Updates from: 05/05/2023 01:30:23
Category Microsoft Docs article Related commit history on GitHub Change details
enterprise Cross Tenant Sharepoint Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-sharepoint-migration.md
The team will respond to you within a couple business days with some additional
## Prerequisites and settings -- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. [Download SharePoint Online Management Shell from Official Microsoft Download Center](/download/details.aspx?id=35588)
+- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. [Download SharePoint Online Management Shell from Official Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=35588)
- **Turn off service encryption with Customer Key enabled.** Confirm that the source OneDrive tenant **doesn't** have Service encryption with Microsoft Purview Customer Key enabled. If enabled on Source tenant, the migration will fail. [Learn more on Service encryption with Microsoft Purview Customer Key](/microsoft-365/compliance/customer-key-overview)
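Review bot: the relative link `/download/details.aspx?id=35588` on the removed line resolves against the docs host rather than microsoft.com, so the absolute URL on the added line is the right fix. While the line is being touched, `Powershell` should be `PowerShell`, and the link text can drop "from Official Microsoft Download Center". The neighbouring Customer Key bullet only says the migration fails when the *source* tenant has Customer Key enabled; it would help readers planning the cutover to state explicitly whether the destination tenant is also checked or is unaffected.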
security Attack Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-simulations.md
Read the walkthrough document provided with each attack scenario. Each document
> [!NOTE] > Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device. >
+> You can also use the EICAR test file or the EICAR test text string to perform some tests. It is possible to test real-time protection features (create a text file, paste the EICAR text, and save the file as an executable file to your endpoint's local driveΓÇöyou will get a notification on the test endpoint and an alert in the MDE console) or EDR protection (you need to temporarily disable real-time protection on the test endpoint and save the EICAR test file, and then try to execute, copy, or move this file). After you run your tests, enable real-time protection on the test endpoint.
+>
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-attacksimulations-belowfoldlink) ## Related topics
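Review bot: the added line carries the encoding artifact `ΓÇöyou will get`, where an em-dash or comma should separate `local drive` from `you will get`; fix before merge. Two content points on the same line: it tells readers to "paste the EICAR text" without giving the string or linking to it, so someone who does not already know it cannot follow the step; and the EDR variant tells readers to disable real-time protection on the test endpoint without saying this should only be done on an isolated test device. Since the preceding context line promises that the simulation files are benign, it is also worth stating that the EICAR file is harmless as well.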
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
Depending on the server that you're onboarding, the unified solution installs Mi
|Server version|AV|EDR| |-|-|-|
-|Windows Server 2012 R2 SP1|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|
+|Windows Server 2012 R2|![Yes.](images/svg/check-yes.svg)|![Yes.](images/svg/check-yes.svg)|
|Windows Server 2016|Built-in|![Yes.](images/svg/check-yes.svg)| |Windows Server 2019 or later|Built-in|Built-in|
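Review bot: dropping `SP1` is correct; Windows Server 2012 R2 never had a service pack, and the row now matches the product name used by the onboarding option `Windows Server 2012 R2 and 2016` later in this file.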
The **onboarding package** contains the following files:
Follow these steps to download the packages:
-1. In Microsoft 365 Defender, go to **Settings > Device Management > Onboarding**.
+1. In Microsoft 365 Defender, go to **Settings > Endpoint > Onboarding**.
2. Select **Windows Server 2012 R2 and 2016**.
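Review bot: the new path `Settings > Endpoint > Onboarding` drops a navigation level, and the other hunk in this same file writes the identical step as `Settings > Endpoints > Device Management > Onboarding`. Both steps lead to the same Onboarding page, so they should be written identically; suggest the longer form with the plural `Endpoints`, which matches the portal's Endpoints > Device management hierarchy.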
The following steps are only applicable if you're using a third-party anti-malwa
### Download package
-1. In Microsoft 365 Defender, go to **Settings > Device Management > Onboarding**.
+1. In Microsoft 365 Defender, go to **Settings > Endpoints > Device Management > Onboarding**.
2. Select **Windows Server 1803 and 2019**.
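Review bot: `Settings > Endpoints > Device Management > Onboarding` here disagrees with `Settings > Endpoint > Onboarding` written for the same step earlier in this file; apply one spelling to both hunks. Minor: the portal labels the node `Device management` with a lower-case m.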
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
ms.sitesec: library
ms.pagetype: security + ms.localizationpriority: medium Previously updated : 10/12/2022 Last updated : 04/19/2023 audience: ITPro
These are the known gaps:
|Feature name|GCC|GCC High|DoD| ||::|::|::|
-|Microsoft Secure Score|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
+|Microsoft Secure Score|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
|Microsoft Threat Experts|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)| | Microsoft Defender for Endpoint Security Configuration Management|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|![No](images/svg/check-no.svg)|
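Review bot: flipping the Secure Score row to Yes in all three columns contradicts the table's lead-in `These are the known gaps`: a feature that is available in GCC, GCC High and DoD is no longer a gap, so the row should be removed rather than kept with three Yes marks. If the intent is to record that the gap was recently closed, say so in prose above the table instead.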
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
Filter | Description
**First seen** </br> | Filter your view based on when the device was first seen in the network or when it was first reported by the Microsoft Defender for Endpoint sensor.</br></br>(_Computers and mobile and IoT devices only_) **Windows version** </br> | Filter by the Windows versions you're interested in investigating. If ΓÇÿfuture versionΓÇÖ appears in the Windows version field, it can mean:</br></br> - This is a pre-release build for a future Windows release</br> - The build has no version name</br> - The build version name is not yet supported </br></br> In all these scenarios, where available, the full OS version can be seen in the device details page.</br></br> (_Computers and mobile only_) **Sensor health state** </br> | Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:</br> - **Active**: Devices that are actively reporting sensor data to the service.</br> - **Inactive**: Devices that have stopped sending signals for more than 7 days. </br> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data. </br> Misconfigured devices can further be classified to: </br> - No sensor data </br> - Impaired communications </br> For more information on how to address issues on misconfigured devices see, [Fix unhealthy sensors](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors).</br></br> (_Computers and mobile only_)
-**Onboarding status** </br> | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint. </br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but it's not currently onboarded. Microsoft highly recommends onboarding these devices. </br> - **Unsupported**: The endpoint was discovered in the network, but is not supported by Microsoft Defender for Endpoint. </br> - **Insufficient info**: The system couldn't determine the supportability of the device.</br></br> (_Computers and mobile only_)
+**Onboarding status** </br> | Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. Note that device discovery must be enabled for this filter to appear. You can filter by the following states: </br> - **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint. </br> - **Can be onboarded**: The endpoint was discovered in the network as a supported device, but it's not currently onboarded. Microsoft highly recommends onboarding these devices. </br> - **Unsupported**: The endpoint was discovered in the network, but is not supported by Microsoft Defender for Endpoint. </br> - **Insufficient info**: The system couldn't determine the supportability of the device.</br></br> (_Computers and mobile only_)
**Antivirus status** </br> | Filter the view based on whether the antivirus status is disabled, not updated or unknown.</br></br> (_Computers and mobile only_) **Group** </br> | Filter the list based on the group you're interested in investigating. </br></br> (_Computers and mobile only_) **Managed by** </br> | Managed by indicates how the device is being managed. You can filter by:</br> - Microsoft Defender for Endpoint</br> - Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach</br>- Microsoft Configuration manager (ConfigMgr)</br> - Unknown: This could be due the running an outdated Windows version, GPO management, or another third party MDM.</br></br> (_Computers and mobile only_)
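Review bot: the added sentence `Note that device discovery must be enabled for this filter to appear` should say which states depend on discovery: `Can be onboarded`, `Unsupported` and `Insufficient info` all describe devices that were "discovered in the network", so without device discovery the filter could only ever show `Onboarded` devices. Stating that makes the dependency clearer than the bare note, and `Note that` can be dropped as filler. The `Microsoft highly recommends onboarding these devices` sentence reads as marketing inside a reference table and could be cut.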
security Run Detection Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-detection-test.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 09/13/2022 Last updated : 04/24/2023 audience: ITPro
Run the following PowerShell script on a newly onboarded device to verify that i
The Command Prompt window closes automatically. If successful, a new alert appears in the portal for the onboarded device in about 10 minutes.
+> [!NOTE]
+> You can also use the EICAR test string to perform this test. Create a text file, paste the EICAR line, and save the file as an executable file to your endpoint's local drive. You will receive a test endpoint notification and an alert in the Microsoft 365 Defender portal.
+ ## Related topics - [Onboard Windows devices](configure-endpoints.md)
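Review bot: the new NOTE repeats, nearly word for word, the EICAR guidance added to attack-simulations.md in the same change set; keep one canonical description and link to it from the other page. Like that one, it omits the EICAR string itself and where to obtain it, so a reader cannot follow `paste the EICAR line`. Finally, this page's primary test is the detection script above; the NOTE should say which component raises the EICAR alert (antivirus detection rather than the EDR sensor), so that readers do not treat a missing EICAR alert as an onboarding failure on a device where Microsoft Defender Antivirus is not the active antivirus.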
security Run Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-live-response.md
Runs a sequence of live response commands on a device
7. Multiple live response commands can be run on a single API call. However, when a live response command fails all the subsequent actions won't be executed.
+8. Multiple live response sessions can't be executed on the same machine (if live response action is already running, subsequent requests are responded to with HTTP 400 - ActiveRequestAlreadyExists).
+ ## Minimum Requirements Before you can initiate a session on a device, make sure you fulfill the following requirements:
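Review bot: item 8 should tell the caller what to do on `HTTP 400 - ActiveRequestAlreadyExists`: wait for the running action to finish (or cancel it) and then resubmit, rather than retrying immediately, since every retry receives the same 400 while the session is live. Grammar: `if live response action is already running` needs an article, `if a live response action is already running`. It would also help to say whether `ActiveRequestAlreadyExists` is returned as a literal string or as an error code inside a JSON error body.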
POST https://api.securitycenter.microsoft.com/API/machines/{machine_id}/runliver
|Parameter|Type|Description| |||| |Comment|String|Comment to associate with the action.|
-|Commands|Array|Commands to run. Allowed values are PutFile, RunScript, GetFile.|
+|Commands|Array|Commands to run. Allowed values are PutFile, RunScript, GetFile (must be in this order with no limit on repetitions). |
## Commands |Command Type|Parameters|Description| ||||
-|PutFile|Key: FileName <p> Value: \<file name\>|Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.
+|PutFile|Key: FileName <p> Value: \<file name\>|Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. NOTE: Doesn't have a response result. |
|RunScript|Key: ScriptName <br> Value: \<Script from library\> <p> Key: Args <br> Value: \<Script arguments\>|Runs a script from the library on a device. <p> The Args parameter is passed to your script. <p> Timeouts after 10 minutes.| |GetFile|Key: Path <br> Value: \<File path\>|Collect file from a device. NOTE: Backslashes in path must be escaped.|
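Review bot: `must be in this order with no limit on repetitions` is ambiguous. It can be read as "every array must contain a PutFile, then a RunScript, then a GetFile" or as "commands of each type may appear any number of times, but all PutFile entries precede all RunScript entries, which precede all GetFile entries". State the rule explicitly, give an example array such as `PutFile, PutFile, RunScript, GetFile`, and say what the API returns when the order is violated. For the `PutFile` change, `Doesn't have a response result` should say what the caller does see for that command in the response: item 7 says a failing command stops all later ones, so the caller needs some per-command status to know whether the PutFile succeeded before its RunScript ran.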
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
Here's an example of the response.
+Possible values for each command status are "Created", "Completed", and "Failed".
+ ```HTTP HTTP/1.1 200 Ok ```
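Review bot: the sentence listing `Created`, `Completed` and `Failed` sits between `Here's an example of the response.` and the fenced block, splitting the lead-in from its example; move it below the block. It should also say what status a command that is never run because an earlier command failed (item 7 above) ends up with, since it cannot be `Completed` or `Failed` and it is not obvious that it stays `Created`.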