+| Exchange admin | Create, Read, Update, Delete | Read, Update - *only groups they own*, Delete - *only groups they own* | Create, Read, Update, Delete | Create, Read, Update, Delete |

+## Tax FAQ

+### Why is there a 22% tax rate on my invoice now from Microsoft Srl Italy compared to last monthΓÇÖs invoice from Microsoft Ireland?

+This is a result of the Billing entity change from Microsoft Ireland to Microsoft Srl. Prior to the change, purchases were considered cross-border and the presence of a VAT ID resulted in Reverse Charge (0% tax). With local invoicing, transactions are not cross-border and the tax rate of 22% applies. Partners in Italy were invoiced from Microsoft Srl Italy on September 1, 2023. Customer Led and Field Led migrated to Microsoft Srl Italy on March 1, 2024.

+ Microsoft 365 generates the specific data that you need to place into the DNS TXT verification record. To get the data, run this command.

+This command gives you output like:

+This command gives you output like:

+This command doesn't return any output, so to confirm that the command worked, run this command.

+Next, get the sign-in name of the account to which you want to add a license, also known as the user principal name (UPN).

+- **ActiveUnits** is the number of licenses that you purchased for the subscription.

+- **ConsumedUnits** is the number of licenses that you assigned to users for the subscription.

+Here's a partial list of service plans and their corresponding Microsoft 365 services.

+Here's an example command block for the account named belindan@contoso.com, for the contoso:ENTERPRISEPACK license, and the service plans to disable are RMS_S_ENTERPRISE, SWAY, INTUNE_O365, and YAMMER_ENTERPRISE:

+To perform this administration task for multiple users, create a comma-separated value (CSV) text file that contains the UserPrincipalName and UsageLocation fields. Here's an example:

+The scenarios described earlier in this article can be achieved with out-of-the-box capabilities from Microsoft. You can extend even further with third-party apps in [AppSource](https://appsource.microsoft.com) and custom apps that you or our partners build for you with Power Platform, Teams, and Viva extensibility.

+- M365-collaboration

+- m365-frontline

+- highpri

+- m365solution-frontline

+- m365solution-scenario

+- M365-collaboration

+- m365-frontline

+- teams-1p-app-admin

+- highpri

+- microsoftcloud-healthcare

+- microsoftcloud-retail

+- microsoftcloud-healthcare

+- microsoftcloud-retail

+- m365solution-healthcare

+- m365solution-scenario

+- m365-frontline

+- highpri

+- m365initiative-meetings

+- m365-virtual-appointments

+- teams-1p-app-admin

+The reseller relationship is established to authorize MSPs to manage orders and purchases for the customer. This arrangement provides MSPs with visibility into the subscriptions the customer has acquired through them, ensuring that they can effectively support and service those subscriptions. It can take 24 hours or longer for changes in the reseller relationship to be reflected in Lighthouse. This procedural timeframe does not affect an MSP's pre-existing knowledge of the subscriptions.

+Unlike the reseller relationship, the delegated admin relationship is established to authorize MSPs to access and manage the customer's data and resources. This relationship is based on the consent of the customer and can be revoked at any time. Changes to the delegated admin relationship are reflected immediately in Lighthouse, ensuring that access to customer data is protected in line with the privileges the customer has granted the MSP. This is especially important for scenarios such as security incident response, where timely and accurate data access is crucial.

+- **Standard protection rules**: Are the minimum set of rules which Microsoft recommends you always enable, while you're evaluating the affect and configuration needs of the other ASR rules. These rules typically have minimal-to-no noticeable impact on the end user.

+- **Other rules**: Rules that require some measure of following the documented deployment steps [Plan > Test (audit) > Enable (block/warn modes)], as documented in the [Attack surface reduction rules deployment guide](attack-surface-reduction-rules-deployment.md)

+Toast notifications are generated for all rules in Block mode. Rules in any other mode don't generate toast notifications.

+- **Not configured** or **Disable**: The state in which the ASR rule isn't enabled or is disabled. The code for this state = 0.

+When the allow button is clicked, the block is suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule will be in blocked mode.

+- `AsrVulnerableSignedDriverAudited`

+- `AsrVulnerableSignedDriverBlocked`

+- `AsrAdobeReaderChildProcessAudited`

+- `AsrAdobeReaderChildProcessBlocked`

+- `AsrOfficeChildProcessAudited`

+- `AsrOfficeChildProcessBlocked`

+Enabling this rule doesn't provide additional protection if you have LSA protection enabled since the ASR rule and LSA protection work similarly. However, when LSA protection cannot be enabled, this rule can be configured to provide equivalent protection against malware that target `lsass.exe`.

+>

+> In this scenario, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal.

+>

+> The *Block credential stealing from the Windows local security authority subsystem* ASR rule doesn't support WARN mode.

+>

+- `AsrLsassCredentialTheftAudited`

+- `AsrLsassCredentialTheftBlocked`

+- `AsrExecutableEmailContentAudited`

+- `AsrExecutableEmailContentBlocked`

+- `AsrUntrustedExecutableAudited`

+- `AsrUntrustedExecutableBlocked`

+- `AsrObfuscatedScriptAudited`

+- `AsrObfuscatedScriptBlocked`

+- `AsrScriptExecutableDownloadAudited`

+- `AsrScriptExecutableDownloadBlocked`

+- `AsrExecutableOfficeContentAudited`

+- `AsrExecutableOfficeContentBlocked`

+- `AsrOfficeProcessInjectionAudited`

+- `AsrOfficeProcessInjectionBlocked`

+- `AsrOfficeCommAppChildProcessAudited`

+- `AsrOfficeCommAppChildProcessBlocked`

+> [!NOTE]

+> If `CcmExec.exe` (SCCM Agent) is detected on the device, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal.

+- `AsrPersistenceThroughWmiAudited`

+- `AsrPersistenceThroughWmiBlocked`

+- `AsrPsexecWmiChildProcessAudited`

+- `AsrPsexecWmiChildProcessBlocked`

+- `AsrUntrustedUsbProcessAudited`

+- `AsrUntrustedUsbProcessBlocked`

+- `AsrOfficeMacroWin32ApiCallsAudited`

+- `AsrOfficeMacroWin32ApiCallsBlocked`

+- `AsrRansomwareAudited`

+- `AsrRansomwareBlocked`

+- [Attack surface reduction rules report](attack-surface-reduction-rules-report.md)

+- To create a rule for an individual user on Windows, create an entry with a `Sid` condition foreach user in a [rule](#rules)

+Intune doesn't honor the ordering of the rules. The rules can be evaluated in any order, so make sure to explicitly exclude groups of devices that aren't in scope for the rule.

+| `IncludedIdList` | The groups that the policy applies to. If multiple groups are added, the media must be a member of each group in the list to be included. | The Group ID/GUID must be used at this instance. <br/><br/>The following example shows the usage of GroupID: `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>` |

+| `ExcludedIDList` | The groups that the policy doesn't apply to. If multiple groups are added, the media must be a member of a group in the list to be excluded. | The Group ID/GUID must be used at this instance. |

+| `Entry` | One PolicyRule can have multiple entries; each entry with a unique GUID tells device control one restriction. | See Entry properties table below to get details. |

+| `name` | String, name of the policy and displays on the toast based on the policy setting. | |

+| `includeGroups` | The groups that the policy is applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The ID value inside the group must be used in this instance. If multiple groups are in the includeGroups, it's `AND`. <br/> `"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` |

+| `excludeGroups` | The group that the policy doesn't apply to. | The `id` value inside the group must be used in this instance. If multiple groups are in the excludeGroups, it's `OR`. |

+| AccessMask | Applies the action only if the access operations match the access mask - The access mask is the bit-wise OR of the access values:<br><br> 1 - Device Read<br>2 - Device Write<br>4 - Device Execute<br>8 - File Read<br>16 - File Write<br>32 - File Execute<br>64 - Print<br><br>For example:<br>Device Read, Write, and Execute = 7 (1+2+4)<br>Device Read, Disk Read = 9 (1+8)<br>

+- Deploy Full Disk Access: you may already have previously created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`.

+<details><summary>Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/mobileconfig/demo.mobileconfig)</summary>

+</details>

+## Understanding policies

+Policies determine the behavior of device control for macOS. The policy is targeted via Intune or JAMF to a collection of machines or users.

+The Device Control for macOS policy includes settings, groups, and rules:

+> You can also use the scripts at [mdatp-devicecontrol/tree/main/python#readme at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/python#readme) to translate Windows Device Control policy to macOS Device Control policy or translate macOS Device Control V1 policy to this V2 policy.

+> [!NOTE]

+> There are [known issues](#known-issues) with device control for macOS that customers should consider when creating policies.

+### Best practices

+Device control for macOS has similar capabilities to Device control for Windows, but macOS and Windows provide different underlying capabilities to manage devices, so there are some important differences:

+- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example on a ```portableDevice``` device control for macOS can deny or allow ```download_photos_from_device```.

+- To stay consistent with Windows, there are ```generic_read```,```generic_write``` and ```generic_execute``` access types. Policies with generic access types don't need to be changed if/when additional specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation.

+- Creating a ```deny``` policy using generic access types is the best way to attempt to completely block all operations for that type of device (e.g. Android phones), but there may still be gaps if the operation is performed using an application that isn't supported by macOS device control.

+Here are the properties you can use when you create the groups, rules, and settings in device control policy for macOS.

+| appleDevice | download_photos_from_device | generic_read | download photo from the specific iOS device to local machine |

+ - [] - Device Control isn't configured on this machine.

+ - ["v1"] - You are on a preview version of Device Control. Migrate to version 2 using this guide. v1 is considered obsolete and not described in this documentation.

+ - ["v1","v2"] - You have both v1 and v2 enabled. Offboard from v1.

+- `v2_full_disk_access` - if not `approved`, then Device Control can't prevent some or all operations

+You are able to see the policy event on Advanced hunting and Device Control report. For more information, see [Protect your organization's data with Device Control](device-control-report.md).

+## Known Issues

+>[!WARNING]

+>In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.

+>[!WARNING]

+>Device Control on macOS restricts Android devices that are connected using PTP mode **only**. Device control does not restrict other modes such as File Transfer, USB Tethering and MIDI

+Troubleshooting mode is disabled by default, and requires you to turn it on for a device (and/or group of devices) for a limited time. Troubleshooting mode is exclusively an enterprise-only feature, and requires access to [Microsoft Defender portal](https://security.microsoft.com/).

+1. Go to the [Microsoft Defender portal](https://security.microsoft.com/), and sign in.

+ > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from this link is: '9D0552DBBD1693D2E2ED55F36147019CFECFDC009E76BAC4186CF03CD691B469'

+ echo '9D0552DBBD1693D2E2ED55F36147019CFECFDC009E76BAC4186CF03CD691B469 XMDEClientAnalyzerBinary.zip' | sha256sum -c

+ echo '9D0552DBBD1693D2E2ED55F36147019CFECFDC009E76BAC4186CF03CD691B469 XMDEClientAnalyzerBinary.zip' | shasum -a 256 -c

+ - **SupportToolMacOSBinary.zip** : For Mac devices

+6. Unzip one of the above 2 zip files based on the machine you need to investigate.\

+When using a terminal, unzip the file by entering one of the following commands based on OS type:

+ - Mac

+ unzip -q SupportToolMacOSBinary.zip

+ echo '36C2B13AE657456119F3DC2A898FD9D354499A33F65015670CE2CD8A937F3C66 XMDEClientAnalyzer.zip' | sha256sum -c

+ echo '36C2B13AE657456119F3DC2A898FD9D354499A33F65015670CE2CD8A937F3C66 XMDEClientAnalyzer.zip' | shasum -a 256 -c

+Recently, Microsoft Defender for Endpoint extended its protection capabilities to the firmware level with a new [Unified Extensible Firmware Interface (UEFI)](/windows-hardware/drivers/bringup/unified-extensible-firmware-interface) scanner.

+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) as the primary antivirus product and in active mode. UEFI scanner doesn't work with [EDR in block mode](edr-in-block-mode.md) (with Microsoft Defender Antivirus in passive mode).

+- [Real-time protection](configure-protection-features-microsoft-defender-antivirus.md) is turned on

+- [Behavior monitoring](behavior-monitor.md) is turned on

+- Devices are running a current [Microsoft Defender Antivirus platform version](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions)

+- Devices are running one of the following versions of Windows:

+ - Windows 10, Windows 11 or newer on client devices

+ - Windows Server 2019, Windows Server 2022, or newer versions

+ - [Windows Server 2012 R2 and Windows Server 2016](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292) with the [unified Defender for Endpoint client](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution) installed

+## What is the UEFI scanner?

+Technically, the firmware isn't stored and isn't accessible from main memory. As opposed to other software, it's stored in SPI flash storage, so the new UEFI scanner must follow the hardware protocol provided by hardware manufacturers. To be compatible and be up to date with all platforms, it needs to take into consideration protocol differences.

+## How do you turn on the UEFI scanner?

+## How do you manage the UEFI scanner?

+It's a built-in functionality of Microsoft Defender Antivirus. Thus, there is no additional management.

+Defender for Endpoint customers can see these detections raised as alerts in the [Microsoft Defender portal](https://security.microsoft.com/), empowering security operations teams to investigate and respond to firmware attacks and suspicious activities at the firmware level in their environments.

+To detect unknown threats in SPI flash, signals from the UEFI scanner are analyzed to identify anomalies and where they have been executed. Anomalies are reported to the Microsoft Defender portal for investigation.

+These events can likewise be queried through advanced hunting as shown:

+```kusto

+This level of visibility is also available in the [Microsoft Defender portal](https://www.microsoft.com/security/technology/threat-protection), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps.

+> Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).

+> Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over. You need to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.

+|Security data basics|Read|View info about incidents, alerts, investigations, advanced hunting, devices, submissions, evaluation lab, and reports.|