+Microsoft 365 Business Basic, Standard, and Premium all include antiphishing, antispam, and antimalware protection to protect your email online. Microsoft 365 Business Premium includes even more security capabilities, such as advanced cybersecurity protection for:

+- Devices, such as computers, tablets, and phones (also referred to as endpoints)

+- Email & collaboration content (such as Office documents)

+- Data (encryption, sensitivity labels, and Data Loss Prevention)

+For more information about what each plan includes, see [Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM).

+## Top 10 ways to secure your business data

+4. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), a retention label policy that doesn't include SharePoint sites can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units), you must select one or more administrative units.

+5. For the page **Assign admin units**: If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), auto-labeling policies for Exchange and OneDrive can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units), you must select one or more administrative units.

+- You have to be assigned the *Audit Logs* role in Exchange Online to turn auditing on or off in your Microsoft 365 organization. By default, this role is assigned to the *Compliance Management* and *Organization Management* role groups on the **Permissions** page in the Exchange admin center. Global admins in Microsoft 365 are members of the *Organization Management* role group in Exchange Online.

+ > Users have to be assigned permissions in Exchange Online to turn auditing on or off. If you assign users the *Audit Logs* role on the **Permissions** page in the compliance portal, they won't be able to turn auditing on or off. This is because the underlying cmdlet is an Exchange Online PowerShell cmdlet.

+Audit (Premium) in Microsoft 365 provides a default audit log retention policy for all organizations. This policy can't be modified and retains all Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory audit records for one year. This default policy retains audit records that contain the value of **AzureActiveDirectory**, **Exchange**, **OneDrive**, and **SharePoint** for the **Workload** property (which is the service in which the activity occurred). Specific workloads and record types can be changed to a different duration using a retention policy. See the [efault retention policy record types](#default-retention-policy-record-types) section in this article for a list of record types for each workload that are included in the default policy.

+- The audit item lifetime for data is determined when it's added to the auditing pipeline and is based on the licensing defaults or applicable retention policies. Any changes to licensing or applicable retention policies change the expiration time of the audit data after updating. These changes don't update any previously committed items.

+ 1. **Policy name:** The name of the audit log retention policy. This name must be unique in your organization, and it can't be changed after the policy is created.

+Audit records for operations in Azure Active Directory, Exchange Online, SharePoint Online, and OneDrive for Business, are retained for one year by default. The following table lists all the record types (for each of these services) included in the default audit log retention policy. This means that audit logs for any operation with this record type are retained for one year unless a custom audit log retention policy takes precedence for a specific record type, operation, or user. The Enum value (which is displayed as the value for the RecordType property in an audit record) for each record type is shown in parentheses.

+> [!IMPORTANT]

+> The audit item lifetime for data is determined when it is added to the auditing pipeline and is based on the licensing defaults or applicable retention policies. Any changes to licensing or applicable retention policies change the expiration time of the audit data after updating. These change don't change any previously committed items.

+4. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), a retention label policy that doesn't include SharePoint sites can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units), you must select one or more administrative units.

+3. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), the retention policy can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units), you must select one or more administrative units.

+3. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), the retention policy can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units), you must select one or more administrative units.

+> If your organization is using [administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) and you're a restricted administrator assigned one or more adminsitrative units, you won't be able to configure a retention policy that includes SharePoint sites or Exchange public folders. For these locations, you must be an unrestricted administrator.

+3. For the **Assign admin units** page: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), a retention policy that doesn't include SharePoint sites or Exchange public folders can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units), you must select one or more administrative units.

+ > By default, tenants don't have any labels and you must create them. The labels in the example picture show default labels that were [migrated from Azure Information Protection](/azure/information-protection/configure-policy-migrate-labels). If you need guidance to create new labels, see [Get started with sensitivity labels](get-started-with-sensitivity-labels.md#guidance-sensitivity-label-names-descriptions).

+4. For the **Assign admin units**: If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), the label policy can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units), you must select one or more administrative units.

+2. Make sure that you have already [configured evidence collection](#endpoint-dlp-settings-configuration) for file activities on devices.

+

+3. Navigate to **Data classification** \> **Activity explorer**.

+4. Select a **rule match** event that was generated by an activity that you're monitoring. The events that you can preview evidence for depend on the policy selections you have made previously, as in the following example:

+5. In the flyout pane, select the file name link under **Evidence file**. The file with the matched content displays.

+1. [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units)

+To comply with regulatory requirements, make sure that the Azure storage accounts that you use are in the same geopolitical or regulatory boundaries as the devices that they're being copied from. Also, be aware of the geopolitical location of the DLP investigators who will be accessing the sensitive items once they're saved. Consider using [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) to scope the administration of the users and devices that the DLP policy will be scoped to. To learn how to use data loss prevention to comply with data privacy regulations, see [Deploy information protection for data privacy regulations with Microsoft Purview](https://go.microsoft.com/fwlink/?linkid=2239593&clcid=0x409). Evidence collection for file activities on devices supports up to 10 Azure storage accounts.

+1. [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units)

+> Be sure you understand the difference between an unrestricted administrator and an administrative unit restricted administrator [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) before you start.

+1. [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units)

+2. **Choose administrative scoping** - DLP supports assigning [Administrative Units](/azure/active-directory/roles/administrative-units) to policies. Administrators who are assigned to an administrative unit can only create and manage policies for the users, groups, distribution groups, and accounts that they're assigned to. So, policies can be applied to all users and groups by an unrestricted administrator, or they can be scoped to administrative units. See, [Policy Scoping](dlp-policy-reference.md#policy-scoping) for more DLP specific details. See, [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) for the details on administrative units across Microsoft Purview Information Protection.

+1. [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units)

+If your organization has implemented [administrative units](microsoft-365-compliance-center-permissions.md#administrative-units), you can scope your DLP policies by administrative unit or leave the scope default, which applies policies to the full directory. For more information, see [Policy Scoping](dlp-policy-reference.md#policy-scoping).

+1. [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units)

+> Be sure you understand the difference between an unrestricted administrator and an administrative unit restricted administrator [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) before you start.

+1. [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units)

+See, [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) to make sure you understand the difference between an unrestricted admin and an administrative unit restricted admin.

+in your organization (depending on the locations that are selected) or to subgroups of your organization called [Administrative Unit restricted policies](#administrative-unit-restricted-policies).

+### Administrative Unit restricted policies

+DLP supports associating policies with administrative units. See [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) for implementation details in the Microsoft Purview compliance portal. Administrative unit admins need to be assigned to one of the same roles or role groups as administrators of unrestricted DLP policies in order to create and manage DLP policies for their administrative unit

+- You must have a valid SMTP address to send the report to. For example: `dlp_admin@contoso.com`

+ For example:

+ `https://contoso.sharepoint.com/personal/user_contoso_com/Documents/test.docx`

+ ```PowerShell

+ $reportAddress = "email@contoso.com"

+ $siteName = "SITENAME@TENANT.onmicrosoft.com"

+ $filePath = "https://Contoso.sharepoint.com/sites/SOMESITENAME/Shared%20Documents/TESTFILE.pptx"

+ $r = Get-Mailbox -Identity $siteName -GroupMailbox

+ $e = $r.EmailAddresses | Where-Object {$_ -like '*SPO*'}

+ Test-DlpPolicies -SiteId $e.Substring(8,36) -FileUrl $filePath -Workload SPO -SendReportTo $reportAddress

+ ```

+3. For OneDrive use the following syntax to get the site ID and save it.

+ ```PowerShell

+ $reportAddress = "email@contoso.com"

+ $odbUser = "USER@TENANT.onmicrosoft.com"

+ $filePath = "https://contoso-my.sharepoint.com/personal/userid_contoso_onmicrosoft_com/Documents/TESTFILE.docx"

+ $r = Get-Mailbox -Identity $odbUser

+ $e = $r.EmailAddresses | Where-Object {$_ -like '*SPO*'}

+ Test-DlpPolicies -SiteId $e.Substring(8,36) -FileUrl $filePath -Workload ODB -SendReportTo $reportAddress

+ ```

+- Run the following syntax in the PowerShell window:

+ ```powershell

+ Test-DlpPolicies -workload <workload> -Fileurl <path/direct link> -SendReportTo <smtpaddress>

+ ```

+## See Also

+- [Test-DataClassification](/powershell/module/exchange/test-dataclassification) explains how to use the PowerShell cmdlet `Test-DataClassification `.

+- [Test-Message](/powershell/module/exchange/test-message) explains how to use the PowerShell cmdlet `Test-Message`.

+-

+### Files monitored via policy

+Endpoint DLP monitors these file types through policy in Windows 10, 11 and in the latest three major releases of macOS:

+| Windows 10, 11 | macOS |

+| -| |

+| .doc, .docx, .docm, .dot, .dotx, .dotm, .docb, .xls, .xlsx, .xlt, .xlm, .xlsm, .xltx, .xltm, .xlsb, .xlw, .ppt, .pptx, .pos, .pps, .pptm, .potx, .potm, .ppam, .ppsx, .pbix, .pdf, .csv, .tsv, .zip, .zipx, .rar, .7z, .tar, .war, .gz, .pst, .dlp, .txt, .c, .class, .cpp, .cs, .h, .java, .html, .htm, .rtf, .json, .config | .doc, .docx, .docm, .dot, .dotx, .dotm, .docb, .xls, .xlsx, .xlt, .xlm, .xlsm, .xltx, .xltm, .xlsb, .xlw, .ppt, .pptx, .pos, .pps, .pptm, .potx, .potm, .ppam, .ppsx, .pbix, .pdf, .csv, .tsv, .pst, .txt, .c, .cpp, .cs, .h, .java, .html, .htm, .rtf, .json, .config |

+> [!NOTE]

+> These file types can be monitored through policy settings in Windows 10, 11, if [OCR](ocr-learn-about.md#learn-about-optical-character-recognition-in-microsoft-purview-preview) is enabled:

+>

+> .jpg, .png, .tif, .tiff, .bmp, .jpeg

+### Files audited regardless of policy match

+Activities can be audited on these file types in Windows 10, 11, and in the latest three major releases of macOS, even if no policy match exists:

+| Windows 10, 11 | macOS |

+| -| |

+|.doc, .docx, .docm, .dot, .dotx, .dotm, .docb, .xls, .xlsx, .xlt, .xlm, .xlsm, .xltx, .xltm, .xlsb, .xlw, .ppt, .pptx, .pos, .pps, .pptm, .potx, .potm, .ppam, .ppsx, .pbix, .pdf, .csv, .tsv, .zip, .zipx, .rar, .7z, .tar, .war, .gz, .pst, .dlp | .doc, .docx, .docm, .dot, .dotx, .dotm, .docb, .xls, .xlsx, .xlt, .xlm, .xlsm, .xltx, .xltm, .xlsb, .xlw, .ppt, .pptx, .pos, .pps, .pptm, .potx, .potm, .ppam, .ppsx, .pbix, .pdf, .csv, .tsv, .pst |

+> [!NOTE]

+> These file types can be audited, regardless of a policy match, in Windows 10, 11, so long as [OCR](ocr-learn-about.md#learn-about-optical-character-recognition-in-microsoft-purview-preview) is enabled:

+>

+> .jpg, .png, .tif, .tiff, .bmp, .jpeg

+File types are a grouping of file formats. They are utilized to protect specific workflows or areas of business. You can use one or more file types as conditions in your DLP policies.

+| File Type | Apps | Monitored file extensions |

+| | -- | --|

+| word processing | Word, PDF | .doc, .docx, .docm, .dot, dotx, .dotm, .docb, .pdf |

+| spreadsheet | Excel, CSV, TSV | .xls, .xlsx, .xlt, .xlm, .xlsm, xltx, xltm, xlsb, .xlw, .csv, .tsv |

+| presentation | PowerPoint | .ppt, .pptx, .pos, .pps, .pptm, .potx, .potm, .ppam, .ppsx |

+| archive | File archive and compression tools | .zip, .zipx, .rar, .7z, .tar, .gz |

+| email | Outlook | .pst, .ost, .msg |

+> Be sure you understand the difference between an unrestricted administrator and an administrative unit restricted administrator [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) before you start.

+For more information about how Microsoft Purview supports administrative units, see [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units).

+For more information about how Microsoft Purview supports administrative units, see [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units).

+<a name="guidance-sensitivity-label-names-descriptions"></a>

+1. **Create the labels.** Create and name your sensitivity labels according to your organization's classification taxonomy for different sensitivity levels of content. Use common names or terms that make sense to your users. If you don't already have an established taxonomy, consider starting with label names such as Personal, Public, General, Confidential, and Highly Confidential. You can then use sublabels to group similar labels by category.

+

+ For each label, specify a tooltip to help users select the appropriate label and consider including specific examples. However, don't make the tooltip so long that users won't read it, and be aware that some apps might truncate long tooltips.

+

+ > [!NOTE]

+ > For some recommended examples, see the label names and descriptions for the [default sensitivity labels](mip-easy-trials.md#default-sensitivity-labels). For more guidance about defining a classification taxonomy, see [Data classification & sensitivity label taxonomy](/assurance/assurance-data-classification-and-labels.md).

+ Always test and tailor your sensitivity label names and tooltips with the people who need to apply them.

+For more information about how Microsoft Purview supports administrative units, see [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units).

+# Set up a connector to import physical badging data

+> If you're already a [scoped admin](microsoft-365-compliance-center-permissions.md#administrative-units) for Microsoft Purview, you can't turn on quick setup.

+description: Learn about the Priority physical assets settings for Microsoft Purview Insider Risk Management.

+2. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, select the **Settings** button, and then select **Priority physical assets**.

+3. On the **Priority physical assets** page, you can either manually add the physical asset IDs imported by the Physical badging connector or import a CSV file of all physical assets IDs imported by the Physical badging connector:

+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management**, select the **Settings** button, and then select **Priority physical assets**.

+2. On the **Priority physical assets** page, select the asset you want to delete.

+## Administrative units

+> Support for administrative units is in preview for some Microsoft Purview solutions: data lifecycle management, communication compliance, and records management

+- For DLP: [Administrative Unit restricted policies](dlp-policy-reference.md#administrative-unit-restricted-policies)

+9. On the **Assign admin units** pane, select the checkbox for all the administrative units you want to assign to the users or groups. Select **Select**.

+13. On the **Assign admin units** pane, select the checkbox for all the administrative units you want to assign to the users or groups. Select **Select**.

+4. Follow the prompts in the configuration where you'll first be asked to assign an administrative unit. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units), you must select one administrative unit that will restrict the scope membership.

+- **In preview**: Now rolling out in preview, OneDrive locations for [auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) are changing from sites specified by URLs to users and groups. This change of configuration means that [administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) are now supported for OneDrive auto-labeling policies. Any existing OneDrive sites specified in auto-labeling policies as site URLs will continue to work but before you can add more OneDrive locations, or for restricted admins, you must first delete any existing OneDrive sites specified as URLs. Groups supported: distribution groups, Microsoft 365 groups, mail-enabled security groups, and security groups.

+- **In preview**: [Support for Azure Active Directory administrative units](/microsoft-365/compliance/microsoft-365-compliance-center-permissions#administrative-units). Administrative units let you subdivide your organization into smaller units, and then assign specific administrators that can manage only the members of those units.

+## Week of July 03, 2023

+| Published On |Topic title | Change |

+|||--|

+| 7/3/2023 | [Tamper resiliency with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/tamper-resiliency?view=o365-worldwide) | modified |

+| 7/3/2023 | [Protect against threats in Microsoft Defender for Office 365, Anti-malware, Anti-Phishing, Anti-spam, Safe links, Safe attachments, Zero-hour auto purge (ZAP), MDO security configuration](/microsoft-365/security/office-365-security/protect-against-threats?view=o365-worldwide) | modified |

+| 7/3/2023 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files?view=o365-worldwide) | modified |

+| 7/3/2023 | [Find and release quarantined messages as a user](/microsoft-365/security/office-365-security/quarantine-end-user?view=o365-worldwide) | modified |

+| 7/3/2023 | [Publish and apply retention labels](/microsoft-365/compliance/create-apply-retention-labels?view=o365-worldwide) | modified |

+| 7/4/2023 | [Microsoft 365 Copilot Early Access Program](/microsoft-365/admin/copilot/m365-early-access-program?view=o365-worldwide) | modified |

+| 7/4/2023 | [Learn about archive mailboxes for Microsoft Purview](/microsoft-365/compliance/archive-mailboxes?view=o365-worldwide) | modified |

+| 7/5/2023 | [Add your brand to encrypted messages](/microsoft-365/compliance/add-your-organization-brand-to-encrypted-messages?view=o365-worldwide) | modified |

+| 7/5/2023 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified |

+| 7/5/2023 | [Overview of the Alerts page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-alerts-overview?view=o365-worldwide) | added |

+| 7/5/2023 | [Create and manage alert rules in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-create-manage-alert-rules?view=o365-worldwide) | added |

+| 7/5/2023 | [Overview of the Multifactor authentication page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-mfa-overview?view=o365-worldwide) | added |

+| 7/5/2023 | [Manage multifactor authentication in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-manage-mfa?view=o365-worldwide) | modified |

+| 7/5/2023 | [Configure scanning options for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus?view=o365-worldwide) | modified |

+| 7/5/2023 | [Overview of next-generation protection in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/next-generation-protection?view=o365-worldwide) | modified |

+| 7/6/2023 | [Commit a collection estimate to a review set](/microsoft-365/compliance/ediscovery-commit-draft-collection?view=o365-worldwide) | modified |

+| 7/6/2023 | [Data loss prevention policy tip reference for SharePoint Online and OneDrive for Business web client](/microsoft-365/compliance/dlp-spo-odbweb-policy-tips?view=o365-worldwide) | added |

+| 7/6/2023 | [Create and manage communication compliance policies](/microsoft-365/compliance/communication-compliance-policies?view=o365-worldwide) | modified |

+| 7/6/2023 | [Microsoft Defender for Identity in Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-center-mdi?view=o365-worldwide) | modified |

+| 7/6/2023 | Redirecting accounts from Microsoft Defender for Identity to Microsoft 365 Defender | removed |

+| 7/7/2023 | [Create and deploy a data loss prevention policy](/microsoft-365/compliance/dlp-create-deploy-policy?view=o365-worldwide) | modified |

+| 7/7/2023 | [Minimum versions for sensitivity labels in Microsoft 365 Apps](/microsoft-365/compliance/sensitivity-labels-versions?view=o365-worldwide) | modified |

+| 7/7/2023 | [Microsoft 365 monitoring](/microsoft-365/enterprise/microsoft-365-monitoring?view=o365-worldwide) | modified |

+| 7/7/2023 | [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide) | modified |

+| 7/7/2023 | [Understanding detection technology within the email entity page in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/understand-detection-technology-in-email-entity?view=o365-worldwide) | added |

+| 7/7/2023 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-worldwide) | modified |

+>[!TIP]

+>You can export your list of policies through the [Microsoft Intune admin center](https://intune.microsoft.com/).

+## Hide potential duplicate device records

+By enabling this feature, you can ensure that you're seeing the most accurate information about your devices by hiding potential duplicate device records. There are different reasons duplicate device records might occur, for example, the device discovery capability in Microsoft Defender for Endpoint might scan your network and discover a device that's already onboarded or a has recently been offboarded.

+This feature will identify potential duplicate devices based on their hostname and last seen time. The duplicate devices will be hidden from multiple experiences in the portal, such as, the Device Inventory, Microsoft Defender Vulnerability Management pages, and Public APIs for machine data, leaving the most accurate device record visible. However, the duplicates will still be visible in global search, advanced hunting, alerts, and incidents pages.

+This setting is turned on by default and is applied tenant wide. If you don't want to hide potential duplicate device records, you'll need to manually turn off the feature.

+Check out [Identify Defender for Endpoint architecture and deployment method](deployment-strategy.md) to see the various paths in deploying Defender for Endpoint.

+Check out [Identify Defender for Endpoint architecture and deployment method](deployment-strategy.md) to see the various paths in deploying Defender for Endpoint.

+Check out [Identify Defender for Endpoint architecture and deployment method](deployment-strategy.md) to see the various paths in deploying Defender for Endpoint.

+## Onboard devices

+After successfully onboarding devices to the service, you'll need to configure the individual components of Microsoft Defender for Endpoint. Follow [Configure capabilities](onboard-configure.md#configure-capabilities) to be guided on enabling the various components.

+ Title: Identify Defender for Endpoint architecture and deployment method

+# Identify Defender for Endpoint architecture and deployment method

+YouΓÇÖve already completed steps to set up your Microsoft Defender for Endpoint deployment and assigned roles and permissions for Defender for Endpoint. Next, plan for onboarding your devices by identifying your architecture and choosing your deployment method.

+We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service. Deciding how to onboard endpoints to the Defender for Endpoint service comes down to two important steps:

+## Step 1: Identify your architecture

+Depending on your environment, some tools are better suited for certain architectures. Use the table below to decide which Defender for Endpoint architecture best suits your organization.

+|Architecture |Description |

+|||

+|**Cloud-native**| We recommend using Microsoft Intune to onboard, configure, and remediate endpoints from the cloud for enterprises that don't have an on-premises configuration management solution or are looking to reduce their on-premises infrastructure. |

+|**Co-management**| For organizations that host both on-premises and cloud-based workloads we recommend using Microsoft's ConfigMgr and Intune for their management needs. These tools provide a comprehensive suite of cloud-powered management features, as well as unique co-management options to provision, deploy, manage, and secure endpoints and applications across an organization. |

+|**On-premise**|For enterprises that want to take advantage of the cloud-based capabilities of Microsoft Defender for Endpoint while also maximizing their investments in Configuration Manager or Active Directory Domain Services, we recommend this architecture.|

+|**Evaluation and local onboarding**|We recommend this architecture for SOCs (Security Operations Centers) that are looking to evaluate or run a Microsoft Defender for Endpoint pilot, but don't have existing management or deployment tools. This architecture can also be used to onboard devices in small environments without management infrastructure, such as a DMZ (Demilitarized Zone).|

+Once you have determined the architecture of your environment and have created an inventory as outlined in the [requirements section](../defender-endpoint/mde-planning-guide.md#requirements), use the table below to select the appropriate deployment tools for the endpoints in your environment. This will help you plan the deployment effectively.

+|**Windows servers<br>Linux servers** | [Integration with Microsoft Defender for Cloud](azure-server-integration.md)

+>[!Note]

+> For devices that aren't managed by Microsoft Intune or Microsoft Configuration Manager, you can use the Security Management for Microsoft Defender for Endpoint to receive security configurations for Microsoft Defender directly from Intune.

+## Next step

+After choosing your Defender for Endpoint architecture and deployment method continue to [Step 4 - Onboard devices](onboarding.md).

+- [Microsoft Defender for Business](/microsoft-365/security/defender-business)

+# Investigate a file

+- File details and PE metadata (if it exists)

+- Incidents and alerts

+- File content and capabilities (if a file has been analyzed by Microsoft)

+The file actions are above the file information cards at the top of the profile page. Actions you can perform here include:

+- Manage indicator

+- Ask Defender Experts

+- Go hunt

+- Deep analysis

+See [take response action on a file](respond-file-alerts.md) for more information on these actions.

+## File page overview

+The file page offers an overview of the fileΓÇÖs details and attributes, the incidents and alerts where the file is seen, file names used, the number of devices where the file was seen in the last 30 days, including the dates when the file was first and last seen in the organization, Virus Total detection ratio, Microsoft Defender Antivirus detection, the number of cloud apps connected to the file, and the fileΓÇÖs prevalence in devices outside of the organization.

+> Different users may see dissimilar values in the *devices in organization* section of the file prevalence card. This is because the card displays information based on the role-based access control (RBAC) scope that a user has. This means if a user has been granted visibility on a specific set of devices, they will only see the file organizational prevalence on those devices.

+The **Incidents and alerts** tab provides a list of incidents that are associated with the file and the alerts the file is linked to. This list covers much of the same information as the incidents queue. You can choose what kind of information is shown by selecting **Customize columns**. You can also filter the list by selecting **Filter**.

+The **Observed in organization** tab shows you the devices and cloud apps observed with the file. File history related to devices can be shown up to the last six months, whereas cloud apps-related history is up to the last 30 days

+### Devices

+This section shows all the devices where the file is detected. The section includes a trending report identifying the number of devices where the file has been observed in the past 30 days. Below the trendline, you can find detailed information on the file on each device where it is seen, including file execution status, first and last seen events on each device, initiating process and time, and file names associated with a device.

+You can click on a device on the list to explore the full six months file history on each device and pivot to the first seen event in the device timeline.

+### Cloud apps

+> [!NOTE]

+> The Defender for Cloud Apps workload must be enabled to see file information related to cloud apps.

+This section shows all the cloud applications where the file is observed. It also includes information like the fileΓÇÖs names, the users associated with the app, the number of matches to a specific cloud app policy, associated appsΓÇÖ names, when the file was last modified, and the fileΓÇÖs path.

+## File content and capabilities

+> [!NOTE]

+> The file content and capabilities views depend on whether Microsoft analyzed the file.

+The File content tab lists information about portable executable (PE) files, including process writes, process creation, network activities, file writes, file deletes, registry reads, registry writes, strings, imports, and exports. This tab also lists all the fileΓÇÖs capabilities.

+The file capabilities view lists a fileΓÇÖs activities as mapped to the MITRE ATT&CKΓäó techniques.

+- [Take response actions on a file](respond-file-alerts.md)

+### Incidents and alerts

+The **Incidents and alerts** tab provides a list of incidents and alerts that are associated with the device. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the incident, alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts.

+When an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related devices. Multiple alerts can be selected at a time.

+To see a full page view of an alert, select the title of the alert.

+### Security policies

+The **Security policies** tab shows the endpoint security policies that are applied on the device. You'll see a list of policies, type, status, and last check-in time. Selecting the name of a policy, will take you to the policy details page where you can see the policy settings status, applied devices, and assigned groups.

+<details>

+ <summary> July-2023 (Build: 101.23052.0009 | Release version: 30.123052.0009.0)</summary>

+## July-2023 Build: 101.23052.0009 | Release version: 30.123052.0009.0

+&ensp;Released: **July 10,2023**<br/>

+&ensp;Published: **July 10,2023**<br/>

+&ensp;Build: **101.23052.0009**<br/>

+&ensp;Release version: **30.123052.0009.0**<br/>

+&ensp;Engine version: **1.1.20300.5**<br/>

+&ensp;Signature version: **1.391.2837.0**<br/>

+**What's new**

+- There are multiple fixes and new changes in this release

+ - The build version schema is updated from this release. While the major version number remains same as 101, the minor version number will now have 5 digits followed by 4 digit patch number i.e. 101.xxxxx.yyy

+ - Improved Network Protection memory consumption under stress

+ - Updated engine version to 1.1.20300.5 and signature version to 1.391.2837.0.

+ - Bug fixes.

+**Known issues**

+- While upgrading from mdatp version 101.75.43 or 101.78.13, you may encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at [System hang due to blocked tasks in fanotify code](https://access.redhat.com/solutions/2838901).

+There are two ways to mitigate this upgrade issue:

+1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

+Example:

+```bash

+sudo apt purge mdatp

+sudo apt-get install mdatp

+```

+2. As an alternative you can follow the instructions to [uninstall](/microsoft-365/security/defender-endpoint/linux-resources#uninstall), then [install](/microsoft-365/security/defender-endpoint/linux-install-manually#application-installation) the latest version of the package.

+If you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrading.

+Some customers (<1%) experience issues with this method.

+ ```bash

+sudo mdatp config real-time-protection --value=disabled

+sudo systemctl disable mdatp

+```

+</details>

+ Title: Manage endpoint security policies in Microsoft Defender for Endpoint

+description: Learn how to set windows, mac, and linux endpoint security policies such as antivirus, firewall, endpoint detection and response in Microsoft Defender for Endpoint.

+keywords: policies, security policy, configure policies,

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+- m365-security

+- tier2

+search.appverid: met150

+# Manage endpoint security policies in Microsoft Defender for Endpoint

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+>[!NOTE]

+>The following capability is only available to customers who turn on preview features. For more information, see [Turn on preview features](preview.md#turn-on-preview-features).

+Use security policies to manage security settings on devices. As a security administrator, you can configure security policy settings in Microsoft 365 Defender.

+You'll find endpoint security policies under **Endpoints > Configuration management > Endpoint security policies**.

+The following list provides a brief description of each endpoint security policy type:

+- **Antivirus** - Antivirus policies help security admins focus on managing the discrete group of antivirus settings for managed devices.

+- **Disk encryption** - Endpoint security Disk encryption profiles focus on only the settings that are relevant for a devices built-in encryption method, like FileVault or BitLocker. This focus makes it easy for security admins to manage disk encryption settings without having to navigate a host of unrelated settings.

+- **Firewall** - Use the endpoint security Firewall policy in Intune to configure a devices built-in firewall for devices that run macOS and Windows 10/11.

+- **Endpoint detection and response** - When you integrate Microsoft Defender for Endpoint with Intune, use the endpoint security policies for endpoint detection and response (EDR) to manage the EDR settings and onboard devices to Microsoft Defender for Endpoint.

+- **Attack surface reduction** - When Defender antivirus is in use on your Windows 10/11 devices, use Intune endpoint security policies for Attack surface reduction to manage those settings for your devices.

+## Create an endpoint security policy

+>[!NOTE]

+>Currently, only antivirus policies are supported.

+1. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a> using at least a security admin role.

+2. Select **Endpoints > Configuration management > Endpoint security policies** and then select **Create new Policy**.

+3. Select a platform from the dropdown list.

+4. Select a template, then select **Create policy**.

+5. On the **Basics** page, enter a name and description for the profile, then choose **Next**.

+6. On the **Settings** page, expand each group of settings, and configure the settings you want to manage with this profile.

+ When you're done configuring settings, select **Next**.

+7. On the **Assignments** page, select the groups that will receive this profile.

+ Select **Next**.

+8. On the **Review + create** page, when you're done, select **Save**. The new profile is displayed in the list when you select the policy type for the profile you created.

+>[!NOTE]

+>To edit the scope tags, you'll need to go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).

+## To edit an endpoint security policy

+1. Select the new policy, and then select **Edit**.

+

+2. Select **Settings** to expand a list of the configuration settings in the policy. You can't modify the settings from this view, but you can review how they're configured.

+3. To modify the policy, select **Edit** for each category where you want to make a change:

+ - Basics

+ - Settings

+ - Assignments

+4. After you've made changes, select **Save** to save your edits. Edits to one category must be saved before you can introduce edits to additional categories.

+## Verify endpoint security policies

+To verify that you have successfully created a policy, select a policy name from the list of endpoint security policies.

+>[!NOTE]

+>It can take up to 90 minutes for a policy to reach a device. To expedite the process, for devices Managed by Defender for Enpoint, you can select **Policy sync** from the actions menu so that it is applied in approximately 10 minutes.

+> :::image type="content" source="./images/policy-sync.png" alt-text="Image showing policy sync button":::

+The policy page displays details that summarize the status of the policy. You can view a policy's status, which devices it has been applied to, and assigned groups.

+During an investigation, you can also view the **Security policies** tab in the device page to view the list of policies that are being applied to a particular device. For more information, see [Investigating devices](investigate-machines.md#security-policies).

+ Title: Get started with your Microsoft Defender for Endpoint deployment

+description: Learn how to get started with the deploy, setup, licensing validation, tenant configuration, network configuration stages

+keywords: deploy, setup, network configuration

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ - m365-security

+ - m365solution-endpointprotect

+ - m365solution-scenario

+ - highpri

+ - tier1

+search.appverid: met150

+# Get started with your Microsoft Defender for Endpoint deployment

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+Maximize available security capabilities and better protect your enterprise from cyber threats by deploying Microsoft Defender for Endpoint and onboarding your devices. Onboarding your devices will enable you to identify and stop threats quickly, prioritize risks, and evolve your defenses across operating systems and network devices.

+This guide provides five steps to help deploy Defender for Endpoint as your multi-platform endpoint protection solution. It will help you choose the best deployment tool, onboard devices, and configure capabilities. Each step corresponds to a separate article.

+The steps to deploy Defender for Endpoint are:

+1. [Step 1 - Set up Microsoft Defender for Endpoint deployment](production-deployment.md): This step focuses on getting your environment ready for deployment.

+2. [Step 2 - Assign roles and permissions](prepare-deployment.md): Identify and assign roles and permissions to view and manage Defender for Endpoint.

+3. [Step 3 - Identify your architecture and choose your deployment method](deployment-strategy.md): Identify your architecture and the deployment method that best suits your organization.

+4. [Step 4 - Onboard devices](onboarding.md): Assess and onboard your devices to Defender for Endpoint.

+5. [Step 5 - Configure capabilities](onboard-configure.md): You're now ready to configure Defender for Endpoint security capabilities to protect your devices.

+## Requirements

+The following is a list of pre-requisites required to deploy Defender for Endpoint:

+- You're a global admin

+- You meet the [minimum requirements](minimum-requirements.md)

+- You have a full inventory of your environment. The table below provides a starting point to gather information and ensure your environment is deeply understood by stakeholders, which will help identify potential dependencies and/or changes required in technologies or processes.

+|What|Description|

+|||

+|Endpoint count|Total count of endpoints by operating system.|

+|Server count|Total count of Servers by operating system version.|

+|Management engine|Management engine name and version (for example, System Center Configuration Manager Current Branch 1803).|

+|CDOC distribution|High level CDOC structure (for example, Tier 1 outsourced to Contoso, Tier 2 and Tier 3 in-house distributed across Europe and Asia).|

+|Security information and event (SIEM)|SIEM technology in use.|

+## Next step

+Start your deployment with [Step 1 - Set up Microsoft Defender for Endpoint deployment](production-deployment.md)

+- Beginning with platform version 4.18.2208.0 and later: If a server has been onboarded to Microsoft Defender for Endpoint, the "Turn off Windows Defender" [group policy setting](configure-endpoints-gp.md#update-endpoint-protection-configuration) will no longer completely disable Windows Defender Antivirus on Windows Server 2012 R2 and later operating systems. Instead, it is either ignored (if [ForceDefenderPassiveMode](switch-to-mde-phase-2.md#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) is configured explicitly) or it places Microsoft Defender Antivirus into [passive mode](microsoft-defender-antivirus-windows.md#comparing-active-mode-passive-mode-and-disabled-mode) (if `ForceDefenderPassiveMode` isn't configured). Moreover, [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) allows a switch to active mode via changing `ForceDefenderPassiveMode` to `0`, but not to passive mode. These changes apply only to servers onboarded to Microsoft Defender for Endpoint. For more information, please refer to [Microsoft Defender Antivirus compatibility with other security products](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions)

+# Configure Microsoft Defender for Endpoint capabilities

+In this step, you're ready to configure Microsoft Defender for Endpoint capabilities.

+## Configure capabilities

+In many cases, organizations will have existing endpoint security products in place. The bare minimum being an antivirus solution, but in some cases, an organization might have existing endpoint detection and response solution.

+It is common that Defender for Endpoint will need to exist along side these existing endpoint security products either indefinitely or during a cutover period. Fortunately, Defender for Endpoint and the endpoint security suite is modular and can be adopted in a systematic approach.

+Onboarding devices effectively enables the endpoint detection and response capability of Microsoft Defender for Endpoint. After onboarding the devices, you'll then need to configure the other capabilities of the service. The following table lists the capabilities you can configure to get the best protection for your environment and the order Microsoft recommends for how the endpoint security suite should be enabled.

+| Capability | Description |Adoption Order Rank|

+||||

+|[Endpoint Detection & Response (EDR)](overview-endpoint-detection-response.md)|Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. <p>|1|

+| [Configure Microsoft Defender Vulnerability Management](../defender-vulnerability-management/tvm-prerequisites.md) | Defender Vulnerability Management is a component of Microsoft Defender for Endpoint, and provides both security administrators and security operations teams with unique value, including: <br><br> - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities. <br><br> - Invaluable device vulnerability context during incident investigations. <br><br> - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager.|2|

+| [Configure Next-generation protection (NGP)](configure-microsoft-defender-antivirus-features.md) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:<br> <br>-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.<br> <br> - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").<br><br> - Dedicated protection updates based on machine learning, human and automated big-data analysis, and in-depth threat resistance research. |3|

+| [Configure attack surface reduction (ASR)](overview-attack-surface-reduction.md) | Attack surface reduction capabilities in Microsoft Defender for Endpoint help protect the devices and applications in the organization from new and emerging threats. |4|

+| [Configure Auto Investigation & Remediation (AIR) capabilities](configure-automated-investigations-remediation.md) | Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.|Not applicable|

+| [Configure Microsoft Defender Experts capabilities](../defender/defender-experts-for-hunting.md) | Microsoft Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.|Not applicable|

+You'll need to go through onboarding steps of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.

+This article acts as an example onboarding method.

+This article acts as an example onboarding method.

+ Title: Onboard to Microsoft Defender for Endpoint

+# Onboard to Microsoft Defender for Endpoint

+## Onboard devices using any of the supported management tools

+In the previous step you decided on which deployment method to use. The deployment tool you use influences how you onboard endpoints to the service.

+To start onboarding your devices:

+1. Go to [Select deployment method](../defender-endpoint/deployment-strategy.md#step-2-select-deployment-method).

+2. Choose the Operating System for the devices you wish to Onboard.

+3. Select the tool you plan to use.

+4. Follow the instructions to Onboard your devices.

+This video provides a quick overview of the onboarding process and the different tools and methods.

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bGqr]

+## Deploy using a ring-based approach

+### New deployments

+A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria are met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they're satisfied before moving on to the next ring. Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service.

+This table provides an example of the deployment rings you might use:

+|Deployment ring|Description|

+|||

+|Evaluate|Ring 1: Identify 50 devices to onboard to the service for testing.|

+|Pilot|Ring 2: Identify and onboard the next 50-100 endpoints in a production environment. Microsoft Defender for Endpoint supports various endpoints that you can onboard to the service, for more information, see [Select deployment method](deployment-strategy.md#step-2-select-deployment-method).|

+|Full deployment|Ring 3: Roll out service to the rest of environment in larger increments. For more information, see [Get started with your Microsoft Defender for Endpoint deployment](mde-planning-guide.md).

+### Exit criteria

+An example set of exit criteria for each ring can include:

+- Devices show up in the device inventory list

+- Alerts appear in dashboard

+- [Run a detection test](run-detection-test.md)

+- [Run a simulated attack on a device](attack-simulations.md)

+## Existing deployments

+### Windows endpoints

+For Windows and/or Windows Servers, you select several machines to test ahead of time (before patch Tuesday) by using the **Security Update Validation program (SUVP)**.

+For more information, see:

+- [What is the Security Update Validation Program](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-is-the-security-update-validation-program/ba-p/275767)

+- [Software Update Validation Program and Microsoft Malware Protection Center Establishment - TwC Interactive Timeline Part 4](https://www.microsoft.com/security/blog/2012/03/28/software-update-validation-program-and-microsoft-malware-protection-center-establishment-twc-interactive-timeline-part-4/)

+### Non-Windows endpoints

+With macOS and Linux, you could take a couple of systems and run in the Beta channel.

+> [!NOTE]

+> Ideally at least one security admin and one developer so that you are able to find compatibility, performance and reliability issues before the build makes it into the Current channel.

+The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current.

+In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either Beta or Preview.

+> [!WARNING]

+> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.

+To provide some guidance on your deployments, in this section we'll guide you through using two deployment tools to onboard endpoints.

+For some additional information and guidance, check out the [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) or [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) to see the various paths for deploying Defender for Endpoint.

+The example deployments will guide you on configuring some of the Defender for Endpoint capabilities, but you'll find more detailed information on configuring Defender for Endpoint capabilities in the [next step](#next-step).

+## Next step

+After onboarding the endpoints move on to the next step where you'll configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.

+- [Step 5 - Configure capabilities](onboard-configure.md)

+ Title: Assign roles and permissions

+description: Configure permissions deploying Microsoft Defender for Endpoint

+keywords: deploy, prepare, permissions, environment, endpoint, server

+# Assign roles and permissions for Microsoft Defender for Endpoint deployment

+The next step when deploying Defender for Endpoint is to assign roles and permissions for The Defender for Endpoint deployment.

+After assigning roles and permissions to view and manage Defender for Endpoint it's time for [Step 3 - Identify your architecture and choose your deployment method](deployment-strategy.md).

+The first step when deploying Microsoft Defender for Endpoint is to set up your Defender for Endpoint environment.

+> For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Configuration Manager. Defender for Endpoint supports the use of other onboarding tools but we won't cover those scenarios in the deployment guide. For more information, see [Identify Defender for Endpoint architecture and deployment method](deployment-strategy.md).

+- Continue to [Step 2 - Assign roles and permissions](prepare-deployment.md)

+- Stop and quarantine file

+- Manage indicator

+- Manual actions

+- Go hunt

+- Deep analysis

+You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep analysis and read past reports by selecting the **Deep analysis** action.

+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available at the top of the file's page. Select the three dots to access the **Deep analysis** action.

+Learn about deep analysis in the following video:

+> - This action is supported for macOS and Linux for client version 101.98.84 and above. It is in preview. You can also use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md)

+> - Isolating devices from the network is supported for macOS for client version 101.98.84 and above. It is in preview. You can also use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md)

+|Operating System|Windows 10 & 11|Windows Server 2012 R2 <sup>[1]</sup>, <br> 2016 <sup>[1]</sup>, <br> 2019 & 2022, <br> 1803+|macOS|Linux|

+|[Network Protection](network-protection.md)||| <sup>[2]</sup>| <sup>[2]</sup>|

+|[Web Protection](web-protection-overview.md)||| <sup>[2]</sup>| <sup>[2]</sup>|

+|[Custom network indicators](indicator-ip-domain.md)||| <sup>[2]</sup>| <sup>[2]</sup>|

+|[Device response capabilities: collect investigation package ](respond-machine-alerts.md) |  |  |  <sup>[3]</sup> |  <sup>[3]</sup> |

+|[Device response capabilities: run AV scan](respond-machine-alerts.md) |  |  |  <sup>[2]</sup> |  <sup>[2]</sup> |

+|[Device isolation](respond-machine-alerts.md) |  |  |  <sup>[2]</sup> |  <sup>[2]</sup> |

+|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes |  |  |  <sup>[4]</sup> |  <sup>[4]</sup> |

+<sup>[1]</sup> Refers to the modern, unified solution for Windows Server 2012 R2 and 2016. For more information, see [Onboard Windows Servers to the Defender for Endpoint service](configure-server-endpoints.md).

+<sup>[2]</sup> Feature is currently in preview ([Microsoft Defender for Endpoint preview features](preview.md))

+<sup>[3]</sup> Response capabilities using Live Response [2]

+<sup>[4]</sup> Collect file only, using Live Response [2]

+>[!NOTE]

+>Customers who have turned on [preview features](preview.md#turn-on-preview-features) will have early access to the endpoint security policies management that does not require Azure Active Directory registration for device management scenarios. The sections below that refer to Azure AD registration do not apply for customers enrolled in the public preview.

+## July 2023

+- [Manage endpoint security policies in Defender for Endpoint is now in public preview](manage-security-policies.md) <br> You can now configure security settings directly in Microsoft 365 Defender.

+

+- Microsoft Defender Antivirus scan is supported for macOS and Linux for client version 101.98.84 and above. It is in preview. See [Run Microsoft Defender Antivirus scan on devices](respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-devices).

+- Isolating devices from the network is supported for macOS for client version 101.98.84 and above. It is in preview. See [Isolate devices from the network](respond-machine-alerts.md#isolate-devices-from-the-network).

+- Forcibly releasing devices from isolation is now available for public preview. This new capability allows you to forcibly release devices from isolation, when isolated devices become unresponsive. For more information, see [Forcibly release device from isolation](respond-machine-alerts.md#forcibly-release-device-from-isolation).

+ Title: List of fixed customer reported inaccuracies

+description: List the reported inaccuracies that were fixed.

+keywords: vulnerability management, Microsoft Defender Vulnerability Management, recommendations, report inaccuracy

+search.appverid: MET150

+ms.pagetype: security

+audience: ITPro

+ - m365-security

+ - tier2

+ms.localizationpriority: medium

+# Fixed customer reported inaccuracies

+The report inaccuracy capabilities provides a way to report false positive, inaccurate, or incomplete information identified in [Weaknesses](https://security.microsoft.com/vulnerabilities/cves) and [Recommendations](https://security.microsoft.com/security-recommendations) in the Microsoft 365 Defender portal. Microsoft uses the information in reported inaccuracies to:

+- Help update and correct the data for the organization that reported the inaccuracy

+- As a basis to continue to improve our vulnerability management capabilities

+You can use this article to find details on the inaccuracies that have been reported and are now fixed. The following tables present the fixed inaccuracies organized by month:

+## June 2023

+Inaccuracy report ID |Description |Fix date |

+:|:|:|

+24147 | Fixed inaccuracy in CVE-2023-29338 | 5-Jun-23

+24145 | Fixed inaccurate detections in product - dbeaver | 06-Jun-23

+23877 | Disabled Defender Vulnerability Management assessment for oracle_ bpftool | 06-Jun-23

+24620 | Disabled Defender Vulnerability Management for synology_chat | 12-Jun-23

+25091 | Updated inaccurate EOS date for oracle_jdk version 7 | 15-Jun-23

+23425 | Fixed inaccurate detections in mongodb & mongosh | 21-Jun-23

+23188 | Fixed inaccurate detections in oracle: vm_virtualbox & vm_virtualbox_guest_additions | 21-Jun-23

+25559 | Fixed inaccuracy in Halo version -1.0.0.0 | 22-Jun-23

+25762 | Fixed inaccuracy in CVE-2022-48435 | 28-Jun-23

+25639 | Fixed inaccurate file path detections in apache_commonsText | 28-Jun-23

+26367 | Fixed inaccurate file path detections in Winrar | 28-Jun-23

+27146 | Fixed inaccuracy in Windows 2012 r2 - KB5012170 | 28-Jun-23

+22866 | Fixed normalization issue in dell optiplex_7470_ firmware | 29-Jun-23

+- **Honor DMARC record policy when the message is detected as spoof**: This setting turns on honoring the sender's DMARC policy for explicit email authentication failures. When this setting is selected, the following settings are available:

+ - **Honor DMARC record policy when the message is detected as spoof**: This setting is selected by default, and allows you to control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks and the DMARC policy is set to `p=quarantine` or `p=reject`:

+ - **Quarantine the message**

+ - **Reject the message**: This is the default value.

+- Honoring `p=quarantine` and `p=reject` in sender DMARC policies is on by default (we aren't using the _HonorDmarcPolicy_ parameter, and the default value is `$true`).

+ - Messages that fail DMARC where the sender's DMARC policy is `p=reject` are rejected (we aren't using the _DmarcRejectAction_ parameter, and the default value is Reject).

+New-AntiPhishPolicy -Name "Monitor Policy" -AdminDisplayName "Research department policy" -AuthenticationFailAction Quarantine

+ - **Honor DMARC record policy when the message is detected as spoof**: This setting is selected by default, and allows you to control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks and the DMARC policy is set to `p=quarantine` or `p=reject`:

+ - **Quarantine the message**

+ - **Reject the message**: This is the default value.

+- Honoring `p=quarantine` and `p=reject` in sender DMARC policies is on by default (we aren't using the _HonorDmarcPolicy_ parameter, and the default value is `$true`).

+ - Messages that fail DMARC where the sender's DMARC policy is `p=reject` are rejected (we aren't using the _DmarcRejectAction_ parameter, and the default value is Reject).

+New-AntiPhishPolicy -Name "Monitor Policy" -AdminDisplayName "Research department policy" -EnableOrganizationDomainsProtection $true -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect fabrikam.com -TargetedDomainProtectionAction Quarantine -EnableTargetedUserProtection $true -TargetedUsersToProtect "Mai Fujito;mfujito@fabrikam.com" -TargetedUserProtectionAction Quarantine -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction -AuthenticationFailAction Quarantine -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true

+## July 2023

+- Use anti-phishing policies to control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks and the DMARC policy is set to `p=quarantine` or `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

+DMARC `p=reject` is a policy that's set in the DMARC TXT record by domain owners to notify service providers to *reject* email that fails DMARC.

+It came about because when OReject is set as the default, rejected email was sent to quarantine in Enterprise, and to the Junk Email folder in Consumer (due to lack of quarantine in Consumer). However, with DMARC `p=reject`, the email is rejected.

+If the DMARC policy of the sending domain is `p=reject`, [Exchange Online Protection](eop-about.md) (EOP) rejects the message by default. You can configure anti-phishing policies to honor or not honor `p=quarantine` and `p=reject` in sender DMARC policies, and specify separate actions for `p=quarantine` and `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

+When anti-phishing policies are configured to not honor `p=quarantine` or `p=reject` in DMARC policies, messages that fail DMARC are marked as spam and aren't rejected. Users can still get these messages in their inbox through these methods:

+ |2|High confidence Phish|CAT:HPHSH|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|

+ |3|Phishing|CAT:PHSH|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|

+ |4|High confidence spam|CAT:HSPM|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|

+ |5|Spoofing|CAT:SPOOF|[Spoof intelligence insight in EOP](anti-spoofing-spoof-intelligence.md)|

+ |6<sup>\*</sup>|User impersonation (protected users)|UIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)|

+ |7<sup>\*</sup>|Domain impersonation (protected domains)|DIMP|[Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)|

+ |8|Spam|CAT:SPM|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|

+ |9|Bulk|CAT:BULK|[Configure anti-spam policies in EOP](anti-spam-policies-configure.md)|

+|`action`|Indicates the action taken by the spam filter based on the results of the DMARC check. For example: <ul><li>`oreject` or `o.reject`: Stands for override reject. In this case, Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC TXT record has a policy of `p=reject`. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam. For more information on why Microsoft 365 is configured this way, see [How Microsoft 365 handles inbound email that fails DMARC](email-authentication-dmarc-configure.md#how-microsoft-365-handles-inbound-email-that-fails-dmarc).</li><li>`pct.quarantine`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. This result means that the message failed DMARC and the DMARC policy was set to `p=quarantine`. But, the pct field wasn't set to 100%, and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`pct.reject`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. This result means that the message failed DMARC and the DMARC policy was set to `p=reject`. But, the pct field wasn't set to 100% and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`permerror`: A permanent error occurred during DMARC evaluation, such as encountering an incorrectly formed DMARC TXT record in DNS. Attempting to resend this message isn't likely to end with a different result. Instead, you might need to contact the domain's owner in order to resolve the issue.</li><li>`temperror`: A temporary error occurred during DMARC evaluation. You might be able to request that the sender resend the message later in order to process the email properly.</li></ul>|

+|`reason`|The reason the composite authentication passed or failed. The value is a three-digit code. For example: <ul><li>**000**: The message failed explicit authentication (`compauth=fail`). For example, the message received a DMARC fail and the DMARC policy action is `p=quarantine` or `p=reject`.</li><li>**001**: The message failed implicit authentication (`compauth=fail`). This result means that the sending domain didn't have email authentication records published, or if they did, they had a weaker failure policy (SPF `~all` or `?all`, or a DMARC policy of `p=none`).</li><li>**002**: The organization has a policy for the sender/domain pair that is explicitly prohibited from sending spoofed email. An admin manually configures this setting.</li><li>**010**: The message failed DMARC, the DMARC policy action is `p=reject` or `p=quarantine`, and the sending domain is one of your organization's accepted domains (self-to-self or intra-org spoofing).</li><li>**1xx** or **7xx**: The message passed authentication (`compauth=pass`). The last two digits are internal codes used by Microsoft 365.</li><li>**2xx**: The message soft-passed implicit authentication (`compauth=softpass`). The last two digits are internal codes used by Microsoft 365.</li><li>**3xx**: The message wasn't checked for composite authentication (`compauth=none`).</li><li>**4xx** or **9xx**: The message bypassed composite authentication (`compauth=none`). The last two digits are internal codes used by Microsoft 365.</li><li>**6xx**: The message failed implicit email authentication, and the sending domain is one of your organization's accepted domains (self-to-self or intra-org spoofing).</li></ul>|

+|**Honor DMARC record policy when the message is detected as spoof** (_HonorDmarcPolicy_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|When this setting is turned on, you control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks when the policy action in the DMARC TXT record is set to `p=quarantine` or `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).|

+|**If the message is detected as spoof and DMARC Policy is set as p=quarantine** (_DmarcQuarantineAction_)|**Quarantine the message** (`Quarantine`)|**Quarantine the message** (`Quarantine`)|**Quarantine the message** (`Quarantine`)|This action is meaningful only when **Honor DMARC record policy when the message is detected as spoof** is turned on.|

+|**If the message is detected as spoof and DMARC Policy is set as p=reject** (_DmarcRejectAction_)|**Reject the message** (`Reject`)|**Reject the message** (`Reject`)|**Reject the message** (`Reject`)|This action is meaningful only when **Honor DMARC record policy when the message is detected as spoof** is turned on.|

+|DmarcRejectAction|Reject|

+|HonorDmarcPolicy|True|

+For _read or unread messages_ that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. By default, only admins can view and manage quarantined malware messages. But, admins can create and use _quarantine policies_ to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

+For _read or unread messages_ that are identified as _phishing_ (not _high confidence phishing_) after delivery, the ZAP outcome depends on the action that's configured for a **Phishing** verdict in the applicable anti-spam policy. The available actions and the possible ZAP outcomes are described in the following list:

+- **Move message to Junk Email**: ZAP moves the message to the Junk Email folder.

+ This is the default action for a **Phishing** verdict in the default anti-spam policy and custom anti-spam policies that you create in PowerShell.

+ This is the default action for a **Phishing** verdict in the [Standard and Strict preset security policies](preset-security-policies.md#profiles-in-preset-security-policies), and in custom anti-spam policies that you create in the Defender portal.

+By default, ZAP for phishing is enabled in anti-spam policies.

+For _read or unread messages_ that are identified as _high confidence phishing_ after delivery, ZAP quarantines the message. By default, only admins can view and manage quarantined high confidence phishing messages. But, admins can create and use _quarantine policies_ to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

+For _unread messages_ that are identified as _spam_ or _high confidence spam_ after delivery, the ZAP outcome depends on the action that's configured for a **Spam** or **High confidence spam** verdict in the applicable anti-spam policy. The available actions and the possible ZAP outcomes are described in the following list:

+- **Move message to Junk Email**: ZAP moves the message to the Junk Email folder.

+ For the **Spam** verdict, this is the default action in the default anti-spam policy, new custom anti-spam policies, and the [Standard preset security policy](preset-security-policies.md#profiles-in-preset-security-policies).

+ For the **High confidence spam** verdict, this is the default action in the default anti-spam policy and new custom anti-spam policies.

+- **Quarantine message**: ZAP quarantines the message.

+ For the **Spam** verdict, this is the default action in the [Strict preset security policy](preset-security-policies.md#profiles-in-preset-security-policies).

+ For the **High confidence spam** verdict, this is the default action in the [Standard and Strict preset security policies](preset-security-policies.md#profiles-in-preset-security-policies).

+By default, users can view and manage messages that were quarantined as spam or high confidence spam where they're a recipient. But, admins can create and use _quarantine policies_ to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

+By default, ZAP for spam is enabled in anti-spam policies.

+- **Message details**: Use [Threat Explorer (or real-time detections)](threat-explorer-about.md) to filter **All email** events by the value **ZAP** for the **Additional action** column.

+- You're beyond the initial stage of onboarding devices and have a management tool in place to support future device onboarding. For more information on Onboarding devices, see [Onboarding and configuration tool options](../security/defender-endpoint/mde-planning-guide.md).

+|Unstructured document processing|The number of pages processed for Word, PDF, or TIFF files; the number of sheets for Excel files; the number of slides for PowerPoint files; or the number of files for other file types. Each of these counts as one transaction. You won't be charged for model training. You will be charged for processing whether or not there's a positive classification, or any entities extracted.<br><br>Processing occurs on document upload and on subsequent updates. Processing is counted for each model applied. For example, if you have two models applied to a library and you upload or update a five-page document in that library, the total pages processed is 10.|$0.05/transaction|