method | Procedure | |:|:| | Windows Security app | 1. On a Windows device, open the Windows Security app.<br/>2. Select **Virus & threat protection**.<br/>3. Under **Who's protecting me?** select **Manage providers**.<br/>4. On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**. |
You can use one of several methods to confirm the state of Microsoft Defender An
The table in this section describes various states you might see with Microsoft Defender Antivirus.
-<br/><br/>
- | State | What happens | |:|:| | Active mode | In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself). |
The table in this section describes various states you might see with Microsoft
## See also -- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus on Windows clients](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md)
- [EDR in block mode](edr-in-block-mode.md) - [Learn about Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about)
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
If you experience any installation failures, refer to [Troubleshooting installat
- 2.6.32-754.35.1.el6.x86_64 - 2.6.32-754.39.1.el6.x86_64 - 2.6.32-754.41.2.el6.x86_64
+ - 2.6.32-754.43.1.el6.x86_64
- 2.6.32-754.6.3.el6.x86_64 - 2.6.32-754.9.1.el6.x86_64
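Review bot: the new kernel entry 2.6.32-754.43.1.el6.x86_64 matches the 101.60.05 release note, but nothing in the list says which agent version added it; an admin running an older agent will read this kernel as supported and hit an installation failure. Annotate the entry (or the list) with the minimum agent version, e.g. "requires 101.60.05 or later", or link the release note from the list.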
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
This action takes effect on devices with Windows 10, version 1703 or later, and
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
-#### Notification on device user
+#### Notification on device userf
When the file is being removed from a device, the following notification is shown:
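Review bot: this hunk introduces a typo in a heading: "Notification on device user" becomes "Notification on device userf". Revert it, or take the opportunity to reword to "Notification to the device user", which reads better.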
If you come across a problem when trying to submit a file, try each of the follo
5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
-6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
+6. If these steps do not resolve the issue, contact support.
## Related topics
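Review bot: replacing the winatp@microsoft.com mailbox with "contact support" is the right change, since a team alias in public docs attracts misdirected and sometimes sensitive submissions, but "support" should link to the product's actual support channel (the Help/support entry in the portal or the support article for Defender for Endpoint) so the step stays actionable instead of leaving the reader to search.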
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
ms.technology: m365d
1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the macOS or Linux machine you need to investigate. > [!NOTE]
- > The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: 'AA6E73A5F451C3B78B066C9D55EE6499CE3C2F1A6E05CCE691A6055F36F93A3B'.
+ > The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: 'B95E2E21D5A93E0AC88BA401ACB20E5F721727B409D4186147C8D17468185583'.
2. Extract the contents of XMDEClientAnalyzer.zip on the machine.
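Review bot: the SHA256 line is updated from AA6E73A5... to B95E2E21... without any indication of which build or date of XMDEClientAnalyzer.zip it belongs to, so a reader who downloads a later build cannot distinguish a tampered file from a stale doc. Add the release date or version next to the hash, and add the command so the check is actually performed: `sha256sum XMDEClientAnalyzer.zip` on Linux, `shasum -a 256 XMDEClientAnalyzer.zip` on macOS, and tell the reader to stop and not extract the archive if the value differs.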
security Troubleshoot Collect Support Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md
When contacting support, you may be asked to provide the output package of the M
This topic provides instructions on how to run the tool via Live Response.
-1. Download the appropriate script
- - Microsoft Defender for Endpoint client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDELiveAnalyzer).
- - Result package approximate size: ~100Kb
- - Microsoft Defender for Endpoint client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDELiveAnalyzerAV).
- - Result package approximate size: ~10Mb
+1. Download and fetch the required scripts available from within the 'Tools' sub-directory of the [Microsoft Defender for Endpoint Client Analyzer](https://aka.ms/BetaMDEAnalyzer). <br>
+For example, to get the basic sensor and device health logs, fetch "..\Tools\MDELiveAnalyzer.ps1".<br>
+If you also require Defender Antivirus support logs (MpSupportFiles.cab), then fetch "..\Tools\MDELiveAnalyzerAV.ps1"
2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate.
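Review bot: the new step 1 replaces two direct script links with "Download and fetch the required scripts available from within the 'Tools' sub-directory" of a link labelled BetaMDEAnalyzer; say explicitly that the analyzer package is downloaded and extracted first and the scripts then taken from its Tools folder, drop the redundant "Download and fetch", and either remove the "beta" alias or state that the beta package is required. The paths "..\Tools\MDELiveAnalyzer.ps1" and "..\Tools\MDELiveAnalyzerAV.ps1" have no stated base directory; give them relative to the extracted package root. The removed approximate result sizes (~100Kb for sensor logs, ~10Mb with the Antivirus MpSupportFiles.cab) were useful for planning Live Response transfers and should be kept.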
security Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/notifications.md
In Microsoft 365 Defender, you can add recipients for email notifications of det
Defender for Identity can notify you when it detects suspicious activities by sending security and health alerts to your Syslog server through a nominated sensor.
+> [!NOTE]
+> To learn how to integrate Defender for Identity with Microsoft Sentinel, see [Microsoft 365 Defender integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration).
+ 1. In <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>, go to **Settings** and then **Identities**. ![Go to Settings, then Identities.](../../media/defender-identity/settings-identities.png)