+ Title: 'Quickstart: Accessing Microsoft Defender Threat Intelligence (Defender TI)'

+description: In this quickstart, learn how to access Microsoft Defender Threat Intelligence (Defender TI) in the Microsoft Defender portal, as well as configure your profile and preferences and access help resources in the Defender portal.

+# Quickstart: Learn how to access Microsoft Defender Threat Intelligence and make customizations

+>[!IMPORTANT]

+> On June 30, 2024, The Microsoft Defender Threat Intelligence (Defender TI) standalone portal (https://ti.defender.microsoft.com) will be retired and will no longer be accessible. Customers can continue using Defender TI in the [Microsoft Defender portal](https://aka.ms/mdti-intel-explorer) or with [Microsoft Copilot for Security](security-copilot-and-defender-threat-intelligence.md). [Learn more](https://aka.ms/mdti-standaloneportal)

+This guide walks you through how to access Microsoft Threat Intelligence (Defender TI) from the Microsoft Defender portal, adjust the portalΓÇÖs theme to make it easier on your eyes when using it, and find sources for enrichment so you can see more results when gathering threat intelligence.

+ :::image type="content" source="/defender/threat-intelligence/media/quickstart-intel-explorer.png" alt-text="Screenshot of the Microsoft Defender Threat Intelligence Intel explorer in the Microsoft Defender portal." lightbox="/defender/threat-intelligence/media/quickstart-intel-explorer.png":::

+- A Microsoft Entra ID or personal Microsoft account. [Sign in or create an account](https://signup.microsoft.com/)

+- A Defender TI premium license.

+ > Users without a Defender TI premium license can still access our free Defender TI offering.

+## Open Defender TI in the Microsoft Defender portal

+1. Access the [Defender portal](https://security.microsoft.com/) and complete the Microsoft authentication process. [Learn more about the Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal)

+2. Navigate to **Threat intelligence**. You can access Defender TI in the following pages:

+ - Intel profiles

+ - Intel explorer

+ - Intel projects

+ :::image type="content" source="/defender/threat-intelligence/media/quickstart-navigation.png" alt-text="Screenshot of the Microsoft Defender portal with the Threat intelligence navigation links highlighted." lightbox="/defender/threat-intelligence/media/quickstart-navigation.png":::

+## Adjust the Defender portalΓÇÖs display theme to dark or light mode

+By default, the Defender portalΓÇÖs display theme is set to light mode. To switch to dark mode, on the Defender portal, navigate to **Home** then select **Dark mode** on the upper right-right corner of the home page.

+

+

+To switch back to light mode, select **Light mode** in the same upper-right hand corner of the home page.

+

+## Get help and learn about Defender TI support resources

+Select the **Help** icon in the upper right-hand corner of the Defender portal. The side panel displays a search bar where you can type your problem or support question.

+You can also review MicrosoftΓÇÖs [licensing resources](https://www.microsoft.com/licensing/docs) and [privacy statement](https://privacy.microsoft.com/privacystatement) by selecting **Legal** and **Privacy & Cookies**, respectively, at the lower right hand of the **Help** side panel.

+## Sign out of the Defender portal

+1. Select the **My account** icon in the upper right-hand corner of the Defender portal.

+2. Select **Sign out**.

+### See also

+- [What is Microsoft Defender Threat Intelligence (Defender TI)?](index.md)

+Users can rate their experience and provide additional information about their experience via system-initiated survey prompts. These prompts occur within the Microsoft 365 products from time to time. When prompted, users can choose if they want to provide feedback. The survey prompts typically appears at the bottom right of the app. If the user decides to provide feedback, dismisses the prompt, or lets the prompt disappear on its own, that user won't see the survey again for some time. Microsoft also leverages a governance process to limit the number of these system-initiated surveys. The intent of governance is to ensure users aren't overwhelmed by the number of survey prompts.

+- **Attachments** Were any attachments (i.e. screenshots, files) collected as part of the feedback? (Yes/No).

+- **Optional Diagnostic data** If you're opted in, this data will be included with the feedback. [Learn more](/deployoffice/privacy/optional-diagnostic-data).

+- Log files: Additional log files that aren't included in Overview of diagnostic log files for Office - Microsoft Support and that may include the userΓÇÖs name or contents of the userΓÇÖs files. Examples: logs that include the element of the customerΓÇÖs file that is preventing the file from saving.

+> [!NOTE]

+> For information about what feedback data is collected about Microsoft Copilot with Microsoft 365 apps, see [Providing feedback about Microsoft Copilot with Microsoft 365 apps](https://support.microsoft.com/topic/c481c26a-e01a-4be3-bdd0-aee0b0b2a423).

+To meet MicrosoftΓÇÖs legal obligations to customers, we've added an experience in the Microsoft 365 admin center that lets administrators view, delete, and export the feedback data for their organizations. As part of their data controller responsibility, customers own all user feedback data and this functionality will assist administrators to provide direct transparency into their usersΓÇÖ experiences with Microsoft 365 products and enable user feedback data to be provided as part of any Data Subject Request. Global admins and compliance data administrators now have the ability to view, export, and delete user feedback. All other administrators, as well as readers, are able to view and export feedback data but can't perform compliance related tasks or see information about who posted the feedback (such as user name, email, or device name). To access your organization's feedback data, sign in to the Microsoft 365 admin center and customize navigation to show the health node. Access this experience by selecting **Product Feedback** under the Health node.

+- Guidance for [optimizing connectivity to Microsoft 365 services](#BKMK_OptmizeConnectivity)

+For more information on Microsoft 365 optimization methods, see the [optimizing connectivity to Microsoft 365 services](#BKMK_OptmizeConnectivity) section.

+If you use cloud-based network or security services for your Microsoft 365 traffic, ensure that the result of the hairpin is evaluated and its effect on Microsoft 365 performance is understood. This can be done by examining the number and locations of service provider locations through which the traffic is forwarded in relationship to number of your branch offices and Microsoft Global Network peering points, quality of the network peering relationship of the service provider with your ISP and Microsoft, and the performance effect of backhauling in the service provider infrastructure.

+Due to the large number of distributed locations with Microsoft 365 entry points and their proximity to end-users, routing Microsoft 365 traffic to any third-party network or security provider can have an adverse effect on Microsoft 365 connections if the provider network isn't configured for optimal Microsoft 365 peering.

+## Optimizing connectivity to Microsoft 365 services

+<a name="BKMK_OptmizeConnectivity"> </a>

+Microsoft 365 services are a collection of dynamic, interdependent, and deeply integrated products, applications, and services. When configuring and optimizing connectivity to Microsoft 365 services, it is not feasible to link specific endpoints (domains) with a few Microsoft 365 scenarios to implement allow-listing at the network level. Microsoft does not support selective allow-listing as it causes connectivity and service incidents for users. Network administrators should therefore always apply Microsoft 365 guidelines for network allow-listing and common network optimizations to the full set of required network endpoints (domains) that are [published](microsoft-365-ip-web-service.md) and updated regularly. While we are simplifying Microsoft 365 network endpoints in response to customer feedback, network administrators should be aware of the following core patterns in the existing set of endpoints today:

+ - Where possible, the published domain endpoints will include wildcards to significantly lower the network configuration effort for customers.

+ - Microsoft 365 announced a domain consolidation initiative (cloud.microsoft), providing customers a way to simplify their network configurations and automatically accrue network optimizations for this domain to many current and future Microsoft 365 services.

+ - Exclusive use of cloud.microsoft root domain for security isolation and specific functions. This enables customer network and security teams to trust Microsoft 365 domains, while improving connectivity to those endpoints and avoiding unnecessary network security processing.

+ - Certain endpoint definitions specify unique IP prefixes corresponding to their domains. This feature supports customers with intricate network structures, enabling them to apply precise network optimizations by utilizing IP prefix details.

+The following network configurations are recommended for all **ΓÇ£RequiredΓÇ¥** Microsoft 365 network endpoints (domains) and categories:

+ - Explicitly permitting Microsoft 365 network endpoints in the network devices and services that user connections go through (e.g., network perimeter security devices like proxies, firewalls, DNS, cloud-based network security solutions, etc.)

+ - Bypass Microsoft 365 domains from TLS decryption, traffic interception, deep packet inspection, and network packet and content filtering. Note that many outcomes that customers are using these network technologies for in the context of untrusted/unmanaged applications can be achieved by Microsoft 365 security features natively.

+ - Direct internet access should be prioritized for the Microsoft 365 domains by reducing reliance on wide area network (WAN) backhauling, avoiding network hairpins, and enabling a more efficient internet egress local to the users and directly to the Microsoft network.

+ - Ensure that DNS name resolution occurs close to the network egress to ensure that connections are served through the most optimal Microsoft 365 front door.

+ - Prioritize Microsoft 365 connections along the network path, ensuring capacity and quality of service for Microsoft 365 experiences.

+ - Bypass traffic intermediation devices such as proxies and VPN services.

+Customers with complex network topologies, implementing network optimizations like custom routing, IP based proxy bypass, and split tunnel VPN may require IP prefix information in addition to domains. To facilitate these customer scenarios Microsoft 365 network endpoints are grouped into categories to prioritize and ease the configuration of these additional network optimizations. Network endpoints classified under the **ΓÇ£OptimizeΓÇ¥** and **ΓÇ£AllowΓÇ¥** categories carry high traffic volumes and are sensitive to network latency and performance, and customers may want to optimize connectivity to those first. Network endpoints under the **ΓÇ£OptimizeΓÇ¥** and **ΓÇ£AllowΓÇ¥** categories have IP addresses listed along with domains. Network endpoints classified under the **ΓÇ£DefaultΓÇ¥** category do not have IP addresses associated with them as they are more dynamic in nature and IP addresses change over time.

+### Additional network considerations

+When optimizing connectivity to Microsoft 365, certain network configurations may have a negative impact on Microsoft 365 availability, interoperability, performance, and user experience. Microsoft has not tested the following network scenarios with our services, and they are known to cause connectivity issues.

+ - TLS termination or deep packet inspection of any M365 domains with customer proxies or other types of network devices or services [(Use third-party network devices or solutions with Microsoft 365 - Microsoft 365 | Microsoft Learn)](/troubleshoot/miscellaneous/office-365-third-party-network-devices).

+ - Blocking specific protocols or protocol versions such as QUIC, WebSocketΓÇÖs, etc. by intermediate network infrastructure or service.

+ - Forcing downgrade or failover of protocols (such as UDP --> TCP, TLS1.3 --> TLS1.2 --> TLS1.1) used between client applications and Microsoft 365 services.

+ - Routing connections through network infrastructure applying its own authentication such as proxy authentication.

+We recommend that customers avoid using these network techniques to traffic destined to Microsoft 365 domains and bypass these for Microsoft 365 connections.

+Microsoft recommends setting up an automated system to download and apply the M365 network endpoint list regularly. Please refer to [Change management for Microsoft 365 IP addresses and URLs for more information](managing-office-365-endpoints.md#change-management-for-microsoft-365-ip-addresses-and-urls).

+You can approach optimization as an incremental process, applying each method successively. The following table lists key optimization methods in order of their effect on latency and reliability for the largest number of users.

+ You can read about these categories and guidance for their management in [New Microsoft 365 endpoint categories](microsoft-365-network-connectivity-principles.md#optimizing-connectivity-to-microsoft-365-services).

+|[](https://go.microsoft.com/fwlink/?linkid=2206713) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206713) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206386) <br>Updated April 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce to increase communications, enhance wellbeing and engagement, train and onboard your workers, and manage your workforce and operations.|

+| [Team communication and collaboration](flw-team-collaboration.md) | Help your frontline workforce communicate within their store, shift, or team with Microsoft Teams. Viva Connections helps you create a dashboard that puts the information they need front and center on their devices, so they can reach out whenever they need to. | Teams<br>Outlook<br>SharePoint<br>Power Platform and Power Apps | Approvals, Chat, Files, Lists, Meet, Planner, Praise, Shifts, Walkie Talkie, Viva Connections|

+| [Simplify business processes](simplify-business-processes.md) | Use [task publishing](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json#task-publishing) to create standard processes across sites, Lists to manage information and track ongoing processes, and streamline requests with Approvals. Automated workflows can speed up and automate actions, like collecting data or routing notifications. | Teams<br>Power Platform | Planner, Lists, Approvals |

+| Frontline workers communicate on the go with Teams chat, schedule work with Shifts, check off tasks with Planner, and track items in Lists, along with other Teams functionality. | Information workers communicate over Teams with chat, meet, and calls, and use other Teams apps (depending on the specific license). |

+Microsoft 365 includes apps like Lists, Planner, and Approvals that can help you streamline operations and bring them from paper-based to digitally tracked processes. You can enhance these by adding workflow automation, custom apps, and business data tracking with Power Automate, Power Apps, and Power BI from the Power Platform. Extend even further with solutions provided by our partners in the digital ecosystem.

+|[](https://go.microsoft.com/fwlink/?linkid=2206713) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206713) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206386) <br>Updated April 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce to increase communications, enhance wellbeing and engagement, train and onboard your workers, and manage your workforce and operations.|

+|[](https://go.microsoft.com/fwlink/?linkid=2206475) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206475) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206474) <br>Updated April 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a healthcare setting.|

+|[](https://go.microsoft.com/fwlink/?linkid=2206476) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206476) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206271) <br>Updated April 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a retail setting.|

+| Scenario | Approvals | Virtual Appointments or Bookings | Lists | Praise | Shifts | Planner | Updates |

+- [Track and monitor work with Planner](#track-and-monitor-work-with-planner)

+### Track and monitor work with Planner

+Use Planner in Teams to track tasks for your whole frontline team. Store managers and employees can create, assign, and schedule tasks, categorize tasks, and update status at any time from any device running Teams. IT pros and admins can also publish tasks to specific teams for your organization. For example, you could publish a set of tasks for daily cleaning or steps to set up a new display.

+Learn how to [manage the Planner app for your organization](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json).

+Share the [Planner in Teams help & learning](https://support.microsoft.com/office/getting-started-with-planner-in-teams-7a5e58f1-2cee-41b0-a41d-55d512c4a59c) with your users.

+- [Viva Connections](#viva-connections)

+- [Planner](https://support.microsoft.com/office/getting-started-with-planner-in-teams-7a5e58f1-2cee-41b0-a41d-55d512c4a59c)

+The tailored frontline app experience is controlled by the **Show tailored apps** org-wide app setting on the [Manage apps](/microsoftteams/manage-apps#manage-org-wide-app-settings) page of the Teams admin center. If the feature is on, all users in your organization who have an F license get the tailored app experience.

+This experience includes a default dashboard with relevant frontline cards such as Shifts, Planner, Approvals, and Top News that can be customized to fit the needs of your organization. If your organization already set up a Viva Connections home site, it takes precedence over the default experience.

+ [Learn more about Viva Connections](https://support.microsoft.com/office/access-and-use-the-viva-connections-app-in-microsoft-teams-8b4e7f76-f305-49a9-b6d2-09378476f95b).

+- [Manage the Planner app in Teams](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)

+- [Overview of Viva Connections](/viva/connections/viva-connections-overview)

+|Publish and track tasks for your workers so they know what needs to be done every day. |Planner |[Manage the Planner app](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json). |[Planner help & learning](https://support.microsoft.com/office/getting-started-with-planner-in-teams-7a5e58f1-2cee-41b0-a41d-55d512c4a59c)|

+|Check in on recurring responsibilities that happen on a regular basis or in-the-moment updates. |Updates | [Manage the Updates app](/microsoftteams/manage-updates-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json). | [Updates video training](https://support.microsoft.com/office/get-started-in-updates-c03a079e-e660-42dc-817b-ca4cfd602e5a) |

+- F plans [pin frontline worker apps](pin-teams-apps-based-on-license.md) like Walkie Talkie, Shifts, Planner, and Approvals by default in Microsoft Teams.

+**Key apps and capabilities:** Shifts, Walkie Talkie, Planner, Approvals, Praise, Lists, Updates, Viva Connections, Chat, Files

+Ensure that your workers can communicate, collaborate, and deliver great customer service with Teams apps like Shifts, Planner, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by using a team template. Learn more about [managing Teams apps](/microsoftteams/manage-apps).

+| Planner | Help employees know what they should focus on when not with customers by assigning tasks. Your corporate office can use [task publishing](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json#task-publishing) to send out tasks to locations and track progress across those locations. | [Manage the Planner app](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Planner](https://support.microsoft.com/office/getting-started-with-planner-in-teams-7a5e58f1-2cee-41b0-a41d-55d512c4a59c) |

+- Assign and keep track of tasks with the Planner app

+**Key apps:** Approvals, Shifts, Updates, Planner

+Ensure that your workers can communicate, collaborate, and deliver great products with apps like Shifts, Planner, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by using a team template. Learn more about [managing Teams apps](/microsoftteams/manage-apps).

+| Planner | Supervisors can assign tasks to let workers know what to focus on. Your organization's central office can use [task publishing](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json#task-publishing) to send out tasks to locations and track progress across those locations. | [Manage the Planner app](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Planner](https://support.microsoft.com/office/use-the-tasks-app-in-teams-e32639f3-2e07-4b62-9a8c-fd706c12c070) |

+|[](https://go.microsoft.com/fwlink/?linkid=2206476) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206476) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206271) <br>Updated April 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a retail setting.|

+**Key apps and capabilities:** Shifts, Walkie Talkie, Planner, Approvals, Praise, Lists, Updates, Viva Connections, Chat, Files

+**Key apps and capabilities:** Shifts, Walkie Talkie, Planner, Approvals, Praise, Lists, Updates, Viva Connections, Viva Engage, Chat, Files

+**Key apps:** Shifts, Planner, Lists, Approvals

+Ensure that your workers can communicate, collaborate, and deliver great customer service with apps like Shifts, Walkie Talkie, Planner, Lists, Praise, and more. You can determine which apps are available for your users by enabling them in the Teams admin center or by using a team template. Learn more about [managing Teams apps](/microsoftteams/manage-apps).

+| Planner | Help employees know what they should focus on when not with customers by assigning tasks. Operations can use [task publishing](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json#task-publishing) to send out tasks to locations and track progress across those locations. | [Manage the Planner app](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json) | [Use Planner](https://support.microsoft.com/office/getting-started-with-planner-in-teams-7a5e58f1-2cee-41b0-a41d-55d512c4a59c) |

+- The **Manage a Store** template includes channels for General, Shift Handoff, Store Readiness, and Learning, and apps such as Approvals, Lists, Shifts, Planner, and more.

+- The **Retail for Managers** template includes channels for General, Operations, and Learning, and apps such as Approvals, Planner, and more.

+|[](https://go.microsoft.com/fwlink/?linkid=2206475) <br/> [PDF](https://go.microsoft.com/fwlink/?linkid=2206475) \| [Visio](https://go.microsoft.com/fwlink/?linkid=2206474) <br>Updated April 2024 |This poster provides an overview of the scenarios you can implement for your frontline workforce in a healthcare setting.|

+### Track and monitor tasks with the Planner app

+Use [Planner](https://support.microsoft.com/office/getting-started-with-planner-in-teams-7a5e58f1-2cee-41b0-a41d-55d512c4a59c) in Teams to track to do items for your whole health team. Your health team can create, assign, and schedule tasks, categorize tasks, and update status at any time, from any device running Teams. IT pros and admins can also publish tasks to specific teams for your organization. For example, you could publish a set of tasks for new safety protocols or a new intake step to be used across a hospital.

+To learn more, see [Manage the Planner app for your organization in Microsoft Teams](/microsoftteams/manage-planner-app?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json).

+- Get help and training for your users on how to perform basic tasks in Teams on the [Teams help & learning site](https://support.microsoft.com/teams), including [quick training videos](https://support.microsoft.com/office/microsoft-teams-video-training-4f108e54-240b-4351-8084-b1089f0d21d7). This site also has help and training for the Teams apps, including [Virtual Appointments](https://support.microsoft.com/office/what-is-virtual-appointments-22df0079-e6d9-4225-bc65-22747fb2cb5f), [Lists](https://support.microsoft.com/office/get-started-with-lists-in-teams-c971e46b-b36c-491b-9c35-efeddd0297db), [Planner](https://support.microsoft.com/office/getting-started-with-planner-in-teams-7a5e58f1-2cee-41b0-a41d-55d512c4a59c), [Approvals](https://support.microsoft.com/office/what-is-approvals-a9a01c95-e0bf-4d20-9ada-f7be3fc283d3), and [Shifts](https://support.microsoft.com/office/what-is-shifts-f8efe6e4-ddb3-4d23-b81b-bb812296b821).

+|Cloud PC management | Windows 365 | Various types of data related to Cloud PC device and user management, such as: <ul><li>Metadata of Cloud PC devices, such as device name, device ID, device group, device status, and device configuration </li><li>Metadata of cloud PC users, such as username, user ID, user group, user role, and user assignment</li><li> Metadata of cloud PC connections, such as connection name, connection type, connection status, and connection details</li></ul> | Helps MSPs manage Cloud PC devices and users across customer tenants.<br><br>Helps MSPs measure and improve Cloud PC performance and user experience across customer tenants.|

+| Device management | Microsoft Intune | Various types of data related to device enrollment, device compliance, app protection, and device configuration, such as:<ul><li>Metadata of enrolled devices</li><li>Metadata of app protection policies</li><li>Metadata of device configuration profiles</li></ul> <br>Comparison of device compliance status and app protection policies with the baseline configuration | Helps MSPs manage devices across customer tenants.<br><br>Helps MSPs measure and improve device compliance and app protection across customer tenants.|

+| Device performance | Endpoint analytics |Metadata of device performance, such as device name, device ID, device group, startup performance score, restart frequency, sign-in duration, battery life, and app reliability<br><br>Metadata of device recommendations, such as name, type, impact, status, and details | Helps MSPs manage device performance across customer tenants.<br><br>Helps MSPs measure and improve device productivity and user experience across customer tenants. |

+| App management* (Preview) | Microsoft 365 Apps admin center | Metadata related to Microsoft 365 apps management, such as update channel, build and version number, and installed Microsoft 365 apps and add-ins.<br><br>Metadata of Office devices, such as OS, storage, RAM, system architecture (for example, 64-bit), last signed-in user, devices on an unsupported build, devices not on the latest build, and devices using cloud update. | Helps MSPs manage Microsoft 365 app health across customer tenants.<br><br>Helps MSPs measure and improve Office device productivity and Microsoft 365 app user experience across customer tenants. |

+| Email security | Microsoft Defender for Office 365 | Metadata of quarantined messages, such as sender, recipient, subject, date, reason for quarantine, and release status<br><br>Metadata of email threats, such as threat type, threat severity, and threat action | Helps MSPs manage quarantined messages across customer tenants.<br><br>Helps MSPs measure and improve email security and anti-phishing across customer tenants. |

+| Identity and access management | Microsoft Entra | Various types of data related to identity and access management, security and compliance, and device and user management, such as:<br><ul><li>User and tenant identity information</li><li>User and tenant license information</li><li>User and tenant security information</li><li>User MFA/SSPR information</li><li>Conditional access policies</li><li>Risky users</li><li>User and group information for assignment</li></ul><br>Comparison of Microsoft Entra data with the baseline configuration | Helps MSPs manage various aspects of Microsoft Entra across customer tenants.<br><br>Helps MSPs measure and improve identity and access management, security and compliance, and device and user management across customer tenants. |

+| Threat protection | Microsoft Defender for Business | Metadata of enrolled devices, such as device name, device type, and device ID<br><br>Metadata of threat and vulnerability information, such as threat name (for example, Trojan: Win32/Emotet), threat severity (for example, high), threat category (for example, malware), threat status (for example, active or resolved), threat action (for example, quarantine or allow), vulnerability name (for example, CVE-2021-1234), vulnerability severity (for example, critical), vulnerability category (for example, remote code execution), vulnerability exposure score (for example, 8.5 out of 10), and vulnerability remediation status (for example, pending or completed) | Helps MSPs monitor and protect devices from threats.<br><br>Helps MSPs measure and improve device security and vulnerability management across customer tenants. |

+\* This data category is in Preview, doesn't apply to everyone, and is subject to change.

+1. Add the key and value from the following table. Ensure that the **"DefenderMAMConfigs"** key is present in every policy that you create using Managed Apps route. For Managed Devices route, this key shouldn't exist. When you're done, click **Next**.

+ | `DefenderNetworkProtectionEnable` | Integer | 0 | 1 - Enable, 0 - Disable; This setting is used by IT admins to enable or disable the network protection capabilities in the defender app.|

+ |`DefenderAllowlistedCACertificates`| String | None | None-Disable; This setting is used by IT admins to establish trust for root CA and self-signed certificates.|

+ |`DefenderCertificateDetection`|Integer| 0 |2-Enable, 1 - Audit mode, 0 - Disable; When this feature is enabled with value as 2, end user notifications are sent to the user when Defender detects a bad certificate. Alerts are also sent to SOC Admins. In audit mode (1), notification alerts are sent to SOC admins, but no end user notifications are displayed to the user when Defender detects a bad certificate. Admins can disable this detection with 0 as the value and enable full feature functionality by setting 2 as the value. |

+ | `DefenderOpenNetworkDetection` | Integer | 0 |2-Enable, 1 - Audit mode, 0 - Disable; This setting is used by IT Admins to enable or disable open network detection. By default, the open network detection is disabled with value as 0 and defender does not send end user notifications or alerts to SOC admins in security portal. If switched to audit mode with value 1, notification alert is sent to SOC admin, but no end user notification is displayed to the user when defender detects an open network. If it's enabled with value 2, then end user notification is displayed and also alerts to SOC admins is sent.|

+ | `DefenderEndUserTrustFlowEnable` | Integer | 0 | 1 - Enable, 0 - Disable; This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks. |

+ | `DefenderNetworkProtectionAutoRemediation` | Integer | 1 | 1 - Enable, 0 - Disable; This setting is used by IT admins to enable or disable the remediation alerts that are sent when a user performs remediation activities like switching to safer Wi-Fi access points or deleting suspicious certificates detected by Defender. |

+ | `DefenderNetworkProtectionPrivacy` | Integer | 1 | 1 - Enable, 0 - Disable; This setting is used by IT admins to enable or disable privacy in network protection. If privacy is disabled with value 0, then user consent is shown to share the malicious wifi or certs data. If its in enabled state with value 1, then no user consent is shown and no app data is collected.|

+

+> Network protection feature will soon be enabled by default for all users. The update will be rolled out in a phased manner. As a result, users will be able to see Network Protection Card in the Defender app along with App Protection and Web Protection. Users are also required to provide **Local Network** permission. This permission is needed to enhance the existing rogue wifi detection. For more information, see [Network Protection](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-network-protection).

+- partner-contribution

+Conventional security defenses that have been commonly used to protect SAP systems such as isolating infrastructure behind firewalls and limiting interactive operating system logons are no longer considered sufficient to mitigate modern sophisticated threats. It's essential to deploy modern defenses to detect and contain threats in real-time. SAP applications unlike most other workloads require basic assessment and validation before deploying Microsoft Defender for Endpoint. The enterprise security administrators should contact the SAP Basis team prior to deploying Defender for Endpoint. The SAP Basis Team should be cross trained with a basic level of knowledge about Defender for Endpoint.

+- Microsoft Defender for Endpoint on Linux requires some crontab (or other task scheduler) entries to schedule scans, log rotation, and Microsoft Defender for Endpoint updates. Enterprise Security teams normally manage these entries. Refer to [How to schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-mde-linux.md).

+[How to schedule scans with Microsoft Defender for Endpoint (Linux)](linux-schedule-scan-mde.md)

+- SQL Server ΓÇô [Configure antivirus software to work with SQL Server - SQL Server](/troubleshoot/sql/database-engine/security/antivirus-and-sql-server)

+- [Set up exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)

+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)

+The following link details how to schedule a scan: [How to schedule scans with Microsoft Defender for Endpoint (Linux)](linux-schedule-scan-mde.md).

+- [Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Endpoint Manager](security-config-management.md)

+- [Microsoft Tech Community: Microsoft Defender for Endpoint Linux - Configuration and Operation Command List](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-defender-for-endpoint-linux-configuration-and/ba-p/1577902)

+- [Microsoft Tech Community: Deploying Microsoft Defender for Endpoint on Linux Servers](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/deploying-microsoft-defender-for-endpoint-on-linux-servers/ba-p/1560326)

+- [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux](linux-support-connectivity.md#run-the-connectivity-test)

+- [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md#troubleshoot-performance-issues-using-microsoft-defender-for-endpoint-client-analyzer)

+

+ Title: "Microsoft Defender Endpoint on Windows Server with SAP"

+description: Understand how Microsoft Defender for Endpoint with EDR and other advanced security capabilities interacts with SAP applications.

+ms.localizationpriority: normal

+- partner-contribution

+search.appverid: MET150

+f1.keywords: NOCSH

+audience: ITPro

+

+# Microsoft Defender for Endpoint on Windows Server with SAP

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+If your organization uses SAP, it's essential to understand the compatibility and support between [antivirus](microsoft-defender-antivirus-on-windows-server.md) and [EDR](overview-endpoint-detection-response.md) in Microsoft Defender for Endpoint and your SAP applications. This article helps you understand the support provided by SAP for endpoint protection security solutions like Defender for Endpoint and how they interact with SAP applications.

+This article applies to Microsoft Defender for Endpoint running on Windows Server with SAP applications such, as NetWeaver, S4 Hana, and SAP standalone engines, such as LiveCache. In this article, we focus on antivirus and EDR capabilities in Defender for Endpoint. For an overview of all of the Defender for Endpoint capabilities, see [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).

+This article doesn't cover SAP client software, such as SAPGUI or Microsoft Defender Antivirus on Windows client devices.

+## Enterprise security and your SAP Basis team

+Enterprise security is a specialist role and the activities described in this article should be planned as a joint activity between your enterprise security team and the SAP Basis team. The enterprise security team needs to coordinate with the SAP Basis team and jointly design the Defender for Endpoint configuration and analyze any exclusions.

+### Get an overview of Defender for Endpoint

+Defender for Endpoint is a component of [Microsoft Defender XDR](/microsoft-365/security/defender/), and can be integrated with your SIEM/SOAR solution.

+Before you begin to plan or deploy Defender for Endpoint on Windows Server with SAP, take a moment to get an overview of Defender for Endpoint. The following video provides an overview:

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4wDob]

+For more detailed information about Defender for Endpoint and Microsoft security offerings, see the following resources:

+- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)

+- [Microsoft Security documentation and training - Security documentation](/security/)

+Defender for Endpoint includes capabilities that are beyond the scope of this article. In this article, we focus on two main areas:

+- **Next-generation protection** (which includes antivirus protection). [Next-generation protection](/microsoft-365/security/defender-endpoint/next-generation-protection) is an antivirus product like other antivirus solutions for Windows environments.

+- **Endpoint Detection and Response** (EDR). [EDR capabilities](overview-endpoint-detection-response.md) detect suspicious activity and system calls, and provide an extra layer of protection against threats that bypassed antivirus protection.

+Microsoft and other security software vendors track threats and provide trend information. For information, see [Cyberthreats, viruses, and malware - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/threats).

+> [!NOTE]

+> For information on Microsoft Defender for SAP on Linux, see [Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](/microsoft-365/security/defender-endpoint/mde-linux-deployment-on-sap). Defender for Endpoint on Linux is significantly different than the Windows version.

+## SAP support statement on Defender for Endpoint and other security solutions

+SAP provides basic documentation for conventional file scan antivirus solutions. Conventional file scan antivirus solutions compare file signatures against a database of known threats. When an infected file is identified, the antivirus software typically alerts and quarantines the file. The mechanisms and behavior of file scan antivirus solutions are reasonably well known and are predictable; therefore, SAP support can provide a basic level of support for SAP applications interacting with file scan antivirus software.

+File based threats are now only one possible vector for malicious software. Fileless malware and malware that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional antivirus security solutions aren't sufficient to stop such attacks. Artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment are required. Security software such as Defender for Endpoint has advanced threat protection features to mitigate modern threats.

+Defender for Endpoint is continuously monitoring operating system calls, such as file read, file write, create socket, and other process level operations. The Defender for Endpoint EDR sensor acquires opportunistic locks on local NTFS files systems and is, therefore, unlikely to impact applications. Opportunistic locks aren't possible on remote network file systems. In rare cases, a lock could cause general nonspecific errors, such as *Access Denied* in SAP applications.

+SAP isn't able to provide any level of support for EDR/XDR software like [Microsoft Defender XDR](../defender/microsoft-365-defender.md) or [Defender for Endpoint](microsoft-defender-endpoint.md). The mechanisms in such solutions are adaptive; therefore, they're not predictable. Further, issues are potentially not reproducible. When problems are identified on systems running advanced security solutions, SAP recommends disabling the security software and then attempting to reproduce the problem. A support case can then be raised with the security software vendor.

+For more information about the SAP Support policy, see [3356389 - Antivirus or other security software affecting SAP operations](https://me.sap.com/notes/3356389).

+## Recommended SAP OSS Notes

+Here's a list of SAP articles you can use as needed:

+- [3356389 - Antivirus or other security software affecting SAP operations - SAP for Me](https://me.sap.com/notes/3356389)

+- [106267 - Virus scanner software on Windows - SAP for Me](https://me.sap.com/notes/106267)

+- [690449 - Transport buffer lock file (.LOB) remains blocked on Windows - SAP for Me](https://me.sap.com/notes/690449)

+- [2311946 - Filesystem errors on Windows - SAP for Me](https://me.sap.com/notes/2311946)

+- [2496239 - Ransomware / malware on Windows - SAP for Me](https://me.sap.com/notes/2496239)

+- [1497394 - Which files and directories should be excluded from an antivirus scan for SAP BusinessObjects Business Intelligence Platform products in Windows? - SAP for Me](https://me.sap.com/notes/1497394/E)

+## SAP applications on Windows Server: Top 10 recommendations

+1. **Limit access to SAP servers, block network ports, and take all other common security protection measures**. This first step is essential. The threat landscape has evolved from file-based viruses to file-less complex and sophisticated threats. Actions, such as **blocking ports and limiting logon/access** to VMs are **no longer considered sufficient** to fully mitigate modern threats.

+2. **Deploy Defender for Endpoint to nonproductive systems first before deploying to production systems**. Deploying Defender for Endpoint directly to production systems without testing is highly risky and can lead to downtime. If you can't delay deploying Defender for Endpoint to your production systems, consider temporarily disabling [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) and [real-time protection](configure-protection-features-microsoft-defender-antivirus.md).

+3. **Remember that real-time protection is enabled by default in Windows Server**. If problems are identified that might be related to Defender for Endpoint, it's recommended to [configure exclusions](defender-endpoint-antivirus-exclusions.md) and/or [open a support case](contact-support.md) via the Microsoft Defender portal.

+4. **Have the SAP Basis team and your security team work together on Defender for Endpoint deployment**. The two teams need to jointly create a phased deployment, testing, and monitoring plan.

+5. **Use tools like PerfMon (Windows) to create a performance baseline before deploying and activating Defender for Endpoint**. Compare the performance utilization before and after activating Defender for Endpoint. See [perfmon](/windows-server/administration/windows-commands/perfmon).

+6. **Deploy the latest version of Defender for Endpoint and use the latest releases of Windows**, ideally Windows Server 2019 or newer. See [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).

+7. **Configure certain exclusions for Microsoft Defender Antivirus**. These include:

+ - DBMS data files, log files, and temp files, including disks containing backup files

+ - The entire contents of the SAPMNT directory

+ - The entire contents of the SAPLOC directory

+ - The entire contents of the TRANS directory

+ - The entire contents of directories for standalone engines such as TREX

+

+ Advanced users can consider using [contextual file and folder exclusions](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md).

+

+ For more information about DBMS exclusions, use the following resources:

+ - **SQL Server**: [Configure antivirus software to work with SQL Server](/troubleshoot/sql/database-engine/security/antivirus-and-sql-server)

+ - **Oracle**: [How To Configure Anti-Virus On Oracle Database Server (Doc ID 782354.1)](https://support.oracle.com/knowledge/Oracle%20Database%20Products/782354_1.html)

+ - **DB2** ΓÇô [Which DB2 directories to exclude from Linux Anti-virus software](https://www.ibm.com/support/pages/which-db2-directories-exclude-linux-anti-virus-software) (use the same commands on Windows Server)

+ - **SAP ASE**: Contact SAP

+ - **MaxDB**: Contact SAP

+8. **Verify Defender for Endpoint settings**. Microsoft Defender Antivirus with SAP applications should have the following settings in most cases:

+ - `AntivirusEnabled : True`

+ - `AntivirusSignatureAge : 0`

+ - `BehaviorMonitorEnabled : True`

+ - `DefenderSignaturesOutOfDate : False`

+ - `IsTamperProtected : True`

+ - `RealTimeProtectionEnabled : True`

+9. **Use tools, such as [Intune](/mem/intune/protect/endpoint-security) or [Defender for Endpoint security settings management](/mem/intune/protect/mde-security-integration) to set up Defender for Endpoint**. Such tools can help ensure that Defender for Endpoint is configured correctly and uniformly deployed.

+ To use Defender for Endpoint security settings management, in the Microsoft Defender portal, go to **Endpoints** > **Configuration management** > **Endpoint security policies**, and then select **Create new Policy**. For more information, see [Manage endpoint security policies in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/manage-security-policies).

+10. **Use the latest release of Defender for Endpoint**. Several new features are being implemented in Defender for Endpoint on Windows, and these features were tested with SAP systems. These new features reduce blocking and lower CPU consumption. For more information about new features, see [What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-endpoint.md).

+## Deployment methodology

+SAP and Microsoft both don't recommend deploying Defender for Endpoint on Windows directly to all development, QAS, and production systems simultaneously, and/or without careful testing and monitoring. Customers who deployed Defender for Endpoint and other similar software in an uncontrolled manner without adequate testing experienced system downtime as a result.

+Defender for Endpoint on Windows and any other software or configuration change should be deployed into development systems first, validated in QAS, and only then deployed into production environments.

+Using tools, such as [Defender for Endpoint security settings management](/mem/intune/protect/mde-security-integration) to deploy Defender for Endpoint to an entire SAP landscape without testing is likely to cause downtime.

+Here's a list of what to check:

+1. **Deploy Defender for Endpoint with [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) enabled**. If issues arise, enable [troubleshooting mode](enable-troubleshooting-mode.md), disable [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md), disable [real-time protection](configure-protection-features-microsoft-defender-antivirus.md), and configure [scheduled scans](schedule-antivirus-scans.md).

+2. **Exclude DBMS files and executables** following your DBMS vendor recommendations.

+3. **Analyze SAPMNT, SAP TRANS_DIR, Spool, and Job Log directories**. If there are more than 100,000 files, consider archiving to reduce the number of files.

+4. **Confirm the performance limits and quotas of the shared file system used for SAPMNT**. The SMB share source could be a NetApp appliance, a Windows Server shared disk, or Azure Files SMB.

+5. **Configure exclusions so that all SAP application servers aren't scanning the SAPMNT share simultaneously**, as it could overload your shared storage server.

+6. **In general, host interface files on a dedicated non-SAP file server**. Interface files are recognized as an attack vector. Real-time protection should be activated on this dedicated file server. SAP Servers should never be used as file servers for interface files.

+ > [!NOTE]

+ > Some large SAP systems have more than 20 SAP application servers each with a connection to the same SAPMNT SMB share. 20 application servers simultaneously scanning the same SMB server may overload the SMB server. It is recommended to exclude SAPMNT from regular scans.

+>

+## Important configuration settings for Defender for Endpoint on Windows Server with SAP

+1. **Get an overview of [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)**. In particular, review information about [next-generation protection](next-generation-protection.md) and [EDR](overview-endpoint-detection-response.md).

+ > [!NOTE]

+ > The term *Defender* is sometimes used to refer to an entire suite of products and solutions. See [What is Microsoft Defender XDR?](/microsoft-365/security/defender/microsoft-365-defender). In this article, we focus on antivirus and EDR capabilities in Defender for Endpoint.

+

+2. **Check the status of Microsoft Defender Antivirus**. Open Command Prompt, and then run these PowerShell commands:

+ - `Get-MpComputerStatus`

+ - `Get-MpPreference`

+ The most significant settings for SAP are as follows:

+ ```powershell

+ Get-MpPreference |Select-Object -Property DisableCpuThrottleOnIdleScans, DisableRealtimeMonitoring, DisableScanningMappedNetworkDrivesForFullScan , DisableScanningNetworkFiles, ExclusionPath, MAPSReporting

+ Get-MpComputerStatus |Select-Object -Property AMRunningMode, AntivirusEnabled, BehaviorMonitorEnabled, IsTamperProtected , OnAccessProtectionEnabled, RealTimeProtectionEnabled

+ ```

+

+3. **Check the status of EDR**. Open Command Prompt, and then run the following command:

+ `PS C:\Windows\System32> Get-Service -Name sense | FL *`

+ You should see output that resembles the following code snippet:

+ ```powershell

+ Name : sense

+ RequiredServices : {}

+ CanPauseAndContinue : False

+ CanShutdown : False

+ CanStop : False

+ DisplayName : Windows Defender Advanced Threat Protection Service

+ DependentServices : {}

+ MachineName : .

+ ServiceName : sense

+ ServicesDependedOn : {}

+ ServiceHandle :

+ Status : Running

+ ServiceType : Win32OwnProcess

+ StartType : Automatic

+ Site :

+ Container :

+ ```

+ The values you want to see are `Status: Running` and `StartType: Automatic`.

+

+ For more information about the output, see [Review events and errors using Event Viewer](event-error-codes.md).

+4. **Make sure that Microsoft Defender Antivirus is up to date**. The best way to make sure your antivirus protection is up to date is by using Windows Update. If you encounter issues or get an error, contact your security team.

+ For more information about updates, see [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md).

+5. **Make sure [behavior monitoring](behavioral-blocking-containment.md) is turned on**. If tamper protection is enabled, behavior monitoring is turned on by default. Use the default configuration of tamper protection enabled, behavior monitoring enabled, and real-time monitoring enabled unless a specific problem is identified.

+ For more information, see [Built-in protection helps guard against ransomware](built-in-protection.md).

+6. **Make sure [real-time protection is enabled](configure-real-time-protection-microsoft-defender-antivirus.md)**. The current recommendation for Defender for Endpoint on Windows is to enable real-time scanning, with tamper protection enabled, behavior monitoring enabled, and real-time monitoring enabled, unless a specific problem is identified.

+ For more information, see [Built-in protection helps guard against ransomware](built-in-protection.md).

+7. **Keep in mind how scans work with network shares**. By default, the Microsoft Defender Antivirus component on Windows scans SMB shared network file systems (for example, a Windows server share `\\server\smb-share` or a NetApp share) when these files are accessed by processes.

+ [Defender for Endpoint EDR](overview-endpoint-detection-response.md) on Windows might scan SMB shared network file systems. The EDR sensor scans certain files that are identified as interesting for EDR analysis during file modification, delete, and move operations.

+ Defender for Endpoint on Linux doesn't scan NFS file systems during [scheduled scans](linux-schedule-scan-mde.md).

+8. **Troubleshoot sense health or reliability issues**. To troubleshoot such issues, use the [Defender for Endpoint Client Analyzer tool](overview-client-analyzer.md). The Defender for Endpoint Client Analyzer can be useful when diagnosing sensor health or reliability issues on onboarded devices running either Windows, Linux, or macOS. Get the latest version of the Defender for Endpoint Client Analyzer here: [https://aka.ms/MDEAnalyzer](https://aka.ms/MDEAnalyzer).

+9. **Open a support case** if you need help. See [Contact Microsoft Defender for Endpoint support](contact-support.md).

+10. **If you're using production SAP VMs with [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), keep in mind that Defender for Cloud deploys the Defender for Endpoint extension to all VMs**. If a VM isn't onboarded to Defender for Endpoint, it could be used as an attack vector. If you need more time to test Defender for Endpoint before deplying to your production environment, [contact support](contact-support.md).

+## Useful Commands: Microsoft Defender for Endpoint with SAP on Windows Server

+The following sections describe how to confirm or configure Defender for Endpoint settings by using PowerShell and Command Prompt:

+### Update Microsoft Defender Antivirus definitions manually

+Use Windows Update, or run the following command:

+`PS C:\Program Files\Windows Defender> .\MpCmdRun.exe -SignatureUpdate`

+You should see an output that resembles the following code snippet:

+```properties

+Signature update started . . .

+Service Version: 4.18.23050.9

+Engine Version: 1.1.23060.1005

+AntiSpyware Signature Version: 1.393.925.0

+Antivirus Signature Version: 1.393.925.0

+Signature update finished.

+PS C:\Program Files\Windows Defender>

+```

+Another option is to use this command:

+`PS C:\Program Files\Windows Defender> Update-MpSignature`

+For more information about these commands, see the following resources:

+- [MpCmdRun.exe](command-line-arguments-microsoft-defender-antivirus.md)

+- [Update-MpSignature](/powershell/module/defender/update-mpsignature?view=windowsserver2022-ps&preserve-view=true)

+### Determine whether EDR in block mode is turned on

+[EDR in block mode](edr-in-block-mode.md) provides added protection from malicious artifacts when Microsoft Defender Antivirus isn't the primary antivirus product and is running in passive mode. You can determine whether EDR in block mode is enabled by running the following command:

+`Get-MPComputerStatus|select AMRunningMode`

+There are two modes: Normal and Passive Mode. Testing with SAP systems was done only with `AMRunningMode = Normal` for SAP systems.

+For more information about this command, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps&preserve-view=true).

+### Configure antivirus exclusions

+Before you configure exclusions, make sure that the SAP Basis team coordinates with your security team. Exclusions should be configured centrally and not at the VM level. Exclusions such as the shared SAPMNT file system should be excluded via a policy using the Intune admin tool.

+To view exclusions, use the following command:

+`Get-MpPreference | Select-Object -Property ExclusionPath`

+For more information about this command, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps&preserve-view=true).

+For more information about exclusions, see the following resources:

+- [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)

+- [Configure custom exclusions for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md)

+- [Contextual file and folder exclusions](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md)

+### Configure EDR exclusions

+It isn't recommended to exclude files, paths, or processes from EDR as such exclusions comprise the protection from modern nonfile based threats. If necessary, open a support case with Microsoft Support via the Microsoft Defender portal specifying executables and/or paths to exclude. See [Contact Microsoft Defender for Endpoint support](contact-support.md).

+### Completely disable Defender for Endpoint on Windows for testing purposes

+> [!CAUTION]

+> It is not recommended to disable security software unless there is no alternative to solve or isolate a problem.

+Defender for Endpoint should be configured with [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) turned on. To temporarily disable Defender for Endpoint to isolate problems, it's recommended to use [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode).

+To shut down various subcomponents of the Microsoft Defender Antivirus solution, run the following commands:

+```powershell

+Set-MPPreference -DisableTamperProtection $true

+Set-MpPreference -DisableRealtimeMonitoring $true

+Set-MpPreference -DisableBehaviorMonitoring $true

+Set-MpPreference -MAPSReporting Disabled

+Set-MpPreference -DisableIOAVProtection $true

+Set-MpPreference -EnableNetworkProtection Disabled

+```

+For more information about these commands, see [Set-MpPreference](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true).

+> [!IMPORTANT]

+> You can't turn off EDR subcomponents on a device. The only way to turn off EDR is to [offboard the device](configure-endpoints-script.md#offboard-devices-using-a-local-script).

+To turn off [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) (Microsoft Advanced Protection Service, or MAPS), run the following commands:

+```powershell

+PowerShell Set-MpPreference -MAPSReporting 0ΓÇï

+PowerShell Set-MpPreference -MAPSReporting DisabledΓÇï

+```

+For more information about cloud-delivered protection, see the following resources:

+- [Cloud protection and Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md)

+- [Cloud protection and sample submission at Microsoft Defender Antivirus](cloud-protection-microsoft-antivirus-sample-submission.md) (if you're considering whether to use automatic sample submission with your security policies)

+## Related articles

+- [Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](mde-linux-deployment-on-sap.md)

+- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md)

+- [Overview of endpoint detection and response](overview-endpoint-detection-response.md)

+To learn more about the Microsoft Defender Core service, please visit [Microsoft Defender Core service overview](/microsoft-365/security/defender-endpoint/microsoft-defender-core-service-overview).

+- [Microsoft Defender Core service overview](microsoft-defender-core-service-overview.md) is generally available for consumer devices and is coming soon for business customers.

+ - **Microsoft Defender for Endpoint Linux client version**: 101.78.13 -insiderFast(Preview)

+

+The following example shows the sequence of commands needed to the mdatp package on ubuntu 20.04 for insiders-Fast channel.

+curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/20.04/insiders-fast.list

+sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list

+- [Microsoft Defender Core service overview](microsoft-defender-core-service-overview.md) is now available for consumers and is planned to begin rolling out to enterprise customers in early 2024.

+|**Data Governance**|Grants access to data governance roles within Microsoft Purview.|Data Governance Administrator|

+## Roles in Microsoft Defender for Office 365 and Microsoft Purview

+|**Data Governance Administrator**|Delegates the first level of access for business domain creators and other application-level permissions.|Data Governance|

+ - **It appears suspicious**: Select this value only when you don't know or you're unsure of the message verdict and you would like to get a verdict from Microsoft. Select **Submit**, and then go to Step 6.

+ - **I've confirmed it's a threat**: In all other cases, select this value after you've already determined the message verdict as malicious. Select one of the following values in the **Choose a category** section that appears:

+ - **It appears clean**: Select this value only when you don't know or you're unsure of the message verdict and you would like to get a verdict from Microsoft. Select **Submit**, and then go to Step 6.

+ - **I've confirmed it's clean**: In all other cases, select this value after you've already determined the message verdict as clean. Select **Next**.

+To optimize access to Microsoft 365 cloud resources, configure your split tunneling VPN clients to exclude traffic to the **Optimize** category Microsoft 365 endpoints over the VPN connection. For more information, see [Office 365 endpoint categories](../enterprise/microsoft-365-network-connectivity-principles.md#optimizing-connectivity-to-microsoft-365-services). See [this list](../enterprise/urls-and-ip-address-ranges.md) of Optimize category endpoints.

+

+Forcing a TLS connection, or 32 of them, to go over a VPN before they then go to the service doesn't add security. It does add latency and reduces overall throughput. In some VPN solutions, it even forces UDP to tunnel through TCP, which again will have a very negative impact on streaming traffic. And, unless you're doing TLS inspection, there's no upside, all downside. A very common theme among customers, now that most of their workforce is remote, is that they're seeing significant bandwidth and performance impacts from making all their users connect using a VPN, instead of configuring split tunneling for access to [Optimize category Office 365 endpoints](../enterprise/microsoft-365-network-connectivity-principles.md#optimizing-connectivity-to-microsoft-365-services).

+Other times, hardware that was sized and purchased before the organization started to move to the cloud simply can't be scaled up to handle the new traffic patterns and loads. If you truly must route all traffic through a single egress point, and/or proxy it, be prepared to upgrade network equipment and bandwidth accordingly. Carefully monitor utilization on both, as the experience won't diminish slowly as more users onboard. Everything is fine until the tipping point is reached, then everyone suffers.

+If you're going to permit split tunneling but also use a proxy for general web traffic, make sure your PAC file defines what must go direct as well as how you define interesting traffic for what goes through the VPN tunnel. We offer sample PAC files at [https://aka.ms/ipaddrs](../enterprise/urls-and-ip-address-ranges.md) that makes this easier to manage.

+To optimize access to Microsoft 365 cloud resources, configure your split tunneling VPN clients to exclude traffic to the **Optimize** category Microsoft 365 endpoints over the VPN connection. For more information, see [Office 365 endpoint categories](../enterprise/microsoft-365-network-connectivity-principles.md#optimizing-connectivity-to-microsoft-365-services) and [the lists](../enterprise/microsoft-365-vpn-implement-split-tunnel.md#implement-vpn-split-tunneling) of Optimize category endpoints for split tunneling.