Updates from: 04/01/2021 03:14:45
Category Microsoft Docs article Related commit history on GitHub Change details
admin Test And Deploy Microsoft 365 Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps.md
Title: "Test and deploy Microsoft 365 Apps"
+ Title: "Test and deploy Microsoft 365 Apps by partners in the Integrated apps portal"
f1.keywords: - NOCSH--++ audience: Admin
description: "Find, test, and deploy Microsoft and Microsoft partner apps for users and groups in your organization from the Integrated apps portal in the Microsoft 365 admin center."
-# Test and deploy Microsoft 365 Apps in the Microsoft 365 admin center
+# Test and deploy Microsoft 365 Apps by partners in the Integrated apps portal
-The Microsoft 365 admin center gives you the flexibility to deploy Microsoft and Microsoft partner apps from a single location. The ability to find, test, and fully deploy purchased and licensed apps by Microsoft and Microsoft partners from the Integrated apps portal provides the convenience and benefits your organization requires to keep business services updated regularly and running efficiently.
+The Microsoft 365 admin center gives you the flexibility to deploy single store apps, custom business line of apps and Microsoft 365 partner apps from a single location. The location can be accessed at Microsoft Admin center > Settings > Integrated apps. The ability to find, test, and fully deploy purchased and licensed apps by Microsoft partners from the Integrated apps portal provides the convenience and benefits your organization requires to keep business services updated regularly and running efficiently.
-For additional information about purchasing and licensing Microsoft 365 apps for your organization, see the blog post called [Manage and deploy Microsoft 365 Apps from the Microsoft 365 admin center](https://techcommunity.microsoft.com/t5/microsoft-365-blog/manage-and-deploy-microsoft-365-apps-from-the-microsoft-365/ba-p/1194324).
-
-## Manage apps in the Integrated apps portal
+For additional information about purchasing and licensing Microsoft 365 apps from partners for your organization, see [Manage and deploy Microsoft 365 Apps from the Microsoft 365 admin center](https://techcommunity.microsoft.com/t5/microsoft-365-blog/manage-and-deploy-microsoft-365-apps-from-the-microsoft-365/ba-p/1194324).
+
+For more info on how partners create these apps, see [How to plan a SaaS offer for the commercial marketplace](https://go.microsoft.com/fwlink/?linkid=2158277)
-By choosing Integrated apps in the Microsoft 365 admin center, you can manage testing and deployment of purchased and licensed Microsoft and Microsoft partner apps.
+The Integrated apps portal is only accessible to global admins and available to WorldWide customers only. This feature is not available in sovereign and government clouds.
-1. In the admin center, in the left nav, choose **Settings**, and then choose **Integrated apps**.
+The Integrated apps portal displays a list of apps, which includes single apps and Microsoft 365 apps from partners which are deployed your organization. Only web apps, SPFx apps, Office add-ins and Teams apps are listed. For web apps, we you can see 2 kinds of apps.
-2. Choose an app with **Status** of **More apps available**.
+- SaaS apps that are available in appsource.microsoft.com, and can be deployed by admins giving consent on behalf of organization.
+- SAML gallery apps that are linked with office add-ins.
-3. Select **Deploy** at the top of the page next to the message that refers to waiting to be deployed.
+## Manage apps in the Integrated apps portal
- Some apps require you to add users before you can select **Deploy**.
+You can manage testing and deployment of purchased and licensed Microsoft 365 Apps from partners.
- a. Select **Add users**, choose **Full deployment**, and then choose **Entire organization** or **Specific users/groups**.
+1. In the admin center, in the left nav, choose **Settings**, and then choose **Integrated apps**.
- Specific users/groups can be a Microsoft 365 group, a security group, or a distributed group.
+2. Choose an app with **Status** of **More apps available** to open the **Manage** pane. The status of **more apps available** lets you know that there are more integrations from the ISVs that aren't yet deployed.
- You can also choose **Test deployment** if you prefer to wait to deploy the app to the entire organization.
+3. On the **Overview** tab select **Deploy**. Some apps require you to add users before you can select Deploy.
- b. Select **Update**, **Done**, and now you can select **Deploy** on the **Overview** tab.
+4. Select **Users**, choose **Is this a test deployment**, and then choose **Entire organization**, **Specific users/groups** or **Just me**. You can also choose **Test deployment** if you prefer to wait to deploy the app to the entire organization. Specific users or groups can be a Microsoft 365 group, a security group, or a distribution group.
-4. Review the app information, and then select **Deploy**.
+5. Select **Update** and then **Done**. You can now select Deploy on the Overview tab.
-5. Select **Done** on the **Deployment completed** page.
+6. Review the app information, and then select **Deploy**.
- Review the details of the test or full deployment on the **Overview** tab.
+7. Select **Done** on the Deployment completed page and review the details of the test or full deployment on the **Overview** tab.
-## Find published apps for testing and full deployment
+8. If the app has a status of **Update pending**, you can click on the app to open the Manage pane and update the app.
-You can find, test, and fully deploy published apps that do not already appear in the list on the Integrated apps page. By purchasing and licensing the apps from the admin center, you can add Microsoft and Microsoft partner apps to your list from a single location.
+## Find published apps for testing and full deployment
-1. In the admin center, in the left nav, choose **Settings**, and then choose **Integrated apps**.
+You can find, test, and fully deploy published apps that don't already appear in the list on the Integrated apps page. By purchasing and licensing the apps from the admin center, you can add Microsoft and Microsoft partner apps to your list from a single location.
-2. Select **Get apps** above the list of apps.
+1. In the admin center, in the left nav, choose **Settings**, and then choose **Integrated apps**.
-3. On the **Microsoft 365 Apps** published apps page, select the app you want to deploy by choosing **Get it now**.
+2. Select **Get apps** to get a view of the apps.
-4. Accept the permissions, and then select **Continue**.
+3. On the **Microsoft 365 Apps** published apps page, select the app you want to deploy by choosing **Get it now**. The apps displayed primarily are Word, PowerPoint, Excel, Outlook add-ins, Teams app and SharePoint apps (built on SharePoint Framework technology). Accept the permissions and select **Continue**.
5. Select **Deploy** at the top of the page next to the message that refers to waiting to be deployed.
- Some apps require you to add users before you can select **Deploy**.
+ If the app selected is linked to a SaaS offer by an ISV, all the other apps that are part of this linked offer will appear on the Configuration page. If you choose to deploy of all of the apps, select **Next**. Otherwise, select **Edit**, and choose which apps you want deployed. Some apps require you to add users before you can select **Deploy**.
- a. Select **Add users**, choose **Full deployment**, and then choose **Entire organization** or **Specific users/groups**.
+6. Select **Add users**, choose **Is this a test deployment**, and then choose **Entire organization** or **Specific users/groups** or **Just me**.
- Specific users/groups can be a Microsoft 365 group, a security group, or a distributed group.
+ Specific users/groups can be a Microsoft 365 group, a security group, or a distributed group. You can also choose **Test deployment** if you prefer to wait to deploy the app to the entire organization.
- You can also choose **Test deployment** if you prefer to wait to deploy the app to the entire organization.
+7. Select **Next** to get to the **Accept permission request** page. The app capabilities and permissions of each of the apps are listed. If the app needs consent, select **Accept permissions**. Only a global administrator can give consent.
- b. Select **Update**, **Done**, and and now you can select **Deploy** on the **Overview** tab.
+8. Select **Next** to review the deployment and choose **Finish deployment**. You can view the deployment from the **Overview** tab by choosing **View this deployment**. In the Microsoft 365 admin center, you can see the status of each deployed app and the date you deployed the app.
-6. Review the app information, and then select **Deploy**.
+> [!NOTE]
+> If an app was previously deployed from somewhere other than the Integrated Apps portal, the **Deployment Type** is **Custom.**
-7. Select **Done** on the **Deployment completed** page.
+## Unsupported scenarios
- Review the details of the test or full deployment on the **Overview** tab.
+You won't be able to deploy a single store app or Microsoft 365 Apps by partner from Integrated apps portal for the following scenarios.
-In the Microsoft 365 admin center, each deployed app **Status** is **OK** with a **Deployment Type** of **Test deployment**, **Full deployment**, or **Custom**, and the date you deployed the app.
+- The same add-in is linked to more than one SaaS offer.
+- The SaaS offer is linked to add-ins, but it does not integrate with Microsoft Graph and no AAD App ID is provided.
+- The SaaS offer is linked to add-ins, but AAD App ID provided for Microsoft Graph integration is shared across multiple SaaS offers.
-> [!NOTE]
-> If an app was previously deployed from somewhere other than the Integrated Apps portal, the **Deployment Type** is **Custom.**
+## Upload custom line of business apps for testing and full deployment
-## Unsupported scenarios
+1. In the admin center, in the left nav, choose **Settings** and then **Integrated apps**.
+
+2. Select **Upload custom apps**. Only a custom line of apps for Word, PowerPoint, Excel and Outlook is supported.
+
+3. Upload the manifest file from your device or add a URL link. Some apps require you to add users before you can select Deploy.
+
+4. Select **Add users**, choose **Is this a test Deployment**, and choose **Entire organization** or **Specific users/groups** or **Just me**.
+
+ Specific users/groups can be a Microsoft 365 group, a security group, or a distributed group. You can also choose **Test deployment** if you want to wait to deploy the app to the entire organization.
+
+5. Select **Next** to get to the **Accept permission request** page. The app capabilities and permissions of the apps are listed. If the app needs consent, select **Accept permissions**. Only a global administrator can give consent.
+
+6. Select **Next** to review the deployment and choose **Finish deployment**. You can view the deployment from the **Overview** tab by choosing **View this deployment**.
+
+## Frequently asked questions
+
+### Which administrator role do I need to access Integrated apps?
+
+Only global administrators can access Integrated Apps. Integrated apps won't show up in the left nav for other administrators.
+
+### Why do I see Add-in in the left nav under Setting but not Integrated apps?
+
+There could be a few reasons:
+
+- The logged in administrator is an Exchange admininstrator.
+- The customer is in sovereign cloud and Integrated apps experience is available to sovereign cloud customers yet.
+
+### What apps can I deploy from Integrated apps?
+
+Integrated apps allows deployment of Web Apps, Teams app, Excel, PowerPoint, Word, Outlook add-ins, and SPFx apps. For add-ins, Integrated apps supports deployment to Exchange online mailboxes and not on-premises Exchange mailboxes.
+
+### Can administrators delete or remove apps?
+
+Yes. Global administrators can delete or remove apps.
+
+- Select an app from the list view. On the **Configuration** tab, select which apps to remove.
+
+### Is Integrated apps available in sovereign cloud?
+
+No. Integrated apps aren't available to sovereign cloud customers.
-The following scenarios are not currently supported for deployment from the Integrated Apps portal:
+### Is Integrated apps available in government clouds?
-- The app or add-in is linked to more than one software as a service (SaaS) offer.-- The SaaS app is linked to apps and add-ins but it doesn't have an associated AADid.-- Two SaaS apps share the same AADid and they are both linked to apps or add-ins.
-
+No. Integrated apps aren't available to government cloud customers.
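Review bot: the FAQ bullet `- The customer is in sovereign cloud and Integrated apps experience is available to sovereign cloud customers yet.` is missing its negation and contradicts the answer two questions later (`No. Integrated apps aren't available to sovereign cloud customers.`); suggest `- The customer is in a sovereign cloud, and the Integrated apps experience isn't available to sovereign cloud customers yet.` The same list has `Exchange admininstrator` (typo), and its question heading should read `Add-ins` under `Settings`. Elsewhere in the added text: `custom business line of apps` in the intro and `Only a custom line of apps` in the upload section should both be `custom line of business apps` to match the new section heading; `which are deployed your organization` is missing `in`, and `For web apps, we you can see 2 kinds of apps` has a stray `we`; `deploy of all of the apps` should be `deploy all of the apps`; step 4 of the Manage procedure correctly says `distribution group`, but the two added lines in the Get apps and Upload custom apps procedures still say `distributed group`; the option is written `Is this a test deployment` in two procedures and `Is this a test Deployment` in the third. Finally, since the new steps state that only a global administrator can accept the permission request and the intro says SaaS apps are deployed `by admins giving consent on behalf of organization`, it would help to state explicitly that accepting applies the listed permissions to every user or group in the chosen deployment scope, so that the listed capabilities are reviewed before `Entire organization` is selected.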
compliance Check Your Content Search Query For Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/check-your-content-search-query-for-errors.md
f1.keywords:
Previously updated : 11/30/2016 Last updated : audience: Admin
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
When you assign a distribution group in the policy, the policy monitors all emai
If you're an organization with an Exchange on-premises deployment or an external email provider and you want to monitor Microsoft Teams chats for your users, you must create a distribution group for the users with on-premises or external mailboxes to monitor. Later in these steps, you'll assign this distribution group as the **Supervised users and groups** selection in the policy wizard.
->[!IMPORTANT]
->You must file a request with Microsoft Support to enable your organization to use the graphical user interface in the Security & Compliance Center to search for Teams chat data for on-premises users. For more information, see [Searching cloud-based mailboxes for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md).
- To manage supervised users in large enterprise organizations, you may need to monitor all users across large groups. You can use PowerShell to configure a distribution group for a global communication compliance policy for the assigned group. This enables you to monitor thousands of users with a single policy and keep the communication compliance policy updated as new employees join your organization. 1. Create a dedicated [distribution group](/powershell/module/exchange/new-distributiongroup) for your global communication compliance policy with the following properties: Make sure that this distribution group isn't used for other purposes or other Office 365 services.
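Review bot: removing the IMPORTANT note about filing a Microsoft Support request leaves the hybrid-environment paragraph above it (`you must create a distribution group for the users with on-premises or external mailboxes to monitor`) with no pointer to how Teams chat data for those on-premises users is located; suggest keeping a plain link to [Searching cloud-based mailboxes for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md) in that paragraph so the prerequisite stays discoverable. Also, step `1. Create a dedicated distribution group ... with the following properties:` is followed directly by `Make sure that this distribution group isn't used for other purposes or other Office 365 services.` with no properties listed in this view; please confirm the property list was not dropped in the edit.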
compliance Communication Compliance Feature Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-feature-reference.md
With communication compliance policies, you can choose to scan messages in one o
- **For Teams Channel communications:** Assign every Microsoft Teams channel or Microsoft 365 group you want to scan that contains a specific user to the communication compliance policy. If you add the same user to other Microsoft Teams channels or Microsoft 365 groups, be sure to add these new channels and groups to the communication compliance policy. If any member of the channel is a supervised user within a policy and the *Inbound* direction is configured in a policy, all messages sent within the channel are subject to review and potential policy matches (even for users in the channel that aren't explicitly supervised). For example, User A is the owner or a member of a channel. User B and User C are members of the same channel and use language that is matched to the offensive language policy that supervises only User A. User B and User C create policy matches for conversations within the channel even though they aren't directly supervised in the offensive language policy. Teams conversations between User B and User C that are outside of the channel that includes User A would not be subject to the offensive language policy that includes User A. To exclude channel members from supervision when other members of the channel are explicitly supervised, turn off the *Inbound* communication direction setting in the applicable communication compliance policy. - **For Teams chat communications with hybrid email environments**: Communication compliance can monitor chat messages for users for organizations with an Exchange on-premises deployment or an external email provider that have enabled Microsoft Teams. You must create a distribution group for the users with on-premises or external mailboxes to monitor. When creating a communication compliance policy, you'll assign this distribution group as the **Supervised users and groups** selection in the policy wizard.
- >[!IMPORTANT]
- >You must file a request with Microsoft Support to enable your organization to use the graphical user interface in the Security & Compliance Center to search for Teams chat data for on-premises users. For more information, see [Searching cloud-based mailboxes for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md).
-
-You must file a request with Microsoft Support to enable your organization to use the graphical user interface in the Security & Compliance Center to search for Teams chat data in the cloud-based mailboxes for on-premises users.
- - **Exchange email**: Mailboxes hosted on Exchange Online as part of your Microsoft 365 or Office 365 subscription are all eligible for message scanning. Exchange email messages and attachments matching communication compliance policy conditions may take up to 24 hours to process. Supported attachment types for communication compliance are the same as the [file types supported for Exchange mail flow rule content inspections](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection). - **Yammer**: Private messages and public conversations and associated attachments in Yammer communities can be scanned. When a user is added to communication compliance policy that includes Yammer as a defined channel, communications across all Yammer communities that the user is a member of are included in the scanning process. Yammer chats and attachments matching communication compliance policy conditions may take up to 24 hours to process. Yammer must be in [Native Mode](/yammer/configure-your-yammer-network/overview-native-mode) for communication compliance policies to monitor Yammer communications and attachments. In Native Mode, all Yammer users are in Azure Active Directory (AAD), all groups are Office 365 Groups, and all files are stored in SharePoint Online.
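Review bot: the IMPORTANT note and the unquoted sentence after it (`You must file a request with Microsoft Support ...`) were duplicates, so dropping both is right, but the hybrid-email bullet that remains (`You must create a distribution group for the users with on-premises or external mailboxes to monitor.`) now has no cross-reference for how that chat data is located; suggest keeping the link to [Searching cloud-based mailboxes for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md) inside that bullet rather than removing it with the note.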
compliance Create Ediscovery Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-ediscovery-holds.md
Conversations that are part of a Microsoft Teams channel are stored in the mailb
Alternatively, conversations that are part of the Chat list in Teams (called *1:1 chats* or *1:N group chats*) are stored in the mailboxes of the users who participate in the chat. And files that users share in chat conversations are stored in the OneDrive account of the user who shares the file. Therefore, you have to add the individual user mailboxes and OneDrive accounts to an eDiscovery hold to preserve conversations and files in the chat list. It's a good idea to place a hold on the mailboxes of members of a Microsoft Team in addition to placing the team mailbox and site on hold.
-> [!IMPORTANT]
-> In a cloud-based organization, users who participate in conversations that are part of the chat list in Teams must have an Exchange Online mailbox in order to retain chat conversations when the mailbox is placed on an eDiscovery hold. That's because conversations that are part of the chat list are stored in the cloud-based mailboxes of the chat participants. If a chat participant doesn't have an Exchange Online mailbox, you won't be able to preserve those chat conversations. For example, in an Exchange hybrid deployment, users with an on-premises mailbox may be able to participate in conversations that are part of the chat list in Teams. But in this case, content from these conversation can't be preserved because these users don't have a cloud-based mailboxes that can be placed on hold.
+> [!NOTE]
+> If your organization has an Exchange hybrid deployment (or your organization synchronizes an on-premises Exchange organization with Office 365) and has enabled Microsoft Teams, on-premises users can use the Teams chat application and participate in 1:1 chats and 1:N group chats. These conversations are stored in cloud-based storage that's associated with an on-premises user. If an on-premises user is placed on an eDiscovery hold, the Teams chat content in the cloud-based storage will be preserved. For more information, see [Search for Teams chat data for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md).
For more information about preserving Teams content, see [Place a Microsoft Teams user or team on legal hold](/MicrosoftTeams/legal-hold).
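Review bot: the new NOTE says on-premises users' 1:1 and 1:N chat content `is stored in cloud-based storage that's associated with an on-premises user` and is preserved when the user `is placed on an eDiscovery hold`, but the paragraph above still tells readers to `add the individual user mailboxes and OneDrive accounts to an eDiscovery hold`, and an on-premises user has no Exchange Online mailbox to add; suggest one sentence on how such a user is specified as a hold location, or placing the link to [Search for Teams chat data for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md) in that sentence so readers know where the procedure lives. Since this reverses the removed IMPORTANT text (which said these conversations `can't be preserved`), please confirm the linked article describes the new behaviour.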
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
Content awaiting a disposition review is deleted only after a reviewer chooses t
## Disposition of records
-Use the **Disposition** tab from the **Records Management** page to identify records that are now deleted, either automatically or after a disposition review. These items display **Records Disposed** in the **Type** column. For example:
+Use the **Disposition** tab from the **Records Management** page to identify:
+
+- Items deleted as a result of a disposition review.
+- Items marked as a record or regulatory record that were automatically deleted at the end of their retention period.
+
+These items display **Records Disposed** in the **Type** column. For example:
![Items that were disposed of without a disposition review](../media/records-disposed2.png)
-Items that are shown in the **Disposed Items** tab for record labels are kept for up to seven years after the item was disposed, with a limit of one million items per record for that period. If you see the **Count** number nearing this limit of one million, and you need proof of disposition for your records, contact [Microsoft Support](/office365/admin/contact-support-for-business-products).
+Items that are shown in the **Disposed Items** tab are kept for up to seven years after the item was disposed, with a limit of one million items per record for that period. If you see the **Count** number nearing this limit of one million, and you need proof of disposition for your records, contact [Microsoft Support](/office365/admin/contact-support-for-business-products).
> [!NOTE]
-> This functionality is based on information from the [unified audit log](search-the-audit-log-in-security-and-compliance.md) and therefore requires auditing to be [enabled and searchable](turn-audit-log-search-on-or-off.md) so the corresponding events are captured.
+> This functionality uses information from the [unified audit log](search-the-audit-log-in-security-and-compliance.md) and therefore requires auditing to be [enabled and searchable](turn-audit-log-search-on-or-off.md) so the corresponding events are captured.
-For auditing, search for **Deleted file marked as a record** in the **File and page activities** category. This audit event is applicable to documents and emails.
+For auditing of deleted items that were marked as records or regulatory records, search for **Deleted file marked as a record** in the **File and page activities** category. This audit event is applicable to documents and emails.
## Filter and export the views
compliance Keyword Queries And Search Conditions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/keyword-queries-and-search-conditions.md
For a complete list of SharePoint properties that can be searched, see [Overview
|FileName|The name of a file.|`filename:"marketing plan"` <br/> `filename:estimate`|The first example returns files with the exact phrase "marketing plan" in the title. The second example returns files with the word "estimate" in the file name.| |LastModifiedTime|The date that an item was last changed.|`lastmodifiedtime>=05/01/2016` <br/> `lastmodifiedtime>=05/10/2016 AND lastmodifiedtime<=06/1/2016`|The first example returns items that were changed on or after May 1, 2016. The second example returns items changed between May 1, 2016 and June 1, 2016.| |ModifiedBy|The person who last changed an item. Be sure to use the user's display name for this property.|`modifiedby:"Garth Fort"`|All items that were last changed by Garth Fort.|
-|Path|The path (URL) of a specific site in a SharePoint or OneDrive for Business site. <br/> To return items located in folders in the site that you specify for the path property, you have to add /\* to the URL of the specified site; for example, `path: "https://contoso.sharepoint.com/Shared Documents/*"` <br/> <br/> **Note:** Using the `Path` property to search OneDrive locations won't return media files, such as .png, .tiff, or .wav files, in the search results. Use a different site property in your search query to search for media files in OneDrive folders. <br/>|`path:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/"` <br/> `path:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/*" AND filename:confidential`|The first example returns all items in the specified OneDrive for Business site. The second example returns documents in the specified site (and folders in the site) that contain the word "confidential" in the file name.|
+|Path|The path (URL) of a specific site in a SharePoint or OneDrive for Business site.<br/><br/>To return items only from the specified site, you have to add the trailing `/` to the end of the URL; for example, `path: "https://contoso.sharepoint.com/sites/international/"` <br/><br/> To return items located in folders in the site that you specify in the path property, you have to add `/*` to the end of the URL; for example, `path: "https://contoso.sharepoint.com/Shared Documents/*"` <br/><br/> **Note:** Using the `Path` property to search OneDrive locations won't return media files, such as .png, .tiff, or .wav files, in the search results. Use a different site property in your search query to search for media files in OneDrive folders. <br/>|`path:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/"` <br/> `path:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/*" AND filename:confidential`|The first example returns all items in the specified OneDrive for Business site. The second example returns documents in the specified site (and folders in the site) that contain the word "confidential" in the file name.|
|SharedWithUsersOWSUser|Documents that have been shared with the specified user and displayed on the **Shared with me** page in the user's OneDrive for Business site. These are documents that have been explicitly shared with the specified user by other people in your organization. When you export documents that match a search query that uses the SharedWithUsersOWSUser property, the documents are exported from the original content location of the person who shared the document with the specified user. For more information, see [Searching for site content shared within your organization](#searching-for-site-content-shared-within-your-organization).|`sharedwithusersowsuser:garthf` <br/> `sharedwithusersowsuser:"garthf@contoso.com"`|Both examples return all internal documents that have been explicitly shared with Garth Fort and that appear on the **Shared with me** page in Garth Fort's OneDrive for Business account.| |Site|The URL of a site or group of sites in your organization.|`site:"https://contoso-my.sharepoint.com"` <br/> `site:"https://contoso.sharepoint.com/sites/teams"`|The first example returns items from the OneDrive for Business sites for all users in the organization. The second example returns items from all team sites.| |Size|The size of an item, in bytes.|`size>=1` <br/> `size:1..10000`|The first example returns items larger than 1 byte. The second example returns items from 1 through 10,000 bytes in size.|
kind:im AND subject:conversation AND (received=startdate..enddate)
- To exclude content marked with a certain property value from your search results, place a minus sign (-) before the name of the property. For example, `-from:"Sara Davis"` excludes any messages sent by Sara Davis. -- You can export items based on message type. For example, to export Skype conversations and chats in Microsoft Teams, use the syntax `kind:im`. To return only email messages, you would use `kind:email`. To return chats, meetings, and calls in Microsoft Teams, use `kind:microsoftteams`.
+- You can export items based on message type. For example, to export Skype conversations and chats in Microsoft Teams, use the syntax `kind:im`. To return only email messages, you would use `kind:email`. To return chats, meetings, and calls in Microsoft Teams, use `kind:microsoftteams`.
+
+- As previously explained, when searching sites you have to add the trailing `/` to the end of the URL when using the `path` property to return only items in a specified site. If you don't include the trailing `/`, items from a site with a similar path name will also be returned. For example, if you use `path:sites/HelloWorld` then items from sites named `sites/HelloWorld_East` or `sites/HelloWorld_West` would also be returned. To return items only from the HelloWorld site, you have to use `path:sites/HelloWorld/`.
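Review bot: the trailing-slash example in the new bullet uses an unquoted relative path (`path:sites/HelloWorld/`) while every Path example in the table is a full quoted URL such as `path: "https://contoso.sharepoint.com/sites/international/"`; suggest using the same full-URL form here so readers do not copy a shape the table never shows. Please also confirm the minus-sign bullet (`-from:"Sara Davis"` excludes messages sent by Sara Davis) is retained: in this view it appears only on the removed line, and only the `kind:` bullet is re-added. It would strengthen the new bullet to say plainly that omitting the `/` widens the search to unrelated sites (the `sites/HelloWorld_East` and `sites/HelloWorld_West` example), which matters when a search or export is meant to be limited to one site's content.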
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
Read and apply the [ADFS Migration steps](ms-cloud-germany-transition-add-adfs.m
| Step(s) | Description | Impact | |:-|:-|:-|
-| Notify external partners of the upcoming transition to Office 365 services. | Customers must notify their partners with whom they have enabled sharing calendar and availability address space configuration (allow sharing of free/busy information with Office 365). Availability configuration needs to transition to use the [Office 365 worldwide endpoints](https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) when Exchange Online migration is completed. | Failure to do so may result in service or client failure at a later phase of customer migration. |
-| Notify users of required IMAP4/POP3/SMTP client changes. | Users who have device connections to Microsoft Cloud Deutschland endpoints for client protocols IMAP4, POP3, SMTP are required to manually update their client devices to switch to the [Office 365 worldwide endpoints](https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide). | Pre-communicate this dependency to users of these protocols and ensure they either switch to use Outlook mobile or Outlook on the web during this migration. Failure to update client endpoints will result in client connection failures against Microsoft Cloud Deutschland when user mailboxes are migrated. |
+| Notify external partners of the upcoming transition to Office 365 services. | Customers must notify their partners with whom they have enabled sharing calendar and availability address space configuration (allow sharing of free/busy information with Office 365). Availability configuration needs to transition to use the [Office 365 worldwide endpoints](https://docs.microsoft.com/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) when Exchange Online migration is completed. | Failure to do so may result in service or client failure at a later phase of customer migration. |
+| Notify users of required IMAP4/POP3/SMTP client changes. | Users who have device connections to Microsoft Cloud Deutschland endpoints for client protocols IMAP4, POP3, SMTP are required to manually update their client devices to switch to the [Office 365 worldwide endpoints](https://docs.microsoft.com/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide). | Pre-communicate this dependency to users of these protocols and ensure they either switch to use Outlook mobile or Outlook on the web during this migration. Failure to update client endpoints will result in client connection failures against Microsoft Cloud Deutschland when user mailboxes are migrated. |
|||| ### Exchange Online Hybrid configuration
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
If you want to modify user photos during phase 5, see [Exchange Online Set-UserP
|Stop or delete any onboarding or offboarding mailbox moves, namely don't move mailboxes between Exchange on-premises and Exchange Online. | This ensures the mailbox move requests don't fail with an error. | Failure to do so may result in failure of the service or Office clients. | | Exchange Online mailboxes are moved from Microsoft Cloud Deutschland to Office 365 Global services.| Exchange Online configuration adds the new go-local German region to the transitioning organization. The Office 365 Global services region is set as default, which enables the internal load-balancing service to redistribute mailboxes to the appropriate default region in Office 365 services. In this transition, users on either side (MCD or Global services) are in the same organization and can use either URL endpoint. |<ul><li>Transition users and services from your legacy MCD URLs (outlook.office.de) to new Office 365 services URLs (`https://outlook.office365.com`).</li><li>Users may continue to access the service through legacy MCD URLs during the migration, however they need to stop using the legacy URLs on completion of the migration.</li><li>Users should transition to using the worldwide Office portal for Office Online features (Calendar, Mail, People). Navigation to services that aren't yet migrated to Office 365 services won't function until they are migrated. </li><li>The Outlook Web App won't provide the public folder experience during migration. </li></ul>| | Update custom DNS Settings for AutoDiscover| Customer-managed DNS settings for AutoDiscover that currently point to Microsoft Cloud Deutschland need to be updated to refer to the Office 365 Global endpoint on completion of the Exchange Online phase (phase 5). <br> Existing DNS entries with CNAME pointing to autodiscover-outlook.office.de need to be updated to point to autodiscover.outlook.com. | Availability requests and service discovery calls via AutoDiscover point directly to the Office 365 services. 
Customers who do not perform these DNS updates may experience Autodiscover service issues when the migration is finalized. |
-| Users must update POP3, IMAP4, SMTP client configuration. | Users who have device connections to Microsoft Cloud Deutschland endpoints for client protocols POP3, IMAP4, SMTP are required to manually update their client devices to switch to the [Office 365 worldwide endpoints](https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) concurrent with their mailbox migration to Office 365 Germany region. <br> smtp.office365.com : SMTP (TCP:587), outlook.office365.com : IMAP4 (TCP:993), POP3 (TCP:995)| Users of these protocols must either switch to use Outlook mobile or Outlook on the web while their mailbox is transioned and update IMAP4, POP3, SMTP settings on client devices to the new endpoints on completion. Failure to update client endpoints will result in client connection failures against Microsoft Cloud Deutschland when user mailboxes are migrated. |
+| Users must update POP3, IMAP4, SMTP client configuration. | Users who have device connections to Microsoft Cloud Deutschland endpoints for client protocols POP3, IMAP4, SMTP are required to manually update their client devices to switch to the [Office 365 worldwide endpoints](https://docs.microsoft.com/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) concurrent with their mailbox migration to Office 365 Germany region. <br> smtp.office365.com : SMTP (TCP:587), outlook.office365.com : IMAP4 (TCP:993), POP3 (TCP:995)| Users of these protocols must either switch to use Outlook mobile or Outlook on the web while their mailbox is transioned and update IMAP4, POP3, SMTP settings on client devices to the new endpoints on completion. Failure to update client endpoints will result in client connection failures against Microsoft Cloud Deutschland when user mailboxes are migrated. |
|||| Additional considerations:
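Review bot: the rewritten POP3/IMAP4/SMTP row still carries the typo "transioned" in its Impact cell; since the line is being touched for the URL fix anyway, correct it to "transitioned". The same cell calls the destination the "Office 365 Germany region", while the mailbox-move row above it describes mailboxes moving to "Office 365 Global services" with a new go-local German region added; use one name for the destination so readers do not infer two separate targets. The endpoint and port list (`smtp.office365.com : SMTP (TCP:587), outlook.office365.com : IMAP4 (TCP:993), POP3 (TCP:995)`) is the only actionable content in the row and is easy to miss after the `<br>`; it would read better as a short list or its own column.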
knowledge Topic Experiences Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-overview.md
See [Manage topics in the Topic center](manage-topics.md) for more information.
## Admin controls
-Admin controls in the Microsoft 365 admin center allow you to manage your knowledge network. They allow a Microsoft 365 global or SharePoint administrator to:
+Admin controls in the Microsoft 365 admin center allow you to manage Viva Topics. They allow a Microsoft 365 global or SharePoint administrator to:
- Control which users in your organization are allowed to see topics in SharePoint modern pages or in SharePoint search results. - Control which SharePoint sites will be crawled to identify topics.
Additionally, users with proper permissions can tag items such as Yammer convers
See [Topic discovery and curation](./topic-experiences-discovery-curation.md)
-## See also
+## See also
security Onboard Windows 10 Multi Session Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Onboard-Windows-10-multi-session-device.md
Previously updated : 09/10/2020
Applies to: - Windows 10 multi-session running on Windows Virtual Desktop (WVD)
-> [!WARNING]
-> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported.
- Microsoft Defender for Endpoint supports monitoring both VDI and Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. ## Before you begin
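Review bot: the deletion here reaches past the `[!WARNING]` block: the removed line that begins "Microsoft Defender for Endpoint supports monitoring both VDI and Windows Virtual Desktop sessions" also carries the "## Before you begin" heading at its end, so if that line is really gone the article loses its introductory paragraph and the heading that the following section hangs under. Confirm that only the warning was meant to go. Removing the warning also drops the only statement of the 25-concurrent-session limit per host/VM; if that limit still applies outside preview it should be restated in the body, and if multi-session support is now generally available the "Previously updated: 09/10/2020" stamp above should be refreshed to match.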
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Troubleshoot]() ##### [Troubleshoot installation issues](mac-support-install.md) ##### [Troubleshoot performance issues](mac-support-perf.md)
+##### [Troubleshoot cloud connectivity](troubleshoot-cloud-connect-mdemac.md)
##### [Troubleshoot kernel extension issues](mac-support-kext.md) ##### [Troubleshoot license issues](mac-support-license.md)
#### [Troubleshoot attack surface reduction issues]() ##### [Network protection](troubleshoot-np.md) ##### [Attack surface reduction rules](troubleshoot-asr.md)
+##### [Migrate to Attack surface reduction rules](migrating-asr-rules.md)
# [Microsoft 365 Defender](../index.yml) # [Defender for Office 365](../office-365-security/overview.md)
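Review bot: the new entry "Migrate to Attack surface reduction rules" (migrating-asr-rules.md) is placed under "Troubleshoot attack surface reduction issues" next to the network protection and ASR rule troubleshooting pages, but the article is a planning guide for moving off a third-party HIPS, not a troubleshooting page; it belongs beside the ASR configuration or overview entries. Also match the sibling entries' casing ("attack surface reduction" in the parent node versus "Attack surface reduction rules" here). The "Troubleshoot cloud connectivity" addition under the macOS troubleshoot node looks correctly placed.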
security Attack Surface Reduction Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq.md
+ ms.technology: mde
ASR was originally a feature of the suite of exploit guard features introduced a
## Do I need to have an enterprise license to run ASR rules?
-The full set of ASR rules and features is only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license. If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full capabilities of ASR will not be available.
+The full set of ASR rules and features is only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license. If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell. Using ASR without an enterprise license isn't officially supported and you won't be able to use the full capabilities of ASR.
To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
Yes. ASR is supported for Windows Enterprise E3 and above.
All of the rules supported with E3 are also supported with E5.
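Review bot: the added frontmatter line shows as `+ ms.technology: mde` with a space after the diff marker, unlike the same key added flush left elsewhere in this change (the mac-whatsnew.md context shows `ms.technology: mde` with no indentation); if that space is in the file, YAML reads it as an indented continuation of the previous key and the page build will reject the metadata. In the licensing answer below it, the rewritten sentence is fine grammatically, but the paragraph still tells Microsoft 365 Business customers to enable the rules through PowerShell in one sentence and that doing so is unsupported in the next; say which rules are expected to work without an enterprise license, or link to where that list lives, so the advice is actionable.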
-E5 also added greater integration with Defender for Endpoint. With E5, you can [use Defender for Endpoint to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/defender/monitor-devices?view=o365-worldwide&preserve-view=true#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
+E5 adds greater integration with Defender for Endpoint. With E5, you can view alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
## What are the currently supported ASR rules?
+ASR currently supports all of the rules below.
-ASR currently supports all of the rules below:
+## What rules to enable? All, or can I turn on individual rules?
+To help you figure out whatΓÇÖs best for your environment, we
+recommended that you enable ASR rules in [audit mode](audit-windows-defender.md). With this approach, youΓÇÖll determine the possible affect to your organization. For example, your line-of-business applications.
+
+## How do ASR rules exclusions work?
+For ASR rules, if you add one exclusion, it will affect every ASR rule.
+The following two specific rules don't support exclusions:
+
+|Rule name|GUID|File & folder exclusions|
+|:--|:--|:--|
+|Block JavaScript or VBScript from launching downloaded executable content|D3E037E1-3EB8-44C8-A917-57927947596D|Not supported|
+|Block persistence through WMI event subscription|e6db77e5-3df2-4cf1-b95a-636979351e5b|Not supported|
+
+ASR rules exclusions support wildcards, paths, and environmental variables. For more information on how to use wildcards in ASR rules, see [configure and validate exclusions based on file extension and folder location](/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus).
+
+Be aware of the following items about ASR rules exclusions (including wildcards and env. variables):
+
+- ASR rules exclusions are independent from Defender AV exclusions
+- Wildcards cannot be used to define a drive letter
+- If you want to exclude more than one folder, in a path, use multiple instances of \*\ to indicate multiple nested folders (for example, c:\Folder\*\*\Test)
+- Microsoft Endpoint Configuration Manager *does not* support wildcards (* or ?)
+- If you want to exclude a file, that contains random characters (automated file generation), you can use the '?' symbol (for example, C:\Folder\fileversion?.docx)
+- ASR exclusions in Group Policy don't support quotes (the engine will natively handle long path, spaces, etc., so there's no need to use quotes)
+- ASR rules run under NT AUTHORITY\SYSTEM account, so environmental variables are limited to machine variables.
+++
+## How do I know what I need to exclude?
+Different ASR rules will have different protection flows. Always think about what the ASR rule you are configuring protects against, and how the actual execution flow pans out.
+
+Example:
+**Block credential stealing from the Windows local security authority subsystem**
+Reading directly from Local Security Authority Subsystem (LSASS) process can be a security risk, since it might expose corporate credentials.
+
+This rule prevents untrusted processes from having direct access to LSASS memory. Whenever a process tries to use the OpenProcess() function to access LSASS, with an access right of PROCESS_VM_READ, the rule will specifically block that access right.
++
+Looking at the above example, if you really had to create an exception for the process that the access right was blocked, adding the filename along with full path would exclude it from being blocked and after allowed to access LSASS process memory. The value of 0 means that ASR rules will ignore this file/process and not block/audit it.
++
+## What are the rules Microsoft recommends enabling?
+
+We recommend enabling every possible rule. However, there are some cases where you shouldnΓÇÖt enable a rule. For example, we don't recommend enabling the Block process creations originating from PSExec and WMI commands rule, if youΓÇÖre using Microsoft Endpoint Configuration Manager (or, System Center Configuration Manager - SCCM) to manage your endpoints.
+
+We highly recommend you that you read each rule-specific information and/or warnings, which are available in our
+[public documentation](/microsoft-365/security/defender-endpoint/attack-surface-reduction.md).
+ spanning across multiple pillars of protection, like Office, Credentials, Scripts, E-Mail, etc. All ASR rules, except for Block persistence through WMI event subscription, are supported on Windows 1709 and later:
* [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail) * [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
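Review bot: the new FAQ sections are inserted in the middle of the "What are the currently supported ASR rules?" answer, splitting one sentence: the hunk changes the colon after "ASR currently supports all of the rules below" to a full stop, then adds the exclusion and recommendation sections, and then resumes with the fragment "spanning across multiple pillars of protection, like Office, Credentials, Scripts, E-Mail, etc." before the rule list. Move the new sections above that heading (or below the rule list) and restore the original sentence so the list follows its question. In "How do I know what I need to exclude?", the sentence "The value of 0 means that ASR rules will ignore this file/process" refers to a value that is never introduced in the text (the `++` lines suggest an image stood there); state in words where the 0 goes, namely the Value field of the exclusion entry, so the answer survives without the screenshot. Since the LSASS example shows that an exclusion grants a process read access to LSASS memory, it is worth adding that exclusions match on path, so the excluded path must be one only administrators can write to, otherwise anything dropped at that path inherits the exemption. Smaller fixes: "we recommended that you enable" should be "we recommend", "possible affect" should be "possible effect", the apostrophes in "what's", "you'll" and "shouldn't" are rendered as `ΓÇÖ` and should be plain ASCII, "environmental variables" should be "environment variables", "after allowed" should be "afterwards allowed", the two GUIDs in the exclusions table mix upper and lower case, the statement that one exclusion "will affect every ASR rule" should say "every rule except the two listed below" to agree with the table that follows, and the link `/microsoft-365/security/defender-endpoint/attack-surface-reduction.md` should use the relative form `attack-surface-reduction.md` that the rule list already uses.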
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
The following capabilities are included in this integration:
- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). > [!NOTE]
- > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
+ > The integration between Azure Defender for Servers and Microsoft Defender for Endpoint has been expanded to support [Windows Server 2019 and Windows Virtual Desktop (WVD)](https://docs.microsoft.com/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview).
- Windows servers monitored by Azure Security Center will also be available in Defender for Endpoint - Azure Security Center seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
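Review bot: replacing the note "Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016" with a pointer to the 2019/WVD expansion removes the only list of supported versions from this section, so a reader can no longer tell which server versions automated onboarding covers. Keep the list and append Windows Server 2019 and WVD to it, and since the linked release-note anchor ends in "in-preview", say that the 2019/WVD support is in preview instead of presenting it as generally available.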
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
To complete this process, you must have admin privileges on the device.
1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender for Endpoint for macOS.
- The client device isn't associated with orgId. Note that the *orgId* attribute is blank.
+ The client device isn't associated with org_id. Note that the *org_id* attribute is blank.
```bash mdatp health --field org_id
To complete this process, you must have admin privileges on the device.
/usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py ```
-3. Verify that the device is now associated with your organization and reports a valid *orgId*:
+3. Verify that the device is now associated with your organization and reports a valid org ID:
```bash mdatp health --field org_id ```
-After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
+ After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
+
+ > [!div class="mx-imgBorder"]
+ > ![Microsoft Defender icon in status bar screenshot](images/mdatp-icon-bar.png)
- ![Microsoft Defender icon in status bar screenshot](images/mdatp-icon-bar.png)
-
## How to Allow Full Disk Access > [!CAUTION] > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device.
-To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Click the lock icon to make changes (bottom of the dialog box). Select Microsoft Defender for Endpoint.
+1. To grant consent, open **System Preferences** > **Security & Privacy** > **Privacy** > **Full Disk Access**. Click the lock icon to make changes (bottom of the dialog box). Select Microsoft Defender for Endpoint.
+
+2. Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
+
+ 1. Ensure that real-time protection is enabled (denoted by a result of 1 from running the following command):
+
+ ```bash
+ mdatp health --field real_time_protection_enabled
+ ```
+
+ 1. Open a Terminal window. Copy and execute the following command:
+
+ ```bash
+ curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
+ ```
+
+ 1. The file should have been quarantined by Defender for Endpoint for Mac. Use the following command to list all the detected threats:
+
+ ```bash
+ mdatp threat list
+ ```
+
+3. Run an EDR detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
+
+ 1. In your browser such as Microsoft Edge for Mac or Safari.
+
+ 1. Download MDATP MacOS DIY.zip from https://aka.ms/mdatpmacosdiy and extract.
+
+ You may be prompted:
+
+ > Do you want to allow downloads on "mdatpclientanalyzer.blob.core.windows.net"?<br/>
+ > You can change which websites can download files in Websites Preferences.
+
+4. Click **Allow**.
+
+5. Open **Downloads**.
+
+6. You should see **MDATP MacOS DIY**.
+
+ > [!TIP]
+ > If you double-click, you will get the following message:
+ >
+ > > **"MDATP MacOS DIY" cannot be opened because the developer cannot be verifier.**<br/>
+ > > macOS cannot verify that this app is free from malware.<br/>
+ > > **\[Move to Trash\]** **\[Cancel\]**
+
+7. Click **Cancel**.
+
+8. Right-click **MDATP MacOS DIY**, and then click **Open**.
+
+ The system should display the following message:
+
+ > **macOS cannot verify the developer of **MDATP MacOS DIY**. Are you sure you want to open it?**<br/>
+ > By opening this app, you will be overriding system security which can expose your computer and personal information to malware that may harm your Mac or compromise your privacy.
+
+10. Click **Open**.
+
+ The system should display the following message:
+
+ > Microsoft Defender ATP - macOS EDR DIY test file<br/>
+ > Corresponding alert will be available in the MDATP portal.
+
+11. Click **Open**.
+
+ In a few minutes an alert named "macOS EDR Test Alert" should be raised.
+
+12. Go to Microsoft Defender Security Center (https://SecurityCenter.microsoft.com).
+
+13. Go to the Alert Queue.
+
+ :::image type="content" source="images/b8db76c2-c368-49ad-970f-dcb87534d9be.png" alt-text="Example of a macOS EDR test alert that shows severity, category, detection source, and a collapsed menu of actions.":::
+
+ Look at the alert details and the device timeline, and perform the regular investigation steps.
## Logging installation issues
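Review bot: the step numbering in the new detection-test procedure is broken: step 3 ("Run an EDR detection test") has two nested sub-steps, then the browser, download, Allow, Open and Security Center actions continue as top-level steps 4 through 8, step 9 is skipped, and the list resumes at 10 through 13, even though all of them are part of the EDR test that step 3 introduces. Nest them under step 3 (or split step 3 into its own numbered list) with continuous numbers. The first sub-step "In your browser such as Microsoft Edge for Mac or Safari." is a sentence fragment; "cannot be verifier" should be "cannot be verified"; and the quoted dialog `**macOS cannot verify the developer of **MDATP MacOS DIY**. Are you sure you want to open it?**` nests bold inside bold and will not render. Because steps 8 through 10 walk the reader through overriding Gatekeeper for an unsigned app, the article should state that this override is expected only for the DIY test file and tell the reader to delete the extracted app once the "macOS EDR Test Alert" has appeared, so the habit is not carried over to other downloads. For the AV test, it would help to say that the EICAR download is expected to be quarantined on write while real-time protection is on, and to delete the file manually if `mdatp threat list` does not show it.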
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender for Endpoint for Mac is contributing to the performance issues.
- If your device is not managed by your organization, real-time protection can be disabled using one of the following options:
+ If your device is not managed by your organization, real-time protection can be disabled using one of the following options:
- From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**.
The following steps can be used to troubleshoot and mitigate these issues:
mdatp config real-time-protection --value disabled ```
- If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
+ If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
+
+ If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, please contact customer support for further instructions and mitigation.
2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
-3. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+1. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Mac.
- See [Configure and validate exclusions for Microsoft Defender for Endpoint for Mac](mac-exclusions.md) for details.
+ > [!NOTE]
+ > This feature is available in version 100.90.70 or newer.
+ This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line:
+ ```bash
+ mdatp config real-time-protection-statistics --value enabled
+ ```
+
+ This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
+
+ ```bash
+ mdatp health --field real_time_protection_enabled
+ ```
+
+ Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it:
+
+ ```bash
+ mdatp config real-time-protection --value enabled
+ ```
+
+ ```output
+ Configuration property updated
+ ```
+
+ To collect current statistics, run:
+
+ ```bash
+ mdatp config real-time-protection --value enabled
+ ```
+
+ > [!NOTE]
+ > Using **--output json** (note the double dash) ensures that the output format is ready for parsing.
+ The output of this command will show all processes and their associated scan activity.
+
+1. On your Mac system, download the sample Python parser high_cpu_parser.py using the command:
+
+ ```bash
+ wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py
+ ```
+
+ The output of this command should be similar to the following:
+
+ ```Output
+ --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.
+ mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 1020 [text/plain]
+ Saving to: 'high_cpu_parser.py'
+ 100%[===========================================>] 1,020 --.-K/s in
+ 0s
+ ```
+
+1. Next, type the following commands:
+
+ ```bash
+ chmod +x high_cpu_parser.py
+ ```
+
+ ```bash
+ cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log
+ ```
+
+ The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact.
+
+ For example, the output of the command will be something like the below:
+
+ ```output
+ ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10
+ 27432 None 76703
+ 73467 actool 1249
+ 73914 xcodebuild 1081
+ 73873 bash 1050
+ 27475 None 836
+ 1 launchd 407
+ 73468 ibtool 344
+ 549 telemetryd_v1 325
+ 4764 None 228
+ 125 CrashPlanService 164
+ ```
+
+ To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
+
+ > [!NOTE]
+ > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
+ >
+1. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+
+ See [Configure and validate exclusions for Microsoft Defender for Endpoint for Mac](mac-exclusions.md) for details.
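Review bot: the command given under "To collect current statistics, run:" is `mdatp config real-time-protection --value enabled`, which is the same command shown two blocks earlier to enable real-time protection (with its "Configuration property updated" output); it does not emit statistics, and nothing in the procedure ever creates the `real_time_protection.json` file that the later `cat real_time_protection.json | python high_cpu_parser.py` step reads. This should be the statistics export with JSON output redirected to that file, for example `mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json`, which also makes the following note about `--output json` refer to a flag that actually appears. The sample invocation in the output block reads `<~Downloads/output.json`, a different filename and a missing slash; align it with the instructed command. The download step uses `wget`, which is not preinstalled on macOS, while the install page in this same change uses `curl`; use `curl -O` here, and fix the sample output, which shows the URL broken as "microsoft." and "linus/diagnostic". Since the procedure downloads a script from the `master` branch and runs it with python, pin the URL to a tag or commit, or tell the reader to inspect the script before running it. Smaller fixes: "te process name" should be "the process name", "Total files scanned row" should be "column", the step after step 2 restarts numbering at "1.", and the exclusions link in the statistics step points to "Configure and validate exclusions for Defender for Endpoint for Linux" (linux-exclusions.md) in a Mac article; the final step correctly links mac-exclusions.md, so use that here too.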
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md). > [!IMPORTANT]
-> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.
+> Support for macOS 10.13 (High Sierra) has been discontinued on February 15th, 2021.
+
+## 101.23.64 (20.121021.12364.0)
+
+- Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run `mdatp health --details antivirus`
+- Performance improvements & bug fixes
## 101.22.79 (20.121012.12279.0)
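Review bot: "has been discontinued on February 15th, 2021" pairs the present perfect with a specific date; "was discontinued on February 15, 2021" reads correctly and matches the date style used elsewhere in these pages. The new 101.23.64 entry is fine; "Performance improvements & bug fixes" could use "and" for consistency with the other release notes.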
security Migrating Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-asr-rules.md
+
+ Title: Migrating from a third-party HIPS to ASR rules
+description: Describes how to approach a migration from a third-party Host Intrusion Prevention System (HIPS) solution into ASR rules.
+keywords: Attack surface reduction rules, asr, asr rules, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender for Endpoint, Microsoft Defender ATP
+search.product: eADQiWindows 10XVcnh
+
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
++++
+ms.technology: mde
++
+# Migrating from a third-party HIPS to ASR rules
+
+This article helps you to map common rules to Microsoft Defender for Endpoint. The following table shows common questions and scenarios when migrating from a third-party HIPS product to ASR rules.
+
+|Scope and Action|Processes|Operation|Examples of Files/Folders, Registry Keys/Values, Processes, Services|Attack Surface Reduction rules|Other recommended features|
+|:--|:--|:--|:--|:--|:--|
+|All Processes: Block creation of specific files and registry keys||File Creation|*.zepto, *.odin, *.locky, *.jaff, *.lukitus, *.wnry, *.krab|ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension is not always useful, because it does not prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.|Having Microsoft Defender AV enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommended you use other prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, several of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges to be able to be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.|
+|All Processes: Block creation of specific files and registry keys||Registry Modifications|*\Software\*,HKCU\Environment\UserInitMprLogonScript,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\*\StartExe, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\Debugger,HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author\location,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess|ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension is not always useful, because it does not prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.|Having Microsoft Defender AV enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommended you use additional prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, several of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. Plus, the registry keys used require a minimum of Local Admin or Trusted Installer privileges to be able to be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.|
+|Untrusted Programs from USB: Block untrusted programs from running from removable drives|*|Process Execution|*|ASR rules have a built-in rule to prevent the launch of untrusted and unsigned programs from removable drives: "Block untrusted and unsigned processes that run from USB", GUID "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4".|Please explore additional controls for USB devices and other removable media using Microsoft Defender for Endpoint: [How to control USB devices and other removable media using Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune). |
+|Mshta: Block Mshta from launching certain child processes|mshta.exe|Process Execution|powershell.exe, cmd.exe, regsvr32.exe|ASR rules don't contain any specific rule to prevent child processes from "mshta.exe". This control is within the remit of Exploit Protection or Windows Defender Application Control.|Enable Windows Defender Application Control to prevent mshta.exe from being executed altogether. If your organization requires "mshta.exe" for line of business apps, configure a specific Windows Defender Exploit Protection rule, in order to prevent mshta.exe from launching child processes.|
+|Outlook: Block Outlook from launching child processes|outlook.exe|Process Execution|powershell.exe|ASR rules have a built-in rule to prevent Office communication apps (Outlook, Skype and Teams) from launching child processes: "Block Office communication application from creating child processes", GUID "26190899-1602-49e8-8b27-eb1d0a1ce869".|We recommend enabling PowerShell constrained language mode, in order to minimize the attack surface from PowerShell.|
+|Office: Block Office Apps from launching child processes and from creating executable content|winword.exe, powerpnt.exe, excel.exe|Process Execution|powershell.exe, cmd.exe, wscript.exe, mshta.exe, EQNEDT32.EXE, regsrv32.exe|ASR rules have a built-in rule to prevent Office apps from launching child processes: "Block all Office applications from creating child processes", GUID "D4F940AB-401B-4EFC-AADC-AD5F3C50688A".|N/A|
+|Office: Block Office Apps from launching child processes and from creating executable content|winword.exe, powerpnt.exe, excel.exe|File Creation|C:\Users\*\AppData\**\*.exe, C:\ProgramData\**\*.exe, C:\ProgramData\**\*.com, C:\Users\*AppData\Local\Temp\**\*.com, C:\Users\**\Downloads\**\*.exe, C:\Users\*\AppData\**\*.scf, C:\ProgramData\**\*.scf, C:\Users\Public\*.exe, C:\Users\*\Desktop\**\*.exe|N/A|
+|Wscript: Block Wscript from reading certain types of files|wscript.exe|File Read|C:\Users\*\AppData\**\*.js*, C:\Users\*\Downloads\**\*.js*|Due to reliability and performance issues, ASR rules do not have the capability to prevent a specific process from reading a certain script file type. We do have a rule to prevent attack vectors that might originate from these scenarios. The rule name is "Block JavaScript or VBScript from launching downloaded executable content" (GUID "D3E037E1-3EB8-44C8-A917-57927947596D") and the "Block execution of potentially obfuscated scripts" (GUID " 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC")|Though there are specific ASR rules that mitigate certain attack vectors within these scenarios, it's important to mention that AV is able by default to inspect scripts (PowerShell, Windows Script Host, JavaScript, VBScript, and more) in real time, through the Antimalware Scan Interface (AMSI). More info is available here: [Antimalware Scan Interface (AMSI)](https://docs.microsoft.com/windows/win32/amsi/antimalware-scan-interface-portal). |
+|Adobe Acrobat: Block launch of child processes|AcroRd32.exe, Acrobat.exe|Process Execution|cmd.exe, powershell.exe, wscript.exe|ASR rules allow blocking Adobe Reader from launching child processes. The rule name is "Block Adobe Reader from creating child processes", GUID "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c".|N/A|
+|CertUtil: Block download or creation of executable content|certutil.exe|File Creation|*.exe|ASR rules don't support these scenarios because they're part of Microsoft Defender Antivirus protection.|Microsoft Defender AV prevents CertUtil from creating or downloading executable content.|
+|All Processes: Block processes from stopping critical System components|*|Process Termination|MsSense.exe, MsMpEng.exe, NisSrv.exe, svchost.exe*, services.exe, csrss.exe, smss.exe, wininit.exe, and more.|ASR rules don't support these scenarios because they're protected with Windows 10 built-in security protections.|ELAM (Early Launch AntiMalware), PPL (Protection Process Light), PPL AntiMalware Light, and System Guard.|
+|Specific Processes: Block specific launch Process Attempt|"Name your Process"|Process Execution|tor.exe, bittorrent.exe, cmd.exe, powershell.exe, and more.|Overall, ASR rules aren't designed to function as an Application manager.|To prevent users from launching specific processes or programs, the recommendation would be to use Windows Defender Application Control. Microsoft Defender for Endpoint File and Cert indicators, can be used in an Incident Response scenario (should not be seen as an application control mechanism).|
+|All Processes: Block unauthorized changes to MDATP AV configurations|*|Registry Modifications|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowRealTimeMonitoring, etc.|ASR rules don't cover these kinds of scenarios because they are part of the Microsoft Defender for Endpoint built-in protection.|Tamper Protection (opt-in, managed from Intune) prevents unauthorized changes to DisableAntiVirus, DisableAntiSpyware, DisableRealtimeMonitoring, DisableOnAccessProtection, DisableBehaviorMonitoring and DisableIOAVProtection registry keys (and more). |
+++
+See also
+
+- [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
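Review bot: the second "Office: Block Office Apps from launching child processes and from creating executable content" row (the File Creation row) is one table cell short: after the file-path list it goes straight to `N/A`, so the "ASR rules" column is lost and the rows below no longer line up with the header; add the missing cell (the row title says it is about creating executable content, so the matching built-in rule belongs there). Further fixes before merge: the Office Process Execution row lists `regsrv32.exe` where the Mshta row correctly spells it `regsvr32.exe`; the File Creation row's path `C:\Users\*AppData\Local\Temp\**\*.com` is missing the backslash between `*` and `AppData` that every other `C:\Users\*\AppData` entry has; the Wscript row's second GUID is quoted with a leading space (`" 5BEB7EFE-...`) and the sentence has no closing period; in the Process Termination row "PPL (Protection Process Light)" should read "Protected Process Light"; the last row still says "MDATP AV" while the same row uses "Microsoft Defender for Endpoint"; and the three empty added lines before "See also" plus the missing `##` heading marker (the other pages in this change use `## See also`) should be cleaned up.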
security Production Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md
the following discovery methods:
If a Transparent proxy or WPAD has been implemented in the network topology, there is no need for special configuration settings. For more information on Microsoft Defender for Endpoint URL exclusions in the proxy, see the
-[Proxy Service URLs](production-deployment.md#proxy-service-urls) section in this document for the URLs allowlist or on
+[Proxy Service URLs](production-deployment.md#proxy-service-urls) section in this document for the URLs allow list or on
[Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). **Manual static proxy configuration:**
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
To enable Microsoft Defender Antivirus, we recommend using Intune. However, you
||| |[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).<br/>3. Select **Properties**, and then select **Configuration settings: Edit**.<br/>4. Expand **Microsoft Defender Antivirus**. <br/>5. Enable **Cloud-delivered protection**.<br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/>8. Select **Review + save**, and then choose **Save**.<br/>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| |Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows). <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
### Confirm that Microsoft Defender Antivirus is in passive mode
You can choose from several methods to add your exclusions to Microsoft Defender
|--|--| |[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/>3. Under **Manage**, select **Properties**. <br/>4. Select **Configuration settings: Edit**.<br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/>7. Choose **Review + save**, and then choose **Save**. | |[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/>5. Click **OK**.<br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/>7. Click **OK**. |
+|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/>3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/>5. Click **OK**.<br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/>7. Click **OK**. |
|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/>3. Specify your path and process exclusions. | |Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
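Review bot: the Group Policy rows now bold each segment of the navigation path but capitalize it differently from the Local group policy object row directly below: `**Computer configuration** > **Administrative templates** > **Windows components**` versus `**Computer Configuration** > **Administrative Templates** > **Windows Components**` for the same UI path; pick one casing across the table in both places this change touches. While here, the registry example `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` has a stray space inside the path, so the command as written would not find the file.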
security Troubleshoot Cloud Connect Mdemac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-cloud-connect-mdemac.md
+
+ Title: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Mac
+description: This topic describes how to troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Mac
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+ - m365initiative-defender-endpoint
+
+ms.technology: mde
++
+# Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Mac
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+**Platform**
+macOS
+
+This topic describes how to Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Mac.
+
+## Run the connectivity test
+To test if Defender for Endpoint for Mac can communicate to the cloud with the current network settings, run a connectivity test from the command line:
+
+```Bash
+mdatp connectivity test
+```
+
+expected output:
+```Bash
+Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]
+Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
+Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
+Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK]
+Testing connection with https://winatp-gw-cus.microsoft.com/test ... [OK]
+Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK]
+Testing connection with https://winatp-gw-weu.microsoft.com/test ... [OK]
+Testing connection with https://winatp-gw-neu.microsoft.com/test ... [OK]
+Testing connection with https://winatp-gw-ukw.microsoft.com/test ... [OK]
+Testing connection with https://winatp-gw-uks.microsoft.com/test ... [OK]
+Testing connection with https://eu-v20.events.data.microsoft.com/ping ... [OK]
+Testing connection with https://us-v20.events.data.microsoft.com/ping ... [OK]
+Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK]
+Testing connection with https://v20.events.data.microsoft.com/ping ... [OK]
+```
+
+If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-endpoint-mac.md#network-connections) are blocked by a proxy or firewall.
+
+Failures with curl error 35 or 60 indicate certificate pinning rejection, which indicates a potential issue with SSL or HTTPS inspection. See instructions below regarding SSL inspection configuration.
+
+## Troubleshooting steps for environments without proxy or with Proxy autoconfig (PAC) or with Web Proxy Autodiscovery Protocol (WPAD)
+Use the following procedure to test that a connection is not blocked in an environment without a proxy or with Proxy autoconfig (PAC) or with Web Proxy Autodiscovery Protocol (WPAD).
+
+If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
+
+> [!WARNING]
+> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used. SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
+To test that a connection is not blocked:
+In a browser such as Microsoft Edge for Mac or Safari open https://x.cp.wd.microsoft.com/api/report and https://cdn.x.cp.wd.microsoft.com/ping.
+
+Optionally, in Terminal, run the following command:
+
+```Bash
+curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+The output from this command should be similar to:
+```bash
+OK https://x.cp.wd.microsoft.com/api/report
+OK https://cdn.x.cp.wd.microsoft.com/ping
+```
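Review bot: the line "To test that a connection is not blocked:" follows the `> [!WARNING]` block with no blank line, so Markdown treats it as a lazy continuation of the block quote and it renders inside the warning callout; insert a blank line after the warning. Smaller points: the fence tags mix `Bash` (first two code blocks) and `bash` (last block); "expected output:" should start a sentence with a capital letter; "how to Troubleshoot" in the intro has a stray capital; and the two URLs in the browser step are bare text, where a code span or link would make them easier to copy.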
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
For a more user-friendly in-browser experience, consider using Microsoft Edge.
Before trying out this feature, make sure you have the following requirements: -- Windows 10 Enterprise E5 license OR Microsoft 365 E3 + Microsoft 365 E5 Security add-on.
+- Windows 10 Enterprise E5, Microsoft 365 E5, Microsoft 365 E5 Security, Microsoft 365 E3 + Microsoft 365 E5 Security add-on or the Microsoft Defender for Endpoint standalone license.
- Access to Microsoft Defender Security Center portal - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
Use the time range filter at the top left of the page to select a time period. Y
- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
+- Web Content Filtering reports are currently limited to showing the top 5000 records. For example, the ΓÇÿDomainsΓÇÖ report will only show a maximum of the top 5000 domains for a given filter query, if applicable.
+ ## Related topics - [Web protection overview](web-protection-overview.md)
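Review bot: the new `## Related topics` heading and the `- [Web protection overview]` list item are on the same line (and the heading is indented by a space), so the heading will not render as a heading and the list item is swallowed into it; put the heading on its own line, add a blank line, then the list. Also, the quotes around Domains in the new 5000-record limitation bullet come through as `ΓÇÿDomainsΓÇÖ`, which is what UTF-8 curly quotes look like when read as CP437, so the file was saved or pasted with the wrong encoding; use plain ASCII quotes (or fix the encoding) before merging.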
security Configure Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/configure-microsoft-threat-experts.md
+
+ Title: Configure and manage Microsoft Threat Experts capabilities through Microsoft 365 Defender
+description: Subscribe to Microsoft Threats Experts through Microsoft 365 Defender to configure, manage, and use it in your daily security operations and security administration work.
+keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service
+search.product: Windows 10
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+++
+# Configure and manage Microsoft Threat Experts capabilities through Microsoft 365 Defender
++
+**Applies to:**
+
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
++
+## Before you begin
+
+> [!IMPORTANT]
+> Before you apply, make sure to discuss the eligibility requirements for the Microsoft Threat Experts ΓÇô Targeted Attack Notifications managed threat hunting service with your Microsoft Technical Service provider and account team.
+
+To receive targeted attack notifications, you'll need to have Microsoft 365 Defender deployed with devices enrolled. Then, submit an application through the M365 portal for Microsoft Threat Experts - Targeted Attack Notifications.
+
+Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand. Experts on Demand lets you consult with our threat experts on how to protect your organization from relevant detections and adversaries.
+
+## Apply for Microsoft Threat Experts - Targeted Attack Notifications service
+
+If you already have Microsoft Defender for Endpoint and Microsoft 365 Defender, you can apply for Microsoft Threat Experts ΓÇô Targeted Attack Notifications through their Microsoft 365 Defender portal. Targeted attack notifications grant you special insight and analysis to help identify the most critical threats to your organization, so you can respond to them quickly.
+
+1. From the navigation pane, go to **Settings > Endpoints > General > Advanced features > Microsoft Threat Experts - Targeted Attack Notifications**.
+
+2. Select **Apply**.
+
+ ![Image of Microsoft Threat Experts settings](../../media/mte/mte-collaboratewithmte.png)
+
+3. Enter your name and email address so that Microsoft can contact you about your application.
+
+ ![Image of Microsoft Threat Experts application](../../media/mte/mte-apply.png)
+
+4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then select **Submit** when you're done. You'll receive a welcome email once your application is approved.
+
+ ![Image of Microsoft Threat Experts application confirmation](../../media/mte/mte-applicationconfirmation.png)
+
+5. After you receive your welcome email, you'll automatically start receiving targeted attack notifications.
+
+6. You can verify your status by visiting **Settings > Endpoints > General > Advanced features**. Once approved, the **Microsoft Threat Experts - Targeted Attack Notification** toggle will be visible and switched **On**.
+
+## Where you'll see the targeted attack notifications from Microsoft Threat Experts
+
+You can receive targeted attack notification from Microsoft Threat Experts through the following mediums:
+
+- The Microsoft 365 Defender portal's **Incidents** page
+- The Microsoft 365 Defender portal's **Alerts** dashboard
+- OData alerting [API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-alerts) and [REST API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api)
+- [DeviceAlertEvents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table) table in Advanced hunting
+- Your inbox, if you choose to have targeted attack notifications sent to you via email. See [Create an email notification rule](#create-an-email-notification-rule) below.
+
+### Create an email notification rule
+
+You can create rules to send email notifications for notification recipients. For full details, see [Configure alert notifications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications) to create, edit, delete, or troubleshoot email notification.
+
+## View targeted attack notifications
+
+You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification.
+
+1. Select the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**.
+
+2. From the **Alerts** page, select the same alert topic as the one you received in the email, to view further details.
+
+## Subscribe to Microsoft Threat Experts - Experts on Demand
+
+If you're already a Microsoft Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand.
+
+## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
+
+You can contact Microsoft Threat Experts from inside the Microsoft 365 Defender portal. Experts can help you understand complex threats and targeted attack notifications. Partner with experts for further details about alerts and incidents, or advice on handling compromise. Gain insight into the threat intelligence context described by your portal dashboard.
+
+> [!NOTE]
+>
+> - Alert inquiries related to your organization's customized threat intelligence data are not currently supported. Consult with your security operations or incident response team for details.
+> - You need to have the **Manage security settings in Security Center** permission in the Microsoft 365 Defender portal to submit an inquiry through the **Consult a threat expert** form.
+
+1. Navigate to the portal page related to the information that you'd like to investigate: for example, **Device**, **Alert**, or **Incident**. Make sure that the portal page related to your inquiry is in view before you send an investigation request.
+
+2. From the top menu, select **? Consult a threat expert**.
+
+ ![Image of Microsoft Threat Experts Experts on Demand from the menu](../../media/mte/incidents-action-mte-highlighted.png)
+
+ A flyout screen will open.
+
+ The header will indicate if you are on a trial subscription, or a full Microsoft Threat Experts - Experts on-Demand subscription.
+
+ ![Image of Microsoft Threat Experts Experts on Demand trial subscription screen](../../media/mte/mte-trial.png)
+
+ The **Investigation topic** field will already be populated with the link to the relevant page for your request.
+
+3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
+
+4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
+
+> [!NOTE]
+> If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your technical account manager.
+
+Watch this video for a quick overview of the Microsoft Services Hub.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
+
+## Sample investigation topics
+
+### Alert information
+
+- We saw a new type of alert for a living-off-the-land binary. We can provide the alert ID. Can you tell us more about this alert and how we can investigate it further?
+- We've observed two similar attacks, which both try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
+- We received an odd alert today about an abnormal number of failed logins from a high profile userΓÇÖs device. We can't find any further evidence for these attempts. How can Microsoft 365 Defender see these attempts? What type of logins are being monitored?
+- Can you give more context or insight about the alert, "Suspicious behavior by a system utility was observed"?
+- I observed an alert titled "Creation of forwarding/redirect rule". I believe the activity is benign. Can you tell me why I received an alert?
+
+### Possible machine compromise
+
+- Can you help explain why we see a message or alert for "Unknown process observed" on many devices in our organization? We appreciate any input to clarify whether this message or alert is related to malicious activity.
+- Can you help validate a possible compromise on the following system, dating from last week? It's behaving similarly as a previous malware detection on the same system six months ago.
+
+### Threat intelligence details
+
+- We detected a phishing email that delivered a malicious Word document to a user. The document caused a series of suspicious events, which triggered multiple alerts for a particular malware family. Do you have any information on this malware? If yes, can you send us a link?
+- We recently saw a blog post about a threat that is targeting our industry. Can you help us understand what protection Microsoft 365 Defender provides against this threat actor?
+- We recently observed a phishing campaign conducted against our organization. Can you tell us if this was targeted specifically to our company or vertical?
+
+### Microsoft Threat ExpertsΓÇÖ alert communications
+
+- Can your incident response team help us address the targeted attack notification that we got?
+- We received this targeted attack notification from Microsoft Threat Experts. We donΓÇÖt have our own incident response team. What can we do now, and how can we contain the incident?
+- We received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
+
+> [!NOTE]
+> Microsoft Threat Experts is a managed threat hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response.
+
+## Scenario
+
+### Receive a progress report about your managed hunting inquiry
+
+The response from Microsoft Threat Experts will vary according to your inquiry. You'll generally receive one of the following responses:
+
+- More information is needed to continue with the investigation
+- A file or several file samples are needed to determine the technical context
+- Investigation requires more time
+- Initial information was enough to conclude the investigation
+
+If an expert requests more information or file samples, it's crucial to respond quickly to keep the investigation moving.
+
+## See also
+
+- [Microsoft Threat Experts overview](microsoft-threat-experts.md)
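Review bot: The NOTE at the end of the alert-communications section has a subject-verb agreement error: "issues that requires an incident response" should read "issues that require an incident response". The possessive "Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services" is also awkward; "the Detection and Response Team (DART) in the Microsoft Cybersecurity Solutions Group (CSG)" reads more naturally.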
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-threat-experts.md
+
+ Title: Microsoft Threat Experts in Microsoft 365 Defender overview
+
+description: Microsoft Threat Experts provides an extra layer of expertise to Microsoft 365 Defender.
+keywords: managed threat hunting service, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts
+search.product: Windows 10
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+++
+# Microsoft Threat Experts in Microsoft 365 overview
++
+**Applies to:**
+
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
++
+Microsoft Threat Experts - Targeted Attack Notifications is a managed threat hunting service. Once you apply and are accepted, you'll receive targeted attack notifications from Microsoft threat experts, so you won't miss critical threats to your environment. These notifications will help you protect your organization's endpoints, email, and identities.
+Microsoft Threat Experts ΓÇô Experts on Demand lets you get expert advice about threats your organization is facing. You can reach out for help on threats your organization is facing. It's available as a subscription service.
+
+## Apply for Microsoft Threat Experts ΓÇô Targeted Attack Notifications
+
+> [!IMPORTANT]
+> Before you apply, make sure to discuss the eligibility requirements for Microsoft Threat Experts ΓÇô Targeted Attack Notifications with your Microsoft Technical Service provider and account team.
+
+If you already have Microsoft Defender for Endpoint and Microsoft 365 Defender, you can apply for Microsoft Threat Experts ΓÇô Targeted Attack Notifications through their Microsoft 365 Defender portal. Go to **Settings > Endpoints > General > Advanced features > Microsoft Threat Experts ΓÇô Targeted Attack Notifications**, and select **Apply**. See [Configure Microsoft Threat Experts capabilities](./configure-microsoft-threat-experts.md) for a full description.
+
+![Screenshot of MTE application page](../../media/mte/mte-collaboratewithmte.png)
+
+Once your application is approved, you'll start receiving targeted attack notifications whenever Threat Experts detect a threat to your environment.
+
+## Subscribe to Microsoft Threat Experts - Experts on Demand
+
+Contact your Microsoft representative to subscribe to Experts on Demand. See [Configure Microsoft Threat Experts capabilities](./configure-microsoft-threat-experts.md) for full details.
+
+## Receive targeted attack notification
+
+The Microsoft Threat Experts ΓÇô Targeted Attack Notification capability provides proactive hunting for the most important threats to your network. Our threat experts hunt for human adversary intrusions, hands-on-keyboard attacks, and advanced attacks, such as cyberespionage. These notifications will show up as a new alert. The managed hunting service includes:
+
+- Threat monitoring and analysis, reducing dwell time and the risk to your business
+- Hunter-trained artificial intelligence to discover and target both known attacks and emerging threats
+- Identification of the most pertinent risks, helping SOCs maximize their effectiveness
+- Help scoping compromises and providing as much context as can be quickly delivered to enable a swift SOC response.
+
+## Collaborate with experts on demand
+
+You can also contact Microsoft threat experts from directly inside the Microsoft 365 security portal, for a swift and accurate threat response. Experts can provide insight to better understand the complex threats your organization may face. Consult an expert to:
+
+- Gather additional information on alerts and incidents, including root causes and scope
+- Gain clarity into suspicious devices, alerts, or incidents and get next steps if faced with an advanced attacker
+- Determine risks and available protections related to threat actors, campaigns, or emerging attacker techniques
+
+The option to **Consult a threat expert** is available in several places throughout the portal:
+
+- <i>**Device page actions menu**</i><BR>
+![Screenshot of MTE-EOD menu option in the Device page action menu](../../media/mte/device-actions-mte-highlighted.png)
+
+- <i>**Device inventory page flyout menu**</i><BR>
+![Screenshot of MTE-EOD menu option on the device inventory page](../../media/mte/device-inventory-mte-highlighted.png)
+
+- <i>**Alerts page flyout menu**</i><BR>
+![Screenshot of MTE-EOD menu option on the alert page](../../media/mte/alerts-actions-mte-highlighted.png)
+
+- <i>**Incidents page actions menu**</i><BR>
+![Screenshot of MTE-EOD menu option on the incidents page](../../media/mte/incidents-action-mte-highlighted.png)
+
+- <i>**Incidents inventory page**</i><BR>
+![Screenshot of MTE-EOD menu option on the incidents inventory page](../../media/mte/incidents-inventory-mte-highlighted.png)
+
+> [!NOTE]
+> If you have Premier Support subscription mapped to your Microsoft Defender for Office 365 license, you can track the status of your Experts on Demand cases through Microsoft Services Hub.
+
+Watch this video for a quick overview of the Microsoft Services Hub.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
+
+## See also
+
+- [Configure Microsoft Threat Experts capabilities](./configure-microsoft-threat-experts.md)
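Review bot: The metadata title and the H1 of the new file disagree: the metadata says "Microsoft Threat Experts in Microsoft 365 Defender overview" while the heading is "# Microsoft Threat Experts in Microsoft 365 overview"; pick one. In the intro, the two sentences about Experts on Demand repeat "threats your organization is facing" back to back, so the second sentence ("You can reach out for help on threats your organization is facing.") can be dropped. In the apply section, "through their Microsoft 365 Defender portal" should be "through the Microsoft 365 Defender portal", and the later note should read "If you have a Premier Support subscription". The five "Consult a threat expert" locations wrap bold text in raw `<i>` and `<BR>` tags; plain markdown italics and a line break would match the rest of the docs set.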
security Install App Guard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/install-app-guard.md
Microsoft Defender Application Guard for Office (Application Guard for Office) h
### Minimum software requirements * **Windows 10**: Windows 10 Enterprise edition, Client Build version 2004 (20H1) build 19041 or later
-* **Office**: Office Current Channel Build version 2011 16.0.13530.10000 or later. Both 32-bit and 64-bit versions of Office are supported.
+* **Office**: Office Current Channel and Monthly Enterprise Channel, Build version 2011 16.0.13530.10000 or later. Both 32-bit and 64-bit versions of Office are supported.
* **Update package**: Windows 10 cumulative monthly security update [KB4571756](https://support.microsoft.com/help/4571756/windows-10-update-KB4571756)
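Review bot: The updated Office bullet gives a single minimum build for two channels, "Office Current Channel and Monthly Enterprise Channel, Build version 2011 16.0.13530.10000 or later", but Monthly Enterprise Channel ships builds later than Current Channel, so a reader can't tell whether that build number is the minimum for both channels or only for Current Channel; either list the minimum build for each channel separately or state explicitly that the same build applies to either channel.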
-For detailed system requirements, refer to [System requirements for Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). To learn more about Office update channels, see [Overview of update channels for Microsoft 365](/deployoffice/overview-update-channels).
+For detailed system requirements, refer to [System requirements for Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). Also, please refer to your computer manufacturer's guides on how to enable virtualization technology.
+To learn more about Office update channels, see [Overview of update channels for Microsoft 365](/deployoffice/overview-update-channels).
### Licensing requirements
For detailed system requirements, refer to [System requirements for Microsoft De
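Review bot: The added sentence "Also, please refer to your computer manufacturer's guides on how to enable virtualization technology" introduces a requirement (virtualization enabled in firmware) that the minimum requirements list above never states, so it reads as an afterthought; consider adding it as its own bullet under the requirements and dropping "please", which the docs style avoids. Moving the update-channels sentence onto its own line without a blank line between the two lines still renders as one paragraph, so the split as written has no effect.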
### Set Diagnostics & feedback to send full data
+> [!NOTE]
+> This is not required, however, configuring optional diagnostics data will help diagnose reported issues.
+ This step ensures that the data necessary to identify and fix problems is reaching Microsoft. Follow these steps to enable diagnostics on your Windows device:
Upon being opened, the file should display a few visual indicators that the file
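Review bot: The new NOTE block is immediately followed by " This step ensures that the data necessary to identify and fix problems is reaching Microsoft." with no blank line in between, so markdown treats that line as a lazy continuation of the blockquote and renders the section's intro sentence inside the note; add a blank line after the `> This is not required...` line and drop the leading space. The note text is also a comma splice; "This step isn't required; however, configuring optional diagnostic data helps diagnose reported issues." reads better.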
## Configure Application Guard for Office
-Office supports the following policies to enable you to configure the capabilities of Application Guard for Office. These policies can be configured through Group policies or through the Office cloud policy service.
+Office supports the following policies to enable you to configure the capabilities of Application Guard for Office. These policies can be configured through Group policies or through the [Office cloud policy service](/DeployOffice/overview-office-cloud-policy-service).
+See configuration set by your administrator by reviewing group policy settings in **User Configuration\\Administrative Templates\\Microsoft Office 2016\\Security Settings\\Trust Center\\Application Guard**.
+ > [!NOTE] > Configuring these policies can disable some functionalities for files opened in Application Guard for Office.
You may also submit feedback from within Office if the issue happens when Office
Application Guard for Office is integrated with Microsoft Defender for Endpoint to provide monitoring and alerting on malicious activity that happens in the isolated environment.
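Review bot: The added NOTE is written on a single indented line as `> [!NOTE] > Configuring these policies can disable some functionalities...`, which the docs renderer won't recognize as a note callout; put `> [!NOTE]` on its own line with the `> Configuring ...` text on the next line and no leading space. The sentence before it, "See configuration set by your administrator by reviewing group policy settings in ...", is awkward; "To see the configuration set by your administrator, review the Group Policy settings under ..." is clearer.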
+[Safe Documents in Microsoft E365 E5](/microsoft-365/security/office-365-security/safe-docs) is a feature that uses Microsoft Defender for Endpoint to scan documents opened in Application Guard for Office. For an additional layer of protection, users can't leave Application Guard for Office until the results of the scan have been determined.
+ Microsoft Defender for Endpoint is a security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. For more details about this platform, see [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). To learn more about onboarding devices to this platform, see [Onboard devices to the Microsoft Defender for Endpoint service](/windows/security/threat-protection/microsoft-defender-atp/onboard-configure). You can also configure Microsoft Defender for Office 365 to work with Defender for Endpoint. For more info, refer to [Integrate Defender for Office 365 with Microsoft Defender for Endpoint](integrate-office-365-ti-with-mde.md). ## Limitations and considerations
-* Application Guard for Office is a restricted mode that isolates untrusted documents so that they can't access trusted corporate resources, an intranet, the user's identity, and arbitrary files on the computer. As a result, if a user tries to access a feature that has a dependency on such accessΓÇöfor example, inserting a picture from a local file on diskΓÇöthe access will fail and produce a prompt like the following example. To enable an untrusted document to access trusted resources, users must remove Application Guard protection from the document.
+* Application Guard for Office is a protected mode that isolates untrusted documents so that they can't access trusted corporate resources, an intranet, the user's identity, and arbitrary files on the computer. As a result, if a user tries to access a feature that has a dependency on such accessΓÇöfor example, inserting a picture from a local file on diskΓÇöthe access will fail and produce a prompt like the following example. To enable an untrusted document to access trusted resources, users must remove Application Guard protection from the document.
![Dialog box saying To help you keep safe, this feature is not available](../../media/ag10-limitations.png)
When this heuristic is met, Office will pre-create an Application Guard containe
* Selecting web links (`http` or `https`) doesn't open the browser. * Pasting rich text format (RTF) content or images in Office documents opened with Application Guard isn't supported at this time.
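Review bot: "Safe Documents in Microsoft E365 E5" has a typo in the product name; it should be "Microsoft 365 E5". The paragraph that follows starts with a leading space and, as shown here, has the "## Limitations and considerations" heading run onto the end of the Defender for Endpoint paragraph; make sure the heading sits on its own line preceded by a blank line in the source, otherwise it renders as paragraph text.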
-* Updates to .NET cause files to fail to open in Application Guard. As a workaround, users can restart their device when they come across this failure. Learn more about the issue at [Receiving an error message when attempting to open Windows Defender Application Guard or Windows Sandbox](https://support.microsoft.com/help/4575917/receiving-an-error-message-when-attempting-to-open-windows-defender-ap).
+* The default setting for unsupported file types protection policy is to block opening untrusted unsupported file types of Information Rights Management (IRM), CSV, or HTML.
+* Updates to .NET might cause files to fail to open in Application Guard. As a workaround, users can restart their device when they come across this failure. Learn more about the issue at [Receiving an error message when attempting to open Windows Defender Application Guard or Windows Sandbox](https://support.microsoft.com/help/4575917/receiving-an-error-message-when-attempting-to-open-windows-defender-ap).
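Review bot: The new bullet "The default setting for unsupported file types protection policy is to block opening untrusted unsupported file types of Information Rights Management (IRM), CSV, or HTML" is hard to parse: IRM is a protection scheme rather than a file type, and "untrusted unsupported file types of ..." doesn't name the policy it refers to. Suggest naming the policy and listing the affected files separately, for example "By default, the unsupported file types policy blocks untrusted IRM-protected, CSV, and HTML files from opening." In the reinstated .NET bullet, "might cause" replaces the original "cause"; if the failure is reproducible after a .NET update, keep the original wording so readers don't dismiss the workaround.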