Updates from: 04/17/2024 01:48:44
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
| Global admin | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | | Global reader | Read | Read | Read | Read | | User admin | Create, Read, Update, Delete, ***Can't update EXO properties*** | Create, Read, Update, Delete | Read | Read |
-| Exchange admin | Create, Read, Update, Delete | Create, Read, Update, Delete - *only groups they own* | Create, Read, Update, Delete | Create, Read, Update, Delete |
+| Exchange admin | Create, Read, Update, Delete | Read, Update - *only groups they own*, Delete - *only groups they own* | Create, Read, Update, Delete | Create, Read, Update, Delete |
| Teams admin | Create, Read, Update, Delete, ***Can't update EXO properties*** | Create, Read, Update, Delete - _only groups they own_ | Read | Read | | SharePoint admin | Create, Read, Update, Delete, ***Can't update EXO properties*** | Create, Read, Update, Delete -_only groups they own_ | Read | Read | | Billing admin | Read | Read | Read | Read |
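Review bot: The groups column for Exchange admin now reads `Read, Update - *only groups they own*, Delete - *only groups they own*`, which drops Create and repeats the ownership qualifier in a style unlike the other rows (`Create, Read, Update, Delete - _only groups they own_`). If the intent is that Exchange admins can no longer create groups, state it once, e.g. `Read, Update, Delete - _only groups they own_`, and keep the italics markers consistent with the Teams and SharePoint rows so the table reads as one permission model.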
commerce Italy Billing Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/italy-billing-info.md
If a Codice Fiscale/Tax ID isn't provided, e-invoices aren't issued by SDI per I
For details about making a payment, see [Payment information for Italy](/legal/pay/italy).
+## Tax FAQ
+
+### Why is there a 22% tax rate on my invoice now from Microsoft Srl Italy compared to last monthΓÇÖs invoice from Microsoft Ireland?
+
+This is a result of the Billing entity change from Microsoft Ireland to Microsoft Srl. Prior to the change, purchases were considered cross-border and the presence of a VAT ID resulted in Reverse Charge (0% tax). With local invoicing, transactions are not cross-border and the tax rate of 22% applies. Partners in Italy were invoiced from Microsoft Srl Italy on September 1, 2023. Customer Led and Field Led migrated to Microsoft Srl Italy on March 1, 2024.
+ ## Related content [View your invoice in the Microsoft 365 admin center](view-your-bill-or-invoice.md) (article)\
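Review bot: The new FAQ heading contains the mojibake sequence `ΓÇÖ` where the apostrophe in "month's" belongs; replace it with a plain `'` before merging so the heading and its generated anchor render correctly. The added `## Related content` heading also has a leading space and is run onto the same line as the first list item; put the heading on its own line.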
enterprise Add A Domain To A Client Tenancy With Windows Powershell For Delegated Access Pe https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/add-a-domain-to-a-client-tenancy-with-windows-powershell-for-delegated-access-pe.md
- seo-marvel-apr2020 - admindeeplinkMAC - has-azure-ad-ps-ref
- - azure-ad-ref-level-one-done
ms.assetid: f49b4d24-9aa0-48a6-95dd-6bae9cf53d2c description: "Summary: Use PowerShell for Microsoft 365 to add an alternate domain name to an existing customer tenant."
New-MgDomain -Id <customer TenantId> -DomainNameReferences <FQDN of new domain>
### Get the data for the DNS TXT verification record
- Microsoft 365 will generate the specific data that you need to place into the DNS TXT verification record. To get the data, run this command.
+ Microsoft 365 generates the specific data that you need to place into the DNS TXT verification record. To get the data, run this command.
```powershell Import-Module Microsoft.Graph.Identity.DirectoryManagement (Get-MgDomainVerificationDnsRecord -DomainId <domain ID, i.e. contoso.com> | Where-Object {$_.RecordType -eq "Txt"}).AdditionalProperties.text ```
-This will give you output like:
+This command gives you output like:
`MS=ms########`
Confirm the successful creation of the TXT record via nslookup. Follow this synt
nslookup -type=TXT <FQDN of registered domain> ```
-This will give you output like:
+This command gives you output like:
`Non-authoritative answer:`
In this last step, you validate to Microsoft 365 that you own the publically reg
Confirm-MgDomain -DomainId <FQDN of new domain> -InputObject @{TenantId=<customer TenantId>} ```
-This command won't return any output, so to confirm that this worked, run this command.
+This command doesn't return any output, so to confirm that the command worked, run this command.
```powershell Get-MgDomain -DomainId <FQDN of new domain>
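Review bot: The reworded sentence `to confirm that the command worked, run this command` repeats "command" three times; `to confirm that it worked, run the following command` reads better. Separately, the Graph step shows the expected value `MS=ms########`, but the `nslookup` step that asks readers to "Confirm the successful creation of the TXT record" only shows `Non-authoritative answer:`; showing the `text =` line with the same `MS=` value would let readers check that the published record matches what Microsoft 365 generated.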
enterprise Configure Skype For Business For Hybrid Modern Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-skype-for-business-for-hybrid-modern-authentication.md
description: Learn how to configure Skype for Business on-premises to use Hybrid
- seo-marvel-apr2020 - has-azure-ad-ps-ref
- - azure-ad-ref-level-one-done
# How to configure Skype for Business on-premises to use Hybrid Modern Authentication
enterprise Disable Access To Services While Assigning User Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/disable-access-to-services-while-assigning-user-licenses.md
- PowerShell - Ent_Office_Other - has-azure-ad-ps-ref
- - azure-ad-ref-level-one-done
ms.assetid: bb003bdb-3c22-4141-ae3b-f0656fc23b9c description: "Learn how to assign licenses to user accounts and disable specific service plans at the same time using PowerShell for Microsoft 365."
Get-AzureADSubscribedSku | Select SkuPartNumber
[!INCLUDE [Azure AD PowerShell deprecation note](~/../microsoft-365/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
-Next, get the sign-in name of the account to which you want add a license, also known as the user principal name (UPN).
+Next, get the sign-in name of the account to which you want to add a license, also known as the user principal name (UPN).
Next, compile a list of services to enable. For a complete list of license plans (also known as product names), their included service plans, and their corresponding friendly names, see [Product names and service plan identifiers for licensing](/azure/active-directory/users-groups-roles/licensing-service-plan-reference).
In the display of the `Get-MsolAccountSku` command:
- **AccountSkuId** is a subscription for your organization in \<OrganizationName>:\<Subscription> format. The \<OrganizationName> is the value that you provided when you enrolled in Microsoft 365, and is unique for your organization. The \<Subscription> value is for a specific subscription. For example, for litwareinc:ENTERPRISEPACK, the organization name is litwareinc, and the subscription name is ENTERPRISEPACK (Office 365 Enterprise E3). -- **ActiveUnits** is the number of licenses that you've purchased for the subscription.
+- **ActiveUnits** is the number of licenses that you purchased for the subscription.
- **WarningUnits** is the number of licenses in a subscription that you haven't renewed, and that will expire after the 30-day grace period. -- **ConsumedUnits** is the number of licenses that you've assigned to users for the subscription.
+- **ConsumedUnits** is the number of licenses that you assigned to users for the subscription.
Note the AccountSkuId for your Microsoft 365 subscription that contains the users you want to license. Also, ensure that there are enough licenses to assign (subtract **ConsumedUnits** from **ActiveUnits**).
Get-MsolAccountSku | Select -ExpandProperty ServiceStatus
From the display of this command, determine which service plans you would like to disable when you assign licenses to users.
-Here is a partial list of service plans and their corresponding Microsoft 365 services.
+Here's a partial list of service plans and their corresponding Microsoft 365 services.
The following table shows the Microsoft 365 service plans and their friendly names for the most common services. Your list of service plans might be different.
Sleep -Seconds 5
Set-MsolUserLicense -UserPrincipalName $userUpn -LicenseOptions $licenseOptions -ErrorAction SilentlyContinue ```
-Here is an example command block for the account named belindan@contoso.com, for the contoso:ENTERPRISEPACK license, and the service plans to disable are RMS_S_ENTERPRISE, SWAY, INTUNE_O365, and YAMMER_ENTERPRISE:
+Here's an example command block for the account named belindan@contoso.com, for the contoso:ENTERPRISEPACK license, and the service plans to disable are RMS_S_ENTERPRISE, SWAY, INTUNE_O365, and YAMMER_ENTERPRISE:
```powershell $userUPN="belindan@contoso.com"
Set-MsolUserLicense -UserPrincipalName $userUpn -LicenseOptions $licenseOptions
### For multiple users
-To perform this administration task for multiple users, create a comma-separated value (CSV) text file that contains the UserPrincipalName and UsageLocation fields. Here is an example:
+To perform this administration task for multiple users, create a comma-separated value (CSV) text file that contains the UserPrincipalName and UsageLocation fields. Here's an example:
```powershell UserPrincipalName,UsageLocation
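Review bot: These hunks only modernize wording while the sample commands stay on the MSOnline module (`Get-MsolAccountSku`, `Set-MsolUserLicense`) that the included deprecation note flags; the article should at least say which module the commands require. More importantly, the per-user block ends with `Set-MsolUserLicense ... -ErrorAction SilentlyContinue`, which swallows any failure to apply `$licenseOptions`: an admin following this procedure to disable service plans could end up with the plans still enabled and no error to show for it. Suggest dropping `SilentlyContinue` in the loop, or capturing failures with `-ErrorVariable` and reporting the UPNs that were not updated.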
enterprise Dns Records For Office 365 Dod https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/dns-records-for-office-365-dod.md
- Adm_O365 - has-azure-ad-ps-ref
- - azure-ad-ref-level-one-done
search.appverid: - OGA150 - OGC150
enterprise Dns Records For Office 365 Gcc High https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/dns-records-for-office-365-gcc-high.md
- Adm_O365 - has-azure-ad-ps-ref
- - azure-ad-ref-level-one-done
search.appverid: - OGA150 - OGC150
enterprise M365 Multi Geo User Testing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-multi-geo-user-testing.md
Last updated 03/05/2024
- it-pro - has-azure-ad-ps-ref
- - azure-ad-ref-level-one-done
ms.localizationpriority: medium - M365-subscription-management
enterprise Maintain Group Membership With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/maintain-group-membership-with-microsoft-365-powershell.md
- Ent_Office_Other - O365ITProTrain - has-azure-ad-ps-ref
- - azure-ad-ref-level-one-done
ms.assetid: 6770c5fa-b886-4512-8c67-ffd53226589e description: "Learn how to use PowerShell to maintain membership in Microsoft 365 groups."
enterprise Manage Microsoft 365 Tenants With Windows Powershell For Delegated Access Permissio https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-tenants-with-windows-powershell-for-delegated-access-permissio.md
f1.keywords:
- seo-marvel-apr2020 - has-azure-ad-ps-ref
- - azure-ad-ref-level-one-done
ms.assetid: f92d5116-5b66-4150-ad20-1452fc3dd712 description: In this article, learn how to use PowerShell for Microsoft 365 to manage your customer tenancies.
frontline Flw Choose Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-choose-scenarios.md
More information: [Virtual Appointments with Microsoft Teams](virtual-appointmen
## More scenarios and solutions with the digital ecosystem
-The scenarios described earlier in this article can be achieved with out-of-the-box capabilities from Microsoft. You can extend even further with third-party apps in [AppSource](https://appsource.microsoft.com/marketplace/apps?search=frontline&page=1) and custom apps that you or our partners build for you with Power Platform, Teams, and Viva extensibility.
+The scenarios described earlier in this article can be achieved with out-of-the-box capabilities from Microsoft. You can extend even further with third-party apps in [AppSource](https://appsource.microsoft.com) and custom apps that you or our partners build for you with Power Platform, Teams, and Viva extensibility.
Learn more about third-party apps in Teams at [Overview of third-party apps in Microsoft Teams](/microsoftteams/overview-third-party-apps).
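Review bot: The replacement link points at the AppSource home page rather than the previous frontline-filtered results, but the sentence still presents it as the place to find apps for these frontline scenarios; if the query-string link was removed because it is unstable, adjust the wording so readers know to search AppSource for frontline apps themselves.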
frontline Flw Team Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/flw-team-collaboration.md
f1.keywords:
- NOCSH
- - M365-collaboration
- - m365-frontline
- - highpri
- - m365solution-frontline
- - m365solution-scenario
+- M365-collaboration
+- m365-frontline
+- highpri
+- m365solution-frontline
+- m365solution-scenario
ms.localizationpriority: high search.appverid: MET150 searchScope:
frontline Shifts Frontline Manager Worker Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-frontline-manager-worker-roles.md
f1.keywords:
- NOCSH ms.localizationpriority: high
- - M365-collaboration
- - m365-frontline
- - teams-1p-app-admin
- - highpri
- - microsoftcloud-healthcare
- - microsoftcloud-retail
+- M365-collaboration
+- m365-frontline
+- teams-1p-app-admin
+- highpri
+- microsoftcloud-healthcare
+- microsoftcloud-retail
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
frontline Virtual Appointments App https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-app.md
f1.keywords:
- NOCSH ms.localizationpriority: high
- - microsoftcloud-healthcare
- - microsoftcloud-retail
- - m365solution-healthcare
- - m365solution-scenario
- - m365-frontline
- - highpri
- - m365initiative-meetings
- - m365-virtual-appointments
- - teams-1p-app-admin
+- microsoftcloud-healthcare
+- microsoftcloud-retail
+- m365solution-healthcare
+- m365solution-scenario
+- m365-frontline
+- highpri
+- m365initiative-meetings
+- m365-virtual-appointments
+- teams-1p-app-admin
description: Get an overview of how to use the Virtual Appointments app in Teams to schedule, manage, conduct and view analytics on virtual appointments in your organization. appliesto:
lighthouse M365 Lighthouse Data Privacy And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-data-privacy-and-compliance.md
Previously updated : 02/22/2024 Last updated : 04/16/2024 audience: Admin
In Lighthouse, data access relationships play a pivotal role in governing how MS
- **Purpose:** They manage licensing, billing, and other services. - **Value added:** Resellers often provide additional support and expertise.
+The reseller relationship is established to authorize MSPs to manage orders and purchases for the customer. This arrangement provides MSPs with visibility into the subscriptions the customer has acquired through them, ensuring that they can effectively support and service those subscriptions. It can take 24 hours or longer for changes in the reseller relationship to be reflected in Lighthouse. This procedural timeframe does not affect an MSP's pre-existing knowledge of the subscriptions.
+
+Unlike the reseller relationship, the delegated admin relationship is established to authorize MSPs to access and manage the customer's data and resources. This relationship is based on the consent of the customer and can be revoked at any time. Changes to the delegated admin relationship are reflected immediately in Lighthouse, ensuring that access to customer data is protected in line with the privileges the customer has granted the MSP. This is especially important for scenarios such as security incident response, where timely and accurate data access is crucial.
+ These relationships ensure MSPs access data responsibly while enhancing customer satisfaction. By understanding and optimizing these connections, organizations can build a robust data ecosystem. ### Data feature areas
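Review bot: `This procedural timeframe does not affect an MSP's pre-existing knowledge of the subscriptions` is unclear; say concretely what the MSP still sees during the up-to-24-hour lag (for example, that subscriptions already shown in Lighthouse remain visible). The access-control point that matters is stated well in the next paragraph (delegated admin changes take effect immediately, so a revoked relationship cuts off data access without delay); the reseller paragraph would benefit from the same concreteness. The last added line also runs `### Data feature areas` onto the end of the paragraph; the heading needs its own line.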
security Attack Surface Reduction Rules Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md
- m365-security - tier2 - mde-asr Previously updated : 02/23/2024 Last updated : 04/16/2024 search.appverid: met150
This article provides information about Microsoft Defender for Endpoint attack s
Attack surface reduction rules are categorized as one of two types: -- **Standard protection rules**: Are the minimum set of rules which Microsoft recommends you always enable, while you are evaluating the impact and configuration needs of the other ASR rules. These rules typically have minimal-to-no noticeable impact on the end user.
+- **Standard protection rules**: Are the minimum set of rules which Microsoft recommends you always enable, while you're evaluating the affect and configuration needs of the other ASR rules. These rules typically have minimal-to-no noticeable impact on the end user.
-- **Other rules**: Rules which require some measure of following the documented deployment steps [Plan > Test (audit) > Enable (block/warn modes)], as documented in the [Attack surface reduction rules deployment guide](attack-surface-reduction-rules-deployment.md)
+- **Other rules**: Rules that require some measure of following the documented deployment steps [Plan > Test (audit) > Enable (block/warn modes)], as documented in the [Attack surface reduction rules deployment guide](attack-surface-reduction-rules-deployment.md)
For the easiest method to enable the standard protection rules, see: [Simplified standard protection option](attack-surface-reduction-rules-report.md#simplified-standard-protection-option).
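Review bot: `evaluating the affect and configuration needs` introduces an error; the original `impact` was correct (or use `effect`). The rest of the wording change is fine.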
Links to information about configuration management system versions referenced i
## Per ASR rule alert and notification details
-Toast notifications are generated for all rules in Block mode. Rules in any other mode won't generate toast notifications
+Toast notifications are generated for all rules in Block mode. Rules in any other mode don't generate toast notifications.
For rules with the "Rule State" specified:
For rules with the "Rule State" specified:
## ASR rule modes -- **Not configured** or **Disable**: The state in which the ASR rule hasn't been enabled or has been disabled. The code for this state = 0.
+- **Not configured** or **Disable**: The state in which the ASR rule isn't enabled or is disabled. The code for this state = 0.
- **Block**: The state in which the ASR rule is enabled. The code for this state is 1. - **Audit**: The state in which the ASR rule is evaluated for the effect it would have on the organization or environment if enabled (set to block or warn). The code for this state is 2. - **Warn** The state in which the ASR rule is enabled and presents a notification to the end-user, but permits the end-user to bypass the block. The code for this state is 6. _Warn mode_ is a block-mode type that alerts users about potentially risky actions. Users can choose to bypass the block warning message and allow the underlying action. Users can select **OK** to enforce the block, or select the bypass option - **Unblock** - through the end-user pop-up toast notification that is generated at the time of the block. After the warning is unblocked, the operation is allowed until the next time the warning message occurs, at which time the end-user will need to reperform the action.
-When the allow button is clicked, the block will be suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule will be in blocked mode.
+When the allow button is clicked, the block is suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule will be in blocked mode.
You can also set a rule in warn mode via PowerShell by specifying the AttackSurfaceReductionRules_Actions as "Warn". For example:
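Review bot: The bypass control is called `Unblock` in the bullet above and `the allow button` in this paragraph, and `the end-user will need to allow the block again` reads as if the user re-enables the block when it means they must bypass it again. Suggest: `When the user selects Unblock, the block is suppressed for 24 hours; after that the warning appears again and the user must select Unblock again.`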
GUID: `56a863a9-875e-4185-98a7-b882c64b5ce5`
Advanced hunting action type: -- AsrVulnerableSignedDriverAudited-- AsrVulnerableSignedDriverBlocked
+- `AsrVulnerableSignedDriverAudited`
+- `AsrVulnerableSignedDriverBlocked`
<!-- Dependencies: none provided by engineering
GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
Advanced hunting action type: -- AsrAdobeReaderChildProcessAudited-- AsrAdobeReaderChildProcessBlocked
+- `AsrAdobeReaderChildProcessAudited`
+- `AsrAdobeReaderChildProcessBlocked`
Dependencies: Microsoft Defender Antivirus
GUID: `d4f940ab-401b-4efc-aadc-ad5f3c50688a`
Advanced hunting action type: -- AsrOfficeChildProcessAudited-- AsrOfficeChildProcessBlocked
+- `AsrOfficeChildProcessAudited`
+- `AsrOfficeChildProcessBlocked`
Dependencies: Microsoft Defender Antivirus
LSASS authenticates users who sign in on a Windows computer. Microsoft Defender
By default the state of this rule is set to block. In most cases, many processes make calls to LSASS for access rights that are not needed. For example, such as when the initial block from the ASR rule results in a subsequent call for a lesser privilege which subsequently succeeds. For information about the types of rights that are typically requested in process calls to LSASS, see: [Process Security and Access Rights](/windows/win32/procthread/process-security-and-access-rights).
-> [!NOTE]
-> The Block credential stealing from the Windows local security authority subsystem ASR rule does not support WARN mode.
+Enabling this rule doesn't provide additional protection if you have LSA protection enabled since the ASR rule and LSA protection work similarly. However, when LSA protection cannot be enabled, this rule can be configured to provide equivalent protection against malware that target `lsass.exe`.
> [!NOTE]
+>
+> In this scenario, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal.
+>
+> The *Block credential stealing from the Windows local security authority subsystem* ASR rule doesn't support WARN mode.
+>
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is no need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. Intune name: `Flag credential stealing from the Windows local security authority subsystem`
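Review bot: In the new paragraph, `malware that target lsass.exe` should be `targets`. In the note block, `In this scenario, the ASR rule is classified as "not applicable"` is the first sentence inside the callout and is separated from the LSA protection paragraph it refers to, so `this scenario` has no clear referent; either fold that sentence into the paragraph (`...when LSA protection is enabled, the rule is reported as "not applicable" in the Defender portal`) or name the scenario explicitly, since admins auditing rule coverage need to know which condition produces that status.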
GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
Advanced hunting action type: -- AsrLsassCredentialTheftAudited-- AsrLsassCredentialTheftBlocked
+- `AsrLsassCredentialTheftAudited`
+- `AsrLsassCredentialTheftBlocked`
Dependencies: Microsoft Defender Antivirus
GUID: `be9ba2d9-53ea-4cdc-84e5-9b1eeee46550`
Advanced hunting action type: -- AsrExecutableEmailContentAudited-- AsrExecutableEmailContentBlocked
+- `AsrExecutableEmailContentAudited`
+- `AsrExecutableEmailContentBlocked`
Dependencies: Microsoft Defender Antivirus
GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
Advanced hunting action type: -- AsrUntrustedExecutableAudited-- AsrUntrustedExecutableBlocked
+- `AsrUntrustedExecutableAudited`
+- `AsrUntrustedExecutableBlocked`
Dependencies: Microsoft Defender Antivirus, Cloud Protection
GUID: `5beb7efe-fd9a-4556-801d-275e5ffc04cc`
Advanced hunting action type: -- AsrObfuscatedScriptAudited-- AsrObfuscatedScriptBlocked
+- `AsrObfuscatedScriptAudited`
+- `AsrObfuscatedScriptBlocked`
Dependencies: Microsoft Defender Antivirus, AntiMalware Scan Interface (AMSI)
GUID: `d3e037e1-3eb8-44c8-a917-57927947596d`
Advanced hunting action type: -- AsrScriptExecutableDownloadAudited-- AsrScriptExecutableDownloadBlocked
+- `AsrScriptExecutableDownloadAudited`
+- `AsrScriptExecutableDownloadBlocked`
Dependencies: Microsoft Defender Antivirus, AMSI
GUID: `3b576869-a4ec-4529-8536-b80a7769e899`
Advanced hunting action type: -- AsrExecutableOfficeContentAudited-- AsrExecutableOfficeContentBlocked
+- `AsrExecutableOfficeContentAudited`
+- `AsrExecutableOfficeContentBlocked`
Dependencies: Microsoft Defender Antivirus, RPC
GUID: `75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84`
Advanced hunting action type: -- AsrOfficeProcessInjectionAudited-- AsrOfficeProcessInjectionBlocked
+- `AsrOfficeProcessInjectionAudited`
+- `AsrOfficeProcessInjectionBlocked`
Dependencies: Microsoft Defender Antivirus
GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
Advanced hunting action type: -- AsrOfficeCommAppChildProcessAudited-- AsrOfficeCommAppChildProcessBlocked
+- `AsrOfficeCommAppChildProcessAudited`
+- `AsrOfficeCommAppChildProcessBlocked`
Dependencies: Microsoft Defender Antivirus
This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
+> [!NOTE]
+> If `CcmExec.exe` (SCCM Agent) is detected on the device, the ASR rule is classified as "not applicable" in Defender for Endpoint settings in the Microsoft Defender portal.
+ Intune name: `Persistence through WMI event subscription` Configuration Manager name: Not available
GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
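Review bot: The new note says the rule is reported as "not applicable" when `CcmExec.exe` is present but not what that means for enforcement: is the rule still evaluated on those devices, or is WMI event-subscription persistence left unmonitored there? Readers deciding whether to rely on this rule on Configuration Manager-managed devices need that stated.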
Advanced hunting action type: -- AsrPersistenceThroughWmiAudited-- AsrPersistenceThroughWmiBlocked
+- `AsrPersistenceThroughWmiAudited`
+- `AsrPersistenceThroughWmiBlocked`
Dependencies: Microsoft Defender Antivirus, RPC
GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
Advanced hunting action type: -- AsrPsexecWmiChildProcessAudited-- AsrPsexecWmiChildProcessBlocked
+- `AsrPsexecWmiChildProcessAudited`
+- `AsrPsexecWmiChildProcessBlocked`
Dependencies: Microsoft Defender Antivirus
GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
Advanced hunting action type: -- AsrUntrustedUsbProcessAudited-- AsrUntrustedUsbProcessBlocked
+- `AsrUntrustedUsbProcessAudited`
+- `AsrUntrustedUsbProcessBlocked`
Dependencies: Microsoft Defender Antivirus
GUID: `92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b`
Advanced hunting action type: -- AsrOfficeMacroWin32ApiCallsAudited-- AsrOfficeMacroWin32ApiCallsBlocked
+- `AsrOfficeMacroWin32ApiCallsAudited`
+- `AsrOfficeMacroWin32ApiCallsBlocked`
Dependencies: Microsoft Defender Antivirus, AMSI
GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
Advanced hunting action type: -- AsrRansomwareAudited-- AsrRansomwareBlocked
+- `AsrRansomwareAudited`
+- `AsrRansomwareBlocked`
Dependencies: Microsoft Defender Antivirus, Cloud Protection
Dependencies: Microsoft Defender Antivirus, Cloud Protection
- [Test attack surface reduction rules](attack-surface-reduction-rules-deployment-test.md) - [Enable attack surface reduction rules](attack-surface-reduction-rules-deployment-implement.md) - [Operationalize attack surface reduction rules](attack-surface-reduction-rules-deployment-operationalize.md)-- [Attack surface reduction \(ASR\) rules report](attack-surface-reduction-rules-report.md)
+- [Attack surface reduction rules report](attack-surface-reduction-rules-report.md)
- [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md) - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)++ [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Device Control Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-policies.md
Entries with user or user groups can reference objects from either Entra Id or a
### Best practices for using device control with users and user groups -- To create a rule for an indidual user on Windows, create an entry with a `Sid` condition foreach user in a [rule](#rules)
+- To create a rule for an individual user on Windows, create an entry with a `Sid` condition foreach user in a [rule](#rules)
- To create a rule for a user group on Windows and Intune, **either** create an entry with a `Sid` condition for each user group in a [rule] and target the policy to a machine group in Intune **or** create a rule without conditions and target the policy with Intune to the user group.
The following image depicts configuration settings for a device control policy i
In the screenshot, the Included ID and Excluded ID are the references to included and excluded reusable settings groups. A policy can have multiple rules.
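Review bot: The first bullet fixes `indidual` but leaves `foreach user`, which should be `for each user`; the second bullet's `[rule]` has no link target while the first bullet uses `[rule](#rules)`.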
-The ordering of the rules isn't honored by Intune. The rules can be evaluated in any order, so make sure to explicitly exclude groups of devices that aren't in scope for the rule.
+Intune doesn't honor the ordering of the rules. The rules can be evaluated in any order, so make sure to explicitly exclude groups of devices that aren't in scope for the rule.
### [**XML (Windows)**](#tab/XML)
The following table provides more context for the XML code snippet:
|||| | `PolicyRule Id` | GUID, a unique ID, represents the policy and is used in reporting and troubleshooting. | You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid). | | `Name` | String, the name of the policy and displays on the toast based on the policy setting. | |
-| `IncludedIdList` | The group(s) that the policy applies to. If multiple groups are added, the media must be a member of each group in the list to be included. | The Group ID/GUID must be used at this instance. <br/><br/>The following example shows the usage of GroupID: `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>` |
-| `ExcludedIDList` | The group(s) that the policy doesn't apply to. If multiple groups are added, the media must be a member of a group in the list to be excluded. | The Group ID/GUID must be used at this instance. |
-| `Entry` | One PolicyRule can have multiple entries; each entry with a unique GUID tells device control one restriction. | See Entry properties table below to get details. |
+| `IncludedIdList` | The groups that the policy applies to. If multiple groups are added, the media must be a member of each group in the list to be included. | The Group ID/GUID must be used at this instance. <br/><br/>The following example shows the usage of GroupID: `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>` |
+| `ExcludedIDList` | The groups that the policy doesn't apply to. If multiple groups are added, the media must be a member of a group in the list to be excluded. | The Group ID/GUID must be used at this instance. |
+| `Entry` | One PolicyRule can have multiple entries; each entry with a unique GUID tells device control one restriction. | See Entry properties table below to get details. |
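Review bot: The rewritten rows mix `IncludedIdList` and `ExcludedIDList`; XML element names are case-sensitive, so the table should use the exact casing from the schema for both. The descriptions do capture the AND/OR difference (`member of each group` to be included versus `member of a group` to be excluded), which is the key point for scoping a policy; consider stating it explicitly, as the JSON table does with its `AND`/`OR` notes.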
### [**JSON (Mac)**](#tab/JSON)
The following table provides more context for the XML code snippet:
| Property name | Description | Options | |||| | `id` | GUID, a unique ID, represents the rule and is used in the policy. | `New-Guid (Microsoft.PowerShell.Utility) - PowerShell<br/>uuidgen` |
-| `name` | String, the name of the policy and will display on the toast based on the policy setting. | |
-| `includeGroups` | The group(s) that the policy is applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The ID value inside the group must be used in this instance. If multiple groups are in the includeGroups, it's `AND`. <br/> `"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` |
-| `excludeGroups` | The group(s) that the policy doesn't apply to. | The `id` value inside the group must be used in this instance. If multiple groups are in the excludeGroups, it's `OR`. |
+| `name` | String, name of the policy and displays on the toast based on the policy setting. | |
+| `includeGroups` | The groups that the policy is applied to. If multiple groups are specified, the policy applies to any media in all those groups. If not specified, the rule applies to all devices. | The ID value inside the group must be used in this instance. If multiple groups are in the includeGroups, it's `AND`. <br/> `"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` |
+| `excludeGroups` | The group that the policy doesn't apply to. | The `id` value inside the group must be used in this instance. If multiple groups are in the excludeGroups, it's `OR`. |
| `entries` | One rule can have multiple entries; each entry with a unique GUID tells Device Control one restriction. | See entry properties table later in this article to get the details. |
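Review bot: the `excludeGroups` row now says "The group that the policy doesn't apply to" (singular) while its Options cell still describes multiple groups combined with `OR`; keep "groups", as in the `includeGroups` row. The `includeGroups` row already notes that an unspecified list makes the rule apply to all devices, but it is worth stating the consequence: a rule with an `excludeGroups` list and no `includeGroups` is a global rule minus the exclusions, which is easy to produce by accident when the intent was to scope the rule to one group. The `id` Options cell runs two commands together ("New-Guid (Microsoft.PowerShell.Utility) - PowerShell<br/>uuidgen"); listing them as PowerShell: `New-Guid` and macOS Terminal: `uuidgen` would be clearer.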
Device control policies define access (called an entry) for a set of devices. En
| Entry setting | Options | |||
-| AccessMask | Applies the action only if the access operations matches the access mask - The access mask is the bit-wise OR of the access values:<br><br> 1 - Device Read<br>2 - Device Write<br>4 - Device Execute<br>8 - File Read<br>16 - File Write<br>32 - File Execute<br>64 - Print<br><br>For example:<br>Device Read, Write and Execute = 7 (1+2+4)<br>Device Read, Disk Read = 9 (1+8)<br>
+| AccessMask | Applies the action only if the access operations match the access mask - The access mask is the bit-wise OR of the access values:<br><br> 1 - Device Read<br>2 - Device Write<br>4 - Device Execute<br>8 - File Read<br>16 - File Write<br>32 - File Execute<br>64 - Print<br><br>For example:<br>Device Read, Write, and Execute = 7 (1+2+4)<br>Device Read, Disk Read = 9 (1+8)<br>
| Action | Allow <br/> Deny <br/> AuditAllow <br/> AuditDeny | | Notification | None (default) <br/> An event is generated <br/> The user receives notification <br/> File evidence is captured |
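Review bot: the worked example at the end of the AccessMask cell, "Device Read, Disk Read = 9 (1+8)", calls bit 8 "Disk Read", but the list above it names bit 8 "File Read"; the example should read "Device Read, File Read = 9 (1+8)" so the two names cannot be confused. Since the cell defines the mask as the bit-wise OR of the listed values, it would also help to say plainly that an entry with mask 7 covers only the three device operations and not File Read/Write/Execute (8, 16, 32) or Print (64); readers writing a Deny entry otherwise tend to assume more is blocked than the mask actually selects.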
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
Microsoft Defender for Endpoint Device Control feature enables you to:
- Microsoft Defender for Endpoint entitlement (can be trial) - Minimum OS version: macOS 11 or higher-- Deploy Full Disk Access: you may already have been previously created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`.
+- Deploy Full Disk Access: you may already have previously created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant Full Disk Access permission for a new application: `com.microsoft.dlp.daemon`.
- Enable Device Control on the MDE Preference setting: Data Loss Prevention (DLP)/Features/
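Review bot: the rewritten Full Disk Access bullet still reads awkwardly ("you may already have previously created and deployed this [URL] for other MDE features"); suggest "you may have already created and deployed this profile for other MDE features", with the link text naming the profile (fulldisk.mobileconfig) instead of showing the raw URL. The bullet then asks for a Full Disk Access grant to a new application, `com.microsoft.dlp.daemon`; say explicitly whether a profile deployed earlier for other MDE features has to be updated for this bundle ID, otherwise readers who already deployed fulldisk.mobileconfig may assume the prerequisite is met. The `v2_full_disk_access` field in the status output later in this article is the check that confirms the grant took effect, and the bullet could point there.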
Example 1: JAMF using [schema.json](https://github.com/microsoft/mdatp-xplat/tre
:::image type="content" source="media/macos-device-control-jamf-json.png" alt-text="Screenshot that shows how to enable Device Control in Microsoft Defender for Endpoint Data Loss Prevention / Features.":::
-Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/mobileconfig/demo.mobileconfig)
+<details><summary>Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/mobileconfig/demo.mobileconfig)</summary>
```xml <key>dlp</key>
Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/
</array> </dict> ```
+</details>
- Minimum product version: 101.91.92 or higher - Run _mdatp version_ through Terminal to see the product version on your client machine: :::image type="content" source="mediatp-version-terminal.png ":::
-## Device Control for macOS properties
+## Understanding policies
-The Device Control for macOS includes global setting, group creation and access policy rule creation:
+Policies determine the behavior of device control for macOS. The policy is targeted via Intune or JAMF to a collection of machines or users.
+
+The Device Control for macOS policy includes settings, groups, and rules:
- Global setting called 'settings' allows you to define the global environment. - Group called 'groups' allows you to create media groups. For example, authorized USB group or encrypted USB group. - Access policy rule called 'rules' allows you to create policy to restrict each group. For example, only allow authorized user to Write access-authorized USB group.
-Here are the properties you can use when you create the group and policy.
+ > [!NOTE] > We recommend you use the examples on the GitHub to understand the properties: [mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy). >
-> You can also use the scripts at [mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy/scripts at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/scripts) to translate Windows Device Control policy to macOS Device Control policy or translate macOS Device Control V1 policy to this V2 policy.
+> You can also use the scripts at [mdatp-devicecontrol/tree/main/python#readme at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/python#readme) to translate Windows Device Control policy to macOS Device Control policy or translate macOS Device Control V1 policy to this V2 policy.
+
+> [!NOTE]
+> There are [known issues](#known-issues) with device control for macOS that customers should consider when creating policies.
+
+### Best practices
+
+Device control for macOS has similar capabilities to Device control for Windows, but macOS and Windows provide different underlying capabilities to manage devices, so there are some important differences:
+
+- macOS doesn't have a centralized Device Manager or view of devices. Access is granted/denied to applications that interact with devices. This is why on macOS there are a richer set of [access types](#access-types). For example on a ```portableDevice``` device control for macOS can deny or allow ```download_photos_from_device```.
+- To stay consistent with Windows, there are ```generic_read```,```generic_write``` and ```generic_execute``` access types. Policies with generic access types don't need to be changed if/when additional specific access types are added in the future. The best practice is to use generic access types unless there's a specific need to deny/allow a more specific operation.
+- Creating a ```deny``` policy using generic access types is the best way to attempt to completely block all operations for that type of device (e.g. Android phones), but there may still be gaps if the operation is performed using an application that isn't supported by macOS device control.
->[!WARNING]
->In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.
### Settings
+Here are the properties you can use when you create the groups, rules, and settings in device control policy for macOS.
| Property name | Description | Options | |:|:|:|
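Review bot: the third best-practice bullet says a `deny` rule using generic access types "may still have gaps" for devices such as Android phones but does not say where those gaps are, while the Known Issues section added in this same change states that Android devices are restricted in PTP mode only; link the bullet to that known issue so a reader does not take a generic deny as a complete block of File Transfer or tethering modes, and point readers to the AuditDeny action and the "An event is generated" notification option from the entry settings table as the way to see which operations device control actually intercepted. Smaller points in the same region: "there are a richer set of access types" should be "there is a richer set"; inline identifiers such as ```portableDevice``` and ```generic_read```,```generic_write``` use triple backticks and lack a space after the comma, where single backticks are the convention elsewhere on this page; and the sentence "The policy is targeted via Intune or JAMF to a collection of machines or users" could name the two deployment articles this page already links to in "See also".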
The following table lists the properties you can use in entry:
|:|:|:|:| | **appleDevice** | backup_device | generic_read | | | appleDevice | update_device | generic_write | |
-| appleDevice | download_photos_from_device | generic_read | download photo(s) from the specific iOS device to local machine |
+| appleDevice | download_photos_from_device | generic_read | download photo from the specific iOS device to local machine |
| appleDevice | download_files_from_device | generic_read | download file(s) from the specific iOS device to local machine | | appleDevice | sync_content_to_device | generic_write | sync content from local machine to specific iOS device | | **portableDevice**| download_files_from_device | generic_read | |
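Review bot: changing "download photo(s)" to "download photo" on the `download_photos_from_device` row leaves the next row, `download_files_from_device`, still reading "download file(s)"; both rows describe the same kind of bulk transfer, so use one plural form ("download photos", "download files") in both. The table also shows the direction each generic type covers without saying so: the two download rows map to `generic_read` (data moving from the iOS device to the Mac) and `sync_content_to_device` maps to `generic_write` (data moving from the Mac onto the device), so a policy meant to stop data leaving the Mac has to deny `generic_write`; one sentence above the table stating that would save readers from picking the wrong generic type.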
v2_full_disk_access : "approved"
``` - `active` - feature version, you should see ["v2"]. (Device Control is enabled, but not configured.)
- - [] - Device Control is not configured on this machine
- - ["v1"] - You are on a preview version of Device Control. Please migrate to version 2 using this guide. v1 is considered obsolete and not described in this documentation.
- - ["v1","v2"] - You have both v1 and v2 enabled. Please offboard from v1.
+ - [] - Device Control isn't configured on this machine.
+ - ["v1"] - You are on a preview version of Device Control. Migrate to version 2 using this guide. v1 is considered obsolete and not described in this documentation.
+ - ["v1","v2"] - You have both v1 and v2 enabled. Offboard from v1.
- `v1_configured` - v1 configuration is applied - `v1_enforcement_level` - when v1 is enabled - `v2_configured` - v2 configuration is applied - `v2_state` - v2 status, `enabled` if fully working - `v2_sensor_connection` - if `created_ok`, then Device Control established connection to the system extension-- `v2_full_disk_access` - if not `approved`, then Device Control cannot prevent some or all operations
+- `v2_full_disk_access` - if not `approved`, then Device Control can't prevent some or all operations
## Reporting
-You'll be able to see the policy event on Advanced hunting and Device Control report. For more information, see [Protect your organization's data with Device Control](device-control-report.md).
+You are able to see the policy event on Advanced hunting and Device Control report. For more information, see [Protect your organization's data with Device Control](device-control-report.md).
## Scenarios
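Review bot: the `active` bullet and its `[]` sub-bullet are hard to tell apart: the first says you should see `["v2"]` "(Device Control is enabled, but not configured.)" and the next says `[]` means "Device Control isn't configured on this machine"; state explicitly that `["v2"]` means the v2 feature is switched on (with or without a policy applied) and `[]` means it is not switched on at all, otherwise an admin reading "not configured" twice cannot tell which state the machine is in. Of the remaining fields, `v2_full_disk_access` is the one with a security consequence ("Device Control can't prevent some or all operations" when it is not `approved`), so it deserves to be called out as a required post-deployment check alongside `v2_state` being `enabled` and `v2_sensor_connection` being `created_ok`, rather than listed as one field among many.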
Create access policy rule and put into 'rules':
In this case, only have one access rule policy, but if you have multiple, make sure to add all into 'rules'. +
+## Known Issues
+
+>[!WARNING]
+>In macOS Sonoma 14.3.1, Apple made a change to the [handling of Bluetooth devices](https://developer.apple.com/forums/thread/738748) that impacts Defender for Endpoint device controls ability to intercept and block access to Bluetooth devices. At this time, the recommended mitigation is to use a version of macOS less than 14.3.1.
+
+>[!WARNING]
+>Device Control on macOS restricts Android devices that are connected using PTP mode **only**. Device control does not restrict other modes such as File Transfer, USB Tethering and MIDI
+++ ## See also - [Deploy Device Control by using Intune](mac-device-control-intune.md)
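Review bot: the Bluetooth warning's recommended mitigation, "use a version of macOS less than 14.3.1", asks customers to hold back OS updates in order to keep one device control capability; the warning should say that this trades the Bluetooth enforcement gap against missing later macOS security fixes, and that the guidance is time-bound and will be revised, so readers weigh the two rather than pin macOS indefinitely. The Android warning states the PTP-only restriction but offers no mitigation; saying plainly that File Transfer, USB Tethering and MIDI modes are not restricted at all makes the exposure clear, and the sentence needs a closing period. Three blank lines were added before "## See also"; one is enough.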
security Mac Troubleshoot Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode.md
This article describes how to enable the troubleshooting mode in Microsoft Defen
For example, if the tamper protection is enabled, certain settings can't be modified or turned off, but you can use troubleshooting mode on the device to edit those settings temporarily.
-Troubleshooting mode is disabled by default, and requires you to turn it on for a device (and/or group of devices) for a limited time. Troubleshooting mode is exclusively an enterprise-only feature, and requires access to [Microsoft Defender XDR portal](https://security.microsoft.com/).
+Troubleshooting mode is disabled by default, and requires you to turn it on for a device (and/or group of devices) for a limited time. Troubleshooting mode is exclusively an enterprise-only feature, and requires access to [Microsoft Defender portal](https://security.microsoft.com/).
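Review bot: "Troubleshooting mode is exclusively an enterprise-only feature" says the same thing twice; "Troubleshooting mode is an enterprise-only feature" is enough. Because the paragraph above presents the mode as a way to temporarily change settings that tamper protection locks, this paragraph should also say how long the "limited time" window lasts (or link to where it is defined) and whether turning it on is recorded in the portal's action history, so security teams know the exposure window while tamper protection is relaxed on a device.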
## What do you need to know before you begin
or newer.
## Enable troubleshooting mode on macOS
-1. Go to the [Microsoft Defender XDR portal](https://security.microsoft.com/), and sign in.
+1. Go to the [Microsoft Defender portal](https://security.microsoft.com/), and sign in.
2. Navigate to the device page you would like to turn on troubleshooting mode. Then, select the ellipses(...) and select **Turn on troubleshooting mode**. :::image type="content" source="media/troubleshooting-mode-on-mac.png" alt-text="Screenshot displaying the screenshot of the troubleshooting mode on mac.":::
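Review bot: step 2's alt text, "Screenshot displaying the screenshot of the troubleshooting mode on mac", repeats itself; "Screenshot of the Turn on troubleshooting mode option on a device page" describes the image. The step sentence also needs a preposition: "Navigate to the device page for the device on which you want to turn on troubleshooting mode".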
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
f1.keywords:
ms.localizationpriority: medium Previously updated : 02/02/2024 Last updated : 04/16/2024 audience: ITPro
If you're using a terminal, download the tool by entering the following command:
2. Verify the download. > [!NOTE]
- > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from this link is: '00E314DD1C1F90F0DF177189E67D0BCBF03CAF7515D4F10BD509A4BFD1889253'
+ > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from this link is: '9D0552DBBD1693D2E2ED55F36147019CFECFDC009E76BAC4186CF03CD691B469'
-
- Linux ```console
- echo '00E314DD1C1F90F0DF177189E67D0BCBF03CAF7515D4F10BD509A4BFD1889253 XMDEClientAnalyzerBinary.zip' | sha256sum -c
+ echo '9D0552DBBD1693D2E2ED55F36147019CFECFDC009E76BAC4186CF03CD691B469 XMDEClientAnalyzerBinary.zip' | sha256sum -c
``` - macOS ```console
- echo '00E314DD1C1F90F0DF177189E67D0BCBF03CAF7515D4F10BD509A4BFD1889253 XMDEClientAnalyzerBinary.zip' | shasum -a 256 -c
+ echo '9D0552DBBD1693D2E2ED55F36147019CFECFDC009E76BAC4186CF03CD691B469 XMDEClientAnalyzerBinary.zip' | shasum -a 256 -c
```
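Review bot: the SHA256 value lives in three places (the note and the two verification commands), and this change had to update all three in step; to keep them from drifting, either reference a single published hash or state the file version or date the hash belongs to next to it, since a stale value in one of the commands would push readers either to ignore a failed check or to distrust a good download. The note's phrasing "The current SHA256 hash ... is:" also gives no way to tell when it was last refreshed.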
If you're using a terminal, download the tool by entering the following command:
5. Three new zip files are produced: - **SupportToolLinuxBinary.zip** : For all Linux devices
- - **SupportToolmacOSBinary.zip** : For Intel-based Mac devices
- - **SupportToolmacOS-armBinary.zip** : For Arm-based Mac devices
+ - **SupportToolMacOSBinary.zip** : For Mac devices
-6. Unzip one of the above 3 zip files based on the machine you need to investigate.\
-When using a terminal, unzip the file by entering one of the following commands based on machine type:
+6. Unzip one of the above 2 zip files based on the machine you need to investigate.\
+When using a terminal, unzip the file by entering one of the following commands based on OS type:
- Linux
When using a terminal, unzip the file by entering one of the following commands
unzip -q SupportToolLinuxBinary.zip ```
- - Intel-based Mac
+ - Mac
```console
- unzip -q SupportToolmacOSBinary.zip
- ```
-
- - For Arm-based Mac devices
-
- ```console
- unzip -q SupportToolmacOS-armBinary.zip
+ unzip -q SupportToolMacOSBinary.zip
``` 7. Run the tool as _root_ to generate diagnostic package:
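Review bot: collapsing the Intel and Arm entries into a single "SupportToolMacOSBinary.zip: For Mac devices" drops information the previous version carried, namely that Arm-based Macs were served by a separate package; if the single package is universal, say that it covers both Intel and Apple silicon Macs, otherwise readers on Arm hardware may assume support was removed. The file name also changed case, from `SupportToolmacOSBinary.zip` to `SupportToolMacOSBinary.zip`; the unzip command was updated to match, but any customer scripts built around the old name need the same change, which is worth a one-line mention.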
When using a terminal, unzip the file by entering one of the following commands
- Linux ```console
- echo '2F33B35ABA3B5B9161E7CCD88CDC0ADACD7D27173768DD68632651950ADF77B8 XMDEClientAnalyzer.zip' | sha256sum -c
+ echo '36C2B13AE657456119F3DC2A898FD9D354499A33F65015670CE2CD8A937F3C66 XMDEClientAnalyzer.zip' | sha256sum -c
``` - macOS ```console
- echo '2F33B35ABA3B5B9161E7CCD88CDC0ADACD7D27173768DD68632651950ADF77B8 XMDEClientAnalyzer.zip' | shasum -a 256 -c
+ echo '36C2B13AE657456119F3DC2A898FD9D354499A33F65015670CE2CD8A937F3C66 XMDEClientAnalyzer.zip' | shasum -a 256 -c
``` 3. Extract the contents of XMDEClientAnalyzer.zip on the machine.\
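Review bot: step 3 ("Extract the contents of XMDEClientAnalyzer.zip on the machine") follows the hash check with no condition attached; make extraction conditional on `sha256sum -c` or `shasum -a 256 -c` printing OK, and tell readers that on any other output the archive must not be extracted or run and should be downloaded again. As with the binary download above, the Linux and macOS commands carry the same hash literal twice, so a single documented location for the current value would keep them from disagreeing.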
security Uefi Scanning In Defender For Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/uefi-scanning-in-defender-for-endpoint.md
- m365-security - tier2 search.appverid: met150 Previously updated : 12/10/2023 Last updated : 04/16/2024 # UEFI scanning in Defender for Endpoint
-Beginning June 17 2020, Microsoft Defender for Endpoint extended its protection capabilities to the firmware level with a new [Unified Extensible Firmware Interface (UEFI)](/windows-hardware/drivers/bringup/unified-extensible-firmware-interface) scanner.
+Recently, Microsoft Defender for Endpoint extended its protection capabilities to the firmware level with a new [Unified Extensible Firmware Interface (UEFI)](/windows-hardware/drivers/bringup/unified-extensible-firmware-interface) scanner.
Hardware and firmware-level attacks have continued to rise in recent years, as modern security solutions made persistence and detection evasion on the operating system more difficult. Attackers compromise the boot flow to achieve low-level malware behavior that's hard to detect, posing a significant risk to an organization's security posture.
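Review bot: replacing "Beginning June 17 2020" with "Recently" removes a verifiable date and will read wrong within a year; either keep the date ("In June 2020, Microsoft Defender for Endpoint extended ...") or drop the time reference entirely, and "a new ... scanner" should likewise lose "new" if the date goes. The following paragraph's statement that hardware and firmware attacks "have continued to rise in recent years" is the motivation for the whole article and would benefit from a citation.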
The UEFI scanner is a new component of the [built-in antivirus](/windows/securit
## Prerequisites -- Microsoft Defender Antivirus as the primary antivirus product
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) as the primary antivirus product and in active mode. UEFI scanner doesn't work with [EDR in block mode](edr-in-block-mode.md) (with Microsoft Defender Antivirus in passive mode).
+- [Real-time protection](configure-protection-features-microsoft-defender-antivirus.md) is turned on
+- [Behavior monitoring](behavior-monitor.md) is turned on
+- Devices are running a current [Microsoft Defender Antivirus platform version](microsoft-defender-antivirus-updates.md#monthly-platform-and-engine-versions)
+- Devices are running one of the following versions of Windows:
+ - Windows 10, Windows 11 or newer on client devices
+ - Windows Server 2019, Windows Server 2022, or newer versions
+ - [Windows Server 2012 R2 and Windows Server 2016](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292) with the [unified Defender for Endpoint client](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution) installed
- > [!NOTE]
- > UEFI scanner does not work with Endpoint detection and response (EDR) in block mode, since Microsoft Defender Antivirus would be operating in passive mode.
--- Real-Time Protection should be ON-- Behavior Monitoring should be ON-- Supported version of Microsoft Defender Antivirus Platform Update (N-2)-- Windows 10, Windows 11 and newer versions, [Windows Server 2012 R2 and Windows Server 2016](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292) running the unified Defender for Endpoint client, Windows Server 2019, Windows Server 2022 and newer versions-
-## How did we build the UEFI scanner?
+## What is the UEFI scanner?
The Unified Extensible Firmware Interface (UEFI) is a replacement for [legacy BIOS](/windows-hardware/drivers/bringup/smbios). If the chipset is configured correctly ([UEFI](https://uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf) & chipset configuration itself) and [secure boot](/windows-hardware/design/device-experiences/oem-secure-boot) is enabled, the firmware is reasonably secure. To perform a hardware-based attack, attackers exploit a vulnerable firmware or a misconfigured machine to deploy a [rootkit](https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-a-rootkit), which allows attackers to gain foothold on the machine.
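Review bot: the new platform prerequisite, "Devices are running a current Microsoft Defender Antivirus platform version", is vaguer than the line it replaces, which stated the supported window as N-2; keep the N-2 rule in the bullet (the linked page can still carry the version list), because an admin checking prerequisites needs a concrete test. The first bullet now correctly ties the scanner to active mode and rules out EDR in block mode, which is the important operational point. The client bullet reads "Windows 10, Windows 11 or newer on client devices" and needs a comma before "or" to match the server bullet. The "What is the UEFI scanner?" heading fits the paragraph that follows better than "How did we build", but that paragraph's claim that the firmware "is reasonably secure" when chipset configuration and secure boot are correct should be qualified, since the next sentence immediately describes attackers exploiting vulnerable firmware to deploy a rootkit.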
The [Serial Peripheral Interface (SPI)](https://en.wikipedia.org/wiki/Serial_Per
Once an implant is deployed, it's hard to detect. To catch threats at this level, security solutions at the OS level rely on information from the firmware, but the chain of trust is weakened.
-Technically, the firmware is not stored and is not accessible from main memory. As opposed to other software, it is stored in SPI flash storage, so the new UEFI scanner must follow the hardware protocol provided by hardware manufacturers. To be compatible and be up to date with all platforms, it needs to take into consideration protocol differences.
+Technically, the firmware isn't stored and isn't accessible from main memory. As opposed to other software, it's stored in SPI flash storage, so the new UEFI scanner must follow the hardware protocol provided by hardware manufacturers. To be compatible and be up to date with all platforms, it needs to take into consideration protocol differences.
:::image type="content" source="media/uefi-scanner-internals-overview.png" alt-text="Screenshot that shows UEFI scanner internals overview"::: The UEFI scanner performs dynamic analysis on the firmware it gets from the hardware flash storage. By obtaining the firmware, the scanner is able to parse the firmware, enabling Defender for Endpoint to inspect firmware content at runtime.
-## How do you turn on UEFI scanner?
+## How do you turn on the UEFI scanner?
The new UEFI scanner is a component of Microsoft Defender Antivirus, thus, as long as it's the primary AV, it includes this capability to scan and access UEFI firmware.
-## How do you manage UEFI scanner?
+## How do you manage the UEFI scanner?
-It's a built-in functionality of Microsoft Defender Antivirus, thus, there is no additional management.
+It's a built-in functionality of Microsoft Defender Antivirus. Thus, there is no additional management.
## How does the UEFI scanner in Defender for Endpoint work?
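Review bot: "the firmware isn't stored and isn't accessible from main memory" is imprecise as written, because the point being made is about where the image persists rather than whether it is ever in RAM; suggest "the firmware image is not stored on disk or exposed as ordinary files: it lives in SPI flash, so the scanner has to read it through the hardware protocol each manufacturer provides". The "How do you turn on" and "How do you manage" sections both say the capability comes with Microsoft Defender Antivirus as the primary AV, which matches the prerequisites, but "there is no additional management" should also say whether there is any setting to turn the scanner off, if that is the case, so readers do not go looking for one.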
Firmware scanning is orchestrated by runtime events like suspicious driver load
:::image type="content" source="media/windows-security-detecting-malicious-content-in-nvram.png" alt-text="Screenshot that shows Windows Security notification for malicious content in NVRAM":::
-Defender for Endpoint customers will also see these detections raised as alerts in [Microsoft Defender Security Center](https://security.microsoft.com/), empowering security operations teams to investigate and respond to firmware attacks and suspicious activities at the firmware level in their environments.
+Defender for Endpoint customers can see these detections raised as alerts in the [Microsoft Defender portal](https://security.microsoft.com/), empowering security operations teams to investigate and respond to firmware attacks and suspicious activities at the firmware level in their environments.
:::image type="content" source="media/mde-alert-detecting-malicious-code-in-firmware.png" alt-text="Screenshot that shows Defender for Endpoint alert detecting malicious code":::
-Security operations teams can also use the [advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Defender for Endpoint to hunt for these threats:
-
-```powershell
-DeviceEvents
-
-| where ActionType == "AntivirusDetection"
-
-| extend ParsedFields=parse_json(AdditionalFields)
-
-| extend ThreatName=tostring(ParsedFields.ThreatName)
-
-| where ThreatName contains_cs "UEFI"
-
-| project ThreatName=tostring(ParsedFields.ThreatName),
-
- FileName, SHA1, DeviceName, Timestamp
-
-| limit 100
-```
-
-To detect unknown threats in SPI flash, signals from the UEFI scanner are analyzed to identify anomalies and where they have been executed. Anomalies are reported to the Microsoft Defender Security Center for investigation.
+To detect unknown threats in SPI flash, signals from the UEFI scanner are analyzed to identify anomalies and where they have been executed. Anomalies are reported to the Microsoft Defender portal for investigation.
:::image type="content" source="media/mde-alert-malware-implant-in-uefi-file-system.png" alt-text="Screenshot that shows Defender for Endpoint alert for malware implant in UEFI":::
-These events can likewise be queried through Advanced Hunting as shown:
+These events can likewise be queried through advanced hunting as shown:
-```powershell
+```kusto
DeviceAlertEvents | where Title has "UEFI"
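Review bot: this change removes the DeviceEvents query (`| where ActionType == "AntivirusDetection"` ... `| where ThreatName contains_cs "UEFI"`) and keeps only `DeviceAlertEvents | where Title has "UEFI"`, which is a loss of detection coverage for readers: the alert table holds only events that were already promoted to alerts, whereas the AntivirusDetection event query surfaces every UEFI-named detection with its FileName, SHA1 and DeviceName, which is what an analyst hunts with. Keep the first query and re-fence it as `kusto`, as was done for the second one (both were mislabeled `powershell`), and note that `contains_cs` is case-sensitive, so a filter on "UEFI" misses threat names that spell it differently.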
Hardware backed security features like Secure Launch and device attestation help
With its UEFI scanner, [Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on. Security operations teams can use this new level of visibility, along with the rich set of detection and response capabilities in Defender for Endpoint, to investigate and contain such advanced attacks.
-This level of visibility is also available in [Microsoft 365 Defender (M365D)](https://www.microsoft.com/security/technology/threat-protection), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps.
+This level of visibility is also available in the [Microsoft Defender portal](https://www.microsoft.com/security/technology/threat-protection), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps.
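Review bot: the last sentence now says the visibility "is also available in the Microsoft Defender portal, which delivers an even broader cross-domain defense"; a portal is a UI, and the cross-domain coordination described is the product the removed line called Microsoft 365 Defender (since renamed Microsoft Defender XDR), which is also where the link still points. Suggest "in Microsoft Defender XDR, which delivers ...". In the context line above, "Hardware backed security features" should be hyphenated as "Hardware-backed".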
security Compare Rbac Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/compare-rbac-roles.md
You configured protection-related Exchange Online permissions in the Exchange ad
|MDI viewer|Security operations \ Security data \ Security data basics (read)</br>Authorization and settings \ Security settings \ Core security settings (read) </br>Authorization and settings \ System setting (read)| > [!NOTE]
-> Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).
-
+> Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).
+> Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over. You need to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
<a name='azure-active-directory-global-roles-access'></a> ### Microsoft Entra Global roles access
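Review bot: the new "Exception:" sentence is appended as a second line of the same note, so it reads as a continuation of the Defender for Cloud Apps statement it contradicts; give it its own paragraph (or its own note) and state the outcome plainly: with scoped deployment configured, users who hold only Cloud Apps permissions lose Defender for Identity access until they are explicitly granted Security operations \ Security data \ Security data basics (read). It is worth adding that this is fail-closed behavior (access is withheld, not widened), since that is the part a permissions reviewer wants confirmed. The first line of the note was removed and re-added unchanged; if that is a whitespace-only change it can be dropped from the diff.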
security Custom Permissions Details https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-permissions-details.md
Permissions for managing day-to-day operations and responding to incidents and a
|Permission name|Level|Description| ||||
-|Security data basic|Read|View info about incidents, alerts, investigations, advanced hunting, devices, submissions, evaluation lab, and reports.|
+|Security data basics|Read|View info about incidents, alerts, investigations, advanced hunting, devices, submissions, evaluation lab, and reports.|
|Alerts|Manage|Manage alerts, start automated investigations, run scans, collect investigation packages, and manage device tags.| |Response|Manage|Take response actions, approve or dismiss pending remediation actions, and manage blocked and allowed lists for automation.| |Basic live response|Manage|Initiate a live response session, download files, and perform read-only actions on devices remotely.|
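Review bot: renaming "Security data basic" to "Security data basics" brings this table in line with the name used in the compare-rbac-roles change in this same batch ("Security operations \ Security data \ Security data basics (read)"); check the other pages that list custom permissions so the label matches the portal string everywhere, since admins search on that exact text when assigning roles.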