-> Want to see how slow (or fast) your network connection is? Try the [OOKLA Speed test](https://www.speedtest.net/) or the [Network Speed Test App](https://www.windowsphone.com/store/app/network-speed-test/9b9ae06b-2961-41ef-987d-b09567cffe70).

-# Block sign-in for shared mailbox accounts using Microsoft 365 Lighthouse

-Microsoft 365 Lighthouse provides visibility into all the shared mailboxes across your managed tenants that are enabled for direct sign-in. You can track and block sign-in for all shared mailbox accounts from the **Shared mailboxes** page.

-1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Account management** > **Shared mailboxes**.

-2. On the **Shared mailboxes** tab, select the Shared mailbox account you want to block and then select **Block sign-in**.

-1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Account management** > **Shared mailboxes**.

-2. On the **Shared mailboxes** tab, select the check box next to the accounts you want to notify.

-3. From the command bar, select **Create email**.

-Lighthouse opens your default email client and prepopulates the email message to notify them login access has been blocked.

-You can block a user account if you think it's compromised. When you block a user account, it immediately blocks anyone from signing in to that account. If a user tries to sign in, they're automatically signed out of all Microsoft 365 services within 60 minutes. Blocking a user account won't delete any data, and it won't stop the account from receiving mail.

-1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Account management** > **Search users**.

-2. On the **Search users** tab, enter a user's name in the search box.

-2. On the **Risky Users** page, select the set of users you want to take action on.

-## Always remediate PUA

-Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software, which might be unexpected or unwanted.

-Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection isn't configured on the devices. This activation of the feature helps to protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration.

-> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take upto 18 hours for tags to reflect in the portal.

-> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take upto 18 hours for tags to reflect in the portal.

-> This a temporary workaround. We are working on other alternatives to provide users more control over the VPN settings from wihtin the app.

-> Unless indicated otherwise, all export hardware and firmware assessment assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**)

-Some malicious programs may try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and imposters of the system tools on Windows machines.

-> - Devices running the MMA agent are not supported under streamlined solution and must be onboarded using the down-level method. For a list of required URLs, see the MMA tab in the [streamlined URL list](https://go.microsoft.com/fwlink/?linkid=2248278). Devices running legacy Windows version 1607, 1703, 1709, or 1803 can onboard using the new onboarding package but still require a longer list of URLs. For more information, see the preceeding table.

-|Solution (Preferred 2) | - [Setup Redirect the Microsoft Automatic Update URL for a disconnected environment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> - [Configure a server that has access to the Internet to retrieve the CTL files](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> - [Redirect the Microsoft Automatic Update URL for a disconnected environment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> <br/> _Usefule references:_ <br/> - Go to **Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings** > **Select the Network Retrieval tab** > **Select Define these policy settings** > **Select to clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.** <br/> - [Certificate Revocation List (CRL) Verification - an Application Choice](https://social.technet.microsoft.com/wiki/contents/articles/964.certificate-revocation-list-crl-verification-an-application-choice.aspx) <br/> - [https://support.microsoft.com/help/931125/how-to-get-a-root-certificate-update-for-windows](https://support.microsoft.com/help/931125/how-to-get-a-root-certificate-update-for-windows) <br/> - [https://technet.microsoft.com/library/dn265983(v=ws.11).aspx](https://technet.microsoft.com/library/dn265983(v=ws.11).aspx) <br/> - [/dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element](/dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element) - [https://blogs.msdn.microsoft.com/amolravande/2008/07/20/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config/](https://blogs.msdn.microsoft.com/amolravande/2008/07/20/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config/)|

-| Envionment Variables |`%ALLUSERSPROFILE%\MyFolder\MyProcess.exe`|Any file opened by `C:\ProgramData\MyFolder\MyProcess.exe`|

-|`-z` |Configures registry keys on the machine to prepare it for full machine memory dump collection via [CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard). This would be useful for analysis of computer freeze issues. \* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice. |Machine hanging or being unresponsive or slow. High memory usage (Memory leak): a) User mode: Private bytes b) Kernel mode: paged pool or nonaged pool memory, handle leaks.|`MSSense.exe` or `MsMpEng.exe` |

-If an onboarded device is protected by a non-Microsoft anti-malware client, Microsoft Defender Antivirus goes into [passive mode](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). In this scenario, Microsoft Defender Antivirus continues to receive updates, and the `msmpeng.exe` process is listed as a running a service. But, it doesn't perform real-time protection scans, scheduled scans, or on-demand scans, and and doesn't replace the running non-Microsoft antimalware client. The Microsoft Defender Antivirus user interface is disabled. Device users can't use Microsoft Defender Antivirus to perform on-demand scans or configure most options such as Attack Surface Reduction (ASR) rules, Network Protection, Indicators - File/IP address/URL/Certificates allow/block, Web Content Filtering, Controlled Folder Access, and so forth.

- :::image type="content" source="media/device-control-policy-intune.png" alt-text="Screeenshot of Intune user interface for device control policies." lightbox="media/device-control-policy-intune.png":::

-You can add audit policies, and you can add Allow/Deny policies. It is recomended to always add an Allow and/or Deny policy when adding an audit policy so that you don't experience unexpected results.

-### Determine the Security ID of a User, Group, or Device

-Entries can include user, group, or device restrictions based on Security ID (SID). The SID of the user who's signed in can be retrieved by running the PowerShell command `whoami /user`.

- |1|The backing-file for the real-time session "SenseNdrPktmon" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available.|This real-time session, between Pktmon - the built-in Windows service that captures network traffic, and our agent (SenseNDR) - that analyzes packets asynchroniously, is configured to limited to prevent potential performance issues. As a result, this alert may appear if too many packets are intercepted in a short time period, causing some packets to be skipped. This alert is more common with high network traffic.|Normal operating notification; no action required.|

-> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take upto 18 hours for tags to reflect in the portal.

-> **Microsoft does not support using this feature in Enterprise environments.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and can't detect most malware and potentially unwanted software. Management of the feature is not supported, the feature cannot be enabled or disabled through policies, and reporting capabilities are extremely limited. Microsoft recommends that enterprise orgnaizations choose a primary antivirus/antimalware solution, and use it exclusively.

-bash 'Extract Onbaording Json MDATP' do

-11. To enable system extention, select **Details**.

- :::image type="content" source="media/system-extention-image.png" alt-text="Screenshot that shows the system extention.":::

- :::image type="content" source="media/jamfpro-mac-profile.png" alt-text="The configurate app and custom settings." lightbox="media/jamfpro-mac-profile.png":::

-> Making configuration profiles depending on Defender's presence effectively delays deployment of configuration profiles, and results in an initially unhealthy product and/or prompts for manual approval of certian application permissions, that are otherwise auto approved by profiles.

-**Pre-requisites:**

-> Scheduled scans will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode.

-> If the device is turned off, the scan will run at the next scheduled scan time.

-> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [**Microsoft Defender for Endpoint Tech Community**](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP).

-You can use Microsoft Intune to define and apply tag for mobile devices. You can perform this task by creating a app configuration profile in Intune. For more information, please refer to following information.

->It can take up to 90 minutes for a policy to reach a device. To expedite the process, for devices Managed by Defender for Enpoint, you can select **Policy sync** from the actions menu so that it is applied in approximately 10 minutes.

-### March-2024 (Engine: 1.1.24030.4 | Platform: Coming soon)

-Follow the guidance in [Intune](/mem/intune/protect/endpoint-security-edr-policy#updating-the-onboarding-state-for-a-device) using the streamlined onboarding pacakge. After completing the steps, you must restart the device for device connectivity to switch over.

-As the Script has an exit method and wont re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present.

-|[Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)|Zimperuim|Extends your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense.|

-|[Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)|Zimperuim|Extend your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense.|

-|Policy| `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`|- Microsoft Configuration Manager co-management<br/>- Microsoft Configuration Manager<br/>- GPO|

-> [!TIP]

-> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: >

->

-> (/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=)

->

-> (/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=)

-This user guide is a simple tool to help you setup and make the most of your free Microosoft Defedender Vulnerability Managment trial. Using the suggested steps in this guide from the Microsoft Security team, you'll learn how vulnerability management can help you protect your users and data.

- :::image type="content" source=" ../../media/defender-vulnerability-management/firmware-laptop-desktop-server-modals.png" alt-text="Screenshot of the Laptop, desktop, and server modals page" lightbox=" ../../media/defender-vulnerability-management/firmware-laptop-desktop-server-modals.png":::

-> |Alerts|All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to the Microsoft Defender portal. Defender for Cloud alerts will show on the the Microsoft Defender portal [alert queue](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response).</br></br> The *cloud resource* asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.</br></br>Defender for Cloud alerts will automatically be associated with a tenant.</br></br>There will be no duplication of alerts from other Defender workloads.|

-description: If you're new to Microsoft Defender XDR and Defender Experts for Hunting, this is how you subscribe to Defender experts notifications

-3. The Microsoft Defender XDR quick tour will get you familiar with the security suite, where the capabilities are and how important they are. Select **Take a quick tour**.

-4. Read the short descriptions about what the Microsoft Defender Experts service is and the capabilities it provides. Select **Next**. You'll see the welcome page:

-### Where you'll find Defender Experts Notifications

-You can filter your incidents and alerts if you want to only see the Defender Experts Notifications amongst the many alerts. To do so:

-2. Scroll down to the **Tags** field > select the **Defender Experts** check box.

-Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization may face. Experts on Demand can help to:

-The option to **Ask Defender Experts** is available in several places throughout the portal:

-

-

-

-

-> [!NOTE]

-> If you'd like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Customer Success Account Manager. Watch this [video](https://www.microsoft.com/videoplayer/embed/RE4pk9f) for a quick overview of the Microsoft Services Hub.

- Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_).

- Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group1\>_). The recipient must satisfy _all_ of the specified conditions, which is typically difficult or redundant. For more information, see [Recipient filters in anti-malware policies](anti-malware-protection-about.md#recipient-filters-in-anti-malware-policies).

- - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

-|**Form tags in HTML** (MarkAsSpamFormTagsInHtml_)|Messages that contain `<form>` HTML tags are marked as high confidence spam. <br><br> This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.|`X-CustomSpam: Form tag in html`|

-|**Frame or iframe tags in HTML** (MarkAsSpamFramesInHtml_)|Messages that contain `<frame>` or `<iframe>` HTML tags are marked as high confidence spam. <br><br> These tags are used in email messages to format the page for displaying text or graphics.|`X-CustomSpam: IFRAME or FRAME in HTML`|

-|**Web bugs in HTML** (MarkAsSpamWebBugsInHtml_)|A _web bug_ (also known as a _web beacon_) is a graphic element (often as small as one pixel by one pixel) that's used in email messages to determine whether the recipient read the message. <br><br> Messages that contain web bugs are marked as high confidence spam. <br><br> Legitimate newsletters might use web bugs, although many consider this an invasion of privacy. |`X-CustomSpam: Web bug`|

-|**Object tags in HTML** (MarkAsSpamObjectTagsInHtml_)|Messages that contain `<object>` HTML tags are marked as high confidence spam. <br><br> This tag allows plug-ins or applications to run in an HTML window.|`X-CustomSpam: Object tag in html`|

-|**SPF record: hard fail** (MarkAsSpamSpfRecordHardFail_)|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF Record Fail`|

-|**Sender ID filtering hard fail** (MarkAsSpamFromAddressAuthFail_)|Messages that hard fail a conditional Sender ID check are marked as spam. <br><br> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF From Record Fail`|

-|**Backscatter** (MarkAsSpamNdrBackscatter_)|_Backscatter_ is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](anti-spam-backscatter-about.md). <br><br> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route _outbound_ email through EOP.</li></ul> <br><br> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs are delivered to the original message sender. Some, but not all backscatter is marked as spam. By definition, backscatter can be delivered only to the spoofed sender, not to the original sender.</li></ul> <br><br> Test mode isn't available for this setting.|`X-CustomSpam: Backscatter NDR`|

- Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_).

- Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group1\>_). The recipient must satisfy _all_ of the specified conditions, which is typically difficult or redundant. For more information, see [Recipient filters in anti-spam policies](anti-spam-protection-about.md#recipient-filters-in-anti-spam-policies).

- - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

- > Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.

- ⁵ Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.

-> All incoming messages are scanned for malware and high-confidence phishing, regardless of whether the message source is in the IP Allow List.

- - High-confidence phishing detections by [anti-spam policies](anti-spam-policies-configure.md).

-> Users can't release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high-confidence phishing messages.

-> Users can't release their own messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high-confidence phishing messages.

- Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.

- Users can't release their own messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high-confidence phishing messages.

-|**High confidence phishing** detection action (_HighConfidencePhishAction_)|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.|

-> Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.

-ZAP actions might be overridden by [Safe sender lists](create-safe-sender-lists-in-office-365.md), mail flow rules, and other organizational block and allow settings. For malware and high-confidence phishing verdicts, ZAP always takes action to protect users. Carefully consider the implications of bypassing filtering, as it may affect the security posture of your organization.