Updates from: 04/22/2021 03:32:05
Category Microsoft Docs article Related commit history on GitHub Change details
admin Office 365 Groups Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/office-365-groups-ww.md
You can also export the report data into an Excel .csv file by selecting the **E
|Messages in Yammer (liked) <br/> |The number of messages liked in the Yammer group over the reporting period. <br/> | |Members <br/> |The number of members in the group. <br/> | |External members |The number of external users in the group.|
-|||
+|||
+
+## Related content
+
+[Microsoft 365 Reports in the admin center](activity-reports.md) (article)
+[Reports in the Security & Compliance Center](../../compliance/reports-in-security-and-compliance.md) (article)
+[Microsoft 365 Reports in the admin center - Active Users](../../admin/activity-reports/active-users-ww.md) (article)
+
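Review bot: the third Related content link, `../../admin/activity-reports/active-users-ww.md`, climbs two directories only to return to the folder this file already lives in; `active-users-ww.md` is the equivalent and more robust relative path. The first and second links resolve correctly from `admin/activity-reports/`. The `-|||` / `+|||` pair above is a whitespace-only change (identical content), and the trailing `+` blank line adds an empty line at end of file; both can be dropped to keep the diff minimal.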
admin Office 365 Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/office-365-groups.md
You can get a view into groups activity by looking at the **Groups**, **Activity
|10, <br/> |Select or tap **More Actions** button ![Mobile OWA More Actions](../../media/80044eef-2368-4c7e-8d31-7155b029e0cf.png) next to a column heading to add or remove columns from the report. <br/> ![Groups report - choose columns](../../media/d7fb95d6-2a2e-4144-b80d-581223e48043.png)| |11, <br/> |You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis. If you have less than 2000 users, you can sort and filter within the table in the report itself. If you have more than 2000 users, in order to filter and sort, you will need to export the data. <br/> | |||
-
++
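Review bot: this hunk removes an empty line and adds a line whose content is a single `+`; if a blank line was intended, the stray `+` would render as literal text directly after the table in step 11. Verify the added line is actually empty in the source before merging.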
admin Business Assist https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/business-assist.md
Only organizations that are eligible will see the option to buy Business Assist.
2. Select **Details** on the **Small Business Assist for Microsoft 365** and complete your purchase. > [!div class="nextstepaction"] > [Buy now](https://go.microsoft.com/fwlink/p/?linkid=2158423)
admin Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/multi-tenant/manage.md
description: "Learn how to use the tenant switcher and about the multi-tenant vi
# Multi-tenant management
-Multi-tenant management offers a unified form of management that allows admins the ability to administer all the tenants they manage from a single location. If you manage multiple tenants, you can:
+Multi-tenant management offers a unified form of management that allows Microsoft 365 partner admins the ability to administer all the tenants they manage from a single location. If you're a partner who manages multiple tenants, you can:
- Move quickly between tenants you manage. - Assess service health, products, and billing across multiple tenants. - On the **All tenants** page, you can quickly see the health of all your tenants' services, any open service requests, your products and billing, and the number of users in that tenant. - ## Move between tenants 1. In the Microsoft 365 admin center, select the org name.
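Review bot: the rewrite narrows the audience from "admins" to "Microsoft 365 partner admins", but the same sentence still appears as unchanged context further down with the original "allows admins" wording; if that is a second occurrence (or the page's description metadata), it needs the same update so the scoping is consistent throughout the article.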
Multi-tenant management offers a unified form of management that allows admins t
- Search for, or select the tenant you want to manage - You can also pin your most often visited tenant to the top of the list. - If you've marked a tenant as a favorite, it's automatically expanded so you can immediately view the status details. ## View service health for all accounts
The service health view shows you if any incidents or advisories are affecting t
1. In the Microsoft 365 admin center, in the multi-tenant view, select **Service Health**. 2. On the **Service health** page aggregated view, you can also see the total number of incidents, the total number of advisories affecting any of the managed tenants, and the number of services with active incidents. You can also see how many of your tenants are affected by incidents and advisories.
-
+ - You can use the filter option to view issues by issue type or by service - You can review issues under **All services** or **All issues** tabs.
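Review bot: the two added bullets are run together on one line and the first ends without a period ("by issue type or by service - You can review"); each should sit on its own `-` line, indented under step 2 as the leading space suggests, and "by service" should close with a period so the list renders as two items rather than one sentence with a dash in it.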
admin Buy Or Try Subscriptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/buy-or-try-subscriptions.md
- Title: "Buy or try subscriptions for Office 365 operated by 21Vianet"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management-- Adm_O365-- Adm_NonTOC-- commerce--- MET150-- GEA150
-description: "Learn how to try an Office 365 subscription or buy it right away, add subscriptions, or get add-ons to an existing Office 365 account operated by 21Vianet in China."
-monikerRange: 'o365-21vianet'
--
-# Buy or try subscriptions for Office 365 operated by 21Vianet
-
-> [!NOTE]
-> This article applies to Office 365 operated by 21Vianet in China.
-
-## Buy or try Office 365
-
-You can buy a subscription right away, or you can try Office 365 for up to 30 days. If you like it, you can buy your trial subscription and keep the domain, data, and configuration you set up in your trial.
-
-1. Go to [Compare Office 365 for business plans](https://go.microsoft.com/fwlink/p/?linkid=393691&amp;clcid=0x409) and select the name of the plan you want to buy. Then, select **Buy now**.
-
-2. Create an account by filling out the **Just a few details** page.
-
-3. Follow the instructions to set up your 30-day trial or to complete your purchase.
-
-## Buy your trial subscription
-
-1. [Sign in to Office 365](https://go.microsoft.com/fwlink/p/?linkid=513813) with your work or school account.
-
-2. If you're not already on the start page, select **Office 365** in the top-left hand corner.
-
- ![Button to navigate to the Office 365 Start Page](../../media/2fc597ab-ae33-4e5a-aec1-e60e48beac62.png)
-
-3. At the top right-hand corner of the page, under the navigation bar, select **Purchase**.
-
- ![Button to purchase your Office 365 trial](../../media/73fba4ad-6879-460b-8ef1-f2efb2ee4104.png)
-
-4. On the **Purchase subscriptions** page, you'll see the different plans that you can buy. The plan that you've been trying is identified by the **In Trial** banner.
-
- > [!IMPORTANT]
- > If you purchase a different plan from your trial plan, you have to reassign your licenses from your trial plan to your new plan (before your 90-day grace period ends after your trial plan expires) in order to retain your data, accounts, and configuration. Otherwise, you will lose your data, accounts, and configuration.
-
-5. Select the subscription that you want to purchase and then select **Buy now**.
-
-6. Follow the steps to check out.
-
-## Add subscriptions or add-ons to an existing Office 365 account
-
-1. In the [admin center](https://go.microsoft.com/fwlink/p/?linkid=850627), go to the **Billing** \> **Purchase services** page.
-
-2. Select the service(s) that you'd like to purchase, select **Buy**, and then select **Check out now**.
-
-3. Follow the instructions to complete your purchase.
-
-## Payment options
-
-You can pay for your subscription by:
--- Invoice--- Online payment using Alipay or China UnionPay-
-Proof of payment will be provided in the form of Fapiaos. You can submit your Fapiao request to our [Fapiao system](https://go.microsoft.com/fwlink/p/?LinkId=395314) about three (3) days after you have paid. For more information, see [Apply for a Fapiao for Office 365 operated by 21Vianet](apply-for-a-fapiao.md).
-
-> [!NOTE]
-> International credit cards are not accepted.
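Review bot: deleting `buy-or-try-subscriptions.md` outright needs a redirect entry (to the worldwide buy/try article, or wherever the 21Vianet guidance now lives) and a TOC update; the hunk shows neither. The page also links to `apply-for-a-fapiao.md`, which likely links back, so that article and any others in `services-in-china/` should be checked for dangling links to this file.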
admin View Your Bill Or Get A Fapiao https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/view-your-bill-or-get-a-fapiao.md
- Title: "View your bill or get a Fapiao in Office 365 operated by 21Vianet"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management -- Adm_O365-- Adm_NonTOC-- commerce--- MET150-- GEA150
-description: "View your billing statement or invoice about your Office 365 operated by 21Vianet in China."
-monikerRange: 'o365-21vianet'
--
-# View your bill or get a Fapiao in Office 365 operated by 21Vianet
-
-You can view your billing statement or invoice for information about your Office 365 operated by 21Vianet subscription charges. You can also obtain a Fapiao (your final proof of purchase). You can submit your Fapiao request to our [Fapiao management system](https://go.microsoft.com/fwlink/p/?linkid=837465) about three days after you have paid.
-
-## Find your billing statement or request a Fapiao
-
-1. In the [admin center](https://go.microsoft.com/fwlink/p/?linkid=850627), go to the **Billing** \> **Bills & payments** page.
-
-2. Find the invoice you want, select to view, or choose to download the PDF.
-
- - To request a Fapiao, select **Get Fapiaos**.
-
- > [!NOTE]
- > You need a registered account to access the [fapiao management system](https://go.microsoft.com/fwlink/p/?linkid=837465). If you haven't already set up an account, see [Apply for a Fapiao for Office 365 operated by 21Vianet](apply-for-a-fapiao.md).
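Review bot: this page was scoped with `monikerRange: 'o365-21vianet'`, and the Fapiao steps being removed here reappear later in this batch as a new "Request a Fapiao" section in the commerce `view-your-bill-or-invoice.md` hunk without any moniker zone around them; confirm that section is wrapped in a 21Vianet moniker zone so worldwide tenants do not see Fapiao instructions. A redirect from this path to the new section is also needed.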
admin Enable Usage Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/usage-analytics/enable-usage-analytics.md
To enable the template app, you have to be a **Global administrator**.
See [about admin roles](../add-users/about-admin-roles.md) for more information.
-1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page.
+1. In the admin center, go to the **Settings** \> **Org settings** \> **Services** tab.
-2. On the **Usage** page, locate the **Microsoft 365 usage analytics** card, and select **Get started**.
+2. On the **Services** tab, select **Reports**.
-3. On the Reports panel that opens, set **Make data available to Microsoft 365 usage analytics for Power BI** to **On** \> **Save**.
+3. On the Reports panel that opens, set **Make report data available to Microsoft 365 usage analytics for Power BI** to **On** \> **Save**.
The data collection process will complete in two to 48 hours depending on the size of your tenant. The **Go to Power BI** button will be enabled (no longer gray) when data collection is complete.
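Review bot: the old step 1 carried a direct link to the target page (the fwlink to Usage); the replacement step 1 that routes through **Settings** > **Org settings** > **Services** has no link at all. Consider linking **Org settings** the same way so the procedure keeps a one-click entry point.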
To make the data that is collected for all reports anonymous, you have to be a g
2. Select **Reports**, and then choose to **Display anonymous identifiers**. This setting gets applied both to the usage reports as well as to the template app.
-3. Select **Save changes**.
+3. Select **Save changes**.
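Review bot: the `-3. Select **Save changes**.` / `+3. Select **Save changes**.` pair is a whitespace-only change (the two lines are identical as shown); revert it so the diff records only the substantive edits above.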
business-video Overview Online Meetings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/overview-online-meetings.md
They'll need to download the [free version](https://support.microsoft.com/office
If you frequently collaborate closely on projects with a client, customer, or partner, consider so [creating a team for your clients](https://support.microsoft.com/office/11fbb083-52ee-434d-8c6e-63711fdafac7) you can easily invite them to meetings and also have conversations, share files, and track projects all in Microsoft Teams.
-Download an infographic to get a quick overview of how to join or host an online meeting with Microsoft Teams.
+Download an infographic to get a quick overview of how to join or host an online meeting with Microsoft Teams:
-Download an infographic to get a quick overview of how to join or host an online meeting with Microsoft Teams. [PDF](https://go.microsoft.com/fwlink/?linkid=2078712) | [PowerPoint](https://go.microsoft.com/fwlink/?linkid=2079515)
+[PDF](https://go.microsoft.com/fwlink/?linkid=2078712) | [PowerPoint](https://go.microsoft.com/fwlink/?linkid=2079515)
## 1. Schedule a meeting
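Review bot: the duplicated "Download an infographic" sentence is correctly collapsed into one line plus the link line. While touching this paragraph, the unchanged context sentence above reads "consider so [creating a team for your clients] you can easily invite them"; the "so" belongs after the link ("consider [creating a team ...] so you can ..."), which is worth fixing in the same change.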
business Manage Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/manage-windows-devices.md
If you do not see the policy **Enable automatic MDM enrollment using default Azu
- If you plan to use a central policy store for your entire domain, add the contents of PolicyDefinitions there. 6. In case you have several Domain Controllers, wait for SYSVOL to replicate for the policies to be available. This procedure will work for any future version of the Administrative Templates as well.
-At this point you should be able to see the policy **Enable automatic MDM enrollment using default Azure AD credentials** available.
+At this point you should be able to see the policy **Enable automatic MDM enrollment using default Azure AD credentials** available.
+
+## Related content
+
+[Synchronize domain users to Microsoft 365](manage-domain-users.md) (article)
+[Create a group in the admin center](../admin/create-groups/create-groups.md) (article)
+[Tutorial: Configure hybrid Azure Active Directory join for managed domains](/azure/active-directory/devices/hybrid-azuread-join-managed-domains.md) (article)
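Review bot: the Azure AD tutorial link `/azure/active-directory/devices/hybrid-azuread-join-managed-domains.md` is a site-absolute cross-docset path and should not carry the `.md` extension; drop it so the link resolves on the published site. The `-At this point` / `+At this point` pair is a whitespace-only change that can be reverted.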
commerce View Your Bill Or Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/view-your-bill-or-invoice.md
You must be a Global or Billing admin to do the steps described in this article.
3. On the summary page, you can see the items, quantity, price, discount, and total for all items in the invoice. 4. To print or save a PDF copy of the invoice, select **Download PDF**. +
+## Request a Fapiao
+
+You can submit your Fapiao request to our [Fapiao management system](https://go.microsoft.com/fwlink/p/?linkid=837465) about three (3) days after you have paid.
+
+1. In the <a href=ΓÇ¥https://go.microsoft.com/fwlink/p/?linkid=850627ΓÇ¥ target=ΓÇ¥_blankΓÇ¥>admin center</a>, go to the **Billing** > **Bills & payments** page.
+
+2. Find the invoice that you want, and then select **Get Fapiaos**.
+
+> [!NOTE]
+
+> You need a registered account to access the [Fapiao management system](https://go.microsoft.com/fwlink/p/?linkid=837465). If you haven't already set up an account, see [Apply for a Fapiao for Office 365 operated by 21Vianet](../../admin/services-in-chin).
++ ## Receive a copy of your billing statement in email You can choose to receive a copy of your billing statement as an email attachment. If you do, be aware that:
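Review bot: the `<a href=ΓÇ¥https://...ΓÇ¥ target=ΓÇ¥_blankΓÇ¥>` in step 1 uses mis-encoded curly quotes instead of straight ASCII quotes, so the attribute values will not parse and the link will be broken; replace them with `"`. Three further problems in the same hunk: the blank line between `> [!NOTE]` and `> You need a registered account` splits the note into two blockquotes; the link target `../../admin/services-in-chin)` is truncated and will not resolve; and the final line runs `## Receive a copy of your billing statement in email` together with the paragraph that follows it, so the heading needs its own line.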
commerce Switch Plans Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/switch-plans-manually.md
- Title: "Switch Microsoft 365 for business plans manually"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management -- Adm_O365-- Adm_NonTOC-- commerce--- BCS160-- MET150-- MOE150-- BEA160-
-description: "Switch Microsoft 365 for business subscriptions manually by buying a new subscription and ensuring that both the subscriptions are listed and active."
--
-# Switch Microsoft 365 for business plans manually
-
-> [!NOTE]
-> This article applies to the old admin center. To view the article about the new admin center, see [Change plans manually](change-plans-manually.md). The new admin center is available to all Microsoft 365 admins, and you can opt in by selecting the **Try the new admin center** toggle located at the top of the Home page. For more information, see [About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md).
-
-## Step 1: Decide how to switch plans
-
-The best way to switch all your users from one plan to another is to use the [Use the Switch plans button](switch-to-a-different-plan.md#use-the-switch-plans-button). Sometimes this isn't possible. Do a manual switch instead:
-
-- If the **Switch plans** button isn't there.--- If, when you select the **Switch plans** button, the plan you want isn't listed.--- If you don't want to switch all your users in the same way. Some businesses need different users subscribed to different plans. Use a manual switch for this.-
-To continue with a manual switch, read [Step 2: Buy a new subscription](#step-2-buy-a-new-subscription) in this topic.
-
-## Step 2: Buy a new subscription
-
- **Already purchased?** If you already have a subscription you want to move users to, skip this step and go to [Step 3: Check your new subscription and licenses](#step-3-check-your-new-subscription-and-licenses) in this topic.
-
-- OR -
-
- **Purchase a new subscription and licenses:** Follow the steps in [Buy another Microsoft 365 for business subscription](../try-or-buy-microsoft-365.md) to buy a new subscription.
-
-Make sure you purchase a subscription for the same organization that the users are in now. For example, check the email addresses for the users you want to move. If their email addresses include @contoso.com, you must purchase a new subscription for contoso.com. Include a license for each user that you want to move.
-
- **If you need help choosing a plan**, see the [Microsoft 365 for business product comparison](https://go.microsoft.com/fwlink/p/?linkid=842056) page, or [call support](../../admin/contact-support-for-business-products.md).
-
-## Step 3: Check your new subscription and licenses
--
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Subscriptions</a> page.
---
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
---
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
--
-2. **Verify that both subscriptions are listed and active**
-
- The subscription that you're moving users from and the subscription that you're moving users to must be listed together. If the new subscription isn't there when you first check, try again later. Check that both subscriptions are listed under **ACTIVE**. [The new subscription isn't listed, or isn't active](#the-new-subscription-isnt-listed-or-isnt-active).
-
-3. **Check that you have enough licenses for each user**
-
- Each user needs a license that matches their subscription. So if you want to move ten users to Microsoft 365 Business Premium, you'll need to make sure ten licenses are available.
-
-4. **Need more licenses for the new subscription?** Go to the **Subscriptions** page and [Buy licenses for your Microsoft 365 for business subscription](../licenses/buy-licenses.md).
-
- [What about the old licenses?](#what-about-the-old-licenses)
-
-### The new subscription isn't listed, or isn't active
--- **If you purchased a subscription by invoice** and a credit check is required, it can take up to two working days before the subscription is available.--- **If you purchased two subscriptions and they are not both listed here**, they may have been purchased for different organizations (for different domains). Subscriptions can't cross organization boundaries.--- **If you know you have an additional subscription**, and it's not listed here, or not listed under **ACTIVE**, [call support](../../admin/contact-support-for-business-products.md).-
-### What about the old licenses?
-
-The licenses for the current subscription will be removed later; you'll only pay for the new user licenses from then on.
-
-## Step 4: Reassign licenses
-
-### Reassign a license for one user
--
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
---
-1. In the admin center, go to the **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
---
-1. In the admin center, go to the **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
--
-2. On the **Active users** page, select the box next to the name of the user who you want to assign a license to.
-
-3. On the right, in the **Product licenses** row, select **Edit**.
-
-4. In the **Product licenses** pane, switch the toggle to the **On** position for the license you want to assign to this user. By default, all services associated with that license are automatically assigned to the user.
-
- > [!TIP]
- > To limit which services are available to the user, switch the toggles to the **Off** position for the services that you want to remove for that user. For example, if you want the user to have access to all available services except Skype for Business Online, you can switch the toggle for the Skype for Business Online service to the **Off** position.
-
-5. Switch the toggle to the **Off** position for licenses that this user no longer needs.
-
-6. At the bottom of the **Product licenses** pane, select **Assign** \> **Close** \> **Close**.
-
-### Reassign licenses for multiple users at once
--
-1. In the Admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
--
-2. Select the boxes next to the names of the users who you want to replace existing licenses for.
-
-3. In the **Bulk actions** pane, choose **Edit product licenses**.
-
-4. In the **Assign products** pane, select **Replace existing product license assignments** \> **Next**.
-
-5. Switch the toggle to the **On** position for the products you want to assign to these users.
-
- > [!TIP]
- > - To limit which services are available to the user, switch to toggles to the **Off** position for the services that you want to remove for that user. For example, if you want the user to have access to all available services except Skype for Business Online, you can switch the toggle for the Skype for Business Online service to the **Off** position.
- > - Any previous license assignments for the selected users will be removed.
-
-6. At the bottom of the **Replace existing products** pane, select **Replace** \> **Close**.
-
-## Step 5: Cancel subscriptions or remove licenses that you no longer need (Optional)
-
-If you moved all users from one subscription to another, and you no longer need the original subscription, you can [cancel the subscription](cancel-your-subscription.md).
-
-If you moved only some users to a different subscription, [remove licenses](../licenses/buy-licenses.md) that you no longer need.
-
-## Call support to help you switch plans
-
-[Call support](../../admin/contact-support-for-business-products.md)
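Review bot: the file's own note points readers to `change-plans-manually.md`, so the deletion should ship with a redirect to that article; nothing in the hunk adds one. The deleted page was also the target of "switch plans manually" links from `switch-to-a-different-plan.md` and `why-can-t-i-switch-plans.md` (both removed in this batch) and from `upgrade-to-different-plan.md`; grep for `switch-plans-manually.md` across the repo before merging.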
commerce Switch To A Different Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/switch-to-a-different-plan.md
- Title: "Switch to a different Microsoft 365 for business plan"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management-- Adm_O365-- Adm_TOC-- commerce--- SaRA-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150-- BEA160-- GEA150
-description: "Learn how to switch to a new Microsoft 365 for business subscription."
--
-# Switch to a different Microsoft 365 for business plan
-
-When your business changes, or you need more features, you can switch plans.
-
-The easiest way to switch plans is to use the **Switch plans** button in the admin center. However, using the **Switch plans** button isn't supported in all situations. In some cases, you might be able to switch plans manually.
--
-**Need something else?**
-- [Cancel your subscription](cancel-your-subscription.md)-- [Upgrade Microsoft 365 Family to a business subscription](https://support.microsoft.com/office/9322ffb8-a35d-4407-8ebe-ed6ea0859b9f.aspx)-- [Call Microsoft Support](../../admin/contact-support-for-business-products.md)-
-## Use the Switch plans button
-
-When you use the **Switch plans** button, you're led through the process of buying a new plan that you can switch your current plan to, all users are automatically assigned licenses in the new plan, and your old plan is canceled for you.
--
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Subscriptions</a> page.
---
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
---
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
--
-2. Select **Switch plans** to view the list of new plans that are available.
-
- [The Switch plans button isn't there](#the-switch-plans-button-isnt-there) | [I don't see the plan I want](#i-dont-see-the-plan-i-want)
-
-3. Select a plan to see the new total cost per month. Be sure to read the **key information**, then select **Next** to check out.
-
- [Help me choose a new plan](https://go.microsoft.com/fwlink/p/?linkid=842056).
-
-4. Select **Chat now** on the **Checkout** page if you need help.
-
- When you finish checkout, Microsoft 365 takes a few minutes to finalize the switch. You can start using your new subscription right away.
-
-## The Switch plans button isn't there
-
-If the **Switch plans** button isn't available, you can try to [switch plans manually](switch-plans-manually.md) or [call Support](../../admin/contact-support-for-business-products.md). For more information, see [Why can't I switch plans?](why-can-t-i-switch-plans.md)
-
-Here's why this can happen:
-
-- You're using more than one Microsoft 365 plan. You can only use the **Switch plans** button if all users subscribe to the same plan.--- You're already using Office 365 Enterprise E5, so you already have all the functionality available in Office 365.-
-## I don't see the plan I want
-
-When you use the **Switch plans** button, the plans that you can switch to are displayed based on the services in your current plan. You can only use the **Switch plans** button to switch to a plan that has the same data-related services, or to a higher version. This ensures that users don't lose data related to those services during the switch.
-
-To compare plans before switching, see the [Microsoft 365 for business product comparison](https://go.microsoft.com/fwlink/p/?linkid=842056) page. For technical specifications, see [Microsoft 365 Service Descriptions](/office365/servicedescriptions/office-365-service-descriptions-technet-library).
-
-If you want to switch to a plan with fewer services, you can [switch plans manually](switch-plans-manually.md), or [Call Microsoft Support](../../admin/contact-support-for-business-products.md) for help.
-
-## Why some switches take longer
-
- **Credit checks when switching plans**: If you pay by invoice, or reach a certain level of cost, a credit check might be required. A credit check can take up to two business days. Users will have full access to their current plan until you switch them to the new one.
-
- **Verification of non-profit status**: It normally takes 30 days to complete the verification process for your non-profit status. If it has been more than 30 days, please contact support.
-
-## Call support to help you switch plans
-
-[Call support](../../admin/contact-support-for-business-products.md)
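Review bot: this old-admin-center article is superseded by `upgrade-to-different-plan.md`, which this batch also edits, so a redirect to that page is expected alongside the deletion. The deleted body links to `why-can-t-i-switch-plans.md` and `switch-plans-manually.md`, both also deleted here, so the three removals and their redirects should land together.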
commerce Upgrade To Different Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/upgrade-to-different-plan.md
description: "Learn how to upgrade to a different plan."
When your business changes, or you need more features, you can upgrade plans. The easiest way to do this is to use the **Upgrade** tab in the admin center. However, using the **Upgrade** tab isn't supported in all situations. In some cases, you might be able to change plans manually.
-> [!NOTE]
-> This article applies to the new admin center. If you're not using the new Microsoft 365 admin center, you can turn it on by selecting the **Try the new admin center** toggle located at the top of the Home page. To view the article about the old admin center, see [Switch to a different Microsoft 365 for business plan](switch-to-a-different-plan.md).
- ## Use the Upgrade tab When you use the **Upgrade** tab, you're led through the process of buying a new plan. All users are automatically assigned licenses in the new plan, and your old plan is canceled for you.
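Review bot: removing the "applies to the new admin center" note is consistent with deleting `switch-to-a-different-plan.md` elsewhere in this batch, but the last removed line shows `## Use the Upgrade tab` run directly into "When you use the **Upgrade** tab"; confirm the heading keeps its own line and a blank line before the paragraph after the note is dropped.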
commerce Why Can T I Switch Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/why-can-t-i-switch-plans.md
- Title: "Why can't I switch Microsoft 365 for business plans?"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management -- Adm_O365-- Adm_NonTOC-- commerce--- BCS160-- MET150-- MOE150-- BEA160-- GEA150-
-description: "Understand the reasons why sometimes switching plans has to be done manually or by calling support."
--
-# Why can't I switch Microsoft 365 for business plans?
-
-> [!NOTE]
-> This article applies to the old admin center. To view the article about the admin center (preview), see [Why can't I upgrade plans?](upgrade-to-different-plan.md#why-cant-i-upgrade-plans). The preview is available to all Microsoft 365 admins, you can opt in by selecting **Try the preview** toggle located at the top of the Home page. For more information, see [About the new Microsoft 365 admin center](../../admin/microsoft-365-admin-center-preview.md).
-
-If you don't see the **Switch plans** button, your plan can't be switched automatically. In some cases, you might be able to resolve the issue so that you can use the **Switch plans** button, or you might be able to [switch plans manually](switch-plans-manually.md), instead. Position your mouse over the info icon to view a message that explains why the **Switch plans** button is not available. Use the information in this article to resolve the issue.
-
- **Need something else?** [Buy another subscription](../try-or-buy-microsoft-365.md) | [Cancel your subscription](cancel-your-subscription.md) | [Subscriptions and billing](../index.yml) | [Call support](../../admin/contact-support-for-business-products.md)
-
-## Why isn't the Switch plans button available for my subscription?
-
-### You can't switch subscriptions now because you have more users than licenses.
-
-To use the **Switch plans** button to switch plans automatically, all of your users need to be assigned valid licenses. If you have assigned more licenses than you have purchased, you'll see an alert on the <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page that says you have a licensing conflict that needs to be resolved. [Learn how to resolve license conflicts](../../commerce/licenses/buy-licenses.md). After you have resolved any licensing conflicts, you should see the **Switch plans** button. If not, you can [switch plans manually](switch-plans-manually.md), or [call support](../../admin/contact-support-for-business-products.md).
-
-### You can't switch subscriptions right now because this subscription isn't fully set up or the service isn't available.
-
-To see if there are provisioning or service health issues, in the admin center, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">Service health</a> page, or select **Health** \> **Service health**.
-
-If you find that a service is not fully provisioned, or you have a service health issue, please wait a few hours for your service to become available, and try again. If you still have a problem, please [call support](../../admin/contact-support-for-business-products.md).
-
-### You can't switch plans because another plan is in the process of being switched and is pending a credit check.
-
-Wait until the credit check has been completed before switching plans. Credit checks can take up to two working days.
-
-### Currently, this subscription is not eligible to switch plans.
-
-You can [switch plans manually](switch-plans-manually.md) or [call support](../../admin/contact-support-for-business-products.md).
-
-### I see a different message than what's listed here.
-
-You can [switch plans manually](switch-plans-manually.md) or [call support](../../admin/contact-support-for-business-products.md).
-
-## Additional reasons the Switch plans button is unavailable
-
-### You have a prepaid plan
-
-If you've paid for your subscription in advance, you might be able to [switch plans manually](switch-plans-manually.md). However, you won't receive a credit for unused time remaining on your current subscription if you switch plans before the current plan expires.
-
-You can also [call support](../../admin/contact-support-for-business-products.md) for help.
-
-### You have a government or non-profit plan
-
-If you have a government or non-profit plan, you can [switch plans manually](switch-plans-manually.md) or [call support](../../admin/contact-support-for-business-products.md) for help.
-
-### 3,000 or more licenses have been purchased and assigned for the subscription
-
-The **Switch plans** button is unavailable for subscriptions that have 3,000 or more licenses assigned to users. However, you might be able to [switch plans manually](switch-plans-manually.md). You can also [call support](../../admin/contact-support-for-business-products.md) for help.
-
-### The subscription that you want to switch from has a temporary issue
-
-The **Switch plans** button can become temporarily unavailable because the service is in the process of switching a high volume of plans. Try again in about an hour after your first attempt.
-
-### The plan that you want to switch to isn't a supported option
-
-When you switch plans, the plans that are available for you to switch to are displayed based on the services in your current plan. You can only switch to a plan that has the same data-related services, such as Exchange Online or SharePoint Online, or to a higher version of them. This ensures that users don't lose data related to those services during the switch.
-
-If your plan isn't eligible to switch plans automatically, you might be able to [switch plans manually](switch-plans-manually.md), instead. You can also [call support](../../admin/contact-support-for-business-products.md) for help.
-
-> [!NOTE]
-> Manually switching from an Office 365 Small Business, Office 365 Small Business Premium, or Office 365 Midsize Business plan is not supported.
-
-## Call support to help you switch plans
-
-[Call support](../../admin/contact-support-for-business-products.md)
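Review bot: this hunk removes the whole "Why isn't the Switch plans button available for my subscription?" troubleshooting section, including the NOTE that manually switching from Office 365 Small Business, Small Business Premium, or Midsize Business plans is not supported, without leaving a pointer to where that guidance now lives. If the guidance still applies it needs a home on whatever page now covers plan switching, and links to the removed headings (for example from switch-plans-manually.md, which this section links to in both directions) should be checked so they don't break.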
commerce Try Or Buy Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/try-or-buy-microsoft-365.md
business and try it out for 30 days.
> [!NOTE] > You must use a credit card when you sign up for a free trial. At the end of your free trial period, your trial subscription is automatically converted to a paid subscription. Your credit card isn't billed until the end of the trial period. ++
+> [!IMPORTANT]
+> **Payment options for Office 365 operated by 21Vianet in China**
+> International credit cards are not accepted. You can pay for your subscription by:
+> - Invoice
+> - Online payment using Alipay or China UnionPay
+> Proof of payment will be provided in the form of Fapiaos. You can submit your Fapiao request to our [Fapiao system](https://go.microsoft.com/fwlink/p/?LinkId=395314) about three (3) days after you have paid. For more information, see [Apply for a Fapiao for Office 365 operated by 21Vianet](../admin/services-in-chin).
++ ## Before you begin You don't need an existing Microsoft account to sign up for a free
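Review bot: the relative link in the added IMPORTANT block, `[Apply for a Fapiao for Office 365 operated by 21Vianet](../admin/services-in-chin)`, is truncated (no file name or `.md` extension) and will not resolve; complete the path to the target article before merging. In the same blockquote, the "Proof of payment will be provided..." paragraph follows the two-item list with no blank `>` line between them, so renderers will fold it into the last list item; add a line containing only `>` after `> - Online payment using Alipay or China UnionPay`.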
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
There are two different methods for automatically applying a sensitivity label t
- For these Office files, Open XML format is supported (such as .docx and .xlsx) but not Microsoft Office 97-2003 format (such as .doc and .xls). - If you have Exchange mail flow rules or data loss prevention (DLP) policies that apply IRM encryption: When content is identified by these rules or policies and an auto-labeling policy, the label is applied. If that label applies encryption, the IRM settings from the Exchange mail flow rules or DLP policies are ignored. However, if that label doesn't apply encryption, the IRM settings from the mail flow rules or DLP policies are applied in addition to the label. - Email that has IRM encryption with no label will be replaced by a label with any encryption settings when there is a match by using auto-labeling.
- - Incoming email is labeled when there is a match with your auto-labeling conditions. However, if the label is configured for encryption, that encryption isn't applied.
+ - Incoming email is labeled when there is a match with your auto-labeling conditions:
+ - If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption isn't applied.
+ - If the label is configured to apply [dynamic markings](sensitivity-labels-office-apps.md#dynamic-markings-with-variables), be aware that this can result in the names of people outside your organization.
- When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the person who sends the email.
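Review bot: the new sub-bullet "If the label is configured to apply [dynamic markings](...), be aware that this can result in the names of people outside your organization." stops before saying what happens to those names (whether they end up in the marking text, are shown to external recipients, and so on), so the warning has no content; finish the sentence. Splitting the old single sentence into an intro line plus two sub-bullets is otherwise a clearer layout for the encryption and marking caveats.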
compliance Audit Log Search Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-search-script.md
When there are situations where you need to manually retrieve auditing data for
```powershell Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled ```
-
+ The value of `True` for the **UnifiedAuditLogIngestionEnabled** property indicates that audit log search is turned on. - You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to run successfully the script. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. For more information, see the "Requirements to search the audit log" section in [Search the audit log in the compliance center](search-the-audit-log-in-security-and-compliance.md#requirements-to-search-the-audit-log).
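Review bot: the added sentence documents only the `True` case for **UnifiedAuditLogIngestionEnabled**; say explicitly that `False` means audit log search is off and must be turned on first, since in that state the script in the next step has nothing to retrieve and the reader would otherwise see an empty CSV with no explanation. The added line also carries a leading space that the neighbouring prose lines do not, so check it isn't indented into the preceding code fence when rendered.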
After you've connected to Exchange Online PowerShell, the next step is to create
1. Save the following text to a Windows PowerShell script by using a filename suffix of .ps1. For example, SearchAuditLog.ps1.
-```powershell
-#Modify the values for the following variables to configure the audit log search.
-$logFile = "d:\AuditLogSearch\AuditLogSearchLog.txt"
-$outputFile = "d:\AuditLogSearch\AuditLogRecords.csv"
-[DateTime]$start = [DateTime]::UtcNow.AddDays(-1)
-[DateTime]$end = [DateTime]::UtcNow
-$record = "AzureActiveDirectory"
-$resultSize = 5000
-$intervalMinutes = 60
-
-#Start script
-[DateTime]$currentStart = $start
-[DateTime]$currentEnd = $start
-
-Function Write-LogFile ([String]$Message)
-{
- $final = [DateTime]::Now.ToUniversalTime().ToString("s") + ":" + $Message
- $final | Out-File $logFile -Append
-}
-
-Write-LogFile "BEGIN: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize."
-Write-Host "Retrieving audit records for the date range between $($start) and $($end), RecordType=$record, ResultsSize=$resultSize"
-
-$totalCount = 0
-while ($true)
-{
- $currentEnd = $currentStart.AddMinutes($intervalMinutes)
- if ($currentEnd -gt $end)
- {
- $currentEnd = $end
- }
-
- if ($currentStart -eq $currentEnd)
- {
- break
- }
-
- $sessionID = [Guid]::NewGuid().ToString() + "_" + "ExtractLogs" + (Get-Date).ToString("yyyyMMddHHmmssfff")
- Write-LogFile "INFO: Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
- Write-Host "Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
- $currentCount = 0
-
- $sw = [Diagnostics.StopWatch]::StartNew()
- do
- {
- $results = Search-UnifiedAuditLog -StartDate $currentStart -EndDate $currentEnd -RecordType $record -SessionId $sessionID -SessionCommand ReturnLargeSet -ResultSize $resultSize
-
- if (($results | Measure-Object).Count -ne 0)
- {
- $results | export-csv -Path $outputFile -Append -NoTypeInformation
-
- $currentTotal = $results[0].ResultCount
- $totalCount += $results.Count
- $currentCount += $results.Count
- Write-LogFile "INFO: Retrieved $($currentCount) audit records out of the total $($currentTotal)"
-
- if ($currentTotal -eq $results[$results.Count - 1].ResultIndex)
- {
- $message = "INFO: Successfully retrieved $($currentTotal) audit records for the current time range. Moving on!"
- Write-LogFile $message
- Write-Host "Successfully retrieved $($currentTotal) audit records for the current time range. Moving on to the next interval." -foregroundColor Yellow
- ""
- break
- }
- }
- }
- while (($results | Measure-Object).Count -ne 0)
-
- $currentStart = $currentEnd
-}
-
-Write-LogFile "END: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize, total count: $totalCount."
-Write-Host "Script complete! Finished retrieving audit records for the date range between $($start) and $($end). Total count: $totalCount" -foregroundColor Green
-```
+ ```powershell
+ #Modify the values for the following variables to configure the audit log search.
+ $logFile = "d:\AuditLogSearch\AuditLogSearchLog.txt"
+ $outputFile = "d:\AuditLogSearch\AuditLogRecords.csv"
+ [DateTime]$start = [DateTime]::UtcNow.AddDays(-1)
+ [DateTime]$end = [DateTime]::UtcNow
+ $record = "AzureActiveDirectory"
+ $resultSize = 5000
+ $intervalMinutes = 60
+
+ #Start script
+ [DateTime]$currentStart = $start
+ [DateTime]$currentEnd = $start
+
+ Function Write-LogFile ([String]$Message)
+ {
+ $final = [DateTime]::Now.ToUniversalTime().ToString("s") + ":" + $Message
+ $final | Out-File $logFile -Append
+ }
+
+ Write-LogFile "BEGIN: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize."
+ Write-Host "Retrieving audit records for the date range between $($start) and $($end), RecordType=$record, ResultsSize=$resultSize"
+
+ $totalCount = 0
+ while ($true)
+ {
+ $currentEnd = $currentStart.AddMinutes($intervalMinutes)
+ if ($currentEnd -gt $end)
+ {
+ $currentEnd = $end
+ }
+
+ if ($currentStart -eq $currentEnd)
+ {
+ break
+ }
+
+ $sessionID = [Guid]::NewGuid().ToString() + "_" + "ExtractLogs" + (Get-Date).ToString("yyyyMMddHHmmssfff")
+ Write-LogFile "INFO: Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
+ Write-Host "Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
+ $currentCount = 0
+
+ $sw = [Diagnostics.StopWatch]::StartNew()
+ do
+ {
+ $results = Search-UnifiedAuditLog -StartDate $currentStart -EndDate $currentEnd -RecordType $record -SessionId $sessionID -SessionCommand ReturnLargeSet -ResultSize $resultSize
+
+ if (($results | Measure-Object).Count -ne 0)
+ {
+ $results | export-csv -Path $outputFile -Append -NoTypeInformation
+
+ $currentTotal = $results[0].ResultCount
+ $totalCount += $results.Count
+ $currentCount += $results.Count
+ Write-LogFile "INFO: Retrieved $($currentCount) audit records out of the total $($currentTotal)"
+
+ if ($currentTotal -eq $results[$results.Count - 1].ResultIndex)
+ {
+ $message = "INFO: Successfully retrieved $($currentTotal) audit records for the current time range. Moving on!"
+ Write-LogFile $message
+ Write-Host "Successfully retrieved $($currentTotal) audit records for the current time range. Moving on to the next interval." -foregroundColor Yellow
+ ""
+ break
+ }
+ }
+ }
+ while (($results | Measure-Object).Count -ne 0)
+
+ $currentStart = $currentEnd
+ }
+
+ Write-LogFile "END: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize, total count: $totalCount."
+ Write-Host "Script complete! Finished retrieving audit records for the date range between $($start) and $($end). Total count: $totalCount" -foregroundColor Green
+ ```
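Review bot: the inner `do ... while` loop exits as soon as `Search-UnifiedAuditLog` returns an empty page, but nothing checks whether `$currentCount` reached `$currentTotal` at that point, so an interval whose records cannot all be returned within one session ends with a truncated CSV and a log line that reads like success; after the loop, add a check along the lines of `if ($currentCount -lt $currentTotal) { Write-LogFile "WARN: retrieved $currentCount of $currentTotal records for this interval" }` and tell the reader to reduce `$intervalMinutes` when it fires. Also `$sw = [Diagnostics.StopWatch]::StartNew()` is assigned and never read; either log `$sw.Elapsed` per interval or drop the line. The hunk itself only re-indents the block under step 1, so script behaviour is unchanged by this commit.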
2. Modify the variables listed in the following table to configure the search criteria. The script includes sample values for these variables, but you should change them (unless stated otherwise) to meet your specific requirements.
+ <br>
+
+ ****
+ |Variable|Sample value|Description| |||| |`$logFile`|"d:\temp\AuditSearchLog.txt"|Specifies the name and location for the log file that contains information about the progress of the audit log search performed by the script. The script writes UTC timestamps to the log file.|
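Review bot: the `****` line added before the variables table is a Markdown thematic break (horizontal rule), which together with the raw `<br>` is an odd way to separate the table from step 2; a blank line does the job. The sample value in the table row, `"d:\temp\AuditSearchLog.txt"`, also does not match what the script above actually sets (`$logFile = "d:\AuditLogSearch\AuditLogSearchLog.txt"`); keep the two in sync, since the step tells the reader to change "the sample values" and currently shows them two different ones.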
The script displays progress messages while it's running. After the script is fi
## Step 3: Format and view the audit records
-After you've run the script and exported the audit records to a CSV file, you may want to format the CSV to make easier to review and analyze the audit records. One way to do this is to the Power Query JSON transform feature in Excel to split each property in the JSON object in the **AuditData** column into its own column. For step-by-step instructions, see "Step 2: Format the exported audit log using the Power Query Editor" in [Export, configure, and view audit log records](export-view-audit-log-records.md#step-2-format-the-exported-audit-log-using-the-power-query-editor).
+After you've run the script and exported the audit records to a CSV file, you may want to format the CSV to make easier to review and analyze the audit records. One way to do this is to the Power Query JSON transform feature in Excel to split each property in the JSON object in the **AuditData** column into its own column. For step-by-step instructions, see "Step 2: Format the exported audit log using the Power Query Editor" in [Export, configure, and view audit log records](export-view-audit-log-records.md#step-2-format-the-exported-audit-log-using-the-power-query-editor).
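Review bot: the replacement line in Step 3 keeps two grammar slips from the line it replaces: "to make easier to review" should be "to make it easier to review", and "One way to do this is to the Power Query JSON transform feature" is missing its verb ("is to use the ..."). Since the line is being touched anyway, fix both in the same change.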
compliance Create Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-sensitivity-labels.md
In comparison, when you delete a label:
- For Office on the web: Users don't see the label name on status bar or in the **Sensitivity** column. The label information in the metadata remains only if the label didn't apply encryption. If the label applied encryption, and you've enabled [sensitivity labels for SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md), the label information in the metadata is removed and the encryption is removed.
-When you remove a sensitivity label from a label policy, or delete a sensitivity label, these changes can take up to one hour to replicate to all users and services.
+When you remove a sensitivity label from a label policy, or delete a sensitivity label, these changes can take up to 24 hours to replicate to all users and services.
## Next steps
compliance Delete Items In The Recoverable Items Folder Of Mailboxes On Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold.md
Additionally, you need to get the mailbox client access settings so you can temp
> [!TIP] > If there are too many values in the *InPlaceHolds* property and not all of them are displayed, you can run the `Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds` command to display each value on a separate line.
-6. Run the following command to get the current size and total number of items in folders and subfolders in the Recoverable Items folder in the user's primary mailbox.
+6. Run the following command to determine if a delay hold is applied to the mailbox.
+
+ ```powershell
+ Get-Mailbox <username> | FL DelayHoldApplied,DelayReleaseHoldApplied
+ ```
+
+ If the value of the *DelayHoldApplied* or *DelayReleaseHoldApplied* property is set to **True**, a delay hold is applied to the mailbox and must be removed. For more information about delay holds, see [Step 4: Remove the delay hold from the mailbox](#step-4-remove-the-delay-hold-from-the-mailbox).
+
+ If the value of either properties is set to **False**, a delay hold is not applied to the mailbox, and you can skip Step 4.
+
+7. Run the following command to get the current size and total number of items in folders and subfolders in the Recoverable Items folder in the user's primary mailbox.
```powershell Get-MailboxFolderStatistics <username> -FolderScope RecoverableItems | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders
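Review bot: the skip condition in the new step 6 is inverted. "If the value of either properties is set to **False**, a delay hold is not applied to the mailbox, and you can skip Step 4" contradicts the sentence just before it, which says a delay hold is applied when *either* property is **True**; the reader may only skip Step 4 when *both* `DelayHoldApplied` and `DelayReleaseHoldApplied` are **False**. Reword to "If both properties are set to **False**" (which also fixes "either properties"). Inserting this as step 6 renumbers the old step 6 to 7, so confirm that any later steps and cross-references to them were renumbered as well.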
Perform the following steps in Exchange Online PowerShell.
``` > [!NOTE]
- > It might take up to 60 minutes to disable all client access methods to the mailbox. Note that disabling these access methods won't disconnect the mailbox owner they're currently signed in. If the owner isn't signed in, then they won't be able to access their mailbox after these access methods are disabled.
+ > It might take up to 60 minutes to disable all client access methods to the mailbox. Note that disabling these access methods won't disconnect the mailbox owner if they are currently signed in. If the owner isn't signed in, they won't be able to access their mailbox after these access methods are disabled.
2. Run the following command to increase the deleted item retention period the maximum of 30 days. This assumes that the current setting is less than 30 days.
After you've identified the name of the eDiscovery case and the hold, go to the
After any type of hold is removed from a mailbox, the value of the *DelayHoldApplied* or *DelayReleaseHoldApplied* mailbox property is set to **True**. This occurs the next time the Managed Folder Assistant processes the mailbox and detects that a hold has been removed. This is called a *delay hold* and means the actual removal of the hold is delayed for 30 days to prevent data from being permanently deleted from the mailbox. (The purpose of a delay hold is to give admins an opportunity to search for or recover mailbox items that will be purged after a hold is removed.) When a delay hold is placed on the mailbox, the mailbox is still considered to be on hold for an unlimited duration, as if the mailbox was on Litigation Hold. After 30 days, the delay hold expires, and Microsoft 365 will automatically attempt to remove the delay hold (by setting the *DelayHoldApplied* or *DelayReleaseHoldApplied* property to **False**) so that the hold is removed. For more information about a delay hold, see the "Managing mailboxes on delay hold" section in [How to identify the type of hold placed on an Exchange Online mailbox](identify-a-hold-on-an-exchange-online-mailbox.md#managing-mailboxes-on-delay-hold).
-Before you can delete items in Step 5, you have to remove a delay hold from the mailbox. First, determine if the delay hold is applied to the mailbox by running the following command in Exchange Online PowerShell:
-
-```powershell
-Get-Mailbox <username> | FL DelayHoldApplied,DelayReleaseHoldApplied
-```
-
-If the value of either the *DelayHoldApplied* or *DelayReleaseHoldApplied* property is set to **False**, a delay hold has not been placed on the mailbox. You can go to Step 5 and delete items in the Recoverable Items folder.
- If the value of the *DelayHoldApplied* or *DelayReleaseHoldApplied* property is set to **True**, run one of the following commands to remove the delay hold: ```powershell
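Review bot: with the check moved to step 6 of the earlier procedure, Step 4 now opens with "If the value of the *DelayHoldApplied* or *DelayReleaseHoldApplied* property is set to **True**, run one of the following commands" and no longer says where that value comes from; keep one sentence pointing back to the step where `Get-Mailbox <username> | FL DelayHoldApplied,DelayReleaseHoldApplied` is run so the section still reads on its own for someone who jumps straight to it.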
compliance Insider Risk Management Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-cases.md
The case queue lists all active and closed cases for your organization, in addit
- **User**: The user for the case. If anonymization for usernames is enabled, anonymized information is displayed. - **Time case opened**: The time that has passed since the case was opened. - **Total policy alerts**: The number of policy matches included in the case. This number may increase if new alerts are added to the case.-- **Last updated**: The time that has passed since there has been an added case note or change in the case state.
+- **Case last updated**: The time that has passed since there has been an added case note or change in the case state.
- **Last updated by**: The name of the insider risk management analyst or investigator that last updated the case. ![Insider risk management Cases dashboard](../media/insider-risk-cases-dashboard.png)
Selecting a case opens the case management tools and allows analysts and investi
### Case overview
-The **Case overview** tab summarizes the alert activity and risk level history for the case.
+The **Case overview** tab summarizes the case details for risk analysts and investigators. It includes the following information in the **About this case** area
-- The **Alerts** widget shows the policy matches for the case, including the status of the alert, the alert risk severity, and when the alert was detected. -- The **Risk level history** chart displays the user risk level over the last 30 days. The line chart allows analysts and investigators to quickly see the trend in overall user risk over time. -- The **Risk activity content** widget summarizes the types of data and content contained in alerts added to the case. This widget gives an all-up view of the entire data and content set at risk in the case.
+- **Status**: The current status of the case, either Active or Closed.
+- **Case created on**: The date and time the case was created.
+- **User's risk score**: The current calculated risk level of the user for the case. This score is calculated every 24 hours and uses alert risk scores from all active alerts associated to the user.
+- **Email**: The email alias of the user for the case.
+- **Organization or department**: The organization or department that the user is assigned to.
+- **Manager name**: The name of the user's manager.
+- **Manager email**: The email alias of the user's manager.
-The **Case details** pane is available on all case management tabs and summarizes the case details for risk analysts and investigators. It includes the following areas:
+The **Case overview** tab also includes an **Alerts** section that includes the following information about policy match alerts associated with the case:
-- **Case name**: The name of the case, prefixed with an autogenerated case sequence number and the name of the risk associated with the policy template that the first confirmed alert matches. -- **Case status**: The current status of the case, either *Active* or *Closed*.-- **User's risk score**: The current calculated risk level of the user for the case. This score is calculated every 24 hours and uses the alert risk scores from all active alerts associated to the user.-- **Alerts confirmed**: List of alerts for the user confirmed for the case.-- **Related content**: List of content, sorted by content sources and types. For example, for case alert content in SharePoint Online, you may see folder or file names listed that are associated with the risk activity for alerts in the case.
+- **Policy matches**: The name of the insider risk management policy associated with the match alerts for user activity.
+- **Status**: Status of the alert.
+- **Severity**: Severity of the alert.
+- **Time detected**: The time that has passed since the alert was generated.
![Insider risk management case details](../media/insider-risk-case-details.png)
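Review bot: the new intro line "It includes the following information in the **About this case** area" has no terminating punctuation before the list; add a colon. The rewrite also drops the descriptions of the **Risk level history** chart and the **Risk activity content** widget without replacing them; if those elements are still on the Case overview tab they are now undocumented, and if they were removed from the product that should be stated in the change description. In the Alerts list, "the match alerts for user activity" in the **Policy matches** bullet reads awkwardly; "the policy whose conditions the alert matched" is clearer.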
To add a note to a case:
### Contributors
-The **Contributors** tab in the case is where risk analysts and investigators can add other reviewers to the case. Be default, all users assigned the **Insider Risk Management Analysts** and **Insider Risk Management Investigators** roles are listed as contributors for each active and closed case. Only users assigned the **Insider Risk Management Investigators** role have permission to view files and messages in the Content explorer.
+The **Contributors** tab in the case is where risk analysts and investigators can add other reviewers to the case. Be default, all users assigned the **Insider Risk Management Analysts** and the **Insider Risk Management Investigators** roles are listed as contributors for each active and closed case. Only users assigned the **Insider Risk Management Investigators** role have permission to view files and messages in the Content explorer.
Temporary access to a case can be granted by adding a user as a contributor. Contributors have all case management control on the specific case except:
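Review bot: the edited Contributors line still reads "Be default, all users assigned..."; it should be "By default". The only other change on the line is inserting "the" before "Insider Risk Management Investigators", so this is the moment to fix the typo rather than carry it forward.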
compliance Insider Risk Management Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-content-explorer.md
# Insider risk management Content explorer
-The insider risk management **Content explorer** allows users assigned the *Insider Risk Management Investigators* role to examine the context and details of content associated with activity in alerts. The case data in Content explorer is refreshed daily to include new activity. For all alerts that are confirmed to a case, copies of data and message files are archived as a snapshot in time of the items, while maintaining the original files and messages in the storage sources. The copying of data and messages is transparent to the user associated with the alert and to the owner of the content. For new cases, it usually takes about an hour for content to populate in Content explorer. For cases with large amounts of content, it may take longer to create a snapshot. If content is still loading in Content explorer, you will see a progress indicator that displays the completion percentage.
+The insider risk management **Content explorer** allows users assigned the *Insider Risk Management Investigators* role to examine the context and details of content associated with activity in alerts. The case data in Content explorer is refreshed daily to include new activity. For all alerts that are confirmed to a case, copies of data and message files are archived as a snapshot in time of the items, while maintaining the original files and messages in the storage sources. If needed, case data files may be exported as a portable document file (PDF) or in the original file format.
+
+The copying of data and messages is transparent to the user associated with the alert and to the owner of the content. For new cases, it usually takes about an hour for content to populate in Content explorer. For cases with large amounts of content, it may take longer to create a snapshot. If content is still loading in Content explorer, you will see a progress indicator that displays the completion percentage.
In some cases, data associated with a case may not be available as a snapshot for review in Content explorer. This situation may occur when case data has been deleted or moved, or when a temporary error occurs when processing case data. If this situation occurs, select **View files** in the warning bar to view the file names, file path, and reason for the failure for each file. If needed, this information can be exported to a .csv (comma-separated values) file.
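Review bot: the added sentence "If needed, case data files may be exported as a portable document file (PDF) or in the original file format." does not say who can export. The same paragraph restricts Content explorer to users holding the *Insider Risk Management Investigators* role, and an export in the original format places a copy of potentially sensitive content outside the snapshot; state whether export is limited to that role and whether the export action is recorded, rather than leaving the reader to infer it.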
To add or remove column headings for the content queue, use the **Edit columns**
| **Title** | The title of the document. The Title property is metadata that's specified in Office documents. It's different than the file name of the document. | | **To** | The recipient of an email message in the To field. |
-## Advanced search conditions
-
-You can add search conditions to narrow the scope of a search and return a more refined set of results. Each condition adds a clause to the search query that is created and run when you start the search. A condition is logically connected to the keyword query (specified in the keyword box) by a logical operator (which is represented as c:c) that is similar in functionality to the AND operator. That means that items have to satisfy both the keyword query and one or more conditions to be included in the search results. This functionality is how conditions help to narrow your results.
-
-For advanced filter and search tools, expand the **Filter** pane on the left side of the content queue. Select the **Add a condition** button to open the condition list:
+## Filtering
-### Operators used with conditions
+You can use one or more filters to narrow the scope of a search and return a more refined set of results. To set a filter, select **Filters** at the top of the content queue. Many filters include additional filtering options to help narrow the results returned by the filter. For example, the *Date* filter includes controls to configure a *Start date* and *Ending date* for the **Date** filter. Select one or more filter items from the following categories:
-|**Operator**|**Query equivalent**|**Description**|
-|:--|:-|:--|
-| **After** |`property>date`| Used with date conditions. Returns items that were sent, received, or modified after the specified date.|
-| **Before** |`property<date`| Used with date conditions. Returns items that were sent, received, or modified before the specified date.|
-| **Between** |`date..date`| Use with date and size conditions. When used with a date condition, returns items there were sent, received, or modified within the specified date range. When used with a size condition, returns items whose size is within the specified range.|
-| **Contains all of** |`(property:value) OR (property:value)`| Used with conditions for properties that specify a string value. Returns items that contain all of one or more specified string values. |
-| **Contains any of** |`(property:value) OR (property:value)`| Used with conditions for properties that specify a string value. Returns items that contain any part of one or more specified string values.|
-| **Contains none of** |`-property:value` <br/> `NOT property:value`| Used with conditions for properties that specify a string value. Returns items that don't contain any part of the specified string value.|
-| **Doesn't equal any of** |`-property=value` <br/> `NOT property=value`| Used with conditions for properties that specify a string value. Returns items that don't contain the specific string.|
-| **Equals** |`size=value`| Returns items that are equal to the specified size.<sup>1</sup>|
-| **Equals any of** |`(property=value) OR (property=value)`| Used with conditions for properties that specify a string value. Returns items that are an exact match of one or more specified string values.|
-| **Equals none of** |`(property=value) OR (property=value)`| Used with conditions for properties that specify a string value. Returns items that do not match one or more specified string values. |
-| **Greater than** |`size>value`| Returns items where the specified property is greater than the specified value.<sup>1</sup>|
-| **Greater or equal** |`size>=value`| Returns items where the specified property is greater than or equal to the specified value.<sup>1</sup>|
-| **Less than** |`size<value`| Returns items that are greater than or equal to the specific value.<sup>1</sup>|
-| **Less or equal** |`size<=value`| Returns items that are greater than or equal to the specific value.<sup>1</sup>|
-| **Not equal** |`size<>value`| Returns items that don't equal the specified size.<sup>1</sup>|
+### Common filters
-> [!NOTE]
-> <sup>1</sup> This operator is available only for conditions that use the Size property.
-
-### Common property conditions
-
-| **Condition option** | **Description** |
+| **Filter** | **Description** |
|:|:-|
-| **Date** | For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified. |
-| **Sender/Author** | For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the **OR** operator. |
-| **Size** | For both email and documents, the size of the item (in bytes). |
+| **Date (UTC)** | For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified. |
+| **Sender/Author** | For email, the person who sent a message. For documents, the person cited in the *Author* field from Office documents. You can type more than one name, separated by commas. |
+| **Source** | The location of the document in your organization. For example, a specific SharePoint site location. |
| **Subject/Title** | For email, the text in the subject line of a message. For documents, the title of the document. The Title property in documents is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title, separated by commas. Two or more values are logically connected by the OR operator. |
-### Email property conditions
+### Email filters
-The following table lists email message property conditions available in the Content explorer.
-
-| **Condition option** | **Description** |
+| **Filter** | **Description** |
|:|:-| | **Bcc** | The Bcc field of an email message. | | **Cc** | The Cc field of an email message. |
-| **Email security** | Security setting of the message. |
-| **Email sensitivity** | Sensitivity setting of the message. |
-| **Email set ID** | Group ID for all messages in the same email set. |
-| **From** | The sender of an email message. |
-| **Has attachment** | Indicates whether a message has an attachment. Use the values **true** or **false**. |
-| **Importance** | The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as **high** or **low**. |
-| **Meeting end date** | Meeting end date for meetings. |
-| **Meeting start date** | Meeting start date for meetings. |
-| **Message kind** | The type of email message to search for. Possible values: contacts, docs, email, external data, faxes, im, journals, meetings, microsoft teams (returns items from chats, meetings, and calls in Microsoft Teams), notes, posts, rssfeeds, tasks, voicemail |
-| **Participant domain** | List of all domains of participants of a message. |
+| **Has attachment** | Indicates whether a message has an attachment. Values are listed as **true** or **false**. |
+| **Is email attachment** | If the document is an attachment, the value is listed as **Yes**. |
+| **Is embedded document** | If the document is embedded in the email message, the value is listed as **Yes**. |
+| **Is inline attachment** | If the document is an inline attachment in the email message, the value is listed as **Yes**. |
| **Participants** | All the people fields in an email message. These fields are From, To, Cc, and Bcc. | | **Received** | The date that an email message was received by a recipient. | | **Recipient domains** | List of all domains of recipients of a message. |
+| **Recipients** | The email message recipients. |
| **Sender** | Sender (From) field for message types. Format is **DisplayName \<SmtpAddress>**. | | **Sender domain** | Domain of the sender. |
-| **Subject** | The text in the subject line of an email message. <br/> **Note:** When you use the Subject property in a query, the search returns all messages in which the subject line contains the text you're searching for. In other words, the query doesn't return only those messages that have an exact match. For example, if you search for `subject:"Quarterly Financials"`, your results will include messages with the subject "Quarterly Financials 2018". |
| **To** | The To field of an email message. | | **Unique in email set** | False if there's a duplicate of the attachment in its email set. |
-## Document property conditions
-
-The following table lists documents property conditions available the Content explorer. Many of these property conditions are shared with review sets included in [Advanced eDiscovery cases](document-metadata-fields-in-Advanced-eDiscovery.md).
+## Document filters
-| **Condition option** | **Description** |
+| **Filters** | **Description** |
|:|:-|
-| **Attorney-client privilege score** | Attorney-client privilege model content score. |
-| **Author** | The author field from Office documents, which persists if a document is copied. For example, if a user creates a document and the emails it to someone else who then uploads it to SharePoint, the document will still retain the original author. |
| **Compliance labels** | Compliance labels applied in Office 365. |
-| **Compound path** | Human readable path that describes the source of the item. |
-| **Conversation ID** | Conversation Id from the message. |
-| **Created time** | The time the file or email message was created. |
-| **Custodian** | Name of the custodian the item was associated with. |
-| **Dominant theme** | Dominant theme as calculated for analytics. |
-| **Family ID** | Family Id groups together all items; for email, this field includes the message and all attachments; for documents, this field includes the document and any embedded items. |
-| **File class** | For content from SharePoint and OneDrive: **Document**; for content from Exchange: **Email or **Attachment**. |
-| **File types** | The extension of a file; for example, docx, one, pptx, or xlsx. |
-| **Has attorney participant** | True when at least one of the participants is found in the attorney list; otherwise, the value is False. |
-| **Immutable ID** | Immutable Id as stored in Office 365. |
-| **Inclusive type** | Inclusive type calculated for analytics: **0** - not inclusive; **1** - inclusive; **2** - inclusive minus; **3** - inclusive copy. |
-| **Item class** | Item class supplied by exchange server; for example, **IPM.Note** |
-| **Last modified** | The date that a document was last changed. |
-| **Load ID** | Load Id, in which the item was loaded into a review set. |
-| **Location name** | String that identifies the source of the item. For exchange, this field will be the SMTP address of the mailbox. For SharePoint and OneDrive, the URL to the site collection. |
-| **Marked as representative** | One document from each set of exact duplicates is marked as representatives. |
-| **Native file extension** | Native extension of the item. |
-| **Native file name** | Native file name of the item. |
-| **NdEtSortExclAttach** | Concatenation of email set and ND set for efficient sorting at review time; D is added as a prefix to ND sets and E is added to email sets. |
-| **Pivot ID** | The ID of a pivot. |
-| **Potentially privileged** | True if attorney-client privilege detection model considers the document potentially privileged. |
-| **Processing status** | Processing status after the item was added to a review set. |
-| **Read percentile** | Read percentile for the document based on Relevance. |
-| **Relevance score** | Relevance score of a document based on Relevance. |
-| **Relevance tag** | Relevance score of a document based on Relevance. |
-| **Representative ID** | Numeric identifier of each set of exact duplicates. |
-| **Tags** | Tags applied in a review set. |
-| **Themes list** | Themes list as calculated for analytics. |
-| **Title** | The title of the document. The Title property is metadata that's specified in Office documents. It's different than the file name of the document. |
-| **Was remediated** | True if the item was remediated, otherwise False. |
-| **Word count** | The number of words in a file. |
+| **Created time (UTC)** | The date and time the file or email message was created. The date and time are in Coordinated Universal Time (UTC). |
+| **Last modified date (UTC)** | The date that a document was last changed. The date and time are in Coordinated Universal Time (UTC). |
+| **File extension** | The extension type of the file. |
+| **User activity events** | Activity for items related to specific user activity in a case. For example, when you select a link to 'Explore Content' for an activity in the **User Activity** page of a case, this filter is used to display items related to that activity. |
+| **Work product** | The type of work product for the document. For example, annotations or tags in the document. |
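Review bot: the three rewritten filter tables are inconsistent with each other: `## Document filters` is an H2 while `### Common filters` and `### Email filters` are H3, and its header row reads `| **Filters** | **Description** |` where the other two read `| **Filter** | **Description** |`; make the heading `### Document filters` and the header `**Filter**`. The boolean rows also disagree on values: the rewritten `Has attachment` row says values are listed as **true** or **false**, while the new `Is email attachment`, `Is embedded document` and `Is inline attachment` rows say **Yes**; confirm what the Content explorer UI actually shows and use one form throughout. Finally, the `Sender/Author` row drops the sentence about multiple values being connected by the OR operator, but the unchanged `Subject/Title` row directly below still carries it; either keep it in both rows or remove it from both.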
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
For other workloads, see:
Teams chats messages and channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: Embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages include all the names of the people in the chat, and channel messages include the team name and the message title (if supplied). > [!NOTE]
-> Including card content is a recent addition and now fully rolled out to tenants. For more information, see [Microsoft 365 compliance capabilities for Adaptive Card content through apps in Teams now available](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-365-compliance-capabilities-for-adaptive-card-content/ba-p/2095869).
+> Including card content in a retention policy for Teams is a fairly recent addition. For more information, see [Microsoft 365 compliance capabilities for Adaptive Card content through apps in Teams now available](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-365-compliance-capabilities-for-adaptive-card-content/ba-p/2095869).
Teams messages in private channels are currently not supported for retention policies. Code snippets, recorded voice memos from the Teams mobile client, thumbnails, announcement images, and reactions from others in the form of emoticons are not retained when you use retention policies for Teams.
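Review bot: "a fairly recent addition" in the replacement NOTE is a relative statement that will age silently, and it also drops the only concrete status the old text gave ("now fully rolled out to tenants"). If the rollout status is no longer certain enough to state, either anchor the remark to a date (for example, the month the capability shipped, taken from the linked blog post) or drop the recency sentence and keep only the "For more information" link.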
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Provide help link to a custom help page](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Mark the content](sensitivity-labels.md#what-sensitivity-labels-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
-|[Dynamic markings with variables](#dynamic-markings-with-variables) <sup>1</sup> | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
+|[Dynamic markings with variables](#dynamic-markings-with-variables) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
|[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions: <br /> - Do Not Forward](encryption-sensitivity-labels.md#let-users-assign-permissions) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) |2011+ | Rolling out: 16.48+ | Rolling out: 4.2112.0+ | Rolling out: 4.2112.0+ | Yes |
-|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Rolling out: 2101+ | 16.43+ <sup>2</sup> | Under review | Under review | Yes |
+|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | Rolling out: 2101+ | 16.43+ <sup>\*</sup> | Under review | Under review | Yes |
|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | Under review | Under review | Under review | Under review |
-|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ <sup>2</sup> | Under review | Under review | Yes |
+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ <sup>\*</sup> | Under review | Under review | Yes |
|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | Under review | Rolling out: 16.43.1108+ | Rolling out: 4.2111+ | Rolling out: 4.2111+ | Rolling out | | **Footnotes:**
-<sup>1</sup>
-Currently, only the [Item.Label and If.App variables](#dynamic-markings-with-variables) are supported
-<br />
-<sup>2</sup>
+<sup>\*</sup>
Requires the [new Outlook for Mac](https://support.microsoft.com/office/the-new-outlook-for-mac-6283be54-e74d-434e-babb-b70cefc77439)
For these scenarios, using their Office apps, a user with built-in labeling can
> [!IMPORTANT] > Currently, not all apps on all platforms support dynamic content markings that you can specify for your headers, footers, and watermarks. For apps that don't support this capability, they apply the markings as the original text specified in the label configuration, rather than resolving the variables. >
-> The Azure Information Protection unified labeling client supports dynamic markings and all listed variables. For labeling built in to Office, see the tables in the [capabilities](#support-for-sensitivity-label-capabilities-in-apps) section on this page for minimum versions, and then the following table to identify the variables supported.
+> The Azure Information Protection unified labeling client supports dynamic markings. For labeling built in to Office, see the tables in the [capabilities](#support-for-sensitivity-label-capabilities-in-apps) section on this page for minimum versions supported.
When you configure a sensitivity label for content markings, you can use the following variables in the text string for your header, footer, or watermark: | Variable | Description | Example when label applied | | -- | -- | - |
-| `${Item.Label}` | Label display name of the label applied <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint, and Outlook | **General**|
-| `${Item.Name}` | File name or email subject of the content being labeled <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **Sales.docx** |
-| `${Item.Location}` | Path and file name of the document being labeled, or the email subject for an email being labeled <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **\\\Sales\2020\Q3\Report.docx**|
-| `${User.Name}` | Display name of the user applying the label <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **Richard Simone** |
-| `${User.PrincipalName}` | Azure AD user principal name (UPN) of the user applying the label <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **rsimone\@contoso.com** |
-| `${Event.DateTime}` | Date and time when the content is labeled, in the local time zone of the user applying the label <br /><br> Built-in labeling: Supported by Word, Excel, PowerPoint | **8/10/2020 1:30 PM** |
+| `${Item.Label}` | Label display name of the label applied | **General**|
+| `${Item.Name}` | File name or email subject of the content being labeled | **Sales.docx** |
+| `${Item.Location}` | Path and file name of the document being labeled, or the email subject for an email being labeled | **\\\Sales\2020\Q3\Report.docx**|
+| `${User.Name}` | Display name of the user applying the label | **Richard Simone** |
+| `${User.PrincipalName}` | Azure AD user principal name (UPN) of the user applying the label | **rsimone\@contoso.com** |
+| `${Event.DateTime}` | Date and time when the content is labeled, in the local time zone of the user applying the label | **8/10/2020 1:30 PM** |
> [!NOTE] > The syntax for these variables is case-sensitive.
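Review bot: removing footnote 1 and the per-variable "Built-in labeling: Supported by Word, Excel, PowerPoint..." cells, together with cutting "and then the following table to identify the variables supported" from the `[!IMPORTANT]` note, leaves the reader no way to tell which variables an app with built-in labeling resolves, even though the same note still warns that not all apps on all platforms support dynamic markings. If every listed variable is now supported wherever the capability table shows a version, say so explicitly in the sentence that introduces the variable table; otherwise keep the per-variable support information. Minor: the removed footnote referenced an `If.App` variable that the table never listed, so dropping that text is correct.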
knowledge Set Up Topic Experiences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/set-up-topic-experiences.md
This video shows the process for setting up Topics in Microsoft 365.
<br>
+## Assign licenses
+
+You must assign licenses for the users who will be using Topics. Only users with a license can see information on topics including highlights, topic cards, topic pages and the topic center.
+
+To assign licenses:
+
+1. In the Microsoft 365 admin center, under **Users**, click **Active users**.
+
+2. Select the users that you want to license, and click **Licenses and apps**.
+
+3. Under **Licenses**, select **Viva Topics**.
+
+4. Under **Apps**, make sure **Graph Connectors Search with Index (Viva Topics)** and **Viva Topics** are both selected.
+
+ > [!div class="mx-imgBorder"]
+ > ![Microsoft Viva Topics licenses in the Microsoft 365 admin center](../media/topic-experiences-licenses.png)
+
+5. Click **Save changes**.
+
+It may take up to an hour for users to get access to Topics after the licenses are assigned.
+ ## Set up Topics To set up Topics
To set up Topics
Note that the first time topic discovery is enabled, it may take up to two weeks for all suggested topics to appear in the Manage Topics view. Topic discovery continues as new content or updates to content are made. It is normal to have fluctuations in the number of suggested topics in your organization as Viva Topics evaluates new information.
-## Assign licenses
-
-Once you have configured topic experiences, you must assign licenses for the users who will be using Topics. Only users with a license can see information on topics including highlights, topic cards, topic pages and the topic center.
-
-To assign licenses:
-
-1. In the Microsoft 365 admin center, under **Users**, click **Active users**.
-
-2. Select the users that you want to license, and click **Licenses and apps**.
-
-3. Under **Licenses**, select **Viva Topics**.
-
-4. Under **Apps**, make sure **Graph Connectors Search with Index (Viva Topics)** and **Viva Topics** are both selected.
-
- > [!div class="mx-imgBorder"]
- > ![Microsoft Viva Topics licenses in the Microsoft 365 admin center](../media/topic-experiences-licenses.png)
-
-5. Click **Save changes**.
- ## Manage topic experiences Once you have set up Topics, you can change the settings that you chose during setup in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal#/featureexplorer/csi/KnowledgeManagement). See the following references:
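Review bot: the added sentence "It may take up to an hour for users to get access to Topics after the licenses are assigned" is a new factual claim that was not in the removed section; confirm the source for the one-hour figure before merging. Moving licensing ahead of setup also drops "Once you have configured topic experiences", which previously made setup a prerequisite; if the order no longer matters, one sentence saying licenses can be assigned before or after setup would reassure readers who followed the old order. Style: the added heading line `## Set up Topics` appears to carry a leading space before `##`, unlike `## Assign licenses` in the same hunk; check the whitespace.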
security Microsoft 365 Security For Bdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-security-for-bdm.md
This article is organized by priority of work, starting with protecting those ac
[![Thumb image Microsoft 365 BDM security recommendations spreadsheet](../downloads/microsoft-365-bdm-security-recommendations-spreadsheet-thumb.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/Microsoft-365-BDM-security-recommendations-spreadsheet.xlsx)
-Microsoft provides you with the Secure Score tool within your tenant to automatically analyze your security posture based on your regular activities, assign a score, and provide security improvement recommendations. Before taking the actions recommended in this article, take note of your current score and recommendations. The actions recommended in this article will increase your score. The goal is not to achieve the max score, but to be aware of opportunities to protect your environment in a way that do not negatively affect productivity for your users. See [Microsoft Secure Score](defender/microsoft-secure-score.md).
+Microsoft provides you with the Secure Score tool within your tenant to automatically analyze your security posture based on your regular activities, assign a score, and provide security improvement recommendations. Before taking the actions recommended in this article, take note of your current score and recommendations. The actions recommended in this article will increase your score. The goal is not to achieve the max score, but to be aware of opportunities to protect your environment in a way that does not negatively affect productivity for your users. See [Microsoft Secure Score](defender/microsoft-secure-score.md).
![Follow these steps to mitigate risks to your business.](../media/security/security-for-bdms-overview.png)
One more thing before we get started . . . be sure to [turn on the audit log](..
## Protect privileged accounts
-As a first step, we recommend ensuring critical accounts in the environment are given an extra layer of protection as these accounts have access and permissions to manage and alter critical services and resources which can negatively impact the entire organization, if compromised. Protecting privileged accounts is one of the most effective ways to protect against an attacker who seeks to elevate the permissions of a compromised account to an administrative one.
+As a first step, we recommend ensuring critical accounts in the environment are given an extra layer of protection as these accounts have access and permissions to manage and alter critical services and resources, which can negatively impact the entire organization, if compromised. Protecting privileged accounts is one of the most effective ways to protect against an attacker who seeks to elevate the permissions of a compromised account to an administrative one.
|Recommendation |E3 |E5 | ||||
The following diagram illustrates these capabilities.
![Recommended capabilities for protecting privileged accounts](../media/m365-security-bdm-illustrations-privileged-accounts.png) Additional recommendations:-- Ensure accounts that are synchronized from on-premises are not assigned admin roles for cloud services. This helps prevent an attacker from leveraging on-premises accounts to gain administrative access to cloud services.
+- Ensure accounts that are synchronized from on-premises are not assigned admin roles for cloud services. This helps prevent an attacker from applying on-premises accounts to gain administrative access to cloud services.
- Ensure service accounts are not assigned admin roles. These accounts are often not monitored and set with passwords that do not expire. Start by ensuring the AADConnect and ADFS services accounts are not Global Admins by default. - Remove licenses from admin accounts. Unless there is a specific use case to assign licenses to specific admin accounts, remove licenses from these accounts.
The following diagram illustrates these capabilities.
## Protect against unknown threats
-After adding extra protections to your privileged accounts and protecting against known attacks, shift your attention to protecting against unknown threats. The more determined and advanced adversaries use innovative and new, unknown methods to attack organizations. With Microsoft's vast telemetry of data gathered over billions of devices, applications, and services, we are able to perform Defender for Office 365 on Windows, Office 365, and Azure to prevent against Zero Day attacks, utilizing sand box environments, and checking validity before allowing access to your content.
+After adding extra protections to your privileged accounts and protecting against known attacks, shift your attention to protecting against unknown threats. The more determined and advanced adversaries use innovative and new, unknown methods to attack organizations. With Microsoft's vast telemetry of data gathered over billions of devices, applications, and services, we are able to perform Defender for Office 365 on Windows, Office 365, and Azure to prevent against Zero-Day attacks, utilizing sand box environments, and checking validity before allowing access to your content.
|Recommendation |E3 |E5 | ||||
-|**Configure Microsoft Defender for Office 365**:<br>* Safe Attachments<br>* Safe Links<br>* ATP for SharePoint, OneDrive, and Microsoft Teams<br>* Anti-phishing in Defender for Office 365 protection| |![green check mark](../media/green-check-mark.png) |
+|**Configure Microsoft Defender for Office 365**:<br>* Safe Attachments<br>* Safe Links<br>* Microsoft Defender for Endpoint for SharePoint, OneDrive, and Microsoft Teams<br>* Anti-phishing in Defender for Office 365 protection| |![green check mark](../media/green-check-mark.png) |
|**Configure Microsoft Defender for Endpoint capabilities**:<br>* Windows Defender Antivirus <br>* Exploit protection <br> * Attack surface reduction <br> * Hardware-based isolation <br>* Controlled folder access | |![green check mark](../media/green-check-mark.png) | |**Use Microsoft Cloud App Security** to discover SaaS apps and begin to use behavior analytics and anomaly detection. | |![green check mark](../media/green-check-mark.png) |
The following diagram illustrates these capabilities.
Additional recommendations: - Secure partner channel communications like Emails using TLS. - Open Teams Federation only to Partners you communicate with.-- Do not add sender domains, individual senders, or source IPs to your allow list as this allows these to bypass spam and malware checks ΓÇö A common practice with customers is adding their own accepted domains or a number of other domains where email flow issues may have been reported to the allow list. Do not add domains in the Spam and Connection Filtering list as this potentially bypasses all spam checks.
+- Do not add sender domains, individual senders, or source IPs to your allowlist as this allows these to bypass spam and malware checks ΓÇö A common practice with customers is adding their own accepted domains or a number of other domains where email flow issues may have been reported to the allowlist. Do not add domains in the Spam and Connection Filtering list as this potentially bypasses all spam checks.
- Enable outbound spam notifications ΓÇö Enable outbound spam notifications to a distribution list internally to the Helpdesk or IT Admin team to report if any of the internal users are sending out Spam emails externally. This could be an indicator that the account has been compromised. - Disable Remote PowerShell for all users ΓÇö Remote PowerShell is mainly used by Admins to access services for administrative purposes or programmatic API access. We recommended disabling this option for non-Admin users to avoid reconnaissance unless they have a business requirement to access it. -- Block access to the Microsoft Azure Management portal to all non-administrators. You can accomplish this by creating a conditional access rule to block all users, with the exception of admins.
+- Block access to the Microsoft Azure Management portal to all non-administrators. You can accomplish this by creating a conditional access rule to block all users, except for admins.
## Assume breach While Microsoft takes every possible measure to prevent against threats and attacks, we recommend always working under the "Assume Breach" mindset. Even if an Attacker has managed to intrude into the environment, we need to make sure they are unable to exfiltrate data or identity information from the environment. For this reason, we recommend enabling protection against sensitive data leaks such as Social Security numbers, credit cards numbers, additional personal information, and other organizational level confidential information.
-The "Assume Breach" mindset requires implementing a zero trust network strategy, which means users are not fully trusted just because they are internal to the network. Instead, as part of authorization of what users can do, sets of conditions are specified, and when such conditions are met, certain controls are enforced. Conditions may include device health status, application being accessed, operations being performed and user risk. For example, a device enrollment action should always trigger MFA authentication to ensure no rouge devices are added to your environment.
+The "Assume Breach" mindset requires implementing a zero trust network strategy, which means users are not fully trusted just because they are internal to the network. Instead, as part of authorization of what users can do, sets of conditions are specified, and when such conditions are met, certain controls are enforced. Conditions may include device health status, application being accessed, operations being performed, and user risk. For example, a device enrollment action should always trigger MFA authentication to ensure no rouge devices are added to your environment.
-A zero trust network strategy also requires that you know where your information is stored and apply appropriate controls for classification, protection, and retention. To effectively protect your most critical and sensitive assets you need to first identify where these are located and take inventory, which can be challenging. Next, work with your organization to define a governance strategy. Defining a classification schema for an organization and configuring policies, labels, and conditions requires careful planning and preparation. It is important to realize that this is not an IT driven process. Be sure to work with your legal and compliance team to develop an appropriate classification and labeling schema for your organization's data.
+A zero trust network strategy also requires that you know where your information is stored and apply appropriate controls for classification, protection, and retention. To effectively protect your most critical and sensitive assets you need to first identify where these are located and take inventory, which can be challenging. Next, work with your organization to define a governance strategy. Defining a classification schema for an organization and configuring policies, labels, and conditions require careful planning and preparation. It is important to realize that this is not an IT driven process. Be sure to work with your legal and compliance team to develop an appropriate classification and labeling schema for your organization's data.
Microsoft 365 information protection capabilities can help you discover what information you have, where it is stored, and which information requires additional protection. Information protection is a continuous process and Microsoft 365 capabilities provide you with visibility into how users are using and distributing sensitive information, where your information is currently stored, and where it flows. You can also see how users handling information that is regulated to be sure the appropriate labels and protections are applied. |Recommendation |E3|E5 | ||||
-|**Review and optimize your conditional access and related policies to align with your objectives for a zero trust network**. Protecting against known threats includes implementing a set of [recommended policies](./office-365-security/microsoft-365-policies-configurations.md). Review your implementation of these policies to ensure you're protecting your apps and data against hackers who have gained access to your network. Note that the recommended Intune app protection policy for Windows 10 enables Windows Information Protection (WIP). WIP protects against accidental leaks of your organization data through apps and services, like email, social media, and the public cloud. | |![green check mark](../media/green-check-mark.png)|
+|**Review and optimize your conditional access and related policies to align with your objectives for a zero trust network**. Protecting against known threats includes implementing a set of [recommended policies](./office-365-security/microsoft-365-policies-configurations.md). Review your implementation of these policies to ensure you're protecting your apps and data against hackers who have gained access to your network. The recommended Intune app protection policy for Windows 10 enables Windows Information Protection (WIP). WIP protects against accidental leaks of your organization data through apps and services, like email, social media, and the public cloud. | |![green check mark](../media/green-check-mark.png)|
|**Disable external email forwarding**. Hackers who gain access to a user's mailbox can steal your mail by setting the mailbox to automatically forward email. This can happen even without the user's awareness. You can prevent this from happening by configuring a mail flow rule.|![green check mark](../media/green-check-mark.png) |![green check mark](../media/green-check-mark.png)| |**Disable anonymous external calendar sharing**. By default external anonymous calendar sharing is allowed. [Disable calendar sharing](/exchange/sharing/sharing-policies/modify-a-sharing-policy) to reduce potential leaks of sensitive information.|![green check mark](../media/green-check-mark.png) |![green check mark](../media/green-check-mark.png)| |**Configure data loss prevention policies for sensitive data**. Create a Data Loss Prevention Policy in the Security &amp; Compliance center to discover and protect sensitive data such as credit card numbers, Social Security numbers and bank account numbers. Microsoft 365 includes many predefined sensitive information types you can use in data loss prevention policies. You can also create your own sensitive information types for sensitive data that is custom to your environment. |![green check mark](../media/green-check-mark.png)|![green check mark](../media/green-check-mark.png)|
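Review bot: the renamed bullet "Microsoft Defender for Endpoint for SharePoint, OneDrive, and Microsoft Teams" sits under the row **Configure Microsoft Defender for Office 365** and names the wrong product: Defender for Endpoint already has its own row directly below, and the capability that "ATP for SharePoint, OneDrive, and Microsoft Teams" referred to is the Defender for Office 365 feature documented as Safe Attachments for SharePoint, OneDrive, and Microsoft Teams; suggested bullet: `* Safe Attachments for SharePoint, OneDrive, and Microsoft Teams`. Replacing "leveraging" with "applying" in "prevent an attacker from applying on-premises accounts to gain administrative access" also reads wrong; "using" is the plain word. Typos still present in the changed lines: "rouge devices" should be "rogue devices", "sand box" should be "sandbox", and "prevent against Zero-Day attacks" should be "protect against zero-day attacks".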
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
####### [List alerts](get-alerts.md) ####### [Create alert](create-alert-by-reference.md) ####### [Update Alert](update-alert.md)
+####### [Batch update alert](batch-update-alerts.md)
####### [Get alert information by ID](get-alert-info-by-id.md) ####### [Get alert related domains information](get-alert-related-domain-info.md) ####### [Get alert related file information](get-alert-related-files-info.md)
###### [Indicators]() ####### [Indicators methods and properties](ti-indicator.md)
+####### [Import Indicators](import-ti-indicators.md)
####### [Submit Indicator](post-ti-indicator.md) ####### [List Indicators](get-ti-indicators-collection.md) ####### [Delete Indicator](delete-ti-indicator-by-id.md)
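Review bot: the two new entries link to `batch-update-alerts.md` and `import-ti-indicators.md`; confirm both files are part of the same change, because a TOC entry whose target does not exist publishes as a broken link in the navigation. Capitalization is also mixed among the neighbouring entries (`Create alert`, `Update Alert`, `Batch update alert`); pick one form while this block is being touched.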
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
Enabling the Skype for Business integration gives you the ability to communicate
## Microsoft Defender for Identity integration
-The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
+The integration with Microsoft Defender for Identity allows you to pivot directly into another Microsoft Identity security product. Microsoft Defender for Identity augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
> [!NOTE] > You'll need to have the appropriate license to enable this feature.
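Review bot: the rebranded sentence still ends with `from an identify point of view`; that should read `from an identity point of view`, and since the whole line is being rewritten anyway the typo should go with it.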
The integration with Azure Advanced Threat Protection allows you to pivot direct
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
-When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
+When you turn this feature on, you'll be able to incorporate data from Microsoft Defender for Office 365 into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
> [!NOTE] > You'll need to have the appropriate license to enable this feature.
security Advanced Hunting Devicealertevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicealertevents-table.md
Title: DeviceAlertEvents table in the advanced hunting schema description: Learn about alert generation events in the DeviceAlertEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, microsoft defender for endpoint, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
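Review bot: the rewritten keywords line still reads `wdatp search, query` with no comma between `wdatp` and `search`, so the two are indexed as a single term; the Advanced Hunting Overview hunk later on this page has `wdatp, search`. Add the comma while the line is being edited; the Advanced Hunting Schema Reference keywords hunk below has the same missing comma.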
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-overview.md
Title: Overview of advanced hunting in Microsoft Defender ATP
-description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC
+ Title: Overview of advanced hunting in Microsoft Defender for Endpoint
+description: Use threat hunting capabilities in Microsoft Defender for Endpoint to build queries that find threats and weaknesses in your network
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, microsoft defender for endpoint, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
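Review bot: the original `Title:` line at the top of this hunk shows no removal marker, while the new ` Title: Overview of advanced hunting in Microsoft Defender for Endpoint` line is added with a leading space; confirm the old line is actually removed and the new key is flush-left, since a duplicated or indented key breaks the YAML frontmatter. The same pattern appears in the other `Title:` hunks on this page (Alerts Queue, Android Privacy, Android Terms, API Explorer, and the API pages that follow).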
security Advanced Hunting Schema Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference.md
Title: Advanced hunting schema reference description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, microsoft defender for endpoint, wdatp search, query, telemetry, schema reference, kusto, table, data
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Alerts Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue.md
Title: View and organize the Microsoft Defender ATP Alerts queue
-description: Learn about how the Microsoft Defender ATP alerts queues work, and how to sort and filter lists of alerts.
+ Title: View and organize the Microsoft Defender for Endpoint Alerts queue
+description: Learn about how the Microsoft Defender for Endpoint alerts queues work, and how to sort and filter lists of alerts.
keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts search.product: eADQiWindows 10XVcnh search.appverid: met150
security Android Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md
Title: Configure Microsoft Defender for Endpoint on Android features description: Describes how to configure Microsoft Defender for Endpoint on Android
-keywords: microsoft, defender, atp, mde, android, configuration
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, configuration
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
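Review bot: the rewritten keywords line replaces `atp` with `Microsoft Defender for Endpoint` and so drops the old short name entirely; the advanced-hunting hunks on this page keep `microsoft defender atp` alongside `microsoft defender for endpoint`, which is the better approach while searches for the old name are still common. Suggest `microsoft, defender, atp, mde, microsoft defender for endpoint, android, configuration`, keeping the entries lowercase like the rest of the list. The same applies to the Android Intune, Android Privacy, Android Support Signin and Android Terms keywords hunks below.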
ms.technology: mde
-# Configure Defender for Endpoint for Android features
+# Configure Defender for Endpoint on Android features
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-## Conditional Access with Defender for Endpoint for Android
+## Conditional Access with Defender for Endpoint on Android
Microsoft Defender for Endpoint on Android along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.
-For more information about how to set up Defender for Endpoint for Android and Conditional Access, see [Defender for Endpoint and
+For more information about how to set up Defender for Endpoint on Android and Conditional Access, see [Defender for Endpoint and
Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Configure custom indicators > [!NOTE]
-> Defender for Endpoint for Android only supports creating custom indicators for IP addresses and URLs/domains.
+> Defender for Endpoint on Android only supports creating custom indicators for IP addresses and URLs/domains.
-Defender for Endpoint for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).
+Defender for Endpoint on Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).
## Configure web protection
-Defender for Endpoint for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
+Defender for Endpoint on Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
> [!NOTE]
-> Defender for Endpoint for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+> Defender for Endpoint on Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android). ## Related topics
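Review bot: two of the rewritten lines keep wordy phrasing that could be tightened while they are being touched: `allows IT Administrators the ability to configure` reads better as `lets IT administrators configure`, and `would use a VPN in order to provide the Web Protection feature` as `uses a local VPN to provide the web protection feature`. Keep the rest of that NOTE as is; the statement that the VPN is local, self-looping and does not send traffic off the device is the part readers evaluating the feature need.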
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
Title: Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune description: Describes how to deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
-keywords: microsoft, defender, atp, mde, android, installation, deploy, uninstallation,
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, installation, deploy, uninstallation,
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Learn how to deploy Defender for Endpoint for Android on Intune
+Learn how to deploy Defender for Endpoint on Android on Intune
Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal). > [!NOTE]
-> **Defender for Endpoint for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)** <br>
+> **Defender for Endpoint on Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)** <br>
> You can connect to Google Play from Intune to deploy Defender for Endpoint app across Device Administrator and Android Enterprise entrollment modes. Updates to the app are automatic via Google Play. ## Deploy on Device Administrator enrolled devices
-**Deploy Defender for Endpoint for Android on Intune Company Portal - Device
+**Deploy Defender for Endpoint on Android on Intune Company Portal - Device
Administrator enrolled devices**
-Learn how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices.
+Learn how to deploy Defender for Endpoint on Android on Intune Company Portal - Device Administrator enrolled devices.
### Add as Android store app
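Review bot: `Deploy Defender for Endpoint on Android on Intune` (and `on Android on Intune Company Portal` in the two later lines of this hunk) stacks two `on` phrases after the rename; the page title in this same change uses `with Microsoft Intune`, so suggest `Deploy Defender for Endpoint on Android with Intune` for all three. While here, `entrollment modes` in the unchanged NOTE is misspelled.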
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
![Image of Microsoft Endpoint Manager Admin Center add app info](images/mda-addappinfo.png)
-3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**.
+3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint on Android app. Choose **Select** and then **Next**.
>[!NOTE] >The selected user group should consist of Intune enrolled users.
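Review bot: `the user group(s) that you would like to target Defender for Endpoint on Android app` lost an article and a preposition in the rename; suggest `the user group(s) you want to target with the Defender for Endpoint on Android app`.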
completed successfully.
### Complete onboarding and check status
-1. Once Defender for Endpoint for Android has been installed on the device, you'll see the app icon.
+1. Once Defender for Endpoint on Android has been installed on the device, you'll see the app icon.
![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg)
-2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions
-to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint for Android.
+2. Tap the Microsoft Defender for Endpoint app icon and follow the on-screen instructions
+to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint on Android.
3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center.
list in Microsoft Defender Security Center.
## Deploy on Android Enterprise enrolled devices
-Defender for Endpoint for Android supports Android Enterprise enrolled devices.
+Defender for Endpoint on Android supports Android Enterprise enrolled devices.
For more information on the enrollment options supported by Intune, see [Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll).
obtains for it to work. Review them and then select **Approve**.
![A screenshot of Defender for Endpoint preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png) 5. You'll be presented with the Approval settings page. The page confirms
-your preference to handle new app permissions that Defender for Endpoint for
+your preference to handle new app permissions that Defender for Endpoint on
Android might ask. Review the choices and select your preferred option. Select **Done**.
Defender for Endpoint to your apps list.
![Image of Android app](images/9fc07ffc150171f169dc6e57fe6f1c74.png)
-8. Select the **Refresh** button in the Android apps screen and Microsoft
-Defender ATP should be visible in the apps list.
+8. Select the **Refresh** button in the Android apps screen and Microsoft Defender for Endpoint should be visible in the apps list.
> [!div class="mx-imgBorder"] > ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png)
Defender ATP should be visible in the apps list.
1. In the **Create app configuration policy** page, enter the following details:
- - Name: Microsoft Defender ATP.
+ - Name: Microsoft Defender for Endpoint.
- Choose **Android Enterprise** as platform. - Choose **Work Profile only** as Profile Type. - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**.
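Review bot: the policy name is rebranded to `Microsoft Defender for Endpoint`, but the very next bullet in this hunk still tells the reader to choose **Microsoft Defender ATP** in the Select App dialog; either update it in the same change or, if the app listing still shows the old name, say so explicitly, otherwise the two names in one step read as two different apps.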
Setup a VPN client in the work profile to automatically connect and reconnect to
- Select **Custom** in VPN client dropdown list Custom VPN in this case is Defender for Endpoint VPN which is used to provide the Web Protection feature. > [!NOTE]
- > Microsoft Defender ATP app must be installed on userΓÇÖs device, in order to functioning of auto setup of this VPN.
+ > Microsoft Defender for Endpoint app must be installed on userΓÇÖs device, in order to functioning of auto setup of this VPN.
-- Enter **Package ID** of the Microsoft Defender ATP app in Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, Package ID is **com.microsoft.scmx**
+- Enter **Package ID** of the Microsoft Defender for Endpoint app in Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, Package ID is **com.microsoft.scmx**
- **Lockdown mode** Not configured (Default) ![Image of devices configuration profile enable Always-on VPN](images/3autosetupofvpn.png)
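Review bot: the rebranded NOTE line still carries the mis-encoded apostrophe in `userΓÇÖs` and the ungrammatical `in order to functioning of auto setup of this VPN`; since the line is being rewritten anyway, suggest `The Microsoft Defender for Endpoint app must be installed on the user's device for the automatic setup of this VPN to work.`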
and then your onboarding should be successful.
![Image of mobile device with Microsoft Defender for Endpoint app](images/mda-devicesafe.png)
-4. At this stage the device is successfully onboarded onto Defender for Endpoint for Android. You can verify this on the [Microsoft Defender Security
+4. At this stage the device is successfully onboarded onto Defender for Endpoint on Android. You can verify this on the [Microsoft Defender Security
Center](https://securitycenter.microsoft.com) by navigating to the **Devices** page.
security Android Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-privacy.md
Title: Microsoft Defender ATP for Android - Privacy information
-description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Android.
-keywords: microsoft, defender, atp, android, privacy, diagnostic
+ Title: Microsoft Defender for Endpoint on Android - Privacy information
+description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint on Android.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, android, privacy, diagnostic
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Defender for Endpoint for Android collects information from your configured Android devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service.
+Defender for Endpoint on Android collects information from your configured Android devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for Android secure, up-to-date, performing as expected, and to support the service.
For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md).
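Review bot: the new sentence uses two forms of the product name on one line: it opens with `Defender for Endpoint on Android` but, where it corrects the stray `for iOS`, writes `Defender for Endpoint for Android`; use `on Android` in both places to match the rest of this rebrand.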
Information about **malicious** Android application packages (APKs) on the devic
- Azure tenant ID - GUID that identifies your organization within Azure Active Directory
- - Microsoft Defender ATP org ID - Unique identifier associated with
+ - Microsoft Defender for Endpoint org ID - Unique identifier associated with
the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted 
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
Title: Troubleshoot issues on Microsoft Defender for Endpoint on Android description: Troubleshoot issues for Microsoft Defender for Endpoint on Android
-keywords: microsoft, defender, atp, mde, android, cloud, connectivity, communication
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, cloud, connectivity, communication
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Android Terms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-terms.md
Title: Microsoft Defender ATP for Android Application license terms
+ Title: Microsoft Defender for Endpoint on Android Application license terms
-description: Describes the Microsoft Defender ATP for Android license terms
-keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope,
+description: Describes the Microsoft Defender for Endpoint on Android license terms
+keywords: microsoft, defender, Microsoft Defender for Endpoint, android, license, terms, application, use, installation, service, feedback, scope,
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
DO NOT USE THE APPLICATION.**
enforce and rely upon any provision of these Terms that grants them a benefit or rights.
-9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
+9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender for Endpoint, and
Microsoft 365 are registered or common-law trademarks of Microsoft Corporation in the United States and/or other countries.
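Review bot: this hunk edits the TRADEMARK NOTICES clause of the license terms, removing `Microsoft Defender ATP` and `MDATP` from the list of marks; a change to legal text should be confirmed with whoever owns the license terms rather than folded into a rebrand pass, and the removed marks may still need to be listed while the old name remains in use.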
security Api Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-explorer.md
Title: API Explorer in Microsoft Defender ATP
+ Title: API Explorer in Microsoft Defender for Endpoint
description: Use the API Explorer to construct and do API queries, test, and send requests for any available API keywords: api, explorer, send, request, get, post,
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-hello-world.md
Title: Hello World for Microsoft Defender for Endpoint API
-description: Create a practice 'Hello world'-style API call to the Microsoft Defender for Endpoint (Microsoft Defender ATP) API.
-keywords: apis, supported apis, advanced hunting, query
+description: Create a practice 'Hello world'-style API call to the Microsoft Defender for Endpoint API.
+keywords: apis, supported apis, advanced hunting, query, microsoft defender atp, microsoft defender for endpoint
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Api Microsoft Flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-microsoft-flow.md
Title: Microsoft Defender ATP Flow connector
+ Title: Microsoft Defender for Endpoint Flow connector
-description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant.
+description: Use Microsoft Defender for Endpoint Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant.
keywords: flow, supported apis, api, Microsoft flow, query, automation search.product: eADQiWindows 10XVcnh ms.prod: m365-security
security Api Portal Mapping https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-portal-mapping.md
Title: Microsoft Defender ATP detections API fields
+ Title: Microsoft Defender for Endpoint detections API fields
description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response search.product: eADQiWindows 10XVcnh
security Api Power Bi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-power-bi.md
Title: Microsoft Defender ATP APIs connection to Power BI
+ Title: Microsoft Defender for Endpoint APIs connection to Power BI
description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender for Endpoint APIs. keywords: apis, supported apis, Power BI, reports
The first example demonstrates how to connect Power BI to Advanced Hunting API a
For more information see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI). ## Sample reports
-View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).
+View the Microsoft Defender for Endpoint Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).
## Related topic
security Api Release Notes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-release-notes.md
Title: Microsoft Defender for Endpoint API release notes description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs.
-keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release
+keywords: Microsoft Defender for Endpoint API release notes, mde, APIs, Microsoft Defender for Endpoint API, updates, notes, release
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
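Review bot: the new keywords line capitalizes its entries (`Microsoft Defender for Endpoint API release notes`, `APIs`) while every other `keywords:` line on this page is lowercase, and it drops `mdatp api`; suggest keeping the entries lowercase and retaining the old term alongside the new one.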
security Api Terms Of Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-terms-of-use.md
Title: Microsoft Defender ATP API license and terms of use
+ Title: Microsoft Defender for Endpoint API license and terms of use
description: Description of the license and terms of use for Microsoft Defender APIs keywords: license, terms, apis, legal, notices, code of conduct search.product: eADQiWindows 10XVcnh
security Apis Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/apis-intro.md
Title: Access the Microsoft Defender for Endpoint APIs
-description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
-keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query
+description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities
+keywords: apis, api, wdatp, open api, microsoft defender for endpoint api, microsoft defender atp, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
You can access Defender for Endpoint API with **Application Context** or **User
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. 3. Create a key for this Application. 4. Get token using the application with its key.
- 5. Use the token to access Microsoft Defender ATP API
+ 5. Use the token to access the Microsoft Defender for Endpoint API
For more information, see [Get access with application context](exposed-apis-create-app-webapp.md).
You can access Defender for Endpoint API with **Application Context** or **User
1. Create AAD Native-Application. 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. 3. Get token using the application with user credentials.
- 4. Use the token to access Microsoft Defender ATP API
+ 4. Use the token to access the Microsoft Defender for Endpoint API
For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md).
security Attack Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-simulations.md
Title: Experience Microsoft Defender ATP through simulated attacks
-description: Run the provided attack scenario simulations to experience how Microsoft Defender ATP can detect, investigate, and respond to breaches.
-keywords: wdatp, test, scenario, attack, simulation, simulated, diy, Microsoft Defender for Endpoint
+ Title: Experience Microsoft Defender for Endpoint through simulated attacks
+description: Run the provided attack scenario simulations to experience how Microsoft Defender for Endpoint can detect, investigate, and respond to breaches.
+keywords: test, scenario, attack, simulation, simulated, diy, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) >[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
+>- Learn about the latest enhancements in Microsoft Defender for Endpoint: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response.
security Attack Surface Reduction Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq.md
Title: Attack surface reduction frequently asked questions (FAQ)
-description: Find answers to frequently asked questions about Microsoft Defender ATP's attack surface reduction rules.
+description: Find answers to frequently asked questions about Microsoft Defender for Endpoint's attack surface reduction rules.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, microsoft defender for endpoint search.product: eADQiWindows 10XVcnh ms.pagetype: security
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
Title: Use attack surface reduction rules to prevent malware infection description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
-keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender for Endpoint, Microsoft Defender ATP
+keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: manage
security Automated Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automated-investigations.md
Title: Use automated investigations to investigate and remediate threats description: Understand the automated investigation flow in Microsoft Defender for Endpoint.
-keywords: automated, investigation, detection, defender atp
+keywords: automated, investigation, detection, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Automation Levels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automation-levels.md
Title: Automation levels in automated investigation and remediation description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint
-keywords: automated, investigation, level, defender atp
+keywords: automated, investigation, level, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
The following table describes each level of automation and how it works.
|Automation level | Description| |:|:| |**Full - remediate threats automatically** <br/>(also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.<br/><br/>***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* |
-|**Semi - require approval for any remediation** <br/>(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*|
+|**Semi - require approval for any remediation** <br/>(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined.*|
|**Semi - require approval for core folders remediation** <br/>(also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).<br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. <br/><br/>Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <br/><br/>Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | |**Semi - require approval for non-temp folders remediation** <br/>(also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders. <br/><br/>Temporary folders can include the following examples: <br/>- `\users\*\appdata\local\temp\*`<br/>- `\documents and settings\*\local settings\temp\*` <br/>- `\documents and settings\*\local settings\temporary\*`<br/>- `\windows\temp\*`<br/>- `\users\*\downloads\*`<br/>- `\program files\` <br/>- `\program files (x86)\*`<br/>- `\documents and settings\*\users\*`<br/><br/>Remediation actions can be taken automatically on files or executables that are in temporary folders. <br/><br/>Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. 
| |**No automated response** <br/>(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.<br/><br/>***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/machine-groups)*. |
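Review bot: the last sentence of the "non-temp folders" row says actions already taken on files in temporary folders "can be viewed and approved in the Action Center, on the History tab"; the History tab holds actions that have already executed, so this should read "can be viewed", matching the wording in the core-folders row. Two smaller points in the same context rows: "such as the **Windows** (`\windows\*`)" is missing the word "folder", and the temporary-folder entry `\program files\` lacks the trailing `*` that every other pattern in that list carries, which makes it read as a different kind of match.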
security Behavioral Blocking Containment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md
Title: Behavioral blocking and containment description: Learn about behavioral blocking and containment capabilities in Microsoft Defender for Endpoint
-keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
+keywords: Microsoft Defender for Endpoint, EDR in block mode, passive mode blocking
search.product: eADQiWindows 10XVcnh ms.pagetype: security
security Client Behavioral Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md
Title: Client behavioral blocking description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint
-keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP, microsoft defender for endpoint
+keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh ms.pagetype: security
security Common Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-errors.md
Title: Common Microsoft Defender for Endpoint API errors description: List of common Microsoft Defender for Endpoint API errors with descriptions.
-keywords: apis, mdatp api, errors, troubleshooting
+keywords: APIs, Microsoft Defender for Endpoint API, errors, troubleshooting
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Configure Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-email-notifications.md
Title: Configure alert notifications in Microsoft Defender for Endpoint description: You can use Microsoft Defender for Endpoint to configure email notification settings for security alerts, based on severity and other criteria.
-keywords: email notifications, configure alert notifications, microsoft defender for endpoint, microsoft defender for endpoint notifications, microsoft defender for endpoint alerts, windows 10 enterprise, windows 10 education
+keywords: email notifications, configure alert notifications, Microsoft Defender for Endpoint, Microsoft Defender for Endpoint notifications, Microsoft Defender for Endpoint alerts, windows 10 enterprise, windows 10 education
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
Title: Onboard Windows 10 devices to Microsoft Defender for Endpoint via Group Policy description: Use Group Policy to deploy the configuration package on Windows 10 devices so that they are onboarded to the service.
-keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender for Endpoint devices, group policy
+keywords: configure devices using group policy, device management, configure Microsoft Defender for Endpoint devices, onboard Microsoft Defender for Endpoint devices, group policy
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Configure Endpoints Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md
Title: Onboard Windows 10 devices using Mobile Device Management tools description: Use Mobile Device Management tools to deploy the configuration package on devices so that they are onboarded to the service.
-keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender for Endpoint devices, mdm
+keywords: onboard devices using mdm, device management, onboard Microsoft Defender for Endpoint devices, mdm
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Configure Endpoints Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md
Title: Onboard non-Windows devices to the Microsoft Defender for Endpoint service description: Configure non-Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint service.
-keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender for Endpoint devices
+keywords: onboard non-Windows devices, macos, linux, device management, configure Microsoft Defender for Endpoint devices
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
You'll need to know the exact Linux distros and macOS versions that are compatib
You'll need to take the following steps to onboard non-Windows devices: 1. Select your preferred method of onboarding:
- - For macOS devices, you can choose to onboard through Microsoft Defender for Endpoint or through a third-party solution. For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac).
+ - For macOS devices, you can choose to onboard through Microsoft Defender for Endpoint or through a third-party solution. For more information, see [Microsoft Defender for Endpoint on Mac](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac).
- For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**. 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.
security Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md
Title: Onboard Windows 10 devices using Configuration Manager description: Use Configuration Manager to deploy the configuration package on devices so that they are onboarded to the service.
-keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender for Endpoint devices
+keywords: onboard devices using sccm, device management, configure Microsoft Defender for Endpoint devices
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Configure Endpoints Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md
Title: Onboard Windows 10 devices using a local script description: Use a local script to deploy the configuration package on devices so that they are onboarded to the service.
-keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender for Endpoint devices
+keywords: configure devices using a local script, device management, configure Microsoft Defender for Endpoint devices
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
Title: Onboard non-persistent virtual desktop infrastructure (VDI) devices
-description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to the Microsoft Defender for Endpoint service.
-keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender for Endpoint endpoints
+description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender for Endpoint service.
+keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Microsoft Defender for Endpoint, endpoints
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
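Review bot: the rewritten description drops the article and now reads "onboarded to Microsoft Defender for Endpoint service"; keep "the" ("onboarded to the Microsoft Defender for Endpoint service") or drop "service". In the same line, "on virtual desktop infrastructure (VDI) device so that they are onboarded" needs "devices" to agree with "they". In the keywords line, replacing "configure Windows ATP endpoints, configure Microsoft Defender for Endpoint endpoints" with "configure Microsoft Defender for Endpoint, endpoints" splits one search phrase into two; the intended term is "configure Microsoft Defender for Endpoint endpoints".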
security Configure Machines Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md
Title: Optimize ASR rule deployment and detections description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits.
-keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
+keywords: onboard, Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Windows Defender, attack surface reduction, ASR, security baseline
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Configure Machines Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md
Title: Get devices onboarded to Microsoft Defender for Endpoint description: Track onboarding of Intune-managed devices to Microsoft Defender for Endpoint and increase onboarding rate.
-keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management
+keywords: onboard, Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Windows Defender, configuration management
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
From the device compliance page, create a configuration profile specifically for
For more information, [read about using Intune device configuration profiles to onboard devices to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
## Related topics - [Ensure your devices are configured properly](configure-machines.md)
security Configure Machines Security Baseline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-security-baseline.md
Title: Increase compliance to the Microsoft Defender for Endpoint security baseline description: The Microsoft Defender for Endpoint security baseline sets security controls to provide optimal protection.
-keywords: Intune management, MDATP, WDATP, MDE, Microsoft Defender for Endpoint, advanced threat protection ASR, security baseline
+keywords: Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Microsoft Defender for Endpoint ASR, security baseline
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
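Review bot: the replacement keyword "Microsoft Defender for Endpoint ASR" carries over the missing comma from "advanced threat protection ASR", so "ASR" is no longer a standalone keyword; write "Microsoft Defender for Endpoint, ASR". The edit also drops "MDE", which the same rename sweep keeps in other articles in this batch (contact-support-usgov, defender-compatibility); keep it here for consistency.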
security Configure Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines.md
Title: Ensure your devices are configured properly description: Properly configure devices to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
-keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
+keywords: onboard, Intune management, Microsoft Defender for Endpoint, Microsoft Defender, Windows Defender, attack surface reduction, ASR, security baseline
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
The wildcards (*) used in *.ods.opinsights.azure.com, *.oms.opinsights.azure.com
The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the ΓÇ£Firewall Rule: *.blob.core.windows.netΓÇ¥ section of the test results. > [!NOTE]
-> In the case of onboarding via Azure Security Center (ASC), multiple workspaces maybe used. You will need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces).
+> In the case of onboarding via Azure Defender, multiple workspaces maybe used. You will need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces).
## Verify client connectivity to Microsoft Defender for Endpoint service URLs
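Review bot: the rewritten note still reads "multiple workspaces maybe used"; since the line is being touched anyway, fix it to "may be used". The new wording "onboarding via Azure Defender" should name the server plan, "Azure Defender for Servers", which is the term the server-onboarding article in this same batch uses. Separately, the context line above shows the quoted section name with mis-encoded curly quotes ("ΓÇ£Firewall Rule: *.blob.core.windows.netΓÇ¥"); plain ASCII quotes in the source avoid that rendering.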
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
Title: Onboard Windows servers to the Microsoft Defender for Endpoint service description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
-keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers
+keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers, onboard Microsoft Defender for Endpoint servers
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
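Review bot: "onboard Microsoft Defender for Endpoint servers" appears twice in the new keywords line (it was already duplicated before, and renaming "configure Windows ATP servers" adds a third near-duplicate); drop the repeat.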
You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows
After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). > [!NOTE]
-> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
+> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-services).
### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA)
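Review bot: the link text changes to "Supported features available in Azure Defender" while the same sentence still says "onboard a Windows server through Azure Security Center (Option 2)", so the note now uses both names for one thing. Rename both or neither; if the portal still labels the feature Azure Security Center, keep the sentence and link text consistent with each other rather than renaming only the link.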
Once completed, you should see onboarded Windows servers in the portal within an
3. Click **Onboard Servers in Azure Security Center**.
-4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) and If you are using Azure ARC, Follow the onboarding instructions in [Enabling the Microsoft Defender for Endpoint integration](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enabling-the-microsoft-defender-for-endpoint-integration).
+4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-wdatp) and If you are using Azure ARC, Follow the onboarding instructions in [Enabling the Microsoft Defender for Endpoint integration](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enabling-the-microsoft-defender-for-endpoint-integration).
After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). > [!NOTE] >
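Review bot: step 4 keeps "and If you are using Azure ARC, Follow the onboarding instructions" with mid-sentence capitals; since the line is rewritten, lower-case "if" and "follow", and spell the product "Azure Arc". Splitting the step into two sentences would also make the two paths clearer: the first link for servers without Arc, the second for Arc-enabled servers.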
-> - For onboarding via Azure Defender for Servers (previously Azure Security Center Standard Edition) to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings.
+> - For onboarding via Azure Defender for Servers to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings.
> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started. > - This is also required if the server is configured to use an OMS Gateway server as proxy.
Support for Windows Server provides deeper insight into server activities, cover
For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
-## Integration with Azure Security Center
+## Integration with Azure Defender
-Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
+Defender for Endpoint can integrate with Azure Defender to provide a comprehensive Windows server protection solution. With this integration, Azure Defender can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration: -- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
+- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Defender. For more information on Azure Defender onboarding, see [Onboarding to Azure Defender Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
> [!NOTE] > The integration between Azure Defender for Servers and Microsoft Defender for Endpoint has been expanded to support [Windows Server 2019 and Windows Virtual Desktop (WVD)](https://docs.microsoft.com/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview). -- Windows servers monitored by Azure Security Center will also be available in Defender for Endpoint - Azure Security Center seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Security Center console.-- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
+- Windows servers monitored by Azure Defender will also be available in Defender for Endpoint - Azure Defender seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Defender console.
+- Server investigation - Azure Defender customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
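Review bot: the renamed link text "Onboarding to Azure Defender Standard for enhanced security" introduces a tier name that does not exist: "Standard" was the Azure Security Center tier (this same change removes "previously Azure Security Center Standard Edition" a few lines up), and the link target (security-center-onboarding) is unchanged, so the text no longer matches the page it points to. Either keep the target page's actual title or say "Azure Defender for Servers" without "Standard".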
> [!IMPORTANT]
->
-> - When you use Azure Security Center to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).
+> - When you use Azure Defender to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).<br>
Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning.
-> - If you use Defender for Endpoint before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
-> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
+> - If you use Defender for Endpoint before using Azure Defender, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Defender at a later time.
+> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. <br>
Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. ## Configure and update System Center Endpoint Protection clients
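Review bot: the line "Data collected by Defender for Endpoint is stored in the geo-location of the tenant..." has no `>` prefix, so it sits outside the [!IMPORTANT] callout; appending `<br>` to the preceding quoted bullet does not pull it back in. Prefix it with `> ` (as a continuation of that bullet or as its own bullet) and drop the `<br>` tags, including the one added after "reset the tenant.", which currently trails into the unquoted "Server endpoint monitoring..." paragraph. Removing the empty `>` line after `> [!IMPORTANT]` is fine.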
security Configure Vulnerability Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications.md
Title: Configure vulnerability email notifications in Microsoft Defender for Endpoint description: Use Microsoft Defender for Endpoint to configure email notification settings for vulnerability events.
-keywords: email notifications, configure alert notifications, microsoft defender for endpoint, microsoft defender for endpoint notifications, microsoft defender for endpoint alerts, windows 10 enterprise, windows 10 education
+keywords: email notifications, configure alert notifications, Microsoft Defender for Endpoint, Microsoft Defender for Endpoint notifications, Microsoft Defender for Endpoint alerts, windows 10 enterprise, windows 10 education
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10
security Contact Support Usgov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support-usgov.md
Title: Contact Microsoft Defender for Endpoint support for US Government customers description: Learn how to contact Microsoft Defender for Endpoint support for US Government customers
-keywords: support, contact, premier support, solutions, problems, case, government, gcc, gcc-m, gcc-h, defender, endpoint, mdatp, mde
+keywords: support, contact, premier support, solutions, problems, case, government, gcc, gcc-m, gcc-h, defender, endpoint, Microsoft Defender for Endpoint, mde
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Data Storage Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md
Title: Microsoft Defender for Endpoint data storage and privacy description: Learn about how Microsoft Defender for Endpoint handles privacy and data that it collects.
-keywords: Microsoft Defender for Endpoint, Microsoft Defender for Endpoint, data storage and privacy, storage, privacy, licensing, geolocation, data retention, data
+keywords: Microsoft Defender for Endpoint, data storage and privacy, storage, privacy, licensing, geolocation, data retention, data
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Defender Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md
Title: Microsoft Defender Antivirus compatibility with Defender for Endpoint description: Learn about how Windows Defender works with Microsoft Defender for Endpoint and how it functions when a third-party antimalware client is used.
-keywords: windows defender compatibility, defender, microsoft defender atp, defender for endpoint, antivirus, mde
+keywords: windows defender compatibility, defender, Microsoft Defender for Endpoint, defender for endpoint, antivirus, mde
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
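Review bot: after replacing "microsoft defender atp", the keywords line lists "Microsoft Defender for Endpoint" and "defender for endpoint" back to back; keep one.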
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
Title: Address false positives/negatives in Microsoft Defender for Endpoint description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint.
-keywords: antivirus, exception, exclusion, defender atp, false positive, false negative, blocked file, blocked url
+keywords: antivirus, exception, exclusion, Microsoft Defender for Endpoint, false positive, false negative, blocked file, blocked url
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+**Requirements**
+You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows:
+
+- Windows 10 Pro, version 1709 or later
+- Windows 10 Enterprise, version 1709 or later
+- Windows Server, version 1803 (Semi-Annual Channel) or later
+- Windows Server 2019
+
+Although attack surface reduction rules don't require a Windows E5 license, if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in Defender for Endpoint, as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
+ Each ASR rule contains one of four settings: - **Not configured**: Disable the ASR rule
The values to enable (Block), disable, warn, or enable in audit mode are:
- 0 : Disable (Disable the ASR rule) - 1 : Block (Enable the ASR rule) - 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)-- 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)
+- 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block). Warn mode is now available for most of the ASR rules.
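Review bot: the added sentence on the `+- 6 : Warn` line, "Warn mode is now available for most of the ASR rules", leaves admins without a way to tell which rules still lack warn mode; either name the exceptions or link to the per-rule reference so readers know where a setting of 6 falls back to Block. A short remark that 6 is the value reserved for warn mode would also pre-empt readers taking the gap after 2 as a typo.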
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
Example:
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
-> [!WARNING]
-> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
+ > [!WARNING]
+ > Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
## PowerShell
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
Title: Microsoft Defender for Endpoint evaluation lab description: Learn about Microsoft Defender for Endpoint capabilities, run attack simulations, and see how it prevents, detects, and remediates threats.
-keywords: evaluate mdatp, evaluation, lab, simulation, windows 10, windows server 2019, evaluation lab
+keywords: evaluate Microsoft Defender for Endpoint, evaluation, lab, simulation, windows 10, windows server 2019, evaluation lab
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Event Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-error-codes.md
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 device
</tr> <tr> <td>42</td>
-<td>Microsoft Defender for Endpoint WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4</td>
+<td>Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4</td>
<td>Internal error. The service failed to start.</td> <td>If this error persists, contact Support.</td> </tr> <tr> <td>43</td>
-<td>Microsoft Defender for Endpoint WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5</td>
+<td>Microsoft Defender for Endpoint component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5</td>
<td>Internal error. The service failed to start.</td> <td>If this error persists, contact Support.</td> </tr>
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 device
</tr> <tr> <td>81</td>
- <td>Failed to create Windows Defender Advanced Threat Protection ETW autologger. Failure code: %1</td>
+ <td>Failed to create Microsoft Defender for Endpoint ETW autologger. Failure code: %1</td>
<td>Failed to create the ETW session.</td> <td>Reboot the device. If this error persists, contact Support.</td> </tr> <tr> <td>82</td>
- <td>Failed to remove Windows Defender Advanced Threat Protection ETW autologger. Failure code: %1</td>
+ <td>Failed to remove Microsoft Defender for Endpoint ETW autologger. Failure code: %1</td>
<td>Failed to delete the ETW session.</td> <td>Contact Support.</td> </tr>
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 device
</tr> <tr> <td>85</td>
- <td>Failed to trigger Windows Defender Advanced Threat Protection executable. Failure code: %1</td>
+ <td>Failed to trigger Microsoft Defender for Endpoint executable. Failure code: %1</td>
<td>Starring SenseIR executable failed.</td> <td>Reboot the device. If this error persists, contact Support.</td> </tr>
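Review bot: the renamed message on the `+` line is fine, but the adjacent description cell for event 85 still reads "Starring SenseIR executable failed." This should be "Starting SenseIR executable failed." and is worth fixing in the same pass since the row is already being touched.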
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 device
</tr> <tr> <td>94</td>
- <td>Windows Defender Advanced Threat Protection executable has started</td>
+ <td>Microsoft Defender for Endpoint executable has started</td>
<td>The SenseCE executable has started.</td> <td>Normal operating notification; no action required.</td> </tr> <tr> <td>95</td>
- <td>Windows Defender Advanced Threat Protection executable has ended</td>
+ <td>Microsoft Defender for Endpoint executable has ended</td>
<td>The SenseCE executable has ended.</td> <td>Normal operating notification; no action required.</td> </tr> <tr> <td>96</td>
- <td>Windows Defender Advanced Threat Protection Init has called. Result code: %2</td>
+ <td>Microsoft Defender for Endpoint Init has called. Result code: %2</td>
<td>The SenseCE executable has called MCE initialization.</td> <td>Normal operating notification; no action required.</td> </tr>
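Review bot: the `+` line for event 96 keeps the ungrammatical "Init has called. Result code: %2"; if the event text here is editorial rather than a verbatim copy of the logged string, "Init has been called" reads correctly. Separately, this is the only row in the hunk that uses `%2` with no `%1`, which suggests the placeholder index should be verified against the actual event template.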
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 device
</tr> <tr> <td>100</td>
- <td>Windows Defender Advanced Threat Protection executable failed to start. Failure code: %1</td>
+ <td>Microsoft Defender for Endpoint executable failed to start. Failure code: %1</td>
<td>The SenseCE executable has failed to start.</td> <td>Reboot the device. If this error persists, contact Support.</td> </tr> <tr> <td>102</td>
- <td>Windows Defender Advanced Threat Protection Network Detection and Response executable has started</td>
+ <td>Microsoft Defender for Endpoint Network Detection and Response executable has started</td>
<td>The SenseNdr executable has started.</td> <td>Normal operating notification; no action required.</td> </tr> <tr> <td>103</td>
- <td>Windows Defender Advanced Threat Protection Network Detection and Response executable has ended</td>
+ <td>Microsoft Defender for Endpoint Network Detection and Response executable has ended</td>
<td>The SenseNdr executable has ended.</td> <td>Normal operating notification; no action required.</td> </tr>
security Fix Unhealthy Sensors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors.md
This status indicates that there's limited communication between the device and
The following suggested actions can help fix issues related to a misconfigured device with impaired communications: - [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)</br>
- The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
+ The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-for-endpoint-service-urls)</br> Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.
A misconfigured device with status ΓÇÿNo sensor dataΓÇÖ has communication with t
Follow theses actions to correct known issues related to a misconfigured device with status ΓÇÿNo sensor dataΓÇÖ: - [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)</br>
- The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
+ The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-for-endpoint-service-urls)</br> Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs.
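Review bot: the context line "Follow theses actions to correct known issues" carries a typo ("these"), and the status name is rendered as mojibake (`ΓÇÿNo sensor dataΓÇÖ`) in both context lines of this hunk. Since the `+` line already rewrites the neighbouring sensor sentence, fixing the typo and using plain straight quotes around 'No sensor data' in the same commit would leave the section clean.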
security Get All Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-recommendations.md
Title: List all recommendations description: Retrieves a list of all security recommendations affecting the organization.
-keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
+keywords: apis, graph api, supported apis, get, security recommendations, Microsoft Defender for Endpoint tvm api, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Get All Vulnerabilities By Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities-by-machines.md
Title: Get all vulnerabilities by machine and software description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+keywords: apis, graph api, supported apis, get, vulnerability information, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Get All Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities.md
Title: Get all vulnerabilities description: Retrieves a list of all the vulnerabilities affecting the organization
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+keywords: apis, graph api, supported apis, get, vulnerability information, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Get Discovered Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-discovered-vulnerabilities.md
Title: Get discovered vulnerabilities description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
+keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Get Installed Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-installed-software.md
Title: Get installed software description: Retrieves a collection of installed software related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Get Machinegroups Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machinegroups-collection.md
Title: Get RBAC machine groups collection API
-description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection.
+description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, RBAC, group search.product: eADQiWindows 10XVcnh search.appverid: met150
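Review bot: the `+` description line still says "Learn how to use the Get KB collection API", which does not match the title "Get RBAC machine groups collection API" on the line above; since the description is being rewritten anyway, change it to "the Get machine groups collection API".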
security Get Machines By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines-by-software.md
Title: List devices by software description: Retrieve a list of devices that has this software installed.
-keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
+keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
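Review bot: the context description "Retrieve a list of devices that has this software installed" has a subject-verb agreement error ("that have"); worth correcting while the front matter of this file is being edited.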
security Get Machines By Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines-by-vulnerability.md
Title: List devices by vulnerability description: Retrieves a list of devices affected by a vulnerability.
-keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
+keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
security Get Missing Kbs Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-missing-kbs-machine.md
Title: Get missing KBs by device ID description: Retrieves missing security updates by device ID
-keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api
+keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
security Get Missing Kbs Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-missing-kbs-software.md
Title: Get missing KBs by software ID description: Retrieves missing security updates by software ID
-keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
+keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
security Get Security Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-recommendations.md
Title: Get security recommendations description: Retrieves a collection of security recommendations related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
+keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
security Get Software By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software-by-id.md
Title: Get software by Id description: Retrieves a list of exposure scores by device group.
-keywords: apis, graph api, supported apis, get, software, mdatp tvm api
+keywords: apis, graph api, supported apis, get, software, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
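Review bot: the context description for this file, "Retrieves a list of exposure scores by device group", does not describe the "Get software by Id" endpoint named in the title; it reads as copied from the exposure score API page and should be corrected alongside the keyword rename.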
security Get Software Ver Distribution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software-ver-distribution.md
Title: List software version distribution description: Retrieves a list of your organization's software version distribution
-keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
+keywords: apis, graph api, supported apis, get, software version distribution, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
security Get Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software.md
Title: List software description: Retrieves a list of software inventory
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
+keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
security Get Vuln By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vuln-by-software.md
Title: List vulnerabilities by software description: Retrieve a list of vulnerabilities in the installed software.
-keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
+keywords: apis, graph api, supported apis, get, vulnerabilities list, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Get Vulnerability By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vulnerability-by-id.md
Title: Get vulnerability by ID description: Retrieves vulnerability information by its ID.
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
+keywords: apis, graph api, supported apis, get, vulnerability information, Microsoft Defender for Endpoint tvm api
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
Title: Microsoft Defender for Endpoint for US Government customers description: Learn about the Microsoft Defender for Endpoint for US Government customers requirements and capabilities available
-keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp, endpoint, dod
+keywords: government, gcc, high, requirements, capabilities, defender, Microsoft Defender for Endpoint, endpoint, dod
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Grant Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md
Title: Grant access to managed security service provider (MSSP)
-description: Take the necessary steps to configure MSSP integration with the Microsoft Defender ATP
+description: Take the necessary steps to configure MSSP integration with the Microsoft Defender for Endpoint
keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150
security Information Protection In Windows Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview.md
Information protection is an integral part of Microsoft 365 Enterprise suite, pr
>[!TIP]
-> Read our blog post about how Microsoft Defender for Endpoint (formerly known as Microsoft Defender ATP) integrates with Microsoft Information Protection to [discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
+> Read our blog post about how Microsoft Defender for Endpoint integrates with Microsoft Information Protection to [discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
Defender for Endpoint applies the following methods to discover, classify, and protect data:
security Investigate Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-domain.md
Title: Investigate Microsoft Defender for Endpoint domains description: Use the investigation options to see if devices and servers have been communicating with malicious domains.
-keywords: investigate domain, domain, malicious domain, microsoft defender atp, alert, URL
+keywords: investigate domain, domain, malicious domain, Microsoft Defender for Endpoint, alert, URL
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Investigate Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-ip.md
Title: Investigate an IP address associated with an alert description: Use the investigation options to examine possible communication between devices and external IP addresses.
-keywords: investigate, investigation, IP address, alert, microsoft defender atp, external IP
+keywords: investigate, investigation, IP address, alert, Microsoft Defender for Endpoint, external IP
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Investigate Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md
The **Missing KBs** tab lists the missing security updates for the device.
### Active alerts
-The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down.
+The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Microsoft Defender for Identity feature, and there are any active alerts. More information is available in the "Alerts" drill down.
![Image of active alerts card](images/risk-level-small.png) >[!NOTE]
->You'll need to enable the integration on both Azure ATP and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
+>You'll need to enable the integration on both Microsoft Defender for Identity and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
### Logged on users
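Review bot: the `+` line renames the feature to Microsoft Defender for Identity but leaves the card itself labelled **Azure Advanced Threat Protection** in the same sentence. If the card in the portal has been renamed, the bold UI label should follow; if it has not, a parenthetical such as "(formerly Azure ATP)" would explain why the two names differ.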
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
Title: Investigate a user account in Microsoft Defender for Endpoint description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation.
-keywords: investigate, account, user, user entity, alert, microsoft defender atp
+keywords: investigate, account, user, user entity, alert, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
A clickable user account link is available in these views, that will take you to
When you investigate a user account entity, you'll see: -- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and logged on devices, role, logon type, and other details
+- User account details, Microsoft Defender for Identity alerts, and logged on devices, role, logon type, and other details
- Overview of the incidents and user's devices - Alerts related to this user - Observed in organization (devices logged on to)
When you investigate a user account entity, you'll see:
### User details
-The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts.
+The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Microsoft Defender for Identity alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Microsoft Defender for Identity page, if you have enabled the Microsoft Defender for Identity feature, and there are alerts related to the user. The Microsoft Defender for Identity page will provide more information about the alerts.
>[!NOTE]
->You'll need to enable the integration on both Azure ATP and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
+>You'll need to enable the integration on both Microsoft Defender for Identity and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
The Overview, Alerts, and Observed in organization are different tabs that display various attributes about the user account.
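Review bot: the `+` User details line renames Azure ATP to Microsoft Defender for Identity in four places but leaves "The **Azure ATP alerts** section" unchanged in the same sentence; this mirrors the earlier list item (`+- User account details, Microsoft Defender for Identity alerts, ...`), so the section label should be renamed too unless the portal still shows the old text.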
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Title: Configure Microsoft Defender for Endpoint on iOS features description: Describes how to deploy Microsoft Defender for Endpoint on iOS features
-keywords: microsoft, defender, atp, ios, configure, features, ios
+keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, configure, features, ios
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) > [!NOTE]
-> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+> Defender for Endpoint on iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
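Review bot: the `+` NOTE keeps "would use a VPN in order to provide the Web Protection feature"; the conditional reads as if the VPN were optional, whereas the Web Protection and VPN section of the same file states it is used and enabled by default, so "uses a VPN to provide Web Protection" is the accurate wording.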
-## Conditional Access with Defender for Endpoint for iOS
+## Conditional Access with Defender for Endpoint on iOS
Microsoft Defender for Endpoint on iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.
-For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
+For more information about how to set up Conditional Access with Defender for Endpoint on iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
## Web Protection and VPN
-By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint for iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device.
+By default, Defender for Endpoint on iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint on iOS uses a VPN in order to provide this protection. Please note this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device.
While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable VPN from the app on the device by following the steps below:
Follow the steps below to create a compliance policy against jailbroken devices.
## Configure custom indicators
-Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators).
+Defender for Endpoint on iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators).
> [!NOTE]
-> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains.
+> Defender for Endpoint on iOS supports creating custom indicators only for IP addresses and URLs/domains.
## Report unsafe site
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Title: App-based deployment for Microsoft Defender for Endpoint on iOS description: Describes how to deploy Microsoft Defender for Endpoint on iOS using an app
-keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune
+keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, app, installation, deploy, uninstallation, intune
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-This topic describes deploying Defender for Endpoint for iOS on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll iOS/iPadOS devices in Intune](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll).
+This topic describes deploying Defender for Endpoint on iOS on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll iOS/iPadOS devices in Intune](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll).
## Before you begin - Ensure you have access to [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -- Ensure iOS enrollment is done for your users. Users need to have a Defender for Endpoint license assigned in order to use Defender for Endpoint for iOS. Refer to [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) for instructions on how to assign licenses.
+- Ensure iOS enrollment is done for your users. Users need to have a Defender for Endpoint license assigned in order to use Defender for Endpoint on iOS. Refer to [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) for instructions on how to assign licenses.
> [!NOTE] > Microsoft Defender for Endpoint on iOS is now available in the [Apple App Store](https://aka.ms/mdatpiosappstore). ## Deployment steps
-Deploy Defender for Endpoint for iOS via Intune Company Portal.
+Deploy Defender for Endpoint on iOS via Intune Company Portal.
### Add iOS store app
Deploy Defender for Endpoint for iOS via Intune Company Portal.
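Review bot: the rename in `+Deploy Defender for Endpoint on iOS via Intune Company Portal.` is correct, but the same sentence still reads `Deploy Defender for Endpoint for iOS via Intune Company Portal.` in the unchanged context shown directly below it (and again before the onboarding section), so either those are separate occurrences this commit missed or the context is stale. Please grep ios-install.md for "for Endpoint for iOS" before merging so the product name is consistent throughout the article.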
1. Select **iOS 11.0** as the Minimum operating system. Review the rest of information about the app and click **Next**.
-1. In the *Assignments* section, go to the **Required** section and select **Add group**. You can then choose the user group(s) that you would like to target Defender for Endpoint for iOS app. Click **Select** and then **Next**.
+1. In the *Assignments* section, go to the **Required** section and select **Add group**. You can then choose the user group(s) that you would like to target Defender for Endpoint on iOS app. Click **Select** and then **Next**.
> [!NOTE] > The selected user group should consist of Intune enrolled users.
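Review bot: `+1. In the *Assignments* section ...` keeps a grammatical slip from the removed line: "the user group(s) that you would like to target Defender for Endpoint on iOS app" is missing an article and a preposition. Suggest "the user group(s) that you would like to target with the Defender for Endpoint on iOS app". The NOTE that follows (the selected group must consist of Intune-enrolled users) should stay attached to this step.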
Deploy Defender for Endpoint for iOS via Intune Company Portal.
## Complete onboarding and check status
-1. Once Defender for Endpoint for iOS has been installed on the device, you
+1. Once Defender for Endpoint on iOS has been installed on the device, you
will see the app icon. ![A screen shot of a smart phone Description automatically generated](images/41627a709700c324849bf7e13510c516.png)
-2. Tap the Defender for Endpoint app icon and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint for iOS.
+2. Tap the Defender for Endpoint app icon and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint on iOS.
3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center.
Intune allows you to configure the Defender for iOS app through an App Configura
## Next Steps
-[Configure Defender for Endpoint for iOS features](ios-configure-features.md)
+[Configure Defender for Endpoint on iOS features](ios-configure-features.md)
security Ios Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-privacy.md
Title: Privacy information - Microsoft Defender for Endpoint on iOS description: Describes privacy information for Microsoft Defender for Endpoint on iOS
-keywords: microsoft, defender, atp, ios, policy, overview
+keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, policy, overview
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) > [!NOTE]
-> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.**
+> Defender for Endpoint on iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.**
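Review bot: the bolded sentence at the end of `+> Defender for Endpoint on iOS uses a VPN ...` still has the stray comma: "Microsoft or your organization, does not see your browsing activity" should be "Microsoft or your organization does not see your browsing activity". Since the line is already being rewritten for the product-name change, fix it in the same edit; "is not a regular VPN and is a local or self-looping VPN" would also read more cleanly as "is not a regular VPN but a local, self-looping VPN".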
-Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service.
+Defender for Endpoint on iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint on iOS secure, up-to-date, performing as expected, and to support the service.
For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md). ## Required data
-Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
+Required data consists of data that is necessary to make Defender for Endpoint on iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
Here is a list of the types of data being collected:
security Ios Terms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-terms.md
Title: Microsoft Defender for Endpoint on iOS Application license terms description: Describes the Microsoft Defender for Endpoint on iOS license terms
-keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
+keywords: microsoft, defender, Microsoft Defender for Endpoint, iOS, license, terms, application, use, installation, service, feedback, scope
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
Title: What's new in Microsoft Defender for Endpoint on iOS description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on iOS.
-keywords: microsoft, defender, atp, mac, installation, macos, whatsnew
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, macos, whatsnew
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Linux Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-exclusions.md
Title: Configure and validate exclusions for Microsoft Defender for Endpoint on Linux description: Provide and validate exclusions for Microsoft Defender for Endpoint on Linux. Exclusions can be set for files, folders, and processes.
-keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, exclusions, scans, antivirus
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. > [!IMPORTANT]
-> The exclusions described in this article don't apply to other Defender for Endpoint for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+> The exclusions described in this article don't apply to other Defender for Endpoint on Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
-You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint for Linux scans.
+You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Linux scans.
-Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint for Linux.
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint on Linux.
> [!WARNING]
-> Defining exclusions lowers the protection offered by Defender for Endpoint for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+> Defining exclusions lowers the protection offered by Defender for Endpoint on Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## Supported exclusion types
-The follow table shows the exclusion types supported by Defender for Endpoint for Linux.
+The follow table shows the exclusion types supported by Defender for Endpoint on Linux.
Exclusion | Definition | Examples ||
Wildcard | Description | Example | Matches | Does not match
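Review bot: `+The follow table shows the exclusion types supported by Defender for Endpoint on Linux.` carries the typo over from the removed line; change "The follow table" to "The following table" while this line is being touched.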
### From the management console
-For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
+For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Defender for Endpoint on Linux](linux-preferences.md).
### From the command line
In the following Bash snippet, replace `test.txt` with a file that conforms to y
curl -o test.txt https://www.eicar.org/download/eicar.com.txt ```
-If Defender for Endpoint for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
+If Defender for Endpoint on Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
Title: Deploy Microsoft Defender for Endpoint on Linux manually description: Describes how to deploy Microsoft Defender for Endpoint on Linux manually from the command line.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
Before you get started, see [Microsoft Defender for Endpoint on Linux](microsoft
## Configure the Linux software repository
-Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
+Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
In order to preview new features and provide early feedback, it is recommended t
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo ```
- For example, if you are running CentOS 7 and want to deploy Defender for Endpoint for Linux from the *prod* channel:
+ For example, if you are running CentOS 7 and want to deploy Defender for Endpoint on Linux from the *prod* channel:
```bash sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/prod.repo
Download the onboarding package from Microsoft Defender Security Center:
> ```bash > mdatp health --field definitions_status > ```
- > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration#post-installation-configuration).
+ > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint on Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration#post-installation-configuration).
5. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
Download the onboarding package from Microsoft Defender Security Center:
curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt ```
- - The file should have been quarantined by Defender for Endpoint for Linux. Use the following command to list all the detected threats:
+ - The file should have been quarantined by Defender for Endpoint on Linux. Use the following command to list all the detected threats:
```bash mdatp threat list
See [Log installation issues](linux-resources.md#log-installation-issues) for mo
## Operating system upgrades
-When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device.
+When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint on Linux, install the upgrade, and finally reconfigure Defender for Endpoint on Linux on your device.
## How to migrate from Insiders-Fast to Production channel
When upgrading your operating system to a new major version, you must first unin
## Uninstallation
-See [Uninstall](linux-resources.md#uninstall) for details on how to remove Defender for Endpoint for Linux from client devices.
+See [Uninstall](linux-resources.md#uninstall) for details on how to remove Defender for Endpoint on Linux from client devices.
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Title: Deploy Microsoft Defender for Endpoint on Linux with Ansible-+ description: Describes how to deploy Microsoft Defender for Endpoint on Linux using Ansible.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-This article describes how to deploy Defender for Endpoint for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
+This article describes how to deploy Defender for Endpoint on Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package) - [Create Ansible YAML files](#create-ansible-yaml-files)
This article describes how to deploy Defender for Endpoint for Linux using Ansib
## Prerequisites and system requirements
-Before you get started, see [the main Defender for Endpoint for Linux page](microsoft-defender-endpoint-linux.md) for a description of prerequisites and system requirements for the current software version.
+Before you get started, see [the main Defender for Endpoint on Linux page](microsoft-defender-endpoint-linux.md) for a description of prerequisites and system requirements for the current software version.
In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details.
Create a subtask or role files that contribute to an playbook or task.
- Add the Defender for Endpoint repository and key.
- Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
+ Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
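Review bot: the hunk itself is fine, but the sentence introducing it, "Create a subtask or role files that contribute to an playbook or task.", has "an playbook" and should read "a playbook"; since this commit is a wording pass on linux-install-with-ansible.md, it is worth fixing in the same change.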
See [Log installation issues](linux-resources.md#log-installation-issues) for mo
## Operating system upgrades
-When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device.
+When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint on Linux, install the upgrade, and finally reconfigure Defender for Endpoint on Linux on your device.
## References
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
Title: Deploy Microsoft Defender for Endpoint on Linux with Puppet description: Describes how to deploy Microsoft Defender for Endpoint on Linux using Puppet.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-This article describes how to deploy Defender for Endpoint for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
+This article describes how to deploy Defender for Endpoint on Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package) - [Create Puppet manifest](#create-a-puppet-manifest)
This article describes how to deploy Defender for Endpoint for Linux using Puppe
## Prerequisites and system requirements
- For a description of prerequisites and system requirements for the current software version, see [the main Defender for Endpoint for Linux page](microsoft-defender-endpoint-linux.md).
+ For a description of prerequisites and system requirements for the current software version, see [the main Defender for Endpoint on Linux page](microsoft-defender-endpoint-linux.md).
In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details.
Download the onboarding package from Microsoft Defender Security Center:
## Create a Puppet manifest
-You need to create a Puppet manifest for deploying Defender for Endpoint for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
+You need to create a Puppet manifest for deploying Defender for Endpoint on Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
install_mdatp
### Contents of `install_mdatp/manifests/init.pp`
-Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
+Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
If the product is not healthy, the exit code (which can be checked through `echo
## Operating system upgrades
-When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device.
+When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint on Linux, install the upgrade, and finally reconfigure Defender for Endpoint on Linux on your device.
## Uninstallation
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
Title: Set preferences for Microsoft Defender for Endpoint on Linux description: Describes how to configure Microsoft Defender for Endpoint on Linux in enterprises.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) >[!IMPORTANT]
->This topic contains instructions for how to set preferences for Defender for Endpoint for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line).
+>This topic contains instructions for how to set preferences for Defender for Endpoint on Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line).
-In enterprise environments, Defender for Endpoint for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
+In enterprise environments, Defender for Endpoint on Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
The following configuration profile will:
"cloudService":{ "automaticDefinitionUpdateEnabled":true, "automaticSampleSubmissionConsent":"safe",
- "enabled":true
+ "enabled":true,
"proxy":"http://proxy.server:port/" } }
The following configuration profile contains entries for all settings described
"enabled":true, "diagnosticLevel":"optional", "automaticSampleSubmissionConsent":"safe",
- "automaticDefinitionUpdateEnabled":true
+ "automaticDefinitionUpdateEnabled":true,
"proxy": "http://proxy.server:port/" } }
To verify that your /etc/opt/microsoft/mdatp/managed/mdatp_managed.json is worki
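Review bot: the two trailing commas added above (`+ "enabled":true,` in the recommended profile and `+ "automaticDefinitionUpdateEnabled":true,` in the full profile) are real fixes rather than cosmetic ones: in both objects a `"proxy"` entry follows on the next line, so the previous lines without a comma made the sample mdatp_managed.json invalid JSON. The commit message should say so, and the verification text that follows could tell readers to syntax-check the file before deploying it (for example `python3 -m json.tool /etc/opt/microsoft/mdatp/managed/mdatp_managed.json`, which exits non-zero on a parse error).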
## Configuration profile deployment
-Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
+Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
security Linux Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-privacy.md
Title: Privacy for Microsoft Defender for Endpoint on Linux description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, atp, linux, privacy, diagnostic
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, privacy, diagnostic
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when youΓÇÖre using Defender for Endpoint for Linux.
+Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when youΓÇÖre using Defender for Endpoint on Linux.
This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected. ## Overview of privacy controls in Microsoft Defender for Endpoint on Linux
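Review bot: `+Microsoft is committed to ... when youΓÇÖre using Defender for Endpoint on Linux.` preserves the mojibake `youΓÇÖre` (a UTF-8 right single quotation mark misdecoded through a legacy code page); since the line is being edited anyway, replace it with a plain `you're` so the rendered page does not show the garbled characters.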
-This section describes the privacy controls for the different types of data collected by Defender for Endpoint for Linux.
+This section describes the privacy controls for the different types of data collected by Defender for Endpoint on Linux.
### Diagnostic data
There are three levels for controlling sample submission:
If you're an IT administrator, you might want to configure these controls at the enterprise level.
-The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
+The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Defender for Endpoint on Linux](linux-preferences.md).
As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
The following fields are considered common for all events:
| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | | hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
-| app_version | Version of the Defender for Endpoint for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
+| app_version | Version of the Defender for Endpoint on Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. | | supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. | | release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
The following fields are collected:
| Field | Description | | - | -- |
-| version | Version of Defender for Endpoint for Linux. |
+| version | Version of Defender for Endpoint on Linux. |
| instance_id | Unique identifier generated on kernel extension startup. | | trace_level | Trace level of the kernel extension. | | subsystem | The underlying subsystem used for real-time protection. |
The following fields are collected:
Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs: - All files under */var/log/microsoft/mdatp*-- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Defender for Endpoint for Linux
+- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Defender for Endpoint on Linux
- Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log* ### Optional diagnostic data
security Linux Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-pua.md
Title: Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Linux description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, atp, linux, pua, pus
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, pua, pus
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
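Review bot: replacing `atp` with the full product name in the keywords line drops a search term that existing readers, bookmarks and inbound links still use; consider keeping it alongside the new name, e.g. `keywords: microsoft, defender, atp, Microsoft Defender for Endpoint, linux, pua, pus`. The same substitution is made on the keywords line of every file in this change, so whichever choice is taken should be applied to all of them.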
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-The potentially unwanted application (PUA) protection feature in Defender for Endpoint for Linux can detect and block PUA files on endpoints in your network.
+The potentially unwanted application (PUA) protection feature in Defender for Endpoint on Linux can detect and block PUA files on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
These applications can increase the risk of your network being infected with mal
## How it works
-Defender for Endpoint for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
+Defender for Endpoint on Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
-When a PUA is detected on an endpoint, Defender for Endpoint for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
+When a PUA is detected on an endpoint, Defender for Endpoint on Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
## Configure PUA protection
-PUA protection in Defender for Endpoint for Linux can be configured in one of the following ways:
+PUA protection in Defender for Endpoint on Linux can be configured in one of the following ways:
- **Off**: PUA protection is disabled. - **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product.
mdatp threat policy set --type potentially_unwanted_application --action [off|au
### Use the management console to configure PUA protection:
-In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Defender for Endpoint for Linux](linux-preferences.md) article.
+In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Defender for Endpoint on Linux](linux-preferences.md) article.
## Related articles -- [Set preferences for Defender for Endpoint for Linux](linux-preferences.md)
+- [Set preferences for Defender for Endpoint on Linux](linux-preferences.md)
security Linux Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md
Title: Microsoft Defender for Endpoint on Linux resources description: Describes resources for Microsoft Defender for Endpoint on Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you
## Uninstall
-There are several ways to uninstall Defender for Endpoint for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool.
+There are several ways to uninstall Defender for Endpoint on Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool.
### Manual uninstallation
security Linux Schedule Scan Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-schedule-scan-atp.md
Title: How to schedule scans with Microsoft Defender for Endpoint (Linux) description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint (Linux) to better protect your organization's assets.
-keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux)
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, scans, antivirus, microsoft defender for endpoint (linux)
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Linux Static Proxy Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration.md
Title: Microsoft Defender for Endpoint on Linux static proxy discovery description: Describes how to configure Microsoft Defender for Endpoint on Linux, for static proxy discovery.
-keywords: microsoft, defender, atp, linux, installation, proxy
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, proxy
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Linux Support Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-connectivity.md
Title: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux description: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
-keywords: microsoft, defender, atp, linux, cloud, connectivity, communication
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, cloud, connectivity, communication
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
## Run the connectivity test
-To test if Defender for Endpoint for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
+To test if Defender for Endpoint on Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
```bash mdatp connectivity test
OK https://cdn.x.cp.wd.microsoft.com/ping
> [!WARNING] > PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used. >
-> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
+> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint on Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
To use a static proxy, the `mdatp.service` file must be modified. Ensure the lea
Also ensure that the correct static proxy address is filled in to replace `address:port`.
-If this file is correct, try running the following command in the terminal to reload Defender for Endpoint for Linux and propagate the setting:
+If this file is correct, try running the following command in the terminal to reload Defender for Endpoint on Linux and propagate the setting:
```bash sudo systemctl daemon-reload; sudo systemctl restart mdatp
security Linux Support Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-events.md
Title: Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux description: Troubleshoot missing events or alerts issues in Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, atp, linux, events
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, events
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Linux Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-install.md
Title: Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux description: Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux
-keywords: microsoft, defender, atp, linux, installation
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
Title: Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux
-description: Troubleshoot performance issues in Microsoft Defender Endpoint on Linux.
-keywords: microsoft, defender, atp, linux, performance
+description: Troubleshoot performance issues in Microsoft Defender for Endpoint on Linux.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, performance
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-This article provides some general steps that can be used to narrow down performance issues related to Defender for Endpoint for Linux.
+This article provides some general steps that can be used to narrow down performance issues related to Defender for Endpoint on Linux.
-Real-time protection (RTP) is a feature of Defender for Endpoint for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
+Real-time protection (RTP) is a feature of Defender for Endpoint on Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
-Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Defender for Endpoint for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint for Linux.
+Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Defender for Endpoint on Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint on Linux.
Before starting, **please make sure that other security products are not currently running on the device**. Multiple security products may conflict and impact the host performance. The following steps can be used to troubleshoot and mitigate these issues:
-1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint for Linux is contributing to the performance issues.
+1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint on Linux is contributing to the performance issues.
If your device is not managed by your organization, real-time protection can be disabled from the command line:
The following steps can be used to troubleshoot and mitigate these issues:
Configuration property updated ```
- If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
+ If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint on Linux](linux-preferences.md).
If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case please contact customer support for further instructions and mitigation.
-2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux.
+2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on Linux.
> [!NOTE] > This feature is available in version 100.90.70 or newer.
The following steps can be used to troubleshoot and mitigate these issues:
125  CrashPlanService 164 ```
- To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
+ To improve the performance of Defender for Endpoint on Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on Linux](linux-exclusions.md).
>[!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
-5. Configure Microsoft Defender Endpoint on Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+5. Configure Microsoft Defender for Endpoint on Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
- For more information, see [Configure and validate exclusions for Microsoft Defender for Endpoint for Linux](linux-exclusions.md).
+ For more information, see [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](linux-exclusions.md).
security Linux Update MDE Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-MDE-Linux.md
Title: How to schedule an update of the Microsoft Defender for Endpoint (Linux) description: Learn how to schedule an update of the Microsoft Defender for Endpoint (Linux) to better protect your organization's assets.
-keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux)
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, scans, antivirus, microsoft defender for endpoint (linux)
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Linux Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-updates.md
Title: Deploy updates for Microsoft Defender for Endpoint for Linux
+ Title: Deploy updates for Microsoft Defender for Endpoint on Linux
-description: Describes how to deploy updates for Microsoft Defender for Endpoint for Linux in enterprise environments.
-keywords: microsoft, defender, atp, linux, updates, deploy
+description: Describes how to deploy updates for Microsoft Defender for Endpoint on Linux in enterprise environments.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, updates, deploy
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
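Review bot: the added `Title: Deploy updates for Microsoft Defender for Endpoint on Linux` line has no matching removal of the old `Title: Deploy updates for Microsoft Defender for Endpoint for Linux` line, which appears as unchanged context, so the front matter would end up with two title keys; the `description` and `keywords` lines in the same hunk do remove their old versions, and the title should follow the same pattern. The added title line also carries a leading space before `Title:`, which would make it an indented (and therefore invalid) top-level key in YAML front matter. The same two issues recur in the Mac front-matter hunks further down (exclusions, Intune, Jamf Pro, other MDM, Jamf Pro enroll, Jamf Pro policies, preferences, privacy, PUA, resources).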
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. > [!WARNING]
-> Each version of Defender for Endpoint for Linux has an expiration date, after which it will no longer continue to protect your device. You must update the product prior to this date. To check the expiration date, run the following command:
+> Each version of Defender for Endpoint on Linux has an expiration date, after which it will no longer continue to protect your device. You must update the product prior to this date. To check the expiration date, run the following command:
> ```bash > mdatp health --field product_expiration > ```
-To update Defender for Endpoint for Linux manually, execute one of the following commands:
+To update Defender for Endpoint on Linux manually, execute one of the following commands:
## RHEL and variants (CentOS and Oracle Linux)
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
Title: What's new in Microsoft Defender for Endpoint on Linux description: List of major changes for Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, atp, linux, whatsnew, release
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, whatsnew, release
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Device Control Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-intune.md
Title: Examples of device control policies for Intune description: Learn how to use device control policies using examples that can be used with Intune.
-keywords: microsoft, defender, atp, mac, device, control, usb, removable, media, intune
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, intune
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Device Control Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-jamf.md
Title: Examples of device control policies for JAMF description: Learn how to use device control policies using examples that can be used with JAMF.
-keywords: microsoft, defender, endpoint, atp, mac, device, control, usb, removable, media, jamf
+keywords: microsoft, defender, endpoint, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, jamf
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
Title: Device control for macOS description: Learn how to configure Microsoft Defender for Endpoint on Mac to reduce threats from removable storage such as USB devices.
-keywords: microsoft, defender, atp, mac, device, control, usb, removable, media
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
Title: Configure and validate exclusions for Microsoft Defender for Endpoint for Mac
-description: Provide and validate exclusions for Microsoft Defender for Endpoint for Mac. Exclusions can be set for files, folders, and processes.
-keywords: microsoft, defender, atp, mac, exclusions, scans, antivirus
+ Title: Configure and validate exclusions for Microsoft Defender for Endpoint on Mac
+description: Provide and validate exclusions for Microsoft Defender for Endpoint on Mac. Exclusions can be set for files, folders, and processes.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, exclusions, scans, antivirus
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Install Jamfpro Login https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login.md
Title: Log in to Jamf Pro description: Log in to Jamf Pro
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
Title: Manual deployment for Microsoft Defender for Endpoint on macOS description: Install Microsoft Defender for Endpoint on macOS manually, from the command line.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
To complete this process, you must have admin privileges on the device.
curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt ```
- 1. The file should have been quarantined by Defender for Endpoint for Mac. Use the following command to list all the detected threats:
+ 1. The file should have been quarantined by Defender for Endpoint on Mac. Use the following command to list all the detected threats:
```bash mdatp threat list
To complete this process, you must have admin privileges on the device.
The system should display the following message:
- > Microsoft Defender ATP - macOS EDR DIY test file<br/>
+ > Microsoft Defender for Endpoint - macOS EDR DIY test file<br/>
> Corresponding alert will be available in the MDATP portal. 11. Click **Open**.
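Review bot: the rewritten text `Microsoft Defender for Endpoint - macOS EDR DIY test file` is the message the document says the system displays when the test file is opened, so it should only change if the test file itself now shows the new name; otherwise the documented string will no longer match what users see on screen. The next line still refers to the `MDATP portal`, so the old name is not fully removed from this passage either way.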
See [Logging installation issues](mac-resources.md#logging-installation-issues)
## Uninstallation
-See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint for macOS from client devices.
+See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint on macOS from client devices.
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
Title: Intune-based deployment for Microsoft Defender for Endpoint on macOS
-description: Install Microsoft Defender for Endpoint on macOS, using Microsoft Intune.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
+ Title: Intune-based deployment for Microsoft Defender for Endpoint on Mac
+description: Install Microsoft Defender for Endpoint on Mac, using Microsoft Intune.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
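Review bot: the title and description in this hunk change `on macOS` to `on Mac`, while the neighbouring Mac files in the same change (manual deployment, Jamf Pro deployment, device groups, Jamf Pro policies) standardise on `on macOS`; one form should be chosen for the Mac documents. The added `Title:` line also leaves the original title line in place as unchanged context and has a leading space, which would produce a second, indented title key in the front matter.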
security Mac Install With Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-jamf.md
Title: Deploying Microsoft Defender for Endpoint for macOS with Jamf Pro
-description: Deploying Microsoft Defender for Endpoint for macOS with Jamf Pro
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+ Title: Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro
+description: Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Install With Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm.md
Title: Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint for Mac
-description: Install Microsoft Defender for Endpoint for Mac on other management solutions.
-keywords: microsoft, defender, atp, mac, installation, deploy, macos, catalina, mojave, high sierra
+ Title: Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on Mac
+description: Install Microsoft Defender for Endpoint on Mac on other management solutions.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Jamfpro Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md
Title: Set up device groups in Jamf Pro
-description: Learn how to set up device groups in Jamf Pro for Microsoft Defender for Endpoint for macOS
-keywords: device, group, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+description: Learn how to set up device groups in Jamf Pro for Microsoft Defender for Endpoint on macOS
+keywords: device, group, microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Jamfpro Enroll Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md
Title: Enroll Microsoft Defender for Endpoint for macOS devices into Jamf Pro
-description: Enroll Microsoft Defender for Endpoint for macOS devices into Jamf Pro
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+ Title: Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro
+description: Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
Title: Set up the Microsoft Defender for Endpoint for macOS policies in Jamf Pro
-description: Learn how to set up the Microsoft Defender Endpoint for macOS policies in Jamf Pro
-keywords: policies, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
+ Title: Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro
+description: Learn how to set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro
+keywords: policies, microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
7. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
- **Manifest File** is not required. Microsoft Defender Advanced Threat Protection works without Manifest File.
+ **Manifest File** is not required. Microsoft Defender for Endpoint works without Manifest File.
**Options tab**<br> Keep default values.
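Review bot: the rename to `Microsoft Defender for Endpoint` in the Manifest File sentence leaves the Display Name two lines above at `Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus`; since that value is the name the admin is told to type into Jamf Pro, either update it to the new product name in the same hunk or state that the old display name is intentional.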
security Mac Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-preferences.md
Title: Set preferences for Microsoft Defender for Endpoint for Mac
-description: Configure Microsoft Defender for Endpoint for Mac in enterprise organizations.
-keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra
+ Title: Set preferences for Microsoft Defender for Endpoint on Mac
+description: Configure MMicrosoft Defender for Endpoint on Mac in enterprise organizations.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
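Review bot: the added description line introduces a typo, `Configure MMicrosoft Defender for Endpoint on Mac`; it should read `Configure Microsoft Defender for Endpoint on Mac`. The added `Title:` line in this hunk again leaves the original title line as unchanged context and has a leading space before `Title:`.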
Specify a process for which all file activity is excluded from scanning. The pro
#### Allowed threats
-Specify threats by name that are not blocked by Defender for Endpoint for Mac. These threats will be allowed to run.
+Specify threats by name that are not blocked by Defender for Endpoint on Mac. These threats will be allowed to run.
|Section|Value| |:|:|
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
Title: Privacy for Microsoft Defender for Endpoint for Mac
-description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint for Mac.
-keywords: microsoft, defender, atp, mac, privacy, diagnostic
+ Title: Privacy for Microsoft Defender for Endpoint on Mac
+description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint on Mac.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, privacy, diagnostic
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-pua.md
Title: Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Mac
-description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender for Endpoint for Mac.
-keywords: microsoft, defender, atp, mac, pua, pus
+ Title: Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Mac
+description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender on Endpoint for Mac.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, pua, pus
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
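Review bot: the `+description` line scrambles the product name: `using Microsoft Defender on Endpoint for Mac` should be `using Microsoft Defender for Endpoint on Mac`, as written on the `+ Title` line directly above. Search snippets surface the description verbatim, so this one is user-visible.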
security Mac Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-resources.md
Title: Resources for Microsoft Defender for Endpoint for Mac
-description: Resources for Microsoft Defender for Endpoint for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
+ Title: Resources for Microsoft Defender for Endpoint on Mac
+description: Resources for Microsoft Defender for Endpoint on Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Schedule Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan.md
Title: How to schedule scans with MDATP for macOS
+ Title: How to schedule scans with Microsoft Defender for Endpoint on macOS
description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint in macOS to better protect your organization's assets.
-keywords: microsoft, defender, atp, mac, scans, antivirus
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, scans, antivirus
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-install.md
Title: Troubleshoot installation issues for Microsoft Defender for Endpoint for Mac
-description: Troubleshoot installation issues in Microsoft Defender for Endpoint for Mac.
-keywords: microsoft, defender, atp, mac, install
+ Title: Troubleshoot installation issues for Microsoft Defender for Endpoint on Mac
+description: Troubleshoot installation issues in Microsoft Defender for Endpoint on Mac.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, install
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Support Kext https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-kext.md
Title: Troubleshoot kernel extension issues in Microsoft Defender for Endpoint on macOS description: Troubleshoot kernel extension-related issues in Microsoft Defender for Endpoint on macOS.
-keywords: microsoft, defender, atp, mac, kernel, extension
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, kernel, extension
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
Title: Troubleshoot license issues for Microsoft Defender for Endpoint for Mac
-description: Troubleshoot license issues in Microsoft Defender for Endpoint for Mac.
-keywords: microsoft, defender, atp, mac, performance
+ Title: Troubleshoot license issues for Microsoft Defender for Endpoint on Mac
+description: Troubleshoot license issues in Microsoft Defender for Endpoint on Mac.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
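Review bot: the keywords line for this license troubleshooting article ends with `performance` on both the `-` and `+` lines, identical to the mac-support-perf.md keywords below, which looks like a copy-paste carried over from that page. Since the line is being rewritten anyway, replace `performance` with `license` (or `licensing`) so the metadata matches the article title.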
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
Title: Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS description: Troubleshoot performance issues in Microsoft Defender for Endpoint on macOS.
-keywords: microsoft, defender, atp, mac, performance
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
The following steps can be used to troubleshoot and mitigate these issues:
2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
-1. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Mac.
+1. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on Mac.
> [!NOTE] > This feature is available in version 100.90.70 or newer.
security Mac Sysext Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-policies.md
Title: New configuration profiles for macOS Catalina and newer versions of macOS description: This topic describes the changes that are must be made in order to benefit from the system extensions, which are a replacement for kernel extensions on macOS Catalina and newer versions of macOS.
-keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, kernel, system, extensions, catalina
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
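Review bot: the unchanged description on the first context line has a grammar slip, `the changes that are must be made`; this front matter is already being edited, so drop `are` so it reads `the changes that must be made in order to benefit from the system extensions`.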
security Mac Sysext Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-preview.md
Title: Microsoft Defender for Endpoint for Mac - system extensions (Preview)
-description: This article contains instructions for trying out the system extensions functionality of Microsoft Defender for Endpoint for Mac. This functionality is currently in public preview.
-keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina
+ Title: Microsoft Defender for Endpoint on Mac - system extensions (Preview)
+description: This article contains instructions for trying out the system extensions functionality of Microsoft Defender for Endpoint on Mac. This functionality is currently in public preview.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, kernel, system, extensions, catalina
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-In alignment with macOS evolution, we are preparing a Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. This update will only apply to macOS Catalina (10.15.4) and later versions of macOS.
+In alignment with macOS evolution, we are preparing a Defender for Endpoint on Mac update that leverages system extensions instead of kernel extensions. This update will only apply to macOS Catalina (10.15.4) and later versions of macOS.
This functionality is currently in public preview. This article describes how to enable this functionality on your device. You can try out this feature locally on your own device or configure it remotely through a management tool.
These steps assume you already have Defender for Endpoint running on your device
defaults write com.microsoft.autoupdate2 ChannelName -string Beta ```
- Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender for Endpoint for Mac: Set the channel name](mac-updates.md#set-the-channel-name).
+ Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender for Endpoint on Mac: Set the channel name](mac-updates.md#set-the-channel-name).
## Deployment steps
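Review bot: `JAMF` on the `+` line is the only all-caps spelling in this changeset; the other touched articles write `Jamf Pro` in titles and `jamf` in keywords. Normalise to `Jamf` while this sentence is being rewritten so the managed-environment note matches the rest of the Mac docs.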
Follow the deployment steps that correspond to your environment and your preferr
1. After all deployment prerequisites are met, restart your device to launch the system extension approval and activation process.
- You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device.
+ You'll see a series of system prompts to approve the Defender for Endpoint system extensions. You must approve **all** prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint on Mac installs on the device.
For each approval, select **Open Security Preferences** and then select **Allow** to allow the system extension to run.
security Mac Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-updates.md
Title: Deploy updates for Microsoft Defender for Endpoint for Mac
-description: Control updates for Microsoft Defender for Endpoint for Mac in enterprise environments.
-keywords: microsoft, defender, atp, mac, updates, deploy
+ Title: Deploy updates for Microsoft Defender for Endpoint on Mac
+description: Control updates for Microsoft Defender for Endpoint on Mac in enterprise environments.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, updates, deploy
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
Title: What's new in Microsoft Defender for Endpoint on Mac description: Learn about the major changes for previous versions of Microsoft Defender for Endpoint on Mac.
-keywords: microsoft, defender, atp, mac, installation, macos, whatsnew
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, macos, whatsnew
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Manage Atp Post Migration Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-configuration-manager.md
Title: Manage Microsoft Defender for Endpoint using Configuration Manager description: Learn how to manage Microsoft Defender for Endpoint with Configuration Manager
-keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, windows defender advanced threat protection, atp, edr
+keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Manage Atp Post Migration Group Policy Objects https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-group-policy-objects.md
Title: Manage Microsoft Defender for Endpoint using Group Policy Objects description: Learn how to manage Microsoft Defender for Endpoint with Group Policy Objects
-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, windows defender advanced threat protection, atp, edr
+keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
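Review bot: the `+keywords` line keeps `PowerShell` for an article titled "Manage Microsoft Defender for Endpoint using Group Policy Objects", apparently carried over from the PowerShell/WMI/MPCmdRun.exe article below. `Group Policy` or `GPO` is the accurate keyword here; leaving `PowerShell` steers searches for the PowerShell page to the wrong article.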
security Manage Atp Post Migration Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-intune.md
Title: Manage Microsoft Defender for Endpoint using Intune description: Learn how to manage Microsoft Defender for Endpoint with Intune
-keywords: post-migration, manage, operations, maintenance, utilization, intune, windows defender advanced threat protection, atp, edr
+keywords: post-migration, manage, operations, maintenance, utilization, intune, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Manage Atp Post Migration Other Tools https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration-other-tools.md
Title: Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe description: Learn how to manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, windows defender advanced threat protection, atp, edr
+keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Manage Atp Post Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-atp-post-migration.md
Title: Manage Microsoft Defender for Endpoint post migration description: Now that you've made the switch to Microsoft Defender for Endpoint, your next step is to manage your threat protection features
-keywords: post-migration, manage, operations, maintenance, utilization, windows defender advanced threat protection, atp, edr
+keywords: post-migration, manage, operations, maintenance, utilization, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
Acknowledging that customer environments and structures can vary, Defender for E
## Endpoint onboarding and portal access
-Device onboarding is fully integrated into Microsoft Endpoint Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other third-party tools used for devices management.
+Device onboarding is fully integrated into Microsoft Endpoint Manager and Microsoft Intune for client devices and Azure Defender for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other third-party tools used for devices management.
Defender for Endpoint provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: - Globally distributed organizations and security teams
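Review bot: the `+` line only swaps `Azure Security Center` for `Azure Defender` and carries two grammar slips through unchanged: `providing complete end-to-end experience` needs an article (`providing a complete end-to-end experience`), and `third-party tools used for devices management` should be `device management`. Fix both in the same rewrite rather than touching the sentence twice.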
security Mcafee To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-migration.md
Title: Migrate from McAfee to Microsoft Defender for Endpoint description: Make the switch from McAfee to Microsoft Defender for Endpoint. Read this article for an overview.
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mcafee To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-onboard.md
Title: McAfee to Microsoft Defender for Endpoint - Onboard description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
|--|--|--| || |*You are here!* |
-**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
+**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint). 2. [Run a detection test](#run-a-detection-test).
Deployment methods vary, depending on which operating system is selected. Refer
|Windows 10 |- [Group Policy](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-gp)<br/>- [Configuration Manager](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-sccm)<br/>- [Mobile Device Management (Intune)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-mdm)<br/>- [Local script](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-script) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | |- Windows 8.1 Enterprise <br/>- Windows 8.1 Pro <br/>- Windows 7 SP1 Enterprise <br/>- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)<br/><br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). 
| |- Windows Server 2019 and later <br/>- Windows Server 2019 core edition <br/>- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-script) <br/>- [Group Policy](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-gp) <br/>- [Configuration Manager](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-sccm) <br/>- [System Center Configuration Manager](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager) <br/>- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-vdi) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016 <br/>- Windows Server 2012 R2 <br/>- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)<br/>- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
+|- Windows Server 2016 <br/>- Windows Server 2012 R2 <br/>- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)<br/>- [Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra)<br/><br/>iOS<br/><br/>Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows) | ## Run a detection test
To verify that your onboarded devices are properly connected to Microsoft Defend
|Operating system |Guidance | ||| |- Windows 10 <br/>- Windows Server 2019 <br/>- Windows Server, version 1803 <br/>- Windows Server 2016 <br/>- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/run-detection-test). <br/><br/>Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <br/><br/>For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-mac). |
-|Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <br/><br/>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <br/><br/>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <br/><br/>For more information, see [Microsoft Defender for Endpoint for Linux](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-linux). |
+|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <br/><br/>For more information, see [Microsoft Defender for Endpoint on Mac](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-mac). |
+|Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <br/><br/>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <br/><br/>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <br/><br/>For more information, see [Microsoft Defender for Endpoint on Linux](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-linux). |
## Uninstall McAfee
To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([http
**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)! - [Visit your security operations dashboard](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). -- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md).
+- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
security Mcafee To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-prepare.md
Title: McAfee to Microsoft Defender for Endpoint - Prepare description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Mcafee To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-setup.md
Title: McAfee to Microsoft Defender for Endpoint - Setup description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
Title: Microsoft Defender for Endpoint on Android description: Describes how to install and use Microsoft Defender for Endpoint on Android
-keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, intune
+keywords: microsoft, defender, Microsoft Defender for Endpoint, android, installation, deploy, uninstallation, intune
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
This topic describes how to install, configure, update, and use Defender for End
- Access to the Microsoft Defender Security Center portal. > [!NOTE]
- > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint on Android. Currently only enrolled devices are supported for enforcing Defender for Endpoint for Android related device compliance policies in Intune.
+ > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint on Android. Currently only enrolled devices are supported for enforcing Defender for Endpoint on Android related device compliance policies in Intune.
- Access [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
Title: Microsoft Defender for Endpoint on iOS
-description: Describes how to install and use Microsoft Defender for Endpoint for iOS
-keywords: microsoft, defender, atp, ios, overview, installation, deploy, uninstallation, intune
+description: Describes how to install and use Microsoft Defender for Endpoint on iOS
+keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, overview, installation, deploy, uninstallation, intune
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
Title: Microsoft Defender for Endpoint on Linux
-description: Describes how to install and use Microsoft Defender for Endpoint for Linux.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+description: Describes how to install and use Microsoft Defender for Endpoint on Linux.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint on Linux. > [!CAUTION]
-> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint for Linux EDR functionality after configuring the antivirus functionality to run in [Passive mode](linux-preferences.md#enable--disable-passive-mode).
+> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in [Passive mode](linux-preferences.md#enable--disable-passive-mode).
## How to install Microsoft Defender for Endpoint on Linux
If you experience any installation failures, refer to [Troubleshooting installat
- Minimum kernel version 3.10.0-327 - The `fanotify` kernel option must be enabled > [!CAUTION]
- > Running Defender for Endpoint for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
+ > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
- Disk space: 1GB-- /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender for Endpoint for Linux](/microsoft-365/security/defender-endpoint/linux-support-install).
+- /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install).
- Memory: 1GB > [!NOTE] > Please make sure that you have free disk space in /var.
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
Title: Microsoft Defender for Endpoint on Mac description: Learn how to install, configure, update, and use Microsoft Defender for Endpoint on Mac.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, catalina, mojave, mde for mac
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, catalina, mojave, mde for mac
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Title: Microsoft Defender for Endpoint description: Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps defend against advanced persistent threats.
-keywords: introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender for Endpoint, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
+keywords: introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender for Endpoint, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, Microsoft 365 Defender, cyber threat hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
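Review bot: the `+keywords:` line now carries the same phrase twice, "introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender for Endpoint", because the old "Microsoft Defender Advanced Threat Protection" entry was replaced with a string already present; drop the second occurrence so the keyword list stays deduplicated.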
Defender for Endpoint uses the following combination of technology built into Wi
<a href="#apis"><center><b>Centralized configuration and administration, APIs</a></b></center></td> </tr> <tr>
-<td colspan="7"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
+<td colspan="7"><a href="#mtp"><center><b>Microsoft 365 Defender</a></center></b></td>
</tr> </table> <br>
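Review bot: the `+` table cell keeps the mis-nested closing tags of the line it replaces, `<a href="#mtp"><center><b>Microsoft 365 Defender</a></center></b>`; the tags are opened as a, center, b but closed as a, center, b instead of b, center, a, so the cell should close as `</b></center></a>` (the sibling cell on the context line above has the same problem). The `href="#mtp"` anchor also still uses the old abbreviation while the label now reads "Microsoft 365 Defender"; confirm the target heading's anchor was not renamed in the same pass.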
Integrate Microsoft Defender for Endpoint into your existing workflows.
**[Integration with Microsoft solutions](threat-protection-integration.md)** <br> Defender for Endpoint directly integrates with various Microsoft solutions, including:-- Azure Security Center
+- Azure Defender
- Azure Sentinel - Intune - Microsoft Cloud App Security
security Migrating Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-asr-rules.md
Title: Migrating from a third-party HIPS to ASR rules description: Describes how to approach a migration from a third-party Host Intrusion Prevention System (HIPS) solution into ASR rules.
-keywords: Attack surface reduction rules, asr, asr rules, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender for Endpoint, Microsoft Defender ATP
+keywords: Attack surface reduction rules, asr, asr rules, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh ms.prod: m365-security
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Applies to**- All Processes - **Processes**- N/A - **Operation**- Registry Modifications-- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- *\Software*,HKCU\Environment\UserInitMprLogonScript,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs*\StartExe, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*\Debugger,HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author\location,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit*\MonitorProcess
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- *\Software*,HKCU\Environment\UserInitMprLogonScript,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs*\StartExe, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*\Debugger, HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author\location, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit*\MonitorProcess
- **Attack Surface Reduction rules**- ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, because it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload. - **Other recommended features**- Having Microsoft Defender AV enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend you use additional prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, several of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. Additionally, the registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.
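Review bot: the `+` examples bullet contains bare wildcard paths such as `*\Software*`, `Accessibility\ATs*\StartExe` and `SilentProcessExit*\MonitorProcess`, whose unescaped asterisks will be rendered as emphasis markers rather than wildcards; wrap each path in backticks (or escape the asterisks) so the registry paths render literally. While in this section, the trailing context sentence "the registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified" is missing a verb and should read that the keys can be modified only with at least those privileges.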
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Applies to**- Untrusted Programs from USB - **Processes**- * - **Operation**- Process Execution-- **Examples of Files/Folders, Registry Keys/Values, Processes,
+- **Examples of Files/Folders, Registry Keys/Values, Processes,
- **Attack Surface Reduction rules**- ASR rules have a built-in rule to prevent the launch of untrusted and unsigned programs from removable drives: "Block untrusted and unsigned processes that run from USB", GUID "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4". - **Other recommended features**- Please explore additional controls for USB devices and other removable media using Microsoft Defender for Endpoint:[How to control USB devices and other removable media using Microsoft Defender for Endpoint](/windows/security/threat-protection/device-control/control-usb-devices-using-intune).
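Review bot: the `+` line in this hunk ends at "**Examples of Files/Folders, Registry Keys/Values, Processes," with no "Services**-" and no example values, whereas every sibling section in this article closes the bold label and lists examples; check that the full bullet was committed rather than a truncated line.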
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Applies to**- Mshta - **Processes**- mshta.exe - **Operation**- Process Execution-- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- powershell.exe, cmd.exe, regsvr32.exe
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- powershell.exe, cmd.exe, regsvr32.exe
- **Attack Surface Reduction rules**- ASR rules don't contain any specific rule to prevent child processes from "mshta.exe". This control is within the remit of Exploit Protection or Windows Defender Application Control. - **Other recommended features**- Enable Windows Defender Application Control to prevent mshta.exe from being executed altogether. If your organization requires "mshta.exe" for line of business apps, configure a specific Windows Defender Exploit Protection rule, to prevent mshta.exe from launching child processes.
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Applies to**- Outlook - **Processes**- outlook.exe - **Operation**- Process Execution-- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- powershell.exe-- **Attack Surface Reduction rules**- ASR rules have a built-in rule to prevent Office communication apps (Outlook, Skype and Teams) from launching child processes: "Block Office communication application from creating child processes", GUID "26190899-1602-49e8-8b27-eb1d0a1ce869".
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- powershell.exe
+- **Attack Surface Reduction rules**- ASR rules have a built-in rule to prevent Office communication apps (Outlook, Skype, and Teams) from launching child processes: "Block Office communication application from creating child processes", GUID "26190899-1602-49e8-8b27-eb1d0a1ce869".
- **Other recommended features**- We recommend enabling PowerShell constrained language mode to minimize the attack surface from PowerShell.
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Applies to**- Office - **Processes**- winword.exe, powerpnt.exe, excel.exe - **Operation**- Process Execution-- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- powershell.exe, cmd.exe, wscript.exe, mshta.exe, EQNEDT32.EXE, regsrv32.exe
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- powershell.exe, cmd.exe, wscript.exe, mshta.exe, EQNEDT32.EXE, regsrv32.exe
- **Attack Surface Reduction rules**- ASR rules have a built-in rule to prevent Office apps from launching child processes: "Block all Office applications from creating child processes", GUID "D4F940AB-401B-4EFC-AADC-AD5F3C50688A". - **Other recommended features**- N/A
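Review bot: the `+` examples line keeps the misspelling "regsrv32.exe"; the binary is `regsvr32.exe`, as the Mshta section of the same article spells it, and since this string is what readers will compare against process names it should be corrected while the line is being touched.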
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Applies to**- Office - **Processes**- winword.exe, powerpnt.exe, excel.exe - **Operation**- File Creation-- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- C:\Users*\AppData**.exe, C:\ProgramData**.exe, C:\ProgramData**.com, C:\Users*AppData\Local\Temp**.com, C:\Users*\Downloads**.exe, C:\Users*\AppData**.scf, C:\ProgramData**.scf, C:\Users\Public*.exe, C:\Users*\Desktop***.exe
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- C:\Users*\AppData**.exe, C:\ProgramData**.exe, C:\ProgramData**.com, C:\Users*AppData\Local\Temp**.com, C:\Users*\Downloads**.exe, C:\Users*\AppData**.scf, C:\ProgramData**.scf, C:\Users\Public*.exe, C:\Users*\Desktop***.exe
- **Attack Surface Reduction rules**- N/A. ### Block Wscript from reading certain types of files
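Review bot: the `+` examples line carries patterns such as `C:\Users*\AppData**.exe`, `C:\Users*AppData\Local\Temp**.com` and `C:\Users*\Desktop***.exe`, which read as if the backslashes before each wildcard were consumed by markdown rendering (a path segment like `Users*\AppData**` is not a valid glob); wrap the patterns in backticks and restore the separators so the file-creation paths are unambiguous to anyone building a rule from them.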
This article helps you to map common rules to Microsoft Defender for Endpoint.
- **Attack Surface Reduction rules**- Overall, ASR rules aren't designed to function as an Application manager. - **Other recommended features**- To prevent users from launching specific processes or programs, it's recommended to use Windows Defender Application Control. Microsoft Defender for Endpoint File and Cert indicators, can be used in an Incident Response scenario (shouldn't be seen as an application control mechanism).
-### Block unauthorized changes to MDATP AV configurations
+### Block unauthorized changes to Microsoft Defender Antivirus configurations
- **Applies to**- All Processes - **Processes**- * - **Operation**- Registry Modifications - **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowRealTimeMonitoring, and so on. - **Attack Surface Reduction rules**- ASR rules don't cover these scenarios because they're part of the Microsoft Defender for Endpoint built-in protection.-- **Other recommended features**- Tamper Protection (opt-in, managed from Intune) prevents unauthorized changes to DisableAntiVirus, DisableAntiSpyware, DisableRealtimeMonitoring, DisableOnAccessProtection, DisableBehaviorMonitoring and DisableIOAVProtection registry keys (and more).
+- **Other recommended features**- Tamper Protection (opt-in, managed from Intune) prevents unauthorized changes to DisableAntiVirus, DisableAntiSpyware, DisableRealtimeMonitoring, DisableOnAccessProtection, DisableBehaviorMonitoring, and DisableIOAVProtection registry keys (and more).
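Review bot: the `+` Tamper Protection bullet lists value names (DisableAntiVirus, DisableAntiSpyware, DisableRealtimeMonitoring, and so on) without the key they live under, while the examples bullet on the context line gives full paths such as `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware`; state the key path for the listed values so the two bullets can be compared. The heading was also renamed to "Microsoft Defender Antivirus configurations", but the context line still attributes the protection to "Microsoft Defender for Endpoint built-in protection"; align the two.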
See also
security Migration Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migration-guides.md
Title: Migration guides to make the switch to Microsoft Defender for Endpoint
-description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint
+description: Learn how to make the switch from a non-Microsoft 365 Defender solution to Microsoft Defender for Endpoint
search.appverid: MET150
ms.technology: mde
## Migration guides
-If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint with Microsoft Defender Antivirus, check out our migration guidance. Select the scenario that best represents where you are in your deployment process, and see the guidance.
+If you're considering switching from a non-Microsoft 365 Defender solution to Microsoft Defender for Endpoint with Microsoft Defender Antivirus, check out our migration guidance. Select the scenario that best represents where you are in your deployment process, and see the guidance.
|Scenario |Guidance | |:--|:--|
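Review bot: the replacement in both the `+description:` line and the `+If you're considering switching` line changes the meaning: "a non-Microsoft threat protection solution" (a third-party product) has become "a non-Microsoft 365 Defender solution", which reads as a solution other than Microsoft 365 Defender rather than a non-Microsoft one. This looks like a mechanical rename of "Microsoft Threat Protection" matching across the word boundary; restore "non-Microsoft threat protection solution" (or "a non-Microsoft solution") in both places.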
security Next Gen Threat And Vuln Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt.md
Title: Threat and vulnerability management description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender for endpoint, microsoft defender atp, endpoint vulnerabilities, next generation
+keywords: threat & vulnerability management, threat and vulnerability management, Microsoft Defender for Endpoint TVM, Microsoft Defender for Endpoint-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, Microsoft Defender for Endpoint, endpoint vulnerabilities, next generation
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
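Review bot: the `+keywords:` line now contains "Microsoft Defender for Endpoint TVM, Microsoft Defender for Endpoint-TVM", an artefact of substituting the product name into the former "MDATP TVM, MDATP-TVM" pair; the hyphenated form is not a term anyone searches for, so keep a single "Microsoft Defender for Endpoint TVM" entry.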
security Offboard Machine Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machine-api.md
Title: Offboard machine API
-description: Learn how to use an API to offboard a device from Windows Defender Advanced Threat Protection (WDATP).
+description: Learn how to use an API to offboard a device from Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh ms.prod: m365-security
security Offboard Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machines.md
Title: Offboard devices from the Microsoft Defender for Endpoint service description: Onboard Windows 10 devices, servers, non-Windows devices from the Microsoft Defender for Endpoint service
-keywords: offboarding, microsoft defender for endpoint offboarding, windows atp offboarding
+keywords: offboarding, Microsoft Defender for Endpoint offboarding, offboarding
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
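Review bot: the `+keywords:` line ends with "offboarding, Microsoft Defender for Endpoint offboarding, offboarding", so the bare "offboarding" keyword appears twice after the "windows atp offboarding" entry was rewritten; drop the trailing duplicate. On the context line above, the description for this offboarding article still reads "Onboard Windows 10 devices, servers, non-Windows devices from the Microsoft Defender for Endpoint service" and should say "Offboard".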
security Old Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/old-index.md
Title: Threat Protection (Windows 10) description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
-keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
+keywords: threat protection, Microsoft Defender for Endpoint, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
Title: Onboard devices to the Microsoft Defender for Endpoint service description: Onboard Windows 10 devices, servers, non-Windows devices and learn how to run a detection test.
-keywords: onboarding, microsoft defender for endpoint onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test
+keywords: onboarding, Microsoft Defender for Endpoint onboarding, sccm, group policy, mdm, local script, detection test
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Onboard Offline Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-offline-machines.md
For more information about onboarding methods, see the following articles:
- Configure Azure Log Analytics IP as a proxy - Azure Log Analytics Workspace Key & ID
- - Azure Security Center (ASC)
+ - Azure Defender
- [Security Policy \> Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration) - [Threat Detection \> Allow Defender for Endpoint to access my data](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
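Review bot: the bullet was renamed from "Azure Security Center (ASC)" to "Azure Defender", but both sub-bullet links on the trailing context line still point at `security-center-wdatp#enable-windows-defender-atp-integration`; confirm those URLs and anchors still resolve after the product rename, or update them in the same change so the renamed bullet does not lead to stale targets.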
security Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard.md
Topic | Description
[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | Configure attack surface reduction capabilities, to ensure that settings are properly applied, and exploit mitigation techniques are set. [Configure next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) | Configure next-generation protection to catch all types of emerging threats. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage cybersecurity threat intelligence from Microsoft Threat Experts.
-[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-integration) | Configure other solutions that integrate with Defender for Endpoint.
+[Configure Microsoft 365 Defender integration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-integration) | Configure other solutions that integrate with Defender for Endpoint.
[Management and API support](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/management-apis) | Pull alerts to your Security Information and Event Management (SIEM) or use APIs to create custom alerts. Create and build Power BI reports.
security Onboarding Endpoint Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md
Title: Onboarding using Microsoft Endpoint Configuration Manager description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Endpoint Configuration Manager
-keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft endpoint configuration manager
+keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, Microsoft Defender for Endpoint, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft endpoint configuration manager
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Onboarding Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md
Title: Onboarding using Microsoft Endpoint Manager description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Endpoint Manager
-keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft endpoint manager
+keywords: onboarding, configuration, deploy, deployment, endpoint manager, Microsoft Defender for Endpoint, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft endpoint manager
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md
The following table lists the available tools based on the endpoint that you nee
| Endpoint | Tool options | |--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Azure Security Center](configure-server-endpoints.md#integration-with-azure-security-center) |
+| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender) |
| **macOS** | [Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) | | **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)| | **iOS** | [App-based](ios-install.md) |
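Review bot: the `+` Windows row changes the fragment from `configure-server-endpoints.md#integration-with-azure-security-center` to `#integration-with-azure-defender`; this only works if the heading in configure-server-endpoints.md was renamed to "Integration with Azure Defender" in the same change, otherwise the link lands at the top of the page. Verify the target heading, since nothing in this hunk shows that file being edited.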
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
Title: Overview of attack surface reduction description: Learn about the attack surface reduction capabilities of Microsoft Defender for Endpoint.
-keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender for endpoint, microsoft defender, antivirus, av, windows defender
+keywords: asr, attack surface reduction, Microsoft Defender for Endpoint, microsoft defender, antivirus, av, windows defender
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Overview Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response.md
Title: Overview of endpoint detection and response capabilities description: Learn about the endpoint detection and response capabilities in Microsoft Defender for Endpoint
-keywords: microsoft defender for endpoint, endpoint detection and response, response, detection, cybersecurity, protection
+keywords: Microsoft Defender for Endpoint, endpoint detection and response, response, detection, cybersecurity, protection
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Supported Response Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/supported-response-apis.md
Title: Supported Microsoft Defender Advanced Threat Protection response APIs
-description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls.
+ Title: Supported Microsoft Defender for Endpoint response APIs
+description: Learn about the specific response-related Microsoft Defender for Endpoint API calls.
keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file search.product: eADQiWindows 10XVcnh search.appverid: met150
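Review bot: the added front-matter line `+ Title: Supported Microsoft Defender for Endpoint response APIs` has a leading space before the key, which indents it relative to the `description:` key below and will break YAML parsing of the front matter; remove the space. The original "Title: Supported Microsoft Defender Advanced Threat Protection response APIs" line also does not appear as removed in this hunk, so check that the file does not end up with two title keys.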
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
Title: Switch to Microsoft Defender for Endpoint - Onboard description: This is phase 3, Onboard, for migrating from a non-Microsoft solution to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
Deployment methods vary, depending on which operating system is selected. Refer
|Windows 10 |- [Group Policy](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-gp)<br/>- [Configuration Manager](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-sccm)<br/>- [Mobile Device Management (Intune)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-mdm)<br/>- [Local script](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-script) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | |- Windows 8.1 Enterprise <br/>- Windows 8.1 Pro <br/>- Windows 7 SP1 Enterprise <br/>- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)<br/><br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). 
| |- Windows Server 2019 and later <br/>- Windows Server 2019 core edition <br/>- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-script) <br/>- [Group Policy](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-gp) <br/>- [Configuration Manager](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-sccm) <br/>- [System Center Configuration Manager](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager) <br/>- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-vdi) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016 <br/>- Windows Server 2012 R2 <br/>- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)<br/>- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
+|- Windows Server 2016 <br/>- Windows Server 2012 R2 <br/>- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)<br/>- [Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra)<br/><br/>iOS<br/><br/>Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows) | ## Run a detection test
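Review bot: the `+` server row relabels the link to "Azure Defender" while the URL stays `https://docs.microsoft.com/azure/security-center/security-center-wdatp`; that is fine only if the page redirects, so verify it. On the context rows, the Microsoft Monitoring Agent link uses the anchor `...report-sensor-data-to-microsoft-defender-atp`, while the same section is linked as `...report-sensor-data-to-microsoft-defender-for-endpoint` in the Symantec onboarding page later in this change set; one of the two anchors is stale.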
security Switch To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-prepare.md
Title: Switch to Microsoft Defender for Endpoint - Prepare description: This is phase 1, Prepare, for migrating to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
Title: Switch to Microsoft Defender for Endpoint - Setup description: This is phase 2, Setup, for switching to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Symantec To Microsoft Defender Atp Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-onboard.md
Title: Symantec to Microsoft Defender for Endpoint - Phase 3, Onboarding description: This is Phase 3, Onboarding, of migrating from Symantec to Microsoft Defender for Endpoint
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
Deployment methods vary, depending on which operating system is selected. Refer
|Windows 10 |- [Group Policy](configure-endpoints-gp.md)<br/>- [Configuration Manager](configure-endpoints-sccm.md)<br/>- [Mobile Device Management (Intune)](configure-endpoints-mdm.md)<br/>- [Local script](configure-endpoints-script.md) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | |- Windows 8.1 Enterprise <br/>- Windows 8.1 Pro <br/>- Windows 7 SP1 Enterprise <br/>- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint)<br/><br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | |- Windows Server 2019 and later <br/>- Windows Server 2019 core edition <br/>- Windows Server version 1803 and later |- [Local script](configure-endpoints-script.md) <br/>- [Group Policy](configure-endpoints-gp.md) <br/>- [Configuration Manager](/configure-endpoints-sccm.md) <br/>- [System Center Configuration Manager](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)<br/>- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016 <br/>- Windows Server 2012 R2 <br/>- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](configure-server-endpoints.md)<br/>- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
+|- Windows Server 2016 <br/>- Windows Server 2012 R2 <br/>- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](configure-server-endpoints.md)<br/>- [Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra)<br/><br/>iOS<br/><br/>Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Onboard non-Windows devices](configure-endpoints-non-windows.md) | ## Run a detection test
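Review bot: in the Windows Server 2019 row of this table (unchanged context directly above the changed Windows Server 2016 row) the Configuration Manager link is written as `[Configuration Manager](/configure-endpoints-sccm.md)`; the leading slash turns the relative link used everywhere else in the table (`(configure-endpoints-sccm.md)` in the Windows 10 row) into a site-root path that most likely will not resolve, so it is worth fixing while this table is being touched. The renamed `+` row keeps the `security-center-wdatp` URL under the new "Azure Defender" label, which is fine as long as that page still lives at that path.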
security Symantec To Microsoft Defender Atp Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-prepare.md
Title: Symantec to Microsoft Defender for Endpoint - Phase 1, Preparing description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Symantec To Microsoft Defender Atp Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-setup.md
Title: Symantec to Microsoft Defender for Endpoint - Phase 2, Setting Up description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender for Endpoint
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Symantec To Microsoft Defender Endpoint Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-endpoint-migration.md
Title: Migrate from Symantec to Microsoft Defender for Endpoint description: Get an overview of how to make the switch from Symantec to Microsoft Defender for Endpoint
-keywords: migration, windows defender advanced threat protection, atp, edr
+keywords: migration, Microsoft Defender for Endpoint, edr
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Threat And Vuln Mgt Event Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-and-vuln-mgt-event-timeline.md
Title: Event timeline in threat and vulnerability management description: Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it.
-keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender for Endpoint
+keywords: event timeline, Microsoft Defender for Endpoint event timeline, Microsoft Defender for Endpoint tvm event timeline, threat and vulnerability management, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Threat Protection Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-integration.md
Title: Integrate Microsoft Defender for Endpoint with other Microsoft solutions
-description: Learn how Microsoft Defender for Endpoint integrates with other Microsoft solutions, including Microsoft Defender for Identity and Azure Security Center.
+description: Learn how Microsoft Defender for Endpoint integrates with other Microsoft solutions, including Microsoft Defender for Identity and Azure Defender.
ms.prod: m365-security
-keywords: microsoft 365 defender, conditional access, office, advanced threat protection, microsoft defender for identity, microsoft defender for office, azure security center, microsoft cloud app security, azure sentinel
+keywords: microsoft 365 defender, conditional access, office, Microsoft Defender for Endpoint, microsoft defender for identity, microsoft defender for office, Azure Defender, microsoft cloud app security, azure sentinel
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.mktglfcycl: deploy
ms.technology: mde
Microsoft Defender for Endpoint directly integrates with various Microsoft solutions.
-### Azure Security Center
+### Azure Defender
Microsoft Defender for Endpoint provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. ### Azure Sentinel
Microsoft Defender for Endpoint's dynamic device risk score is integrated into t
Microsoft Cloud App Security leverages Microsoft Defender for Endpoint endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored devices. ### Microsoft Defender for Identity
-Suspicious activities are processes running under a user context. The integration between Microsoft Defender for Endpoint and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities.
+Suspicious activities are processes running under a user context. The integration between Microsoft Defender for Endpoint and Microsoft Defender for Identity provides the flexibility of conducting cyber security investigation across activities and identities.
### Microsoft Defender for Office
-[Defender for Office 365](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender for Endpoint enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
+[Defender for Office 365](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through Safe Links, Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Microsoft Defender for Office 365 and Microsoft Defender for Endpoint enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
>[!NOTE] > Defender for Office 365 data is displayed for events within the last 30 days. For alerts, Defender for Office 365 data is displayed based on first activity time. After that, the data is no longer available in Defender for Office 365.
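Review bot: the heading `### Microsoft Defender for Office` (unchanged context) now sits above a `+` line that was rewritten to say "Microsoft Defender for Office 365"; since the whole change is about consistent product naming, the heading should carry the same full name, and the keyword `microsoft defender for office` in the `+` keywords line of this file could be updated the same way. The renamed "Azure Defender" heading and the "Microsoft Defender for Identity" sentence otherwise read correctly.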
security Time Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/time-settings.md
Title: Microsoft Defender Security Center time zone settings description: Use the info contained here to configure the Microsoft Defender Security Center time zone settings and view license information.
-keywords: settings, Microsoft Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
+keywords: settings, Microsoft Defender, cybersecurity threat intelligence, Microsoft Defender for Endpoint, time zone, utc, local time, license
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Troubleshoot Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr.md
Title: Troubleshoot problems with attack surface reduction rules description: Resources and sample code to troubleshoot issues with attack surface reduction rules in Microsoft Defender for Endpoint.
-keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender for endpoint, microsoft defender advanced threat protection
+keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: m365-security
security Troubleshoot Cloud Connect Mdemac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-cloud-connect-mdemac.md
Title: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS description: This topic describes how to troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Troubleshoot Mdatp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-mdatp.md
Title: Troubleshoot Microsoft Defender for Endpoint service issues description: Find solutions and workarounds to known issues such as server errors when trying to access the service.
-keywords: troubleshoot microsoft defender for endpoint, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, allow, event viewer
+keywords: troubleshoot Microsoft Defender for Endpoint, server error, access denied, invalid credentials, no data, dashboard portal, allow, event viewer
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
Support of use of comma as a separator in numbers are not supported. Regions whe
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) ## Microsoft Defender for Endpoint tenant was automatically created in Europe
-When you use Azure Security Center to monitor servers, a Microsoft Defender for Endpoint tenant is automatically created. The Microsoft Defender for Endpoint data is stored in Europe by default.
+When you use Azure Defender to monitor servers, a Microsoft Defender for Endpoint tenant is automatically created. The Microsoft Defender for Endpoint data is stored in Europe by default.
security Troubleshoot Np https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md
Title: Troubleshoot problems with Network protection description: Resources and sample code to troubleshoot issues with Network protection in Microsoft Defender for Endpoint.
-keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender for endpoint, microsoft defender advanced threat protection
+keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: manage
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
First, you should check that the service is set to start automatically when Wind
### Ensure the device has an Internet connection
-The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
+The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
security Tvm Assign Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-assign-device-value.md
Title: Assign device value - threat and vulnerability management description: Learn how to assign a low, normal, or high value to a device to help you differentiate between asset priorities.
-keywords: microsoft defender for endpoint device value, threat and vulnerability management device value, high value devices, device value exposure score
+keywords: Microsoft Defender for Endpoint device value, threat and vulnerability management device value, high value devices, device value exposure score
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Dashboard Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-dashboard-insights.md
Title: Dashboard insights - threat and vulnerability management description: The threat and vulnerability management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
-keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
+keywords: Microsoft Defender for Endpoint-tvm, Microsoft Defender for Endpoint-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: m365-security
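Review bot: the mechanical replacement of `mdatp-tvm` produces the keyword `Microsoft Defender for Endpoint-tvm`, where the hyphen now glues "tvm" to "Endpoint" instead of to the product acronym; the other tvm hunks in this set use the unhyphenated form (for example `Microsoft Defender for Endpoint tvm remediation`), so `Microsoft Defender for Endpoint tvm` (or simply the spelled-out `threat and vulnerability management`, already in the list) would be more consistent.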
security Tvm End Of Support Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-end-of-support-software.md
Title: Plan for end-of-support software and software versions description: Discover and plan for software and software versions that are no longer supported and won't receive security updates.
-keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
+keywords: threat and vulnerability management, Microsoft Defender for Endpoint tvm security recommendation, cybersecurity recommendation, actionable security recommendation
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Exception https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-exception.md
Title: Create and view exceptions for security recommendations - threat and vulnerability management description: Create and monitor exceptions for security recommendations in threat and vulnerability management.
-keywords: microsoft defender for endpoint tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
+keywords: Microsoft Defender for Endpoint tvm remediation, Microsoft Defender for Endpoint tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-exposure-score.md
Title: Exposure score in threat and vulnerability management description: The threat and vulnerability management exposure score reflects how vulnerable your organization is to cybersecurity threats.
-keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender for Endpoint
+keywords: exposure score, Microsoft Defender for Endpoint exposure score, Microsoft Defender for Endpoint tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Hunt Exposed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-hunt-exposed-devices.md
Title: Hunt for exposed devices description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate.
-keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls
+keywords: Microsoft Defender for Endpoint-tvm scenarios, Microsoft Defender for Endpoint, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
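Review bot: `Microsoft Defender for Endpoint-tvm scenarios` in the `+` keywords line carries the hyphen over from `mdatp-tvm`, which no longer makes sense once the acronym is expanded; `Microsoft Defender for Endpoint tvm scenarios` matches the form used in the neighbouring tvm hunks.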
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices.md
Title: Microsoft Secure Score for Devices description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls.
-keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline
+keywords: Microsoft Secure Score for Devices, Microsoft Defender for Endpoint Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-prerequisites.md
Title: Prerequisites & permissions - threat and vulnerability management description: Before you begin using threat and vulnerability management, make sure you have the relevant configurations and permissions.
-keywords: threat & vulnerability management permissions prerequisites, threat and vulnerability management permissions prerequisites, MDATP TVM permissions prerequisites, vulnerability management
+keywords: threat & vulnerability management permissions prerequisites, threat and vulnerability management permissions prerequisites, Microsoft Defender for Endpoint TVM permissions prerequisites, vulnerability management
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-remediation.md
Title: Remediate vulnerabilities with threat and vulnerability management description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in threat and vulnerability management.
-keywords: microsoft defender for endpoint tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
+keywords: Microsoft Defender for Endpoint tvm remediation, Microsoft Defender for Endpoint tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-security-recommendation.md
Title: Security recommendations by threat and vulnerability management description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value, in threat and vulnerability management.
-keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation
+keywords: threat and vulnerability management, Microsoft Defender for Endpoint tvm security recommendation, cybersecurity recommendation, actionable security recommendation
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-software-inventory.md
Title: Software inventory in threat and vulnerability management description: The software inventory page for Microsoft Defender for Endpoint's threat and vulnerability management shows how many weaknesses and vulnerabilities have been detected in software.
-keywords: threat and vulnerability management, microsoft defender for endpoint, microsoft defender for endpoint software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory
+keywords: threat and vulnerability management, Microsoft Defender for Endpoint, Microsoft Defender for Endpoint software inventory, Microsoft Defender for Endpoint threat & vulnerability management, Microsoft Defender for Endpoint threat & vulnerability management software inventory, Microsoft Defender for Endpoint tvm software inventory, tvm software inventory
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Supported Os https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-supported-os.md
Title: Supported operating systems and platforms for threat and vulnerability management description: Ensure that you meet the operating system or platform requisites for threat and vulnerability management, so the activities in your all devices are properly accounted for.
-keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm,
+keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, Microsoft Defender for Endpoint-tvm supported os, Microsoft Defender for Endpoint-tvm,
search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: m365-security
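Review bot: two points on the `+` keywords line: `Microsoft Defender for Endpoint-tvm supported os` and the final `Microsoft Defender for Endpoint-tvm,` keep the hyphen from `mdatp-tvm` and should lose it (`Microsoft Defender for Endpoint tvm ...`), and the list still ends with a trailing comma, which was already there in the `-` line but leaves an empty last keyword; drop it while the line is being rewritten.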
security Tvm Vulnerable Devices Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-vulnerable-devices-report.md
Title: Vulnerable devices report - threat and vulnerability management description: A report showing vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
-keywords: mdatp-tvm vulnerable devices, mdatp, tvm, reduce threat & vulnerability exposure, reduce threat and vulnerability, monitor security configuration
+keywords: Microsoft Defender for Endpoint-tvm vulnerable devices, Microsoft Defender for Endpoint, tvm, reduce threat & vulnerability exposure, reduce threat and vulnerability, monitor security configuration
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
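Review bot: `Microsoft Defender for Endpoint-tvm vulnerable devices` in the `+` keywords line has the same leftover hyphen from `mdatp-tvm`; `Microsoft Defender for Endpoint tvm vulnerable devices` keeps the keyword readable and consistent with the other tvm pages in this change set.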
security Tvm Weaknesses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-weaknesses.md
Title: Vulnerabilities in my organization - threat and vulnerability management description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender for Endpoint threat and vulnerability management capability.
-keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
+keywords: Microsoft Defender for Endpoint threat & vulnerability management, threat and vulnerability management, Microsoft Defender for Endpoint tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Tvm Zero Day Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-zero-day-vulnerabilities.md
Title: Mitigate zero-day vulnerabilities - threat and vulnerability management description: Learn how to find and mitigate zero-day vulnerabilities in your environment through threat and vulnerability management.
-keywords: mdatp tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE
+keywords: Microsoft Defender for Endpoint tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Whats New In Microsoft Defender Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-atp.md
Title: What's new in Microsoft Defender for Endpoint description: See what features are generally available (GA) in the latest release of Microsoft Defender for Endpoint, as well as security features in Windows 10 and Windows Server.
-keywords: what's new in microsoft defender for endpoint, ga, generally available, capabilities, available, new
+keywords: what's new in Microsoft Defender for Endpoint, ga, generally available, capabilities, available, new
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
For more information preview features, see [Preview features](https://docs.micro
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<BR>With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules. -- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<BR> Microsoft Defender for Endpoint integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
+- [Integration with AAzure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<BR> Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)<BR> Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
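Review bot: typo in the `+` line: the link text reads `[Integration with AAzure Defender]` and should be `[Integration with Azure Defender]`. The same line keeps the `#integration-with-azure-security-center` fragment; since this rebranding pass renames an "Azure Security Center" heading to "Azure Defender" elsewhere in the set (threat-protection-integration.md), verify that the heading this fragment points at has not been renamed too, otherwise the anchor will stop matching.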
security Advanced Hunting Aadsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadsignineventsbeta-table.md
Title: AADSignInEventsBeta table in the advanced hunting schema description: Learn about information associated with Azure Active Directory sign-in events table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, file, IP address, device, machine, user, account, identity, AAD
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, file, IP address, device, machine, user, account, identity, AAD
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: m365d
>[!IMPORTANT] > The `AADSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) sign-in events. We will eventually move all sign-in schema information to the `IdentityLogonEvents` table.<br><br>
-> Customers who can access Microsoft 365 Defender through the Azure Security CenterΓÇÖs integrated Microsoft Defender for Endpoint solution, but do not have licenses for Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.
+> Customers who can access Microsoft 365 Defender through the Azure DefenderΓÇÖs integrated Microsoft Defender for Endpoint solution, but do not have licenses for Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.
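Review bot: the possessive in `Azure DefenderΓÇÖs` on the `+` line is a mis-encoded right single quotation mark (`ΓÇÖ` is UTF-8 `’` read through a Windows code page); it was already wrong in the `-` line, but since the sentence is being rewritten anyway, use a plain ASCII apostrophe and drop the article so it reads "through Azure Defender's integrated Microsoft Defender for Endpoint solution".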
 
security Advanced Hunting Aadspnsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadspnsignineventsbeta-table.md
Title: AADSpnSignInEventsBeta table in the advanced hunting schema description: Learn about information associated with Azure Active Directory service principal and managed identity sign-in events table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, entities, evidence, file, IP address, device, machine, user, account, identity, AAD
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, entities, evidence, file, IP address, device, machine, user, account, identity, AAD
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: m365d
>[!IMPORTANT] > The `AADSpnSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) service principal and managed identity sign-in events. We will eventually move all sign-in schema information to the `IdentityLogonEvents` table.<br><br>
-> Customers who can access Microsoft 365 Defender through the Azure Security CenterΓÇÖs integrated Microsoft Defender for Endpoint solution, but do not have licenses for Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.
+> Customers who can access Microsoft 365 Defender through the Azure DefenderΓÇÖs integrated Microsoft Defender for Endpoint solution, but do not have licenses for Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.
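Review bot: same encoding defect as in the AADSignInEventsBeta note above: the "+" line keeps "Azure DefenderΓÇÖs" with the garbled apostrophe; write "Azure Defender's" while renaming the product so both beta-table notes render cleanly.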
security Advanced Hunting Alertevidence Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-alertevidence-table.md
Title: AlertEvidence table in the advanced hunting schema description: Learn about information associated with alerts in the AlertEvidence table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, entities, evidence, file, IP address, device, machine, user, account
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, entities, evidence, file, IP address, device, machine, user, account
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Alertinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-alertinfo-table.md
Title: AlertInfo table in the advanced hunting schema description: Learn about alert generation events in the AlertInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, severity, category, MITRE, ATT&CK, Microsoft Defender ATP, MDATP, Office 365 ATP, Microsoft Cloud App Security, MCAS, and Azure ATP
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AlertInfo, alert, severity, category, MITRE, ATT&CK, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, MCAS, and Microsoft Defender for Identity
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Appfileevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-appfileevents-table.md
Title: AppFileEvents table in the advanced hunting schema description: Learn about file-related events associated with cloud apps and services in the AppFileEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AppFileEvents, Cloud App Security, MCAS
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AppFileEvents, Cloud App Security, MCAS
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Assignedipaddresses Function https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-assignedipaddresses-function.md
Title: AssignedIPAddresses() function in advanced hunting for Microsoft 365 Defender description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
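Review bot: the updated keywords line for the AssignedIPAddresses() page still lists "FileProfile, file profile", which belong to the FileProfile() function article; while the product name is being corrected, swap those two entries for terms that match this page (for example "AssignedIPAddresses, IP address, device").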
security Advanced Hunting Best Practices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-best-practices.md
Title: Advanced hunting query best practices in Microsoft 365 Defender description: Learn how to construct fast, efficient, and error-free threat hunting queries with advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema, kusto, avoid timeout, command lines, process id, optimize, best practice, parse, join, summarize
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema, kusto, avoid timeout, command lines, process id, optimize, best practice, parse, join, summarize
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Cloudappevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-cloudappevents-table.md
Title: CloudAppEvents table in the advanced hunting schema description: Learn about events from cloud apps and services in the CloudAppEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, CloudAppEvents, Cloud App Security, MCAS
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, CloudAppEvents, Cloud App Security, MCAS
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Deviceevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceevents-table.md
Title: DeviceEvents table in the advanced hunting schema description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, DeviceEvents
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, DeviceEvents
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Devicefilecertificateinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefilecertificateinfo-table.md
Title: DeviceFileCertificateInfo table in the advanced hunting schema description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, digital signature, certificate, file signing, DeviceFileCertificateInfo
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, digital signature, certificate, file signing, DeviceFileCertificateInfo
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Devicefileevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefileevents-table.md
Title: DeviceFileEvents table in the advanced hunting schema description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, DeviceFileEvents, files, path, hash, sha1, sha256, md5
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, DeviceFileEvents, files, path, hash, sha1, sha256, md5
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Devicefromip Function https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicefromip-function.md
Title: DeviceFromIP() function in advanced hunting for Microsoft 365 Defender description: Learn how to use the DeviceFromIP() function to get the devices that have been assigned a specific IP address
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, device, devicefromIP, function, enrichment
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, device, devicefromIP, function, enrichment
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Deviceimageloadevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceimageloadevents-table.md
Title: DeviceImageLoadEvents table in the advanced hunting schema description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DeviceImageLoadEvents, DLL loading, library, file image
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DeviceImageLoadEvents, DLL loading, library, file image
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Deviceinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceinfo-table.md
Title: DeviceInfo table in the advanced hunting schema description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, DeviceInfo, device, machine, OS, platform, users
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, DeviceInfo, device, machine, OS, platform, users
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Devicelogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicelogonevents-table.md
Title: DeviceLogonEvents table in the advanced hunting schema description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, DeviceLogonEvents, authentication, logon, sign in
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, DeviceLogonEvents, authentication, logon, sign in
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Devicenetworkevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table.md
Title: DeviceNetworkEvents table in the advanced hunting schema description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, NetworkCommunicationEvents, network connection, remote ip, local ip
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, NetworkCommunicationEvents, network connection, remote ip, local ip
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Devicenetworkinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicenetworkinfo-table.md
Title: DeviceNetworkInfo table in the advanced hunting schema description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, DeviceNetworkInfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, DeviceNetworkInfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Deviceprocessevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table.md
Title: DeviceProcessEvents table in the advanced hunting schema description: Learn about the process spawning or creation events in the DeviceProcessEventstable of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, DeviceProcessEvents, process id, command line, DeviceProcessEvents
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, DeviceProcessEvents, process id, command line, DeviceProcessEvents
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
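Review bot: the keywords line keeps "DeviceProcessEvents" twice (once after "processcreationevents" and again as the last item); drop the trailing duplicate. The title line directly above also runs "DeviceProcessEventstable" together and needs a space before "table".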
security Advanced Hunting Deviceregistryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-deviceregistryevents-table.md
Title: DeviceRegistryEvents table in the advanced hunting schema description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, DeviceRegistryEvents, key, subkey, value
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, DeviceRegistryEvents, key, subkey, value
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Devicetvmsecureconfigurationassessment Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
Title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema description: Learn about security assessment events in the DeviceTvmSecureConfigurationAssessment table of the advanced hunting schema. These threat & vulnerability management events provide device information as well as security configuration details, impact, and compliance information.
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Devicetvmsecureconfigurationassessmentkb Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
Title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Devicetvmsoftwareinventory Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwareinventory-table.md
Title: DeviceTvmSoftwareInventory table in the advanced hunting schema description: Learn about the inventory of software in your devices in the DeviceTvmSoftwareInventory table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
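Review bot: the keywords line for the DeviceTvmSoftwareInventory article ends with "OS DeviceTvmSoftwareInventoryVulnerabilities", which both lacks the separating comma after "OS" and names a table other than the one this article documents; end the list with ", DeviceTvmSoftwareInventory" instead.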
security Advanced Hunting Devicetvmsoftwareinventoryvulnerabilities Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
Title: DeviceTvmSoftwareInventory table in the advanced hunting schema description: Learn about the inventory of software in your devices in the DeviceTvmSoftwareInventory table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
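Review bot: this keywords line is a verbatim copy of the DeviceTvmSoftwareInventory entry above, including the missing comma between "OS" and "DeviceTvmSoftwareInventoryVulnerabilities", and the title line of this devicetvmsoftwareinventoryvulnerabilities-table.md article also reads "DeviceTvmSoftwareInventory table"; add the comma and make the title name the table this file covers.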
security Advanced Hunting Devicetvmsoftwarevulnerabilities Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md
Title: DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema description: Learn about the software vulnerabilities found on devices and the list of available security updates that address each vulnerability in the DeviceTvmSoftwareVulnerabilities table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
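Review bot: the keywords line for the DeviceTvmSoftwareVulnerabilities article ends with "OS DeviceTvmSoftwareInventoryVulnerabilities" (no comma after "OS", and the table name carried over from the inventory pages rather than this one); end it with ", DeviceTvmSoftwareVulnerabilities" to match the title.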
security Advanced Hunting Devicetvmsoftwarevulnerabilitieskb Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
Title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema, reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema, reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Emailattachmentinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailattachmentinfo-table.md
Title: EmailAttachmentInfo table in the advanced hunting schema description: Learn about email attachment information in the EmailAttachmentInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailAttachmentInfo, network message id, sender, recipient, attachment id, attachment name, malware verdict
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailAttachmentInfo, network message id, sender, recipient, attachment id, attachment name, malware verdict
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Emailevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailevents-table.md
Title: EmailEvents table in the advanced hunting schema description: Learn about events associated with Microsoft 365 emails in the EmailEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailEvents, network message id, sender, recipient, attachment id, attachment name, malware verdict, phishing verdict, attachment count, link count, url count
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailEvents, network message id, sender, recipient, attachment id, attachment name, malware verdict, phishing verdict, attachment count, link count, url count
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Emailpostdeliveryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table.md
Title: EmailPostDeliveryEvents table in the advanced hunting schema description: Learn about post-delivery actions taken on Microsoft 365 emails in the EmailPostDeliveryEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailPostDeliveryEvents, network message id, sender, recipient, attachment id, attachment name, malware verdict, phishing verdict, attachment count, link count, url count
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailPostDeliveryEvents, network message id, sender, recipient, attachment id, attachment name, malware verdict, phishing verdict, attachment count, link count, url count
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Emailurlinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailurlinfo-table.md
Title: EmailUrlInfo table in the advanced hunting schema description: Learn about URL or link information in the EmailUrlInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailUrlInfo, network message id, url, link
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, EmailUrlInfo, network message id, url, link
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-errors.md
Title: Handle errors in advanced hunting for Microsoft 365 Defender description: Understand errors displayed when using advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error, limits, quota, parameter, allocation
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error, limits, quota, parameter, allocation
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Expert Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-expert-training.md
Title: Get expert training on advanced hunting description: Free training and guidance from advanced hunting experts
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, language, training, scenarios, basic to advanced, videos, step-by-step
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, language, training, scenarios, basic to advanced, videos, step-by-step
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Extend Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-extend-data.md
Title: Extend advanced hunting coverage with the right settings description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting
-keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Threat Protection
+keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft 365 Defender
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Fileprofile Function https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-fileprofile-function.md
Title: FileProfile() function in advanced hunting for Microsoft 365 Defender description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Find Ransomware https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-find-ransomware.md
Title: Find ransomware with advanced hunting description: Use advanced hunting to locate devices potentially affected by ransomware.
-keywords: advanced hunting, ransomware, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Threat Protection, Microsoft 365 Defender
+keywords: advanced hunting, ransomware, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft 365 Defender
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Go Hunt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-go-hunt.md
Title: Get relevant info about an entity with go hunt description: Learn how to use the go hunt tool on to quickly query for relevant information about an entity or event using advanced hunting.
-keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Threat Protection
+keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft 365 Defender
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Identitydirectoryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table.md
Title: IdentityDirectoryEvents table in the advanced hunting schema description: Learn about domain controller and Active Directory events in the IdentityDirectoryEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityDirectoryEvents, domain controller, Active Directory, Azure ATP, identities
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityDirectoryEvents, domain controller, Active Directory, Microsoft Defender for Identity, identities
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Identityinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityinfo-table.md
Title: IdentityInfo table in the advanced hunting schema description: Learn about user account information in the IdentityInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AccountInfo, IdentityInfo, account
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, AccountInfo, IdentityInfo, account
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Identitylogonevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table.md
Title: IdentityLogonEvents table in the advanced hunting schema description: Learn about authentication events recorded by Active Directory in the IdentityLogonEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityLogonEvents, Azure AD, Active Directory, Azure ATP, identities
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityLogonEvents, Azure AD, Active Directory, Microsoft Defender for Identity, identities
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Identityqueryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-identityqueryevents-table.md
Title: IdentityQueryEvents table in the advanced hunting schema description: Learn about Active Directory query events in the IdentityQueryEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityQueryEvents, Azure AD, Active Directory, Azure ATP, identities, LDAP queries
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, column, data type, description, IdentityQueryEvents, Azure AD, Active Directory, Microsoft Defender for Identity, identities, LDAP queries
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Limits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-limits.md
Title: Advanced hunting quotas and usage parameters in Microsoft 365 Defender description: Understand various quotas and usage parameters (service limits) that keep the advanced hunting service responsive
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results, quota, parameters, allocation
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results, quota, parameters, allocation
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Migrate From Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-migrate-from-mde.md
Title: Migrate advanced hunting queries from Microsoft Defender for Endpoint description: Learn how to adjust your Microsoft Defender for Endpoint queries so you can use them in Microsoft 365 Defender
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, microsoft defender atp, mdatp, search, query, telemetry, custom detections, schema, kusto, microsoft 365, mapping
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, Microsoft Defender for Endpoint, search, query, telemetry, custom detections, schema, kusto, mapping
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-overview.md
Title: Overview - Advanced hunting description: Learn about advanced hunting queries in Microsoft 365 and how to use them to proactively find threats and weaknesses in your network
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, custom detections, schema, kusto, microsoft 365, Microsoft Threat Protection
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Query Emails Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-emails-devices.md
Title: Hunt for threats across devices, emails, apps, and identities with advanced hunting description: Study common hunting scenarios and sample queries that cover devices, emails, apps, and identities.
-keywords: advanced hunting, Office365 data, Windows devices, Office365 emails normalize, emails, apps, identities, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft Threat Protection
+keywords: advanced hunting, Office365 data, Windows devices, Office365 emails normalize, emails, apps, identities, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft 365, Microsoft 365 Defender
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Query Language https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-language.md
Title: Learn the advanced hunting query language in Microsoft 365 Defender description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types, powershell download, query example
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types, powershell download, query example
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Query Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-results.md
Title: Work with advanced hunting query results in Microsoft 365 Defender description: Make the most of the query results returned by advanced hunting in Microsoft 365 Defender
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, custom detections, schema, kusto, microsoft 365, Microsoft Threat Protection, visualization, chart, filters, drill-down
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill-down
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Schema Changes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-schema-changes.md
Title: Naming changes in the Microsoft 365 Defender advanced hunting schema description: Track and review naming changes tables and columns in the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, data, naming changes, rename, Microsoft Threat Protection
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, data, naming changes, rename
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Schema Tables https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-schema-tables.md
Title: Data tables in the Microsoft 365 Defender advanced hunting schema description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, table, data
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, schema reference, kusto, table, data
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Shared Queries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-shared-queries.md
Title: Use shared queries in Microsoft 365 Defender advanced hunting description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Advanced Hunting Take Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-take-action.md
Title: Take action on advanced hunting query results in Microsoft 365 Defender description: Quickly address threats and affected assets in your advanced hunting query results
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, take action
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, take action
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Api Advanced Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-advanced-hunting.md
Title: Microsoft 365 Defender advanced hunting API description: Learn how to run advanced hunting queries using Microsoft 365 Defender's advanced hunting API
-keywords: Advanced Hunting, APIs, api, MTP, M365 Defender, Microsoft 365 Defender
+keywords: Advanced Hunting, APIs, api, M365 Defender, Microsoft 365 Defender
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
ms.technology: m365d
**Applies to:** -- Microsoft Threat Protection
+- Microsoft 365 Defender
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
security Api Articles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-articles.md
Title: Other security and threat protection APIs description: View a list of APIs related to Microsoft security and threat protection products.
-keywords: api, security, threat protection, mde, microsoft defender for endpoint, microsoft defender atp, office 365 advanced threat protection, microsoft defender advanced threat protection, cloud app security
+keywords: api, security, threat protection, mde, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, cloud app security
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Api Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-error-codes.md
Title: Common Microsoft 365 Defender REST API error codes description: Learn about the common Microsoft 365 Defender REST API error codes
-keywords: api, error, codes, common errors, mtp, api error codes
+keywords: api, error, codes, common errors, Microsoft 365 Defender, api error codes
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
ms.technology: m365d
**Applies to:** -- Microsoft Threat Protection
+- Microsoft 365 Defender
> [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
security Api List Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-list-incidents.md
devices | All devices where alerts related to the incident were sent. | \[\] (se
Field name | Description | Example value -|-|-
-DeviceId | The device ID as designated in Microsoft Defender ATP. | 24c222b0b60fe148eeece49ac83910cc6a7ef491
+DeviceId | The device ID as designated in Microsoft Defender for Endpoint. | 24c222b0b60fe148eeece49ac83910cc6a7ef491
aadDeviceId | The device ID as designated in [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis). Only available for domain-joined devices. | null deviceDnsName | The fully qualified domain name for the device. | user5cx.middleeast.corp.contoso.com osPlatform | The OS platform the device is running.| WindowsServer2016
security Api Supported https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-supported.md
Title: Supported Microsoft 365 Defender APIs description: Supported Microsoft 365 Defender APIs
-keywords: MTP, APIs, api
+keywords: Microsoft 365 Defender, APIs, api
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
All APIs along the `/api` path use the [OData](/odata/overview) Protocol; for ex
## Related articles - [Microsoft 365 Defender APIs overview](api-overview.md)-- [Access the Microsoft Threat Protection APIs](api-access.md)
+- [Access the Microsoft 365 Defender APIs](api-access.md)
- [Learn about API limits and licensing](api-terms.md) - [Understand error codes](api-error-codes.md)
security Config M365d Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/config-m365d-eval.md
Title: Configure Microsoft 365 Defender pillars for the trial lab or pilot environment description: Configure Microsoft 365 Defender pillars, such as Microsoft Defender for Office 365 , Microsoft Defender for Identity, Microsoft Cloud App Security, and Microsoft Defender for Endpoint, for your trial lab or pilot environment.
-keywords: configure Microsoft Threat Protection trial, Microsoft Threat Protection trial configuration, configure Microsoft Threat Protection pilot project, configure Microsoft Threat Protection pillars, Microsoft Threat Protection pillars
+keywords: configure Microsoft 365 Defender trial, Microsoft 365 Defender trial configuration, configure Microsoft 365 Defender pilot project, configure Microsoft 365 Defender pillars, Microsoft 365 Defender pillars
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
There's a PowerShell Module called the *Office 365 Advanced Threat Protection Re
![Image of_the Microsoft Defender for Identity settings page where you should turn the Microsoft Defender for Endpoint toggle on](../../media/mtp-eval-52.png)
-> [!NOTE]
-> Windows Defender ATP has been rebranded as Microsoft Defender for Endpoint. Rebranding changes across all of our portals are being rolled out the for consistency.
- ## Configure Microsoft Cloud App Security
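Review bot: the alt text on the unchanged image line just above this hunk still reads "Image of_the Microsoft Defender for Identity settings page" with a stray underscore; since this part of config-m365d-eval.md is already being edited, fix it to "Image of the Microsoft Defender for Identity settings page" in the same change. Dropping the rebranding note itself is consistent with the rest of this change set, which removes the old product names everywhere.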
security Custom Detection Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detection-rules.md
Title: Create and manage custom detection rules in Microsoft 365 Defender description: Learn how to create and manage custom detections rules based on advanced hunting queries
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, custom detections, rules, schema, kusto, microsoft 365, Microsoft Threat Protection, RBAC, permissions, Microsoft Defender ATP
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, custom detections, rules, schema, kusto, RBAC, permissions, Microsoft Defender for Endpoint
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Custom Detections Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-detections-overview.md
Title: Overview of custom detections in Microsoft 365 Defender description: Understand how you can use advanced hunting to create custom detections and generate alerts
-keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, custom detections, schema, kusto, microsoft 365, Microsoft Threat Protection
+keywords: advanced hunting, threat hunting, cyber threat hunting, Microsoft 365 Defender, microsoft 365, m365, search, query, telemetry, custom detections, schema, kusto
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Custom Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-roles.md
Title: Custom roles for role-based access control description: Learn how to manage custom roles in Microsoft 365 security center
-keywords: access, permissions, MTP, Microsoft Threat Protection, M365, security, MCAS, MDATP, Cloud App Security, Microsoft Defender Advanced Threat Protection, scope, scoping, RBAC, roles-based access, custom roles-based access, roles-based auth, RBAC in MDO, roles, rolegroups, permissions inheritance, fine-grained permissions
+keywords: access, permissions, Microsoft 365 Defender, M365, security, MCAS, Cloud App Security, Microsoft Defender for Endpoint, scope, scoping, RBAC, roles-based access, custom roles-based access, roles-based auth, RBAC in MDO, roles, rolegroups, permissions inheritance, fine-grained permissions
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Deploy Supported Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/deploy-supported-services.md
Title: Deploy services supported by Microsoft 365 Defender description: Learn about the Microsoft security services that can be integrated by Microsoft 365 Defender, their licensing requirements, and deployment procedures
-keywords: deploy, licenses, supported services, provisioning, configuration Microsoft Threat Protection, M365, license eligibility, Microsoft Defender ATP, MDATP, Office 365 ATP, Azure ATP, Microsoft Cloud App Security, MCAS, advanced threat protection, E5, A5, EMS
+keywords: deploy, licenses, supported services, provisioning, configuration Microsoft 365 Defender, M365, license eligibility, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Cloud App Security, MCAS, E5, A5, EMS
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Device Profile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/device-profile.md
Title: Device profile in Microsoft 365 security portal description: View risk and exposure levels for a device in your organization. Analyze past and present threats, and protect the device with the latest updates.
-keywords: security, malware, Microsoft 365, M365, Microsoft Threat Protection, MTP, security center, Microsoft Defender ATP, Office 365 ATP, Azure ATP, device page, device profile, machine page, machine profile
+keywords: security, malware, Microsoft 365, M365, Microsoft 365 Defender, security center, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, device page, device profile, machine page, machine profile
ms.prod: m365-security ms.mktglfcycl: deploy localization_priority: Normal
security Generate Test Alert https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/generate-test-alert.md
Title: Generate a test Microsoft 365 Defender alert description: Generate a test alert to try how your Microsoft 365 Defender lab environment works
-keywords: Microsoft Threat Protection simulation, try Microsoft Threat Protection, generate test alert in Microsoft Threat Protection, test alert in Microsoft Threat Protection evaluation lab
+keywords: Microsoft 365 Defender simulation, try Microsoft 365 Defender, generate test alert in Microsoft 365 Defender, test alert in Microsoft 365 Defender evaluation lab
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Get Incident Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-incident-notifications.md
Title: Get incident notifications in Microsoft 365 Defender
+ Title: Get incident notifications by email in Microsoft 365 Defender
description: Learn how to create rules to get email notifications for incidents in Microsoft 365 Defender
-keywords: incident, email, email notfications, configure, users, mailbox, email, incidents
+keywords: incident, email, email notfications, configure, users, mailbox, email, incidents, analyze, response
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
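Review bot: the keywords line carries the misspelling "email notfications" forward unchanged in the `+` line; the line is already being edited to add "analyze, response", so correct it to "email notifications" here rather than leaving the typo for a later pass.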
You can set up Microsoft 365 Defender to notify your staff with an email about n
- Device group. - Only on the first update per incident.
-The email notification contains important details about the incident like the incident name, severity, and categories, among others. You can also go directly to the incident and start your investigation right away. For more information, see [Investigate incidents](investigate-incidents.md).
+The email notification contains important details about the incident like the incident name, severity, and categories, among others. You can also go directly to the incident and start your analysis right away. For more information, see [Analyze incidents](investigate-incidents.md).
You can add or remove recipients in the email notifications. New recipients get notified about incidents after they're added.
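Review bot: the link text changes from "Investigate incidents" to "Analyze incidents" while the target stays `investigate-incidents.md`; keeping the filename is the right call (renaming it would break inbound links), but confirm that the target page's title was changed to match, otherwise the link label and the page H1 will disagree. The same relabel is applied in incident-queue.md and incidents-overview.md in this change, so a search for any remaining "Investigate incidents" link text across the defender folder is worth doing before merge.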
To edit an existing rule, select it from the list of rules. On the pane with the
## See also - [Incidents overview](incidents-overview.md) - [Prioritize incidents](incident-queue.md)-- [Investigate incidents](investigate-incidents.md)
+- [Analyze incidents](investigate-incidents.md)
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
Title: Prioritize incidents in Microsoft 365 Defender description: Learn how to filter incidents from the incident queue in Microsoft 365 Defender
-keywords: incident, queue, overview, devices, identities, users, mailbox, email, incidents
+keywords: incident, queue, overview, devices, identities, users, mailbox, email, incidents, analyze, response
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
This table lists the filter names that are available.
| Status | You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved. | |||
-## Incident response workflow
-
-Here's the typical workflow for responding to incidents:
-
-1. Identify and triage the highest priority incidents for investigation and resolution.
-2. For each high-priority incident, begin an [investigation](investigate-incidents.md):
-
- a. View the summary of the incident to understand it's scope and severity and what entities are affected (the **Summary** tab).
-
- b. Begin looking at the alerts to understand their origin, scope, and severity (the **Alerts** tab).
-
- c. As needed, gather information on impacted devices, users, and mailboxes (the **Devices**, **Users**, and **Mailboxes** tabs).
-
- d. See how Microsoft 365 Defender has automatically resolved some alerts (the **Investigations** tab).
-
- e. As needed, use information in the data set for the incident for more information (the **Evidence and Response** tab).
-
- As you investigate, you should be concerned with:
-
- - Containment: Reducing any additional impact on your tenant.
- - Eradication: Removing the security threat.
- - Recovery: Restoring your tenant resources to the state they were in before the incident.
-
-3. After you resolve the incident, take the time to:
-
- - Understand the type of the attack and its impact.
- - Research the attack in the security community for a security attack trend.
- - Recall the workflow you used to resolve the incident and update your standard workflows and playbooks as needed.
- - Determine whether changes in your security posture are needed and take the steps to implement them.
-
-Here's a summary of the basic process.
-- ## Next step
-After you've determined which incident requires the highest priority, select it and begin your [investigation](investigate-incidents.md).
+After you've determined which incident requires the highest priority, select it and begin your [analysis](investigate-incidents.md).
## See also - [Incidents overview](incidents-overview.md)-- [Investigate incidents](investigate-incidents.md)
+- [Analyze incidents](investigate-incidents.md)
- [Manage incidents](manage-incidents.md)
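Review bot: The retained "Next step" paragraph now sends readers only to the analysis article, while the incident response workflow deleted above (triage, containment, eradication, recovery, post-incident review) is re-homed in incidents-overview.md in this same change set; add a link to that overview section here so readers of the prioritize page still find the end-to-end workflow. Also verify that the `## Next step` heading itself survives in the file: the line `-- ## Next step` is ambiguous about whether the heading was removed along with the section, while its body sentence (`+After you've determined which incident requires the highest priority...`) is clearly kept.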
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
Title: Incidents in Microsoft 365 Defender
-description: Investigate incidents seen across devices, users, and mailboxes.
-keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
+description: Investigate incidents seen across devices, users, and mailboxes in the Microsoft 365 security center.
+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
Here's the relationship between an incident and its data and the tabs of an inci
:::image type="content" source="../../media/incidents-overview/incidents-security-center.png" alt-text="The relationship of an incident and its data to the tabs of an incident in the Microsoft 365 security center":::
-## Next step
+## Example incident response workflow for Microsoft 365 Defender
+
+Here's an example workflow for responding to incidents in Microsoft 365 with the Microsoft 365 security center.
++
+On an ongoing basis, identify the highest priority incidents for analysis and resolution in the incident queue and get them ready for response. This is a combination of:
+
+- [Triaging](incident-queue.md) to determining the highest priority incidents through filtering and sorting of the incident queue.
+- [Managing](manage-incidents.md) incidents by modifying their title, assigning them to an analyst, and adding tags and comments.
+
+1. For each incident, begin an [attack and alert analysis](investigate-incidents.md):
+
+ a. View the summary of the incident to understand it's scope and severity and what entities are affected (the **Summary** tab).
+
+ b. Begin analyzing the alerts to understand their origin, scope, and severity (the **Alerts** tab).
+
+ c. As needed, gather information on impacted devices, users, and mailboxes (the **Devices**, **Users**, and **Mailboxes** tabs).
+
+ d. See how Microsoft 365 Defender has automatically resolved some alerts (the **Investigations** tab).
+
+ e. As needed, use information in the data set for the incident for more information (the **Evidence and Response** tab).
+
+2. After or during your analysis, address containment to reduce any additional impact of the attack and eradication of the security threat.
+
+3. As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident.
+
+4. [Resolve](manage-incidents.md#resolve-incident) the incident and take time for post-incident learning to:
+
+ - Understand the type of the attack and its impact.
+ - Research the attack in [Threat Analytics](threat-analytics.md) and the security community for a security attack trend.
+ - Recall the workflow you used to resolve the incident and update your standard workflows, processes, policies, and playbooks as needed.
+ - Determine whether changes in your security configuration are needed and implement them.
+
+## Example security operations for Microsoft 365 Defender
+
+Here's an example of security operations for Microsoft 365 Defender.
++
+Daily tasks can include:
+
+- [Managing](manage-incidents.md) incidents
+- Reviewing [automated investigation and response (AIR)](m365d-action-center.md) actions
+- Reviewing the latest [Threat Analytics](threat-analytics.md)
+- [Responding](investigate-incidents.md) to incidents
+
+Monthly tasks can include:
+
+- Reviewing [AIR settings](m365d-configure-auto-investigation-response.md)
+- Reviewing [Secure Score](microsoft-secure-score-improvement-actions.md) and [Threat & Vulnerability Management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md)
+- Reporting to your IT security management chain
+
+Quarterly tasks can include a report and briefing of security results to the Chief Information Security Officer (CISO).
+
+Annual tasks can include conducting a major incident or breach exercise to test your staff, systems, and processes.
+
+Daily, monthly, quarterly, and annual tasks can be used to update or refine processes, policies, and security configurations.
+
+## Next steps
The incident queue from the **Incidents** page lists the most recent incidents. From here, you can: - See which incidents should be [prioritized](incident-queue.md) based on severity and other factors. -- Perform an [investigation](investigate-incidents.md) of an incident.-- [Manage incidents](manage-incidents.md), which includes renaming, assigning them, classifying, and adding tags for your incident management workflow.
+- [Manage incidents](manage-incidents.md), which includes renaming, assignment, classifying, and adding tags and comments for your incident management workflow.
+- Perform an [analysis](investigate-incidents.md) of an incident.
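Review bot: Step 1a carries over a typo from the text deleted in incident-queue.md: "understand it's scope and severity" should be "its scope". In the bullet "Triaging ... to determining the highest priority incidents", "determining" should be "determine". Structurally, the ongoing triage/manage paragraph and its two bullets sit outside the numbered list, so the list starts at 1 with per-incident analysis and the queue work reads as an unnumbered step; either make it step 1 or say explicitly that steps 1 through 4 apply to each incident selected from the queue. Step 2, "address containment to reduce any additional impact of the attack and eradication of the security threat", pairs a verb phrase with a bare noun; "contain the attack to limit further impact, then eradicate the threat" keeps the two actions parallel.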
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
Title: Investigate alerts in Microsoft 365 Defender
-description: Investigate alerts seen across devices, users, and mailboxes.
-keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
+ Title: Analyze alerts in Microsoft 365 Defender
+description: Analyze alerts seen across devices, users, and mailboxes.
+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
search.appverid:
- MET150 ms.technology: m365d
-# Investigate alerts in Microsoft 365 Defender
+# Analyze alerts in Microsoft 365 Defender
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
ms.technology: m365d
Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Alerts are typically part of a broader attack and provide clues about an incident.
-In Microsoft 365 Defender, related alerts are aggregated together to form [incidents](incidents-overview.md). Incidents will always provide the broader context of an attack, however, investigating alerts can be valuable when deeper analysis is required.
+In Microsoft 365 Defender, related alerts are aggregated together to form [incidents](incidents-overview.md). Incidents will always provide the broader context of an attack, however, analyzing alerts can be valuable when deeper analysis is required.
The **Alerts queue** shows the current set of alerts. You get to the alerts queue from **Incidents & alerts > Alerts** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)).
The list of additional actions depends on the type of alert.
## Resolve an alert
-Once you're done investigating an alert and it can be resolved, go to the **Manage alert** pane for the alert and mark the it status as **Resolved** and classify it as either a **False alert** or **True alert**. For true alerts, specify the alert's threat type in the **Determination** field.
+Once you're done analyzing an alert and it can be resolved, go to the **Manage alert** pane for the alert and mark the it status as **Resolved** and classify it as either a **False alert** or **True alert**. For true alerts, specify the alert's threat type in the **Determination** field.
Classifying alerts and specifying their determination helps tune Microsoft 365 Defender to provide more true alerts and less false alerts. ## See also - [Incidents overview](incidents-overview.md)-- [Investigate incidents](investigate-incidents.md) - [Manage incidents](manage-incidents.md)
+- [Analyze incidents](investigate-incidents.md)
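Review bot: The rewritten Resolve sentence keeps the pre-existing typo "mark the it status as **Resolved**"; since the line is being touched anyway, change it to "mark its status as **Resolved**". The unchanged sentence after it, "more true alerts and less false alerts", should read "fewer false alerts". Separately, the hunk adds an indented ` Title: Analyze alerts ...` line while the original `Title: Investigate alerts ...` line above shows as unchanged context; confirm the old title is actually removed so the front matter does not end up with two title keys, and drop the leading space on the new one.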
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
Title: Investigate incidents in Microsoft 365 Defender
+ Title: Analyze incidents in Microsoft 365 Defender
description: Analyze incidents related to devices, users, and mailboxes.
-keywords: incident, incidents, machines, devices, users, identities, mail, email, mailbox, investigation, graph, evidence
+keywords: incident, incidents, analyze, response, machines, devices, users, identities, mail, email, mailbox, investigation, graph, evidence
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
search.appverid:
ms.technology: m365d
-# Investigate incidents in Microsoft 365 Defender
+# Analyze incidents in Microsoft 365 Defender
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender Microsoft 365 Defender aggregates all related alerts, assets, investigations, and evidence from across your devices, users, and mailboxes into an incident to give you a comprehensive look into the entire breadth of an attack.
-Within an incident, you investigate the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.
+Within an incident, you analyze the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.
-## Initial investigation
+## Initial analysis
Before diving into the details, take a look at the properties and summary of the incident.
Here's an example.
:::image type="content" source="../../media/investigate-incidents/incident-alerts.png" alt-text="Example of an Alerts page for an incident":::
-By default, the alerts are ordered chronologically to allow you to see how the incident played out over time. Selecting each alert takes you to the alert's main page where you can conduct an in-depth investigation of that alert.
+By default, the alerts are ordered chronologically to allow you to see how the incident played out over time. Selecting each alert takes you to the alert's main page where you can conduct an in-depth analysis of that alert.
-Learn how to use the alert queue and alert pages in [Investigate alerts](investigate-alerts.md)
+Learn how to use the alert queue and alert pages in [analyze alerts](investigate-alerts.md)
## Devices
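Review bot: In the changed sentence "Learn how to use the alert queue and alert pages in [analyze alerts](investigate-alerts.md)", the lowercase link text reads as a verb phrase rather than a reference to an article; use the article title "Analyze alerts", matching how "Analyze incidents" is linked elsewhere in this change set, and end the sentence with a period. As in investigate-alerts.md, the new ` Title: Analyze incidents ...` line is added without the original `Title: Investigate incidents ...` line showing as removed; verify the front matter keeps a single title.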
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
Title: Investigate users in Microsoft 365 security center
-description: investigate users in the Microsoft 365 security center
-keywords: security, malware, Microsoft 365, M365, security center, monitor, report, identities, data, devices, apps
+ Title: Analyze users in Microsoft 365 security center
+description: Analyze users in the Microsoft 365 security center
+keywords: security, malware, Microsoft 365, M365, security center, monitor, report, identities, data, devices, apps, incident, analyze, response
ms.prod: m365-security ms.mktglfcycl: deploy localization_priority: Normal
search.appverid: met150
ms.technology: m365d
-# Investigate users in Microsoft 365 security center
+# Analyze users in Microsoft 365 security center
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
ms.technology: m365d
- Microsoft 365 Defender
-Part of your incident investigation can include user accounts. Start with the **Users** tab for an incident from **Incidents & alerts >** *incident* **> Users**.
+Part of your incident analysis can include user accounts. Start with the **Users** tab for an incident from **Incidents & alerts >** *incident* **> Users**.
:::image type="content" source="../../media/investigate-incidents/incident-users.png" alt-text="Example of a Users page for an incident":::
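Review bot: The same front-matter pattern appears here: ` Title: Analyze users ...` is added while `Title: Investigate users ...` shows as unchanged context, so check that only one title key remains and that the new line is not indented. On wording, the body says the analysis covers "user accounts", so "Analyze user accounts in Microsoft 365 security center" would be a more precise H1 and title than "Analyze users".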
security M365d Enable Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable-faq.md
Title: Frequently asked questions when turning on Microsoft 365 Defender description: Get answers to the most commonly asked questions about licensing, permissions, initial settings, and other products and services related to enabling Microsoft 365 Defender
-keywords: frequently asked questions, FAQ, GCC, get started, enable MTP, Microsoft Threat Protection, M365, security, data location, required permissions, license eligibility, settings page
+keywords: frequently asked questions, FAQ, GCC, get started, enable Microsoft 365 Defender, Microsoft 365 Defender, M365, security, data location, required permissions, license eligibility, settings page
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security M365d Enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-enable.md
Title: Turn on Microsoft 365 Defender in the Microsoft 365 security center description: Learn how to enable Microsoft 365 Defender and start integrating your security incident and response.
-keywords: get started, enable MTP, Microsoft Threat Protection, M365, security, data location, required permissions, license eligibility, settings page
+keywords: get started, enable Microsoft 365 Defender, Microsoft 365 Defender, M365, security, data location, required permissions, license eligibility, settings page
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security M365d Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-evaluation.md
Title: Evaluate Microsoft 365 Defender description: Set up your Microsoft 365 Defender trial lab or pilot environment to try out and experience the security solution designed to protect devices, identity, data, and applications in your organization.
-keywords: Microsoft Threat Protection trial, try Microsoft Threat Protection, evaluate Microsoft Threat Protection, Microsoft Threat Protection evaluation lab, Microsoft Threat Protection pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+keywords: Microsoft 365 Defender trial, try Microsoft 365 Defender, evaluate Microsoft 365 Defender, Microsoft 365 Defender evaluation lab, Microsoft 365 Defender pilot, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security M365d Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-permissions.md
Title: Manage access to Microsoft 365 Defender data in the Microsoft 365 security center description: Learn how to manage permissions to data in Microsoft 365 Defender
-keywords: access, permissions, MTP, Microsoft Threat Protection, M365, security, MCAS, MDATP, Cloud App Security, Microsoft Defender Advanced Threat Protection, scope, scoping, RBAC
+keywords: access, permissions, Microsoft 365 Defender, M365, security, MCAS, Cloud App Security, Microsoft Defender for Endpoint, scope, scoping, RBAC
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security M365d Pilot Close https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-pilot-close.md
Title: Summarizing your pilot Microsoft 365 Defender project results description: Conclude your pilot Microsoft 365 Defender project by completing your scorecard, analyzing your report findings, and deciding how to move forward.
-keywords: Microsoft Threat Protection pilot, decide what to do next after pilot Microsoft Threat Protection project, what to do after evaluating Microsoft Threat Protection in production, transition from Microsoft Threat Protection pilot to deployment, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+keywords: Microsoft 365 Defender pilot, decide what to do next after pilot Microsoft 365 Defender project, what to do after evaluating Microsoft 365 Defender in production, transition from Microsoft 365 Defender pilot to deployment, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security M365d Pilot Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-pilot-plan.md
Title: Planning your pilot Microsoft 365 Defender project description: Plan your pilot Microsoft 365 Defender project with stakeholders to manage expectations and ensure successful outcome.
-keywords: Microsoft Threat Protection pilot, plan pilot Microsoft Threat Protection project, evaluate Microsoft Threat Protection in production, Microsoft Threat Protection pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+keywords: Microsoft 365 Defender pilot, plan pilot Microsoft 365 Defender project, evaluate Microsoft 365 Defender in production, Microsoft 365 Defender pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security M365d Pilot Simulate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-pilot-simulate.md
Title: Run your Microsoft 365 Defender attack simulations description: Run attack simulations for your Microsoft 365 Defender pilot project to see how it unfolds and is quickly remediated.
-keywords: Microsoft Threat Protection pilot attack simulation, run Microsoft Threat Protection pilot attack simulation, simulate attack in Microsoft Threat Protection, Microsoft Threat Protection pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+keywords: Microsoft 365 Defender pilot attack simulation, run Microsoft 365 Defender pilot attack simulation, simulate attack in Microsoft 365 Defender, Microsoft 365 Defender pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security M365d Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-pilot.md
Title: Run your pilot Microsoft 365 Defender project description: Run your pilot Microsoft 365 Defender project in production to effectively determine the benefits and adoption of Microsoft 365 Defender.
-keywords: Microsoft Threat Protection pilot, run pilot Microsoft Threat Protection project, evaluate Microsoft Threat Protection in production, Microsoft Threat Protection pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+keywords: Microsoft 365 Defender pilot, run pilot Microsoft 365 Defender project, evaluate Microsoft 365 Defender in production, Microsoft 365 Defender pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
Running a pilot helps you effectively determine the benefit of adoptiing Microso
This guide provides an overview of Microsoft 365 Defender and step-by-step instructions on how to set up your pilot project. Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates protection, detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. It does so by combining and orchestrating the following capabilities into a single security solution:
- - Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection (endpoints)
- - Microsoft Defender for Office 365, the new name for Office 365 ATP (email)
- - Microsoft Defender for Identity, the new name for Azure ATP (identity)
+ - Microsoft Defender for Endpoint (endpoints)
+ - Microsoft Defender for Office 365 (email)
+ - Microsoft Defender for Identity (identity)
- Microsoft Cloud App Security (apps) ![Image of_Microsoft 365 Defender solution for users, Microsoft Defender for Identity, for endpoints Microsoft Defender for Endpoint, for cloud apps, Microsoft Cloud App Security, and for data, Microsoft Defender for Office 365](../../media/mtp/m365pillars.png)
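Review bot: Two drive-by fixes in the context around the edited bullets: the sentence above reads "the benefit of adoptiing Microso...", where "adoptiing" should be "adopting", and the image alt text "Image of_Microsoft 365 Defender solution..." has a stray underscore. Dropping "the new name for ..." from the three bullets is reasonable for a pilot guide, but readers arriving from the old product names lose the mapping; one sentence after the list noting the former names (Microsoft Defender Advanced Threat Protection, Office 365 ATP, Azure ATP) would preserve it without cluttering the bullets.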
security M365d Time Zone https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-time-zone.md
Title: Set the time zone for Microsoft 365 Defender features description: Learn how to choose the time zone for date and time information associated with incidents, automated investigation and remediation, and advanced hunting
-keywords: time zone, date, time, MTP, Microsoft Threat Protection, M365, security, incidents, automated investigation and response, AIR, advanced hunting
+keywords: time zone, date, time, Microsoft 365 Defender, M365, security, incidents, automated investigation and response, AIR, advanced hunting
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
Title: Manage incidents in Microsoft 365 Defender description: Learn how to assign, update the status,
-keywords: incident, incidents, alerts, correlated alerts, assign, update, status, manage, classification, microsoft, 365, m365
+keywords: incident, incidents, analyze, response, alerts, correlated alerts, assign, update, status, manage, classification, microsoft, 365, m365
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
You can display this pane from the **Manage incident** link on the:
- Properties pane of an incident in the incident queue. - **Summary** page of an incident.
-In cases where, while investigating you would like to move alerts from one incident to another, you can also do so from the **Alerts** tab, thus creating a larger or smaller incident that includes all relevant alerts.
+In cases where, while analyzing you would like to move alerts from one incident to another, you can also do so from the **Alerts** tab, thus creating a larger or smaller incident that includes all relevant alerts.
## Edit the incident name
You can add multiple comments to an incident with the **Comment** field. Each co
- [Incidents overview](incidents-overview.md) - [Prioritize incidents](incident-queue.md)-- [Investigate incidents](investigate-incidents.md)
+- [Analyze incidents](investigate-incidents.md)
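Review bot: The reworded sentence "In cases where, while analyzing you would like to move alerts from one incident to another, you can also do so from the **Alerts** tab" is missing the comma that closes the parenthetical, and "analyzing" has no object; "In cases where, while analyzing an incident, you would like to move alerts ..." reads cleanly. The trailing "thus creating a larger or smaller incident that includes all relevant alerts" works better as its own sentence.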
security Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md
Title: Microsoft 365 Defender description: Microsoft 365 Defender is a coordinated threat protection solution designed to protect devices, identity, data and applications
-keywords: introduction to Microsoft Threat Protection, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
+keywords: introduction to MMicrosoft 365 Defender, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
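Review bot: The new keywords line has a typo: "introduction to MMicrosoft 365 Defender" should be "introduction to Microsoft 365 Defender".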
security Microsoft 365 Security Center Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mde.md
Title: Microsoft Defender for Endpoint in the Microsoft 365 security center description: Learn about changes from the Microsoft Defender Security Center to the Microsoft 365 security center
-keywords: Getting started with the Microsoft 365 security center, OATP, MDATP, MDO, MDE, single pane of glass, converged portal, security portal, defender security portal
+keywords: Getting started with the Microsoft 365 security center, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, MDO, MDE, single pane of glass, converged portal, security portal, defender security portal
ms.prod: microsoft-365-enterprise ms.mktglfcycl: deploy localization_priority: Normal
f1.keywords:
Last updated : 04/21/2021 audience: ITPro search.appverid:
This table is a quick reference of the changes between the Microsoft Defender Se
> [!NOTE] > **Automatic investigation and remediation** is now a part of incidents. You can see Automated investigation and remediation events in the **Incident > Investigation** tab.
+> [!TIP]
+> Device search is done from Endpoints > Search.
+ ### Access and reporting |**Area** |**Description of change** |
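Review bot: Style point on the new TIP: the NOTE directly above bolds the navigation path (**Incident > Investigation**), so "Endpoints > Search" should be bolded the same way for consistency. That NOTE also says "Automatic investigation and remediation" while the rest of this change set uses "automated investigation and response (AIR)"; worth aligning the term while the section is being edited.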
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
Title: Microsoft Defender for Office 365 in the Microsoft 365 security center description: Learn about changes from the Office 365 Security and Compliance center to the Microsoft 365 security center.
-keywords: Microsoft 365 security, Getting started with the Microsoft 365 security center, OATP, MDATP, MDO, MDE, single pane of glass, new security portal, new defender security portal
Previously updated : 02/02/2021
+keywords: Microsoft 365 security, Getting started with the Microsoft 365 security center, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, MDO, MDE, single pane of glass, new security portal, new defender security portal
Last updated : 02/21/2021
Also, check the **Related Information** section at the bottom of this article.
> [!IMPORTANT] > The Microsoft 365 Security portal (https://security.microsoft.com) combines security features in https://securitycenter.windows.com, and https://protection.office.com. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics.
+> [!TIP]
+> All Exchange Online Protection (EOP) functions will be included in the Microsoft 365 security center, as EOP is a core element of Defender for Office 365.
+ ## Microsoft 365 security center Home page The Home page of the portal surfaces:
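Review bot: The date line changes from 02/02/2021 to 02/21/2021, but this change lands in the 04/21/2021 batch and the sibling microsoft-365-security-center-mde.md page in this same set carries 04/21/2021, so 02/21/2021 looks like a typo for 04/21/2021. In the new TIP, "All Exchange Online Protection (EOP) functions will be included" is future tense, while the IMPORTANT note above states the portal already combines protection.office.com; if the EOP features are already present, say "are included".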
security Microsoft Secure Score Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-whats-new.md
Microsoft Teams customers will see "Restrict anonymous users from joining meetin
## December 2020
-### Added six accounts-related improvement actions for Microsoft Defender for Endpoint (previously Microsoft Defender ATP):
+### Added six accounts-related improvement actions for Microsoft Defender for Endpoint:
- Set 'Minimum password length' to '14 or more characters' - Set 'Enforce password history' to '24 or more password(s)'
Microsoft Teams customers will see "Restrict anonymous users from joining meetin
The ability to create ServiceNow tickets through Secure Score by going to **Share > ServiceNow** is no longer available. Thank you for your feedback and continued support while we determine next steps.
-### Added three services-related improvement actions for Microsoft Defender for Endpoint (previously Microsoft Defender ATP):
+### Added three services-related improvement actions for Microsoft Defender for Endpoint:
- Fix unquoted service path for Windows services - Change service executable path to a common protected location
security Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mssp-access.md
Title: Provide managed security service provider (MSSP) access description: Learn about changes from the Microsoft Defender Security Center to the Microsoft 365 security center
-keywords: Getting started with the Microsoft 365 security center, OATP, MDATP, MDO, MDE, single pane of glass, converged portal, security portal, defender security portal
+keywords: Getting started with the Microsoft 365 security center, Microsoft Defender for Office 365, Microsoft Defender for Endpoint, MDO, MDE, single pane of glass, converged portal, security portal, defender security portal
ms.prod: microsoft-365-enterprise ms.mktglfcycl: deploy localization_priority: Normal
security Overview Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/overview-security-center.md
Title: Microsoft 365 security center overview
+ Title: Microsoft 365 security center overview, combining MDO, MDE, MDI, and MCAS
description: Advantages in the Microsoft 365 security center, combining Microsoft Defender for Office 365 (MDO) and Microsoft Defender for Endpoint (MDE), with Microsoft Defender for Identity (MDI) and Microsoft Cloud App Security (MCAS). This article outlines Microsoft 365 security center advances for administrators. keywords: security, malware, Microsoft 365, M365, security center, monitor, report, identities, data, devices, apps ms.prod: m365-security
ms.mktglfcycl: deploy
localization_priority: Normal f1.keywords: - NOCSH Previously updated : 04/07/2021 Last updated : 04/21/2021
If you need information about what's changed from the Office 365 Security & Comp
- [Defender for Office 365 in the Microsoft 365 security center](microsoft-365-security-center-mdo.md) - [Defender for Endpoint in the Microsoft 365 security center](microsoft-365-security-center-mde.md)
+> [!NOTE]
+> The Microsoft 365 security portal uses and enforces existing roles-based access, and will move each security model into the unified portal. Each converged workload (such as MDO or MDE) has its own roles-based access. The roles already in the products will be converged into the Microsoft 365 security portal, automatically. However, roles and permissions for MCAS will still handled over in MCAS.
+ ## What to expect All the security content that you use in the Office 365 Security and Compliance Center (protection.office.com) and the Microsoft Defender security center (securitycenter.microsoft.com) can now be found in the *Microsoft 365 security center*.
The Microsoft 365 security center emphasizes *unity, clarity, and common goals*
- Common entities - Feature parity with other workloads
+> [!NOTE]
+> The unified Microsoft 365 security center will be accessible without any need for customers to take migration steps or purchase a new license. For example, this new portal will be accessible to administrators with an E3 subscription, just as it is to those with Microsoft Defender for Office 365 Plan 1 and Plan 2; however, Exchange Online Protection, or MDO Plan 1 customers will see only the security features their subscription license supports. The goal of the new center is to centralize security.
+ ## Unified investigations Converging security centers creates a single place for investigating security incidents across Microsoft 365. A primary example is **Incidents** under **Incidents & alerts** on the quick launch of the Microsoft 365 security center.
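Review bot: the first NOTE is missing a verb in its last sentence: `roles and permissions for MCAS will still handled over in MCAS` should read `roles and permissions for MCAS will still be managed in the Cloud App Security portal`. In the same NOTE, `roles-based access` (three occurrences) should be `role-based access`. In the second NOTE, the comma in `Exchange Online Protection, or MDO Plan 1 customers will see only` splits the subject; suggest `Exchange Online Protection or MDO Plan 1 customers will see only the security features their subscription license supports`.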
security Portals https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/portals.md
Title: Microsoft security portals and admin centers description: Find the right Microsoft admin center or portal for managing various services related to Microsoft 365 security
-keywords: security, portals, Microsoft 365, M365, security center, admin center, URL, link, MTP, Microsoft Defender ATP, Microsoft Defender Security Center, Azure ATP, Office 365 ATP, MCAS, WDSI, SCC, Intune, MDM, MEM, ASC, OATP, AATP, Cloud App Security , Azure AD, security & compliance center
+keywords: security, portals, Microsoft 365, M365, security center, admin center, URL, link, Microsoft 365 Defender, Microsoft Defender for Endpoint, Microsoft Defender Security Center, Microsoft Defender for Identity, Microsoft Defender for Office 365, MCAS, WDSI, SCC, Intune, MDM, MEM, ASC, Cloud App Security , Azure AD, security & compliance center
ms.prod: m365-security ms.mktglfcycl: deploy localization_priority: Normal
security Prepare M365d Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/prepare-m365d-eval.md
Title: Prepare your Microsoft 365 Defender trial lab environment description: Prepare stakeholder sign-off, timelines, environment considerations, and adoption order when setting up your Microsoft 365 Defender trial lab or pilot environment
-keywords: MTP trial prep, MTP pilot prep, prep for running an MTP pilot project, run a pilot MTP project, deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption
+keywords: Microsoft 365 Defender trial prep, Microsoft 365 Defender pilot prep, prep for running a Microsoft 365 Defender pilot project, run a pilot Microsoft 365 Defender project, deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/prerequisites.md
Title: Microsoft 365 Defender prerequisites description: Learn about the licensing, hardware and software requirements, and other configuration settings for Microsoft 365 Defender
-keywords: requirements, prerequisites, hardware, software, browser, MTP, M365, license, E5, A5, EMS, purchase
+keywords: requirements, prerequisites, hardware, software, browser, Microsoft 365 Defender, M365, license, E5, A5, EMS, purchase
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Setup M365deval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/setup-m365deval.md
Title: Set up your Microsoft 365 Defender trial lab or pilot environment description: Access Microsoft 365 Security Center then set up your Microsoft 365 Defender trial lab environment
-keywords: Microsoft Threat Protection trial setup, Microsoft Threat Protection pilot setup, try Microsoft Threat Protection, Microsoft Threat Protection evaluation lab setup
+keywords: Microsoft 365 Defender trial setup, Microsoft 365 Defender pilot setup, try Microsoft 365 Defender, Microsoft 365 Defender evaluation lab setup
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Top Scoring Industry Tests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/top-scoring-industry-tests.md
Title: Top scoring in industry tests - Microsoft 365 Defender description: View the latest scores and analysis of Microsoft 365 Defender. It consistently achieves high scores in independent tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK). View the latest scores and analysis.
-keywords: Microsoft Defender Antivirus, Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success
+keywords: Microsoft Defender Antivirus, Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, Microsoft Defender for Endpoint, Microsoft 365 Defender, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success
ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library
security Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/troubleshoot.md
Title: Troubleshoot Microsoft 365 Defender service issues description: Find solutions and workarounds to known Microsoft 365 Defender issues
-keywords: troubleshoot Microsoft Threat Protection, troubleshoot, Azure ATP, issues, add-on, settings page
+keywords: troubleshoot Microsoft 365 Defender, troubleshoot, Microsoft Defender for Identity, issues, add-on, settings page
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
Title: What's new in Microsoft 365 Defender description: Lists the new features and functionality in Microsoft 365 Defender
-keywords: what's new in microsoft threat protection, ga, generally available, capabilities, available, new
+keywords: what's new in Microsoft 365 Defender, ga, generally available, capabilities, available, new
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Address Compromised Users Quickly https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/address-compromised-users-quickly.md
Title: Address compromised user accounts with automated investigation and response
-keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection, compromised
+keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, response, remediation, threats, advanced, threat, protection, compromised
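Review bot: the product substituted for `ATP` in this keywords line is the wrong one. The file sits under `office-365-security` and the title describes compromised-account handling by automated investigation and response in Office 365, so the old `ATP` keyword stood for Office 365 ATP, which is now Microsoft Defender for Office 365, not Microsoft Defender for Endpoint. Suggest `keywords: AIR, autoIR, Microsoft Defender for Office 365, automated, investigation, response, remediation, threats, advanced, threat, protection, compromised`.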
security Air Custom Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-custom-reporting.md
Title: Custom reporting solutions with automated investigation and response
-keywords: SIEM, API, AIR, autoIR, ATP, automated investigation, integration, custom report
+keywords: SIEM, API, AIR, autoIR, Microsoft Defender for Endpoint, automated investigation, integration, custom report
f1.keywords: - NOCSH
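Review bot: same mis-expansion of `ATP` here: the custom-reporting article is a Defender for Office 365 AIR topic (path `office-365-security/air-custom-reporting.md`), so the replacement keyword should be `Microsoft Defender for Office 365` rather than `Microsoft Defender for Endpoint`, which would steer search for the MDE SIEM/API integration to the wrong page.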
security Air Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-remediation-actions.md
Title: Remediation actions in Microsoft Defender for Office 365
-keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection
+keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, response, remediation, threats, advanced, threat, protection
f1.keywords: - NOCSH
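Review bot: the title on the line above this hunk is `Remediation actions in Microsoft Defender for Office 365`, yet the rewritten keywords line now names `Microsoft Defender for Endpoint`. The old `ATP` abbreviation referred to Office 365 ATP; replace it with `Microsoft Defender for Office 365` so the metadata matches the title.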
security Air Review Approve Pending Completed Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions.md
Title: Review and manage remediation actions in Microsoft Defender for Office 365
-keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection
+keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, response, remediation, threats, advanced, threat, protection
f1.keywords: - NOCSH
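Review bot: wrong product again in the keywords line: `Review and manage remediation actions in Microsoft Defender for Office 365` is an MDO article, so `ATP` should expand to `Microsoft Defender for Office 365`, not `Microsoft Defender for Endpoint`.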
security Air View Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-view-investigation-results.md
Title: View the results of an automated investigation in Microsoft 365
-keywords: AIR, autoIR, ATP, automated, investigation, remediation, actions
+keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, remediation, actions
f1.keywords: - NOCSH
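Review bot: `Microsoft Defender for Endpoint` is the wrong expansion of `ATP` for `air-view-investigation-results.md`, which is in the `office-365-security` tree alongside the other Defender for Office 365 AIR articles; use `Microsoft Defender for Office 365` here as well.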
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
Title: Order and precedence of email protection
-keywords: security, malware, Microsoft 365, M365, security center, ATP, Microsoft Defender for Endpoint, Office 365 ATP, Azure ATP
+keywords: security, malware, Microsoft 365, M365, security center, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity
f1.keywords: - NOCSH
security Integrate Office 365 Ti With Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde.md
Title: Use Microsoft Defender for Office 365 together with Microsoft Defender for Endpoint f1.keywords: - NOCSH
-keywords: integrate, Microsoft Defender, ATP
+keywords: integrate, Microsoft Defender, Microsoft Defender for Endpoint
security Investigate Malicious Email That Was Delivered https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md
Title: Investigate malicious email that was delivered in Office 365, Find and investigate malicious email
-keywords: TIMailData-Inline, Security Incident, incident, ATP PowerShell, email malware, compromised users, email phish, email malware, read email headers, read headers, open email headers,special actions
+keywords: TIMailData-Inline, Security Incident, incident, Microsoft Defender for Endpoint PowerShell, email malware, compromised users, email phish, email malware, read email headers, read headers, open email headers,special actions
f1.keywords: - NOCSH
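Review bot: `Microsoft Defender for Endpoint PowerShell` does not match what this article covers. The original `ATP PowerShell` keyword referred to the Defender for Office 365 cmdlets that run in Exchange Online PowerShell, which is what an admin investigating delivered email uses; Defender for Endpoint has no PowerShell module for this scenario. Suggest `Defender for Office 365 PowerShell` or `Exchange Online PowerShell`.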
security Mcas Saas Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mcas-saas-access-policies.md
The following illustration and table provide several examples of policies that c
|Protection level|Example policies| |||
-|Baseline|Alert when files containing this sensitive information type ("Credit Card Number") are shared outside the organization <p> >Block downloads of files containing this sensitive information type (ΓÇ¥Credit card number") to unmanaged devices|
+|Baseline|Alert when files containing this sensitive information type ("Credit Card Number") are shared outside the organization <p> >Block downloads of files containing this sensitive information type ("Credit card number") to unmanaged devices|
|Sensitive|Protect downloads of files containing this sensitive information type ("Credit card number") to managed devices <p> Block downloads of files containing this sensitive information type ("Credit card number") to unmanaged devices <p> Alert when a file with on of these labels is uploaded to OneDrive for Business or Box (Customer data, Human Resources: Salary Data,Human Resources, Employee data)| |Highly regulated|Alert when files with this label ("Highly classified") are downloaded to managed devices <p> Block downloads of files with this label ("Highly classified") to unmanaged devices| |||
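Review bot: the mojibake fix is correct, but the same Baseline cell still carries a stray `>` before `Block downloads` (`<p> >Block downloads ...`) that renders as a literal character or a quote marker; drop it while the row is being edited. Two typos in the unchanged Sensitive row are worth fixing in the same change: `a file with on of these labels` should be `one of these labels`, and `Salary Data,Human Resources` is missing a space after the comma.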
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
search.appverid:
- M365-security-compliance - m365initiative-defender-office365
-description: Microsoft Defender for Office 365 E5 and ATP P1 and ATP P2 customers can now get a 360-degree view of each email with email entity page.
+description: Microsoft Defender for Office 365 E5 and P1 and P2 customers can now get a 360-degree view of each email with email entity page.
# The Email entity page
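Review bot: `Microsoft Defender for Office 365 E5 and P1 and P2 customers` reads as a garbled list once `ATP` is removed. The intended audience is Defender for Office 365 Plan 1 and Plan 2 (Microsoft 365 E5 includes Plan 2), so suggest `Microsoft Defender for Office 365 Plan 1 and Plan 2 customers (including Microsoft 365 E5) can now get a 360-degree view of each email with the email entity page.`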
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
Title: Automated investigation and response in Microsoft Defender for Office 365
-keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection
+keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, response, remediation, threats, advanced, threat, protection
f1.keywords: - NOCSH
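Review bot: the keywords line for `office-365-air.md` now points at `Microsoft Defender for Endpoint`, while the title on the line above is `Automated investigation and response in Microsoft Defender for Office 365`; `ATP` here was Office 365 ATP and should become `Microsoft Defender for Office 365`.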
security Office 365 Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-evaluation.md
Title: Evaluate Microsoft Defender for Office 365 description: Defender for Office 365 in evaluation mode creates Defender for Office 365 email policies that log verdicts, such as malware, but don't act on messages.
-keywords: evaluate Office 365, Microsoft Defender for Office 365, office 365 evaluation, try office 365, Microsoft Defender, ATP
+keywords: evaluate Office 365, Microsoft Defender for Office 365, office 365 evaluation, try office 365, Microsoft Defender, Microsoft Defender for Endpoint
f1.keywords: - NOCSH Last updated : 04/21/2021 audience: ITPro
ms.prod: m365-security
> [!IMPORTANT] > Microsoft Defender for Office 365 evaluation is in public preview. This preview version is provided without a service level agreement. Certain features might not be supported or might have constrained capabilities.
-Conducting a comprehensive security product evaluation can help give you informed decisions on upgrades and purchases. It helps to try out the security product's capabilities to assess how it can help your security operations team in their daily tasks.
+Conducting a thorough security product evaluation can help give you informed decisions on upgrades and purchases. It helps to try out the security product's capabilities to assess how it can help your security operations team in their daily tasks.
The [Microsoft Defender for Office 365](defender-for-office-365.md) evaluation experience is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of Microsoft Defender for Office 365. With evaluation mode, all messages sent to Exchange Online mailboxes can be evaluated without pointing MX records to Microsoft. The feature only applies to email protection and not to Office Clients like Word, SharePoint, or Teams. If you don't already have a license that supports Microsoft Defender for Office 365, you can start a [free 30-day evaluation](https://admin.microsoft.com/AdminPortal/Home#/catalog/offer-details/microsoft-defender-for-office-365-plan-2-/223860DC-15D6-42D9-A861-AE05473069FA) and test the capabilities in the Office 365 Security & Compliance center (https://protection.office.com/homepage). You'll enjoy the quick set-up and you can easily turn it off if necessary.
+> [!NOTE]
+> If you're in the unified Microsoft 365 security portal (security.microsoft.com) you can start a Defender for Office 365 evaluation here: Email & Collaboration > Policies & Rules > Threat Policies > Additional Policies.
+ ## How the evaluation works Defender for Office 365 in evaluation mode creates Defender for Office 365 email policies that log verdicts, such as malware, but don't act on messages. You are not required to change your MX record configuration.
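Review bot: the keywords line of the evaluation article replaces `ATP` with `Microsoft Defender for Endpoint`, but the whole article is about evaluating Microsoft Defender for Office 365 (which is already in the list), so the trailing keyword should be dropped or changed to `Microsoft Defender for Office 365`. The new NOTE with the security.microsoft.com navigation path is useful; consider also saying that the free 30-day evaluation link in the preceding paragraph applies from either portal, since the paragraph still sends readers to protection.office.com.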
security Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md
In addition to the scenarios outlined in this article, you have many more report
- [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](./mdo-for-spo-odb-and-teams.md) - [Get an overview of the views in Threat Explorer (and Real-time detections)](threat-explorer-views.md) - [Threat protection status report](view-email-security-reports.md#threat-protection-status-report)-- [Automated investigation and response in Microsoft Threat Protection](../defender/m365d-autoir.md)
+- [Automated investigation and response in Microsoft 365 Defender](../defender/m365d-autoir.md)
## Required licenses and permissions
security User Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags.md
f1.keywords:
Previously updated : Last updated : 04/21/2021 audience: ITPro
This article explains how to configure user tags in the Security & Compliance Ce
To see how user tags are part of the strategy to help protect high-impact user accounts, see [Security recommendations for priority accounts in Microsoft 365](security-recommendations-for-priority-accounts.md).
+> [!NOTE]
+> If you use the unified Microsoft 365 security center, you can set tags here: https://security.microsoft.com/userTags.
+ ## What do you need to know before you begin? - You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **User tags** page, open <https://protection.office.com/userTags>.
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
Title: What's new in Microsoft Defender for Office 365 description: Learn about the new features and functionality available in the latest release of Microsoft Defender for Office 365.
-keywords: what's new in Office 365 atp, ga, generally available, capabilities, available, new
+keywords: what's new in Microsoft Defender for Office 365, ga, generally available, capabilities, available, new
search.appverid: met150 ms.sitesec: library
security Top Security Tasks For Remote Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/top-security-tasks-for-remote-work.md
Your Global Administrator can configure these protections:
You'll need to work with your Exchange Online administrator and SharePoint Online administrator to configure Defender for Office 365 for these workloads: -- [ATP for SharePoint, OneDrive, and Microsoft Teams](office-365-security/mdo-for-spo-odb-and-teams.md)
+- [Microsoft Defender for Endpoint for SharePoint, OneDrive, and Microsoft Teams](office-365-security/mdo-for-spo-odb-and-teams.md)
## 4: Configure Microsoft Defender for Identity
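Review bot: the new link text contradicts its target and its lead-in sentence. The sentence says you are configuring Defender for Office 365 for these workloads and the target is `mdo-for-spo-odb-and-teams.md`, which documents Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, a Defender for Office 365 feature; `Microsoft Defender for Endpoint for SharePoint, OneDrive, and Microsoft Teams` names the wrong product. Suggest `- [Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](office-365-security/mdo-for-spo-odb-and-teams.md)`.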
solutions Infographics For Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/infographics-for-users.md
+
+ Title: Microsoft 365 infographics for users
+description: These Microsoft 365 infographics can help the users in your organization understand best practices for working in Microsoft 365.
+++
+audience: ITPro
+ Last updated : 04/21/2021
+localization_priority: Normal
+
+- M365solutions
+f1.keywords: NOCSH
++
+# Microsoft 365 infographics for your users
+
+These infographics represent best practices for working and collaborating in Microsoft 365. Share them with your users to help ensure that they are taking advantage of secure storage and sharing for files, holding collaborative meetings, and more.
+
+Find more [downloadable Office infographics](https://support.microsoft.com/office/great-ways-to-work-with-office-6fe70269-b9a4-4ef0-a96e-7a5858b3bd5a) on the [Microsoft 365 training](https://support.microsoft.com/training) site.
+
+<a name="securitytips"></a>
+## Security tips
+
+Download this infographic with security tips for the members of your team - whether your team is a business or nonprofit organization, such as a political campaign:
+
+| Item | Description |
+|:--|:--|
+|[![The help protect your campaign info graphic](../medi)|
+
+<a name="sharefiles"></a>
+## Share your business files
+
+Download an infographic to get a quick overview of ways to share your business files:
+
+| Item | Description |
+|:--|:--|
+|[![Thumb image for Share your business files infographic](../medi)|
+
+<a name="onlinemeeting"></a>
+## Host online meetings
+
+Download an infographic to get a quick overview of how to join or host an online meeting with Microsoft Teams:
+
+| Item | Description |
+|:--|:--|
+|[![Thumb image for Host online meetings infographic](../medi)|
+
+<a name="workfromanywhere"></a>
+## Work from anywhere
+
+Download an infographic to get tips for working from anywhere:
+
+| Item | Description |
+|:--|:--|
+|[![Thumb image for Work from anywhere infographic](../medi)|
+
+<a name="surveywithforms"></a>
+## Survey customers with Forms
+
+Download an infographic to find out how to survey customers (internal or external) with Microsoft Forms:
+
+| Item | Description |
+|:--|:--|
+|[![Thumb image for Survey customers with Forms infographic](../media/solutions-architecture-center/m365-smbscenarios-surveywithforms-square.png)](https://go.microsoft.com/fwlink/?linkid=2079526) <br/> [Download as a PDF](https://go.microsoft.com/fwlink/?linkid=2079526) \ [Download as a PowerPoint](https://go.microsoft.com/fwlink/?linkid=2079446) | Use Microsoft Forms to find out what your customers think. Related article: [Collect information with Microsoft Forms](https://support.microsoft.com/topic/collect-information-with-microsoft-forms-a55d6e0d-04f6-45b8-b05f-b141b8ecb4d5)|
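Review bot: four of the five infographic tables are incomplete as added. The rows for Security tips, Share your business files, Host online meetings and Work from anywhere end at `(../medi)` with no image path, no download links and no description cell, so those tables will not render; only the Survey customers with Forms row is complete and can serve as the template. Also, `f1.keywords: NOCSH` differs from the `f1.keywords: - NOCSH` list form used in the other files in this change; pick one form.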