Updates from: 04/15/2021 03:18:34
Category Microsoft Docs article Related commit history on GitHub Change details
admin Whats New In Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/whats-new-in-preview.md
And if you'd like to know what's new with other Microsoft cloud
- [Office updates](/OfficeUpdates/) - [How to check Windows release health](https://docs.microsoft.com/windows/deployment/update/check-release-health)
+## April 2021
+
+### Admin mobile app
+
+### Manage licenses and bills from the Admin mobile app
+
+- You can now view all available and assigned licenses for your subscriptions. You can also assign or un-assign licenses to users, and add or remove licenses.
+- You can now view detailed invoices in the app.
+- These updates are available on both [Android](https://go.microsoft.com/fwlink/p/?linkid=2159786) and [iOS](https://go.microsoft.com/fwlink/p/?linkid=2159787) devices.
++
+### Updated Message center feed in the Admin mobile app
+
+- You now have a more flexible reading experience of the Message center feed. You now have the ability to filter messages based on service or tags and mark messages as favorite. Bulk actions for marking messages as read, unread or archived has also been added.
+- These updates are available on both [Android](https://go.microsoft.com/fwlink/p/?linkid=2159786) and [iOS](https://go.microsoft.com/fwlink/p/?linkid=2159787) devices.
++ ## Ignite 2021 (March) Welcome to Microsoft Ignite. We hope you were able to attend some of one of our sessions: [Microsoft Ignite 2021](https://myignite.microsoft.com/sessions). Here's a few of the things we talked about at Ignite.
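Review bot: `### Admin mobile app` is added as an empty heading and is followed directly by `### Manage licenses and bills from the Admin mobile app` at the same level, so it renders as a section with no body. Either drop it or demote the two feature headings to `####` beneath it. In the Message center bullet, "Bulk actions ... has also been added" should be "have also been added", and the two consecutive sentences opening with "You now have" can be merged. The two added lines that contain only `+` look like stray characters rather than blank lines and should be checked in the source file.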
Domain management can be complicated, and we've released a new feature to make t
### Keeping up with Office What's New management
-A few months ago, we added a setting that lets you manage the [What's New messages that show up in a user's Office apps](#office-whats-new-management). This month, we released a new Home page card that will help you act quickly and keep track of the **What's New** messages that you want shown to the users in your organization.
+A few months ago, we added a setting that lets you manage the What's New messages that show up in a user's Office apps. This month, we released a new Home page card that will help you act quickly and keep track of the **What's New** messages that you want shown to the users in your organization.
### Docs, training, and videos (June)
A couple of changes in the groups area this month:
- **What's new in Microsoft 365 video series**: This month, we're focused on custom search capabilities for SharePoint Online, the Office "What's New" management feature that lets you show or hide specific features from end-users via the in-app help pane, the latest security and compliance updates in Yammer, and more. Here's the latest episode: [What's New in Microsoft 365](https://go.microsoft.com/fwlink/p/?linkid=2118096) - **Docs move**: We combined the Office 365 admin web articles with the Microsoft 365 content and you might've noticed the new URL. For example, this article used to be hosted at: **docs.microsoft.com/Office365/Admin/whats-new-in-preview**, but the URL is now: **docs.microsoft.com/microsoft-365/admin/whats-new-in-preview**. If you've bookmarked pages, you should update your links; however, content links will be redirected to the new content repo.-
-## January 2020 - Happy New Year
-
-> [!NOTE]
-> Did you know that there's a [What's New in Microsoft 365](https://go.microsoft.com/fwlink/p/?linkid=2118096) video series on YouTube? It highlights the latest features that we've rolled out to users. Every month, we'll start linking to the latest episode in the [Videos, training, and docs](#videos-training-and-docs) section. <br> <br> Here's the latest episode: [What's New in Microsoft 365](https://go.microsoft.com/fwlink/p/?linkid=2118096)
-
-### Dark mode
-
-When we first rolled out dark mode, it was only available on the Home page. Dark mode is now out of preview and is in Targeted release across most pages in the admin center.
-
-1. First, you'll need to turn on Targeted Release: Go to **Settings** \> **Settings** \> **Organization profile** \> **Release preferences**.
-1. And then to turn on dark mode, go to the **Home** page, and then select the **Dark mode** button. (It's next to the **Search** field and this article's **What's new** link.)
-1. For any page that has dark mode available, the button is at the top of the page, next to **The new admin center** toggle.
-
-### Office What's New management
-
-Admins want control over how Microsoft communicates "What's New" to their users in the Office apps - and you now have that control. Go to **Settings** \> **Office What's New management Preview**. Select a feature to view its details, and then you can select the **Hide from users** button if you don't want your users to see a particular "what's new" message. For example, your organization might be waiting to let users know about a feature until everyone in your org is trained on it.
-
-![Screen capture of Office What's New preview with a feature's details pane open.](../media/whatsnew-officemgmt-preview.png)
-
-This feature was first released to preview in November, but there have been a few feature updates that you should know about: [Office What's New management preview updates now available](https://techcommunity.microsoft.com/t5/microsoft-365-blog/office-what-s-new-management-preview/ba-p/1020438)
-
-### Partners
-
-Howdy, Partners! (Couldn't help myself.) We've got an update for you this month, as well. There's a new feature that allows Partners to give CSP customers the option to accept their Microsoft Customer Agreement (MCA) in the **Billing accounts** section of the admin center. In this new experience:
-
-1. The customer receives an invitation email with a link to accept the partner relationship and the MCA.
-2. After the customer signs in, they can view and accept the MCA and partner permissions - right from the admin center.
-
-### Resource mailboxes
-
-The Resource mailboxes list has been updated to the new style. In the Microsoft 365 admin center, go to **Resources** \> **Rooms & equipment**.
-
-### Videos, training, and docs (January)
-
-Check out the small business admin training that we released in January:
--- [Create your business website](https://support.microsoft.com/office/3325d50e-d131-403c-a278-7f3296fe33a9)-- [Find answers and help](https://support.microsoft.com/office/7f681212-c649-4a3e-a43b-32b1d1e58988)-- [Get help or support](https://support.microsoft.com/office/18948a4c-3eb1-4b30-b1bc-a4cc29eb7655)-- [Delete a user](https://support.microsoft.com/office/6bcdad7b-732a-4260-997a-8c176bc3d9d6)-- [Choose a Microsoft subscription](https://support.microsoft.com/office/b9f7c78e-430f-4117-89ec-2eeb1dced2ca)-- [Overview of Microsoft 365 for business security](https://support.microsoft.com/office/3274b159-a825-46d7-9421-7d6e209389d1)
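Review bot: deleting the January 2020 section removes the heading `### Office What's New management` and with it the anchor `#office-whats-new-management`. The in-page link to that anchor is cleaned up in the "Keeping up with Office What's New management" paragraph, but that paragraph now mentions the setting with no pointer to where it is documented. Consider linking it to wherever the feature is described now, and search the repo for any remaining links to the removed anchor.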
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
If a support engineer disables this setting for your tenant:
- The new metadata format and location for Office documents that were used while the setting was enabled will not be copied to the original format and location. As a result, this labeling information for unencrypted Word, Excel, and PowerPoint files will be lost. -- Co-authoring and AutoSave no longer work in your tenant.
+- Co-authoring and AutoSave no longer work in your tenant for labeled and encrypted documents.
- Sensitivity labels remain enabled for Office files in OneDrive and SharePoint.
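Review bot: "for labeled and encrypted documents" in the rewritten bullet is ambiguous. It can be read as documents that are both labeled and encrypted, or as labeled documents and encrypted documents. The preceding bullet talks about unencrypted files, so readers will want to know exactly which files lose co-authoring and AutoSave; state the scope explicitly.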
enterprise Office 365 Network Mac Perf Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-overview.md
The Microsoft 365 Admin Center now includes aggregated network connectivity metr
When you first navigate to the network performance page, you will see an overview pane containing a map of global network performance, a network assessment scoped to the entire tenant, and a list of current issues. From the overview, you can drill down to view specific network performance metrics and issues by location. For more information, see [Network performance overview in the Microsoft 365 Admin Center](#network-connectivity-overview-in-the-microsoft-365-admin-center).
-You may be asked to join the public preview for this feature on behalf of your organization. Acceptance usually happened immediately and then you will see the network connectivity page.
+You may be asked to join the public preview for this feature on behalf of your organization. Acceptance usually happens immediately, after which you would see the network connectivity page.
-On navigating to the network connectivity page, you will see an overview pane containing a map of global network performance, a network assessment scoped to the entire tenant, and a list of current issues. To access this page you must be an administrator for the organization within Microsoft 365. The Report Reader administrative role will have read access to this information. To configure locations and other elements of network connectivity an administrator must be part of a server administrator role such as the Service support admin role. From the overview, you can drill down to view specific network performance metrics and issues by location. For more information, see [Network connectivity overview in the Microsoft 365 Admin Center](#network-connectivity-overview-in-the-microsoft-365-admin-center).
+On navigating to the network connectivity page, you will see an overview pane containing a map of global network performance, a network assessment scoped to the entire tenant, percentage of your users working remotely vs onsite, and a list of current issues to take action on or to research further. To access this page, you must be an administrator for the organization within Microsoft 365. The Report Reader administrative role will have read access to this information. To configure locations and other elements of network connectivity an administrator must be part of a server administrator role such as the Service support admin role. From the overview, you can drill down to view specific network performance metrics and issues by location.
## Pre-requisites for network connectivity assessments to appear
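Review bot: the rewritten paragraph beginning "On navigating to the network connectivity page" repeats almost word for word the unchanged paragraph just above it ("When you first navigate to the network performance page, you will see an overview pane ..."), and the two now use different names for the same page. Fold them into one paragraph and settle on one page name. The change also drops the closing "For more information" link here, while the paragraph above still links to the same anchor under the older "Network performance overview" title. In the preview sentence, "after which you would see" reads better as "after which you will see".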
To get started, turn on your location opt-in setting to automatically collect da
### 1. Enable Windows Location Services
-For this option, you must have at least two computers running at each office location that support the pre-requisites. OneDrive for Windows version must be up-to-date and installed on each computer. For more information on OneDrive versions, see the [OneDrive release notes](https://support.office.com/article/onedrive-release-notes-845dcf18-f921-435e-bf28-4e24b95e5fc0). Network measurements are planned to be added in other Office 365 client applications in the near future.
+For this option, you must have at least two computers running at each office location that support the pre-requisites. OneDrive for Windows version must be up-to-date and installed on each computer. For more information on OneDrive versions, see the [OneDrive release notes](https://support.office.com/article/onedrive-release-notes-845dcf18-f921-435e-bf28-4e24b95e5fc0). Network measurements are planned to be added to other Office 365 client applications in the near future.
Windows Location Service must be consented on the machines. You can test this by running the **Maps** app and locating yourself. It can be enabled on a single machine with **Settings | Privacy | Location** where the setting _Allow apps to access your location_ must be enabled. Windows Location Services consent can be deployed to PCs using MDM or Group Policy with the setting _LetAppsAccessLocation_.
Measurement samples and office locations should start to appear 24 hours after t
### 2. Add locations and provide LAN subnet information
-For this option, neither Windows Location Services nor Wi-Fi are required. Your OneDrive for Windows version must be up-to-date and installed on each computer at the location.
+For this option, neither Windows Location Services nor Wi-Fi are required. Your OneDrive for Windows version must be up-to-date and installed on at least one computer at the location.
-You also need to add locations in the Admin Center network connectivity page or to import those from a CSV file. The locations added must include your office LAN subnet information.
+You also need to add locations in the in the **Locations page** or to import them from a CSV file. The locations added must include your office LAN subnet information.
-Since you are adding the locations, you can have multiple offices defined within a city.
+This option allows you to have multiple offices defined within a city.
All test measurements from client machines include the LAN subnet information, which is correlated with the office location details that you have entered. Measurement samples and office locations should start to appear 24 hours after these pre-requisites have been met. ### 3. Manually gather test reports with the Microsoft 365 network connectivity test tool
-For this option, you need to identify a person at each location. Ask them to browse to [Microsoft 365 network connectivity test](https://connectivity.office.com) on a Windows machine on which they have administrative permissions. On the web site, they need to sign-in to their Office 365 account for the same organization that you want to see the results. Then they should click **Run test**. During the test there is a downloaded Connectivity test EXE. They need to open and execute that also. Once the tests are completed, the test result is uploaded to Office 365.
+For this option, you need to identify a person at each location. Ask them to browse to [Microsoft 365 network connectivity test](https://connectivity.office.com) on a Windows machine on which they have administrative permissions. On the web site, they need to sign-in to their Office 365 account for the same organization that you want to see the results. Then they should click **Run test**. During the test there is a downloaded Connectivity test EXE. They need to open and execute that. Once the tests are completed, the test result is uploaded to the Admin Center.
Test reports are linked to a location if it was added with LAN subnet information, otherwise they are shown at the city location only.
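Review bot: the added sentence "You also need to add locations in the in the **Locations page**" has a doubled "in the", and it bolds "Locations page" where the rest of the article writes "the **Locations** tab". Suggest "add locations in the **Locations** tab or import them from a CSV file". The Option 2 change from "each computer" to "at least one computer" is worth a quick check against Option 1, which still asks for at least two computers per location, so readers can see the difference is intended.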
Measurement samples and office locations should start to appear 2-3 minutes afte
## How do I use this information?
-**Network insights**, their related performance recommendations and network assessments are intended to help in designing network perimeters for your office locations. Each insight provides details about the performance characteristics for a specific common issue for each geographic location where users are accessing your tenant. **Performance recommendations** for each network insight offer specific network architecture design changes you can make to improve user experience related to Microsoft 365 network connectivity. The network assessment shows how network connectivity impacts user experience, allowing for comparison of different user location network connections.
+**Network insights**, their related performance recommendations and network assessments are intended to help in designing network perimeters for your office locations. Each insight provides details about the performance characteristics for a specific common networking issue for each geographic location where users are accessing your tenant. **Performance recommendations** for each network insight offer specific network architecture design changes you can make to improve user experience related to Microsoft 365 network connectivity. The network assessment shows how network connectivity impacts user experience, allowing for comparison of different user location network connections.
**Network assessments** distill an aggregate of many network performance metrics into a snapshot of your enterprise network health, represented by a points value from 0 - 100. Network assessments are scoped to both the entire tenant and for each geographic location from which users connect to your tenant, providing Microsoft 365 administrators with an easy way to instantly grasp a gestalt of the enterprise's network health and quickly drill down into a detailed report for any global office location.
Complex enterprises with multiple office locations and non-trivial network perim
> [!div class="mx-imgBorder"] > ![Customer network to cloud](../media/m365-mac-perf/m365-mac-perf-first-last-mile.png)
-Many enterprises have network perimeter configurations which have grown over time and are primarily designed to accommodate employee Internet web site access where most web sites are not known in advance and are untrusted. The prevailing and necessary focus is avoiding malware and fishing attacks from these unknown web sites. This network configuration strategy, while helpful for security purposes, can lead to degradation of Microsoft 365 user performance and user experience.
+Many enterprises have network perimeter configurations which have grown over time and are primarily designed to accommodate employee Internet web site access where most web sites are not known in advance and are untrusted. The prevailing and necessary focus is avoiding malware and phishing attacks from these unknown web sites. This network configuration strategy, while helpful for security purposes, can lead to degradation of Microsoft 365 user performance and user experience.
## How we can solve these challenges Enterprises can improve general user experience and secure their environment by following [Office 365 connectivity principles](./microsoft-365-network-connectivity-principles.md) and by using the Microsoft 365 Admin Center network connectivity feature. In most cases, following these general principles will have a significant positive impact on end user latency, service reliability and overall performance of Microsoft 365.
-Microsoft is sometimes asked to investigate network performance issues with Microsoft 365 for large enterprise customers, and these frequently have a root cause related to the customers network perimeter infrastructure. When a common root cause of a customer network perimeter issue is found we seek to identify simple test measurements that identifies it. A test with a measurement threshold that identifies a specific problem is valuable because we can test the same measurement at any location, tell whether this root cause is present there and share it as a network insight with the administrator.
+Microsoft is sometimes asked to investigate network performance issues with Microsoft 365 for large enterprise customers, and these frequently have a root cause related to the customer's network perimeter infrastructure. When a common root cause of a customer network perimeter issue is found we seek to identify simple test measurements that identifies it. A test with a measurement threshold that identifies a specific problem is valuable because we can test the same measurement at any location, tell whether this root cause is present there and share it as a network insight with the administrator.
Some network insights will merely indicate a problem that needs further investigation. A network insight where we have enough tests to show a specific remediation action to correct the root cause is listed as a **recommended action**. These recommendations, based on live metrics that reveal values that fall outside a predetermined threshold, are much more valuable than general best practice advice since they are specific to your environment and will show the actual improvement once the recommended changes have been made.
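Review bot: the paragraph starting "Microsoft is sometimes asked" gets the "customer's" apostrophe fix, but the next sentence still has an agreement error: "simple test measurements that identifies it" should be "that identify it". A comma after "is found" would also help that sentence.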
The overview page also shows the network assessment for the customer as a weight
> [!div class="mx-imgBorder"] > ![Network assessment](../media/m365-mac-perf/m365-mac-perf-overview-score.png)
-You can view a table view of the locations where they can be filtered, sorted, and edited in the locations tab. Locations with specific recommendations may also include an estimated potential latency improvement. This is calculated by taking the median latency of your organization users at the location and subtracting the median latency for all organizations in the same city.
+You can view a table view of the locations where they can be filtered, sorted, and edited in the **Locations** tab. Locations with specific recommendations may also include an estimated potential latency improvement. This is calculated by taking the median latency of your organization users at the location and subtracting the median latency for all organizations in the same city.
> [!div class="mx-imgBorder"] > ![Network insights locations](../media/m365-mac-perf/m365-mac-perf-locations.png)
The details tab on the office location page shows the specific measurement resul
> [!div class="mx-imgBorder"] > ![Location-specific details](../media/m365-mac-perf/m365-mac-perf-locations-plan-details-all.png) + ## Sharing network assessment data with Microsoft By default, the network assessments for your organization and the network insights are shared with Microsoft employees. This does not include any personal data from your staff but only the specific network assessment metrics and network insights shown in the admin center for your office locations. It also does not include your office location names or street addresses so you would need to tell them the city and support ID of the office you want to discuss. If this is turned off, the Microsoft engineers that you are discussing your network connectivity with cannot view any of this information. Enabling this setting only shares future data starting the day after you enable it.
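Review bot: the section under the new "Sharing network assessment data with Microsoft" heading says the data is shared by default and can be turned off, but it never names the setting, says where in the admin center it lives, or says which role can change it. Add that, since this is the paragraph an administrator will look for when reviewing what leaves the tenant. "You would need to tell them the city and support ID" also has no clear antecedent for "them"; name the Microsoft engineers there, as the following sentence does.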
By default, the network assessments for your organization and the network insigh
For LAN subnet office identification, you need to add each location in advance. Instead of adding individual office locations in the **Locations** tab you can import them from a CSV file. You may be able to obtain this data from other places you have stored it such as the Call Quality Dashboard or Active Directory Sites and Services
-In the CSV file a discovered city location shows in the userEntered column as blank, and a manually added office location shows as 1.
+In the CSV file, a discovered city location shows in the userEntered column as blank, and a manually added office location shows as 1.
1. In the main _Connectivity to Microsoft 365_ window, click the **Locations** tab.
In the CSV file a discovered city location shows in the userEntered column as bl
1. Open the CSV and add your locations by filling out the following fields on a new line for each location you want to add. Leave all other fields blank; values you enter in other fields will be ignored.
- 1. **userEntered** (required): Must be 1 for a new LAN Subnet office location
+ 1. **userEntered** (required): Must be 1 for a new LAN Subnet office location being added
+ 1. **Name** (required): The name of the office location
1. **Address** (required): The physical address of the office 1. **Latitude** (optional): Populated from Bing maps lookup of the address if blank 1. **Longitude** (optional): Populated from Bing maps lookup of the address if blank
In the CSV file a discovered city location shows in the userEntered column as bl
1. When you have added your office locations and saved the file, click the **Browse** button next to the **Upload the completed** field and select the saved CSV file.
-1. The file will be automatically validated. If there are validation errors, you will see the error message _There are some errors in the import file. Review the errors, correct the import file, and then try again._ Click the link **Open error details** for a list of specific field validation errors.
+1. The file will be automatically validated. If there are validation errors, you will see the error message: _There are some errors in the import file. Review the errors, correct the import file, and then try again._ Click the link **Open error details** for a list of specific field validation errors.
> [!div class="mx-imgBorder"] > ![CSV import error message](../media/m365-mac-perf/m365-mac-perf-import-error.png)
-1. If there are no errors in the file, you will see the message _The report is ready. Found x locations to add and x locations to update._ Click the **Import** button to upload the CSV.
+1. If there are no errors in the file, you will see the message: _The report is ready. Found x locations to add and x locations to update._ Click the **Import** button to upload the CSV.
> [!div class="mx-imgBorder"] > ![CSV import ready message](../media/m365-mac-perf/m365-mac-perf-import-ready.png)
The Microsoft 365 service front door is an entry point on Microsoft's global net
### What is an optimal Microsoft 365 service front door?
-An optimal Microsoft 365 service front door is one that is closest to your network egress, generally in your city or metro area. Use the [Microsoft 365 connectivity test tool (preview)](office-365-network-mac-perf-onboarding-tool.md) to determine location of your in-use Microsoft 365 service front door and optimal service front door. If the tool determines your in-use front door is optimal, then you are optimally connecting into Microsoft's global network.
+An optimal Microsoft 365 service front door is one that is closest to your network egress, generally in your city or metro area. Use the [Microsoft 365 connectivity test tool (preview)](office-365-network-mac-perf-onboarding-tool.md) to determine the location of your in-use Microsoft 365 service front door and optimal service front door. If the tool determines your in-use front door is optimal, you are optimally connecting to Microsoft's global network.
### What is an internet egress location?
-The internet egress location is the location where your network traffic exits your enterprise network and connects to the Internet. This is also identified as the location where you have a Network Address Translation (NAT) device and usually where you connect with an Internet Service Provider (ISP). If you see a long distance between your location and your internet egress location, then this may indicate a significant WAN backhaul.
+The internet egress location is the location where your network traffic exits your enterprise network and connects to the Internet. This is also identified as the location where you have a Network Address Translation (NAT) device and usually where you connect with an Internet Service Provider (ISP). If you see a long distance between your location and your internet egress location, this may indicate a significant WAN backhaul.
### What license is needed for this capability?
knowledge Topic Experiences Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-discovery.md
Name (required),Expansion,MatchType- Exact/Partial (required)
In the CSV template, enter the following information about the topics you want to exclude: - **Name**: Type the name of the topic you want to exclude. There are two ways to do this:
- - Exact match: You can include the exact name or acronym (for example, *Contoso* or *ATL*).
+ - Exact match: You can exclude the exact name or acronym (for example, *Contoso* or *ATL*).
- Partial match: You can exclude all topics that have a specific word in it. For example, *arc* will exclude all topics with the word *arc* in it, such as *Arc circle*, *Plasma arc welding*, or *Training arc*. Note that it will not exclude topics in which the text is included as part of a word, such as *Architecture*. - **Stands for (optional)**: If you want to exclude an acronym, type the words the acronym stands for. - **MatchType-Exact/Partial**: Type whether the name you entered was an *exact* or *partial* match type.
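Review bot: the field list documents the second column as **Stands for (optional)**, but the template header shown above is `Name (required),Expansion,MatchType- Exact/Partial (required)`, so the column is called `Expansion` in the file the admin actually edits. Use the template's column name in the list, or mention both, and match the third field's spelling to the header as well. In the partial-match bullet, "topics that have a specific word in it" should be "in them".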
managed-desktop Device Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-requirements.md
The device must have been made by one of these manufacturers:
The device must have this software preinstalled: - Windows 10 Enterprise, Pro, or Pro Workstation edition-- the 64-bit version of Microsoft Office click-to-run
+- the 64-bit version of Microsoft 365 Apps for enterprise
- All applicable device drivers
Devices must have these capabilities:
- Enabled for UEFI secure boot - Trusted Platform Module 2.0 - Capable of virtualization-based security -- Supports Hypervisor-protected code integrity
+- [Hypervisor-protected code integrity](/windows-hardware/drivers/bringup/device-guard-and-credential-guard) supported by the BIOS
For more about these capabilities and the technologies related to them that the service uses, see [Microsoft Managed Desktop technologies](../intro/technologies.md).
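Review bot: the new bullet "Hypervisor-protected code integrity supported by the BIOS" says BIOS where the first capability in the same list is "Enabled for UEFI secure boot"; use consistent firmware terminology across the list. It also breaks the pattern of the sibling bullets ("Enabled for", "Capable of"), which the removed wording "Supports Hypervisor-protected code integrity" followed. Keeping "Supports" in front of the new link preserves both the link and the parallel form.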
Devices should meet or exceed following limits for storage and memory:
If the device was made after July 1, 2020, it should also have an IR camera, fingerprint reader, or both, in order to support [Windows Hello](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security).
-## Recommended requirements
+## Recommended features
-Though they are not absolute requirements, your users will have a much better experience if you choose devices that have these features:
+Your users will have a much better experience if you choose devices that have these features:
- Either an Intel vPro-platform processor or an AMD Ryzen Pro processor - Boot drive of the SSD type with a capacity of at least 256 GB
+- Internal device memory (RAM) of at least 16 GB
- Support for Modern Standby - Device is of Secured-core PC type-- Supports Kernel DMA Protection
+- Supports Kernel DMA Protection
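Review bot: renaming the heading to "Recommended features" changes its anchor from `#recommended-requirements`, so any links to the old anchor need updating. With "Though they are not absolute requirements" removed from the intro sentence, the new "Internal device memory (RAM) of at least 16 GB" bullet can read like a hard minimum next to the storage and memory limits listed earlier in the article; a short qualifier in the intro would keep the distinction. The Kernel DMA Protection line is removed and re-added with identical text, which looks like a whitespace-only change.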
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Microsoft Defender for Endpoint on iOS]() #### [Overview of Microsoft Defender for Endpoint on iOS](microsoft-defender-endpoint-ios.md)
+#### [What's New](ios-whatsnew.md)
#### [Deploy]() ##### [Deploy Microsoft Defender for Endpoint on iOS via Intune](ios-install.md)
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - Windows Server 2008 R2 SP1
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) - Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Defender for Endpoint](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
-<br>
- ## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Defender for Endpoint by using any of the following options:
You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows
- **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) - **Option 3**: [Onboard through Microsoft Endpoint Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-manager-version-2002-and-later) - After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). - > [!NOTE] > Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). - ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)+ You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. In general, you'll need to take the following steps:+ 1. Fulfill the onboarding requirements outlined in **Before you begin** section. 2. Turn on server monitoring from Microsoft Defender Security center. 3. Install and configure MMA for the server to report sensor data to Defender for Endpoint. 4. 
Configure and update System Center Endpoint Protection clients. - > [!TIP] > After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md).
+#### Before you begin
-#### Before you begin
Perform the following steps to fulfill the onboarding requirements:
- - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
- - Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
-
- > [!NOTE]
- > If you are managing your Windows Server 2008 R2 SP1 with SCCM, the SCCM client agent installs .Net Framework 4.5.2. So you don't need to install the .NET framework 4.5 (or later).
-
+- [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
+
+For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
+
+- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
> [!NOTE]
- > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
+ > If you are managing your Windows Server 2008 R2 SP1 with SCCM, the SCCM client agent installs .Net Framework 4.5.2. So you don't need to install the .NET framework 4.5 (or later).
+For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
-<span id="server-mma"/>
+> [!NOTE]
+> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender for Endpoint 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:
- - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard). <br>
+ - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
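Review bot: Removing `<span id="server-mma"/>` above the "Install and configure Microsoft Monitoring Agent (MMA)" heading drops a named anchor, so any link that targets `#server-mma` stops resolving. Confirm nothing references it, or repoint those links at the heading's own anchor. In the re-added SCCM note, `.Net Framework 4.5.2` and `.NET framework 4.5` sit in consecutive sentences with different casing and could be normalized while the lines are being touched.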
Perform the following steps to fulfill the onboarding requirements:
> [!NOTE] > If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. -
-<span id="server-proxy"/>
- ### Configure Windows server proxy and Internet connectivity settings if needed
-If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server:
+If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server:
- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard) - [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md)
-If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender for Endpoint service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service.
+If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender for Endpoint service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service.
Once completed, you should see onboarded Windows servers in the portal within an hour. ### Option 2: Onboard Windows servers through Azure Security Center+ 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**. 2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system. 3. Click **Onboard Servers in Azure Security Center**.
-4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
+4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) and If you are using Azure ARC, Follow the onboarding instructions in [Enabling the Microsoft Defender for Endpoint integration](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enabling-the-microsoft-defender-for-endpoint-integration).
After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). > [!NOTE]
+>
> - For onboarding via Azure Defender for Servers (previously Azure Security Center Standard Edition) to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings.
-> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started.
+> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started.
> - This is also required if the server is configured to use an OMS Gateway server as proxy. ### Option 3: Onboard Windows servers through Microsoft Endpoint Manager version 2002 and later
-You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint
- in Microsoft Endpoint Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
-After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
+You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint in Microsoft Endpoint Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
-<br>
+After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition+ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: -- [Local script](configure-endpoints-script.md)
+- [Local script](configure-endpoints-script.md)
- [Group Policy](configure-endpoints-gp.md) - [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager) - [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) > [!NOTE]
+>
> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). > - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, or Microsoft Endpoint Configuration Manager.
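Review bot: Step 4 of Option 2 is now a run-on: "... and If you are using Azure ARC, Follow the onboarding instructions in ...". Split it into two sentences, lower-case "Follow", and write the product name as "Azure Arc". The same hunk removes `<span id="server-proxy"/>`, so links to `#server-proxy` need the same check as any other dropped anchor.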
Support for Windows Server provides deeper insight into server activities, cover
1. Configure Defender for Endpoint onboarding settings on the Windows server using the same tools and methods for Windows 10 devices. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
-2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:
+2. If you're running a third-party anti-malware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:
1. Set the following registry entry: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
Support for Windows Server provides deeper insight into server activities, cover
```sc.exe query Windefend``` If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
-
- For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
-<br>
+ For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
## Integration with Azure Security Center+ Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers. The following capabilities are included in this integration:+ - Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). > [!NOTE]
The following capabilities are included in this integration:
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach. > [!IMPORTANT]
-> - When you use Azure Security Center to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).<br>
+>
+> - When you use Azure Security Center to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).
Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. > - If you use Defender for Endpoint before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
-> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. <br>
+> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
-<br>
- ## Configure and update System Center Endpoint Protection clients Defender for Endpoint integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. The following steps are required to enable this integration:+ - Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). - [Configure the SCEP client Cloud Protection Service membership](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to the **Advanced** setting.
-<br>
- ## Offboard Windows servers+ You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. For other Windows server versions, you have two options to offboard Windows servers from the service:+ - Uninstall the MMA agent - Remove the Defender for Endpoint workspace configuration
For other Windows server versions, you have two options to offboard Windows serv
> Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months. ### Uninstall Windows servers by uninstalling the MMA agent+ To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the Windows server will no longer send sensor data to Defender for Endpoint. For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). ### Remove the Defender for Endpoint workspace configuration+ To offboard the Windows server, you can use either of the following methods: - Remove the Defender for Endpoint workspace configuration from the MMA agent
To offboard the Windows server, you can use either of the following methods:
```
-<br>
+## Onboarding Servers with no management solution
+
+### Using Group Policy
+
+**Step-1: Create the necessary files to copy down to the servers.**
+
+1. Navigate to c:\windows\sysvol\domain\scripts (Change control could be needed on one of the domain controllers.)
+1. Create a folder named MMA.
+1. Download the following and place in the MMA folder:
+
+ **Update for customer experience and diagnostic telemetry (Windows Server 2008 R2 and Windows Server 2012 R2)**
+
+ [For Windows 2008 R2 x64](https://www.microsoft.com/download/details.aspx?familyid=1bd1d18d-4631-4d8e-a897-327925765f71)
+
+ [For Windows 2012 R2 x64](https://www.microsoft.com/download/details.aspx?familyid=94cf6d85-017a-4c4c-afca-7d00721b500f)
+
+ > [!NOTE]
+ > This article assumes you are using x64-based servers
+ (MMA Agent .exe x64 [New SHA-2 compliant version](https://go.microsoft.com/fwlink/?LinkId=828603))
+
+**Step-2: Create a file name DeployMMA.cmd (using notepad)**
+Add the following lines to the cmd file. Note that you will need your WORKSPACE ID and KEY.
+
+```dos
+@echo off
+cd "C:"
+IF EXIST "C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" (
+exit
+) ELSE (
+wusa.exe c:\Windows\MMA\Windows6.1-KB123456-x86.msu /quiet /norestart
+wusa.exe c:\Windows\MMA\Windows8.1-KB123456-x86.msu /quiet /norestart
+"c:\windows\MMA\MMASetup-AMD64.exe" /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1
+OPINSIGHTS_WORKSPACE_ID=<your workspace ID>
+OPINSIGHTS_WORKSPACE_KEY=<your workspace key>== AcceptEndUserLicenseAgreement=1"
+)
+```
+
+## Group Policy Configuration
+
+Create a new group policy specifically for onboarding devices such as ΓÇ£Microsoft Defender for Endpoint OnboardingΓÇ¥.
+
+- Create a Group Policy Folder named ΓÇ£c:\windows\MMAΓÇ¥
+
+ :::image type="content" source="images/grppolicyconfig1.png" alt-text="folders":::
+
+ **This will add a new folder on every server that gets the GPO applied, called MMA, and will be stored in c:\windows. This will contain the installation files for the MMA, prerequisites, and install script.**
+
+- Create a Group Policy Files preference for each of the files stored in Net logon.
+
+ :::image type="content" source="images/grppolicyconfig2.png" alt-text="group policy image1":::
+
+It copies the files from DOMAIN\NETLOGON\MMA\filename to
+C:\windows\MMA\filename ΓÇô **so the installation files are local to the server**:
++
+For the two KBs (one for Windows Server 2008R2/Windows 7 and the other for Windows Server 2012 R2) repeat the process but create item level targeting on the COMMON tab, so the file only gets copied to the appropriate platform/Operating system version in scope:
++
+- For Windows Server 2008 R2 you need (and it will only copy down) Windows6.1-BJ3080149-x64.msu
+- For Windows Server 2012 R2 you need (and it will only copy down) Windows8.1-BJ3080149-x64.msu
+
+Once this is done, you'll need to create a start-up script policy:
++
+The name of the file to run here is c:\windows\MMA\DeployMMA.cmd
+Once the server is restarted as part of the start-up process it will install the Update for customer experience and diagnostic telemetry KB, and then install the MMAAgent, while setting the workspace id and key, and the server will be onboarded.
+
+You could also use an **immediate task** to run the deployMMA.cmd if you do not want to reboot all the servers.
+This could be done in two phases. First create **the files and the folder in** GPO ΓÇô Give the system time to ensure the GPO has been applied, and all the servers have the install files. Then, add the immediate task. This will achieve the same result without requiring a reboot.
+
+As the Script has an exit method and wont re-run if the MMA is installed, you could also use a daily scheduled task to achieve the same result. Similar to an Configuration Manager compliance policy it will check daily to ensure the MMA is present.
+++++
+As mentioned in the onboarding documentation for Server specifically around Server 2008 R2 please see below:
+
+For Windows Server 2008 R2 PS1, ensure that you fulfill the following requirements:
+
+- Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
+
+- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
+
+Please check the KBs are present before onboarding Windows Server 2008 R2
+This process allows you to onboard all the servers if you donΓÇÖt have Configuration Manager managing Servers.
## Related topics+ - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard non-Windows devices](configure-endpoints-non-windows.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
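Review bot: DeployMMA.cmd cannot run as written. It calls `wusa.exe` on `Windows6.1-KB123456-x86.msu` and `Windows8.1-KB123456-x86.msu`, while the note above it says the article assumes x64-based servers and the Group Policy section copies down `Windows6.1-BJ3080149-x64.msu` and `Windows8.1-BJ3080149-x64.msu`. Use one file name per platform throughout and check whether "BJ" is meant to be "KB". The `setup.exe` arguments are also broken across three lines inside the quoted `/C:` string, which a batch file will not treat as one command, so they need to be on a single line. The script carries the workspace key in clear text and is staged under `c:\windows\sysvol\domain\scripts` and then copied to `c:\windows\MMA` on every server; the section should say so and tell the reader to restrict read access to both locations. Smaller points on the added lines: "Windows Server 2008 R2 PS1" should be "SP1", "Create a file name DeployMMA.cmd" should be "named", and the quotation marks and dashes are mis-encoded (for example `ΓÇ£Microsoft Defender for Endpoint OnboardingΓÇ¥`), which points to the file being saved in the wrong encoding.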
security Contact Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md
In case the suggested articles are not sufficient, you can open a service reques
Learn how to open support tickets by contacting Defender for Endpoint support. --
+> [!Note]
+> If you have a permier support contract with Microsoft, you will see the premier tag on the widget. If not, contact your Microsoft account manager.
### Contact support This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case:
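Review bot: "permier" in the added note is a typo for "premier", and the alert marker is written `[!Note]` where the other notes in this changeset use `[!NOTE]`. Fix both on the added lines.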
This option is available by clicking the icon that looks like a headset. You wil
## Related topics - [Troubleshoot service issues](troubleshoot-mdatp.md)-- [Check service health](service-status.md)
+- [Check service health](service-status.md)
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
ARP, FTP, HTTP, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD,
As device discovery uses passive methods to discover devices in the network, any device that communicates with your onboarded devices in the corporate network can be discovered and listed in the inventory. You can exclude devices from active probing only. ## How frequent is the active probing?
- Devices will actively be probed when changes in device characteristics are observed, and once a week to make sure the existing information is up-to-date.
+ Devices will actively be probed when changes in device characteristics are observed (every 1 to 3 weeks) to make sure the existing information is up-to-date.
## My security tool raised alert on UnicastScanner.ps1 or port scanning activity initiated by it, what should I do? The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list:
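Review bot: The reworded answer under "How frequent is the active probing?" is ambiguous. "(every 1 to 3 weeks)" is attached to "when changes in device characteristics are observed", so it is no longer clear whether a periodic probe runs independently of observed changes, which the removed wording ("and once a week") stated explicitly. Give the change trigger and the periodic interval as separate clauses. The added line also keeps a leading space.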
security Enable Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> [!TIP]
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it.
-[Learn more about network filtering configuration options](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
+[Learn more about network filtering configuration options](/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
## Check if network protection is enabled Check if network protection has been enabled on a local device by using Registry editor. 1. Select the **Start** button in the task bar and type **regedit** to open Registry editor
-1. Choose **HKEY_LOCAL_MACHINE** from the side menu
-1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows Defender** > **Windows Defender Exploit Guard** > **Network Protection**
-1. Select **EnableNetworkProtection** to see the current state of network protection on the device
+
+2. Choose **HKEY_LOCAL_MACHINE** from the side menu
+
+3. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows Defender** > **Windows Defender Exploit Guard** > **Network Protection**
+
+4. Select **EnableNetworkProtection** to see the current state of network protection on the device
* 0, or **Off** * 1, or **On**
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d
1. Sign into the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com)
-2. Create or edit an [endpoint protection configuration profile](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure)
+2. Create or edit an [endpoint protection configuration profile](/mem/intune/protect/endpoint-protection-configure)
-3. Under "Configuration Settings" in the profile flow, go to **Microsoft Defender Exploit Guard** > **Network filtering** > **Network protection** > **Enable** or **Audit only**
+3. Under **Configuration Settings** in the profile flow, go to **Microsoft Defender Exploit Guard** > **Network filtering** > **Network protection** > **Enable** or **Audit only**
### Group Policy
Confirm network protection is enabled on a local computer by using Registry edit
1. Select **Start** and type **regedit** to open **Registry Editor**.
-2. Navigate to **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection**
+2. Navigate to **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\EnableNetworkProtection**
3. Select **EnableNetworkProtection** and confirm the value: * 0=Off
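Review bot: The new path in step 2 ends in `EnableNetworkProtection`, which is the value that step 3 then tells the reader to select, so the key to navigate to should stop at `...\Windows Defender\Policy Manager`. It also disagrees with the "Check if network protection is enabled" section of the same article, which still navigates to **Windows Defender Exploit Guard** > **Network Protection**. Say which location applies in which case, or make the two sections consistent.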
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
ms.technology: mde
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. >[!IMPORTANT]
->The exclusions described in this article don't apply to other Defender for Endpoint for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+>The exclusions described in this article don't apply to other Defender for Endpoint on Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
-You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint for Mac scans.
+You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Mac scans.
-Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint for Mac.
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint on Mac.
>[!WARNING]
->Defining exclusions lowers the protection offered by Defender for Endpoint for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+>Defining exclusions lowers the protection offered by Defender for Endpoint on Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## Supported exclusion types
-The follow table shows the exclusion types supported by Defender for Endpoint for Mac.
+The follow table shows the exclusion types supported by Defender for Endpoint on Mac.
Exclusion | Definition | Examples ||
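Review bot: The sentence under "Supported exclusion types" is rewritten for the product rename but still reads "The follow table shows". Change "follow" to "following" in the same edit.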
Wildcard | Description | Example | Matches | Does not match
### From the management console
-For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Defender for Endpoint for Mac](mac-preferences.md).
+For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Defender for Endpoint on Mac](mac-preferences.md).
### From the user interface
In the following Bash snippet, replace `test.txt` with a file that conforms to y
curl -o test.txt https://www.eicar.org/download/eicar.com.txt ```
-If Defender for Endpoint for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
+If Defender for Endpoint on Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
ms.technology: mde
# Intune-based deployment for Microsoft Defender for Endpoint on macOS + [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
This topic describes how to deploy Microsoft Defender for Endpoint on macOS thro
Before you get started, see [the main Microsoft Defender for Endpoint on macOS page](microsoft-defender-endpoint-mac.md) for a description of prerequisites and system requirements for the current software version. + ## Overview
-The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint for Macs, via Intune. More detailed steps are available below.
+The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint on Macs, via Intune. More detailed steps are available below.
| Step | Sample file names | BundleIdentifier | |-|-|-|
security Mac Install With Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm.md
ms.technology: mde
Before you get started, see [the main Microsoft Defender for Endpoint on macOS page](microsoft-defender-endpoint-mac.md) for a description of prerequisites and system requirements for the current software version. + ## Approach > [!CAUTION]+ > Currently, Microsoft officially supports only Intune and JAMF for the deployment and management of Microsoft Defender for Endpoint on macOS. Microsoft makes no warranties, express or implied, with respect to the information provided below. If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender for Endpoint on macOS.
In order to deploy the package to your enterprise, use the instructions associat
### License settings Set up [a system configuration profile](mac-install-with-jamf.md). + Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender for Endpoint on macOS is not part of macOS. Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md).
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
ms.technology: mde
**Applies to:** -- [Defender for Endpoint for Mac](microsoft-defender-endpoint-mac.md)
+- [Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro.
These steps are applicable of macOS 10.15 (Catalina) or newer.
Alternatively, you can download [netfilter.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig) and upload it to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro). + ## Step 10: Schedule scans with Microsoft Defender for Endpoint on macOS Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint on macOS](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp). + ## Step 11: Deploy Microsoft Defender for Endpoint on macOS 1. Navigate to where you saved `wdav.pkg`.
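Review bot: the context line "These steps are applicable of macOS 10.15 (Catalina) or newer." still reads wrong next to the renamed "Applies to" entry. Since this change is already a wording pass over the page, change "applicable of" to "applicable to" in the same commit.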
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when youΓÇÖre using Microsoft Defender for Endpoint on macOS. This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
security Microsoft Defender Antivirus In Windows 10 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: priority
+localization_priority: Priority
For information on how to configure next-generation protection services, see [Co
- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server.md) - [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md)-- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)
+- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
Title: Microsoft Defender ATP on Android
+ Title: Microsoft Defender for Endpoint on Android
-description: Describes how to install and use Microsoft Defender ATP for Android
+description: Describes how to install and use Microsoft Defender for Endpoint on Android
keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh search.appverid: met150
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
Title: Microsoft Defender ATP for iOS overview
+ Title: Microsoft Defender ATP on iOS
description: Describes how to install and use Microsoft Defender ATP for iOS keywords: microsoft, defender, atp, ios, overview, installation, deploy, uninstallation, intune
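Review bot: the new title "Microsoft Defender ATP on iOS" keeps the old "ATP" product name, and the unchanged description line still says "Microsoft Defender ATP for iOS". The Android page in this same batch was retitled to "Microsoft Defender for Endpoint on Android" with a matching description. Use "Microsoft Defender for Endpoint on iOS" in both the title and the description so the two mobile pages stay consistent.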
security Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. Network protection expands the scope of [Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
-Network protection is supported on Windows, beginning with Windows 10, version 1709. Network protection is not yet supported on other operating systems, but web protection is supported using th new Microsoft Edge based on Chromium. To learn more, see [Web protection](web-protection-overview.md).
+Network protection is supported on Windows, beginning with Windows 10, version 1709. Network protection is not yet supported on other operating systems, but web protection is supported using the new Microsoft Edge based on Chromium. To learn more, see [Web protection](web-protection-overview.md).
-network protection extends the protection in [Web protection](web-protection-overview.md) to the operating system level. It provides web protection functionality in Edge to other supported browsers and non-browser applications. In addition, network protection provides visibility and blocking of indicators of compromise (IOCs) when used with [Endpoint detection and response](overview-endpoint-detection-response.md). For example, network protection works with your [custom indicators](manage-indicators.md).
+Network protection extends the protection in [Web protection](web-protection-overview.md) to the operating system level. It provides web protection functionality in Edge to other supported browsers and non-browser applications. In addition, network protection provides visibility and blocking of indicators of compromise (IOCs) when used with [Endpoint detection and response](overview-endpoint-detection-response.md). For example, network protection works with your [custom indicators](manage-indicators.md).
For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
If the verification fails and your environment is using a proxy to connect to th
If you encounter issues while onboarding a server, go through the following verification steps to address possible issues. -- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints.md#server-mma)-- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints.md#server-proxy)
+- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints.md)
+- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints.md)
You might also need to check the following:
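Review bot: both added links now point to the bare page configure-server-endpoints.md, where the removed lines targeted "#server-mma" and "#server-proxy". The two bullets describe different checks but now land on the same page top, so the reader has to search for the section. If the old anchors were dropped because the target headings changed, link to the current heading anchors instead of removing the fragment.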
security M365d Enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable.md
Once the service is provisioned, it adds:
- [Advanced hunting](advanced-hunting-overview.md) capabilities - Threat analytics
-![Image of Microsoft 365 security center navigation pane with Microsoft 365 Defender features](../../media/mtp-enable/mtp-on.png)
+![Image of Microsoft 365 security center navigation pane with Microsoft 365 Defender features](../../media/overview-incident.png)
*Microsoft 365 security center with incidents management and other Microsoft 365 Defender capabilities* ### Getting Microsoft Defender for Identity data
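Review bot: the image source changes from mtp-enable/mtp-on.png to overview-incident.png, but the alt text "Image of Microsoft 365 security center navigation pane with Microsoft 365 Defender features" is carried over unchanged. Confirm the alt text and the caption below still describe what the new image shows, and update them if it is now an incidents view rather than the navigation pane.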
security About Defender For Office 365 Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/about-defender-for-office-365-trial.md
Powerful experiences help identify, prioritize, and investigate threats, with ad
### Response and remediation
-Extensive incident response and automation capabilities amplify your security teamΓÇÖs effectiveness and efficiency.
+Extensive incident response and automation capabilities amplify your security team's effectiveness and efficiency.
- [Automated investigation and response (AIR) in Microsoft Defender for Office 365](office-365-air.md)
security Anti Spoofing Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-protection.md
Microsoft differentiates between two different types of spoofed messages:
- `reason=000` indicates the message failed explicit email authentication. `reason=001` indicates the message failed implicit email authentication.
- - SFTY is the safety level of the message. 9 indicates phishing, .22 indicates cross-domain spoofing.
+ - `SFTY` is the safety level of the message. 9 indicates phishing, .22 indicates cross-domain spoofing.
> [!NOTE] > If you've gotten a message like ***compauth=fail reason=###*** and need to know about composite authentication (compauth), and the values related to spoofing, see [*Anti-spam message headers in Microsoft 365*](anti-spam-message-headers.md). Or go directly to the [*reason*](anti-spam-message-headers.md) codes.
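Review bot: on the added `SFTY` line only the field name gets code formatting, while the values "9" and ".22" stay as plain text, unlike `reason=000` and `reason=001` in the bullet above. Format the values the same way, and consider showing how they appear together in the header, because ".22" with a leading dot reads like a typo on its own.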
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
There are two major factors that determine which policy is applied to a message:
- **The priority of the email protection type**: This order is not configurable, and is described in the following table:
+ <br>
+ **** |Priority|Email protection|Category|Where to manage|
There are two major factors that determine which policy is applied to a message:
<sup>\*</sup> These features are only available in anti-phishing policies in Microsoft Defender for Office 365. -- **The priority of the policy**: For each protection type (anti-spam, anti-malware, anti-phishing, etc.), there's a default policy that applies to everyone, but you can create custom policies that apply to specific users. Each custom policy has a priority value that determines the order that the policies are applied in. The default policy is always applied last.
+- **The priority of the policy**: For each type of policy (anti-spam, anti-malware, anti-phishing, etc.), there's a default policy that applies to everyone, but you can create custom policies that apply to specific users. Each custom policy has a priority value that determines the order that the policies are applied in. The default policy is always applied last.
If a user is defined in multiple policies of the same type, only the policy with the highest priority is applied to them. Any remaining policies of that type are not evaluated for the user (including the default policy). For example, consider the following anti-phishing policies in Microsoft Defender for Office 365 **that apply to the same users**, and a message that's identified as both user impersonation and spoofing:
- ****
+<br>
- |Policy name|Priority|User impersonation|Anti-spoofing|
- |||||
- |Policy A|1|On|Off|
- |Policy B|2|Off|On|
- |
+****
+
+|Policy name|Priority|User impersonation|Anti-spoofing|
+|||||
+|Policy A|1|On|Off|
+|Policy B|2|Off|On|
+|
1. The message is marked and treated as spoof, because spoofing has a higher priority (4) than user impersonation (5). 2. Policy A is applied to the users because it has a higher priority than Policy B.
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
There are new capabilities that come with this email entity page. Here's the lis
### Email preview for Cloud mailboxes
-Admins can preview emails in Cloud mailboxes, ***if*** the mails are still present in the Cloud. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), emails are no longer present in the Cloud location. In that case, admins won't be able to preview those specific mails. Emails that were dropped, or where delivery failed, never actually made it into the mailbox. As a result, admins wonΓÇÖt be able to preview those emails either.
+Admins can preview emails in Cloud mailboxes, ***if*** the mails are still present in the Cloud. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), emails are no longer present in the Cloud location. In that case, admins won't be able to preview those specific mails. Emails that were dropped, or where delivery failed, never actually made it into the mailbox. As a result, admins won't be able to preview those emails either.
> [!WARNING] > Previewing emails requires a special role called ***Preview*** to be assigned to admins. You can add this role by going to **Permissions & roles** > **Email & collaboration roles** in *security.microsoft.com*, or **Permissions** in *protection.office.com*. Add the ***Preview*** role to any of the role groups, or a copy of a role group that allows admins in your organization to work in Threat Explorer.
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
Permissions are granted through certain roles, such as those that are described
## Changes are coming soon in your security center
-If youΓÇÖre already using AIR capabilities in Microsoft Defender for Office 365, youΓÇÖre about to see some changes in the [improved Microsoft 365 security center](../defender/overview-security-center.md).
+If you're already using AIR capabilities in Microsoft Defender for Office 365, you're about to see some changes in the [improved Microsoft 365 security center](../defender/overview-security-center.md).
:::image type="content" source="../../media/m3d-action-center-unified.png" alt-text="Unified Action center":::
The new and improved security center brings together AIR capabilities in [Micros
> - Office 365 Security & Compliance Center (<https://protection.office.com>) > - Microsoft Defender Security Center (<https://securitycenter.windows.com>) >
-> In addition to the URL changing, thereΓÇÖs a new look and feel, designed to give your security team a more streamlined experience, with visibility to more threat detections in one place.
+> In addition to the URL changing, there's a new look and feel, designed to give your security team a more streamlined experience, with visibility to more threat detections in one place.
### What to expect
The following table lists changes and improvements coming to AIR in Microsoft De
|Item|What's changing?| |||
-|**Investigations** page|The updated **Investigations** page is more consistent with what you see in [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). YouΓÇÖll see some general format and styling changes that align with the new, unified **Investigations** view. For example, the investigation graph has a more unified format.|
+|**Investigations** page|The updated **Investigations** page is more consistent with what you see in [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). You'll see some general format and styling changes that align with the new, unified **Investigations** view. For example, the investigation graph has a more unified format.|
|**Users** tab|The **Users** tab is now the **Mailboxes** tab. Details about users are listed on the **Mailbox** tab.| |**Email** tab|The **Email** tab has been removed; visit the **Entities** tab to see a list of email and email cluster items.| |**Entities** tab|The **Entities** tab has a tab-in-tab style that includes an all-summary view, and the ability to filter by entity type. The **Entities** tab now includes a **Go hunting** option in addition to the **Open in Explorer** option. You can now use either [Threat Explorer](threat-explorer.md) or [advanced hunting](../defender-endpoint/advanced-hunting-overview.md) to find entities and threats, and filter on results.|
security Office 365 Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-evaluation.md
URL links in the email message bodies won't wrap, to lessen customer impact.
### Email routing
-Prepare the corresponding details that you will need to set up how your email is currently routed, including the name of the inbound connector that routes your mail. If you are just using Exchange Online Protection, you wonΓÇÖt have a connector.ΓÇ»[Learn about mail flow and email routing](/office365/servicedescriptions/exchange-online-service-description/mail-flow)
+Prepare the corresponding details that you will need to set up how your email is currently routed, including the name of the inbound connector that routes your mail. If you are just using Exchange Online Protection, you won't have a connector.ΓÇ»[Learn about mail flow and email routing](/office365/servicedescriptions/exchange-online-service-description/mail-flow)
Supported email routing scenarios include:
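Review bot: the added line fixes the mis-encoded apostrophe in "won't" but still carries the stray "ΓÇ»" sequence between "connector." and "[Learn about mail flow and email routing]". Replace it with a normal space in the same change, since this commit is an encoding cleanup.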