Updates from: 05/15/2021 03:10:38
Category Microsoft Docs article Related commit history on GitHub Change details
admin Delete A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/delete-a-user.md
description: "Learn how to delete a user account. Decide what to do with the use
If you are a global administrator, when you delete a user you can also give another user access to their email, and choose what to do with their OneDrive content.
-### Things to consider...
+### Things to consider
Before you begin, think about what you want to do with the user's email and OneDrive content, and whether you want to keep the license or stop paying for it.
Since the guided experience walks through the steps to delete a user, here's how
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-2. Select the names of the users that you want to delete, select **More options** (**...**), and then choose **Delete user**.
+2. Select the names of the users that you want to delete, select the three dots (more actions), and then choose **Delete user**.
Although you deleted the user's account, **you're still paying for the license**. See the next procedure to stop paying for the license. Or, you can assign the license to another user. It won't be assigned to someone automatically.
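Review bot: In step 2 the control was named **More options** (**...**) and is now described as "the three dots (more actions)", which changes the label as well as the wording. If the button's name in the admin center is still "More options", keep that name in the step so that screen-reader users and people searching the page can match it, for example "select the three dots (**More options**)". The bold UI-label formatting that the same sentence keeps for **Delete user** is also dropped for this control; the two should be consistent.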
Later when you go through the steps to add another person to your business, you'
## Delete many users at the same time
-See the [Remove-MsolUser](https://docs.microsoft.com/powershell/module/msonline/remove-msoluser) PowerShell cmdlet.
+See the [Remove-MsolUser](/powershell/module/msonline/remove-msoluser) PowerShell cmdlet.
## Fix issues with deleting a user
admin What Subscription Do I Have https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/what-subscription-do-i-have.md
If you're an admin, you can verify which subscriptions your organization has by
## Related content [Subscriptions and billing](../../commerce/index.yml) (links)+
+[View your bill or invoice](../../commerce/billing-and-payments/view-your-bill-or-invoice.md) (article)
+
+[Paying for your subscription](../../commerce/billing-and-payments/pay-for-your-subscription.md) (article)
+
+[Change your billing addresses](../../commerce/billing-and-payments/change-your-billing-addresses.md) (article)
admin Find And Fix Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/find-and-fix-issues.md
description: "Learn to track down any problems you run into while setting up a c
Getting your domain set up to work with Microsoft 365 can be challenging. The DNS system is nitpicky to work with, and the DNS setup for your domain affects important business activities, like email! > [!NOTE]
-> You can check for problems with your domain by checking its status. Go to **Setup** > **Domains** and view the notifications in the **Status** column. If you see an issue, select More actions (three dots), and then choose **Check health**. The pane that opens will describe any issues occurring with your domain.
+> You can check for problems with your domain by checking its status. Go to **Setup** > **Domains** and view the notifications in the **Status** column. If you see an issue, select the three dots (more actions), and then choose **Check health**. The pane that opens will describe any issues occurring with your domain.
## What's going on?
admin Assign Licenses To Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/assign-licenses-to-users.md
When you use the **Active users** page to assign licenses, you assign users lice
2. Select the circles next to the names of the users that you want to assign licenses to.
-3. At the top, select **More options (...)**, then select **Manage product licenses**.
+3. At the top, select the three dots (more actions), then select **Manage product licenses**.
4. In the **Manage product licenses** pane, select **Add to existing product license assignments** \> **Next**. 5. In the **Add to existing products** pane, switch the toggle to the **On** position for the license that you want the selected users to have.\ By default, all services associated with those licenses are automatically assigned to the users. You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want the users to have.
admin Remove Licenses From Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/remove-licenses-from-users.md
When you use the **Active users** page to unassign licenses, you unassign produc
::: moniker-end 2. Select the circles next to the names of the users that you want to unassign licenses for.
-3. At the top, select **More options (...)**, then select **Manage product licenses**.
+3. At the top, select the three dots (more actions), then select **Manage product licenses**.
4. In the **Manage product licenses** pane, select **Replace existing product license assignments** \> **Next**. 5. At the bottom of the **Replace existing products** pane, select the **Remove all product licenses from the selected users** check box, then select **Replace** \> **Close**.
admin Search In The Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/search-in-the-mac.md
Users can be found by display name, last name, first name, username, primary ema
:::image type="content" source="../../media/User-search-stock-picture-domain-blanked.png" alt-text="Screenshot: Search for a user Felix Henderson":::
-If you select the "More actions" menu next to their name, you can reset their password.
+If you select the three dots (more actions) menu next to their name, you can reset their password.
:::image type="content" source="../../media/User-search-stock-picture-reset-password-domain-blanked.png" alt-text="Screenshot: User search with the option to reset password from search result":::
admin Add Partner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/add-partner.md
Follow the steps on the providers page to either search for, or to get matched w
1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page. 2. If you have more than one subscription, select the subscription that you want to edit.
-3. On the right, under the subscription cost, choose **More actions** > **Add partner of record**.
+3. On the right, under the subscription cost, select the three dots (more actions) > **Add partner of record**.
4. Type the Microsoft Partner ID for the partner you're adding, select **Check ID**, and then **Submit**. You can get the partner's Microsoft Partner ID by asking the partner for it. 5. The partner ID displays on the **Subscriptions** page.
admin Deleted User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/deleted-user.md
You may have to delete a [user](../add-users/add-users.md) in your organization.
::: moniker-end
-2. Select a user, and then above the list of users select **More options** (**...**), and then choose **Delete user**.
+2. Select a user, and then above the list of users select the three dots (more actions), and then choose **Delete user**.
3. In the deletion confirmation pane, select **Delete user**. <br/>[Read full article.](../add-users/delete-a-user.md)
admin New Subscription Names https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/new-subscription-names.md
We've changed some of our Office 365 and Microsoft 365 subscription names. You d
- **Office 365 ProPlus** is now **Microsoft 365 Apps for enterprise** [Learn more!](https://go.microsoft.com/fwlink/?linkid=2120533)+
+## Related content
+
+[Subscriptions and billing](../commerce/index.yml) (links)
+
+[View your bill or invoice](../commerce/billing-and-payments/view-your-bill-or-invoice.md) (article)
+
+[Paying for your subscription](../commerce/billing-and-payments/pay-for-your-subscription.md) (article)
+
+[Change your billing addresses](../commerce/billing-and-payments/change-your-billing-addresses.md) (article)
admin Priority Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/priority-accounts.md
Add priority accounts from the Active users page.
1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.
-2. Go to **Users** > **Active users** and choose **...** at the top of the page. Select **Manage priority accounts**.
+2. Go to **Users** > **Active users** and select the three dots (more actions) at the top of the page. Select **Manage priority accounts**.
3. Select **Add accounts**, and on the **Add Priority accounts** page, in the search field, type the name of the person you want to add to the priority accounts list.
admin Whats New In Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/whats-new-in-preview.md
::: moniker-end
-We're continuously adding new features to [the Microsoft 365 admin center](https://docs.microsoft.com/microsoft-365/business-video/admin-center-overview), fixing issues we learn about, and making changes based on your feedback. Take a look below to see what's available for you today. Some features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, [try adding yourself to targeted release](manage/release-options-in-office-365.md).
+We're continuously adding new features to [the Microsoft 365 admin center](../business-video/admin-center-overview.md), fixing issues we learn about, and making changes based on your feedback. Take a look below to see what's available for you today. Some features get rolled out at different speeds to our customers. If you aren't seeing a feature yet, [try adding yourself to targeted release](manage/release-options-in-office-365.md).
And if you'd like to know what's new with other Microsoft cloud
And if you'd like to know what's new with other Microsoft cloud
- [What's new in Microsoft 365 Defender](../security/mtp/whats-new.md) - [What's new in the SharePoint admin center](/sharepoint/what-s-new-in-admin-center) - [Office updates](/OfficeUpdates/)-- [How to check Windows release health](https://docs.microsoft.com/windows/deployment/update/check-release-health)
+- [How to check Windows release health](/windows/deployment/update/check-release-health)
## April 2021
Priority accounts are only available to organizations that meet both of the foll
There are two ways to get started: -- Go to **Users**, and then in the "more actions" menu select **Manage priority accounts** to add users to the list.
+- Go to **Users**, and then in the three dots (more actions) menu select **Manage priority accounts** to add users to the list.
- Go to **Setup**, find the setup task **Monitor your most important accounts**, and then select **Get started**. For more info on priority accounts, check out [Monitoring priority accounts](./setup/priority-accounts.md).
We've started rolling out a new Search experience for the admin center, and we c
- The Search box moved to the header area where it says "Microsoft 365 admin center" so you now search from any page, not just the Home page. We've even got a shortcut: **Alt+S**. - Search is smarter and will give you better results, even faster. Try typing "2fa" to get started. - Search results are organized by the type of item or action you can take.
- - **Users**: Select the user's name and you can edit that user right there. If you select the "more actions" menu next to their name, you can reset their password. You can search by display name, last name, first name, username or primary email address, and email aliases. But to get an exact match, search by primary email address or username.
+ - **Users**: Select the user's name and you can edit that user right there. If you select the three dots (more actions) menu next to their name, you can reset their password. You can search by display name, last name, first name, username or primary email address, and email aliases. But to get an exact match, search by primary email address or username.
- **Groups**: Edit the group from any page, add members, assign owners. - **Actions**: Similar to how you can search for a user and then reset their password, you can also search "reset password" from any page and then reset one or more passwords for users. - **Navigation**: Results under Navigation can quickly help you get to a page in the admin center quickly. For example, searching "roles" will take you to the Roles page for Azure AD roles.
business-video Admin Center Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/admin-center-overview.md
If you have permission to access the admin center, you'll see **Admin** in the l
At the top of the admin center, review the top actions for you. You may see different actions depending on what you've already set up, such as creating new accounts, using Teams, setting up email, and installing Office apps.
-Under **Your organization** on the **Users** tab is a list of people who can access apps and services, add new users, reset passwords, or use the **More actions** menu. Select a person to view or edit their information and settings.
+Under **Your organization** on the **Users** tab is a list of people who can access apps and services, add new users, reset passwords, or use the three dots (more actions) menu. Select a person to view or edit their information and settings.
-On the **Teams** tab, create a new team or manage existing teams. You can manage the members of a team or select **More actions** to change other Teams settings.
+On the **Teams** tab, create a new team or manage existing teams. You can manage the members of a team or select the three dots (more actions) to change other Teams settings.
-On the **Subscriptions** tab, add more products, add licenses, or use the **More actions** menu to modify licenses or payment method.
+On the **Subscriptions** tab, add more products, add licenses, or use the three dots (more actions) menu to modify licenses or payment method.
On the **Learn** tab, browse videos and articles about the admin center and other Microsoft 365 features. To explore more advanced features of the admin center, open the navigation menu and expand the headings to see more. Select **Show all** to see everything in the navigation menu or use the search bar to quickly find what you're looking for.
Specialist workspaces, like Security or Device management, allow for more granul
To get to the Microsoft 365 admin center, go to [admin.microsoft.com](https://admin.microsoft.com) or, if you're already signed in, select the app launcher, and choose **Admin**.
-On the home page, you can create cards for tasks that you perform frequently. To add a new card, select **Add card**, then select the plus sign next to the card you want to add. When you are finished, close the window. You can rearrange the cards by selecting and then dragging them to where you want. To remove a card, select **More actions**, and then choose **Remove**.
+On the home page, you can create cards for tasks that you perform frequently. To add a new card, select **Add card**, then select the plus sign next to the card you want to add. When you are finished, close the window. You can rearrange the cards by selecting and then dragging them to where you want. To remove a card, select the three dots (more actions), and then choose **Remove**.
To view more admin tasks, expand the navigation menu. You'll find advanced configuration settings in the additional admin centers at the bottom.
business-video Create Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/create-sensitivity-labels.md
Sensitivity labels allow you to classify and protect content that is sensitive t
1. Optionally, turn on **Endpoint data loss prevention**. Select **Next**. 1. Optionally, turn on **Auto labeling**. Add a condition. For example, under **Detect content that contains**, select **Add a condition**. Enter the condition; for example, add a condition that if passport, Social Security, or other sensitive information is detected, the label will be added. Select **Next**. 1. Review your settings, and select **Create**. Your label has been created. Repeat this process for any additional labels you want.
-1. By default, labels appear in Office apps in this order: **Confidential**, **Internal**, and **Public**. To change the order, for each label, select **More actions** (the ellipsis), and then move the label up or down. Typically, permissions are listed from the lowest to highest level of permissions.
-1. To add a sub-label to a label, select **More actions**, then **Add sub level**.
+1. By default, labels appear in Office apps in this order: **Confidential**, **Internal**, and **Public**. To change the order, for each label, select the three dots (more actions), and then move the label up or down. Typically, permissions are listed from the lowest to highest level of permissions.
+1. To add a sub-label to a label, select the three dots (more actions), then **Add sub level**.
1. When finished, choose **Publish labels**, **Choose labels to publish**, and then **Add**. Select the labels you want to publish, and then select **Add**, **Done**, and then **Next**. 1. By default, the new label policy is applied to everyone. If you want to limit who the policy is applied to, select **Choose users or groups**, and then **Add**. Select who you want the policy to apply to, and then select **Add**, **Done**, and then **Next**. 1. If you want a default label for documents and email, select the label you want from the drop-down list. Review the remaining settings, adjust as needed, and then select **Next**.
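Review bot: The reworded label-order step still lists the defaults as **Confidential**, **Internal**, **Public** and then says permissions are typically listed from lowest to highest, which reads as the opposite order. Since the line is being edited anyway, reconcile the two statements, either by listing the defaults in the order the last sentence describes or by saying which end of the list is the most restrictive. Admins will follow this step when arranging labels, so it should be unambiguous.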
commerce Change Payment Frequency https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-payment-frequency.md
When you buy a subscription, you choose monthly or annual billing. To change how
2. On the **Products** tab, select the subscription that you want to change. 3. On the subscription details page, in the **Subscription and payment settings** section, select **Edit billing frequency**. 4. In the **Edit billing frequency** pane, choose the option for how often you want to be billed, then select **Change**.+
+## Related content
+
+[View your bill or invoice](../../commerce/billing-and-payments/view-your-bill-or-invoice.md) (article)
+
+[Paying for your subscription](../../commerce/billing-and-payments/pay-for-your-subscription.md) (article)
+
+[Learn how to find and view your bill or invoice](view-your-bill-or-invoice.md) (article)
+
+[Change your billing addresses](change-your-billing-addresses.md) (article)
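Review bot: Two of the added links point at the same article: "View your bill or invoice" uses `../../commerce/billing-and-payments/view-your-bill-or-invoice.md` and "Learn how to find and view your bill or invoice" uses `view-your-bill-or-invoice.md`, which resolve to the same file from this folder. Drop one of them and use the short same-folder path for the rest, as the last two entries already do.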
commerce Manage Billing Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-profiles.md
Last updated 04/02/2021
# Understand billing profiles
-For commercial customers who buy products and services from Microsoft, billing profiles let you customize what items are included on your invoice, and how you pay your invoices.
+A billing profile contains a payment method, Bill-to information, and other invoice settings, such as purchase order number and email invoice preference. You use a billing profile to pay for the products that you buy from Microsoft. A billing profile is automatically created when a user makes a self-service purchase. Each billing profile is invoiced separately.
-Billing profiles include the following information:
+> [!NOTE]
+>
+> Billing profiles are not available to customers who buy products and services from Microsoft.com or on the **Purchase services** page of the Microsoft 365 admin center.
-- **Billing account** &ndash; Name of the billing account the profile is related to-- **Payment methods** &ndash; Credit or debit cards, bank accounts, check, or wire transfer-- **Contact information** &ndash; Billing address and a contact name-- **Invoice settings** &ndash; Currency based on the country of the billing account, an optional PO number, and the option to receive invoices as email attachments-- **Permissions** &ndash; Permissions that allow you to change the billing profile, pay bills, or use the payment method on the billing profile to make purchases
+## What are billing profile roles?
-Use billing profiles to control your purchases and customize your invoice. A monthly invoice is generated for the products bought with the
-billing profile. You can customize the invoice such as update the purchase order number and email invoice preference.
-
-A billing profile is automatically created for your billing account during your first purchase. You can create billing profiles on the
-<a href="https://go.microsoft.com/fwlink/p/?linkid=2103629" target="_blank">Billing profiles</a> page to set up more invoices. For example, you can use different billing profiles when you make purchases for each
-department in your organization. On your next billing date, you'll receive an invoice for each billing profile.
-
-## Billing profile roles
-
-Roles on billing profiles have permissions to control purchases, and view and manage invoices. Assign these roles to users who track, organize, and pay invoices, like members of the procurement team in your organization.
+Roles on billing profiles have permissions to control purchases, and view and manage invoices. Assign these roles to users who track, organize, and pay invoices. For example, members of the procurement team in your organization.
| Role | Description | |-- | |
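Review bot: The new opening paragraph says you use a billing profile to pay for products you buy from Microsoft, and the note directly under it says billing profiles are not available to customers who buy from Microsoft.com or on the **Purchase services** page, so a reader cannot tell which customers actually have one. State the qualifying purchase path in the first paragraph rather than only the exclusions. The reworded roles sentence also now ends in a fragment ("For example, members of the procurement team in your organization."); fold it back into the preceding sentence.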
Roles on billing profiles have permissions to control purchases, and view and ma
| Billing profile reader | Read-only view of everything in a billing profile | | Invoice manager | View and pay bills, and has a read-only view of everything in a billing profile |
-## View billing profiles
+## View my billing profiles
+
+> [!NOTE]
+>
+> If you follow these steps and the billing profiles list is empty, it means that you donΓÇÖt have a billing profile, and canΓÇÖt use this feature.
1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.
-2. Choose **Billing profiles**, and then choose a billing profile from the list.
+2. Select the **Billing profile** tab, then select a billing profile from the list.
- - On the **Overview** tab, you can edit billing profile details, and turn on or off sending an invoice by email.
- - On the **Permissions** tab, you can assign roles to users to pay invoices.
- - On the **Azure credit balance** tab, Azure customers can see transaction balance history for the Azure credits used by that billing profile.
- - On the **Azure credits** tab, Azure customers can see a list of Azure credits associated with that billing profile, and their expiration dates.
+Each billing profile includes the following information:
- > [!NOTE]
- > If you don't have any Azure credits, you won't see the **Azure credit balance** or **Azure credits** tabs.
+- **Billing profile name and status** &ndash; The unique name of the billing profile, and whether the billing profile is active or disabled for purchasing.
+- **Invoice settings** &ndash; Currency based on the country of the billing account, information about invoice frequency and date, the option to receive invoices as email attachments, and an optional PO number field
+- **Payment methods** &ndash; Shows the primary and backup payment method, if any, for the profile
+- **Billing account** &ndash; Name of the billing account the profile is related to. For more information about billing accounts, see [Understand billing accounts](../manage-billing-accounts.md).
+- **Contact information** &ndash; Billing address and contact name and email address
+- **Billing profile roles** &ndash; A list of people who are assigned one of the billing profile roles to do things for that profile. For example, pay bills, add a PO number, or replace the payment method that is used to make purchases.
+
+> [!NOTE]
+>
+> You can only assign billing profile roles to users in your organization.
## Need help? Contact support If you have questions or need help with your Azure charges, <a href="https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest" target="_blank">create a support request with Azure support</a>.
-If you have questions or need help with your billing profile in Microsoft 365 admin center, [contact support for business products](../../business-video/get-help-support.md).
+If you have questions or need help with your billing profile in Microsoft 365 admin center, [contact support](../../business-video/get-help-support.md).
+
+## Related content
+
+[How to pay for your subscription with a billing profile](pay-for-subscription-billing-profile.md) (article)\
+[Understand billing accounts](../manage-billing-accounts.md) (article)\
+[Manage payment methods](manage-payment-methods.md) (article)
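Review bot: The removed **Permissions** tab bullet said where roles are assigned, and the replacement list mentions **Billing profile roles** only as information shown on the profile. The new note "You can only assign billing profile roles to users in your organization" therefore refers to an action the page no longer explains. Add a step saying where a role is assigned or removed. The new text says these roles can pay bills and replace the payment method, so admins need to be able to find and review who holds them.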
commerce Manage Payment Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-payment-methods.md
You can change the payment method used to pay for a single subscription.
1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. On the **Products** tab, find the subscription that you want to pay for with the alternate payment method.
-3. Select **More actions** (three dots), then select **Replace payment method**.
+3. Select the three dots (more actions), then select **Replace payment method**.
4. In the **Replace payment method** pane, from the drop-down list, choose an alternate payment method, or choose to add a payment method. 5. If you add a payment method, enter the card or account details, then select **Save**. 6. Verify that the selected payment method is correct, then select **Replace**.
commerce Understand Your Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice.md
Payment instructions depend on your payment method and are provided at the botto
Azure prepayment is available as a payment method only for eligible Azure product and services.
+## Related content
+
+[Understand your bill or invoice for Microsoft 365 for business](understand-your-invoice2.md) (article)
+
+[Track Microsoft Customer Agreement Azure credit balance](/azure/billing/billing-mca-check-azure-credits-balance) (article)
+
+[Review your Microsoft Customer Agreement invoice](/azure/cost-management-billing/understand/review-customer-agreement-bill) (article)
+
+[Get started with your Microsoft Customer Agreement billing account](/azure/billing/billing-mca-overview) (article)
++ ## Need help? Contact support If you have questions or need help with your Azure credits, <a href="https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest" target="_blank">create a support request with Azure support</a>.
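Review bot: The new **Related content** section is inserted above "## Need help? Contact support" here, while the same update adds it below that section in manage-billing-profiles.md. Pick one position and use it in both files, preferably last on the page. The line that now reads "++ ## Need help? Contact support" also suggests the blank line before that heading changed; check that the heading still starts on its own line so it renders as a heading.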
commerce Understand Your Invoice2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice2.md
If you pay by invoice, you can add or change the purchase order (PO) number for
## Related content
+[Learn how to find and view your bill or invoice](view-your-bill-or-invoice.md) (article)
+
+[Change your billing addresses](change-your-billing-addresses.md) (article)
+
+[Change your organization's address, technical contact email, and other information](../../admin/manage/change-address-contact-and-more.md) (article)
+ [Pay for your Microsoft 365 for business subscription](pay-for-your-subscription.md) (article)\+ [Minecraft: Education Edition payment options](/education/windows/school-get-minecraft) (article)
commerce Close Your Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/close-your-account.md
If your organization uses Active Directory that synchronizes with Microsoft Azur
## Step 2: Cancel all active subscriptions 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the **Products** tab, find an active subscription. Select **More actions** (three dots), then select **Cancel subscription**.
+2. On the **Products** tab, find an active subscription. Select the three dots (more actions), then select **Cancel subscription**.
3. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback. 4. Select **Save**. 5. Repeat steps 1 through 4 to cancel all active subscriptions.
commerce Buy Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/buy-licenses.md
If youΓÇÖve removed licenses from a subscription, the next thing to do is [delet
1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page. ::: moniker-end
-2. On the **Products** tab, find the subscription for which you want to buy or remove licenses. Select **More actions** (three dots), then select **Buy licenses**. [What if I don't see the Buy licenses or Remove licenses buttons?](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)
+2. On the **Products** tab, find the subscription for which you want to buy or remove licenses. Select the three dots (more actions), then select **Buy licenses**. [What if I don't see the Buy licenses or Remove licenses buttons?](#what-if-i-dont-see-the-buy-licenses-or-remove-licenses-buttons)
3. If you want to reduce the number of licenses, at the top of the **Buy licenses** pane, select **remove licenses**. 4. To buy or remove licenses, under **New quantity** in the **Total licenses** box, enter the total number of licenses that you want for this subscription. For example, if you have 100 licenses and you want to add five more, enter 105. If you want to remove five of them, enter 95. 5. Select **Save**.
commerce Manage Licenses For Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-licenses-for-devices.md
When you unassign licenses from a group, you remove the licenses from all device
1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page. 2. On the **Licenses** page, choose **Microsoft 365 Apps for Education (device)** or **Microsoft 365 Apps for enterprise (device)**.
-3. On the next page, choose a subscription, choose **More actions**, then choose **Unassign licenses**.
+3. On the next page, choose a subscription, select the three dots (more actions), and then choose **Unassign licenses**.
4. In the **Unassign licenses** dialog box, choose **Unassign**.
commerce Manage Billing Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-billing-accounts.md
Title: Manage billing accounts
+ Title: Understand billing accounts
f1.keywords: - NOCSH
- AdminSurgePortfolio - commerce_billing search.appverid: MET150
-description: "Learn about billing accounts and how to manage them."
+description: "Learn about billing accounts and how they're used to manage account settings, invoices, payment methods, and purchases."
Last updated 03/17/2021
-# Manage billing accounts
+# Understand billing accounts
A billing account is created when you sign up to try or buy Microsoft products. You use your billing account to manage your account settings, invoices, payment methods, and purchases. You can have access to multiple billing accounts. For example, you signed up for Microsoft 365 directly, or you have access to your organization's Enterprise Agreement, Microsoft Product & Services Agreement or Microsoft Customer Agreement. For each of these scenarios, you would have a separate billing account.
commerce Allowselfservicepurchase Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell.md
To remove the **MSCommerce** PowerShell module from your computer, run the follo
```powershell Uninstall-Module -Name MSCommerce ```-->+
+## Related content
+
+[Manage self-service purchases (Admin)](manage-self-service-purchases-admins.md) (article)
+
+[Self-service purchase FAQ](self-service-purchase-faq.yml) (article)
commerce Cancel Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/cancel-your-subscription.md
If you added your own domain name to use with your subscription, you must remove
::: moniker range="o365-worldwide" 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. Find the subscription that you want to cancel. Select **More actions** (three dots), then select **Cancel subscription**.
+2. Find the subscription that you want to cancel. Select the three dots (more actions), then select **Cancel subscription**.
3. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback. 4. Select **Save**.
Your subscription now appears in a **Disabled** state, and has reduced functiona
::: moniker-end 2. Select the **Products** tab.
-3. Find the subscription that you want to cancel. Select **More actions** (three dots), then select **Cancel subscription**.
+3. Find the subscription that you want to cancel. Select the three dots (more actions), then select **Cancel subscription**.
4. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback. 5. Select **Save**.
commerce Change Plans Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/change-plans-manually.md
The licenses for the current subscription will be removed later; you'll only pay
2. Select the circles next to the names of the users for whom you want to replace existing licenses.
-3. At the top, select **More options** (**...**), and then choose **Manage product licenses**.
+3. At the top, select the three dots (more actions), and then choose **Manage product licenses**.
4. Select **Replace existing product license assignments** \> **Next**.
commerce Manage Self Service Purchases Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-users.md
You can view a list of all self-service purchased subscriptions that you bought.
## Cancel a subscription 1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-2. On the **Products** tab, find the subscription that you want to cancel. Select **More actions** (three dots), then select **Cancel subscription**.
+2. On the **Products** tab, find the subscription that you want to cancel. Select the three dots (more actions), then select **Cancel subscription**.
3. In the **Cancel subscription** pane, choose a reason why you're canceling. Optionally, provide any feedback you have. 4. Select **Save**.
commerce Reactivate Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/reactivate-your-subscription.md
You must be a Global or Billing admin to reactivate a subscription. For more inf
::: moniker-end
-2. On the **Products** tab, find the subscription that you want to reactivate. Select **More actions** (three dots), then select **Reactivate this subscription**.\
+2. On the **Products** tab, find the subscription that you want to reactivate. Select the three dots (more actions), then select **Reactivate this subscription**.\
If you don't see **Reactivate this subscription**, [contact support](../../business-video/get-help-support.md). 3. In the **Reactivate this subscription** pane, select a payment method from the drop-down list, or select **Add payment method**. 4. Select **Save**.
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
When you select the **Sensitive info types** option, you see the same list of se
Similarly to when you configure DLP policies, you can then refine your condition by changing the instance count and match accuracy. For example:
-![Options for match accuracy and instance count](../media/sensitivity-labels-instance-count-match-accuracy.png)
+![Options for match accuracy and instance count](../media/sit-confidence-level.png)
You can learn more about these configuration options from the DLP documentation: [Tuning rules to make them easier or harder to match](data-loss-prevention-policies.md#tuning-rules-to-make-them-easier-or-harder-to-match).
compliance Auditing Solutions Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/auditing-solutions-overview.md
Microsoft 365 auditing solutions provide an integrated solution to help organiza
Microsoft 365 provides two auditing solutions: Basic Audit and Advanced Audit.
+![Key capabilities of Basic Audit and Advanced Audit](..\media\AuditingSolutionsComparison.png)
+ ### Basic Audit Basic Audit provides with you with the ability to log and search for audited activities and power your forensic, IT, compliance, and legal investigations.
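Review bot: The image path on the added line uses backslashes (`..\media\AuditingSolutionsComparison.png`), while the other image links in this changeset use forward slashes (`../media/...`). A backslash is not a portable separator in a Markdown link target, so the image may not resolve in the published build; change it to `../media/AuditingSolutionsComparison.png`. While touching this section, the context sentence under the Basic Audit heading reads "provides with you with the ability" and should be "provides you with the ability".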
The first step is to set up Basic Audit and then start running audit log searche
3. Search the audit log. After completing step 1 and step 2, users in your organization can use the audit log search tool (or corresponding cmdlet) to search for audited activities.
+For more detailed instructions, see [Set up Basic Audit](set-up-basic-audit.md).
+ ### Set up Advanced Audit If your organization has a subscription that supports Advanced Audit, perform the following steps to set up and use the additional capabilities in Advanced Audit.
If your organization has a subscription that supports Advanced Audit, perform th
4. Search for crucial events and other activities when conducting forensic investigations. After completing step 1 and step 2, you can search the audit log for crucial events and other activities during forensic investigations of compromised accounts and other types of security or compliance investigations.
+For more detailed instructions, see [Set up Advanced Audit](set-up-advanced-audit.md).
+ ## Training Training your security operations team, IT administrators, and compliance investigators team in Basic Audit and Advanced Audit can help your organization get started more quickly using auditing to help with your investigations. Microsoft 365 provides the following resource to help these users in your organization getting started with auditing: [Describe the audit capabilities in Microsoft 365](/learn/modules/describe-audit-capabilities-microsoft-365).
compliance Close Reopen Delete Core Ediscovery Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/close-reopen-delete-core-ediscovery-cases.md
When you reopen a case, any eDiscovery holds that were in place when the case wa
When the process is complete, the status of the case is changed to **Active** on the **Core eDiscovery** page.
-7. (Optional) To turn on any holds associated with the reopened case, go to **Holds** tab, select a hold, and then select the checkbox under **Status** on the hold flyout page.
+6. (Optional) To turn on any holds associated with the reopened case, go to **Holds** tab, select a hold, and then select the checkbox under **Status** on the hold flyout page.
## Delete a case
To delete a case:
3. On the case home page, under **Status**, click **Delete case**.
- ![Reopen a closed case](../media/eDiscoveryCaseHomePageDelete.png)
+ ![Delete a case](../media/eDiscoveryCaseHomePageDelete.png)
If the case you're trying to delete still contains eDiscovery holds, you'll receive an error message. You'll have to delete all holds associated with the case and then try again to delete the case.
compliance Content Search Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/content-search-reference.md
This article describes features and functionality of Content search.
## Content search limits -- For a description of the limits that are applied to content searches, see [Limits for Content search](limits-for-content-search.md).
-
-- Microsoft collects performance information for Content searches run by all organizations in the service. While the complexity of the search query can impact search times, the biggest factor that affects how long searches take is the number of mailboxes searched. Although Microsoft doesn't provide a Service Level Agreement for search times, the following table lists average search times for a Content Search based on the number of mailboxes included in the search.
-
- |**Number of mailboxes**|**Average search time**|
- |:--|:--|
- |100 <br/> |30 seconds <br/> |
- |1,000 <br/> |45 seconds <br/> |
- |10,000 <br/> |4 minutes <br/> |
- |25,000 <br/> |10 minutes <br/> |
- |50,000 <br/> |20 minutes <br/> |
- |100,000 <br/> |25 minutes <br/> |
- |||
+For a description of the limits that are applied to Content searches, see [Limits for Content search](limits-for-content-search.md).
## Building a search query
Keep the following things in mind when using the keyword list to create a search
- When you run a content search, Microsoft 365 automatically checks your search query for unsupported characters and for Boolean operators that may not be capitalized. Unsupported characters are often hidden and typically cause a search error or return unintended results. For more information about the unsupported characters that are checked, see [Check your Content Search query for errors](check-your-content-search-query-for-errors.md). -- If you have a search query that contains keywords for non-English characters (such as Chinese characters), you can click **Query language-country/region**![Query language-country/region icon in Content search](../media/8d4b60c8-e1f1-40f9-88ae-ee2a7eca0886.png) and select a language-country culture code value for the search. The default language/region is neutral. How can you tell if you need to change the language setting for a content search? If you're certain content locations contain the non-English characters you're searching for, but the search returns no results, the language setting may be the cause.
+- If you have a search query that contains keywords for non-English characters (such as Chinese characters), you can click **Query language-country/region**![Query language-country/region icon in Content search](../media/8d4b60c8-e1f1-40f9-88ae-ee2a7eca0886.png) and select a language-country culture code value for the search. The default language/region is neutral. How can you tell if you need to change the language setting for a content search? If you're certain content locations contain the non-English characters you're searching for, but the search returns no results, the language setting may be the cause.
## Partially indexed items
compliance Create A Custom Sensitive Information Type In Scc Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type-in-scc-powershell.md
audience: Admin
-localization_priority: Priority
+localization_priority: Normal
- M365-security-compliance search.appverid:
What all of the below patterns have in common is that they all reference the sam
When satisfied, a pattern returns a count and confidence level, which you can use in the conditions in your policy. When you add a condition for detecting a sensitive information type to a policy, you can edit the count and confidence level as shown here. Confidence level (also called match accuracy) is explained later in this topic.
-![Instance count and match accuracy options](../media/11d0b51e-7c3f-4cc6-96d8-b29bcdae1aeb.png)
+![Instance count and match accuracy options](../media/sit-confidence-level.png)
When you create your regular expression, keep in mind that there are potential issues to be aware of. For example, if you write and upload a regex that identifies too much content, this can impact performance. To learn more about these potential issues, see the later section [Potential validation issues to be aware of](#potential-validation-issues-to-be-aware-of).
The more evidence that a pattern requires, the more confidence you have that an
The Pattern element has a required confidenceLevel attribute. You can think of the value of confidenceLevel (an integer between 1 and 100) as a unique ID for each pattern in an entity ΓÇö the patterns in an entity must have different confidence levels that you assign. The precise value of the integer doesn't matter ΓÇö simply pick numbers that make sense to your compliance team. After you upload your custom sensitive information type and then create a policy, you can reference these confidence levels in the conditions of the rules that you create.
-![XML markup showing Pattern elements with different values for confidenceLevel attribute](../media/301e0ba1-2deb-4add-977b-f6e9e18fba8b.png)
+![XML markup showing Pattern elements with different values for confidenceLevel attribute](../media/sit-xml-markedup-2.png)
In addition to confidenceLevel for each Pattern, the Entity has a recommendedConfidence attribute. The recommended confidence attribute can be thought of as the default confidence level for the rule. When you create a rule in a policy, if you don't specify a confidence level for the rule to use, that rule will match based on the recommended confidence level for the entity. Please note that the recommendedConfidence attribute is mandatory for each Entity ID in the Rule Package, if missing you won't be able to save policies that use the Sensitive Information Type.
compliance Create Test Tune Dlp Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-test-tune-dlp-policy.md
When editing a rule within a DLP policy you can change:
- The conditions, including the type and number of instances of sensitive data that will trigger the rule. - The actions that are taken, such as restricting access to the content. - User notifications, which are policy tips that are displayed to the user in their email client or web browser.-- User overrides, which determines whether users can choose to proceed with their email or file sharing anyway.
+- User overrides determines whether users can choose to proceed with their email or file sharing anyway.
- Incident reports, to notify administrators. ![Options to edit parts of a rule](../media/DLP-create-test-tune-editing-options.png)
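Review bot: The rewritten "User overrides" bullet now reads "User overrides determines whether users can choose to proceed", which is a subject-verb disagreement and breaks the pattern of the neighbouring bullets ("User notifications, which are policy tips ...", "Incident reports, to notify administrators"). Either keep the list pattern with "User overrides, which determine whether users can choose to proceed with their email or file sharing anyway" or make it a full sentence with "User overrides determine whether ...".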
This driver's license case is a good example to dig into. The reason this false
One option is to remove the Australian driver's license information type from the policy. It's in there because it's part of the DLP policy template, but we're not forced to use it. If you're only interested in Tax File Numbers and not driver's licenses, you can just remove it. For example, you can remove it from the low volume rule in the policy, but leave it in the high volume rule so that lists of multiple drivers licenses are still detected.-
-![Option to delete sensitive info type from rule](../media/DLP-create-test-tune-delete-low-volume-rule.png)
-Another option is to simply increase the instance count, so that a low volume of driver's licenses is only detected when there are multiple instances.
+Another option is to increase the instance count, so that a low volume of driver's licenses is only detected when there are multiple instances.
![Option to edit the instance count](../media/DLP-create-test-tune-edit-instance-count.png)
-In addition to changing the instance count, you can also adjust the match accuracy (or confidence level). If your sensitive information type has multiple patterns, you can adjust the match accuracy in your rule, so that your rule matches only specific patterns. For example, to help reduce false positives, you can set the match accuracy of your rule so that it matches only the pattern with the highest confidence level. Understanding how confidence level is calculated is a bit tricky (and beyond the scope of this post), but here's a good explanation of [how to use confidence level to tune your rules](data-loss-prevention-policies.md#match-accuracy).
+In addition to changing the instance count, you can also adjust the match accuracy (or confidence level). If your sensitive information type has multiple patterns, you can adjust the match accuracy in your rule, so that your rule matches only specific patterns. For example, to help reduce false positives, you can set the match accuracy of your rule so that it matches only the pattern with the highest confidence level. For more information on confidence levels, see [How to use confidence level to tune your rules](data-loss-prevention-policies.md#match-accuracy).
Finally, if you want to get even a bit more advanced, you can customize any sensitive information type -- for example, you can remove "Sydney NSW" from the list of keywords for [Australia driver's license number](sensitive-information-type-entity-definitions.md#australia-drivers-license-number), to eliminate the false positive triggered above. To learn how to do this by using XML and PowerShell, see [customizing a built-in sensitive information type](customize-a-built-in-sensitive-information-type.md).
compliance Differences Between Estimated And Actual Ediscovery Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/differences-between-estimated-and-actual-ediscovery-search-results.md
This topic applies to searches that you can run using one of the following Micro
- Content search - Core eDiscovery
-When you run an eDiscovery search, the tool you're using will return an estimate of the number of items (and their total size) that meet the search criteria. For example, when you run a search in the Microsoft 365 compliance center, the estimated search results are displayed on the flyout page for the selected search.
+When you run an eDiscovery search, the tool you're using will return an estimate of the number of items (and their total size) that match the search criteria. For example, when you run a search in the Microsoft 365 compliance center, the estimated search results are displayed on the flyout page for the selected search.
-![Estimate of results displayed in details pane of selected search](../media/74e4ce83-40be-41a9-b60f-5ad447e79fe4.png)
+![Estimate of results displayed on the search flyout page](../media/EstimatedSearchResults1.png)
This is the same estimate of total size and number of items that is displayed in the eDiscovery Export Tool when you export results to a local computer and in the Export Summary report that's downloaded with the search results.
Here are some reasons for these differences:
- **Unindexed items**. Items that are unindexed for search can cause differences between estimated and actual search results. You can include unindexed items when you export the search results. If you include unindexed items when exporting search results, there might be more items that are exported. This will cause a difference between the estimated and exported search results.
- When using the Content search tool, you have the option to include unindexed items in the search estimate. The number of unindexed items returned by the search is listed on the flyout page together with the other estimated search results. Any unindexed items would also be included in the total size of the estimated search results. When you export search results, you have the option to include or not include unindexed items. How you configure these options might result in differences between estimated and the actual search results that are downloaded.
+ When using the Content search tool, you have the option to include unindexed items when you export search results. The number of unindexed items returned by the search is listed on the flyout page together with the other estimated search results. Any unindexed items would also be included in the total size of the estimated search results. When you export search results, you have the option to include or not include unindexed items. How you configure these options might result in differences between estimated and the actual search results that are downloaded.
-- **Exporting the results of a Content Search that includes all content locations**. If the search that you're exporting results from was a search of all content locations in your organization, then only the unindexed items from content locations that contain items that match the search criteria will be exported. In other words, if no search results are found in a mailbox or site, then any unindexed items in that mailbox or site won't be exported. However, unindexed items from all content locations (even those that don't contain items that match the search query) will be included in the estimated search results.
+- **Exporting the results of a Content search that includes all content locations**. If the search that you're exporting results from was a search of all content locations in your organization, then only the unindexed items from content locations that contain items that match the search criteria will be exported. In other words, if no search results are found in a mailbox or site, then any unindexed items in that mailbox or site won't be exported. However, unindexed items from all content locations (even those that don't contain items that match the search query) will be included in the estimated search results.
Alternatively, if the search that you're exporting results from included specific content locations, then unindexed items (that aren't excluded by the search criteria) from all the content locations specified in the search will be exported. In this case, the estimated number of unindexed items and the number of unindexed items that are exported should be the same. The reason for not exporting unindexed items from every location in the organization is because it might increase the likelihood of export errors and increase the time it takes to export and download the search results. -- **Unindexed items in SharePoint and OneDrive not included in search estimates**. Unindexed items from SharePoint sites and OneDrive for Business accounts aren't included in the estimated search results. This is because the SharePoint index doesn't contain data for unindexed items. Only unindexed items from mailboxes are included in the search estimates. However, if you include unindexed items when exporting search results, unindexed items in SharePoint and OneDrive are included. This can result in differences between the estimated results (which don't include unindexed items in SharePoint and OneDrive sites) and the actual items that are downloaded. The rule about exporting unindexed items only from content locations that contain items that match the search criteria still applies in this situation.
+- **Unindexed items in SharePoint and OneDrive not included in the search estimates**. Unindexed items from SharePoint sites and OneDrive for Business accounts aren't included in the estimated search results. This is because the SharePoint index doesn't contain data for unindexed items. Only unindexed items from mailboxes are included in the search estimates. However, if you include unindexed items when exporting search results, unindexed items in SharePoint and OneDrive are included, which will increase the number of items that are actually exported. This will result in differences between the estimated results (which don't include unindexed items in SharePoint and OneDrive sites) and the actual items that are downloaded. The rule about exporting unindexed items only from content locations that contain items that match the search criteria still applies in this situation.
-- **Raw file formats versus exported file formats**. For Exchange items, the estimated size of the search results is calculated by using the raw Exchange message sizes. However, email messages are exported in a PST file or as individual messages (which are formatted as EML files). Both of these export options use a different file format than raw Exchange messages, which results in the total exported file size being different than the estimated file size.--- **Document versions**. For SharePoint documents, multiple versions of a document aren't included in the estimated search results. But you have the option to include all document versions when you export the search results, which will increase the actual number (and total size) of the exported documents.
+- **Document versions in SharePoint and OneDrive**. When searching SharePoint sites and OneDrive accounts, multiple versions of a document aren't included in the count of estimated search results. But you have the option to include all document versions when you export the search results. If you include document versions when exporting search results, the actual number (and total size) of the exported items will be increased.
-- **De-duplication**. For Exchange items, de-duplication reduces the number of items that are exported. You have the option to de-duplicate the search results when you export them. For Exchange messages, this means that only a single instance of a message is exported, even though that message might be found in multiple mailboxes. The estimated search results include every instance of a message. So if you choose the de-duplication option when exporting search results, the actual number of items that are exported might be considerably less than the estimated number of items.-
- Another thing to keep in mind if you choose the de-duplication option is that all Exchange items are exported in a single PST file and the folder structure from the source mailboxes isn't preserved. The exported PST file just contains the email items. However, a search results report contains an entry for each exported message that identifies the source mailbox where the message is located. This helps you identify all mailboxes that contain a duplicate message. If you don't enable de-duplication, a separate PST file is exported for each mailbox included in the search.
+- **SharePoint folders**. If the name of folders in SharePoint matches a search query, the search estimate will include a count of those folders (but not the items in those folders). When you export the search results, the items in folder are exported but the actual folder in not exported. The result is that the number of exported items export will more than the number of estimated search results. If a folder is empty, then the number of actual search results exported will be reduced by one item, because the actual folder isn't exported.
+- **SharePoint lists**. If the name of a SharePoint list matches a search query, the search estimate will include a count of all the items in the list. When you export the search results, the list (and the list items) is exported as a single CSV file. This will reduce the actual number of items actually exported. If the list contains attachments, the attachments will be exported as separate documents, which will also increase the number of items exported.
+- **Raw file formats versus exported file formats**. For Exchange items, the estimated size of the search results is calculated by using the raw Exchange message sizes. However, email messages are exported in a PST file or as individual messages (which are formatted as EML files). Both of these export options use a different file format than raw Exchange messages, which results in the total exported file size being different than the estimated file size.
+- **De-duplication of Exchange items during export**. For Exchange items, de-duplication reduces the number of items that are exported. You have the option to de-duplicate the search results when you export them. For Exchange messages, this means that only a single instance of a message is exported, even though that message might be found in multiple mailboxes. The estimated search results include every instance of a message. So if you choose the de-duplication option when exporting search results, the actual number of items that are exported might be considerably less than the estimated number of items.
+ Another thing to keep in mind if you choose the de-duplication option is that all Exchange items are exported in a single PST file and the folder structure from the source mailboxes isn't preserved. The exported PST file just contains the email items. However, a search results report contains an entry for each exported message that identifies the source mailbox where the message is located. This helps you identify all mailboxes that contain a duplicate message. If you don't enable de-duplication, a separate PST file is exported for each mailbox included in the search.
> [!NOTE]
-> If you don't select the **Include items that are encrypted or have an unrecognized format** option when you export search results or just download the reports, the index error reports are downloaded but they don't have any entries. This doesn't mean there aren't any indexing errors. It just means that unindexed items weren't included in the export.
+> If you don't select the **Include items that are encrypted or have an unrecognized format** option when you export search results or just download the reports, the index error reports are downloaded but they don't have any entries. This doesn't mean there aren't any indexing errors. It just means that unindexed items weren't included in the export.
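Review bot: The new **SharePoint folders** bullet has wording errors that obscure the counting rule it is trying to state: "the items in folder are exported but the actual folder in not exported" and "the number of exported items export will more than the number of estimated search results". Suggested wording: "the items in the folder are exported but the folder itself is not exported. The result is that the number of exported items will be more than the number of estimated search results." In the **SharePoint lists** bullet, "This will reduce the actual number of items actually exported" is followed by attachments that "will also increase the number of items exported"; the "also" has nothing to refer to, so state plainly that attachments increase the count. In the **Unindexed items** paragraph, the reworded first sentence ("include unindexed items when you export search results") now repeats the later sentence "When you export search results, you have the option to include or not include unindexed items"; one of the two can go.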
compliance Export Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-search-results.md
The first step is to prepare the search results for exporting. When you prepare
5. Configure the following additional options:
- ![Exchange options](../media/OtherExportOptions.png)
+ ![Configure other export options](../media/OtherExportOptions.png)
1. Select the **Enable de-duplication for Exchange content** checkbox to exclude duplicate messages.
compliance Hold Distribution Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/hold-distribution-errors.md
To reduce the number of errors related to eDiscovery holds, we recommend the fol
- If a hold distribution is still pending, with a status of either `On (Pending)` or `Off (Pending)`, wait until the hold distribution is complete before you make any further updates.
+- Check whether a hold policy is pending before you make any further updates to it. Run the following commands or save them to a PowerShell script.
+
+ ```powershell
+ $status = Get-CaseHoldPolicy -Identity <policyname>
+ if($status.DistributionStatus -ne "Pending"){
+ # policy no longer pending
+ Set-CaseHoldPolicy -Identity <policyname> -AddExchangeLocation $user1
+ }else{
+ # policy still pending
+ Write-Host "Hold policy still pending."
+ }
+ ```
+ - Merge your updates to an eDiscovery hold in a single bulk request rather than updating the hold policy repeatedly for each transaction. For example, to add multiple user mailboxes to an existing hold policy using the [Set-CaseHoldPolicy](/powershell/module/exchange/set-caseholdpolicy) cmdlet, run the command (or add as a code block to a script) so that it runs only once to add multiple users. **Correct** ```powershell
- Set-CaseHoldPolicy -AddExchangeLocation {$user1, $user2, $user3, $user4, $user5}
+ Set-CaseHoldPolicy -Identity <policyname> -AddExchangeLocation {$user1, $user2, $user3, $user4, $user5}
``` **Incorrect**
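Review bot: The added pending check compares `$status.DistributionStatus` with "Pending", while the bullet it replaces named the states as `On (Pending)` and `Off (Pending)`; say in the text which property carries which values so readers don't test the wrong one. In the same snippet `$user1` is never defined, and the else branch only writes a message, so a script built on it silently skips the update. Consider showing the assignment and telling the reader to rerun the command once distribution completes.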
To reduce the number of errors related to eDiscovery holds, we recommend the fol
$users = {$user1, $user2, $user3, $user4, $user5} ForEach($user in $users) {
- Set-CaseHoldPolicy -AddExchangeLocation $user
+ Set-CaseHoldPolicy -Identity <policyname> -AddExchangeLocation $user
} ```
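Review bot: In the **Incorrect** example, `$users = {$user1, $user2, $user3, $user4, $user5}` assigns a script block, not an array, so `ForEach` would iterate once over the script block rather than once per user. Use `$users = $user1, $user2, $user3, $user4, $user5` (or `@(...)`) here, and check the braces around the `-AddExchangeLocation` value in the **Correct** example for the same reason.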
If you see one the following error messages when putting custodians and data sou
Set-CaseHoldPolicy <policyname> -RetryDistribution ```
+## Error: The SharePoint site is read-only or not accessible
+
+If you see the following error message when putting custodians and data sources on hold, it means that your organization's [global admin or SharePoint admin](/sharepoint/sharepoint-admin-role) has locked the site. A locked site blocks eDiscovery from placing a hold on the site.
+
+> The SharePoint site is read-only or not accessible. Please contact the site administrator to make the site writable, and then redeploy this policy.
+
+### Resolution
+
+Unlock the site (or ask an admin to unlock it) to resolve this issue. To learn more about how to change the lock state for a site, see [Lock and unlock sites](/sharepoint/manage-lock-status).
+
+## Error: The mailbox or SharePoint site may not exist
+
+If you see the following error message when putting custodians and data sources on hold, use the resolution steps to troubleshoot the issue.
+
+> The mailbox or SharePoint site may not exist. If this is incorrect, please contact Microsoft support. Otherwise, please remove it from this policy.
+
+### Resolution
+
+- Run the [Get-Mailbox](/powershell/module/exchange/get-mailbox) in Exchange Online PowerShell to check if the user mailbox exists in your organization.
+
+- Run the [Get-SPOSite](/powershell/module/sharepoint-online/get-sposite) cmdlet in SharePoint Online PowerShell to check if the site exists in your organization.
+
+- Check to see if the site URL has changed.
+ ## More information -- The guidance about updating hold policies for multiple users in the "Recommended practices" section results from the fact that the system blocks simultaneous updates to a hold policy. That means when an updated hold policy is applied to new content locations and the hold policy is in a pending state, additional content locations can't be added to the hold policy. Here are some things to keep in mind to help you mitigate this issue:
+The guidance about updating hold policies for multiple users in the "Recommended practices" section results from the fact that the system blocks simultaneous updates to a hold policy. That means when an updated hold policy is applied to new content locations and the hold policy is in a pending state, additional content locations can't be added to the hold policy. Here are some things to keep in mind to help you mitigate this issue:
- - Every time a hold updated is updated, it immediately goes into a pending state. The pending state status means the hold is being applied to content locations.
+- Every time a hold updated is updated, it immediately goes into a pending state. The pending state status means the hold is being applied to content locations.
- - If you have a script that runs a loop and adds locations to policy one by one (similar to the incorrect example shown in the "Recommended practices" section), the first content location (for example, a user mailbox) initiates the sync process that triggers the pending state. That means the other users that are added to the policy in subsequent loops result in an error.
+- If you have a script that runs a loop and adds locations to policy one by one (similar to the incorrect example shown in the "Recommended practices" section), the first content location (for example, a user mailbox) initiates the sync process that triggers the pending state. That means the other users that are added to the policy in subsequent loops result in an error.
- - If your organization is using a script that runs a loop to update the content locations for a hold policy, you must update the script so that it updates locations in a single bulk operation (as shown in the correct example in the "Recommended practices" section).
+- If your organization is using a script that runs a loop to update the content locations for a hold policy, you must update the script so that it updates locations in a single bulk operation (as shown in the correct example in the "Recommended practices" section).
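Review bot: The re-added bullet "Every time a hold updated is updated" under "More information" keeps the typo from the removed line; it should read "Every time a hold is updated". In the new "The mailbox or SharePoint site may not exist" resolution, the first bullet says "Run the Get-Mailbox in Exchange Online PowerShell" and is missing the word "cmdlet" that the Get-SPOSite bullet has.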
compliance Limits For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-for-content-search.md
The following table lists the search limits when using the content search tool i
|The maximum number of sites (in SharePoint and OneDrive for Business) that can be previewed for search results. If there are more than 200 total sites that contain content that matches the search query, only the top 200 sites with the most search results will be available for preview. <br/> |200 <br/> | |The maximum number of items per public folder mailbox that are displayed on the preview page when previewing content search results. <br/> |100 <br/> | |The maximum number of items found in all public folder mailboxes that are displayed on the preview page when previewing content search results. <br/> |200 <br/> |
-|The maximum number of public mailboxes that can be previewed for search results. If there are more than 500 public folder mailboxes that contain content that matches the search query, only the top 500 public folder mailboxes with the most search results will be available for preview. <br/> |500 <br/> |
+|The maximum number of public folder mailboxes that can be previewed for search results. If there are more than 500 public folder mailboxes that contain content that matches the search query, only the top 500 public folder mailboxes with the most search results will be available for preview. <br/> |500 <br/> |
|The maximum number of characters for the search query (including operators and conditions) for a search. <br/><br/> **Note:** This limit takes effect after the query is expanded and includes characters from the keyword query, any search permissions filters applied to the user, and the URLs of all site locations. This means the query will get expanded against each of the keywords. For example, if a search query has 15 keywords and additional parameters and conditions, the query gets expanded 15 times, each with the other parameters and conditions in the query. So even though the number of characters in the search query may be below the limit, it's the expanded query that may contribute to exceeding this limit. <br/> |**Mailboxes:** 10,000 <br/> **Sites:** 4,000 when searching all sites or 2,000 when searching up to 20 sites <sup>2</sup> <br/> | |Maximum number of variants returned when using a prefix wildcard to search for an exact phrase in a search query or when using a prefix wildcard and the **NEAR** Boolean operator. <br/> |10,000 <sup>3</sup> <br/> | |The minimum number of alpha characters for prefix wildcards; for example, `time*`, `one*`, or `set*`. <br/> |3 <br/> |
compliance Partially Indexed Items In Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/partially-indexed-items-in-content-search.md
For a list of supported and disabled file formats, see the following topics:
Not every email message with a partially indexed file attachment or every partially indexed SharePoint document is automatically returned as a partially indexed item. That's because other message or document properties, such as the **Subject** property in email messages and the **Title** or **Author** properties for documents are indexed and available to be searched. For example, a keyword search for "financial" will return items with a partially indexed file attachment if that keyword appears in the subject of an email message or in the file name or title of a document. However, if the keyword appears only in the body of the file, the message or document would be returned as a partially indexed item.
-Similarly, messages with partially indexed file attachments and documents of a partially indexed file type are included in search results when other message or document properties, which are indexed and searchable, meet the search criteria. Message properties that are indexed for search include sent and received dates, sender and recipient, the file name of an attachment, and text in the message body. Document properties indexed for search include created and modified dates. So even though a message attachment may be a partially indexed item, the message will be included in the regular search results if the value of other message or document properties matches the search criteria.
+Similarly, messages with partially indexed file attachments and documents of a partially indexed file type are included in search results when other message or document properties, which are indexed and searchable, match the search criteria. Message properties that are indexed for search include sent and received dates, sender and recipient, the file name of an attachment, and text in the message body. Document properties indexed for search include created and modified dates. So even though a message attachment may be a partially indexed item, the message will be included in the regular search results if the value of other message or document properties matches the search criteria.
For a list of email and document properties that you can search for by using the Search feature in the Security & Compliance Center, see [Keyword queries and search conditions for eDiscovery](keyword-queries-and-search-conditions.md).
Your organization might be required to identify and perform additional analysis
Keep the following in mind about partially indexed items: -- When you run an eDiscovery search, the total number and size of partially indexed Exchange items (returned by the search query) are displayed in the search statistics on the flyout page, and labeled as **unindexed items**. Statistics about partially indexed items displayed on the flyout page don't include partially indexed items in SharePoint or OneDrive.
+- When you run an eDiscovery search, the total number and size of partially indexed Exchange items (returned by the search query) are displayed in the search statistics on the flyout page, and labeled as **unindexed items**. Statistics about partially indexed items displayed on the flyout page don't include partially indexed items in SharePoint sites or OneDrive accounts.
- If the search that you're exporting results from was a search of specific content locations or all content locations in your organization, only the unindexed items from content locations that contain items that match the search criteria will be exported. In other words, if no search results are found in a mailbox or site, then any unindexed items in that mailbox or site won't be exported. The reason for this is that exporting partially indexed items from lots of locations in the organization might increase the likelihood of export errors and increase the time it takes to export and download the search results.
Keep the following in mind about partially indexed items:
- Partially indexed items aren't available to be previewed. You have to export the search results to view partially indexed items returned by the search.
-Additionally, when you export search results and include partially indexed items in the export, partially indexed items from SharePoint items are exported to a folder named **Uncrawlable**. When you export partially indexed Exchange items, they are exported differently depending on whether or not the partially indexed items matched the search query and the configuration of the export settings.
+ Additionally, when you export search results and include partially indexed items in the export, partially indexed items from SharePoint items are exported to a folder named **Uncrawlable**. When you export partially indexed Exchange items, they are exported differently depending on whether or not the partially indexed items matched the search query and the configuration of the export settings.
-The following table shows the export behavior of indexed and partially indexed items and whether or not each is included for the different export configuration settings.
+- The following table shows the export behavior of indexed and partially indexed items and whether or not each is included for the different export configuration settings.
-|**Export configuration**|**Indexed items that match search query**|**Partially indexed items that match search query**|**Partially indexed items that don't match search query**|
-|:--|:--|:--|:--|
-|Export only indexed items <br/> |Exported<br/> |Exported (included with the indexed items that are exported)<br/> |Not exported <br/>|
-|Export only partially indexed items <br/> |Not exported <br/> |Exported (as partially indexed items)<br/> |Exported (as partially indexed items)|
-|Export indexed and partially indexed items <br/> |Exported<br/> |Exported (included with the indexed items that are exported)<br/> |Exported (as partially indexed items)<br/>|
-||||
-
-## Partially indexed items excluded from the search results
-
-If an item is partially indexed but it doesn't meet the search query criteria, it won't be included as a partially indexed item in the search results. In other words, the item is excluded from the search results. Similarly, if you choose to include partially indexed items when you export the results of a search, partially indexed items that were excluded from the search results won't be exported.
-
-One exception to this rule is when you create a query-based hold that's associated with an eDiscovery case. If you create a query-based eDiscovery hold, all partially indexed items are placed on hold. This includes partially indexed items that don't match the search query criteria. For more information about creating query-based eDiscovery holds, see [Create an eDiscovery hold](create-ediscovery-holds.md).
+ |**Export configuration**|**Indexed items that match search query**|**Partially indexed items that match search query**|**Partially indexed items that don't match search query**|
+ |:--|:--|:--|:--|
+ |Export only indexed items <br/> |Exported<br/> |Exported (included with the indexed items that are exported)<br/> |Not exported <br/>|
+ |Export only partially indexed items <br/> |Not exported <br/> |Exported (as partially indexed items)<br/> |Exported (as partially indexed items)|
+ |Export indexed and partially indexed items <br/> |Exported<br/> |Exported (included with the indexed items that are exported)<br/> |Exported (as partially indexed items)<br/>|
+ ||||
## Indexing limits for messages
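Review bot: Removing the "## Partially indexed items excluded from the search results" heading drops its anchor, so check for inbound links to that section before merging. The first paragraph of the removed section (partially indexed items that don't match the query are excluded from the results and from export) is not re-added in the visible lines, only its query-based hold exception is; confirm that deletion is intended. The table's lead-in also became a list item ("- The following table shows..."), which reads oddly under "Keep the following in mind"; indenting it as a continuation paragraph, like the "Additionally..." line, would be more consistent.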
For a list of indexing limits for SharePoint documents, see [Search limits for S
|Maximum annotation tokens <br/> |2 million <br/> |When an email message is indexed, each word is annotated with different processing instructions that specify how that word should be indexed. Each set of processing instructions is called an annotation token. To maintain the quality of service in Office 365, there is a limit of 2 million annotation tokens for an email message. <br/> | |Maximum body size in index <br/> |67 million characters <br/> |The total number of characters in the body of an email message and all its attachments. When an email message is indexed, all text in the body of the message and in all attachments is concatenated into a single string. The maximum size of this string that is indexed is 67 million characters. <br/> | |Maximum unique tokens in body <br/> |1 million <br/> |As previously explained, tokens are the result of extracting text from content, removing punctuation and spaces, and then dividing it into words (called tokens) that are stored in the index. For example, the phrase `"cat, mouse, bird, dog, dog"` contains 5 tokens. But only 4 of these are unique tokens. There is a limit of 1 million unique tokens per email message, which helps prevent the index from getting too large with random tokens. <br/> |
+||||
## More information about partially indexed items - As previously stated, because message and document properties and their metadata are indexed, a keyword search might return results if that keyword appears in the indexed metadata. However, that same keyword search might not return the same item if the keyword only appears in the content of an item with an unsupported file type. In this case, the item would be returned as a partially indexed item. -- If a partially indexed item is included in the search results because it met the search query criteria (and wasn't excluded), then it won't be included as a partially indexed item in the estimated search statistics. Also, it won't be included with partially indexed items when you export search results.
+- If a partially indexed item is included in the search results because it matched the search query criteria, then it won't be included as a partially indexed item in the estimated search statistics. Also, it won't be included with partially indexed items when you export search results.
- Although a file type is supported for indexing and is indexed, there can be indexing or search errors that will cause a file to be returned as a partially indexed item. For example, searching a very large Excel file might be partially successful (because the first 4 MB are indexed), but then fails because the file size limit is exceeded. In this case, it's possible that the same file is returned with the search results and as a partially indexed item.
For a list of indexing limits for SharePoint documents, see [Search limits for S
- Email messages protected using Azure Rights Management are indexed and will be included in the search results if they match the search query. Rights-protected email messages are decrypted and can be previewed and exported. This functionality requires that you are assigned the RMS Decrypt role, which is assigned by default to the eDiscover Manager role group.
+- If you create a query-based hold that's associated with an eDiscovery case, all partially indexed items are placed on hold. This includes partially indexed items that don't match the search query criteria for the hold. For more information about creating query-based eDiscovery holds, see [Create an eDiscovery hold](create-ediscovery-holds.md).
+ ## See also [Investigating partially indexed items in eDiscovery](investigating-partially-indexed-items-in-ediscovery.md)
compliance Preview Ediscovery Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/preview-ediscovery-search-results.md
To preview a sample of results returned by a search:
3. On the bottom of the flyout page, click **Review sample**.
- A page is displayed containing up a sample of the search results.
+ ![Click Review sample on the flyout page to preview results](../media/PreviewSearchResults1.png)
+
+ A page is displayed containing a sample of the search results.
4. Select an item to view its contents in the reading pane.
+ ![Preview items in the reading pane](../media/PreviewSearchResults2.png)
+
+ In the previous screenshot, notice that keywords from the search query are highlighted when you preview items.
+
+## How the search result samples are selected
+
+A maximum of 1,000 randomly selected items are available to preview. In addition to being randomly selected, items available for preview must also meet the following criteria:
+
+- A maximum of 100 items from a single content location (a mailbox or a site) can be previewed. This means that it's possible that less than 1,000 items might be available for preview. For example, if you search four mailboxes and the search returns 1,500 estimated items, only 400 will be available for preview because only 100 items from each mailbox can be previewed.
+
+- For mailbox items, only email messages are available to preview. Items like tasks, calendar items, and contacts can't be previewed.
+
+- For site items, only documents are available to preview. Items like folders, lists, or list attachments can't be previewed.
+ ## File types supported when previewing search results You can preview supported file types in the preview pane. If a file type isn't supported, you have to download a copy of the file to your local computer (by clicking **Download original item**). For .aspx Web pages, the URL for the page is included though you may not have permissions to access the page. Unindexed items aren't available for previewing.
Also, the following file container types are supported. You can view the list of
- .zip -- .gzip
+- .gzip
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
The following table lists the activities that can be logged by mailbox audit log
|Friendly name|Operation|Description| |:--|:--|:--| |Accessed mailbox items|MailItemsAccessed|Messages were read or accessed in mailbox. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. Analyzing audit records for this activity is useful when investigating compromised email account. For more information, see the "Access to crucial events for investigations" section in [Advanced Audit](advanced-audit.md#access-to-crucial-events-for-investigations). |
-|Added delegate mailbox permissions|AddMailboxPermissions|An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) to another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox.|
+|Added delegate mailbox permissions|Add-MailboxPermission|An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) to another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox.|
|Added or removed user with delegate access to calendar folder|UpdateCalendarDelegation|A user was added or removed as a delegate to the calendar of another user's mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.| |Added permissions to folder|AddFolderPermissions|A folder permission was added. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.| |Copied messages to another folder|Copy|A message was copied to another folder.|
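Review bot: The Operation value for "Added delegate mailbox permissions" changes to `Add-MailboxPermission`, a cmdlet-style name, while the neighbouring rows use unhyphenated names such as `MailItemsAccessed`, `UpdateCalendarDelegation` and `AddFolderPermissions`. Readers filter audit log searches and alerting queries on this column, so add a short remark in the description that this activity is recorded under the cmdlet name, so the difference is not read as a typo.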
contentunderstanding Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/index.md
Title: "Introduction to Microsoft SharePoint Syntex"--++ audience: admin
description: "Learn how to find resources for Microsoft SharePoint Syntex."
# Introduction to Microsoft SharePoint Syntex
-Microsoft SharePoint Syntex is an Office 365 service that helps organizations to:
+Microsoft SharePoint Syntex is an Microsoft 365 service that helps organizations to:
- Use advanced AI and machine teaching to amplify human experiences - Automate content processing
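Review bot: The replacement line reads "an Microsoft 365 service"; the article was carried over from "an Office 365" and should be "a Microsoft 365 service".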
enterprise Monitor Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/monitor-connectivity.md
Once you've deployed Microsoft 365, you can maintain Microsoft 365 connectivity
||| |:--|:--| |**Getting notified of new Microsoft 365 endpoints** <br/> |If you're [Managing Microsoft 365 endpoints](https://support.office.com/article/99cab9d4-ef59-4207-9f2b-3728eb46bf9a), you'll want to receive notifications when we publish new endpoints, you can subscribe to our RSS feed using your favorite RSS reader. Here is how to [subscribe via Outlook](https://go.microsoft.com/fwlink/p/?LinkId=532416) or you can [have the RSS feed updates emailed to you](https://go.microsoft.com/fwlink/p/?LinkId=532417). <br/> |
-|**Use System Center to Monitor Microsoft 365** <br/> |If you're using Microsoft System Center, you can download the [System Center Management Pack for Office 365](https://www.microsoft.com/download/details.aspx?id=43708) to begin monitoring Microsoft 365 today. For more detailed guidance, please see the management pack operations guide or this blog post [Office365 Monitoring using System Centre Operations Manager](https://blogs.msdn.com/b/mvpawardprogram/archive/2015/07/08/office365-monitoring-using-system-centre-operations-manager.aspx) <br/> |
+|**Use System Center to Monitor Microsoft 365** <br/> |If you're using Microsoft System Center, you can download the [System Center Management Pack for Office 365](https://www.microsoft.com/download/details.aspx?id=43708) to begin monitoring Microsoft 365 today. For more detailed guidance, please see the management pack operations guide. <br/> |
|**Monitoring the health of Azure ExpressRoute** <br/> |If you are connecting to Microsoft 365 using Azure ExpressRoute for Microsoft 365, you'll want to ensure that you're using both the Microsoft 365 Service Health Dashboard as well as the Azure [Reducing troubleshooting time with Azure Resource health](https://azure.microsoft.com/blog/reduce-troubleshooting-time-with-azure-resource-health/) <br/> | |**Using Azure AD Connect Health with AD FS** <br/> |If you're using AD FS for Single Sign-On with Microsoft 365, you'll want to begin [using Azure AD Connect Health to monitor your AD FS infrastructure](/azure/active-directory/hybrid/how-to-connect-health-adfs). <br/> | |**Programmatically monitor Microsoft 365** <br/> |Refer to our guidance on the [Microsoft 365 Management API](/office/office-365-management-api/office-365-management-apis-overview). <br/> |
Here's a short link you can use to come back: [https://aka.ms/monitorconnectivit
[Microsoft 365 integration with on-premises environments](microsoft-365-integration.md)
-[Managing Microsoft 365 endpoints](managing-office-365-endpoints.md)
+[Managing Microsoft 365 endpoints](managing-office-365-endpoints.md)
includes Office 365 Germany Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-germany-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Germany endpoints version 2020120100-->
-<!--File generated 2021-05-13 14:01:07.6541-->
+<!--File generated 2021-05-14 11:01:14.7055-->
## Exchange Online
includes Office 365 Operated By 21Vianet Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-operated-by-21vianet-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--China endpoints version 2021032900-->
-<!--File generated 2021-05-13 14:01:03.5639-->
+<!--File generated 2021-05-14 11:01:13.4398-->
## Exchange Online
includes Office 365 U.S. Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-dod-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovDoD endpoints version 2021042900-->
-<!--File generated 2021-05-13 14:01:01.0990-->
+<!--File generated 2021-05-14 11:01:10.8055-->
## Exchange Online
includes Office 365 U.S. Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-u.s.-government-gcc-high-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--USGovGCCHigh endpoints version 2021012800-->
-<!--File generated 2021-05-13 14:01:02.3230-->
+<!--File generated 2021-05-14 11:01:12.2177-->
## Exchange Online
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.--> <!--Worldwide endpoints version 2021042900-->
-<!--File generated 2021-05-13 14:00:43.7058-->
+<!--File generated 2021-05-14 11:00:43.1204-->
## Exchange Online
knowledge Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/index.md
Title: "Introduction to Microsoft Viva Topics"--++ audience:
description: "Learn how to find resources for Microsoft Viva Topics."
</br>
-Viva Topics is an Office 365 service that helps organizations to transform information to knowledge.
+Viva Topics is an Microsoft 365 service that helps organizations to transform information to knowledge.
The resources on this page are designed to get you started with learning about and using Viva Topics in your organization. ## Get started
-The resources in this section help you learn more about what Viva Topics is and how it can help you.
+The resources in this section help you learn more about what Viva Topics is and how it can help you.
| If you're looking for this information: | Go to this resource: | |:--|:--|
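Review bot: "Viva Topics is an Microsoft 365 service" on the added line needs "a" instead of "an", carried over from "an Office 365".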
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
If you are configuring attack surface reduction rules by using Group Policy or P
|Rule name|GUID|File & folder exclusions|Minimum OS supported| ||::|||
-|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers)|`56a863a9-875e-4185-98a7-b882c64b5ce5`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)|
+|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers)|`56a863a9-875e-4185-98a7-b882c64b5ce5`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater) |
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes)|`7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater| |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes)|`D4F940AB-401B-4EFC-AADC-AD5F3C50688A`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater| |[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem)|`9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
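Review bot: The added cell for "Block abuse of exploited vulnerable signed drivers" ends with "(RS3, build 16299) or greater) |", which has an unmatched closing parenthesis; the other rows read "(RS3, build 16299) or greater|". Drop the extra ")" and the trailing space so the row matches.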
This rule prevents an application from writing a vulnerable, signed driver to di
This rule does not block a driver already existing on the system from being loaded.
+>[!NOTE]
+>
+> This rule can be configured using [MEM OMA-URI](enable-attack-surface-reduction.md#mem) for MEM OMA-URI custom rules procedural information.
+>
+> This rule can also be configured using [PowerShell](enable-attack-surface-reduction.md#powershell).
+>
+> You can use this Web site to [Submit a driver for analysis](https://www.microsoft.com/en-us/wdsi/driversubmission).
+ This rule is supported in all versions in which ASR is supported; which is: - [Windows 10 Pro, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
Intune Name: `Block abuse of exploited vulnerable signed drivers`
GUID: `56a863a9-875e-4185-98a7-b882c64b5ce5`
-See [Microsoft Endpoint Manager custom procedure](enable-attack-surface-reduction.md#microsoft-endpoint-manager-custom-procedure) for MEM custom rules procedure information.
-
-You can run this command in the command line to enable the ASR rule:
-
-```powershell
-"& {&'Add-MpPreference' -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled"}
-```
-
-You can use this Web site to [Submit a driver for analysis](https://www.microsoft.com/en-us/wdsi/driversubmission).
- ### Block Adobe Reader from creating child processes This rule prevents attacks by blocking Adobe Reader from creating processes.
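Review bot: the first sentence of the new note, "This rule can be configured using [MEM OMA-URI](enable-attack-surface-reduction.md#mem) for MEM OMA-URI custom rules procedural information", runs two phrasings together and does not parse. Suggest "To configure this rule with a MEM OMA-URI custom rule, see [MEM OMA-URI](enable-attack-surface-reduction.md#mem)", which mirrors the PowerShell sentence that follows it. The added "This rule is supported in all versions in which ASR is supported; which is:" line also reads awkwardly; "This rule is supported in all versions in which ASR is supported:" followed by the list would be cleaner.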
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
ms.technology: mde- Last updated : 05/06/2021+ # Configure Microsoft Defender Antivirus scanning options
To configure the Group Policy settings described in the following table:
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
-Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
-|||
-Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
-Scan [reparse points](/windows/win32/fileio/reparse-points) | Scan > Turn on reparse point scanning | Disabled | Not available
-Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
- Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
-Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
-Scan packed executables | Scan > Scan packed executables | Enabled | Not available
-Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
-Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
- Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
- Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
- Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
+| Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class |
+|||||
+| Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` |
+|Scan [reparse points](/windows/win32/fileio/reparse-points) | Scan > Turn on reparse point scanning | Disabled | Not available |
+| Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`|
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` |
+| Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles` |
+| Scan packed executables | Scan > Scan packed executables | Enabled | Not available |
+| Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning` |
+| Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available |
+| Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. Manually run scans will ignore this setting and run without any CPU limits. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` |
+| Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available |
+| Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available |
> [!NOTE] > If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.
If Microsoft Defender Antivirus detects a threat inside an email, it will show y
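Review bot: in the rebuilt table, the "Scan archive files" row is the only added row without a leading `|`, and the "Scan [reparse points]" row starts `|Scan` with no space after the pipe, so the rows are not uniform. Start the archive row with `| Scan archive files` like the others. The sentence added to the CPU-load row ("Manually run scans will ignore this setting and run without any CPU limits") is a behavioural caveat that is easy to miss inside a table cell; consider repeating it in the note below the table.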
- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md) - [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
The following procedures for enabling ASR rules include instructions for how to
4. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
+## MEM
+
+You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rules. The following procedure uses the rule [Block abuse of exploited vulnerable signed drivers](attack-surface-reduction.md#block-abuse-of-exploited-vulnerable-signed-drivers) for the example.
+
+1. Open the Microsoft Endpoint Manager (MEM) admin center. In the **Home** menu, click **Devices**, select **Configuration profile**, and then click **Create profile**.
+
+ > [!div class="mx-imgBorder"]
+ > ![MEM Create Profile](images/mem01-create-profile.png)
+
+2. In **Create a profile**, in the following two drop-down lists, select the following:
+
+ - In **Platform**, select **Windows 10 and later**
+ - In **Profile type**, select **Templates**
+
+ Select **Custom**, and then click **Create**.
+
+ > [!div class="mx-imgBorder"]
+ > ![MEM rule profile attributes](images/mem02-profile-attributes.png)
+
+3. The Custom template tool opens to step **1 Basics**. In **1 Basics**, in **Name**, type a name for your template, and in **Description** you can type a description (optional).
+
+ > [!div class="mx-imgBorder"]
+ > ![MEM basic attributes](images/mem03-1-basics.png)
+
+4. Click **Next**. Step **2 Configuration settings** opens. For OMA-URI Settings, click **Add**. Two options now appear: **Add** and **Export**.
+
+ > [!div class="mx-imgBorder"]
+ > ![MEM Configuration settings](images/mem04-2-configuration-settings.png)
+
+5. Click **Add** again. The **Add Row OMA-URI Settings** opens. In **Add Row**, do the following:
+
+ - In **Name**, type a name for the rule.
+ - In **Description**, type a brief description.
+ - In **OMA-URI**, type or paste the specific OMA-URI link for the rule that you are adding.
+ - In **Data type**, select **String**.
+ - In **Value**, type or paste the GUID value, the \= sign and the State value with no spaces (_GUID=StateValue_). Where: {0 : Disable (Disable the ASR rule)}, {1 : Block (Enable the ASR rule)}, {2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)}, {6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)}
+
+ > [!div class="mx-imgBorder"]
+ > ![MEM OMA URI configuration](images/mem05-add-row-oma-uri.png)
+
+6. Click **Save**. **Add Row** closes. In **Custom**, click **Next**. In step **3 Scope tags**, scope tags are optional. Do one of the following:
+
+ - Click **Select Scope tags**, select the scope tag (optional) and then click **Next**.
+ - Or click **Next**
+
+7. In step **4 Assignments**, in **Included Groups** - for the groups that you want this rule to apply - select from the following options:
+
+ - **Add groups**
+ - **Add all users**
+ - **Add all devices**
+
+ > [!div class="mx-imgBorder"]
+ > ![MEM assignments](images/mem06-4-assignments.png)
+
+8. In **Excluded groups**, select any groups that you want to exclude from this rule, and then click **Next**.
+
+9. In step **5 Applicability Rules** for the following settings, do the following:
+
+ - In **Rule**, select either **Assign profile if**, or **DonΓÇÖt assign profile if**
+ - In **Property**, select the property to which you want this rule to apply
+ - In **Value**, enter the applicable value or value range
+
+ > [!div class="mx-imgBorder"]
+ > ![MEM Applicability rules](images/mem07-5-applicability-rules.png)
+
+10. Click **Next**. In step **6 Review + create**, review the settings and information you have selected and entered, and then click **Create**.
+
+ > [!div class="mx-imgBorder"]
+ > ![MEM Review and create](images/mem08-6-review-create.png)
+
+ > [!NOTE]
+ > Rules are active and live within minutes.
+
+>[!NOTE]
+> Conflict handling:
+>
+> If you assign a device two different ASR policies, the way conflict is handled is rules that are assigned different states, there is no conflict management in place, and the result is an error.
+>
+> Non-conflicting rules will not result in an error, and the rule will be applied correctly. The result is that the first rule is applied, and subsequent non-conflicting rules are merged into the policy.
+ ## MDM Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
Example:
> [!WARNING] > Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
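Review bot: the conflict-handling note that closes the new MEM section is hard to parse: "the way conflict is handled is rules that are assigned different states, there is no conflict management in place, and the result is an error". If the intended meaning is that two policies setting the same rule to different states are not reconciled, say so directly, for example "If a device is assigned two ASR policies that set a rule to different states, the conflict is not resolved and the result is an error." In step 5, the four state values (0 Disable, 1 Block, 2 Audit, 6 Warn) are packed into one bullet inside braces; a nested list would make the `GUID=StateValue` format easier to enter correctly. Step 9 also carries a mis-encoded apostrophe in "DonΓÇÖt assign profile if".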
-## Microsoft Endpoint Manager custom procedure
-
-You can use a Microsoft Endpoint Manager (MEM) admin center to configure custom ASR rules.
-
-1. Open the Microsoft Endpoint Manager (MEM) admin center. In the **Home** menu, click **Devices**, select **Configuration profile**, and then click **Create profile**.
-
- ![MEM Create Profile](images/mem01-create-profile.png)
-
-2. In **Create a profile**, in the following two drop-down lists, select the following:
-
- - In **Platform**, select **Windows 10 and later**
- - In **Profile type**, select **Templates**
-
- Select **Custom**, and then click **Create**.
-
- ![MEM rule profile attributes](images/mem02-profile-attributes.png)
-
-3. The Custom template tool opens to step **1 Basics**. In **1 Basics**, in **Name**, type a name for your template, and in **Description** you can type a description (optional ).
-
- ![MEM basic attributes](images/mem03-1-basics.png)
-
-4. Click **Next**. Step **2 Configuration settings** opens. For OMA-URI Settings, click **Add**. Two options now appear: **Add** and **Export**.
-
- ![MEM Configuration settings](images/mem04-2-configuration-settings.png)
-
-5. Click **Add** again. The **Add Row OMA-URI Settings** opens. In **Add Row**, do the following:
-
- - In **Name**, type a name for the rule.
- - In **Description**, type a brief description.
- - In **OMA-URI**, type or paste the specific OMA-URI link for the rule that you are adding.
- - In **Data type**, select **String**.
- - In **Value**, type or paste the GUID value, the \= sign and the State value with no spaces (_GUID=StateValue_). Where: {0 : Disable (Disable the ASR rule)}, {1 : Block (Enable the ASR rule)}, {2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)}, {6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)}
-
- ![MEM OMA URI configuration](images/mem05-add-row-oma-uri.png)
-
-6. Click **Save**. **Add Row** closes. In **Custom**, click **Next**. In step **3 Scope tags**, scope tags are optional. Do one of the following:
-
- - Click **Select Scope tags**, select the scope tag (optional) and then click **Next**.
- - Or click **Next**
-
-7. In step **4 Assignments**, in **Included Groups** - for the groups that you want this rule to apply - select from the following options:
-
- - **Add groups**
- - **Add all users**
- - **Add all devices**
-
- ![MEM assignments](images/mem06-4-assignments.png)
-
-8. In **Excluded groups**, select any groups that you want to exclude from this rule, and then click **Next**.
-
-9. In step **5 Applicability Rules** for the following settings, do the following:
-
- - In **Rule**, select either **Assign profile if**, or **DonΓÇÖt assign profile if**
- - In **Property**, select the property to which you want this rule to apply
- - In **Value**, enter the applicable value or value range
-
- ![MEM Applicability rules](images/mem07-5-applicability-rules.png)
-
-10. Click **Next**. In step **6 Review + create**, review the settings and information you have selected and entered, and then click **Create**.
-
- ![MEM Review and create](images/mem08-6-review-create.png)
-
->[!NOTE]
-> Rules are active and live within minutes.
-
->[!NOTE]
-> Conflict handling:
-> If you assign a device two different ASR policies, the way conflict is handled is rules that are assigned different states, there is no conflict management in place, and the result is an error.
-> Non-conflicting rules will not result in an error, and the rule will be applied correctly. The result is that the first rule is applied, and subsequent non-conflicting rules are merged into the policy.
- ## PowerShell > [!WARNING]
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+## 101.29.64 (30.121042.12964.0)
+
+- Performance improvements & bug fixes
+ ## 101.25.72 (30.121022.12563.0) - Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see [Microsoft Defender for Endpoint for US Government customers](gov.md).
security Mcafee To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-migration.md
- m365solution-overview Previously updated : 03/03/2021 Last updated : 05/14/2021
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide.
+If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide.
:::image type="content" source="images/mcafee-mde-migration.png" alt-text="Overview of migrating from McAfee to Defender for Endpoint":::
When you switch from McAfee to Microsoft Defender for Endpoint, you follow a pro
|Phase |Description | |--|--| |[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During the [**Prepare**](mcafee-to-microsoft-defender-prepare.md) phase, you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During the [**Setup**](mcafee-to-microsoft-defender-setup.md) phase, you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During the [**Onboard**](mcafee-to-microsoft-defender-onboard.md) phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
+|[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During the [**Setup**](mcafee-to-microsoft-defender-setup.md) phase, you enable Microsoft Defender Antivirus and set it to passive mode. You also configure settings & exclusions for Microsoft Defender Antivirus and your existing endpoint protection solution. Then, you create your device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During the [**Onboard**](mcafee-to-microsoft-defender-onboard.md) phase, you onboard your devices to Microsoft Defender for Endpoint, confirm that Microsoft Defender Antivirus is running in passive mode, and verify that your endpoints are communicating with Defender for Endpoint. Then, you uninstall McAfee and make sure that Defender for Endpoint is working correctly. |
## What's included in Microsoft Defender for Endpoint?
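Review bot: the rewritten Setup row replaces "McAfee" with "your existing endpoint protection solution", while the Onboard row beside it and the rest of this guide still name McAfee. Use one term in both rows; since the article is specific to McAfee, naming it in the exclusions sentence is clearer about which product needs the exclusions.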
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
+In this migration guide, we focus on [next-generation protection](microsoft-defender-antivirus-in-windows-10.md) and [endpoint detection and response](overview-endpoint-detection-response.md) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
| Feature/Capability | Description | |||
-| [Threat & vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
+| [Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
+| [Attack surface reduction](overview-attack-surface-reduction.md) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
+| [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
+| [Endpoint detection and response](overview-endpoint-detection-response.md) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
+| [Behavioral blocking and containment](behavioral-blocking-containment.md) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
+| [Automated investigation and remediation](automated-investigations.md) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
+| [Threat hunting service](microsoft-threat-experts.md) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
+**Want to learn more? See [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).**
## Next step
security Mcafee To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-onboard.md
- m365solution-scenario Previously updated : 05/10/2021 Last updated : 05/14/2021
**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: 1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).+ 2. [Run a detection test](#run-a-detection-test).
-3. [Uninstall McAfee](#uninstall-mcafee).
-4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
+
+3. [Confirm that Microsoft Defender Antivirus is in passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
+
+4. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+
+5. [Uninstall McAfee](#uninstall-mcafee).
+
+6. [Make sure Defender for Endpoint is working correctly](#make-sure-defender-for-endpoint-is-working-correctly).
## Onboard devices to Microsoft Defender for Endpoint
Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
-|Operating system |Method |
+| Operating system |Method |
|||
-|Windows 10 |- [Group Policy](configure-endpoints-gp.md)<br/>- [Configuration Manager](configure-endpoints-sccm.md)<br/>- [Mobile Device Management (Intune)](configure-endpoints-mdm.md)<br/>- [Local script](configure-endpoints-script.md) <p>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows 8.1 Enterprise <br/>- Windows 8.1 Pro <br/>- Windows 7 SP1 Enterprise <br/>- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md)<p>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
-|- Windows Server 2019 and later <br/>- Windows Server 2019 core edition <br/>- Windows Server version 1803 and later |- [Local script](configure-endpoints-script.md) <br/>- [Group Policy](configure-endpoints-gp.md) <br/>- [Configuration Manager](configure-endpoints-sccm.md) <br/>- [System Center Configuration Manager](configure-endpoints-sccm.md) <br/>- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <p>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016 <br/>- Windows Server 2012 R2 <br/>- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](configure-server-endpoints.md)<br/>- [Azure Defender](/azure/security-center/security-center-wdatp) |
-|macOS<br/>- 11.3.1 (Big Sur)<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<p>iOS<p>Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+| Windows 10 | [Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[Mobile Device Management (Intune)](configure-endpoints-mdm.md)<p>[Local script](configure-endpoints-script.md) <br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+| Windows 8.1 Enterprise <p>Windows 8.1 Pro <p>Windows 7 SP1 Enterprise<p>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md)<br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
+| Windows Server 2019 and later<p>Windows Server 2019 core edition<p>Windows Server version 1803 and later | [Local script](configure-endpoints-script.md)<p>[Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[System Center Configuration Manager](configure-endpoints-sccm.md)<p>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+| Windows Server 2016 <p>Windows Server 2012 R2<p>Windows Server 2008 R2 SP1 | [Microsoft Defender Security Center](configure-server-endpoints.md)<p>[Azure Defender](/azure/security-center/security-center-wdatp) |
+|macOS:<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+|iOS |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
## Run a detection test To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test. - |Operating system |Guidance | |||
-|- Windows 10 <br/>- Windows Server 2019 <br/>- Windows Server, version 1803 <br/>- Windows Server 2016 <br/>- Windows Server 2012 R2 |See [Run a detection test](run-detection-test.md). <p>Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS<br/>- 11.3.1 (Big Sur)<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md). |
-|Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
+| Windows 10<p>Windows Server 2019 <p>Windows Server, version 1803 <p>Windows Server 2016 <p>Windows Server 2012 R2 |See [Run a detection test](run-detection-test.md). <p>Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
+|macOS<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md). |
+|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
-## Uninstall McAfee
+## Confirm that Microsoft Defender Antivirus is in passive mode
+
+Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+
+|Method |What to do |
+|||
+|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.<p> 2. Type `sc query windefend`, and then press Enter.<p> 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<p> 2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p> 3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
+
+> [!NOTE]
+> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
+
+### Set Microsoft Defender Antivirus on Windows Server to passive mode manually
+
+To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, follow these steps:
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall McAfee.
+1. Open Registry Editor, and then navigate to
+`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
+
+2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:
+
+ - Set the DWORD's value to `1`.
+ - Under **Base**, select **Hexadecimal**.
+
+ > [!NOTE]
+ > You can use other methods to set the registry key, such as the following:
+ > - Group Policy Preference
+ > - Local Group Policy Object tool
+ > - A package in Configuration Manager
+
+### Start Microsoft Defender Antivirus on Windows Server 2016
+
+If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
+
+## Get updates for Microsoft Defender Antivirus
+
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in passive mode.
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+- Security intelligence updates
+- Product updates
+
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
++
+## Uninstall McAfee
-To get help with this step, go to your McAfee ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)).
+Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall McAfee. To get help with this step, go to your McAfee ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)).
-## Make sure Microsoft Defender for Endpoint is in active mode
+## Make sure Defender for Endpoint is working correctly
Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
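Review bot: In the added Command Prompt row, step 3 asks the reader to confirm passive mode from `sc query windefend`, but that command reports only the service state, not the antivirus running mode. Either reword step 3 to say it confirms the service is running, or direct readers to the **AMRunningMode** value from `Get-MpComputerStatus`, as the PowerShell row already does. In the added Windows Server 2016 section, `mpcmdrun.exe -wdenable` is described as a PowerShell cmdlet; it is a command-line executable, so "command" would be accurate. The stray `++` line before `## Uninstall McAfee` also looks like an editing leftover.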
security Mcafee To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-prepare.md
- m365solution-scenario Previously updated : 05/10/2021 Last updated : 05/14/2021
|*You are here!*| | |
-**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**.
+**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**.
This migration phase includes the following steps: 1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
-2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
+
+2. [Get Defender for Endpoint](#get-microsoft-defender-for-endpoint).
+ 3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).+ 4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). ## Get and deploy updates across your organization's devices
-As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
+As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Defender for Endpoint.
### Make sure your McAfee solution is up to date
Need help updating your organization's devices? See the following resources:
## Get Microsoft Defender for Endpoint
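Review bot: The rewritten best-practice sentence keeps the broken clause "the operating systems and apps your organization is also have the latest updates". Since the line is being touched anyway, fix it, for example "the operating systems and apps your organization is using also have the latest updates".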
-Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned.
+Now that you've updated your organization's devices, the next step is to get Defender for Endpoint, assign licenses, and make sure the service is provisioned.
-1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
+1. Buy or try Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
2. Verify that your licenses are properly provisioned. [Check your license state](production-deployment.md#check-license-state).
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration).
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Defender for Endpoint. See [Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration).
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). > [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal.
+> The Microsoft Defender Security Center is sometimes referred to as the Defender for Endpoint portal.
## Grant access to the Microsoft Defender Security Center
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
Permissions to the Microsoft Defender Security Center can be granted by using ei
2. Set up and configure RBAC. We recommend using [Intune](/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](/mem/intune/fundamentals/role-based-access-control). If your organization requires a method other than Intune, choose one of the following options:+ - [Configuration Manager](/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)+ - [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm)+ - [Windows Admin Center](/windows-server/manage/windows-admin-center/overview) 3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](rbac.md)). ## Configure device proxy and internet connectivity settings
-To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+To enable communication between your devices and Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
|Capabilities | Operating System | Resources | |--|--|--|
-|[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) |- [Windows 10](/windows/release-health/release-information) <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
-|EDR |- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <br/>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS: <br/>- 11.3.1 (Big Sur)<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) |[Microsoft Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) |- [Windows 10](/windows/release-health/release-information) <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <br/>- [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)<br/> |
-|Antivirus |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra) |[Microsoft Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|Antivirus |Linux: <br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Microsoft Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections)
+| [Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) | [Windows 10](/windows/release-health/release-information) <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) | [Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
+|EDR | [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) | [Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
+|EDR |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) | [Windows 10](/windows/release-health/release-information) <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <p>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md) |
+|Antivirus |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+|Antivirus |Linux: <p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections)
## Next step
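Review bot: The Antivirus macOS row changes the listed versions from 10.15, 10.14 and 10.13 (High Sierra) to 11.3.1, 10.15 and 10.14, which is a content change inside what is otherwise a rename and list-formatting pass; confirm it is intended and mention it in the change description. The Linux row still ends without a closing `|`, unlike the other rows in the table.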
-**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-- [Proceed to set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md).
+- [Proceed to set up Defender for Endpoint](mcafee-to-microsoft-defender-setup.md).
security Mcafee To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-setup.md
- m365solution-scenario Previously updated : 03/03/2021 Last updated : 05/14/2021
|--|--|--| ||*You are here!* | |
-**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
-1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
-2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
+
+1. [Reinstall or enable Microsoft Defender Antivirus on your endpoints](#reinstall-or-enable-microsoft-defender-antivirus-on-your-endpoints).
+
+2. [Configure Defender for Endpoint](#configure-defender-for-endpoint).
+ 3. [Add Microsoft Defender for Endpoint to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee).+ 4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus).
-5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
-6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-## Enable Microsoft Defender Antivirus and confirm it's in passive mode
+5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+
+6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+
+## Reinstall or enable Microsoft Defender Antivirus on your endpoints
+
+On certain versions of Windows, Microsoft Defender Antivirus is likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. For more information, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
-On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).)
+On Windows clients, when a non-Microsoft antivirus/antimalware solution is installed, Microsoft Defender Antivirus is disabled automatically until those devices are onboarded to Defender for Endpoint. When the client endpoints are onboarded to Defender for Endpoint, Microsoft Defender Antivirus goes into passive mode until the non-Microsoft antivirus solution is uninstalled. Microsoft Defender Antivirus should still be installed, but is likely disabled at this point of the migration process. Unless Microsoft Defender Antivirus has been uninstalled, you do not need to take any action for your Windows clients.
+
+On Windows servers, when a non-Microsoft antivirus/antimalware in installed, Microsoft Defender Antivirus is disabled manually (if not uninstalled). The following tasks help ensure that Microsoft Defender Antivirus is installed and set to passive mode on Windows Server.
This step of the migration process includes the following tasks:-- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
+- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)
- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server); - [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)-- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and-- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode). ### Set DisableAntiSpyware to false on Windows Server
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
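Review bot: The added Windows servers paragraph has a typo: "when a non-Microsoft antivirus/antimalware in installed" should read "is installed". In the same sentence, "Microsoft Defender Antivirus is disabled manually" leaves it unclear whether this describes what has already happened or what the reader must do; state which.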
-> [!NOTE]
-> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
-> Example:<br/>
-> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
-> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
+ > [!NOTE]
+ > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
+ > Examples:
+ >
+ > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
+ >
+ > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/> `Get-Service -Name windefend`
-#### Are you using Windows Server 2016?
+ Look for a status of *Running*.
+
+### Set Microsoft Defender Antivirus to passive mode on Windows Server
+
+1. Open Registry Editor, and then navigate to
+`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
+
+2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:
+
+ - Set the DWORD's value to `1`.
+
+ - Under Base, select **Hexadecimal**.
+
+> [!NOTE]
+> After onboarding to Defender for Endpoint, you might have to set Microsoft Defender Antivirus to passive mode on Windows Server.
+
+### Are you using Windows Server 2016?
+
+If you have endpoints running Windows Server 2016, you cannot run Microsoft Defender Antivirus alongside a non-Microsoft antivirus/antimalware solution. Microsoft Defender Antivirus cannot run in passive mode on Windows Server 2016. In this case, you'll need to uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus instead. To learn more, see [Antivirus solution compatibility with Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet: `mpcmdrun -wdenable`
-> [!TIP]
-> Still need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server.md).
+For more information, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
### Set Microsoft Defender Antivirus to passive mode on Windows Server
-Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
+Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Defender for Endpoint.
1. Open Registry Editor, and then navigate to <br/> `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
Because your organization is still using McAfee, you must set Microsoft Defender
>- [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11)) >- [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
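Review bot: The added `### Set Microsoft Defender Antivirus to passive mode on Windows Server` section duplicates a heading that is still present below it as unchanged context, with the same Registry Editor path and **ForcePassiveMode** steps. Two identical headings make the `#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server` link in the task list ambiguous; keep one section and fold the new note into it. The added Windows Server 2016 text also states that passive mode is not available there, so whichever section stays should say which server versions the registry steps apply to.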
-### Enable Microsoft Defender Antivirus on your Windows client devices
+## Configure Defender for Endpoint
-Because your organization has been using McAfee as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
-
-To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
+This step of the migration process involves configuring Defender for Endpoint. We recommend using Intune; however, you can any of the methods that are listed in the following table:
|Method |What to do | |||
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <p>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. <br/>If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p>3. Select **Properties**, and then select **Configuration settings: Edit**.<p>4. Expand **Microsoft Defender Antivirus**. <p>5. Enable **Cloud-delivered protection**.<p>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p>8. Select **Review + save**, and then choose **Save**.<p>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <p>**NOTE**: Intune is now part of Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. <br/>If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p>3. Select **Properties**, and then select **Configuration settings: Edit**.<p>4. Expand **Microsoft Defender Antivirus**. <p>5. Enable **Cloud-delivered protection**.<p>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p>8. Select **Review + save**, and then choose **Save**.<p>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
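Review bot: The new heading and intro say this step configures Defender for Endpoint, but the table rows (the **Microsoft Defender Antivirus** settings in Intune, "Turn on Microsoft Defender Antivirus" in Control Panel, the **Turn off Microsoft Defender Antivirus** policy) all configure or enable Microsoft Defender Antivirus. Either keep a heading that names Microsoft Defender Antivirus or replace the table content to match. The intro also carries over the missing verb in "you can any of the methods"; it should read "you can use any of the methods".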
-|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](use-group-policy-microsoft-defender-antivirus.md) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <p>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/> <br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-
-### Confirm that Microsoft Defender Antivirus is in passive mode
-
-Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-
-|Method |What to do |
-|||
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <p>2. Type `sc query windefend`, and then press Enter.<p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](microsoft-defender-antivirus-compatibility.md).
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates-- Product updates-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
+|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](use-group-policy-microsoft-defender-antivirus.md) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <p>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
## Add Microsoft Defender for Endpoint to the exclusion list for McAfee
-This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for McAfee and any other security products your organization is using.
+This step of the setup process involves adding Defender for Endpoint to the exclusion list for McAfee and any other security products your organization is using.
> [!TIP] > To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html).
The specific exclusions to configure depend on which version of Windows your end
|OS |Exclusions | |--|--|
-|- Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/>- Windows 10, version 1703 or [1709](/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/> |
-|- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+| Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<p>Windows 10, version 1703 or [1709](/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/> |
+| [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add McAfee to the exclusion list for Microsoft Defender Antivirus During this step of the setup process, you add McAfee and your other security solutions to the Microsoft Defender Antivirus exclusion list.
-When you add [exclusions to Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md), you should add path and process exclusions. Keep the following points in mind:
-- Path exclusions exclude specific files and whatever those files access.-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.-- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
+When you add [exclusions to Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md), you should add path and process exclusions.
You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table: |Method | What to do| |--|--|
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <p>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p>3. Under **Manage**, select **Properties**. <p>4. Select **Configuration settings: Edit**.<p>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p>7. Choose **Review + save**, and then choose **Save**. |
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <p>**NOTE**: Intune is now part of Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p>3. Under **Manage**, select **Properties**. <p>4. Select **Configuration settings: Edit**.<p>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p>7. Choose **Review + save**, and then choose **Save**. |
|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) |1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <p>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | |[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<p>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<p>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<p>5. Click **OK**.<p>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<p>7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>3. Specify your path and process exclusions. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>3. Specify your path and process exclusions. |
|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<p>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
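Review bot: The Registry key row next to this change still has a stray space in the local path example, `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`, which breaks the command when copied as written; suggest `c:\temp\MDAV_Exclusion.reg` to match the network share example. Step 1 of that row also says to export the key without saying which device to export it from.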
-## Add McAfee to the exclusion list for Microsoft Defender for Endpoint
-
-> [!IMPORTANT]
-> In general, you shouldn't have to add exclusions for Defender for Endpoint, especially if you have already defined exclusions for Microsoft Defender Antivirus. However, if you run into issues where Microsoft Defender Antivirus won't stay in passive mode, perform the following task. Otherwise, skip this section and proceed to [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-
-To add exclusions to Microsoft Defender for Endpoint, you create [indicators](indicator-file.md).
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-
-3. On the **File hashes** tab, choose **Add indicator**.
+Keep the following points in mind:
-3. On the **Indicator** tab, specify the following settings:
- - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- - Under **Expires on (UTC)**, choose **Never**.
-
-4. On the **Action** tab, specify the following settings:
- - **Response Action**: **Allow**
- - Title and description
-
-5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-
-6. On the **Summary** tab, review the settings, and then click **Save**.
-
-### Find a file hash using CMPivot
-
-CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](/mem/configmgr/core/servers/manage/cmpivot-overview).
-
-To use CMPivot to get your file hash, follow these steps:
-
-1. Review the [prerequisites](/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-
-2. [Start CMPivot](/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
-
-3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
+- Path exclusions exclude specific files and whatever those files access.
-4. Select the **Query** tab.
-
-5. In the **Device Collection** list, and choose **All Systems (default)**.
+- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
-6. In the query box, type the following query:<br/>
+- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
-```kusto
-File(c:\\windows\\notepad.exe)
-| project Hash
-```
-> [!NOTE]
-> In the query above, replace *notepad.exe* with the your third-party security product process name.
+- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
## Set up your device groups, device collections, and organizational units
Using Configuration Manager and your device collection(s), configure your antima
## Next step
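Review bot: The added "Keep the following points in mind" list now lands after the methods table instead of before it, so readers reach the Intune, Group Policy and registry steps before the guidance on how path and process exclusions differ and the advice to list process exclusions by full path; suggest keeping the list directly under the "you should add path and process exclusions" sentence. In the second bullet, "Process exclusions exclude whatever a process touches, but does not exclude the process itself" should read "do not exclude". With the "Find a file hash using CMPivot" heading removed, confirm that no remaining link targets `#find-a-file-hash-using-cmpivot`.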
-**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
+**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md)
+- [Proceed to Phase 3: Onboard to Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md)
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
By default, Windows Update does not download and install updates automatically o
|Method |Description | |||
-|**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
+|**Windows Update** in Control Panel | **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <p>**Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |
-|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates: <br/>- **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/>- **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
+|The **AUOptions** registry key | The following two values allow Windows Update to automatically download and install Security intelligence updates: <p>**4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <p>**3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
To ensure that protection from malware is maintained, we recommend that you enable the following
security Switch To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-migration.md
- m365solution-overview Previously updated : 05/10/2021 Last updated : 05/14/2021 ms.technology: mde
If you are planning to switch from a non-Microsoft endpoint protection solution
When you make the switch to Defender for Endpoint, you begin with your non-Microsoft solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove the non-Microsoft solution. > [!TIP]
-> - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md).
-> - If you're currently using Symantec Endpoint Protection (Symantec), see [Migrate from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md).
+> - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md).
+> - If you're currently using Symantec Endpoint Protection (Symantec), see [Migrate from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md).
## The migration process
-When you switch to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
+When you switch to Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
![Migration phases - prepare, setup, onboard](images/phase-diagrams/migration-phases.png) |Phase |Description | |--|--|
-|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[Set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode. You also configure settings & exclusions for Microsoft Defender Antivirus and your existing endpoint protection solution. Then, you create your device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall your existing endpoint protection solution and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
+|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
+|[Set up Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and set it to passive mode. You also configure settings & exclusions for Microsoft Defender Antivirus and your existing endpoint protection solution. Then, you create your device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[Onboard to Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Defender for Endpoint, confirm that Microsoft Defender Antivirus is running in passive mode, and verify that your endpoints are communicating with Defender for Endpoint. Then, you uninstall your existing endpoint protection solution and make sure that Defender for Endpoint working correctly. |
## What's included in Microsoft Defender for Endpoint?
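Review bot: The added Onboard row ends with "make sure that Defender for Endpoint working correctly", which is missing a verb; suggest "make sure that Defender for Endpoint is working correctly".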
-In this migration guide, we focus on [next-generation protection](microsoft-defender-antivirus-in-windows-10.md) and [endpoint detection and response](overview-endpoint-detection-response.md) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
+In this migration guide, we focus on [next-generation protection](microsoft-defender-antivirus-in-windows-10.md) and [endpoint detection and response](overview-endpoint-detection-response.md) capabilities as a starting point for moving to Defender for Endpoint. However, Defender for Endpoint includes much more than antivirus and endpoint protection. Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Defender for Endpoint.
| Feature/Capability | Description | |||
In this migration guide, we focus on [next-generation protection](microsoft-defe
| [Automated investigation and remediation](automated-investigations.md) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. | | [Threat hunting service](microsoft-threat-experts.md) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-**Want to learn more? See [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md).**
+**Want to learn more? See [Defender for Endpoint](microsoft-defender-endpoint.md).**
## Next step
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
- m365solution-migratetomdatp Previously updated : 05/13/2021 Last updated : 05/14/2021
|| |*You are here!* |
-**Welcome to Phase 3 of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
+**Welcome to Phase 3 of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
-1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
+1. [Onboard devices to Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
2. [Run a detection test](#run-a-detection-test).
-3. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).
+3. [Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode-on-your-endpoints).
-4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
+4. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+
+5. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).
+
+6. [Make sure Defender for Endpoint is working correctly](#make-sure-defender-for-endpoint-is-working-correctly).
## Onboard devices to Microsoft Defender for Endpoint
### Onboarding methods
-Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
+Deployment methods vary, depending on operating system and preferred methods. The following table lists resources to help you onboard to Defender for Endpoint:
|Operating systems |Methods | |||
-|Windows 10 |[Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[Mobile Device Management (Intune)](configure-endpoints-mdm.md)<p>[Local script](configure-endpoints-script.md) <p>A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|Windows 8.1 Enterprise <p>Windows 8.1 Pro <p>Windows 7 SP1 Enterprise <p>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md) <p>The Microsoft Monitoring Agent is now the Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
-|Windows Server 2019 and later <p>Windows Server 2019 core edition <p>Windows Server version 1803 and later |[Local script](configure-endpoints-script.md) <p>[Group Policy](configure-endpoints-gp.md) <p>[Configuration Manager](configure-endpoints-sccm.md) <p>[System Center Configuration Manager](configure-endpoints-sccm.md) <p>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <p>A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|Windows Server 2016 <p>Windows Server 2012 R2 <p>Windows Server 2008 R2 SP1 |[Microsoft Defender Security Center](configure-server-endpoints.md)<p>[Azure Defender](/azure/security-center/security-center-wdatp) |
-|macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave)<p>iOS |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+| Windows 10 | [Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[Mobile Device Management (Intune)](configure-endpoints-mdm.md)<p>[Local script](configure-endpoints-script.md) <p>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+| Windows 8.1 Enterprise <p>Windows 8.1 Pro <p>Windows 7 SP1 Enterprise <p>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md)<p>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
+| Windows Server 2019 and later <p>Windows Server 2019 core edition <p>Windows Server version 1803 and later | [Local script](configure-endpoints-script.md) <p>[Group Policy](configure-endpoints-gp.md) <p>[Configuration Manager](configure-endpoints-sccm.md) <p>[System Center Configuration Manager](configure-endpoints-sccm.md) <p>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <p>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+| Windows Server 2016 <p>Windows Server 2012 R2 <p>Windows Server 2008 R2 SP1 | [Microsoft Defender Security Center](configure-server-endpoints.md)<p>[Azure Defender](/azure/security-center/security-center-wdatp) |
+|macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave)|[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
|iOS |[Onboard non-Windows devices](configure-endpoints-non-windows.md) | |Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Onboard non-Windows devices](configure-endpoints-non-windows.md) | ## Run a detection test
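Review bot: In the added Windows Server 2019 row, "Configuration Manager" and "System Center Configuration Manager" both link to `configure-endpoints-sccm.md`, so one entry is redundant; suggest keeping a single Configuration Manager link. The NOTE in that row also recommends Intune for production deployment although no Intune method is listed for these server versions, so either list it or drop it from the recommendation.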
-To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
+To verify that your onboarded devices are properly connected to Defender for Endpoint, you can run a detection test.
|Operating system |Guidance | |||
-|Windows 10 <p>Windows Server 2019 <p>Windows Server, version 1803 <p>Windows Server 2016 <p>Windows Server 2012 R2 |See [Run a detection test](run-detection-test.md). <p>Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
-|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
+| Windows 10 <p>Windows Server 2019 <p>Windows Server, version 1803 <p>Windows Server 2016 <p>Windows Server 2012 R2 | See [Run a detection test](run-detection-test.md). <p>Visit the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
+| macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
+| Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
-## Uninstall your non-Microsoft solution
+## Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
+
+Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+
+|Method |What to do |
+|||
+|Command Prompt | 1. On a Windows device, open Command Prompt as an administrator.<p>2. Type `sc query windefend`, and then press Enter.<p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
+
+> [!NOTE]
+> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
+
+### Set Microsoft Defender Antivirus on Windows Server to passive mode manually
+
+To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, follow these steps:
+
+1. Open Registry Editor, and then navigate to <br/>
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall your non-Microsoft endpoint protection solution.
+2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:
+ - Set the DWORD's value to **1**.
+ - Under **Base**, select **Hexadecimal**.
-To get help with this step, reach out to your solution provider's technical support team.
+> [!NOTE]
+> You can use other methods to set the registry key, such as the following:
+>- [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
+>- [Local Group Policy Object tool](/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
+>- [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
-## Make sure Microsoft Defender for Endpoint is in active mode
+### Start Microsoft Defender Antivirus on Windows Server 2016
-Now that you have uninstalled your non-Microsoft endpoint protection solution, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
+If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
-To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+## Get updates for Microsoft Defender Antivirus
+
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+- Security intelligence updates
+- Product updates
+
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+
+## Uninstall your non-Microsoft solution
+
+Now that you have onboarded your organization's devices to Defender for Endpoint, and Microsoft Defender Antivirus is installed and enabled, your next step is to uninstall your non-Microsoft endpoint protection solution. To get help with this task, reach out to your solution provider's technical support team.
+
+## Make sure Defender for Endpoint is working correctly
+
+Now that you have onboarded to Defender for Endpoint, and you have uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint working correctly. One good way to do this is by visiting the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
- Cloud-delivered protection - Potentially Unwanted Applications (PUA) - Network Protection (NP)
-> [!IMPORTANT]
-> If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
- ## Next steps
-**Congratulations**! You have completed your [migration to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+**Congratulations**! You have completed your [migration to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
- [Visit your security operations dashboard](security-operations-dashboard.md) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). -- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
+- [Manage Defender for Endpoint, post migration](manage-atp-post-migration.md).
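Review bot: In the new "Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints" table, the Command Prompt row has the reader run `sc query windefend` and then "confirm that Microsoft Defender Antivirus is running in passive mode", but `sc query` reports only the service state (for example RUNNING or STOPPED), not the antivirus running mode. Suggest rewording that row to say it confirms the service is running, and pointing to the **AMRunningMode** value in the PowerShell row as the actual passive-mode check. Two smaller points in the same change: "Start Microsoft Defender Antivirus on Windows Server 2016" calls `mpcmdrun.exe -wdenable` a PowerShell cmdlet although it is a command-line executable, and "make sure that Defender for Endpoint working correctly" is missing "is".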
security Switch To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-prepare.md
- m365solution-migratetomdatp Previously updated : 05/13/2021 Last updated : 05/14/2021
|--|--|--| |*You are here!*| | |
-**Welcome to the Prepare phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**.
+**Welcome to the Prepare phase of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**.
This migration phase includes the following steps: 1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
-2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
+2. [Get Defender for Endpoint](#get-microsoft-defender-for-endpoint).
3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
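Review bot: Step 2 now reads "Get Defender for Endpoint" but still links to `#get-microsoft-defender-for-endpoint`, and the target heading "## Get Microsoft Defender for Endpoint" is left unchanged further down, so the step list and the section title no longer match. Either keep the full product name in the link text, or rename the heading and update the anchor in the same commit.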
This migration phase includes the following steps:
## Get and deploy updates across your organization's devices
-As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
+As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Defender for Endpoint and Microsoft Defender Antivirus.
### Make sure your existing solution is up to date
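Review bot: The rewritten paragraph under "Get and deploy updates across your organization's devices" carries over a broken clause, "the operating systems and apps your organization is also have the latest updates"; only the product name was touched. Suggest fixing it while the line is open, for example "the operating systems and apps your organization is using also have the latest updates".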
Need help updating your organization's devices? See the following resources:
## Get Microsoft Defender for Endpoint
-Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned.
+Now that you've updated your organization's devices, the next step is to get Defender for Endpoint, assign licenses, and make sure the service is provisioned.
-1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
+1. Buy or try Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
2. Verify that your licenses are properly provisioned. [Check your license state](production-deployment.md#check-license-state).
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration).
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Defender for Endpoint. See [Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration).
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). > [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal, and can be accessed at [https://aka.ms/MDATPportal](https://aka.ms/MDATPportal).
+> The Microsoft Defender Security Center is sometimes referred to as the Defender for Endpoint portal, and can be accessed at [https://aka.ms/MDATPportal](https://aka.ms/MDATPportal).
## Grant access to the Microsoft Defender Security Center
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
Permissions to the Microsoft Defender Security Center can be granted by using ei
## Configure device proxy and internet connectivity settings
-To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+To enable communication between your devices and Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
|Capabilities | Operating System | Resources | |--|--|--| |[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) |[Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) | |EDR |[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Microsoft Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+|EDR |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) |[Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <p>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)<br/> |
-|Antivirus |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Microsoft Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|Antivirus |Linux: <p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Microsoft Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
+|Antivirus |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+|Antivirus |Linux: <p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
## Next step
-**Congratulations**! You have completed the **Prepare** phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+**Congratulations**! You have completed the **Prepare** phase of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
-- [Proceed to set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md).
+- [Proceed to set up Defender for Endpoint](switch-to-microsoft-defender-setup.md).
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
- m365solution-migratetomdatp Previously updated : 05/13/2021 Last updated : 05/14/2021
|--|--|--| ||*You are here!* | |
-**Welcome to the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
+**Welcome to the Setup phase of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
-1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
+1. [Reinstall/enable Microsoft Defender Antivirus on your endpoints](#reinstallenable-microsoft-defender-antivirus-on-your-endpoints).
-2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+2. [Configure Defender for Endpoint](#configure-defender-for-endpoint).
-3. [Add Microsoft Defender for Endpoint to the exclusion list for your existing endpoint solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).
+3. [Add Defender for Endpoint to the exclusion list for your existing solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).
4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus).
6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-## Enable Microsoft Defender Antivirus and confirm it's in passive mode
-On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. When you get ready to onboard your endpoints to Defender for Endpoint, Microsoft Defender Antivirus does not enter passive or disabled mode automatically.
+## Reinstall/enable Microsoft Defender Antivirus on your endpoints
-On Windows Server, you cannot have Microsoft Defender Antivirus in active mode alongside a non-Microsoft antivirus/antimalware solution, such as McAfee, Symantec, or others. To learn more about what happens with Defender for Endpoint and antivirus solutions, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+On certain versions of Windows, Microsoft Defender Antivirus is likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. For more information, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
-To help ensure that Microsoft Defender Antivirus is enabled and in passive mode, complete the following tasks described in this article:
+On Windows clients, when a non-Microsoft antivirus/antimalware solution is installed, Microsoft Defender Antivirus is disabled automatically until those devices are onboarded to Defender for Endpoint. When the client endpoints are onboarded to Defender for Endpoint, Microsoft Defender Antivirus goes into passive mode until the non-Microsoft antivirus solution is uninstalled. Microsoft Defender Antivirus should still be installed, but is likely disabled at this point of the migration process. Unless Microsoft Defender Antivirus has been uninstalled, you do not need to take any action for your Windows clients.
-- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
+On Windows servers, when a non-Microsoft antivirus/antimalware in installed, Microsoft Defender Antivirus is disabled manually (if not uninstalled). The following tasks help ensure that Microsoft Defender Antivirus is installed and set to passive mode on Windows Server.
-- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);
+- [Set DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)
-- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
+- [Reinstall Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server)
-- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and--- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
+- [Set Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
### Set DisableAntiSpyware to false on Windows Server
-The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
+The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee, Symantec, or others. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
1. On your Windows Server device, open Registry Editor.
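Review bot: The new Windows servers paragraph has a typo and an ambiguous verb: "when a non-Microsoft antivirus/antimalware in installed, Microsoft Defender Antivirus is disabled manually (if not uninstalled)". "in installed" should be "is installed", and "is disabled manually" can be read either as something that has already happened or as something the admin must do. The client paragraph just before it says "is disabled automatically", so state explicitly who performs the step on servers. The first added paragraph also mixes tenses ("is likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed").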
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
### Reinstall Microsoft Defender Antivirus on Windows Server
-> [!NOTE]
+> [!IMPORTANT]
> The following procedure applies only to endpoints or devices that are running the following versions of Windows: > - Windows Server 2019 > - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016 (see important information in [Are you using Windows Server 2016?](#are-you-using-windows-server-2016))
+> - Windows Server 2016 (see the following section, [Are you using Windows Server 2016?](#are-you-using-windows-server-2016))
1. As a local administrator on the endpoint or device, open Windows PowerShell.
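Review bot: The updated Windows Server 2016 bullet says "see the following section", but this commit moves "Are you using Windows Server 2016?" below "Set Microsoft Defender Antivirus to passive mode on Windows Server", so it is no longer the section that follows this procedure. Drop "the following section" and keep just the link, or move the section back to directly after the reinstall steps.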
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/> `Get-Service -Name windefend`
-#### Are you using Windows Server 2016?
-
-If you have endpoints running Windows Server 2016, you cannot run Microsoft Defender Antivirus alongside a non-Microsoft antivirus/antimalware solution. Microsoft Defender Antivirus cannot run in passive mode on Windows Server 2016. In this case, you'll need to uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus instead. To learn more, see [Antivirus solution compatibility with Defender for Endpoint](microsoft-defender-antivirus-compatibility.md).
-
-If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet:
-
-`mpcmdrun -wdenable`
-
-> [!TIP]
-> Still need help? See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
+ Look for a status of *Running*.
### Set Microsoft Defender Antivirus to passive mode on Windows Server
-> [!IMPORTANT]
-> You can set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019. But Passive mode is not supported on Windows Server 2016. To learn more, see [Antivirus solution compatibility with Microsoft Defender for Endpoint](defender-compatibility.md).
-
-Because your organization is still using your existing endpoint protection solution, you must set Microsoft Defender Antivirus to passive mode. That way, your existing solution and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
- 1. Open Registry Editor, and then navigate to <br/> `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
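Review bot: With the [!IMPORTANT] note and the introductory paragraph removed from "Set Microsoft Defender Antivirus to passive mode on Windows Server", the registry steps now follow the heading with no statement of which server versions support passive mode. The removed note said passive mode is not supported on Windows Server 2016, and that caveat now appears only in the later "Are you using Windows Server 2016?" section. Suggest opening the steps with the scoping sentence the onboarding article uses: "To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, follow these steps:".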
Because your organization is still using your existing endpoint protection solut
- Under **Base**, select **Hexadecimal**. > [!NOTE]
-> You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
+> After onboarding to Defender for Endpoint, you might have to set Microsoft Defender Antivirus to passive mode on Windows Server.
-### Enable Microsoft Defender Antivirus on your Windows client devices
+### Are you using Windows Server 2016?
-Because your organization has been using a non-Microsoft antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
+If you have endpoints running Windows Server 2016, you cannot run Microsoft Defender Antivirus alongside a non-Microsoft antivirus/antimalware solution. Microsoft Defender Antivirus cannot run in passive mode on Windows Server 2016. In this case, you'll need to uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus instead. To learn more, see [Antivirus solution compatibility with Defender for Endpoint](microsoft-defender-antivirus-compatibility.md).
-To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
+If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet:
-|Method |What to do |
-|||
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p> 3. Select **Properties**, and then select **Configuration settings: Edit**.<p> 4. Expand **Microsoft Defender Antivirus**. <p> 5. Enable **Cloud-delivered protection**.<p> 6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p> 7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p> 8. Select **Review + save**, and then choose **Save**.<p>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) | 1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <p> 2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p> 3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+`mpcmdrun -wdenable`
+For more information, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
-### Confirm that Microsoft Defender Antivirus is in passive mode
+## Configure Defender for Endpoint
-Microsoft Defender Antivirus can run alongside your existing endpoint protection solution if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+This step of the migration process involves configuring Microsoft Defender Antivirus for your endpoints. We recommend using Intune; however, you can any of the methods that are listed in the following table:
|Method |What to do | |||
-|Command Prompt | 1. On a Windows device, open Command Prompt as an administrator.<p>2. Type `sc query windefend`, and then press Enter.<p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates-- Product updates-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p> 3. Select **Properties**, and then select **Configuration settings: Edit**.<p> 4. Expand **Microsoft Defender Antivirus**. <p> 5. Enable **Cloud-delivered protection**.<p> 6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p> 7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p> 8. Select **Review + save**, and then choose **Save**.<p>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) | 1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <p> 2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p> 3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
## Add Microsoft Defender for Endpoint to the exclusion list for your existing solution
-This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using.
+This step of the setup process involves adding Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using.
> [!TIP] > To get help configuring exclusions, refer to your solution provider's documentation.
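Review bot: The new "Configure Defender for Endpoint" section opens with "This step of the migration process involves configuring Microsoft Defender Antivirus for your endpoints", so the heading names one product and the body another, and the table that follows consists entirely of Microsoft Defender Antivirus settings. Align the heading (and the matching step 2 link in the phase overview) with the content, or add a sentence saying how these settings relate to Defender for Endpoint. The same sentence is missing a verb: "you can any of the methods" should be "you can use any of the methods".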
The specific exclusions to configure will depend on which version of Windows you
|OS |Exclusions | |--|--| |Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<p>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<p> |
-|[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders. <p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+|[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Monitoring Host Temporary Files 6\45 can be different numbered subfolders. <p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
-During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list.
+During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
-When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+|Method | What to do|
+|--|--|
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p> 3. Under **Manage**, select **Properties**.<p> 4. Select **Configuration settings: Edit**.<p> 5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p> 6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p> 7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) | 1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <p> 2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and then select **Edit**.<p> 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.<p> 3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p> 4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<p> 5. Select **OK**.<p> 6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<p> 7. Select **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.<p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<p>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-- Path exclusions exclude specific files and whatever those files access.
+### Keep the following points about exclusions in mind
-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
+When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
+- *Path exclusions* exclude specific files and whatever those files access.
+
+- *Process exclusions* exclude whatever a process touches, but does not exclude the process itself.
- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
-You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
+- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
-|Method | What to do|
-|--|--|
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p> 3. Under **Manage**, select **Properties**.<p> 4. Select **Configuration settings: Edit**.<p> 5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p> 6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p> 7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) | 1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <p> 2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and then select **Edit**.<p> 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.<p> 3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p> 4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<p> 5. Select **OK**.<p> 6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<p> 7. Select **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.<p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<p>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
## Set up your device groups, device collections, and organizational units
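Review bot: In the added **Registry key** row, the local-path example `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` has a space between `c:\temp\` and the file name, so the command as written does not point at the .reg file. It should read `regedit.exe /s c:\temp\MDAV_Exclusion.reg`, matching the network-share example; the typo was carried over unchanged from the removed row. Step 1 of the same row says to export the key without saying from which device, which matters because `/s` imports it on the target without any prompt. In the bullet list, "*Process exclusions* exclude whatever a process touches, but does not exclude the process itself" should read "do not exclude".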
+Device groups, device collections, and organizational units enable your security team to manage and assign security policies efficiently and effectively. The following table describes each of these groups and how to configure them. Your organization might not use all three collection types.
+ | Collection type | What to do | |--|--|
-|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called *machine groups*) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<p>Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <p>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<p>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<p>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
+|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called *machine groups*) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<p>Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <p>Device groups are created in the [Microsoft Defender Security Center](microsoft-defender-security-center.md). |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<p>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<p>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.<p>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | |[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<p> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
Using Configuration Manager and your device collection(s), configure your antima
## Next step
-**Congratulations**! You have completed the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
+**Congratulations**! You have completed the Setup phase of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
-- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md)
+- [Proceed to Phase 3: Onboard to Defender for Endpoint](switch-to-microsoft-defender-onboard.md)
security Symantec To Microsoft Defender Atp Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-onboard.md
- M365-security-compliance - m365solution-symantecmigrate Previously updated : 03/03/2021 Last updated : 05/14/2021
**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)**. This migration phase includes the following steps: 1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).+ 2. [Run a detection test](#run-a-detection-test).
-3. [Uninstall Symantec](#uninstall-symantec).
-4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
+
+3. [Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode-on-your-endpoints).
+
+4. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
+
+5. [Uninstall Symantec](#uninstall-symantec).
+
+6. [Make sure Microsoft Defender for Endpoint is working correctly](#make-sure-microsoft-defender-for-endpoint-is-working-correctly).
## Onboard devices to Microsoft Defender for Endpoint 1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.+ 2. Choose **Settings** > **Device management** > **Onboarding**. + 3. In the **Select operating system to start onboarding process** list, select an operating system. + 4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article). ### Onboarding methods
Deployment methods vary, depending on which operating system is selected. Refer
|Operating system |Method | |||
-|Windows 10 |- [Group Policy](configure-endpoints-gp.md)<br/>- [Configuration Manager](configure-endpoints-sccm.md)<br/>- [Mobile Device Management (Intune)](configure-endpoints-mdm.md)<br/>- [Local script](configure-endpoints-script.md) <p>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows 8.1 Enterprise <br/>- Windows 8.1 Pro <br/>- Windows 7 SP1 Enterprise <br/>- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint)<p>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
-|- Windows Server 2019 and later <br/>- Windows Server 2019 core edition <br/>- Windows Server version 1803 and later |- [Local script](configure-endpoints-script.md) <br/>- [Group Policy](configure-endpoints-gp.md) <br/>- [Configuration Manager](configure-endpoints-sccm.md) <br/>- [System Center Configuration Manager](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)<br/>- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <p>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016 <br/>- Windows Server 2012 R2 <br/>- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](configure-server-endpoints.md)<br/>- [Azure Defender](/azure/security-center/security-center-wdatp) |
-|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra)<p>iOS<p>Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+|Windows 10 | [Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[Mobile Device Management (Intune)](configure-endpoints-mdm.md)<p>[Local script](configure-endpoints-script.md) <br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+| Windows 8.1 Enterprise <p>Windows 8.1 Pro <p>Windows 7 SP1 Enterprise<p>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint)<br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). |
+| Windows Server 2019 and later <p>Windows Server 2019 core edition<p>Windows Server version 1803 and later | [Local script](configure-endpoints-script.md)<p>[Group Policy](configure-endpoints-gp.md)<p>[Configuration Manager](configure-endpoints-sccm.md)<p>[System Center Configuration Manager](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)<p>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
+| Windows Server 2016<p>Windows Server 2012 R2<p>Windows Server 2008 R2 SP1 | [Microsoft Defender Security Center](configure-server-endpoints.md)<p>[Azure Defender](/azure/security-center/security-center-wdatp) |
+|macOS<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave) |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+|iOS |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
## Run a detection test
To verify that your onboarded devices are properly connected to Microsoft Defend
|Operating system |Guidance | |||
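Review bot: In the added macOS row of the onboarding methods table, `macOS<p>11.3.1 (Big Sur)` drops both the list bullets and any separator, so the OS name reads as one more entry in the version list. The Linux row in the same table uses `Linux:` and the macOS row in the detection test table uses `macOS:`; this row should follow them. The row also swaps 10.13 (High Sierra) for 11.3.1 (Big Sur), which is a content change inside an otherwise layout-only edit and is worth stating explicitly in the change description.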
-|- Windows 10 <br/>- Windows Server 2019 <br/>- Windows Server, version 1803 <br/>- Windows Server 2016 <br/>- Windows Server 2012 R2 |See [Run a detection test](run-detection-test.md). <p>Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS<br/>- 11.3.1 (Big Sur)<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
-|Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
+| Windows 10<p>Windows Server 2019<p>Windows Server, version 1803<p>Windows Server 2016<p>Windows Server 2012 R2 |See [Run a detection test](run-detection-test.md). <p>Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
+|macOS:<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
+|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
+
+## Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
+
+Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+
+| Method | What to do |
+|:--|:--|
+| Command Prompt | 1. On a Windows device, open Command Prompt as an administrator. <p>2. Type `sc query windefend`, and then press Enter. <p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator. <p>2. Run the `Get-MpComputerStatus` cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
+
+> [!NOTE]
+> You might see Windows Defender Antivirus instead of Microsoft Defender Antivirus in some versions of Windows.
+
+### Set Microsoft Defender Antivirus on Windows Server to passive mode manually
+
+To set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019, follow these steps:
+
+1. Open Registry Editor, and then navigate to
+`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
+
+2. Edit (or create) a DWORD entry called **ForcePassiveMode**, and specify the following settings:
+
+ - Set the DWORD's value to 1.
+ - Under Base, select Hexadecimal.
+
+> [!NOTE]
+> You can use other methods to set the registry key, such as the following:
+> - Group Policy Preference
+> - Local Group Policy Object tool
+> - A package in Configuration Manager
+
+### Start Microsoft Defender Antivirus on Windows Server 2016
+
+If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
+
+## Get updates for Microsoft Defender Antivirus
+
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in passive mode.
+
+There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
+
+- Security intelligence updates
+- Product updates
+
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
## Uninstall Symantec Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall Symantec. 1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec.+ 2. Delete the uninstall password for Symantec:<br/>+ 1. On your Windows devices, open Registry Editor as an administrator.+ 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.+ 3. Look for an entry named **SmcInstData**. + 4. Right-click the item, and then choose **Delete**. + 3. Remove Symantec from your devices. If you need help with this, see Broadcom's documentation. Here are a few Broadcom resources: + - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)+ - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
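Review bot: In the new passive-mode table, the Command Prompt row tells the reader to run `sc query windefend` and then "confirm that Microsoft Defender Antivirus is running in passive mode", but `sc query` reports only the service state (for example RUNNING or STOPPED) and has no field for the running mode. Step 3 should say what to look for in that output and point to the **AMRunningMode** value in the PowerShell row for the mode itself. In the Windows Server 2016 subsection, `mpcmdrun.exe -wdenable` is called a PowerShell cmdlet although it is a command-line executable; the sentence was moved verbatim from the removed IMPORTANT note, so this is a good moment to correct it. In the updates section, "critical to assure" should be "critical to ensure".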
+
- macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
+
- Linux devices: [Frequently Asked Questions for Endpoint Protection on Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
-## Make sure Microsoft Defender for Endpoint is in active mode
+## Make sure Microsoft Defender for Endpoint is working correctly
-Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
-
-To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
+Now that you have uninstalled Symantec, your next step is to make sure that Defender for Endpoint is working correctly. Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
- Cloud-delivered protection - Potentially Unwanted Applications (PUA) - Network Protection (NP)
-> [!IMPORTANT]
-> If you are using Windows Server 2016, you might have to start Microsoft Defender Antivirus manually. You can do this by using the PowerShell cmdlet `mpcmdrun.exe -wdenable` on the device.
- ## Next steps **Congratulations**! You have completed your [migration from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)!
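Review bot: The renamed section "Make sure Microsoft Defender for Endpoint is working correctly" no longer asks the reader to confirm that Microsoft Defender Antivirus is "enabled and in active mode" once Symantec is removed. The new flow explicitly verifies passive mode before the uninstall and documents setting **ForcePassiveMode** to 1 on Windows Server, so the final step should include a check that the device has left passive mode, for example by rerunning `Get-MpComputerStatus` and reviewing **AMRunningMode**, plus a reminder to revert **ForcePassiveMode** where it was set manually. Without that, a server can finish the migration with no antivirus product in active mode.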
security Symantec To Microsoft Defender Atp Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-prepare.md
- M365-security-compliance - m365solution-symantecmigrate Previously updated : 03/03/2021 Last updated : 05/14/2021
|*You are here!*| | |
-**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)**.
+**Welcome to the Prepare phase of [migrating from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)**.
This migration phase includes the following steps:
-1. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
-2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
-3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
+
+1. [Update your organization's devices](#update-your-organizations-devices).
+
+2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
+
+3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
+
+4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings)
+
+## Update your organization's devices
+
+As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Defender for Endpoint.
+
+### Make sure Symantec is up to date
+
+Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates.
+
+Need help? See Broadcom's documentation: [Symantec Endpoint Protection Installation and Administration Guide](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all.html)
+
+### Make sure your endpoints are up to date
+
+Need help updating your organization's devices? See the following resources:
++
+|OS |Resource |
+|||
+|Windows | [Microsoft Update](https://www.update.microsoft.com/) |
+|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541) |
+|iOS | [Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204) |
+|Android | [Check & update your Android version](https://support.google.com/android/answer/7680439) |
+|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
+ ## Get Microsoft Defender for Endpoint
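Review bot: The second sentence of the new "Update your organization's devices" paragraph is ungrammatical: "the operating systems and apps your organization is also have the latest updates" is missing a word, probably "using". The "Make sure Symantec is up to date" paragraph that follows repeats the same advice almost word for word, so one of the two could be trimmed. Item 4 of the new step list also lost its trailing period, unlike items 1 to 3.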
-To get started, you must have Microsoft Defender for Endpoint, with licenses assigned and provisioned.
+Now that you've updated your organization's devices, the next step is to get Defender for Endpoint, assign licenses, and make sure the service is provisioned.
+
+1. Buy or try Defender for Endpoint today. [Visit Defender for Endpoint to start a free trial or request a quote](https://aka.ms/mdatp).
-1. Buy or try Microsoft Defender for Endpoint today. [Visit Microsoft Defender for Endpoint to start a free trial or request a quote](https://aka.ms/mdatp).
2. Verify that your licenses are properly provisioned. [Check your license state](production-deployment.md#check-license-state).
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration).
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
+
+3. As a global administrator or security administrator, set up your dedicated cloud instance of Defender for Endpoint. See [Defender for Endpoint setup: Tenant configuration](production-deployment.md#tenant-configuration).
+
+4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). > [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal.
+> The Microsoft Defender Security Center is sometimes referred to as the Defender for Endpoint portal.
## Grant access to the Microsoft Defender Security Center
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
+The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. 1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](prepare-deployment.md#role-based-access-control).
-2. Set up and configure RBAC. We recommend using [Intune](/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](/mem/intune/fundamentals/role-based-access-control).<br/>
+
+2. Set up and configure RBAC. We recommend using [Intune](/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](/mem/intune/fundamentals/role-based-access-control).
+ If your organization requires a method other than Intune, choose one of the following options:+ - [Configuration Manager](/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)+ - [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm)+ - [Windows Admin Center](/windows-server/manage/windows-admin-center/overview)+ 3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](rbac.md)). ## Configure device proxy and internet connectivity settings
-To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
+To enable communication between your devices and Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
|Capabilities | Operating System | Resources | |:-|:-|:|
-|[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) |- [Windows 10](/windows/release-health/release-information/) <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
-|EDR |- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <br/>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra) |[Microsoft Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) |- [Windows 10](/windows/release-health/release-information/) <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <br/>- [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)<br/> |
-|Antivirus |macOS: <br/>- 11.3.1 (Big Sur)<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) |[Microsoft Defender for Endpoint on Mac: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|Antivirus |Linux: <br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Microsoft Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
+|[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) | [Windows 10](/windows/release-health/release-information/) <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
+|EDR | [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
+|EDR |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) |[Windows 10](/windows/release-health/release-information/)<p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803)<p>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md) |
+|Antivirus |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on Mac: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+|Antivirus |Linux: <p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
## Next step
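Review bot: The two macOS rows now label the same target, `microsoft-defender-endpoint-mac.md#network-connections`, differently: "Defender for Endpoint on macOS: Network connections" in the EDR row and "Defender for Endpoint on Mac: Network connections" in the Antivirus row. Pick one form. The OS cells also move from `<br/>- ` list items to bare `<p>` separators with uneven spacing around them (compare the first EDR row with the Microsoft Defender Antivirus row), which is worth normalizing while these rows are being touched.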
-**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)!
-- [Proceed to set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md).
+**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)!
+- [Proceed to set up Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md).
security Symantec To Microsoft Defender Atp Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-setup.md
- M365-security-compliance - m365solution-symantecmigrate Previously updated : 05/10/2021 Last updated : 05/14/2021
||*You are here!* | |
-**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)**. This phase includes the following steps:
-1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows).
-2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
-3. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-4. [Add Microsoft Defender for Endpoint to the exclusion list for Symantec](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-symantec).
-5. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
-6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+**Welcome to the Setup phase of [migrating from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)**. This phase includes the following steps:
-## Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)
+1. [Reinstall/enable Microsoft Defender Antivirus on your endpoints](#reinstallenable-microsoft-defender-antivirus-on-your-endpoints).
-> [!TIP]
-> If you're running Windows 10, you do not need to perform this task. Proceed to **[Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus)**.
+2. [Configure Defender for Endpoint](#configure-defender-for-endpoint).
+
+3. [Add Microsoft Defender for Endpoint to the exclusion list for Symantec](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-symantec).
+
+4. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
+
+5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
+
+6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
+
+## Reinstall/enable Microsoft Defender Antivirus on your endpoints
+
+On certain versions of Windows, Microsoft Defender Antivirus is likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. For more information, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+
+On Windows clients, when a non-Microsoft antivirus/antimalware solution is installed, Microsoft Defender Antivirus is disabled automatically until those devices are onboarded to Defender for Endpoint. When the client endpoints are onboarded to Defender for Endpoint, Microsoft Defender Antivirus goes into passive mode until the non-Microsoft antivirus solution is uninstalled. Microsoft Defender Antivirus should still be installed, but is likely disabled at this point of the migration process. Unless Microsoft Defender Antivirus has been uninstalled, you do not need to take any action for your Windows clients.
+
+On Windows servers, when a non-Microsoft antivirus/antimalware in installed, Microsoft Defender Antivirus is disabled manually (if not uninstalled). The following tasks help ensure that Microsoft Defender Antivirus is installed and set to passive mode on Windows Server.
+
+- Set DisableAntiSpyware to false on Windows Server (only if necessary)
+
+- Reinstall Microsoft Defender Antivirus on Windows Server
+
+- Set Microsoft Defender Antivirus to passive mode on Windows Server
+
+### Set DisableAntiSpyware to false on Windows Server
+
+The DisableAntiSpyware registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, Symantec. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
+
+1. On your Windows Server device, open Registry Editor.
-On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode.
+3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
+
+ - If you do not see that entry, you're all set.
+ - If you do see DisableAntiSpyware, proceed to step 4.
+
+4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
+
+5. Set the value to `0`. (This action sets the registry key's value to *false*.)
+
+> [!TIP]
+> To learn more about this registry key, see **[DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**.
### Reinstall Microsoft Defender Antivirus on Windows Server
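Review bot: The new DisableAntiSpyware steps change a value under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender` by hand in Registry Editor, but values under the Policies key are normally written by Group Policy, so a manual change to `0` can be overwritten at the next policy refresh. Suggest adding a sentence after step 5 telling admins to check whether a GPO or management tool sets this value and to change it there as well. Two wording fixes in the same hunk: "when a non-Microsoft antivirus/antimalware in installed" should read "is installed", and "and deploy another antivirus product, Symantec" is awkward; consider "such as Symantec".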
Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll
> - Windows Server 2019 > - Windows Server, version 1803 (core-only mode) > - Windows Server 2016
->
-> Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
1. As a local administrator on the endpoint or device, open Windows PowerShell.
-1. Run the following PowerShell cmdlets:<br/>
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/>
+1. Run the following PowerShell cmdlets:
+
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` > [!NOTE] > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
- > Example:<br/>
+ > Examples:
+ >
> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
+ >
> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/> 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/> `Get-Service -Name windefend`
-#### Are you using Windows Server 2016?
-
-If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet:
-
-`mpcmdrun -wdenable`
-
-> [!TIP]
-> Still need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
- ### Set Microsoft Defender Antivirus to passive mode on Windows Server
-Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
- 1. Open Registry Editor, and then navigate to <br/> `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
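Review bot: Under "Reinstall Microsoft Defender Antivirus on Windows Server", the commands kept in step 2 use `Dism /online /Get-FeatureInfo`, which only reports the state of a feature and installs nothing, so following the step as written does not reinstall anything. If the intent is to turn the features back on, the step should use DISM's `/Enable-Feature` with the same `/FeatureName` values, keeping `/Get-FeatureInfo` as the check. The lead-in "Run the following PowerShell cmdlets:" is also inaccurate, since `Dism` is a command-line executable rather than a cmdlet.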
Because your organization is still using Symantec, you must set Microsoft Defend
>- [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11)) >- [Local Group Policy Object tool](/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool) >- [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
+>
+> After onboarding to Defender for Endpoint, you might have to set Microsoft Defender Antivirus to passive mode on Windows Server.
-## Enable Microsoft Defender Antivirus
+### Are you using Windows Server 2016?
-Because your organization has been using Symantec as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
+If you have endpoints running Windows Server 2016, you cannot run Microsoft Defender Antivirus alongside a non-Microsoft antivirus/antimalware solution. Microsoft Defender Antivirus cannot run in passive mode on Windows Server 2016. In this case, you'll need to uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus instead. To learn more, see [Antivirus solution compatibility with Defender for Endpoint](microsoft-defender-antivirus-compatibility.md).
-To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
+If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet:
-|Method |What to do |
-|||
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p>3. Select **Properties**, and then select **Configuration settings: Edit**.<p>4. Expand **Microsoft Defender Antivirus**. <p>5. Enable **Cloud-delivered protection**.<p>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p>8. Select **Review + save**, and then choose **Save**.<br/>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <p>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+`mpcmdrun -wdenable`
-### Verify that Microsoft Defender Antivirus is in passive mode
+For more information, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
-Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+## Configure Defender for Endpoint
+
+This step of the migration process involves configuring Microsoft Defender Antivirus for your endpoints. We recommend using Intune; however, you can any of the methods that are listed in the following table:
|Method |What to do | |||
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <p>2. Type `sc query windefend`, and then press Enter.<p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet.<p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates-- Product updates-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p>3. Select **Properties**, and then select **Configuration settings: Edit**.<p>4. Expand **Microsoft Defender Antivirus**. <p>5. Enable **Cloud-delivered protection**.<p>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p>8. Select **Review + save**, and then choose **Save**.<br/>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <p>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
## Add Microsoft Defender for Endpoint to the exclusion list for Symantec
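Review bot: This change deletes the "Verify that Microsoft Defender Antivirus is in passive mode" section, including the `Get-MpComputerStatus` check for **AMRunningMode: Passive Mode**, and the "Get updates for Microsoft Defender Antivirus" section, and nothing in the visible lines replaces either. The page still tells admins to set passive mode on Windows Server, so they lose the check that confirms it took effect; suggest keeping the verification table or linking to where it moved. Separately, the added text says Microsoft Defender Antivirus "cannot run in passive mode on Windows Server 2016", while the note added just above it says "you might have to set Microsoft Defender Antivirus to passive mode on Windows Server" without excluding 2016. The carried-over sentence "you can any of the methods" is still missing "use".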
-This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
+This step of the setup process involves adding Defender for Endpoint to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
|OS |Exclusions | |--|--|
-|- Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/>- Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<p> |
-|- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p>- [Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<p>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+| Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<p> Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <p> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p> [Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<p> |
+| [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <p> [Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p> [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<p> [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p> [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<p>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add Symantec to the exclusion list for Microsoft Defender Antivirus
-During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list.
+During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
> [!NOTE] > To get an idea of which processes and services to exclude, see Broadcom's [Processes and services used by Endpoint Protection 14](https://knowledge.broadcom.com/external/article/170706/processes-and-services-used-by-endpoint.html).
-When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
-- Path exclusions exclude specific files and whatever those files access.-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.-- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)-
-You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
- |Method | What to do| |--|--|
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p>3. Under **Manage**, select **Properties**. <p>4. Select **Configuration settings: Edit**.<p>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p>7. Choose **Review + save**, and then choose **Save**. |
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p>3. Under **Manage**, select **Properties**. <p>4. Select **Configuration settings: Edit**.<p>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p>7. Choose **Review + save**, and then choose **Save**. |
|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) |1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <p>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<p>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<p>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>4. Double-click the **Path Exclusions** setting and add the exclusions.<p>- Set the option to **Enabled**.<p>- Under the **Options** section, click **Show...**.<p>- Specify each folder on its own line under the **Value name** column.<p>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<p>5. Click **OK**.<p>6. Double-click the **Extension Exclusions** setting and add the exclusions.<p>- Set the option to **Enabled**.<p>- Under the **Options** section, click **Show...**.<p>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/>7. Click **OK**. |
+|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and then select **Edit**.<p>2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.<p>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<p>5. Select **OK**.<p>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column.<br/>- Enter **0** in the **Value** column.<p>7. Select **OK**. |
|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>3. Specify your path and process exclusions. | |Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<p>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+- Path exclusions exclude specific files and whatever those files access.
+- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
+- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
+- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
+ ## Set up your device groups, device collections, and organizational units
+Device groups, device collections, and organizational units enable your security team to manage and assign security policies efficiently and effectively. The following table describes each of these groups and how to configure them. Your organization might not use all three collection types.
+ | Collection type | What to do | |--|--|
-|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<p>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<br/> <br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
+|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<p>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<p>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <br/>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | |[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
Using Configuration Manager and your device collection(s), configure your antima
## Next step
-**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)!
-- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md)
+**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Defender for Endpoint](symantec-to-microsoft-defender-endpoint-migration.md#the-migration-process)!
+- [Proceed to Phase 3: Onboard to Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md)
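Review bot: In the exclusions section, the "Keep the following points in mind" list is moved to after the methods table, so a reader works through the Intune, Configuration Manager, Group Policy and registry steps before reaching the advice to list process exclusions by full path rather than by name only. Consider keeping that list above the table, right after the rewritten intro sentence, which now promises "the following table" but is followed by the NOTE callout first. Since the bullets are being touched anyway, "Process exclusions exclude whatever a process touches, but does not exclude the process itself" should read "do not exclude". In the paths table, the added Windows 10 row ends with a dangling `<p>` before the closing cell delimiter, which can be dropped.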
security Symantec To Microsoft Defender Endpoint Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-endpoint-migration.md
- m365solution-symantecmigrate - m365solution-overview Previously updated : 05/10/2021 Last updated : 05/14/2021
When you switch from Symantec to Microsoft Defender for Endpoint, you follow a p
|Phase |Description | |--|--|
-|[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. |
+|[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
+|[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you enable Microsoft Defender Antivirus and set it to passive mode. You also configure settings & exclusions for Microsoft Defender Antivirus and Symantec Endpoint Protection. Then, you create your device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
+|[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint, confirm that Microsfot Defender Antivirus is running in passive mode, and verify that your endpoints are communicating with Defender for Endpoint. Then, you uninstall Symantec and make sure that Defender for Endpoint is working correctly. |
## What's included in Microsoft Defender for Endpoint?
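Review bot: The added Onboard row misspells the product name as "Microsfot Defender Antivirus"; it should be "Microsoft Defender Antivirus". The added Setup row also writes "settings & exclusions" where the removed row had "settings and exclusions", and spelling out "and" matches the rest of the table. The Prepare and Onboard rows now mix "Microsoft Defender for Endpoint" and "Defender for Endpoint" within one cell; if the short form is intended after first mention, apply it the same way in the Setup row.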
solutions End Life Cycle Groups Teams Sites Yammer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/end-life-cycle-groups-teams-sites-yammer.md
Conversations can be moved to another Yammer group by any user, not just owners
**Export network data** Yammer network administrators [export network data](/yammer/manage-security-and-compliance/export-yammer-enterprise-data). However, doing so will export all conversations for the entire network. The resulting export lists the Group ID. It's possible to filter conversations based on this ID.+
+## Related topics
+
+[Remove a former employee and secure data](/microsoft-365/admin/add-users/remove-former-employee)
solutions Plan Organization Lifecycle Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/plan-organization-lifecycle-governance.md
Expiration policies are a good way to limit group sprawl by ensuring that groups
[Collaboration governance planning step-by-step](collaboration-governance-overview.md#collaboration-governance-planning-step-by-step)
-[Create your collaboration governance plan](collaboration-governance-first.md)
+[Create your collaboration governance plan](collaboration-governance-first.md)
+
+[Remove a former employee and secure data](/microsoft-365/admin/add-users/remove-former-employee)