Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
microsoft-365-copilot-privacy | Microsoft 365 Copilot Privacy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-privacy.md | ms.localizationpriority: high - privacy-microsoft365 - privacy-copilot+- m365copilot hideEdit: true Last updated 03/04/2024 |
threat-intelligence | Security Copilot And Defender Threat Intelligence | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/security-copilot-and-defender-threat-intelligence.md | + - security-copilot Last updated 12/04/2023 |
threat-intelligence | Using Copilot Threat Intelligence Defender Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/using-copilot-threat-intelligence-defender-xdr.md | + - security-copilot Last updated 04/01/2024 |
admin | Microsoft 365 Copilot Usage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md | +- m365copilot search.appverid: - BCS160 |
enterprise | Best Practices For Using Office 365 On A Slow Network | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/best-practices-for-using-office-365-on-a-slow-network.md | Title: "Best practices for using Office 365 on a slow network" Previously updated : 03/15/2024 Last updated : 04/09/2024 audience: End User description: "This article guides you through the best practices that you can ad Wouldn't it be nice if your Internet connection was always fast and never down? Perhaps that day will come. But in the meantime, there are practical things you can do to work around a balky network and still get your day-to-day work done. Although Office 365 is a cloud-based service, it also provides many ways to work with your content offline and to smoothly keep your changes synchronized. Besides, it's sometimes more efficient to work with content offline just because applications run faster and the user interface is more responsive. The point is this: Office 365 gives you the best of both worlds. Here's how to take advantage of that. > [!TIP]-> Want to see how slow (or fast) your network connection is? Try the [OOKLA Speed test](https://www.speedtest.net/) or the [Network Speed Test App](https://www.windowsphone.com/store/app/network-speed-test/9b9ae06b-2961-41ef-987d-b09567cffe70). +> Want to see how slow (or fast) your network connection is? Try the [OOKLA Speed test](https://www.speedtest.net/). ## Why is my network so slow? |
enterprise | M365 Dr Workload Copilot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-dr-workload-copilot.md | ms.localizationpriority: medium - M365-subscription-management - must-keep+- m365copilot # Data Residency for Microsoft Copilot for Microsoft 365 |
lighthouse | M365 Lighthouse Block Signin Shared Mailboxes | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-block-signin-shared-mailboxes.md | search.appverid: MET150 description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to block sign-in on shared mailbox accounts." -# Block sign-in for shared mailbox accounts using Microsoft 365 Lighthouse +# Block sign-in for shared mailbox accounts in Microsoft 365 Lighthouse Every shared mailbox has a corresponding user account. A shared mailbox isn't intended for direct sign-in by its associated user account. You should always block sign-in for the shared mailbox account and keep it blocked. -Microsoft 365 Lighthouse provides visibility into all the shared mailboxes across your managed tenants that are enabled for direct sign-in. You can track and block sign-in for all shared mailbox accounts from the **Shared mailboxes** page. +Microsoft 365 Lighthouse provides visibility into all the shared mailboxes across your managed tenants that are enabled for direct sign-in. You can track and block sign-in for all shared mailbox accounts from the **Shared mailboxes** tab on the **Account management** page. ## Block sign-in for shared mailbox accounts -1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Account management** > **Shared mailboxes**. +1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Account management**, and then select the **Shared mailboxes** tab. -2. On the **Shared mailboxes** tab, select the Shared mailbox account you want to block and then select **Block sign-in**. +2. Select the shared mailbox account that you want to block, and then select **Block sign-in**. 3. 
In the **Manage sign-in status** pane, select **Block users from signing in**. Microsoft 365 Lighthouse provides visibility into all the shared mailboxes acros ## Notify users that access is blocked (optional) -1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Account management** > **Shared mailboxes**. +1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Account management**, and then select the **Shared mailboxes** tab. -2. On the **Shared mailboxes** tab, select the check box next to the accounts you want to notify. +2. Select the check box next to the shared mailbox accounts whose user you want to notify, and then select **Create email**. -3. From the command bar, select **Create email**. --Lighthouse opens your default email client and prepopulates the email message to notify them login access has been blocked. +Lighthouse opens your default email client and prepopulates the email message to notify the selected users that their login access has been blocked. ## Related content |
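Review bot: the rewritten "Block sign-in for shared mailbox accounts" steps tell the MSP to block and keep the account blocked, but never say what blocking does to a session that is already signed in; the companion "Block user sign-in" article in this same change set states that sign-out from all Microsoft 365 services completes within 60 minutes, so repeat that sentence here or link to it, otherwise an admin who blocks a shared mailbox after a suspected misuse will assume the effect is immediate.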
lighthouse | M365 Lighthouse Block User Signin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-block-user-signin.md | description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous # Block user sign-in in Microsoft 365 Lighthouse -You can block a user account if you think it's compromised. When you block a user account, it immediately blocks anyone from signing in to that account. If a user tries to sign in, they're automatically signed out of all Microsoft 365 services within 60 minutes. Blocking a user account won't delete any data, and it won't stop the account from receiving mail. +You can block a user account if you think it's compromised. When you block a user account, it immediately blocks anyone from signing in to that account. If a user tries to sign in, they're automatically signed out of all Microsoft 365 services within 60 minutes. Blocking a user account doesn't delete any data, and it doesn't stop the account from receiving mail. ## Block sign-in for a user -1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Account management** > **Search users**. +1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Account management**, and then select the **Search users** tab. -2. On the **Search users** tab, enter a user's name in the search box. +2. Enter the user's name in the search box. 3. From the search results list, select the user. You can block a user account if you think it's compromised. When you block a use 1. In the left navigation pane in <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">Lighthouse</a>, select **Users** > **Risky users**. -2. On the **Risky Users** page, select the set of users you want to take action on. +2. 
On the **Risky Users** page, select the users you want to block from signing in. 3. Select **Block sign-in**. |
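Review bot: the intro frames blocking as the response to a suspected compromise, yet it also says the account is only signed out "within 60 minutes"; during that window an attacker's existing session keeps working, so add a sentence telling the MSP what to do in the meantime (reset the password, revoke the user's active sessions) or link to the article that covers it. The "won't" to "doesn't" wording change is fine.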
lighthouse | M365 Lighthouse Overview Of Permissions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview-of-permissions.md | |
security | Advanced Features | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md | description: Turn on advanced features such as block file in Microsoft Defender + ms.localizationpriority: medium audience: ITPro For more information about role assignments, see [Create and manage roles](user- Enabling this feature allows you to run unsigned scripts in a live response session. -## Always remediate PUA --Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software, which might be unexpected or unwanted. --Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection isn't configured on the devices. This activation of the feature helps to protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration. - ## Restrict correlation to within scoped device groups This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross-device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization. |
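Review bot: the "Always remediate PUA" section is deleted outright, with no replacement text and no statement of whether the tenant-wide PUA remediation toggle was removed from the product or just moved to another article; a reader of the advanced-features page is left with no way to find it. If the setting was retired, add a deprecation callout like the IMPORTANT block this same change set adds to attack-simulations.md; if it moved, add a link to the new location.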
security | Android Configure Mam | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md | Use the following steps to configure the Device tags: > [!NOTE] -> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take upto 18 hours for tags to reflect in the portal. +> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take up to 18 hours for tags to reflect in the portal. ## Related topics |
security | Android Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md | Use the following steps to configure the Device tags: > [!NOTE] -> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take upto 18 hours for tags to reflect in the portal. +> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take up to 18 hours for tags to reflect in the portal. ## Related articles |
security | Android Support Signin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md | Users need to disable MDE VPN from the Settings page. The following steps can be Users should enable VPN when they're no longer using the banking app to ensure that their devices are protected. >[!NOTE]-> This a temporary workaround. We are working on other alternatives to provide users more control over the VPN settings from wihtin the app. +> This a temporary workaround. We are working on other alternatives to provide users more control over the VPN settings from within the app. |
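Review bot: the hunk fixes "wihtin" but leaves "This a temporary workaround" (missing "is") on the same line; fix both while the note is open. The surrounding text tells users to disable the MDE VPN for the banking app and re-enable it afterwards "to ensure that their devices are protected"; say which protection is actually lost while the VPN is off, so users and admins can judge the exposure of that workaround.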
security | Export Firmware Hardware Assessment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/export-firmware-hardware-assessment.md | There are different API calls to get different types of data. In general, each A Data that is collected using either '_JSON response_ or _via files_' is the current snapshot of the current state. It doesn't contain historic data. To collect historic data, customers must save the data in their own data storages. > [!NOTE]-> Unless indicated otherwise, all export hardware and firmware assessment assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**) +> Unless indicated otherwise, all export hardware and firmware assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**) ## 1. Export hardware and firmware assessment (JSON response) |
security | Attack Simulations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-simulations.md | +> [!IMPORTANT] +> **The Microsoft Defender for Endpoint evaluation lab was deprecated in January, 2024**. + [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)] **Applies to:** |
security | Attack Surface Reduction Rules Reference | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md | Dependencies: Microsoft Defender Antivirus This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. -Some malicious programs may try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and imposters of the system tools on Windows machines. +Some malicious programs may try to copy or impersonate Windows system tools to avoid detection or gain privileges. Allowing such executable files can lead to potential attacks. This rule prevents propagation and execution of such duplicates and impostors of the system tools on Windows machines. > [!NOTE] > This capability is currently in preview. Additional upgrades to improve efficacy are under development. |
security | Configure Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-environment.md | The following downloadable spreadsheet lists the services and their associated U > - To use the new onboarding method, devices must meet specific prerequisites and use a new onboarding package. For more information, see [prerequisites](configure-device-connectivity.md#prerequisites). You can migrate previously onboarded devices. See, [migrating devices to streamlined connectivity](migrate-devices-streamlined.md ).<br> > - Certain services are not included in this consolidation. You must verify that you maintain connectivity with the required services. For details on services **not** included in the consolidation, see the [streamlined URL sheet](https://go.microsoft.com/fwlink/?linkid=2248278) or [onboarding devices using streamlined method](configure-device-connectivity.md).-> - Devices running the MMA agent are not supported under streamlined solution and must be onboarded using the down-level method. For a list of required URLs, see the MMA tab in the [streamlined URL list](https://go.microsoft.com/fwlink/?linkid=2248278). Devices running legacy Windows version 1607, 1703, 1709, or 1803 can onboard using the new onboarding package but still require a longer list of URLs. For more information, see the preceeding table. +> - Devices running the MMA agent are not supported under streamlined solution and must be onboarded using the down-level method. For a list of required URLs, see the MMA tab in the [streamlined URL list](https://go.microsoft.com/fwlink/?linkid=2248278). Devices running legacy Windows version 1607, 1703, 1709, or 1803 can onboard using the new onboarding package but still require a longer list of URLs. For more information, see the preceding table. <br> |
security | Configure Network Connections Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md | Use the tables below to see error messages you might encounter along with inform |Solution|Description| |:|:| |Solution (Preferred) | Configure the system-wide WinHttp proxy that allows the CRL check.|-|Solution (Preferred 2) | - [Setup Redirect the Microsoft Automatic Update URL for a disconnected environment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> - [Configure a server that has access to the Internet to retrieve the CTL files](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> - [Redirect the Microsoft Automatic Update URL for a disconnected environment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> <br/> _Usefule references:_ <br/> - Go to **Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings** > **Select the Network Retrieval tab** > **Select Define these policy settings** > **Select to clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.** <br/> - [Certificate Revocation List (CRL) Verification - an Application Choice](https://social.technet.microsoft.com/wiki/contents/articles/964.certificate-revocation-list-crl-verification-an-application-choice.aspx) <br/> - [https://support.microsoft.com/help/931125/how-to-get-a-root-certificate-update-for-windows](https://support.microsoft.com/help/931125/how-to-get-a-root-certificate-update-for-windows) <br/> - [https://technet.microsoft.com/library/dn265983(v=ws.11).aspx](https://technet.microsoft.com/library/dn265983(v=ws.11).aspx) <br/> - 
[/dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element](/dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element) - [https://blogs.msdn.microsoft.com/amolravande/2008/07/20/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config/](https://blogs.msdn.microsoft.com/amolravande/2008/07/20/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config/)| +|Solution (Preferred 2) | - [Setup Redirect the Microsoft Automatic Update URL for a disconnected environment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> - [Configure a server that has access to the Internet to retrieve the CTL files](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> - [Redirect the Microsoft Automatic Update URL for a disconnected environment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> <br/> _Useful references:_ <br/> - Go to **Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings** > **Select the Network Retrieval tab** > **Select Define these policy settings** > **Select to clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.** <br/> - [Certificate Revocation List (CRL) Verification - an Application Choice](https://social.technet.microsoft.com/wiki/contents/articles/964.certificate-revocation-list-crl-verification-an-application-choice.aspx) <br/> - [https://support.microsoft.com/help/931125/how-to-get-a-root-certificate-update-for-windows](https://support.microsoft.com/help/931125/how-to-get-a-root-certificate-update-for-windows) <br/> - [https://technet.microsoft.com/library/dn265983(v=ws.11).aspx](https://technet.microsoft.com/library/dn265983(v=ws.11).aspx) 
<br/> - [/dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element](/dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element) - [https://blogs.msdn.microsoft.com/amolravande/2008/07/20/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config/](https://blogs.msdn.microsoft.com/amolravande/2008/07/20/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config/)| |Work-around solution (Alternative) <br/> _Not best practice since you'll no longer check for revoked certificates or certificate pinning_.| Disable CRL check only for SPYNET. <br/> Configuring this registry SSLOption disables CRL check only for SPYNET reporting. It wonΓÇÖt impact other services.<br/><br/> To to this: <br/> Go to **HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet** > set SSLOptions (dword) to 0 (hex). <br/> - 0 ΓÇô disable pinning and revocation checks <br/> - 1 ΓÇô disable pinning <br/> - 2 ΓÇô disable revocation checks only <br/> - 3 ΓÇô enable revocation checks and pinning (default)| ## Attempt to download a fake malware file from Microsoft |
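Review bot: this hunk only corrects "Usefule" to "Useful"; the same cell still reads "To to this", still carries the mojibake "ΓÇÖ" and "ΓÇô" where an apostrophe and dashes belong, and the three "Preferred 2" bullets all point at the same dn265983 URL under different titles. The bigger problem is the work-around row: it instructs setting SSLOptions to 0, which the row's own legend defines as "disable pinning and revocation checks", even though value 2 ("disable revocation checks only") is the narrower setting that matches the stated goal of skipping the CRL check; either change the example to 2 or explain why pinning must also be disabled.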
security | Configure Process Opened File Exclusions Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md | The following table describes how the wildcards can be used in the process exclu | |`C:\*\*\MyProcess.exe`|Any file opened by `C:\MyFolder1\MyFolder2\MyProcess.exe` or `C:\MyFolder3\MyFolder4\MyProcess.exe`| | |`C:\*\MyFolder\My*.exe`|Any file opened by `C:\MyOtherFolder\MyFolder\MyProcess.exe` or `C:\AnotherFolder\MyFolder\MyOtherProcess.exe`| |'?' (question mark) <p> Replaces one character. |`C:\MyFolder\MyProcess??.exe`|Any file opened by `C:\MyFolder\MyProcess42.exe` or `C:\MyFolder\MyProcessAA.exe` or `C:\MyFolder\MyProcessF5.exe`|-| Envionment Variables |`%ALLUSERSPROFILE%\MyFolder\MyProcess.exe`|Any file opened by `C:\ProgramData\MyFolder\MyProcess.exe`| +| Environment Variables |`%ALLUSERSPROFILE%\MyFolder\MyProcess.exe`|Any file opened by `C:\ProgramData\MyFolder\MyProcess.exe`| ### Contextual Process Exclusions |
security | Data Collection Analyzer | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md | Run `MDEClientAnalyzer.cmd /?` to see the list of available parameters and their |`-t` |Starts verbose trace of all client-side components relevant to Endpoint DLP, which is useful for scenarios where [DLP actions](/microsoft-365/compliance/endpoint-dlp-learn-about#endpoint-activities-you-can-monitor-and-take-action-on) aren't happening as expected for files. |When running into issues where the Microsoft Endpoint Data Loss Prevention (DLP) actions expected aren't occurring.|`MpDlpService.exe` | |`-q`|Calls into DLPDiagnose.ps1 script from the analyzer `Tools` directory that validates the basic configuration and requirements for Endpoint DLP. |Checks the basic configuration and requirements for Microsoft Endpoint DLP|`MpDlpService.exe`| |`-d`|Collects a memory dump of `MsSenseS.exe` (the sensor process on Windows Server 2016 or older OS) and related processes. - \* This flag can be used with above mentioned flags. - \*\* Capturing a memory dump of [PPL protected processes](/windows-hardware/drivers/install/early-launch-antimalware) such as `MsSense.exe` or `MsMpEng.exe` isn't supported by the analyzer at this time.|On Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2 or Windows Server 2016 running w/ the MMA agent and having performance (high cpu or high memory usage) or application compatibility issues. |`MsSenseS.exe`|-|`-z` |Configures registry keys on the machine to prepare it for full machine memory dump collection via [CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard). This would be useful for analysis of computer freeze issues. \* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice. |Machine hanging or being unresponsive or slow. 
High memory usage (Memory leak): a) User mode: Private bytes b) Kernel mode: paged pool or nonaged pool memory, handle leaks.|`MSSense.exe` or `MsMpEng.exe` | +|`-z` |Configures registry keys on the machine to prepare it for full machine memory dump collection via [CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard). This would be useful for analysis of computer freeze issues. \* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice. |Machine hanging or being unresponsive or slow. High memory usage (Memory leak): a) User mode: Private bytes b) Kernel mode: paged pool or nonpaged pool memory, handle leaks.|`MSSense.exe` or `MsMpEng.exe` | |`-k` |Uses [NotMyFault](/sysinternals/downloads/notmyfault) tool to force the system to crash and generate a machine memory dump. This would be useful for analysis of various OS stability issues. |Same as above.|`MSSense.exe` or `MsMpEng.exe` | The analyzer, and all of the scenario flags listed in this article, can be initiated remotely by running `RemoteMDEClientAnalyzer.cmd`, which is also bundled into the analyzer toolset: |
security | Defender Compatibility | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md | For optimal protection, configure the following settings for devices that are on For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md). -If an onboarded device is protected by a non-Microsoft anti-malware client, Microsoft Defender Antivirus goes into [passive mode](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). In this scenario, Microsoft Defender Antivirus continues to receive updates, and the `msmpeng.exe` process is listed as a running a service. But, it doesn't perform real-time protection scans, scheduled scans, or on-demand scans, and and doesn't replace the running non-Microsoft antimalware client. The Microsoft Defender Antivirus user interface is disabled. Device users can't use Microsoft Defender Antivirus to perform on-demand scans or configure most options such as Attack Surface Reduction (ASR) rules, Network Protection, Indicators - File/IP address/URL/Certificates allow/block, Web Content Filtering, Controlled Folder Access, and so forth. +If an onboarded device is protected by a non-Microsoft anti-malware client, Microsoft Defender Antivirus goes into [passive mode](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). In this scenario, Microsoft Defender Antivirus continues to receive updates, and the `msmpeng.exe` process is listed as a running a service. But, it doesn't perform real-time protection scans, scheduled scans, or on-demand scans, and doesn't replace the running non-Microsoft antimalware client. The Microsoft Defender Antivirus user interface is disabled. 
Device users can't use Microsoft Defender Antivirus to perform on-demand scans or configure most options such as Attack Surface Reduction (ASR) rules, Network Protection, Indicators - File/IP address/URL/Certificates allow/block, Web Content Filtering, Controlled Folder Access, and so forth. For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](microsoft-defender-antivirus-compatibility.md). |
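Review bot: "and and" is fixed, but "is listed as a running a service" in the same sentence is not. The list of features users can't configure in passive mode (ASR rules, Network Protection, Indicators, Web Content Filtering, Controlled Folder Access) is presented only as a user-interface limitation; state whether those features are also unenforced on the device in passive mode, since that is what an admin evaluating a non-Microsoft antimalware client needs to know.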
security | Device Control Deploy Manage Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune.md | If you're using Intune to manage Defender for Endpoint settings, you can use it 5. On the **Configuration settings** tab, you see a list of settings. You don't have to configure all of these settings at once. Consider starting with **Device Control**. - :::image type="content" source="media/device-control-policy-intune.png" alt-text="Screeenshot of Intune user interface for device control policies." lightbox="media/device-control-policy-intune.png"::: + :::image type="content" source="media/device-control-policy-intune.png" alt-text="Screenshot of Intune user interface for device control policies." lightbox="media/device-control-policy-intune.png"::: - Under **Administrative Templates**, you have [Device Installation](/windows/client-management/mdm/policy-csp-deviceinstallation?WT.mc_id=Portal-fx) and [Removable Storage Access](/windows/client-management/mdm/policy-csp-admx-removablestorage) settings. - Under **Defender**, see [Allow Full Scan Removable Drive Scanning](/windows/client-management/mdm/policy-csp-defender#allowfullscanremovabledrivescanning) settings. For information on how to add the reusable groups of settings that are included Policies can be added and removed using the **+** and **ΓÇô** icons. The name of the policy appears in the warning to users, and in advanced hunting and reports. -You can add audit policies, and you can add Allow/Deny policies. It is recomended to always add an Allow and/or Deny policy when adding an audit policy so that you don't experience unexpected results. +You can add audit policies, and you can add Allow/Deny policies. It is recommended to always add an Allow and/or Deny policy when adding an audit policy so that you don't experience unexpected results. 
> [!IMPORTANT] > If you only configure audit policies, the permissions are inherited from the default enforcement setting. |
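Review bot: besides the two spelling fixes, "Policies can be added and removed using the + and ΓÇô icons" still carries mojibake where the minus sign should be. The new recommendation to always pair an audit policy with an Allow/Deny policy is given without its reason, while the IMPORTANT note one paragraph later supplies it (audit-only policies inherit the default enforcement); tie the two together so the recommendation is not left unexplained above its rationale.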
security | Device Control Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-policies.md | description: Learn about Device control policies in Defender for Endpoint Previously updated : 03/20/2024 Last updated : 04/09/2024 Rules and groups are identified by Global Unique ID (GUIDs). If device control p For schema details, see [JSON schema for Mac](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json). +## Users ++Device control policies can be applied to users and/or user groups. ++> [!NOTE] +> In the articles related to device control, groups of users are referred to as <i>user groups</i>. The term <i>groups</i> refer to [groups](#groups) defined in the device control policy. ++ Using Intune, on either Mac and Windows, device control policies can be targeted to user groups defined in Entra Id. ++On Windows, a user or user group can be a condition on an [entry](#entries) in a policy. ++Entries with user or user groups can reference objects from either Entra Id or a local Active Directory. ++### Best practices for using device control with users and user groups ++- To create a rule for an indidual user on Windows, create an entry with a `Sid` condition foreach user in a [rule](#rules) ++- To create a rule for a user group on Windows and Intune, **either** create an entry with a `Sid` condition for each user group in a [rule] and target the policy to a machine group in Intune **or** create a rule without conditions and target the policy with Intune to the user group. ++- On Mac, use Intune and target the policy to a user group in Entra Id. ++> [!WARNING] +> Do not use both user/user group conditions in rules and user group targeting in Intune. ++> [!NOTE] +> If network connectivity is an issue, use Intune user group targeting **or** a local Active Directory groups. User/user group conditions that reference Entra Id should **only** be used in environments that have a reliable connection to Entra Id. + ## Rules A rule defines the list of included groups and a list of excluded groups. For the rule to apply, the device must be in all of the included groups and none of the excluded groups. If the device matches the rule, then the entries for that rule are evaluated. An entry defines the action and notification options applied, if the request matches the conditions. If no rules apply or no entries match the request then the default enforcement is applied. If device control is configured, and a user attempts to use a device that's not An entry supports the following optional conditions: -- User Condition: Applies the action only to the user/group identified by the SID+- User/User Group Condition: Applies the action only to the user/user group identified by the SID ++> [!NOTE] +> For user groups and users that are stored in Microsoft Entra Id, use the object id in the condition. For user groups and users that are stored localy, use the Security Identifier (SID) ++> [!NOTE] +> On Windows, The SID of the user who's signed in can be retrieved by running the PowerShell command `whoami /user`. + - Machine Condition: Applies the action only to the device/group identified by the SID - Parameters Condition: Applies the action only if the parameters match (See Advanced Conditions) Entries can be further scoped to specific users and devices. For example, allow All of the conditions in the entry must be true for the action to be applied. -### Determine the Security ID of a User, Group, or Device --Entries can include user, group, or device restrictions based on Security ID (SID). The SID of the user who's signed in can be retrieved by running the PowerShell command `whoami /user`. - You can configure entries using Intune, an XML file in Windows, or a JSON file on Mac. Select each tab for more details. ### [**Intune**](#tab/Removable) The following table describes the device type specific access and how they map t Groups define criteria for filtering objects by their properties. The object is assigned to the group if its properties match the properties defined for the group. +> [!NOTE] +> Groups in this section **do not** refer to [user groups](#users). + For example: - Allowed USBs are all the devices that match any of these manufacturers Device properties have slightly different labels in advanced hunting. The table You can configure groups in Intune, by using an XML file for Windows, or by using a JSON file on Mac. Select each tab for more details. +> [!NOTE] +> The `Group Id` in XML and `id` in JSON is used to identify the group within device control. Its not a reference to any other such as a [user group](#users) in Entra Id. + ### [**Intune**](#tab/Removable) Reusable settings in Intune map to device groups. You can configure reusable settings in Intune. |
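Review bot: several of the added lines in the new Users section and the groups NOTE carry typos that will ship to the published page: "indidual" should be "individual" and "foreach user" should be "for each user" in the first best-practice bullet; "[rule]" in the second bullet has no link target, unlike "[rule](#rules)" in the first; "stored localy" in the new entry NOTE should be "stored locally"; and "Its not a reference to any other such as a [user group]" in the groups NOTE should read "It's not a reference to any other object, such as a [user group]". Also "on either Mac and Windows" should be "on either Mac or Windows", and the added NOTE keeps the existing wording "PowerShell command `whoami /user`": whoami is a Windows command-line utility that also runs from PowerShell, so "command" without "PowerShell" would be more accurate.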
security | Event Error Codes | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-error-codes.md | You can use this table for more information on the Defender for Endpoint events |Event ID|Message|Description|Action| |||||- |1|The backing-file for the real-time session "SenseNdrPktmon" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available.|This real-time session, between Pktmon - the built-in Windows service that captures network traffic, and our agent (SenseNDR) - that analyzes packets asynchroniously, is configured to limited to prevent potential performance issues. As a result, this alert may appear if too many packets are intercepted in a short time period, causing some packets to be skipped. This alert is more common with high network traffic.|Normal operating notification; no action required.| + |1|The backing-file for the real-time session "SenseNdrPktmon" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available.|This real-time session, between Pktmon - the built-in Windows service that captures network traffic, and our agent (SenseNDR) - that analyzes packets asynchronously, is configured to limited to prevent potential performance issues. As a result, this alert may appear if too many packets are intercepted in a short time period, causing some packets to be skipped. This alert is more common with high network traffic.|Normal operating notification; no action required.| ## See also |
security | Ios Configure Features | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md | This configuration is available for both the enrolled (MDM) devices as well as u 1. Click Next and assign this policy to targeted devices/users. > [!NOTE] -> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take upto 18 hours for tags to reflect in the portal. +> The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take up to 18 hours for tags to reflect in the portal. ## Configure option to send in-app feedback |
security | Limited Periodic Scanning Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md | search.appverid: met150 - Windows > [!NOTE] -> **Microsoft does not support using this feature in Enterprise environments.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and can't detect most malware and potentially unwanted software. Management of the feature is not supported, the feature cannot be enabled or disabled through policies, and reporting capabilities are extremely limited. Microsoft recommends that enterprise orgnaizations choose a primary antivirus/antimalware solution, and use it exclusively. +> **Microsoft does not support using this feature in Enterprise environments.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and can't detect most malware and potentially unwanted software. Management of the feature is not supported, the feature cannot be enabled or disabled through policies, and reporting capabilities are extremely limited. Microsoft recommends that enterprise organizations choose a primary antivirus/antimalware solution, and use it exclusively. Limited periodic scanning is a special type of threat detection and remediation that can be enabled when another antivirus product is installed on a Windows 10 or Windows 11 device. It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md). |
security | Linux Deploy Defender For Endpoint With Chef | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md | end #Extract WindowsDefenderATPOnbaordingPackage.zip into /etc/opt/microsoft/mdatp -bash 'Extract Onbaording Json MDATP' do +bash 'Extract Onboarding Json MDATP' do code <<-EOS unzip #{zip_path} -d #{mdatp} EOS |
security | Mac Install Manually | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md | To complete this process, you must have admin privileges on the device. :::image type="content" source="media/monterey-install-2.png" alt-text="Screenshot that shows the system extension approval"::: -11. To enable system extention, select **Details**. +11. To enable system extension, select **Details**. - :::image type="content" source="media/system-extention-image.png" alt-text="Screenshot that shows the system extention."::: + :::image type="content" source="media/system-extention-image.png" alt-text="Screenshot that shows the system extension."::: 12. From the **Security & Privacy** window, select the checkboxes next to **Microsoft Defender** and select **OK**. |
security | Mac Jamfpro Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md | You'll need to take the following steps: 4. Navigate to the **Application & Custom Settings** page and select **Upload** > **Add**. - :::image type="content" source="media/jamfpro-mac-profile.png" alt-text="The configurate app and custom settings." lightbox="media/jamfpro-mac-profile.png"::: + :::image type="content" source="media/jamfpro-mac-profile.png" alt-text="The configuration app and custom settings." lightbox="media/jamfpro-mac-profile.png"::: 5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`. You need to make sure that all machines receiving Defender's package, also recei > While using this criterion may sound logical, it creates problems that are difficult to diagnose. > > Defender relies on all these profiles at the moment of its installation.-> Making configuration profiles depending on Defender's presence effectively delays deployment of configuration profiles, and results in an initially unhealthy product and/or prompts for manual approval of certian application permissions, that are otherwise auto approved by profiles. +> Making configuration profiles depending on Defender's presence effectively delays deployment of configuration profiles, and results in an initially unhealthy product and/or prompts for manual approval of certain application permissions, that are otherwise auto approved by profiles. Deploying a policy with Microsoft Defender's package *after* deploying configuration profiles ensures the end user's best experience, because all required configurations will be applied before the package installs. [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Mac Schedule Scan | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan.md | description: Learn how to schedule an automatic scanning time for Microsoft Defe + ms.localizationpriority: medium Previously updated : 02/12/2024 Last updated : 04/09/2024 audience: ITPro search.appverid: met150 While you can start a threat scan at any time with Microsoft Defender for Endpoint, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. There are three types of scheduled scans that are configurable: hourly, daily, and weekly scans. Hourly and daily scheduled scans are always run as quick scans, weekly scans can be configured to be either quick or full scans. It is possible to have all three types of scheduled scans at the same time. See the samples below. -**Pre-requisites:** ++**Prerequisites**: - Platform Update version: [101.23122.0005](mac-whatsnew.md#jan-2024-build-101231220005release-version-2012312250) or newer-- [Beta Channel (formerly Insiders-Fast), or Current Channel (Preview) (formerly Insiders-Slow)](/microsoft-365/security/defender-endpoint/mac-updates) ## Schedule a scan with *Microsoft Defender for Endpoint on macOS* Use the following command: > [!IMPORTANT]-> Scheduled scans will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode. -> If the device is turned off, the scan will run at the next scheduled scan time. +> Scheduled scans do not run at the scheduled time while the device is asleep. Instead, scheduled scans run when the device resumes from sleep mode. +> If the device is turned off, the scan runs at the next scheduled scan time. > [!TIP]-> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [**Microsoft Defender for Endpoint Tech Community**](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP). +> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [**Microsoft Defender for Endpoint Tech Community**](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP). |
security | Machine Tags | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md | You can use Microsoft Intune to define and apply device tags. You can perform th > - iOS > - Android -You can use Microsoft Intune to define and apply tag for mobile devices. You can perform this task by creating a app configuration profile in Intune. For more information, please refer to following information. +You can use Microsoft Intune to define and apply tag for mobile devices. You can perform this task by creating an app configuration profile in Intune. For more information, please refer to following information. - [Tag mobile devices with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-mobile-device-tagging-for-ios-and-android/ba-p/3897368) |
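Review bot: the rewritten sentence still reads "define and apply tag for mobile devices" and "refer to following information"; while touching this line, make it "apply tags for mobile devices" and "refer to the following information" so the fix is complete.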
security | Manage Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-security-policies.md | The following list provides a brief description of each endpoint security policy To verify that you have successfully created a policy, select a policy name from the list of endpoint security policies. >[!NOTE]->It can take up to 90 minutes for a policy to reach a device. To expedite the process, for devices Managed by Defender for Enpoint, you can select **Policy sync** from the actions menu so that it is applied in approximately 10 minutes. +>It can take up to 90 minutes for a policy to reach a device. To expedite the process, for devices Managed by Defender for Endpoint, you can select **Policy sync** from the actions menu so that it is applied in approximately 10 minutes. > :::image type="content" source="./media/policy-sync.png" alt-text="Image showing policy sync button"::: The policy page displays details that summarize the status of the policy. You can view a policy's status, which devices it has been applied to, and assigned groups. |
security | Mde Plugin Wsl | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plugin-wsl.md | DeviceProcessEvents :::image type="content" source="medieplugin-wsl/wsl-health-check-overview.png"::: +6. Microsoft Defender Endpoint for WSL supports Linux distributions running on WSL 2. If they are associated with WSL 1, you may face issues. Therefore, it is advised to disable WSL 1. To do so with the Intune policy, perform the following steps : ++ 1. Navigate to your Microsoft Intune admin center portal. ++ 2. Go to Devices -> Configuration Profiles -> Create -> New Policy. ++ 3. Select Windows 10 and later -> Settings catalog. ++ 4. Create a name for the new profile and search for ΓÇ£Windows Subsystem for LinuxΓÇ¥ to see and add the full list of available settings. + + 5. Set the Allow WSL1 setting to Disabled. ++ This will ensure only WSL 2 distributions can be used. ++ Alternately, if you want to keep using WSL 1, or not use the Intune Policy, you can selectively associate your installed distributions to run on WSL 2, by running the command in PowerShell: + + ```powershell + wsl --set-version <YourDistroName> 2 + ``` ++ To have WSL 2 as your default WSL version for new distributions to be installed in the system, run the following command in PowerShell: + + ```powershell + wsl --set-default-version 2 + ``` |
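Review bot: the quotation marks in the new step 4 are mojibake ("ΓÇ£Windows Subsystem for LinuxΓÇ¥") and will render literally; replace them with plain straight quotes around "Windows Subsystem for Linux". In the same added block, "perform the following steps :" has a stray space before the colon, "Alternately" should be "Alternatively", and the product is named "Microsoft Defender Endpoint for WSL" here while the rest of these docs call it Microsoft Defender for Endpoint; align the name. The two `wsl` commands themselves are correct as written.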
security | Microsoft Defender Antivirus Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md | Title: Microsoft Defender Antivirus security intelligence and product updates description: Manage how Microsoft Defender Antivirus receives protection and product updates. ms.localizationpriority: high Previously updated : 04/03/2024 Last updated : 04/09/2024 audience: ITPro All our updates contain - Serviceability improvements - Integration improvements (Cloud, [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender)) -### March-2024 (Engine: 1.1.24030.4 | Platform: Coming soon) +### March-2024 (Engine: 1.1.24030.4 | Platform: 4.18.24030.9) - Security intelligence update version: **1.409.1.0**-- Release date: **April 2, 2024** (Engine) / **Coming soon** (Platform)+- Release date: **April 2, 2024** (Engine) / **April 9, 2024** (Platform) - Engine: **1.1.24030.4**-- Platform: **Coming soon**+- Platform: **4.18.24030.9** - Support phase: **Security and Critical Updates** #### What's new All our updates contain - Introducted performance improvements when processing paths for exclusions. - Added improvements to allow recovering from erroneously added [Indicators of compromise (IoC)](manage-indicators.md). - Improved resilience in processing [attack surface reduction](attack-surface-reduction.md) exclusions for Anti Malware Scan Interface (AMSI) scans.-- Fixed a high memory issue related to the [Behavior Monitoring](behavior-monitor.md) queue that occured when MAPS is disabled.+- Fixed a high memory issue related to the [Behavior Monitoring](behavior-monitor.md) queue that occurred when MAPS is disabled. - A possible deadlock when receiving a [Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) configuration change from the [Microsoft Defender portal](https://security.microsoft.com) no longer occurs. ### February-2024 (Engine: 1.1.24020.9 | Platform: 4.18.24020.7) |
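Review bot: the unchanged context line "Introducted performance improvements when processing paths for exclusions" in the same What's new list still has a typo ("Introduced"); since this change already fixes "occured" in the neighbouring bullet, fix that one too.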
security | Migrate Devices Streamlined | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrate-devices-streamlined.md | Follow the guidance in [Group policy](configure-endpoints-gp.md) using the strea ### Microsoft Intune -Follow the guidance in [Intune](/mem/intune/protect/endpoint-security-edr-policy#updating-the-onboarding-state-for-a-device) using the streamlined onboarding pacakge. After completing the steps, you must restart the device for device connectivity to switch over. +Follow the guidance in [Intune](/mem/intune/protect/endpoint-security-edr-policy#updating-the-onboarding-state-for-a-device) using the streamlined onboarding package. After completing the steps, you must restart the device for device connectivity to switch over. ### Microsoft Configuration Manager |
security | Onboard Downlevel | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md | You could also use an **immediate task** to run the deployMMA.cmd if you don't w This could be done in two phases. First create **the files and the folder in** GPO - Give the system time to ensure the GPO has been applied, and all the servers have the install files. Then, add the immediate task. This will achieve the same result without requiring a reboot. -As the Script has an exit method and wont re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present. +As the Script has an exit method and won't re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to a Configuration Manager compliance policy it will check daily to ensure the MMA is present. :::image type="content" source="media/schtask.png" alt-text="schedule task" lightbox="media/schtask.png"::: |
security | Technological Partners | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/technological-partners.md | The following are the solution's categories: |||| |[Corrata Mobile Security](https://go.microsoft.com/fwlink/?linkid=2201879)|Corrata|Corrata is an immune system for mobile devices and tablets that detects & protects mobile devices from the full spectrum of security threats like phishing, malware, man-in-the-middle attacks, and data loss.| |[Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043)|Better Mobile Security Inc.|Provides solution for Threat, Phishing, and Privacy Protection and Simulation.|-|[Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)|Zimperuim|Extends your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense.| +|[Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)|Zimperium|Extends your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense.| |[Bitdefender](https://go.microsoft.com/fwlink/?linkid=2201968)|Bitdefender|Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats.| ### Business cloud applications The following are the solution's categories: |||| |[Attack Path Management](https://go.microsoft.com/fwlink/?linkid=2201774)|XM Cyber|Hybrid cloud security company providing attack path management changing the ways organizations approach cyber risk.| |[Corrata Mobile Security](https://go.microsoft.com/fwlink/?linkid=2201879)|Corrata|Corrata is an immune system for mobile devices and tablets that detects & protects mobile devices from the full spectrum of security threats like phishing, malware, man-in-the-middle attacks, and data loss.|-|[Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)|Zimperuim|Extend your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense.| +|[Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)|Zimperium|Extend your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense.| |[RiskAnalyzer](https://go.microsoft.com/fwlink/?linkid=2202245)|DeepSurface Security|DeepSurface RiskAnalyzer helps quickly and efficiently discover, analyze and prioritize cybersecurity risk.| |[Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2201965)|Skybox security|Global security posture management leader with solutions for vulnerability management and network security policy management.| |[Vulcan Cyber risk management platform](https://go.microsoft.com/fwlink/?linkid=2201770)|Vulcan Cyber|Vulcan Cyber gives you the tools to effectively manage the vulnerability and risk lifecycle for all your cyber assets, including application, cloud, and infrastructure.| |
security | Troubleshoot Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-settings.md | To remove policy conflicts, here's our current, recommended process: When policies and settings are configured in multiple tools, in general, here's the order of precedence: +1. Microsoft Defender for Endpoint security settings management + 1. Group Policy (GPO) 2. Microsoft Configuration Manager co-management 3. Microsoft Configuration Manager (standalone) Find out whether Microsoft Defender Antivirus settings are coming through a poli |Policy or setting| Registry location | Tools| | -- | -- | -- |-|Policy| `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`|- Microsoft Configuration Manager co-management<br/>- Microsoft Configuration Manager<br/>- GPO| +|Policy| `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`|- Microsoft Defender for Endpoint security settings management<br/>- Microsoft Configuration Manager co-management<br/>- Microsoft Configuration Manager<br/>- GPO| |MDM|`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager` |- Microsoft Intune (MDM)<br/>- Microsoft Configuration Manager with Tenant Attach| |Local setting|`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender`|- MpCmdRun.exe<br/>- PowerShell (Set-MpPreference)<br/>- Windows Management Instrumentation (WMI)| |
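Review bot: the inserted list item "+1. Microsoft Defender for Endpoint security settings management" leaves the existing "1. Group Policy (GPO)" numbered 1 as well, so the order of precedence in the source no longer matches what a renderer that auto-numbers will show; renumber the remaining items (Group Policy 2, co-management 3, standalone 4) in the same change. The matching addition to the Policy row of the registry-location table is consistent with the new first item.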
security | Whats New In Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md | search.appverid: met150 + ms.localizationpriority: medium Previously updated : 04/01/2024 Last updated : 04/09/2024 audience: ITPro For more information on Microsoft Defender for Endpoint on specific operating sy - [What's new in Defender for Endpoint on Android](android-whatsnew.md) - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) --> [!TIP] -> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: > -> -> (/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=) -> -> (/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=) - ## April 2024 **Microsoft Defender for Endpoint on macOS** feature now in GA: Two new ASR rules are now in public preview: - Defender Boxed opens automatically when you go to the **Incidents** page in the Microsoft Defender portal. - If you close Defender Boxed and you want to reopen it, in the Microsoft Defender portal, go to **Incidents**, and then select **Your Defender Boxed**. - Act quickly! Defender Boxed is available only for a short period of time.+- (GA) [User Contain](https://www.microsoft.com/en-us/security/blog/2023/10/11/microsoft-defender-for-endpoint-now-stops-human-operated-attacks-on-its-own) can now contain compromised users automatically stopping Human Operated Ransomware in its track using [Automatic Attack Disruption](/microsoft-365/security/defender/automatic-attack-disruption). ## November 2023 |
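Review bot: in the added User Contain bullet, "in its track" should be "in its tracks", and a comma after "automatically" is needed to separate the clauses ("...contain compromised users automatically, stopping Human Operated Ransomware in its tracks...").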
security | Trial User Guide Defender Vulnerability Management | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/trial-user-guide-defender-vulnerability-management.md | Last updated 03/15/2024 # Trial user guide: Microsoft Defender Vulnerability Management -This user guide is a simple tool to help you setup and make the most of your free Microosoft Defedender Vulnerability Managment trial. Using the suggested steps in this guide from the Microsoft Security team, you'll learn how vulnerability management can help you protect your users and data. +This user guide is a simple tool to help you setup and make the most of your free Microsoft Defender Vulnerability Management trial. Using the suggested steps in this guide from the Microsoft Security team, you'll learn how vulnerability management can help you protect your users and data. > [!NOTE] > The trial offering for Microsoft Defender Vulnerability Management isn't currently available to: |
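Review bot: the corrected sentence still uses "setup" as a verb ("help you setup and make the most of"); it should be "set up".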
security | Tvm Hardware And Firmware | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-hardware-and-firmware.md | The **Hardware and Firmware** page opens with individual pages available for: Select the **Laptop, desktop, and server models** page to see a list of all system models in the organization. - :::image type="content" source=" ../../media/defender-vulnerability-management/firmware-laptop-desktop-server-modals.png" alt-text="Screenshot of the Laptop, desktop, and server modals page" lightbox=" ../../media/defender-vulnerability-management/firmware-laptop-desktop-server-modals.png"::: + :::image type="content" source=" ../../media/defender-vulnerability-management/firmware-laptop-desktop-server-modals.png" alt-text="Screenshot of the Laptop, desktop, and server models page" lightbox=" ../../media/defender-vulnerability-management/firmware-laptop-desktop-server-modals.png"::: At the top of the page, you can view the number of models per vendor. |
security | Advanced Hunting Security Copilot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-security-copilot.md | audience: ITPro - m365-security - tier1+ - security-copilot Last updated 04/01/2024 |
security | Eval Defender Investigate Respond Simulate Attack | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack.md | You'll simulate a sophisticated attack that leverages advanced techniques to hid In this simulation, our sample scenario starts with a PowerShell script. In the real world, a user might be tricked into running a script or the script might run from a remote connection to another computer from a previously infected device, which indicates that the attacker is attempting to move laterally in the network. Detection of these scripts can be difficult because administrators also often run scripts remotely to carry out various administrative activities. During the simulation, the attack injects shellcode into a seemingly innocent process. The scenario requires the use of notepad.exe. We chose this process for the simulation, but attackers would more likely target a long-running system process, such as svchost.exe. The shellcode then goes on to contact the attacker's command-and-control (C2) server to receive instructions on how to proceed. The script attempts executing reconnaissance queries against the domain controller (DC). Reconnaissance allows an attacker to get information about recent user login information. Once attackers have this information, they can move laterally in the network to get to a specific sensitive account |
security | Microsoft 365 Security Center Defender Cloud | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud.md | The following section describes the detection and investigation experience in th > |Area |Description | > |-|--| > |Incidents|All Defender for Cloud incidents will be integrated to the Microsoft Defender portal.</br></br> - Searching for cloud resource assets in the [incident queue](incident-queue.md) is supported.</br> - The [attack story](investigate-incidents.md#attack-story) graph will show the cloud resource.</br> - The [assets tab](investigate-incidents.md#assets) in an incident page will show the cloud resource.</br> - Each virtual machine has its own device page containing all related alerts and activity.</br></br> There will be no duplication of incidents from other Defender workloads.|-> |Alerts|All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to the Microsoft Defender portal. Defender for Cloud alerts will show on the the Microsoft Defender portal [alert queue](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response).</br></br> The *cloud resource* asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.</br></br>Defender for Cloud alerts will automatically be associated with a tenant.</br></br>There will be no duplication of alerts from other Defender workloads.| +> |Alerts|All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to the Microsoft Defender portal. Defender for Cloud alerts will show on the Microsoft Defender portal [alert queue](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response).</br></br> The *cloud resource* asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.</br></br>Defender for Cloud alerts will automatically be associated with a tenant.</br></br>There will be no duplication of alerts from other Defender workloads.| > |Alert and incident correlation|Alerts and incidents are automatically correlated, providing robust context to security operations teams to understand the complete attack story in their cloud environment.| > |Threat detection|Accurate matching of virtual entities to device entities to ensure precision and effective threat detection.| > |Unified API|Defender for Cloud alerts and incidents are now included in [Microsoft Defender XDR's public API](api-overview.md), allowing customers to export their security alerts data into other systems using one API.| |
security | Onboarding Defender Experts For Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/onboarding-defender-experts-for-hunting.md | Title: How to subscribe to Microsoft Defender Experts for Hunting -description: If you're new to Microsoft Defender XDR and Defender Experts for Hunting, this is how you subscribe to Defender experts notifications +description: If you're new to Microsoft Defender XDR and Defender Experts for Hunting, this is how you onboard, receive, and set up Defender experts notifications. keywords: managed threat hunting service,onboarding to Defender Experts, sample DEN, defender experts notifications, Ask Defender Experts, MTE, Microsoft Threat Experts, EOD, endpoint attack notifications, Microsoft Defender Experts for hunting, managed response. search.product: Windows 10 If you're new to Microsoft Defender XDR and Defender Experts for Hunting: 1. Upon getting your welcome email, select **Log into Microsoft Defender XDR**. 2. Sign in if you already have a Microsoft account. If none, create one.-3. The Microsoft Defender XDR quick tour will get you familiar with the security suite, where the capabilities are and how important they are. Select **Take a quick tour**. -4. Read the short descriptions about what the Microsoft Defender Experts service is and the capabilities it provides. Select **Next**. You'll see the welcome page: +3. The Microsoft Defender XDR quick tour gets you familiar with the security suite, where the capabilities are and how important they are. Select **Take a quick tour**. +4. Read the short descriptions about what the Microsoft Defender Experts service is and the capabilities it provides. Select **Next**. You see the welcome page: ![Screenshot of the Microsoft Defender XDR welcome page with a card for the Defender Experts for Hunting service.](../../media/mte/defenderexperts/start-using-defender-experts-for-hunting.png) Refer to the following screenshot to see a sample Defender Experts Notification: ![Screenshot of a Defender Experts Notification in Microsoft Defender XDR. A Defender Expert Notification includes a title that describes the threat or activity observed, an executive summary, and list of recommendations.](../../media/mte/defenderexperts/receive-defender-experts-notification.png) -### Where you'll find Defender Experts Notifications +### Where to find Defender Experts Notifications You can receive Defender Experts Notifications from Defender Experts through the following mediums: You can receive Defender Experts Notifications from Defender Experts through the ### Filter to view just the Defender Experts Notifications -You can filter your incidents and alerts if you want to only see the Defender Experts Notifications amongst the many alerts. To do so: +You can filter your incidents and alerts if you want to only see the Defender Experts Notifications among the many alerts. To do so: 1. On the navigation menu, go to **Incidents & alerts** > **Incidents** > select the ![Filter icon](../../media/mte/defenderexperts/filter.png) icon.-2. Scroll down to the **Tags** field > select the **Defender Experts** check box. +2. Scroll down to **Service/detection sources** then select the **Microsoft Defender Experts** checkboxes under *Microsoft Defender for Endpoint* and *Microsoft Defender XDR*. 3. Select **Apply**. ### Set up Defender Experts email notifications A sample Defender Experts Notification shows up in your **Incidents** page with > [!NOTE] > Ask Defender Experts is included in your Defender Experts for Hunting subscription with [monthly allocations](/microsoft-365/security/defender/before-you-begin-defender-experts#eligibility-and-licensing). However, it's not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/). -Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization may face. Experts on Demand can help to: +Select **Ask Defender Experts** directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Ask Defender Experts can help: - Gather additional information on alerts and incidents, including root causes and scope - Gain clarity into suspicious devices, alerts, or incidents and take next steps if faced with an advanced attacker - Determine risks and available protections related to threat actors, campaigns, or emerging attacker techniques -The option to **Ask Defender Experts** is available in several places throughout the portal: +### Required permissions for submitting inquiries in the Ask Defender Experts panel -- ***Device page actions menu***+You need to select the following permissions before submitting inquires to our Defender experts. For more details about role-based access control (RBAC) permissions, see: [Microsoft Defender for Endpoint and Microsoft Defender XDR RBAC permissions](/microsoft-365/security/defender/compare-rbac-roles#map-defender-for-endpoint-and-defender-vulnerability-management-permissions-to-the-microsoft-defender-xdr-rbac-permissions). 
-![Screenshot of the Ask Defender Experts menu option in the Device page action menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/device-page-actions-menu.png) +|**Product name**|**Product RBAC permission**| +|||| +| Microsoft Defender for Endpoint RBAC | Manage security settings in the Security Center| +| Microsoft Defender XDR Unified RBAC | Authorization and settings \ Security settings \ Core security settings (manage)</br>Authorization and settings \ Security settings \ Detection tuning (manage) | -- ***Device inventory page flyout menu***+### Where to find Ask Defender Experts -![Screenshot of the Ask Defender Experts menu option in the Device inventory page flyout menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/device-inventory-flyout-menu.png) +The option to **Ask Defender Experts** is available in several places throughout the portal: -- ***Alerts page flyout menu***+- **Device page actions menu** -![Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/alerts-flyout-menu.png) + ![Screenshot of the Ask Defender Experts menu option in the Device page action menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/device-page-actions-menu.png) -- ***Incidents page actions menu***+- **Device inventory page flyout menu** -![Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/incidents-page-actions-menu.png) + ![Screenshot of the Ask Defender Experts menu option in the Device inventory page flyout menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/device-inventory-flyout-menu.png) -> [!NOTE] -> If you'd like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Customer Success Account Manager. 
Watch this [video](https://www.microsoft.com/videoplayer/embed/RE4pk9f) for a quick overview of the Microsoft Services Hub. +- **Alerts page flyout menu** ++ ![Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/alerts-flyout-menu.png) ++- **Incidents page actions menu** ++ ![Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft Defender portal.](../../media/mte/defenderexperts/incidents-page-actions-menu.png) ### Sample questions you can ask from Defender Experts |
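Review bot: the new "Required permissions for submitting inquiries in the Ask Defender Experts panel" paragraph has a typo in its first sentence, "before submitting inquires to our Defender experts" should read "inquiries", and the colon in "see: [Microsoft Defender for Endpoint and Microsoft Defender XDR RBAC permissions]" should be dropped to match the "For more information, see [...]" form used elsewhere in this article. Separately, the NOTE telling customers to reach out to their Customer Success Account Manager to track Experts on Demand cases through Microsoft Services Hub is removed with no replacement; confirm that is intended now that the feature is referred to as Ask Defender Experts rather than Experts on Demand.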
security | Security Copilot In Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-in-microsoft-365-defender.md | audience: ITPro - m365-security - tier1+ - security-copilot search.appverid: - MOE150 |
security | Security Copilot M365d Create Incident Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-create-incident-report.md | audience: ITPro - m365-security - tier1+ - security-copilot search.appverid: - MOE150 |
security | Security Copilot M365d Guided Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-guided-response.md | audience: ITPro - m365-security - tier1+ - security-copilot search.appverid: - MOE150 |
security | Security Copilot M365d Incident Summary | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-incident-summary.md | audience: ITPro - m365-security - tier1+ - security-copilot search.appverid: - MOE150 |
security | Security Copilot M365d Script Analysis | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-script-analysis.md | audience: ITPro - m365-security - tier1+ - security-copilot search.appverid: - MOE150 |
security | Microsoft 365 Zero Trust | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/microsoft-365-zero-trust.md | |
security | Anti Malware Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-malware-policies-configure.md | You can configure anti-malware policies in the Microsoft Defender portal or in P For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. - Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). + You can use a condition only once, but the condition can contain multiple values: - Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group1\>_). The recipient must satisfy _all_ of the specified conditions, which is typically difficult or redundant. For more information, see [Recipient filters in anti-malware policies](anti-malware-protection-about.md#recipient-filters-in-anti-malware-policies). + - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives - - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions. + The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. 
++ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. ++ You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. When you're finished on the **Users and domains** page, select **Next**. |
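Review bot: the removed "Different conditions use AND logic" sentence also carried the cross-reference "For more information, see [Recipient filters in anti-malware policies](anti-malware-protection-about.md#recipient-filters-in-anti-malware-policies)", and none of the new bullets carries it forward; consider re-adding it after the `romain@contoso.com` example so readers can still reach the full recipient-filter reference from this step.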
security | Anti Spam Policies Asf Settings About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-asf-settings-about.md | The following **Mark as spam** ASF settings set the SCL of detected messages to |**Empty messages** (_MarkAsSpamEmptyMessages_)|Messages with no subject, no content in the message body, and no attachments are marked as high confidence spam.|`X-CustomSpam: Empty Message`| |**Embedded tags in HTML** (_MarkAsSpamEmbedTagsInHtml_)|Messages that contain `<embed>` HTML tags are marked as high confidence spam. <br><br> This tag allows the embedding of different kinds of documents in an HTML document (for example, sounds, videos, or pictures).|`X-CustomSpam: Embed tag in html`| |**JavaScript or VBScript in HTML** (_MarkAsSpamJavaScriptInHtml_)|Messages that use JavaScript or Visual Basic Script Edition in HTML are marked as high confidence spam. <br><br> These scripting languages are used in email messages to cause specific actions to automatically occur.|`X-CustomSpam: Javascript or VBscript tags in HTML`|-|**Form tags in HTML** (MarkAsSpamFormTagsInHtml_)|Messages that contain `<form>` HTML tags are marked as high confidence spam. <br><br> This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.|`X-CustomSpam: Form tag in html`| -|**Frame or iframe tags in HTML** (MarkAsSpamFramesInHtml_)|Messages that contain `<frame>` or `<iframe>` HTML tags are marked as high confidence spam. <br><br> These tags are used in email messages to format the page for displaying text or graphics.|`X-CustomSpam: IFRAME or FRAME in HTML`| -|**Web bugs in HTML** (MarkAsSpamWebBugsInHtml_)|A _web bug_ (also known as a _web beacon_) is a graphic element (often as small as one pixel by one pixel) that's used in email messages to determine whether the recipient read the message. 
<br><br> Messages that contain web bugs are marked as high confidence spam. <br><br> Legitimate newsletters might use web bugs, although many consider this an invasion of privacy. |`X-CustomSpam: Web bug`| -|**Object tags in HTML** (MarkAsSpamObjectTagsInHtml_)|Messages that contain `<object>` HTML tags are marked as high confidence spam. <br><br> This tag allows plug-ins or applications to run in an HTML window.|`X-CustomSpam: Object tag in html`| +|**Form tags in HTML** (_MarkAsSpamFormTagsInHtml_)|Messages that contain `<form>` HTML tags are marked as high confidence spam. <br><br> This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.|`X-CustomSpam: Form tag in html`| +|**Frame or iframe tags in HTML** (_MarkAsSpamFramesInHtml_)|Messages that contain `<frame>` or `<iframe>` HTML tags are marked as high confidence spam. <br><br> These tags are used in email messages to format the page for displaying text or graphics.|`X-CustomSpam: IFRAME or FRAME in HTML`| +|**Web bugs in HTML** (_MarkAsSpamWebBugsInHtml_)|A _web bug_ (also known as a _web beacon_) is a graphic element (often as small as one pixel by one pixel) that's used in email messages to determine whether the recipient read the message. <br><br> Messages that contain web bugs are marked as high confidence spam. <br><br> Legitimate newsletters might use web bugs, although many consider this an invasion of privacy. |`X-CustomSpam: Web bug`| +|**Object tags in HTML** (_MarkAsSpamObjectTagsInHtml_)|Messages that contain `<object>` HTML tags are marked as high confidence spam. <br><br> This tag allows plug-ins or applications to run in an HTML window.|`X-CustomSpam: Object tag in html`| |**Sensitive words** (MarkAsSpamSensitiveWordList_)|Microsoft maintains a dynamic but non-editable list of words that are associated with potentially offensive messages. 
<br><br> Messages that contain words from the sensitive word list in the subject or message body are marked as high confidence spam.|`X-CustomSpam: Sensitive word in subject/body`|-|**SPF record: hard fail** (MarkAsSpamSpfRecordHardFail_)|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF Record Fail`| +|**SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_)|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF Record Fail`| The following **Mark as spam** ASF settings set the SCL of detected messages to 6, which corresponds to a **Spam** filter verdict and the corresponding action in anti-spam policies. |Anti-spam policy setting|Description|X-header added| ||||-|**Sender ID filtering hard fail** (MarkAsSpamFromAddressAuthFail_)|Messages that hard fail a conditional Sender ID check are marked as spam. <br><br> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF From Record Fail`| -|**Backscatter** (MarkAsSpamNdrBackscatter_)|_Backscatter_ is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](anti-spam-backscatter-about.md). 
<br><br> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route _outbound_ email through EOP.</li></ul> <br><br> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs are delivered to the original message sender. Some, but not all backscatter is marked as spam. By definition, backscatter can be delivered only to the spoofed sender, not to the original sender.</li></ul> <br><br> Test mode isn't available for this setting.|`X-CustomSpam: Backscatter NDR`| +|**Sender ID filtering hard fail** (_MarkAsSpamFromAddressAuthFail_)|Messages that hard fail a conditional Sender ID check are marked as spam. <br><br> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF From Record Fail`| +|**Backscatter** (_MarkAsSpamNdrBackscatter_)|_Backscatter_ is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](anti-spam-backscatter-about.md). 
<br><br> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route _outbound_ email through EOP.</li></ul> <br><br> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs are delivered to the original message sender. Some, but not all backscatter is marked as spam. By definition, backscatter can be delivered only to the spoofed sender, not to the original sender.</li></ul> <br><br> Test mode isn't available for this setting.|`X-CustomSpam: Backscatter NDR`| |
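Review bot: the **Sensitive words** row still reads `(MarkAsSpamSensitiveWordList_)` with no leading underscore, so it is the one remaining row in this table that the change leaves un-italicized while fixing the same defect in the Form tags, Frame, Web bugs, Object tags, SPF, Sender ID and Backscatter rows; change it to `(_MarkAsSpamSensitiveWordList_)` for consistency.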
security | Anti Spam Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md | You can configure anti-spam policies in the Microsoft Defender portal or in Powe For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values. - Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). + You can use a condition only once, but the condition can contain multiple values: - Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group1\>_). The recipient must satisfy _all_ of the specified conditions, which is typically difficult or redundant. For more information, see [Recipient filters in anti-spam policies](anti-spam-protection-about.md#recipient-filters-in-anti-spam-policies). + - Multiple **values** of the **same condition** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy is applied to them. + - Different **types of conditions** use AND logic. The recipient must match **all** of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values: + - Users: `romain@contoso.com` + - Groups: Executives - - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions. + The policy is applied to `romain@contoso.com` _only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him. 
++ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. ++ You can use an exception only once, but the exception can contain multiple values: ++ - Multiple **values** of the **same exception** use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). If the recipient matches **any** of the specified values, the policy isn't applied to them. + - Different **types of exceptions** use OR logic (for example, _\<recipient1\>_ or _\<member of group1\>_ or _\<member of domain1\>_). If the recipient matches **any** of the specified exception values, the policy isn't applied to them. When you're finished on the **Users, groups, and domains** page, select **Next**. You can configure anti-spam policies in the Microsoft Defender portal or in Powe > > For **High confidence phishing**, the **Move message to Junk Email folder** action is effectively deprecated. Although you might be able to select the **Move message to Junk Email folder** action, high confidence phishing messages are always quarantined (equivalent to selecting **Quarantine message**). >- > Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages. + > Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high confidence phishing messages. 
- **Intra-Organizational messages to take action on**: Controls whether spam filtering and the corresponding verdict actions are applied to internal messages (messages sent between users within the organization). The available values are: - **Default**: This is the default value. This value is the same as selecting **High confidence phishing messages**. |
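Review bot: as in the anti-malware article, the removed "Different conditions use AND logic" sentence also carried the cross-reference "For more information, see [Recipient filters in anti-spam policies](anti-spam-protection-about.md#recipient-filters-in-anti-spam-policies)", which the new bullets drop; consider re-adding it after the `romain@contoso.com` example so the link to the full recipient-filter reference survives.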
security | Anti Spam Protection About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection-about.md | These settings aren't configured in the default anti-spam policy by default, or ⁴ If the spam filtering verdict quarantines messages by default (**Quarantine message** is already selected when you get to the page), the default quarantine policy name is shown in the **Select quarantine policy** box. If you _change_ the action of a spam filtering verdict to **Quarantine message**, the **Select quarantine policy** box is blank by default. A blank value means the default quarantine policy for that verdict is used. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. For more information about the quarantine policies that are used by default for spam filter verdicts, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings). - ⁵ Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages. + ⁵ Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high confidence phishing messages. - **Intra-Organizational messages to take action on**: Controls whether spam filtering and the corresponding verdict actions are applied to internal messages (messages sent between users within the organization). 
The action that's configured in the policy for the specified spam filter verdicts is taken on messages sent between internal users. The available values are: - **Default**: This is the default value. This value is the same as selecting **High confidence phishing messages**. |
security | Connection Filter Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connection-filter-policies-configure.md | appliesto: In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, _connection filtering_ and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are: -- **IP Allow List**: Skip spam filtering for all incoming messages from the specified source IP addresses or IP address ranges. All incoming messages are scanned for malware and high-confidence phishing. For other scenarios where spam filtering still occurs on messages from servers in the IP Allow List, see the [Scenarios where messages from sources in the IP Allow List are still filtered](#scenarios-where-messages-from-sources-in-the-ip-allow-list-are-still-filtered) section later in this article. For more information about how the IP Allow List should fit into your overall safe senders strategy, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md).+- **IP Allow List**: Skip spam filtering for all incoming messages from the specified source IP addresses or IP address ranges. All incoming messages are scanned for malware and high confidence phishing. For other scenarios where spam filtering still occurs on messages from servers in the IP Allow List, see the [Scenarios where messages from sources in the IP Allow List are still filtered](#scenarios-where-messages-from-sources-in-the-ip-allow-list-are-still-filtered) section later in this article. For more information about how the IP Allow List should fit into your overall safe senders strategy, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md). 
- **IP Block List**: Block all incoming messages from the specified source IP addresses or IP address ranges. The incoming messages are rejected, aren't marked as spam, and no other filtering occurs. For more information about how the IP Block List should fit into your overall blocked senders strategy, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md). To verify that you've successfully modified the default connection filter policy The following sections identify additional items that you need to know about when you configure the IP Allow List. > [!NOTE]-> All incoming messages are scanned for malware and high-confidence phishing, regardless of whether the message source is in the IP Allow List. +> All incoming messages are scanned for malware and high confidence phishing, regardless of whether the message source is in the IP Allow List. ### Skip spam filtering for a CIDR IP outside of the available range |
security | Quarantine About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-about.md | Whether a detected message is quarantined by default depends on the following fa - The protection feature that detected the message. For example, the following detections are always quarantined: - Malware detections by [anti-malware policies](anti-malware-policies-configure.md) and [Safe Attachments policies](safe-attachments-policies-configure.md), including [Built-in protection](preset-security-policies.md) for Safe Attachments<sup>\*</sup>.- - High-confidence phishing detections by [anti-spam policies](anti-spam-policies-configure.md). + - High confidence phishing detections by [anti-spam policies](anti-spam-policies-configure.md). - Whether you're using the Standard and/or Strict [preset security policies](preset-security-policies.md). The Strict profile quarantines more types of detections than the Standard profile. <sup>\*</sup> Malware filtering is skipped on SecOps mailboxes that are identified in the advanced delivery policy. For more information, see [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](advanced-delivery-policy-configure.md). The default quarantine policies that are assigned to protection feature verdicts Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see [Create quarantine policies](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-defender-portal). > [!NOTE]-> Users can't release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. 
If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high-confidence phishing messages. +> Users can't release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high confidence phishing messages. Both users and admins can work with quarantined messages: |
security | Quarantine Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md | The rest of this step explains how to assign quarantine policies for supported f ## Assign quarantine policies in supported policies in the Microsoft Defender portal > [!NOTE]-> Users can't release their own messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high-confidence phishing messages. +> Users can't release their own messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high confidence phishing messages. ### Anti-spam policies If you'd rather use PowerShell to assign quarantine policies in anti-spam polici Specify a different quarantine policy to turn on quarantine notifications or change the default end-user capabilities on quarantined messages for that particular spam filtering verdict. - Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages. + Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high confidence phishing messages. - In PowerShell, a new anti-spam policy in PowerShell requires a spam filter policy using the **New-HostedContentFilterPolicy** cmdlet (settings), and an exclusive spam filter rule using the **New-HostedContentFilterRule** cmdlet (recipient filters). For instructions, see [Use PowerShell to create anti-spam policies](anti-spam-policies-configure.md#use-powershell-to-create-anti-spam-policies). |
security | Quarantine Quarantine Notifications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-quarantine-notifications.md | The actions that are available for messages in the quarantine notification depen Selecting the action opens an informational web page that acknowledges the message was released from quarantine (for example, **Spam message was released from quarantine**). The **Release status** value of the message on the **Email** tab of the **Quarantine** page is **Released**. The message is delivered to the user's Inbox (or some other folder, depending on any [Inbox rules](https://support.microsoft.com/office/c24f5dea-9465-4df4-ad17-a50704d66c59) in the mailbox). - Users can't release their own messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high-confidence phishing messages. + Users can't release their own messages that were quarantined as **malware** by anti-malware or Safe Attachments policies, or as **high confidence phishing** by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware or high confidence phishing messages. - **Request release**: Available for messages that were quarantined by features using a quarantine policy with the **Limited access** permission group or the individual **Allow recipients to request a message to be released from quarantine** (_PermissionToRequestRelease_) permission. For example, custom quarantine policies. |
security | Recommended Settings For Eop And Office365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md | Admins can create or use quarantine policies with more restrictive or less restr |**Quarantine policy** for **High confidence spam** (_HighConfidenceSpamQuarantineTag_)|DefaultFullAccessPolicy¹|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if high confidence spam detections are quarantined.| |**Phishing** detection action (_PhishSpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)<sup>\*</sup>|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|<sup>\*</sup> The default value is **Move message to Junk Email folder** in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is **Quarantine message** in new anti-spam policies that you create in the Defender portal.| |**Quarantine policy** for **Phishing** (_PhishQuarantineTag_)|DefaultFullAccessPolicy¹|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if phishing detections are quarantined.|-|**High confidence phishing** detection action (_HighConfidencePhishAction_)|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.| +|**High confidence phishing** detection action (_HighConfidencePhishAction_)|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high confidence phishing messages.| |**Quarantine policy** for **High confidence phishing** (_HighConfidencePhishQuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|| |**Bulk compliant level (BCL) met or exceeded** (_BulkSpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)|| |**Quarantine policy** for **Bulk compliant level (BCL) met or exceeded** (_BulkQuarantineTag_)|DefaultFullAccessPolicy¹|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if bulk detections are quarantined.| |
security | Zero Hour Auto Purge | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md | For more information about configuring spam filtering verdicts, see [Configure a For _read or unread messages_ that are identified as _high confidence phishing_ after delivery, ZAP quarantines the message. By default, only admins can view and manage quarantined high confidence phishing messages. But, admins can create and use _quarantine policies_ to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). > [!NOTE]-> Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages. +> Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high confidence phishing messages. ZAP for high confidence phishing is enabled by default. For more information, see [Secure by Default in Office 365](secure-by-default.md). ZAP takes action on a message based on the configuration of anti-spam policies a ### How is ZAP affected by the exceptions to protection features in EOP and Defender for Office 365? -ZAP actions might be overridden by [Safe sender lists](create-safe-sender-lists-in-office-365.md), mail flow rules, and other organizational block and allow settings. For malware and high-confidence phishing verdicts, ZAP always takes action to protect users. Carefully consider the implications of bypassing filtering, as it may affect the security posture of your organization. +ZAP actions might be overridden by [Safe sender lists](create-safe-sender-lists-in-office-365.md), Exchange mail flow rules (transport rules), and other organizational block and allow settings. However, for malware and high confidence phishing verdicts, there are very few scenarios where ZAP doesn't act on messages to protect users: ++- [Third-party phishing simulation URLs identified in the Advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy) (high confidence phishing). +- [SecOps mailboxes identified in the Advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) (malware and high confidence phishing). +- The MX record for your Microsoft 365 domain points to another service or device, and you use a mail flow rule to [bypass spam filtering](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl) (high confidence phishing). +- [Admin submissions of false positives to Microsoft](submissions-admin.md#report-good-email-to-microsoft). By default, allow entries for domains and email addresses, files, and URLs exist for 30 days (malware and high confidence phishing). ++It's important for you to carefully consider the implications of bypassing filtering, as it could compromise the security posture of your organizatione. ### What are the licensing requirements for ZAP? |
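Review bot: the added closing sentence of the zero-hour-auto-purge change ("...as it could compromise the security posture of your organizatione.") misspells the last word; it should read "of your organization." Worth fixing before merge, since it is the one sentence in the new text that states the risk of the four bypass scenarios listed above it.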
security | Strengthen Security Posture Track Maintain | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/strengthen-security-posture-track-maintain.md | f1.keywords: - strengthen security posture -+ audience: Admin description: Learn how to strengthen your organization's security posture - track and maintain. |