+| Operating system | **Windows**: Windows 11, Windows 10, Windows 8.1, Windows Server 2019 or later, or Windows Server 2016<br/><br/>**Mac**: One of the three most recent versions of macOS |

+Once you've achieved these objectives, proceed to [bump up security](m365bp-security-overview.md).

+A "managed" device is one that is under control and being monitored by the organization, and is therefore regularly updated, and secure. Having devices under managed control is a critical objective. To bring these devices under control, enroll them in a device manager with Microsoft Intune and Azure Active Directory, both of which are included with Microsoft Business Premium.

+## Enroll devices in Intune

+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.

+2. Select **Devices** > **Enroll devices**.

+ :::image type="content" source="media/m365bp-endpoint-manager-enroll-devices.png" alt-text="Use Microsoft Endpoint Manager to enroll devices.":::

+3. Follow specific device enrollment guidance below.

+Use the following guidance to [onboard devices to Defender for Business capabilities](m365bp-onboard-devices-mdb.md).

+Microsoft 365 Business Premium includes [Microsoft Defender for Business](../security/defender-business/mdb-overview.md), an endpoint security solution for small and medium-sized businesses. Defender for Business provides next-generation protection (antivirus, antimalware, and cloud-delivered protection), firewall protection, web content filtering, and more for your company's devices. Protection is applied when you onboard devices and apply security policies to those devices.

+To onboard devices to Defender for Business, you can choose from several options:

+- [Automatic onboarding for Windows devices that are already enrolled in Microsoft Intune](#use-automatic-onboarding-for-windows-devices-that-are-already-enrolled-in-intune)

+- [A local script to onboard Windows and Mac devices to Defender for Business](#use-a-local-script-to-onboard-windows-and-mac-devices-to-defender-for-business) (for devices that are not already enrolled in Intune)

+- [Intune for enrolling new devices, including mobile devices](#use-intune-to-enroll-devices) (Windows, Mac, iOS, and Android) and then apply Defender for Business policies to those devices

+- [What about servers?](#what-about-servers) (NEW!)

+You can onboard Windows client devices to Defender for Business automatically if those devices are already enrolled in Intune. Defender for Business detects Windows client devices that are already enrolled in Intune, and prompts you to choose whether to onboard those devices automatically. Security policies and settings in Defender for Business are then applied to those devices. We call this process *automatic onboarding*.

+Automatic onboarding helps get your devices protected almost immediately.

+Note that the automatic onboarding option applies to Windows client devices only, if the following conditions are met:

+- Your organization was already using Intune or Mobile Device Management (MDM) in Intune before you got Defender for Business (Microsoft 365 Business Premium customers already have Microsoft Intune and MDM).

+- You already have Windows client devices enrolled in Intune.

+> If you're prompted to use automatic onboarding, we recommend selecting the "all devices enrolled" option. That way, when Windows devices are enrolled in Intune later on, they'll be onboarded to Defender for Business automatically.

+## Use a local script to onboard Windows and Mac devices to Defender for Business

+See [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md) for detailed instructions.

+## Use Intune to enroll devices

+To enroll a device, you can enroll it yourself, or have users sign in to the company portal app, enroll their devices, and then install any apps that are needed.

+If you were already using Intune or Mobile Device Management before you got Defender for Business, you can continue to use Intune to onboard your organization's devices. With Intune, you can onboard computers, tablets, and phones, including iOS and Android devices.

+See [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment).

+## What about servers?

+Servers are not supported by default in Microsoft 365 Business Premium and Defender for Business. However, the ability to onboard a server, such as an endpoint running Windows Server or Linux Server, is now in preview. Make sure to review the requirements before onboarding a server:

+- You have a server license for each server instance in either Microsoft 365 Business Premium or Defender for Business (standalone).

+- The **Preview features** setting is turned on. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Preview features**.

+- The enforcement scope for Windows Server is turned on. Go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**, and then select **Save**.

+See the **servers** tab in [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md) for detailed instructions.

+ - Mac: [Uninstalling on Mac](../security/defender-endpoint/mac-resources.md#uninstalling)

+## [Mac](#tab/Mac)

+## Mac

+Microsoft 365 Business Premium includes a guided process. The following video shows the guided setup process for Microsoft 365 Business Standard, which also applies to Microsoft 365 Business Premium. As soon as you've completed the guided setup process, make sure to proceed to [bump up security](m365bp-security-overview.md).<br/><br/>

+> Make sure to proceed to [Bump up security](m365bp-security-overview.md).

+> [!NOTE]

+> The ability to onboard endpoints running Windows Server or Linux Server is now in preview! See [Onboard devices to Microsoft Defender for Business](../security/defender-business/mdb-onboard-devices.md).

+## Directives from the Reserve Bank of India

+Currently, some credit card transactions, especially transactions exceeding 5,000 INR, are blocked due to a directive by the Reserve Bank of India. This might affect automatic payments, which means that you might have to make payments manually in the Microsoft 365 admin center. This directive doesn't affect usage charges.

+[Learn more about the Reserve Bank of India directive for recurring payments](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11668&Mode=0).

+30 September 2022, Microsoft and other online merchants will no longer store credit card information. Microsoft will remove all stored card details from the Microsoft 365 admin center. To avoid service interruption, you must add and verify a payment method for all subscriptions and billing profiles.

+[Learn about the Reserve Bank of India directive for card storage](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12211).

+Chat communications in both public and private Microsoft Teams channels and individual chats can be scanned. When users are assigned to a communication compliance policy with Microsoft Teams coverage selected, chat communications for the users are automatically detected across all Microsoft Teams where the users are a member. Microsoft Teams coverage is automatically included for pre-defined policy templates and is selected by default in the custom policy template. Teams chats matching communication compliance policy conditions may take up to 48 hours to process.

+- **For Teams chat communications with hybrid email environments**: Communication compliance can detect chat messages for users for organizations with an Exchange on-premises deployment or an external email provider that have enabled Microsoft Teams. You must create a distribution group for the users with on-premises or external mailboxes. When creating a communication compliance policy, you'll assign this distribution group as the **Supervised users and groups** selection in the policy wizard. For more information about the requirements and limitations for enabling cloud-based storage and Teams support for on-premises users, see [Search for Teams chat data for on-premises users](/microsoft-365/compliance/search-cloud-based-mailboxes-for-on-premises-users).

+Yammer must be in [Native Mode](/yammer/configure-your-yammer-network/overview-native-mode) for communication compliance policies to detect Yammer communications and attachments. In Native Mode, all Yammer users are in Azure Active Directory (AAD), all groups are Office 365 Groups, and all files are stored in SharePoint Online.

+When you assign a *distribution group* in the policy, the policy detects all emails and Teams chats from each user in the *distribution group*. When you assign a *Microsoft 365 group* in the policy, the policy detects all emails and Teams chats sent to the *Microsoft 365 group*,* not the individual emails and chats received by each group member. Using distribution groups in communication compliance policies are recommended so that individual emails and Teams chats from each user are automatically detected.

+If you're an organization with an Exchange on-premises deployment or an external email provider and you want to detect Microsoft Teams chats for your users, you must create a distribution group for the users with on-premises or external mailboxes. Later in these steps, you'll assign this distribution group as the **Supervised users and groups** selection in the policy wizard. For more information about the requirements and limitations for enabling cloud-based storage and Teams support for on-premises users, see [Search for Teams chat data for on-premises users](/microsoft-365/compliance/search-cloud-based-mailboxes-for-on-premises-users).

+To manage supervised users in large enterprise organizations, you may need to detect messages for all users across large groups. You can use PowerShell to configure a distribution group for a global communication compliance policy for the assigned group. This enables you to detect messages for thousands of users with a single policy and keep the communication compliance policy updated as new employees join your organization.

+ - Choose the users or groups to supervise, including choosing users or groups you'd like to exclude. When using the conflict of interest template, you'll select two groups or two users to detect internal communications.

+- **Escalate for investigation**: Using the **Escalate for investigation** control, you can create a new [eDiscovery (Premium) case](/microsoft-365/compliance/overview-ediscovery-20) for single or multiple messages. You'll provide a name and notes for the new case, and user who sent the message matching the policy is automatically assigned as the case custodian. You don't need any additional permissions to manage the case. Creating a case doesn't resolve or create a new tag for the message. You can select a total of 100 messages when creating an eDiscovery (Premium) case during the remediation process. Messages in all communication channels included in communication compliance are supported. For example, you could select 50 Microsoft Teams chats, 25 Exchange Online email messages, and 25 Yammer messages when you open a new eDiscovery (Premium) case for a user.

+Select dedicated stakeholders to investigate and review the alerts and cases on a regular cadence in the [Microsoft Purview compliance portal](https://compliance.microsoft.com/). Make sure you understand how you'll assign users and stakeholders to different communication compliance role groups in your organization.

+To simplify your setup, create groups for people who need their communications reviewed and groups for people who review those communications. If you're using groups, you might need several. For example, if you want to scan communications between two distinct groups of people, or if you want to specify a group that isn't supervised. When you assign a Distribution group in the policy, the policy detects all emails from each user in Distribution group. When you assign a Microsoft 365 group in the policy, the policy detects all emails sent to that group, not the individual emails received by each group member.

+- You can scan communications from [third-party sources](/microsoft-365/compliance/communication-compliance-channels#third-party-sources) for data imported into mailboxes in your Microsoft 365 organization. To include review of communications in these platforms, you'll need to configure a connector to these services before messages meeting policy conditions are detected by communication policy.

+- Policies can support detecting languages other than English in custom communication compliance policies. Build a [custom keyword dictionary](/microsoft-365/compliance/communication-compliance-policies#custom-keyword-dictionaries) of offensive words in the language of your choice or build your own machine learning model using [trainable classifiers](/microsoft-365/compliance/classifier-get-started-with) in Microsoft 365.

+A common need for organizations is to integrate communication compliance alerts and these SIEM solutions. With this integration, organizations can view communication compliance alerts in their SIEM solution and then remediate alerts within the communication compliance workflow and user experience. For example, an employee sends an offensive message to another employee and that message is detected by a communication compliance policy for inappropriate content. These events are tracked in Microsoft 365 Audit (also known as "unified audit log") by the communication compliance solution and imported into the SIEM solution. An alert is then triggered in the SIEM solution for the organization from events included in Microsoft 365 Audit that are associated with communication compliance alerts. Investigators are notified of the alert in the SIEM solutions and then they investigate and remediate the alert in the communication compliance solution.

+- **Exchange Online**: All mailboxes hosted on [Exchange Online](/Exchange/exchange-online) in your Microsoft 365 organization are eligible for scanning. Emails and attachments matching communication compliance policy conditions are instantly available for investigation and in compliance reports. Exchange Online is now an optional source channel and is no longer required in communication compliance policies.

+- **Monitor for conflict of interest**: Use this template to quickly create a policy to detect communications between two groups or two users to help avoid conflicts of interest.

+- **Custom policy**: Use this template to configure specific communication channels, individual detection conditions, and the amount of content to detect and review in your organization.

+### Maintain

+- **Review and report**: Use communication compliance dashboard widgets, export logs, and events recorded in the unified audit logs to continually evaluate and improve your compliance posture.

+- Check out the [case study for Contoso](/microsoft-365/compliance/communication-compliance-case-study) and see how they quickly configured a communication compliance policy to detect inappropriate content in Microsoft Teams, Exchange Online, and Yammer communications.

+To make it easier to manage encrypted content in the eDiscovery workflow, Microsoft 365 eDiscovery tools now incorporate the decryption of encrypted files attached to email messages and sent in Exchange Online.¹ Additionally, encrypted documents stored in SharePoint Online and OneDrive for Business are decrypted in eDiscovery (Premium)².

+Prior to this new capability, only the content of an email message protected by rights management (and not attached files) were decrypted. Encrypted documents in SharePoint and OneDrive couldn't be decrypted during the eDiscovery workflow. Now, files that are encrypted with a Microsoft encryption technology is located on a SharePoint or OneDrive account are searchable and decrypted when the search results are prepared for preview, added to a review set in eDiscovery (Premium), and exported. Additionally, encrypted documents in SharePoint and OneDrive that are attached to an email message (as a copy) are searchable. This decryption capability allows eDiscovery managers to view the content of encrypted email attachments and site documents when previewing search results, and review them after they have been added to a review set in eDiscovery (Premium).

+For Exchange, Microsoft eDiscovery tools support items encrypted with Microsoft encryption technologies. These technologies are Azure Rights Management (Azure RMS)³ and Microsoft Purview Information Protection (specifically sensitivity labels). For more information about Microsoft encryption technologies, see [Encryption](encryption.md). Content encrypted by S/MIME or third-party encryption technologies isn't supported. For example, previewing or exporting content encrypted with non-Microsoft technologies isn't supported.

+For SharePoint, content labeled with SharePoint online service will be decrypted. Items labeled or encrypted in the client before uploading to SharePoint, legacy document library RMS templates or settings and S/MIME or other standards are not supported².

+## Notes

+¹ Encrypted files located on a local computer and cloud attachments copied to an email message aren't decrypted and indexed for eDiscovery.

+² Only items labeled within SharePoint online service will be decrypted, everything else is unsupported including labeling or encrypting in the client before upload, legacy doc library RMS templates or settings, SMIME or any other standard etc. See [Enable sensitivity labels for Office files](sensitivity-labels-sharepoint-onedrive-files.md).

+³ The RMS keys need to be fully managed in M365/O365 cloud service - meaning DKE, BYOK, OnPrem RMS, etc. are not supported. See [Your Azure Information Protection tenant key](/azure/information-protection/plan-implement-tenant-key#tenant-root-keys-generated-by-microsoft).

+| **Explicit** | The IB policy of the Microsoft 365 resource is per the segments associated with the resource. The resource owner or SharePoint administrator has the ability to manage the segments on the resource. | A site created only for Sales segment members to collaborate by associating the Sales segment with the site. |

+| **Mixed (preview)** | Only applicable to OneDrive. The IB policy of the OneDrive is per the segments associated with the OneDrive. The resource owner or OneDrive administrator has the ability to manage the segments on the resource. | A OneDrive created for Sales segment members to collaborate is allowed to be shared with unsegmented users. |

+| **Segment** | **Can communicate with** | **Can't communicate with** |

+|:|:-|:|

+The audit log is automatically and immediately updated whenever detected activities occur and the log retains information about the activity for 180 days (about six months). After 180 days, the data for the activity is permanently deleted from the log.

+Areas included in activity detection include:

+To view feature activity detected for insider risk management, navigate to, and select the **Insider risk audit log** link in the top-right area of any insider risk management tab. By default, you'll see the following information displayed for insider risk management activities:

+[Insider risk settings](insider-risk-management-settings.md) apply to all insider risk management policies, regardless of the template you chose when creating a policy. Settings are configured using the **Insider risk settings** control located at the top of all insider risk management tabs. These settings control privacy, indicators, intelligent detections, and more.

+ - **Policy template**: The template used to define the types of risk indicators detected by the policy.

+To enable the detection of risk activities on Windows devices and include policy indicators for these activities, your Windows devices must meet the following requirements and you must complete the following onboarding steps.

+For example, your organization has a badging system for users that governs and approves physical access to normal working and sensitive project areas. You have several users working on a sensitive project and these users will return to other areas of your organization when the project is completed. As the sensitive project nears completion, you want to make sure that the project work remains confidential and that access to the project areas is tightly controlled.

+When a user is manually added to a policy, the user activities for the previous 90 days are scored and added to the **User activity** timeline. For example, you have a user not currently being assigned risk scores for an insider risk policy and the user has data leak activities reported to the legal department in your organization. The legal department recommends that you configure new short-term detection requirements for the user. You can temporarily assign the user to your *Data leaks* policy for a designated length of time (activation window). All users added temporarily are displayed in the **Users dashboard** because triggering event requirements are waived.

+[Insider risk management policies](insider-risk-management-policies.md) are created using pre-defined templates and policy conditions that define what triggering events and risk indicators are examined in your organization. These conditions include how risk indicators are used for alerts, what users are included in the policy, which services are prioritized, and the detection time period.

+In this scenario where the Azure chat service receives a delete command because of a retention policy, the corresponding message in the Teams client app is deleted for all users in the conversation. Sometimes, this [behavior might seem unexpected](/microsoftteams/troubleshoot/teams-im-presence/messages-unexpectedly-deleted-retention-policy) because some of these users can be from another organization, have a retention policy with a longer retention period, or no retention policy assigned to them. For these users, copies of the messages are still stored in their mailboxes and remain searchable for eDiscovery until the messages are permanently deleted by another retention policy.

+To use SharePoint Syntex, each Syntex user must have a license for it. If you cancel your SharePoint Syntex licenses at a future date (or your trial expires), users will no longer be able to create, publish, or run document understanding or form processing models. Additionally, term store reports, SKOS taxonomy import, and content type push will no longer be available. No models, content, or metadata will be deleted and site permissions will not be changed.

+For Azure Active Directory data locations, please visit [Data residency in Azure](https://azure.microsoft.com/global-infrastructure/data-residency/#overview).

+- **Change account type:** Select the account type for the user: Standard user (recommended) or Local administrator.

+Microsoft offers a wide variety of cloud solutions and services, including plans for small and medium-sized businesses. For example, [Microsoft 365 Business Premium](../../business/microsoft-365-business-overview.md) includes security and device-management capabilities, along with productivity features such as Office apps. This article describes the security features in Microsoft 365 Business Premium, Microsoft Defender for Business, and [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md).

+- [Compare Defender for Business (standalone) to Microsoft 365 Business Premium](#compare-security-features-in-microsoft-defender-for-business-to-microsoft-365-business-premium).

+- [Compare Defender for Business (standalone) to Defender for Endpoint enterprise offerings](#compare-microsoft-defender-for-business-to-microsoft-defender-for-endpoint-plans-1-and-2).

+> [!TIP]

+> Defender for Business is available as a standalone security solution for small and medium-sized businesses. It's also included in Microsoft 365 Business Premium. If you already have Microsoft 365 Business Basic or Standard, consider either upgrading to Microsoft 365 Business Premium, or adding Defender for Business to your subscription to get more threat protection capabilities for your devices.

+> This article provides a high-level overview of threat protection features included in Microsoft Defender for Business (as a standalone plan) and Microsoft 365 Business Premium (which includes Defender for Business). It's not intended to be a service description or licensing contract document. For more detailed information, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).

+Defender for Business is also available as a standalone subscription, and is also included in Microsoft 365 Business Premium. The following table compares security features and capabilities in Defender for Business (standalone) to Microsoft 365 Business Premium.

+|Feature/capability|[Microsoft Defender for Business](mdb-overview.md)<br/>(standalone)|[Microsoft 365 Business Premium](../../business/microsoft-365-business-overview.md)<br/>(includes Defender for Business)|

+|Email protection|Yes <br/>[Email scanning with Microsoft Defender Antivirus](../defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md)|Yes <ul><li>[Exchange Online Protection](../office-365-security/exchange-online-protection-overview.md)</li><li>[Email scanning with Microsoft Defender Antivirus](../defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md)</li></ul>|

+|Antispam protection|Yes<br/>For devices|Yes <ul><li>For devices</li><li>For Microsoft 365 email content, such as messages and attachments</li></ul>|

+|Antimalware protection|Yes<br/>For devices|Yes<ul><li>For devices</li><li>For Microsoft 365 email content, such as messages and attachments</li></ul>|

+|[Next-generation protection](../defender-endpoint/microsoft-defender-antivirus-in-windows-10.md) <br/> (antivirus and antimalware protection)|Yes<br/>Microsoft Defender Antivirus is included in Windows 10 and later|Yes <ul><li>Microsoft Defender Antivirus is included in Windows 10 and later</li><li>Next-generation protection policies for onboarded devices</li></ul>|

+Defender for Business brings the enterprise-grade capabilities of Defender for Endpoint to small and medium-sized businesses. The following table compares security features and capabilities in Defender for Business to the enterprise offerings, Microsoft Defender for Endpoint Plans 1 and 2.

+|Feature/capability|[Defender for Business](mdb-overview.md)<br/>(standalone)|[Defender for Endpoint Plan 1](../defender-endpoint/defender-endpoint-plan-1.md)<br/>(for enterprise customers) |[Defender for Endpoint Plan 2](../defender-endpoint/microsoft-defender-endpoint.md)<br/>(for enterprise customers) |

+|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>(Windows, Mac, iOS, and Android OS)|Yes ^[[6](#fn6)]|Yes|Yes|

+(<a id="fn1">1</a>) Onboard and manage devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or by using Microsoft Intune, managed in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).

+(<a id="fn2">2</a>) Endpoint detection and response (EDR) capabilities in Defender for Business include behavior-based detection and the following manual response actions:

+(<a id="fn3">3</a>) In Defender for Business, automated investigation and response is turned on by default, tenant wide. If you turn off automated investigation and response, that affects real-time protection. See [Review settings for advanced features](mdb-configure-security-settings.md#review-settings-for-advanced-features).

+(<a id="fn4">4</a>) There's no timeline view in Defender for Business.

+ Title: Get Microsoft Defender for Business servers

+description: Find out how to get Microsoft Defender for Business servers, currently in preview.

+search.appverid: MET150

+audience: Admin

+ms.technology: mdb

+ms.localizationpriority: none

+f1.keywords: NOCSH

+- SMB

+- m365-security-compliance

+# How to get Microsoft Defender for Business servers (preview)

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+2. Turn on preview settings.

+ 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features** \> **Preview features**.

+ 2. Turn the setting to **On**, and then select **Save preferences**.

+3. Turn on the enforcement scope for Windows Server.

+ 1. Go to **Settings** \> **Endpoints** \> **Configuration management** \> **Enforcement scope**.

+ 2. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**, and then select **Save**.

+4. Proceed to follow the guidance for Windows Server and Linux Server in [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+> [!IMPORTANT]

+> Microsoft Defender for Business servers is currently in preview. When it becomes generally available (GA), it will be offered as an add-on to Microsoft 365 Business Premium and the standalone version of Defender for Business. At GA, Microsoft Defender for Business servers will be priced at $3 per server instance.

+## See also

+- [See the trial playbook: Microsoft Defender for Business](trial-playbook-defender-business.md).

+- [Use the setup wizard in Microsoft Defender for Business](mdb-use-wizard.md).

+- [See the setup and configuration process for Defender for Business](mdb-setup-configuration.md).

+- [See how to get help and support for Defender for Business](mdb-get-help.md) (just in case you need help).

+Defender for Business is a new endpoint security solution designed especially for small and medium-sized businesses (up to 300 employees). This article describes how to get Defender for Business.

+- [Try or buy the standalone version of Defender for Business](#try-or-buy-microsoft-defender-for-business).

+- [Get Microsoft 365 Business Premium](#get-microsoft-365-business-premium), which now includes Defender for Business.

+- [Work with a Microsoft solution provider](#work-with-a-microsoft-solution-provider) who can help you get everything set up and configured.

+4. Use one of the following procedures, depending on your scenario:<br/>

+As soon as you have signed up for Defender for Business, your first step is to add users and assign licenses. This article describes how to add users and includes next steps.

+> You must be a global administrator to perform this task. The person who signed up your company for Microsoft 365 or for Defender for Business is a global administrator by default.

+4. On the **Assign product licenses** page, select Defender for Business (or Microsoft 365 Business Premium). Then choose **Next**.

+- [Use the setup wizard in Defender for Business](mdb-use-wizard.md).

+# View and edit security policies and settings in Microsoft Defender for Business

+After you've onboarded your company's devices to Defender for Business, the next step is to review your security policies.

+> Defender for Business includes preconfigured security policies with recommended settings. You can edit these settings to suit your business needs.

+- **[Firewall protection and rules](#view-or-edit-your-firewall-policies-and-custom-rules)**, which determine what network traffic is allowed to flow to and from your company's devices

+- **[Web content filtering](#set-up-web-content-filtering)**, which prevents people from visiting certain websites (URLs) based on categories, such as adult content or legal liability

+- **[Advanced features](#review-settings-for-advanced-features)**, such as automated investigation and response and endpoint detection and response (EDR) in block mode

+In addition to your security policies, you can [view and edit settings](#view-and-edit-other-settings-in-the-microsoft-365-defender-portal), such as which time zone to use in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and whether to receive preview features as they become available.

+The following table can help you choose where to manage your security policies and devices.

+| **Use the Microsoft 365 Defender portal** (*recommended*) | The Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) is a one-stop shop for managing your company's devices, security policies, and security settings. You can access your security policies and settings, use the [Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md), and [view and manage incidents](mdb-view-manage-incidents.md) all in one place. <p>If you're using Intune, devices that you onboard to Defender for Business and your security policies are visible in the Endpoint Manager admin center. To learn more, see the following articles:<ul><li>[Defender for Business default settings and Microsoft Intune](mdb-next-gen-configuration-settings.md#defender-for-business-default-settings-and-microsoft-intune)</li><li>[Firewall in Defender for Business](mdb-firewall.md)</li></ul> |

+| **Use the Microsoft Endpoint Manager admin center** | If your company is already using Intune to manage security policies, you can continue using the Endpoint Manager admin center to manage your devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). <p>If you decide to switch to the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md), you'll be prompted to delete any existing security policies in Intune to avoid [policy conflicts](mdb-troubleshooting.yml) later. |

+> If you're managing security policies in the Microsoft 365 Defender portal, you can *view* those policies in the Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), where they're listed as **Antivirus** or **Firewall** policies. When you view your firewall policies in the admin center, you'll see two policies listed: one policy for firewall protection and another for custom rules.

+Depending on whether you're using the Microsoft 365 Defender portal or the Microsoft Endpoint Manager admin center to manage your next-generation protection policies, use one of the following procedures:

+| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) |<ol><li>Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.</li><li>In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.</li><li>Select an operating system tab (such as **Windows clients**).</li><li>Expand **Next-generation protection** to view your list of policies.</li><li>Select a policy to view more details about the policy.</li><li>To make changes or to learn more about policy settings, see the following articles: <ul><li>[View or edit device policies](mdb-view-edit-policies.md)</li><li>[Understand next-generation configuration settings](mdb-next-gen-configuration-settings.md)</li></ul></li><ol> |

+| Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) |For help managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). <ol><li>Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. You're now in the Endpoint Manager admin center.</li><li>Select **Endpoint security**.</li><li>Select **Antivirus** to view your policies in that category.</li></ol>|

+Depending on whether you're using the Microsoft 365 Defender portal or the Microsoft Endpoint Manager admin center to manage your firewall protection, use one of the following procedures.

+| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) |<ol><li>Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.</li><li>In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.</li><li>Select an operating system tab (such as **Windows clients**).</li><li>Expand **Firewall** to view your list of policies.</li><li>Select a policy to view the details. </li><li>To make changes or to learn more about policy settings, see the following articles:<ul><li>[View or edit device policies](mdb-view-edit-policies.md)</li><li>[Firewall settings](mdb-firewall.md)</li><li>[Manage your custom rules for firewall policies](mdb-custom-rules-firewall.md)</li><ul></li><ol> |

+| Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) |For help managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). <ol><li>Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in. You're now in the Endpoint Manager admin center.</li><li>Select **Endpoint security**.</li><li>Select **Firewall** to view your policies in that category. Custom rules that are defined for firewall protection are listed as separate policies.</li></ol>|

+Web content filtering enables your security team to track and regulate access to websites based on content categories, such as:

+Not all websites in these categories are malicious, but they could be problematic for your company because of compliance regulations, bandwidth usage, or other concerns. You can create an audit-only policy to get a better understanding of whether your security team should block any website categories.

+Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave, and Opera). For more information, see [Prerequisites for web content filtering](../defender-endpoint/web-content-filtering.md#prerequisites).

+3. Select the categories to block. Use the expand icon to fully expand each parent category, and then select specific web content categories. To set up an audit-only policy that doesn't block any websites, don't select any categories.

+ Don't select **Uncategorized**.

+4. Specify the policy scope by selecting device groups to apply the policy to. Only devices in the selected device groups will be prevented from accessing websites in the selected categories.

+5. Review the summary and save the policy. The policy refresh might take up to two hours to apply to your selected devices.

+In addition to next-generation protection, firewall, and web content-filtering policies, Defender for Business includes advanced security features. These features are preconfigured to recommended settings. You can review and edit the settings to suit your business needs.

+To access settings for advanced features in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features**.

+The following table describes advanced feature settings.

+| **Automated Investigation** <br/>(turned on by default) | As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action and then takes or recommends remediation actions, such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL. While an investigation is running, any related alerts that arise are added to the investigation until it's completed. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.<p>You can view investigations on the **Incidents** page. Select an incident, and then select the **Investigations** tab.<p>By default, automated investigation and response capabilities are turned on, tenant wide. **We recommend keeping automated investigation turned on**. If you turn it off, real-time protection in Microsoft Defender Antivirus will be affected, and your overall level of protection will be reduced. <p>[Learn more about automated investigations](../defender-endpoint/automated-investigations.md). |

+| **Live Response** | Defender for Business includes the following types of manual response actions: <ul><li>Run antivirus scan</li><li>Isolate device</li><li>Stop and quarantine a file</li><li>Add an indicator to block or allow a file</li></ul> <p>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |

+| **Live Response for Servers** | (This setting is currently not available in Defender for Business.) |

+| **Live Response unsigned script execution** | (This setting is currently not available in Defender for Business.) |

+| **Enable EDR in block mode**<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus isn't the primary antivirus product and is running in passive mode on a device. Endpoint detection and response (EDR) in block mode works behind the scenes to remediate malicious artifacts detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product.<p>[Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). |

+| **Allow or block a file** <br/>(turned on by default) | Enables you to allow or block a file by using [indicators](../defender-endpoint/indicator-file.md). This capability requires Microsoft Defender Antivirus to be in active mode and [cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md) turned on.<p>Blocking a file prevents it from being read, written, or executed on devices in your organization. <p>[Learn more about indicators for files](../defender-endpoint/indicator-file.md). |

+| **Custom network indicators**<br/>(turned on by default) | Enables you to allow or block an IP address, URL, or domain by using [network indicators](../defender-endpoint/indicator-ip-domain.md). This capability requires Microsoft Defender Antivirus to be in active mode and [network protection](../defender-endpoint/enable-network-protection.md) turned on.<p>You can allow or block IPs, URLs, or domains based on your threat intelligence. You can also prompt users if they open a risky app, but the prompt won't stop them from using the app.<p>[Learn more about network protection](../defender-endpoint/network-protection.md). |

+| **Tamper protection**<br/>(we recommend you turn on this setting) | Tamper protection prevents malicious apps from doing actions such as:<ul><li>Disable virus and threat protection</li><li>Disable real-time protection</li><li>Turn off behavior monitoring</li><li>Disable cloud protection</li><li>Remove security intelligence updates</li><li>Disable automatic actions on detected threats</li></ul><p>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values and prevents your security settings from being changed by apps and unauthorized methods. <p>[Learn more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |

+| **Show user details**<br/>(turned on by default) | Enables people in your organization to see details, such as employees' pictures, names, titles, and departments. These details are stored in Azure Active Directory (Azure AD).<p>[Learn more about user profiles in Azure AD](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). |

+| **Skype for Business integration**<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). <p>Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. |

+| **Web content filtering**<br/>(turned on by default) | Blocks access to websites that contain unwanted content and tracks web activity across all domains. See [Set up web content filtering](#set-up-web-content-filtering). |

+| **Microsoft Intune connection**<br/>(we recommend you turn on this setting if you have Intune) | If your organization's subscription includes Microsoft Intune (included in [Microsoft 365 Business Premium](../../business/index.yml)), this setting enables Defender for Business to share information about devices with Intune. |

+| **Device discovery**<br/>(turned on by default) | Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network, whether it's an unpatched printer, a network device with a weak security configuration, or a server with no security controls.<p>Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability. <p>[Learn more about device discovery](../defender-endpoint/device-discovery.md). |

+| **Preview features** | Microsoft is continually updating services such as Defender for Business to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience. <p>[Learn more about preview features](../defender-endpoint/preview.md). |

+In addition to security policies applied to devices, there are other settings you can view and edit in Defender for Business. For example, you specify the time zone to use, and you can onboard (or offboard) devices.

+The following table describes settings you can view and edit in Defender for Business:

+| **Security center** | **Time zone** | Select the time zone to use for the dates and times displayed in incidents, detected threats, and automated investigation and remediation. You can either use UTC or your local time zone (*recommended*). |

+| **Microsoft 365 Defender** | **Account** | View details such where your data is stored, your tenant ID, and your organization (org) ID. |

+| **Endpoints** | **Device management** > **Onboarding** | Onboard devices to Defender for Business by using a downloadable script. To learn more, see [Onboard devices to Defender for Business](mdb-onboard-devices.md). |

+- [Get started using Defender for Business](mdb-get-started.md)

+- [Manage devices in Defender for Business](mdb-manage-devices.md)

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [View or edit policies in Defender for Business](mdb-view-edit-policies.md)

+In Defender for Business, policies are applied to devices through certain collections that are called device groups.

+A device group is a collection of devices that are grouped together because of certain specified criteria, such as operating system version. Devices that meet the criteria are included in that device group, unless you exclude them. In Defender for Business, policies are applied to devices by using device groups.

+> As you create policies in Defender for Business, an order of priority is assigned. If you apply multiple policies to a given set of devices, those devices will receive the first applied policy only. For more information, see [Understand policy order in Defender for Business](mdb-policy-order.md).

+ > To get help creating or editing a policy, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md).

+ > To get help creating or editing a policy, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md).

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+Defender for Business includes firewall policies that help protect your devices from unwanted network traffic. You can use custom rules to define exceptions for your firewall policies. That is, you can use custom rules to block or allow specific connections.

+To learn more about firewall policies and settings, see [Firewall in Defender for Business](mdb-firewall.md).

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+> Your security team can also choose **Incidents** in the navigation pane to view information. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md).

+- [Step 4: Onboard devices to Defender for Business](mdb-onboard-devices.md)

+Defender for Business includes firewall capabilities through [Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). Firewall protection helps secure devices by establishing rules that determine what network traffic is permitted to flow to and from devices.

+You can use firewall protection to specify whether to allow or to block connections on devices in various locations. For example, your firewall settings can allow inbound connections on devices that are connected to your company's internal network but prevent connections when the device is on a network with untrusted devices.

+Defender for Business includes default firewall policies and settings to help protect your company's devices from day one. As soon as your company's devices are onboarded to Defender for Business, your default firewall policy works as follows:

+In Defender for Business, you can define exceptions to block or allow incoming connections. You define these exceptions by creating custom rules. See [Manage custom rules for firewall policies](mdb-custom-rules-firewall.md).

+Defender for Business includes firewall protection through Windows Defender Firewall. The following table lists settings that can be configured in Defender for Business.

+| **Domain network** | The domain network profile applies to your company's network. Firewall settings for your domain network apply to inbound connections that are initiated on other devices on the same network. By default, incoming connections is set to **Block all**. |

+| **Public network** | The public network profile applies to networks that you can use in a public location, such as a coffee shop or airport. Firewall settings for public networks apply to inbound connections that are initiated on other devices on the same network. Because a public network can include devices that you don't know or don't trust, incoming connections is set to **Block all** by default. |

+| **Private network** | The private network profile applies to networks in a private location, such as your home. Firewall settings for private networks apply to inbound connections that are initiated on other devices on the same network. In general, on a private network, it's assumed that all other devices on the same network are trusted devices. However, by default, incoming connections is set to **Block all**. |

+| **Custom rules** | [Custom rules](mdb-custom-rules-firewall.md) let you block or allow specific connections. For example, suppose that you want to block all incoming connections on devices that are connected to a private network except for connections through a specific app on a device. In this case, you'd set **Private network** to block all incoming connections, and then add a custom rule to define the exception. <p>You can use custom rules to define exceptions for specific files or apps, an Internet protocol (IP) address, or a range of IP addresses. Depending on the type of custom rule you're creating, here are some examples of values you could use:<ul><li>Application file path: `C:\Windows\System\Notepad.exe or %WINDIR%\Notepad.exe`</li><li>IP: A valid IPv4/IPv6 address, such as `192.168.11.0` or `192.168.1.0/24`</li><li>IP: A valid IPv4/IPv6 address range, formatted like `192.168.1.0-192.168.1.9` (with no spaces included)</li></ul> |

+- [Manage firewall settings in Defender for Business](mdb-custom-rules-firewall.md)

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+If you need help with Defender for Business, select the Help icon (?) in the upper right corner of the screen. Type your question or issue. Several options, such as quick answers or help articles, will be listed.

+- [Defender for Business - Frequently asked questions and answers](mdb-faq.yml)

+- [Defender for Business troubleshooting](mdb-troubleshooting.yml)

+The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is your one-stop shop for using and managing Microsoft Defender for Business. It includes callouts to help you get started, cards that surface relevant information, and a navigation bar to give you easy access to various features and capabilities.

+| **Home** | Takes you to your home page in the Microsoft 365 Defender portal. The home page highlights any active threats that are detected, along with recommendations to help secure your company's data and devices. <br/><br/>Recommendations are included in Defender for Business to save your security team time and effort. The recommendations are based on industry best practices. To learn more, see [Security recommendations - threat and vulnerability management](../defender-endpoint/tvm-security-recommendation.md). |

+| **Incidents** | Takes you to your list of recent incidents. As alerts are triggered, incidents are created. An incident can include multiple alerts. Make sure to review your incidents regularly. <br/><br/>To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md).|

+| **Actions & submissions** > **Action center** | Takes you to your list of response actions, including completed and pending actions.<ul><li>Select the **History** tab to see the actions that were taken. Some actions are taken automatically; others are taken manually or complete after they're approved.</li><li>Select the **Pending** tab to view actions that require approval to proceed.</li></ul><br/><br/>To learn more, see [Review remediation actions in the Action center](mdb-review-remediation-actions.md). |

+| **Actions & submissions** > **Submissions** | Takes you to the unified submissions portal, where you can submit files to Microsoft for analysis. To learn more, see [Submit files in Microsoft Defender for Endpoint](../defender-endpoint/admin-submissions-mde.md) (the process is similar for Defender for Business). |

+| **Threat analytics** | Takes you to a view of current threats, and provides an at-a-glance view of your threat landscape. Threat analytics also includes reports and information from Microsoft security researchers. <br/><br/>To learn more, see [Track and respond to emerging threats through threat analytics](../defender-endpoint/threat-analytics.md). |

+| **Secure score** | Provides a representation of your company's security position and offers suggestions to improve it.<br/><br/>To learn more, see [Microsoft Secure Score for Devices](../defender-endpoint/tvm-microsoft-secure-score-devices.md). |

+| **Learning hub** | Provides access to security training and other resources through learning paths that are included with your subscription. You can filter by product, skill level, role, and more. The Learning hub can help your security team ramp up on security features and capabilities in Defender for Business and more Microsoft offerings, such as [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](../office-365-security/defender-for-office-365.md). |

+| **Trials** | Try additional security and compliance capabilities by adding on a trial subscription. |

+| **Endpoints** > **Device inventory** | Enables you to search for one or more devices that were onboarded to Defender for Business. |

+| **Endpoints** > **Vulnerability management** | Provides a dashboard, recommendations, remediation activities, a software inventory, and a list of potential weaknesses within your company. |

+| **Endpoints** > **Configuration management** > **Device configuration** | Lists your security policies by operating system and by type. <br/><br/>To learn more about your security policies, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md). |

+| **Endpoints** > **Configuration management** > **Device management reporting** | Lists devices that are onboarded to Defender for Business, along with their operating system version, sensor health state, and when they were last updated. |

+| **Reports** | Lists available security reports. These reports enable you to see your security trends, view details about threat detections and alerts, and learn more about your company's vulnerable devices. |

+| **Health** | Enables you to view your service health status and plan for upcoming changes. <ul><li>Select **Service health** to view the health status of the Microsoft 365 services that are included in your company's subscription.</li><li>Select **Message center** to learn about planned changes and what to expect.</li></ul> |

+| **Permissions** | Enables you to assign permissions to the people in your company who manage your security and to view incidents and reports in the Microsoft 365 Defender portal. Also enables you to set up and manage device groups to onboard your company's devices and assign threat protection policies. |

+| **Settings** | Enables you to edit settings for the Microsoft 365 Defender portal and Defender for Business. For example, you can onboard (or offboard) your company's devices (also referred to as endpoints). You can also define rules, such as alert-suppression rules, and set up indicators to block or allow certain files or processes. |

+| **More resources** | Navigate to other portals, such as Azure Active Directory. But keep in mind that the Microsoft 365 Defender portal should meet your needs without requiring you to navigate to other portals. |

+- [Use the setup wizard in Defender for Business](mdb-use-wizard.md)

+- [See the overall setup and configuration process](mdb-setup-configuration.md)

+Microsoft 365 Lighthouse enables Microsoft CSPs to secure and manage devices, data, and users at scale for customers who are using one of the following subscriptions:

+- [Microsoft 365 E5](../../enterprise/microsoft-365-overview.md) (which includes [Defender for Endpoint Plan 2](../defender-endpoint/microsoft-defender-endpoint.md), [Defender for Office 365 Plan 2](../office-365-security/defender-for-office-365.md), [Defender for Identity](/defender-for-identity/what-is), and [other security capabilities](../defender/microsoft-365-defender.md))

+- [Windows 365 Business or Enterprise](/windows-365/overview)

+[Microsoft Defender for Business and managed service provider resources](mdb-partners.md) (provides information about RMM and PSA integration for MSPs)

+In Defender for Business, you can manage devices as follows:

+ If you don't have any devices listed yet, [Onboard devices to Defender for Business](mdb-onboard-devices.md)

+See [Onboard devices to Defender for Business](mdb-onboard-devices.md).

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+Next-generation protection in Defender for Business includes robust antivirus and antimalware protection. The default policies are designed to protect your devices and users without hindering productivity. You can also customize the policies to suit your business needs. And, if you're using Microsoft Intune, you can use the Microsoft Endpoint Manager admin center to manage your security policies.

+The following table lists settings and options.

+| **Turn on real-time protection** | Enabled by default, real-time protection locates and stops malware from running on devices. *We recommend keeping real-time protection turned on.*<p>When real-time protection is turned on, it configures the following settings:<ul><li>Behavior monitoring is turned on ([AllowBehaviorMonitoring](/windows/client-management/mdm/policy-csp-defender#defender-allowbehaviormonitoring)).</li><li>All downloaded files and attachments are scanned ([AllowIOAVProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowioavprotection)).</li><li>Scripts that are used in Microsoft browsers are scanned ([AllowScriptScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowscriptscanning)).</li></ul> |

+| **Block at first sight** | Enabled by default, block at first sight blocks malware within seconds of detection, increases the time (in seconds) allowed to submit sample files for analysis, and sets your detection level to High. *We recommend keeping block at first sight turned on.*<p>When block at first sight is turned on, it configures the following settings for Microsoft Defender Antivirus:<ul><li>Blocking and scanning of suspicious files is set to the High blocking level ([CloudBlockLevel](/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel)).</li><li>The number of seconds for a file to be blocked and checked is set to 50 seconds ([CloudExtendedTimeout](/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout)).</li></ul> <p>**Important** If block at first sight is turned off, it affects `CloudBlockLevel` and `CloudExtendedTimeout` for Microsoft Defender Antivirus. |

+| **Turn on network protection** | When turned on, network protection helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet. It also prevents users from turning network protection off.<p>Network protection can be set to the following modes:<ul><li>**Block mode** is the default setting. It prevents users from visiting sites that are considered unsafe. *We recommend keeping network protection set to Block mode.*</li><li>**Audit mode** allows users to visit sites that might be unsafe and tracks network activity to/from such sites.</li><li>**Disabled mode** neither blocks users from visiting sites that might be unsafe nor tracks network activity to/from such sites.</li></ul> |

+| **Action to take on potentially unwanted apps (PUA)** | PUA can include advertising software; bundling software that offers to install other, unsigned software; and evasion software that attempts to evade security features. Although PUA isn't necessarily a virus, malware, or other type of threat, it can affect device performance.<p>PUA protection blocks items that are detected as PUA. You can set PUA protection to the following:<ul><li>**Enabled** is the default setting. It blocks items detected as PUA on devices. *We recommend keeping PUA protection enabled.*</li><li>**Audit mode** takes no action on items detected as PUA.</li><li>**Disabled** doesn't detect or take action on items that might be PUA.</li></ul> |

+| **Scheduled scan type** | Consider running a weekly antivirus scan on your devices. You can choose from the following scan type options:<ul><li>**Quickscan** checks locations, such as registry keys and startup folders, where malware could be registered to start along with a device. *We recommend using the quickscan option.*</li><li>**Fullscan** checks all files and folders on a device.</li><li>**Disabled** means no scheduled scans will take place. Users can still run scans on their own devices. (In general, we don't recommend disabling scheduled scans.)</li></ul><p> [Learn more about scan types](../defender-endpoint/schedule-antivirus-scans.md). |

+| **Use low performance** | This setting is turned off by default. *We recommend keeping this setting turned off.* However, you can turn on this setting to limit the device memory and resources that are used during scheduled scans. <p>**Important** If you turn on **Use low performance**, it configures the following settings for Microsoft Defender Antivirus:<ul><li>Archive files aren't scanned ([AllowArchiveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowarchivescanning)).</li><li>Scans are assigned a low CPU priority ([EnableLowCPUPriority](/windows/client-management/mdm/policy-csp-defender#defender-enablelowcpupriority)).</li><li>If a full antivirus scan is missed, no catch-up scan will run ([DisableCatchupFullScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan)).</li><li>If a quick antivirus scan is missed, no catch-up scan will run ([DisableCatchupQuickScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan)).</li><li>Reduces the average CPU load factor during an antivirus scan from 50 percent to 20 percent ([AvgCPULoadFactor](/windows/client-management/mdm/policy-csp-defender#defender-avgcpuloadfactor)).</li></ul> |

+| **Allow users to access the Windows Security app** | Turn on this setting to enable users to open the Windows Security app on their devices. Users won't be able to override settings that you configure in Defender for Business, but they'll be able to run a quick scan or view any detected threats. |

+| **Antivirus exclusions** | Exclusions are processes, files, or folders that are skipped by Microsoft Defender Antivirus scans. *In general, you shouldn't need to define exclusions.* Microsoft Defender Antivirus includes many automatic exclusions that are based on known operating system behavior and typical management files.<p>[Learn more about exclusions](../defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md). |

+| **Process exclusions** | Process exclusions prevent files that are opened by specific processes from being scanned by Microsoft Defender Antivirus. <p>[Learn more about process exclusions](../defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). |

+| **File extension exclusions** | File extension exclusions prevent files with specific extensions from being scanned by Microsoft Defender Antivirus.<p>[Learn more about file extension exclusions](../defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md). |

+| **File and folder exclusions** | File and folder exclusions prevent files that are in specific folders from being scanned by Microsoft Defender Antivirus. <p>[Learn more about file and folder exclusions](../defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md). |

+- Scanning of removable drives is turned on ([AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)).

+- Daily quick scans don't have a preset time ([ScheduleQuickScanTime](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime)).

+- Security intelligence updates are checked before an antivirus scan runs ([CheckForSignaturesBeforeRunningScan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan)).

+- Security intelligence checks occur every four hours ([SignatureUpdateInterval](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval)).

+| [Cloud protection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Sometimes referred to as cloud-delivered protection or Microsoft Advanced Protection Service (MAPS), cloud protection works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected. By default, [AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) is turned on. <p>[Learn more about cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md). |

+| [Number of days (0-90) to keep quarantined malware](/windows/client-management/mdm/policy-csp-defender#defender-daystoretaincleanedmalware) | By default, the [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-csp-defender#defender-daystoretaincleanedmalware) setting is set to zero (0) days. Artifacts that are in quarantine aren't removed automatically. |

+| [Submit samples consent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | By default, [SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) is set to send safe samples automatically. Examples of safe samples include `.bat`, `.scr`, `.dll`, and `.exe` files that don't contain personally identifiable information (PII). If a file does contain PII, the user receives a request to allow the sample submission to proceed.<p>[Learn more about cloud protection and sample submission](../defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md). |

+| [Scan removable drives](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) | By default, [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) is configured to scan removable drives, such as USB thumb drives on devices.<p>[Learn more about antimalware policy settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#list-of-antimalware-policy-settings). |

+| [Run daily quick scan time](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) | By default, [ScheduleQuickScanTime](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) is set to 2:00 AM.<p>[Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings). |

+| [Check for signature updates before running scan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) | By default, [CheckForSignaturesBeforeRunningScan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) is configured to check for security intelligence updates prior to running antivirus/antimalware scans.<p>[Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md#security-intelligence-updates). |

+| [How often (0-24 hours) to check for security intelligence updates](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) | By default, [SignatureUpdateInterval](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) is configured to check for security intelligence updates every four hours.<p>[Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md#security-intelligence-updates). |

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+- [Manage firewall settings in Defender for Business](mdb-custom-rules-firewall.md)

+- [Offboard a Mac](#offboard-a-mac)

+## Offboard a Mac

+2. Right click on **Microsoft Defender for Business**, and then choose **Move to Trash**. <br/> or <br/> Use the following command: `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`.

+With Defender for Business, you have several options to choose from for onboarding your company's devices. This article walks you through these options and provides an overview of how onboarding works.

+1. Select a tab:

+ - **Windows 10 and 11**

+ - **Mac**

+ - **Servers** (NEW! Windows Server or Linux Server)

+ - **Mobile** (for iOS/iPadOS or Android devices)

+2. View your onboarding options, and follow the guidance on the selected tab.

+## [**Windows 10 and 11**](#tab/Windows10and11)

+## Windows 10 and 11

+- [Local script](#local-script-for-windows-10-and-11) (for onboarding devices manually in the Microsoft 365 Defender portal)

+- [Group Policy](#group-policy-for-windows-10-and-11) (if you're already using Group Policy in your organization)

+- [Microsoft Intune](#intune-for-windows-10-and-11) (included in [Microsoft 365 Business Premium](../../business-premium/index.md))

+### Local script for Windows 10 and 11

+You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory, if that trust doesn't already exist; enrolls the device in Microsoft Intune, if it isn't already enrolled; and then onboards the device to Defender for Business. The local script method works even if you don't currently have Intune, and this is the recommended method for Defender for Business customers.

+> We recommend that you onboard up to 10 devices at a time when you use the local script method.

+3. Select **Windows 10 and 11**, and then, in the **Deployment method** section, choose **Local script**.

+4. Select **Download onboarding package**. We recommend that you save the onboarding package to a removable drive.

+6. Open a command prompt as an administrator.

+8. After the script runs, [Run a detection test](#run-a-detection-test-on-a-windows-10-or-11-device).

+### Group Policy for Windows 10 and 11

+If you prefer to use Group Policy to onboard Windows clients, follow the guidance in [Onboard Windows devices using Group Policy](../defender-endpoint/configure-endpoints-gp.md). This article describes the steps for onboarding to Microsoft Defender for Endpoint. The steps for onboarding to Defender for Business are similar.

+### Intune for Windows 10 and 11

+If your subscription includes Intune, you can onboard Windows clients and other devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you already have Intune as part of your subscription, and you can use Intune to onboard devices.

+There are several methods available for enrolling devices in Intune. We recommend using one of the following methods:

+#### To enable automatic enrollment for Windows 10 and 11

+When you set up automatic enrollment, users add their work account to the device. In the background, the device registers and joins Azure Active Directory (Azure AD) and is enrolled in Intune.

+1. Go to the Azure portal ([https://portal.azure.com/](https://portal.azure.com/)) and sign in.

+ - For MDM User scope, we recommend that you select **All** so that all users can automatically enroll their Windows devices.

+ - In the MAM user scope section, we recommend the following default values for the URLs:

+4. Select **Save**.

+5. After a device is enrolled in Intune, you can add it to a device group in Defender for Business. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

+> To learn more, see [Enable Windows automatic enrollment](/mem/intune/enrollment/windows-enroll).

+#### To have users enroll their own Windows 10 and 11 devices

+1. Watch the following video to see how enrollment works:<br/><br/>

+3. After a device is enrolled in Intune, you can add it to a device group in Defender for Business. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

+### Run a detection test on a Windows 10 or 11 device

+After you've onboarded Windows devices to Defender for Business, you can run a detection test on the device to make sure that everything is working correctly.

+2. Open a command prompt as an administrator.

+After the command runs, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device in about 10 minutes.

+To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). On the navigation pane, under **Endpoints**, choose **Device inventory**.

+- If you have other devices to onboard, select the tab for those devices ([Windows 10 and 11, Mac, Servers, or Mobile devices](#what-to-do)), and follow the guidance on that tab.

+- If you're done onboarding devices, go to [Step 5: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md)

+- See [Get started using Defender for Business](mdb-get-started.md).

+## [**Mac**](#tab/mac)

+## Mac

+> We recommend that you use a [local script to onboard Mac](#local-script-for-mac). Although you can [set up enrollment for Mac using Intune](/mem/intune/enrollment/macos-enroll), the local script is the simplest method for onboarding Mac to Defender for Business.

+Choose one of the following options to onboard Mac:

+- [Local script for Mac](#local-script-for-mac) (*recommended*)

+- [Intune for Mac](#intune-for-mac)

+### Local script for Mac

+When you run the local script on a Mac, it creates a trust with Azure Active Directory, if that trust doesn't already exist; enrolls the Mac in Microsoft Intune, if it isn't already enrolled; and then onboards the Mac to Defender for Business. The local script method works even if you don't currently have Intune. We recommend that you onboard up to 10 devices at a time using this method.

+3. Select **macOS**. In the **Deployment method** section, choose **Local script**.

+5. On a Mac, save the installation package as `wdav.pkg` to a local directory.

+8. Select **Continue**, agree with the license terms, and then enter your password when prompted.

+9. You'll be prompted to allow installation of a driver from Microsoft (either "System Extension Blocked" or "Installation is on hold", or both). You must allow the driver installation: Select **Open Security Preferences** or **Open System Preferences** > **Security & Privacy**, and then select **Allow**.

+After a Mac is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

+### Intune for Mac

+If your subscription includes Microsoft Intune, you can onboard Mac in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you already have Intune as part of your subscription.

+There are several methods available for enrolling Mac in Intune. We recommend one of the following methods:

+- [Choose an option for company-owned Mac](#options-for-company-owned-mac)

+- [Ask users to enroll their own Mac in Intune](#ask-users-to-enroll-their-own-mac-in-intune)

+#### Options for company-owned Mac

+Choose one of the following options to enroll company-managed Mac devices in Intune:

+| Apple Automated Device Enrollment | Use this method to automate enrollment on devices purchased through Apple Business Manager or Apple School Manager. Automated device enrollment deploys the enrollment profile "over the air," so you don't need to have physical access to devices. <br/><br/>See [Automatically enroll Mac with the Apple Business Manager or Apple School Manager](/mem/intune/enrollment/device-enrollment-program-enroll-macos). |

+| Direct enrollment | Direct enrollment enrolls devices with no user affinity, so this method is best for devices that aren't associated with a single user. This method requires you to have physical access to the Macs you're enrolling. <br/><br/>See [Use Direct Enrollment for Mac](/mem/intune/enrollment/device-enrollment-direct-enroll-macos). |

+#### Ask users to enroll their own Mac in Intune

+If your business prefers to have people enroll their own devices in Intune, direct users to follow these steps:

+### Confirm that a Mac is onboarded

+1. To confirm that the device is associated with your company, use the following Python command in Bash:

+ `mdatp health --field org_id`.

+2. If you're using macOS 10.15 (Catalina) or later, grant Defender for Business consent to protect your device. Go to **System Preferences** > **Security & Privacy** > **Privacy** > **Full Disk Access**. Select the lock icon at the bottom of the dialog to make changes, and then select **Microsoft Defender for Business** (or **Defender for Endpoint**, if that's what you see).

+3. To verify that the device is onboarded, use the following command in Bash:

+ `mdatp health --field real_time_protection_enabled`

+After a device is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

+## View a list of onboarded devices

+To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, under **Endpoints**, choose **Device inventory**.

+## Next steps

+- If you have other devices to onboard, select the tab for those devices ([Windows 10 and 11, Mac, Servers, or Mobile devices](#what-to-do)), and follow the guidance on that tab.

+- If you're done onboarding devices, go to [Step 5: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md).

+- See [Get started using Defender for Business](mdb-get-started.md).

+## [**Servers**](#tab/Servers)

+## Servers

+> [!NOTE]

+> **The ability to onboard a server is currently in preview**.

+Choose the operating system for your server:

+- [Windows Server](#windows-server)

+- [Linux Server](#linux-server)

+## Windows Server

+> [!IMPORTANT]

+> **The ability to onboard Windows Server endpoints is currently in preview**. Make sure that you meet the following requirements before you onboard a Windows Server endpoint:

+> - The **Preview features** setting is turned on. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Preview features**.

+> - The enforcement scope for Windows Server is turned on. Go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**, and then select **Save**.

+You can onboard an instance of Windows Server to Defender for Business by using a local script.

+### Local script for Windows Server

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.

+2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.

+3. Select an operating system, such as **Windows Server 1803, 2019, and 2022**, and then in the **Deployment method** section, choose **Local script**.

+ If you select **Windows Server 2012 R2 and 2016**, you'll have two packages to download and run: an installation package and an onboarding package. The installation package contains an MSI file that installs the Defender for Business agent. The onboarding package contains the script to onboard your Windows Server endpoint to Defender for Business.

+4. Select **Download onboarding package**. We recommend that you save the onboarding package to a removable drive.

+ If you selected **Windows Server 2012 R2 and 2016**, also select **Download installation package**, and save the package to a removable drive

+5. On your Windows Server endpoint, extract the contents of the installation/onboarding package to a location such as the Desktop folder. You should have a file named `WindowsDefenderATPLocalOnboardingScript.cmd`.

+ If you're onboarding Windows Server 2012 R2 or Windows Server 2016, extract the installation package first.

+6. Open a command prompt as an administrator.

+7. If you're onboarding Windows Server 2012R2 or Windows Server 2016, run the following command:

+ `Msiexec /i md4ws.msi /quiet`

+ If you're onboarding Windows Server 1803, 2019, or 2022, skip this step, and go to step 8.

+8. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type `%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd`, and then press Enter (or select **OK**).

+9. Go to [Run a detection test on Windows Server](#run-a-detection-test-on-windows-server).

+### Run a detection test on Windows Server

+After you onboard your Windows Server endpoint to Defender for Business, you can run a detection test to make sure that everything is working correctly:

+1. On the Windows Server device, create a folder: `C:\test-MDATP-test`.

+2. Open a command prompt as an administrator.

+3. In the Command Prompt window, run the following PowerShell command:

+ ```powershell

+ powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'

+ ```

+After the command runs, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device in about 10 minutes.

+## Linux Server

+> [!IMPORTANT]

+> **The ability to onboard Linux Server endpoints is currently in preview**. Make sure that you meet the following requirements before you onboard a Linux Server endpoint:

+> - The **Preview features** setting is turned on. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Preview features**.

+> - You meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites).

+### Onboard Linux Server endpoints

+You can use the following methods to onboard an instance of Linux Server to Defender for Business:

+- **Local script:** See [Deploy Microsoft Defender for Endpoint on Linux manually](../defender-endpoint/linux-install-manually.md).

+- **Ansible:** See [Deploy Microsoft Defender for Endpoint on Linux with Ansible](../defender-endpoint/linux-install-with-ansible.md).

+- **Chef:** See [Deploy Defender for Endpoint on Linux with Chef](../defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md).

+- **Puppet:** See [Deploy Microsoft Defender for Endpoint on Linux with Puppet](../defender-endpoint/linux-install-with-puppet.md).

+> [!NOTE]

+> Onboarding an instance of Linux Server to Defender for Business is the same as onboarding to [Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md).

+To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, under **Endpoints**, choose **Device inventory**.

+- If you have other devices to onboard, select the tab for those devices ([Windows 10 and 11, Mac, Servers, or Mobile devices](#what-to-do)), and follow the guidance on that tab.

+- If you're done onboarding devices, go to [Step 5: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md).

+- See [Get started using Defender for Business](mdb-get-started.md).

+## [**Mobile devices**](#tab/mobiles)

+After a device is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

+- If you have other devices to onboard, select the tab for those devices ([Windows 10 and 11, Mac, Servers, or Mobile devices](#what-to-do)), and follow the guidance on that tab.

+- If you're done onboarding devices, go to [Step 5: Configure your security settings and policies in Defender for Business](mdb-configure-security-settings.md).

+- See [Get started using Defender for Business](mdb-get-started.md).

+Defender for Business is a new endpoint security solution that was designed especially for the small and medium-sized business (up to 300 employees). With this endpoint security solution, your company's devices are better protected from ransomware, malware, phishing, and other threats.

+- **Flexibility for your environment**. Defender for Business can work with your business environment, whether you're using Microsoft Intune or you're brand new to the Microsoft Cloud. Defender for Business works with components that are built into Windows, and with apps for Mac, iOS, and Android devices.

+- **Integration with Microsoft 365 Lighthouse, RMM tools, and PSA software**. If you're a Microsoft cloud solution provider (CSP) using [Microsoft 365 Lighthouse](../../lighthouse/m365-lighthouse-overview.md), you can view security incidents and alerts across your customers' tenants (see [Microsoft 365 Lighthouse and Defender for Business](mdb-lighthouse-integration.md)). If you're a Microsoft managed service provider (MSP), you can integrate Defender for Business with your remote monitoring and management (RMM) tools and professional service automation (PSA) software (see [Defender for Business and MSP resources](mdb-partners.md)).

+- **Provide you with an overview of Defender for Business** so you know what's included and how it works. Use this article as a starting point.

+ - [Compare security features in Defender for Business to other plans](compare-mdb-m365-plans.md).

+ - [Find out how to get Defender for Business](get-defender-business.md).

+- **Learn how to set up your threat protection capabilities**.

+ - [Use the trial playbook: Defender for Business](trial-playbook-defender-business.md).

+ - [Learn about the simplified configuration process](mdb-simplified-configuration.md).

+ - [See how to set up and configure Defender for Business](mdb-setup-configuration.md).

+- **Help you get started using Defender for Business**, starting with the Microsoft 365 Defender portal.

+ - [Navigate the Microsoft 365 Defender portal](mdb-get-started.md).

+ - [Try scenarios, tutorials, and simulations](mdb-tutorials.md).

+- **Provide guidance on managing devices and security policies**.

+ - [Monitor or manage devices](mdb-manage-devices.md).

+ - [View or edit security policies](mdb-view-edit-policies.md).

+- [Learn more about the simplified configuration process in Defender for Business](mdb-simplified-configuration.md)

+- [Find out how to get Defender for Business](get-defender-business.md)

+ Title: Microsoft Defender for Business and Microsoft partner resources

+# Microsoft Defender for Business and Microsoft partner resources

+Microsoft partners have access to resources, programs, and tools that empower partners to enable customers to succeed. This article provides an overview of resources that are available for Microsoft partners who serve customers using [Defender for Business](mdb-overview.md) or [Microsoft 365 Business Premium](../../business-premium/index.md).

+## Resources for partners to learn about Defender for Business and Microsoft 365 Business Premium

+| Resource | Description |

+|:|:|

+| [Microsoft Partner Network](https://partner.microsoft.com) | Visit the Microsoft Partner Network to learn how to become a Microsoft partner and join the Microsoft Partner Network. |

+| [Microsoft 365 Business Premium and Defender for Business partner webinar series](https://aka.ms/M365MDBseries) | This webinar series provides: <ul><li>Practical guidance about how to have conversations with your customers about security and drive upsell to Business Premium. </li><li>Demos and deep dive walkthroughs for Microsoft 365 Lighthouse and Defender for Business. </li><li>A panel of experts to help answer your questions.</li></ul> |

+| [Microsoft 365 Business Premium partner playbook and readiness series](https://aka.ms/M365BPPartnerPlaybook) | Practical guidance on building a profitable managed services practice, with: <ul><li>Examples of successful managed service offers from industry experts and peers. </li><li>Technical enablement and checklists from Microsoft experts. </li><li>Sales enablement and customer conversation aids to help you market your solution. </li></ul> |

+| [Defender for Business partner kit](https://aka.ms/MDBPartnerKit) | The Defender for Business partner kit provides you with practical guidance, technical information, and customer-ready resources to market and sell Defender for Business to small and medium-sized businesses. |

+## Resources for Microsoft managed service providers to build cybersecurity capabilities

+Most managed service providers (MSPs) offer a sophisticated stack of capabilities. For example, many MSPs offer software and services that include backup & recovery, network management, line of business apps, and cybersecurity capabilities. Small and medium-sized businesses recognize security as a key component to their success, but often don't have the capacity or expertise to have a dedicated security operations team. These customers often need help with managing the security of their endpoints and network, and addressing alerts or detected threats.

+If you're a Microsoft MSP and you want to integrate Microsoft endpoint security capabilities with your remote monitoring and management (RMM) tools and your professional service automation (PSA) software, you can use the [Defender for Endpoint APIs](../defender-endpoint/management-apis.md). Using the Defender for Endpoint APIs, with your RMM tools and PSA software, you can:

+## Resources for Cloud Solution Providers

+Microsoft Cloud Solution Providers (CSPs) can go beyond reselling licenses and be more involved in customers' business. For example, CSPs can use Microsoft 365 Lighthouse to manage small and medium-sized business customers' security settings and capabilities. CSPs can also view and manage detected threats, including running antivirus scans on devices.

+[Learn more about Microsoft 365 Lighthouse and Microsoft Defender for Business](mdb-lighthouse-integration.md).

+## Policy order in Defender for Business

+Defender for Business includes predefined policies to help ensure the devices your employees use are protected. Your security team can add new policies as well. For example, suppose that you want to apply certain settings to some devices, and different settings to other devices. You can do that by adding policies, such as next-generation protection policies or firewall policies.

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+ Title: Microsoft Defender for Business preview features

+description: Learn how to access Microsoft Defender for Business preview features.

+keywords: preview, preview experience, Microsoft Defender for Business, features, updates

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: admin

+ - m365-security-compliance

+ms.technology: mdb

+# Microsoft Defender for Business preview features

+**Applies to:**

+- [Microsoft Defender for Business](mdb-overview.md)

+Defender for Business is constantly being updated to include new feature enhancements and capabilities.

+Learn about new features in Defender for Business preview releases, and be among the first to try upcoming features by turning on the preview experience.

+## What you need to know

+When working with features in public preview, these features:

+- Might have restricted or limited functionality. For example, the feature might only apply to one platform.

+- Typically go through feature changes before they're generally available (GA).

+- Are fully supported by Microsoft.

+- Might only be available in selected geographic regions or cloud environments. For example, a preview feature might not exist in the government cloud.

+- Individual features in preview might have more usage and support restrictions. If so, this information is typically noted in the feature documentation.

+- The preview versions are provided with a standard support level, and can be used for production environments.

+## Turn on preview features

+If you turn on preview features, you'll have access to upcoming features, enabling you to provide feedback and help improve the overall experience before these features are generally available.

+Turn on the preview experience setting to be among the first to try upcoming features.

+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features** \> **Preview features**.

+2. Turn the setting to **On**, and then select **Save preferences**.

+## See also

+[How to get Microsoft Defender for Business servers (preview)](get-defender-business-servers.md)

+| **Threat protection** | The threat protection report provides information about alerts and alert trends. Use the **Alert trends** column to view information about alerts that were triggered over the last 30 days. Use the **Alert status** column to view current snapshot information about alerts, such as categories of unresolved alerts and their classification. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Threat protection**. <br/><br/>**TIP**: You can also use the **Incidents** list to view information about alerts. In the navigation pane, choose **Incidents** to view and manage current incidents. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md). |

+| **Device health and compliance** | The device health and compliance report provides information about device health and trends. You can use this report to determine whether Defender for Business sensors are working correctly on devices and the current status of Microsoft Defender Antivirus. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device health and compliance**. <br/><br/>**TIP**: You can use the **Device inventory** list to view information about your company's devices. In the navigation pane, choose **Device inventory**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |

+| **Vulnerable devices** | The vulnerable devices report provides information about devices and trends. Use the **Trends** column to view information about devices that had alerts over the last 30 days. Use the **Status** column to view current snapshot information about devices that have alerts. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Vulnerable devices**.<br/><br/>**TIP**: You can use the **Device inventory** list to view information about your company's devices. In the navigation pane, choose **Device inventory**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |

+| **Web protection** | The web protection report shows attempts to access phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that are explicitly blocked. Categories of blocked sites include adult content, leisure sites, legal liability sites, and more. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Web protection**.<br/><br/>If you haven't yet configured web protection for your company, choose the **Settings** button in a report view. Then, under **Rules**, choose **Web content filtering**. To learn more about web content filtering, see [Web content filtering](../defender-endpoint/web-content-filtering.md). |

+| **Firewall** | The firewall report shows blocked inbound, outbound, and app connections. This report also shows remote IPs connected by multiple devices, and remote IPs with the most connection attempts. <br/><br/>If you haven't yet configured your firewall protection, in the navigation pane, choose **Endpoints** > **Configuration management** > **Device configuration**. To learn more, see [Firewall in Defender for Business](mdb-firewall.md). |

+| **Device control** | The device control report shows information about media usage, such as the use of removable storage devices in your organization. |

+- [Get started using Defender for Business](mdb-get-started.md)

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [Manage devices in Defender for Business](mdb-manage-devices.md)

+This article describes the requirements for Defender for Business.

+The following table lists the basic requirements you need to configure and use Defender for Business.

+| Subscription | Microsoft 365 Business Premium or Defender for Business (standalone). See [How to get Defender for Business](get-defender-business.md).<p>Note that if you have multiple subscriptions, the highest subscription takes precedence. For example, if you have Microsoft Defender for Endpoint Plan 2 (purchased or trial subscription), and you get Defender for Business, Defender for Endpoint Plan 2 takes precedence. In this case, you won't see the Defender for Business experience. See [What happens if I have a mix of Microsoft 365 Defender subscriptions](mdb-faq.yml#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)? |

+| Datacenter | One of the following datacenter locations: <ul><li>European Union</li><li>United Kingdom</li><li>United States</li></ul> |

+| User accounts |<ul><li>User accounts are created in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).</li><li>Licenses for Defender for Business (or Microsoft 365 Business Premium) are assigned in the Microsoft 365 admin center.</li></ul>To get help with this task, see [Add users and assign licenses](mdb-add-users.md). |

+| Permissions | To sign up for Defender for Business, you must be a Global Admin.<p>To access the Microsoft 365 Defender portal, users must have one of the following [roles in Azure AD](mdb-roles-permissions.md) assigned:<ul><li>Security Reader</li><li>Security Admin</li><li>Global Admin</li></ul>To learn more, see [Roles and permissions in Defender for Business](mdb-roles-permissions.md). |

+| Client device operating system | To manage devices in the Microsoft 365 Defender portal, your devices must be running one of the following operating systems: <ul><li>Windows 10 or 11 Business</li><li>Windows 10 or 11 Professional</li><li>Windows 10 or 11 Enterprise</li><li>Mac (the three most-current releases are supported)</li></ul><p>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on the Windows devices. <p>If you're already managing devices in Microsoft Intune, you can continue to use the Microsoft Endpoint Manager admin center. In that case, the following other operating systems are supported: <ul><li>iOS and iPadOS</li><li>Android OS</li></ul> |

+| Server requirements | If you're planning to onboard an instance of Windows Server or Linux Server, you must meet the following requirements: <ul><li>The **Preview features** setting is turned on. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Preview features**.</li><li>Enforcement scope for Windows Server is turned on. In the Microsoft 365 Defender portal, go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**, and then select **Save**.</li><li>Linux Server endpoints meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites).</li></ul> |

+> - If you don't have a Microsoft 365 subscription before you start your trial, Azure AD will be provisioned for you during the activation process.

+> - If you're using [Microsoft 365 Business Premium](../../business/index.yml) when you start your Defender for Business trial, you have the option to manage your devices using Intune.

+Go to [Step 2: Assign roles and permissions in Defender for Business](mdb-roles-permissions.md).

+- [Manage devices in Defender for Business](mdb-manage-devices.md)

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval. Examples of remediation actions include:

+- Send a file to quarantine

+- Stop a process from running

+- Remove a scheduled task

+All remediation actions are tracked in the Action center.

+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.

+3. Select the **Pending** tab to view and approve (or reject) any pending actions. Actions can arise from antivirus/antimalware protection, automated investigations, manual response activities, or live response sessions.

+4. Select the **History** tab to view a list of completed actions.

+Defender for Business includes several remediation actions. These actions include manual response actions, actions following automated investigation, and live response actions.

+The following table lists remediation actions that are available.

+| [Automated investigations](../defender-endpoint/automated-investigations.md) |<ul><li>Quarantine a file</li><li>Remove a registry key</li><li>Kill a process</li><li>Stop a service</li><li>Disable a driver</li><li>Remove a scheduled task </li></ul> |

+| [Manual response actions](../defender-endpoint/respond-machine-alerts.md) |<ul><li>Run antivirus scan</li><li>Isolate a device</li><li>Stop and quarantine</li><li>Add an indicator to block or allow a file</li></ul> |

+| [Live response](../defender-endpoint/live-response.md) |<ul><li>Collect forensic data</li><li>Analyze a file</li><li>Run a script</li><li>Send a suspicious entity to Microsoft for analysis</li><li>Remediate a file </li><li>Proactively hunt for threats</li></ul>|

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+- [Manage devices in Defender for Business](mdb-manage-devices.md)

+To perform tasks in the Microsoft 365 Defender portal, such as configuring Defender for Business, viewing reports, or taking response actions on detected threats, appropriate permissions must be assigned to your security team. Permissions are granted through roles that are assigned in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or in [Azure Active Directory](/azure/active-directory/roles/manage-roles-portal).

+| **Global administrators** (also referred to as global admins) <p> *As a best practice, limit the number of global admins.* | Global admins can perform all kinds of tasks. The person who signed up your company for Microsoft 365 or for Defender for Business is a global administrator by default. <p> Global admins are able to modify settings across all Microsoft 365 portals, such as: <ul><li>The Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))</li><li>Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))</li></ul> |

+| **Security administrators** (also referred to as security admins) | Security admins can perform the following tasks: <ul><li>View and manage security policies</li><li>View and manage security threats and alerts (these activities include taking response actions on endpoints)</li><li>View security information and reports</li></ul> |

+| **Security reader** | Security readers can perform the following tasks:<ul><li>View security policies</li><li>View security threats and alerts</li><li>View security information and reports</li></ul> |

+ > Microsoft recommends that you grant people access to only what they need to perform their tasks. We call this concept *least privilege* for permissions. To learn more, see [Best practices for least-privileged access for applications](/azure/active-directory/develop/secure-least-privileged-access).

+4. In the side pane, select the **Manage members in Azure AD** link. This action takes you to Azure Active Directory (Azure AD), where you can view and manage your role assignments.

+Go to:

+- [Step 4: Onboard devices to Defender for Business](mdb-onboard-devices.md)

+Defender for Business provides a streamlined setup and configuration experience, designed especially for the small and medium-sized business. Use this article as a guide for the overall process.

+| 1 | [Review the requirements](mdb-requirements.md) | Review the requirements, including supported operating systems, for Defender for Business. See [Defender for Business requirements](mdb-requirements.md). |

+| 4 | [Onboard devices](mdb-onboard-devices.md) | Defender for Business is set up so that you can choose from several options to onboard your company's devices. See [Onboard devices to Defender for Business](mdb-onboard-devices.md). |

+| 5 | [Configure your security settings and policies](mdb-configure-security-settings.md) | You can choose from several options to configure your security settings and policies, such as the [simplified configuration process](mdb-simplified-configuration.md) in Defender for Business or the Microsoft Endpoint Manager admin center. See [Configure your security settings and policies](mdb-configure-security-settings.md). |

+Microsoft Defender for Business features a simplified configuration process designed especially for small and medium-sized businesses. A wizard-like experience takes the guesswork out of onboarding and managing devices. **We recommend using the simplified configuration process, but you're not limited to this option**.

+To onboard devices and configure security settings for your company's devices, you can choose from these experiences:

+- The simplified configuration process in Microsoft Defender for Business (*recommended*); or

+- Use Microsoft Intune (included in [Microsoft 365 Business Premium](../../business-premium/index.md)).

+1. [Review your setup and configuration options](#review-your-setup-and-configuration-options).

+2. [Learn more about the simplified configuration process in Defender for Business](#why-we-recommend-the-simplified-configuration-process).

+3. [Proceed to your next steps](#next-steps).

+The following table describes each experience.

+| The simplified configuration experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) <br/>(*This is the recommended option for most customers.*) | The simplified configuration experience includes a wizard-like experience to help you set up and configure Defender for Business. To learn more, see [Use the wizard to set up Microsoft Defender for Business](mdb-use-wizard.md).<br/><br/>Simplified configuration also includes default security settings and policies to help protect your company's devices as soon as they're onboarded to Defender for Business. You can view and edit the default policies to suit your business needs. To learn more, see [View or edit device policies in Microsoft Defender for Business](mdb-view-edit-policies.md).<br/><br/>With the simplified experience, your security team uses the Microsoft 365 Defender portal as a one-stop shop to: <ul><li>Set up and configure Defender for Business</li><li>View and manage incidents</li><li>Respond to and mitigate threats</li><li>View reports</li><li>Review pending or completed actions |

+| The Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) provider for apps and devices. If you're already using Intune, you can continue to use the Endpoint Manager admin center to manage devices such as mobile phones, tablets, and laptops. See [Microsoft Intune: Device management](/mem/intune/fundamentals/what-is-device-management). <br/><br/>Intune isn't included in the standalone version of Defender for Business, but you can add it to your subscription if necessary. If you have [Microsoft 365 Business Premium](../../business-premium/index.md), then you already have Intune. |

+## Why we recommend the simplified configuration process

+We recommend the simplified configuration process in Defender for Business because it's streamlined especially for small and medium-sized businesses. The setup wizard helps you onboard devices and manage them in the Microsoft 365 Defender portal, where you'll also view and manage detected threats. As you onboard devices, they're protected right away with default security settings and policies. You can keep your default settings as they are, or make changes to suit your business needs. And, you can add new, custom policies to suit your business needs.

+- [Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md).

+- [Get started using Microsoft Defender for Business](mdb-get-started.md).

+This article describes some scenarios to try and several tutorials and simulations that are available for Defender for Business. These resources show how Defender for Business can work for your company.

+The following table summarizes several scenarios to try with Defender for Business.

+| Onboard devices using a local script | In Defender for Business, you can onboard Windows and Mac devices by using a script that you download and run on each device. The script creates a trust with Azure Active Directory (Azure AD), if that trust doesn't already exist; enrolls the device with Microsoft Intune, if you have Intune; and onboards the device to Defender for Business. To learn more, see [Onboard devices to Defender for Business](mdb-onboard-devices.md). |

+| Onboard devices using the Microsoft Endpoint Manager admin center | If you were already using Intune before getting Defender for Business, you can continue to use Endpoint Manager admin center to onboard devices. Try onboarding your Windows, Mac, iOS, and Android devices with Microsoft Intune. To learn more, see [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment). |

+| Edit security policies | If you're managing your security policies in Defender for Business, use the **Device configuration** page to view and edit your policies. Defender for Business comes with default policies that use recommended settings to secure your company's devices as soon as they're onboarded. You can keep the default policies, edit them, and define your own policies to suit your business needs. To learn more, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md). |

+| Run a simulated attack | Several tutorials and simulations are available in Defender for Business. These tutorials and simulations show how the threat-protection features of Defender for Business can work for your company. You can also use a simulated attack as a training exercise for your team. To try the tutorials, see [Recommended tutorials for Defender for Business](#recommended-tutorials-for-defender-for-business). |

+| View incidents in Microsoft 365 Lighthouse | If you're a [Microsoft Cloud Solution Provider](/partner-center/enrolling-in-the-csp-program) using Microsoft 365 Lighthouse, you can view incidents across your customers' tenants in your Microsoft 365 Lighthouse portal. To learn more, see [Microsoft 365 Lighthouse and Defender for Business](mdb-lighthouse-integration.md). |

+The following table describes the recommended tutorials for Defender for Business customers.

+| **Document Drops Backdoor** | Simulate an attack that introduces file-based malware on a test device. The tutorial describes how to use the simulation file and what to watch for in the Microsoft 365 Defender portal. <p>This tutorial requires that Microsoft Word is installed on your test device. |

+| **Live Response** | Learn how to use basic and advanced commands with Live Response. Learn how to locate a suspicious file, remediate the file, and gather information on a device. |

+| **Threat & Vulnerability Management (core scenarios)** | Learn about threat and vulnerability management through three scenarios:<ol><li>Reduce your company's threat and vulnerability exposure.</li><li>Request a remediation.</li><li>Create an exception for security recommendations.</li></ol> <p> Threat & Vulnerability Management uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. |

+ - **Document Drops Backdoor**

+ - **Live Response**

+- [Manage devices in Defender for Business](mdb-manage-devices.md)

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+Defender for Business was designed to save small and medium-sized businesses time and effort. For example, you can do initial setup and configuration with a setup wizard. The setup wizard guides you through granting access to your security team, setting up email notifications for your security team, and onboarding your company's Windows devices.

+> - [How to set up and configure Defender for Business](mdb-setup-configuration.md)

+> You must be a global administrator to run the setup wizard. The person who signed up your company for Microsoft 365 or for Defender for Business is a global administrator by default.

+ [Learn more about onboarding devices to Defender for Business](mdb-onboard-devices.md).

+To onboard other devices, see [Onboard devices to Defender for Business](mdb-onboard-devices.md).

+See [Set up and configure Defender for Business](mdb-setup-configuration.md) to walk through these steps:

+- [Onboard more devices to Defender for Business](mdb-onboard-devices.md)

+- [View and edit your security policies and settings in Defender for Business](mdb-configure-security-settings.md)

+In Defender for Business, security settings are configured through policies that are applied to devices. To help simplify your setup and configuration experience, Defender for Business includes preconfigured policies to help protect your company's devices as soon as they are onboarded. You can use the default policies, edit policies, or create your own policies.

+ - To set up a new device group, select **Create new group**, and then set up your device group. (To get help with this task, see [Device groups in Defender for Business](mdb-create-edit-device-groups.md).)

+8. On the **Configuration settings** tab, specify the settings for your policy, and then choose **Next**. For more information about the individual settings, see [Configuration settings for Defender for Business](mdb-next-gen-configuration-settings.md).

+- [Create a new policy in Defender for Business](mdb-create-new-policy.md)

+- [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md)

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+> Defender for Business is designed to help you address detected threats by offering up recommended actions. When you view an alert, look for the recommended actions to take. Also take note of the alert severity, which is determined not only on the basis of the threat severity, but also on the level of risk to your company.

+When Microsoft Defender Antivirus assigns an alert severity based on the absolute severity of a detected threat (malware) and the potential risk to an individual endpoint (if infected). Defender for Business assigns an alert severity based on the severity of the detected behavior, the actual risk to an endpoint (device), and more importantly, the potential risk to your company. The following table lists a few examples:

+| Scenario | Alert severity and reason |

+|:|:|

+| Microsoft Defender Antivirus detects and stops a threat before it does any damage. | Informational <br/><br/>The threat was stopped before any damage was done. |

+| Microsoft Defender Antivirus detects malware that was executing within your company. The malware is stopped and remediated. | Low <br/><br/>Although some damage might have been done to an individual endpoint, the malware now poses no threat to your company. |

+| Malware that is executing is detected by Defender for Business. The malware is blocked almost immediately. | Medium or High <br/><br/>The malware poses a threat to individual endpoints and to your company. |

+| Suspicious behavior is detected but no remediation actions are taken yet. | Low, Medium, or High <br/><br/>The severity depends on the degree to which the behavior poses a threat to your company. |

+- [Respond to and mitigate threats in Defender for Business](mdb-respond-mitigate-threats.md)

+- [View or edit device policies in Defender for Business](mdb-view-edit-policies.md)

+Defender for Business includes a vulnerability management dashboard that is designed to save your security team time and effort. In addition to providing an exposure score, you can also view information about exposed devices and security recommendations. You can use your threat & vulnerability management dashboard to:

+- [Tutorials and simulations in Defender for Business](mdb-tutorials.md)

+- [Onboard devices to Defender for Business](mdb-onboard-devices.md)

+- [View or edit policies in Defender for Business](mdb-view-edit-create-policies.md)

+**Welcome to the Defender for Business trial playbook!**

+This playbook is a simple guide to help you make the most of your 30-day free trial. Use the recommendations in this article from the Microsoft Defender team to learn how Defender for Business can help elevate your security from traditional antivirus protection to next-generation protection, endpoint detection and response, and threat and vulnerability management.

+## What is Defender for Business?

+Defender for Business is a new endpoint security solution designed especially for small and medium-sized businesses with up to 300 employees. With this endpoint security solution, your organization's devices are well-protected from ransomware, malware, phishing, and other threats.

+After you sign up for Defender for Business, the first step is to **[add users and assign licenses](mdb-add-users.md)**.

+The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is the one-stop shop where you use and manage Defender for Business. It includes callouts to help you get started, cards that surface relevant information, and a navigation bar that provides easy access to the various features and capabilities.

+- **[Explore the navigation bar](mdb-get-started.md#the-navigation-bar)** on the left side of the screen to access your incidents, view reports, and manage your security policies and settings.

+Defender for Business was designed to save small and medium-sized businesses time and effort. You can do initial setup and configuration through a setup wizard. The setup wizard helps you grant access to your security team, set up email notifications for your security team, and onboard your company's Windows devices. **[Use the setup wizard](mdb-use-wizard.md)**.

+> You can only use the setup wizard once.

+> **Using the setup wizard is optional.** (See [What happens if I don't use the wizard?](mdb-use-wizard.md#what-happens-if-i-dont-use-the-wizard)) If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own. See [Step 4](#step-4-set-up-and-configure-defender-for-business).

+ > When you use the setup wizard, the system detects if you have Windows devices that are already enrolled in Intune. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once or select specific devices at first and then add more devices later. [Learn more about automatic onboarding](mdb-use-wizard.md#what-is-automatic-onboarding).

+4. **[View and edit your security policies](mdb-configure-security-settings.md)**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These preconfigured security policies use recommended settings, so you're protected as soon as your devices are onboarded to Defender for Business. And you can edit the policies or create new ones.

+If you choose not to use the setup wizard, see the following diagram that depicts the [overall setup and configuration process](mdb-setup-configuration.md#the-setup-and-configuration-process) for Defender for Business.

+[:::image type="content" source="medi)

+If you used the setup wizard but you need to onboard more devices, such as non-Windows devices, go directly to step 4 in the following procedure:

+4. **[Onboard devices](mdb-onboard-devices.md)**. With Defender for Business, you have several options to choose from for onboarding your company's devices. First, select the operating system you want to onboard.

+ | Device type | Onboarding methods |

+ | [Windows clients](mdb-onboard-devices.md) | Choose one of the following options to onboard Windows client devices to Defender for Business:<ul><li>Local script (for onboarding devices manually in the Microsoft 365 Defender portal)</li><li>Group Policy (if you're already using Group Policy and prefer this method)</li><li>Microsoft Intune (*recommended*; included in [Microsoft 365 Business Premium](../../business-premium/index.md))</li></ul> |

+ | [Mac](mdb-onboard-devices.md) | Choose one of the following options to onboard Mac:<ul><li>Local script for Mac (*recommended*)</li><li>Microsoft Intune for Mac (Intune is included in [Microsoft 365 Business Premium](../../business-premium/index.md))</li></ul><p>We recommend you use a local script to onboard Mac. Although you can [set up enrollment for Mac devices in Intune](/mem/intune/enrollment/macos-enroll), the local script is the simplest method for onboarding Mac to Defender for Business. |

+ | Windows Server and Linux servers | *The ability to onboard an instance of Windows Server or Linux Server is currently in preview and requires an additional license*. See the following articles to learn more: <ul><li>[Defender for Business requirements](mdb-requirements.md)</li><li>[Onboard devices to Defender for Business](mdb-onboard-devices.md)</li></ul> |

+ | [Mobile devices](mdb-onboard-devices.md) | You need Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS devices. If you have [Microsoft 365 Business Premium](../../business-premium/index.md), Intune is part of your subscription. Intune can also be purchased separately. See the following resources to get help enrolling these devices into Intune:<ul><li>[Enroll Android devices](/mem/intune/enrollment/android-enroll)</li><li>[Enroll iOS or iPadOS devices](/mem/intune/enrollment/ios-enroll)</li></ul> |

+5. **[View and configure your security policies](mdb-configure-security-settings.md)**. After you onboard your company's devices to Defender for Business, the next step is to view and edit your security policies and settings. Defender for Business includes preconfigured security policies that use recommended settings. But you can edit the settings to suit your business needs.

+ | [Choose where to manage your security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices). | If you select the [simplified configuration process](mdb-simplified-configuration.md), you can view and manage your security policies in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). But you're not limited to this option. If you've been using [Intune](/mem/intune/protect/), you can keep using the Microsoft Endpoint Manager admin center to manage your security policies and devices. |

+ | [View or edit your firewall policies](mdb-configure-security-settings.md#view-or-edit-your-firewall-policies-and-custom-rules). | Firewall protection determines what network traffic is allowed to flow to and from your company's devices. [Custom rules](mdb-custom-rules-firewall.md) can be used to define exceptions to your firewall policies. |

+ | [Review settings for advanced features](mdb-configure-security-settings.md#review-settings-for-advanced-features). | In Defender for Business, security features are preconfigured to recommended settings. You can review and edit the settings to suit your business needs. <br/><br/>To access settings for advanced features, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) go to **Settings** > **Endpoints** > **General** > **Advanced features**. |

+- [Use your Threat & Vulnerability Management dashboard](#use-the-threat--vulnerability-management-dashboard)

+### Use the Threat & Vulnerability Management dashboard

+Defender for Business includes a Threat & Vulnerability Management dashboard that's designed to save your security team time and effort. [Use your Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md).

+- View your exposure score, which is associated with devices in your organization.

+- View your top security recommendations, such as address impaired communications with devices, turn on firewall protection, or update Microsoft Defender Antivirus definitions.

+- [Set up web content filtering](mdb-configure-security-settings.md#set-up-web-content-filtering). Web-content filtering enables your security team to track and regulate access to websites based on their content categories. It's not turned on by default, so you need to set it up if you want this capability for your organization.

+New security events, such as threat detection on a device, adding new devices, and employees joining or leaving the organization, will require you to manage security. In Defender for Business, there are many ways for you to manage device security.

+- [Overview of Defender for Business](mdb-overview.md)

+- [Tutorials and simulations in Defender for Business](mdb-tutorials.md)

+- [Get Defender for Business](get-defender-business.md)

+> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to Endpoint Attack Notifications managed threat hunting service.

+If you're a Defender for Endpoint customer, you need to apply for **Endpoint Attack Notifications** to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries.

+## Apply for Endpoint Attack Notifications service

+1. From the navigation pane, go to **Settings > General > Advanced features > Endpoint Attack Notifications**.

+When accepted, you will receive a welcome email and you will see the **Apply** button change to a toggle that is "on". In case you want to take yourself out of the Endpoint Attack Notifications service, slide the toggle "off" and click **Save preferences** at the bottom of the page.

+## Where you'll see the Endpoint Attack Notifications from Microsoft Threat Experts

+To receive Endpoint Attack Notifications through email, create an email notification rule.

+## View the Endpoint Attack Notifications

+You'll start receiving Endpoint Attack Notifications from Microsoft Threat Experts in your email after you have configured your system to receive email notification.

+### Possible device compromise

+- We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Endpoint Attack Notifications alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?

+- Can your incident response team help us address the Endpoint Attack Notifications that we got?

+- I received this Endpoint Attack Notifications from Microsoft Threat Experts. We don't have our own incident response team. What can we do now, and how can we contain the incident?

+- I received an Endpoint Attack Notifications from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?

+5. Enable [removable storage protection](device-control-removable-storage-protection.md)

+6. [Turn on network protection](enable-network-protection.md).

+7. Enable [Web protection](web-protection-overview.md)

+- Controlled folder access

+- Device control

+For example, you can test attack surface reduction rules in audit mode prior to enabling (block mode) them. Attack surface reduction (ASR) rules are pre-defined to harden common, known attack surfaces. There are several methods you can use to implement attack surface reduction rules. The preferred method is documented in the following attack surface reduction (ASR) rules deployment topics:

+| [Attack surface reduction (ASR) rules reference](attack-surface-reduction-rules-reference.md) | Provides details about each attack surface reduction rule. |

+| [Attack surface reduction (ASR) rules deployment guide](attack-surface-reduction-rules-deployment.md) | Presents overview information and prerequisites for deploying attack surface reduction rules, followed by step-by-step guidance for testing (audit mode), enabling (block mode) and monitoring. |

+| [Exploit protection](exploit-protection.md) | Help protect the operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. |

+| [Hardware-based isolation](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. Use container isolation for Microsoft Edge to help guard against malicious websites. |

+| [Network protection](network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus). |

+| [Web protection](web-protection-overview.md) | Web protection lets you secure your devices against web threats and helps you regulate unwanted content. |

+> Before you apply, make sure to discuss the eligibility requirements for Endpoint Attack Notifications managed threat hunting service with your Microsoft Technical Service provider and account team.

+To receive Endpoint Attack Notifications, you'll need to have Microsoft 365 Defender deployed with devices enrolled. Then, submit an application through the M365 portal for Endpoint Attack Notifications.

+## Apply for Endpoint Attack Notifications service

+If you already have Microsoft Defender for Endpoint and Microsoft 365 Defender, you can apply for Endpoint Attack Notifications through your Microsoft 365 Defender portal. Endpoint Attack Notifications grant you special insight and analysis to help identify the most critical threats to your organization, so you can respond to them quickly.

+1. From the navigation pane, go to **Settings > Endpoints > General > Advanced features > Endpoint Attack Notifications**.

+3. Enter your email address so that Microsoft can contact you about your application.

+5. After you receive your welcome email, you'll automatically start receiving Endpoint Attack Notifications.

+6. You can verify your status by visiting **Settings > Endpoints > General > Advanced features**. Once approved, the **Endpoint Attack Notification** toggle will be visible and switched **On**.

+## Where you'll see the Endpoint Attack Notifications from Microsoft Threat Experts

+You can receive Endpoint Attack Notifications from Microsoft Threat Experts through the following mediums:

+- Your inbox, if you choose to have Endpoint Attack Notifications sent to you via email. See [Create an email notification rule](#create-an-email-notification-rule) below.

+## View Endpoint Attack Notifications

+You'll start receiving Endpoint Attack Notifications from Microsoft Threat Experts in your email after you have configured your system to receive email notification.

+### Possible device compromise

+Other workloads are also available for protection (for example, [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md) and [Safe Links for supported Office apps](safe-links.md#safe-links-settings-for-office-apps).

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+You configure most Safe Links settings in Safe Links policies, including [Safe Links settings for supported Office Apps](safe-links.md#safe-links-settings-for-office-apps). For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md).

+- Although there's no default Safe Links policy, the **Built-in protection** preset security policy provides Safe Links protection to all recipients (users who aren't defined in custom Safe Links policies or Standard or Strict preset security policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md). You can also create Safe Links policies to apply to specific users, group, or domains. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md).

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+ :::image type="content" source="../../media/m365-sc-impersonation-insight.png" alt-text="The impersonation insight on the Anti-phishing policy page in the Microsoft 365 Defender portal." lightbox="../../media/m365-sc-impersonation-insight.png":::

+> [!NOTE]

+> The **Built-in protection** preset security policy gives Safe Attachments protection to all recipients that aren't defined in any Safe Attachments policies. For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).

+> [!NOTE]

+> The **Built-in protection** preset security policy gives Safe Links protection to all recipients that aren't defined in any Safe Links policies. For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+1. Open the **Safe Links** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/safelinksv2>, and then click .

+2. In the **Create Safe Links policy** wizard that opens, configure the following settings:

+ - **Wait for URL scanning to complete before delivering the message**: Select this setting (turn on).

+ - **Let users click through to the original URL**: Turn off this setting (not selected).

+ - **Display the organization branding on notification and warning pages**: Selecting this setting (turning it on) is meaningful only after you've followed the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.

+3. When you're finished, click **Submit**, and then click **Done**.

+For detailed instructions for configuring Safe Links policies and global settings for Safe Links, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md).

+7. **Safe Links for Office clients** offers the same Safe Links time-of-click protection, natively, inside supported Office apps like Word, PowerPoint, and Excel.

+|**Bulk email threshold** <br><br> _BulkThreshold_|7|6|4|For details, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md).|

+|**Contains specific languages** <br><br> _EnableLanguageBlockList_ <br><br> _LanguageBlockList_|**Off** <br><br> `$false` <br><br> Blank|**Off** <br><br> `$false` <br><br> Blank|**Off** <br><br> `$false` <br><br> Blank|We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.|

+|**From these countries** <br><br> _EnableRegionBlockList_ <br><br> _RegionBlockList_|**Off** <br><br> `$false` <br><br> Blank|**Off** <br><br> `$false` <br><br> Blank|**Off** <br><br> `$false` <br><br> Blank|We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.|

+|**Actions**||||Wherever you select **Quarantine message**, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages. <br><br> Standard and Strict preset security policies use the default quarantine policies (AdminOnlyAccessPolicy or DefaultFullAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> When you create a new anti-spam policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that particular verdict (AdminOnlyAccessPolicy with no quarantine notifications for **High confidence phishing**; DefaultFullAccessPolicy with no quarantine notifications for everything else). <br><br> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-spam policies. For more information, see [Quarantine policies](quarantine-policies.md).|

+|**Spam** detection action <br><br> _SpamAction_|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Quarantine message** <br><br> `Quarantine`||

+|**High confidence spam** detection action <br><br> _HighConfidenceSpamAction_|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`||

+|**Phishing** detection action <br><br> _PhishSpamAction_|**Move message to Junk Email folder**^\* <br><br> `MoveToJmf`|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`|^\* The default value is **Move message to Junk Email folder** in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is **Quarantine message** in new anti-spam policies that you create in the Microsoft 365 Defender portal.|

+|**High confidence phishing** detection action <br><br> _HighConfidencePhishAction_|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`|**Quarantine message** <br><br> `Quarantine`||

+|**Bulk** detection action <br><br> _BulkSpamAction_|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Move message to Junk Email folder** <br><br> `MoveToJmf`|**Quarantine message** <br><br> `Quarantine`||

+|**Retain spam in quarantine for this many days** <br><br> _QuarantineRetentionPeriod_|15 days^\*|30 days|30 days|^\* The default value is 15 days in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is 30 days in new anti-spam policies that you create in the Microsoft 365 Defender portal. <br><br> This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-email-messages.md).|

+|**Enable spam safety tips** <br><br> _InlineSafetyTipsEnabled_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|Enable zero-hour auto purge (ZAP) for phishing messages <br><br> _PhishZapEnabled_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|Enable ZAP for spam messages <br><br> _SpamZapEnabled_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|Allowed senders <br><br> _AllowedSenders_|None|None|None||

+|Allowed sender domains <br><br> _AllowedSenderDomains_|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <br><br> Use the [spoof intelligence insight](learn-about-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list.md) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|

+|Blocked senders <br><br> _BlockedSenders_|None|None|None||

+|Blocked sender domains <br><br> _BlockedSenderDomains_|None|None|None||

+|**Image links to remote sites** <br><br> _IncreaseScoreWithImageLinks_|Off|Off|Off||

+|**Numeric IP address in URL** <br><br> _IncreaseScoreWithNumericIps_|Off|Off|Off||

+|**URL redirect to other port** <br><br> _IncreaseScoreWithRedirectToOtherPort_|Off|Off|Off||

+|**Links to .biz or .info websites** <br><br> _IncreaseScoreWithBizOrInfoUrls_|Off|Off|Off||

+|**Empty messages** <br><br> _MarkAsSpamEmptyMessages_|Off|Off|Off||

+|**Embed tags in HTML** <br><br> _MarkAsSpamEmbedTagsInHtml_|Off|Off|Off||

+|**JavaScript or VBScript in HTML** <br><br> _MarkAsSpamJavaScriptInHtml_|Off|Off|Off||

+|**Form tags in HTML** <br><br> _MarkAsSpamFormTagsInHtml_|Off|Off|Off||

+|**Frame or iframe tags in HTML** <br><br> _MarkAsSpamFramesInHtml_|Off|Off|Off||

+|**Web bugs in HTML** <br><br> _MarkAsSpamWebBugsInHtml_|Off|Off|Off||

+|**Object tags in HTML** <br><br> _MarkAsSpamObjectTagsInHtml_|Off|Off|Off||

+|**Sensitive words** <br><br> _MarkAsSpamSensitiveWordList_|Off|Off|Off||

+|**SPF record: hard fail** <br><br> _MarkAsSpamSpfRecordHardFail_|Off|Off|Off||

+|**Sender ID filtering hard fail** <br><br> _MarkAsSpamFromAddressAuthFail_|Off|Off|Off||

+|**Backscatter** <br><br> _MarkAsSpamNdrBackscatter_|Off|Off|Off||

+|**Test mode** <br><br> _TestModeAction_)|None|None|None|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](advanced-spam-filtering-asf-options.md#enable-disable-or-test-asf-settings).|

+|**Set an external message limit** <br><br> _RecipientLimitExternalPerHour_|0|500|400|The default value 0 means use the service defaults.|

+|**Set an internal message limit** <br><br> _RecipientLimitInternalPerHour_|0|1000|800|The default value 0 means use the service defaults.|

+|**Set a daily message limit** <br><br> _RecipientLimitPerDay_|0|1000|800|The default value 0 means use the service defaults.|

+|**Restriction placed on users who reach the message limit** <br><br> _ActionWhenThresholdReached_|**Restrict the user from sending mail until the following day** <br><br> `BlockUserForToday`|**Restrict the user from sending mail** <br><br> `BlockUser`|**Restrict the user from sending mail** <br><br> `BlockUser`||

+|**Automatic forwarding rules** <br><br> _AutoForwardingMode_|**Automatic - System-controlled** <br><br> `Automatic`|**Automatic - System-controlled** <br><br> `Automatic`|**Automatic - System-controlled** <br><br> `Automatic`|

+|**Send a copy of outbound messages that exceed these limits to these users and groups** <br><br> _BccSuspiciousOutboundMail_ <br><br> _BccSuspiciousOutboundAdditionalRecipients_|Not selected <br><br> `$false` <br><br> Blank|Not selected <br><br> `$false` <br><br> Blank|Not selected <br><br> `$false` <br><br> Blank|We have no specific recommendation for this setting. <br><br> This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.|

+|**Notify these users and groups if a sender is blocked due to sending outbound spam** <br><br> _NotifyOutboundSpam_ <br><br> _NotifyOutboundSpamRecipients_|Not selected <br><br> `$false` <br><br> Blank|Not selected <br><br> `$false` <br><br> Blank|Not selected <br><br> `$false` <br><br> Blank|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).|

+|**Enable the common attachments filter** <br><br> _EnableFileFilter_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|This setting quarantines messages that contain attachments based on file type, regardless of the attachment content. For the list of file types, see [Anti-malware policies](anti-malware-protection.md#anti-malware-policies).|

+|**Enable zero-hour auto purge for malware** <br><br> _ZapEnabled_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Quarantine policy**|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|When you create a new anti-malware policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as malware (AdminOnlyAccessPolicy with no quarantine notifications). <br><br> Standard and Strict preset security policies use the default quarantine policy (AdminOnlyAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> Admins can create and select custom quarantine policies that define more capabilities for users in the default or custom anti-malware policies. For more information, see [Quarantine policies](quarantine-policies.md).|

+|**Notify an admin about undelivered messages from internal senders** <br><br> _EnableInternalSenderAdminNotifications_ <br><br> _InternalSenderAdminAddress_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|We have no specific recommendation for this setting.|

+|**Notify an admin about undelivered messages from external senders** <br><br> _EnableExternalSenderAdminNotifications_ <br><br> _ExternalSenderAdminAddress_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|We have no specific recommendation for this setting.|

+|**Use customized notification text** <br><br> _CustomNotifications_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`||

+|**From name** <br><br> _CustomFromName_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||

+|**From address** <br><br> _CustomFromAddress_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||

+|**Subject** <br><br> _CustomInternalSubject_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||

+|**Message** <br><br> _CustomInternalBody_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||

+|**Subject** <br><br> _CustomExternalSubject_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||

+|**Message** <br><br> _CustomExternalBody_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`||

+|**Enable spoof intelligence** <br><br> _EnableSpoofIntelligence_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**If message is detected as spoof** <br><br> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Quarantine the message** <br><br> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](learn-about-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list.md). <br><br> If you select **Quarantine the message**, an **Apply quarantine policy** box is available to select the quarantine policy that defines what users are allowed to do to messages that are quarantined as spoofing. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as spoofing (DefaultFullAccessPolicy with no quarantine notifications). <br><br> Standard and Strict preset security policies use the default quarantine policy (DefaultFullAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-phishing policies. For more information, see [Quarantine policies](quarantine-policies.md).|

+|**Show first contact safety tip** <br><br> _EnableFirstContactSafetyTips_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).|

+|**Show (?) for unauthenticated senders for spoof** <br><br> _EnableUnauthenticatedSender_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender indicators](set-up-anti-phishing-policies.md#unauthenticated-sender-indicators).|

+|**Show "via" tag** <br><br> _EnableViaTag_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br><br> For more information, see [Unauthenticated sender indicators](set-up-anti-phishing-policies.md#unauthenticated-sender-indicators).|

+|**Phishing email threshold** <br><br> _PhishThresholdLevel_|**1 - Standard** <br><br> `1`|**2 - Aggressive** <br><br> `2`|**3 - More aggressive** <br><br> `3`||

+|**Enable users to protect** (impersonated user protection) <br><br> _EnableTargetedUserProtection_ <br><br> _TargetedUsersToProtect_|Not selected <br><br> `$false` <br><br> none|Selected <br><br> `$true` <br><br> \<list of users\>|Selected <br><br> `$true` <br><br> \<list of users\>|We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|

+|**Include domains I own** <br><br> _EnableOrganizationDomainsProtection_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Include custom domains** <br><br> _EnableTargetedDomainsProtection_ <br><br> _TargetedDomainsToProtect_|Off <br><br> `$false` <br><br> none|Selected <br><br> `$true` <br><br> \<list of domains\>|Selected <br><br> `$true` <br><br> \<list of domains\>|We recommend adding domains (sender domains) that you don't own, but you frequently interact with.|

+|**Add trusted senders and domains** <br><br> _ExcludedSenders_ <br><br> _ExcludedDomains_|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|

+|**Enable mailbox intelligence** <br><br> _EnableMailboxIntelligence_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Enable intelligence for impersonation protection** <br><br> _EnableMailboxIntelligenceProtection_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|This setting allows the specified action for impersonation detections by mailbox intelligence.|

+|**Actions**||||Wherever you select **Quarantine the message**, a **Select quarantine policy** box is available. Quarantine policies define what users are allowed to do to quarantined messages. <br><br> Standard and Strict preset security policies use the default quarantine policy (DefaultFullAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that verdict (DefaultFullAccessPolicy for all impersonation detection types). <br><br> Admins can create and select custom quarantine policies that define less restrictive or more restrictive capabilities for users in the default or custom anti-phishing policies. For more information, see [Quarantine policies](quarantine-policies.md).|

+|**If message is detected as an impersonated user** <br><br> _TargetedUserProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Quarantine the message** <br><br> `Quarantine`|**Quarantine the message** <br><br> `Quarantine`||

+|**If message is detected as an impersonated domain** <br><br> _TargetedDomainProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Quarantine the message** <br><br> `Quarantine`|**Quarantine the message** <br><br> `Quarantine`||

+|**If mailbox intelligence detects and impersonated user** <br><br> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Quarantine the message** <br><br> `Quarantine`||

+|**Show user impersonation safety tip** <br><br> _EnableSimilarUsersSafetyTips_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Show domain impersonation safety tip** <br><br> _EnableSimilarDomainsSafetyTips_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Show user impersonation unusual characters safety tip** <br><br> _EnableUnusualCharactersSafetyTips_|Off <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** <br><br> _EnableATPForSPOTeamsODB_|Off <br><br> `$false`|On <br><br> `$true`|To prevent users from downloading malicious files, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).|

+|**Turn on Safe Documents for Office clients** <br><br> _EnableSafeDocs_|Off <br><br> `$false`|On <br><br> `$true`|This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 E5 or Microsoft 365 E5 Security). For more information, see [Safe Documents in Microsoft 365 E5](safe-docs.md).|

+|**Allow people to click through Protected View even if Safe Documents identified the file as malicious** <br><br> _AllowSafeDocsOpen_|Off <br><br> `$false`|Off <br><br> `$false`|This setting is related to Safe Documents.|

+|**Safe Attachments unknown malware response** <br><br> _Enable_ and _Action_|**Off** <br><br> `-Enable $false` and `-Action Block`|**Block** <br><br> `-Enable $true` and `-Action Block`|**Block** <br><br> `-Enable $true` and `-Action Block`|**Block** <br><br> `-Enable $true` and `-Action Block`|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|

+|**Quarantine policy** (_QuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy| <br><br> Standard and Strict preset security policies use the default quarantine policy (AdminOnlyAccessPolicy with no quarantine notifications) as described in the table [here](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features). <br><br> When you create a new Safe Attachments policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by Safe Attachments (AdminOnlyAccessPolicy with no quarantine notifications). <br><br> Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see [Quarantine policies](quarantine-policies.md).|

+|**Redirect attachment with detected attachments** : **Enable redirect** <br><br> _Redirect_ <br><br> _RedirectAddress_|Not selected and no email address specified. <br><br> `-Redirect $false` <br><br> _RedirectAddress_ is blank (`$null`)|Not selected and no email address specified. <br><br> `-Redirect $false` <br><br> _RedirectAddress_ is blank (`$null`)|Selected and specify an email address. <br><br> `$true` <br><br> an email address|Selected and specify an email address. <br><br> `$true` <br><br> an email address|Redirect messages to a security admin for review. <br><br> **Note**: This setting is not configured in the **Standard**, **Strict**, or **Built-in protection** preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in new Safe Attachments policies that you create.|

+|**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** <br><br> _ActionOnError_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+Although there's no default Safe Links policy, the **Built-in protection** preset security policy provides Safe Links protection to all recipients (users who aren't defined in custom Safe Links policies or Standard or Strict preset security policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).

+|**Block the following URLs** <br><br> _ExcludedUrls_|Blank <br><br> `$null`|Blank <br><br> `$null`|We have no specific recommendation for this setting. <br><br> For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links). <br><br> **Note**: You can now manage block URL entries in the [Tenant Allow/Block List](allow-block-urls.md#create-block-url-entries-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.|

+|**On: Safe Links checks a list of known, malicious links when users click links in email** <br><br> _EnableSafeLinksForEmail_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Apply Safe Links to email messages sent within the organization** <br><br> _EnableForInternalSenders_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Apply real-time URL scanning for suspicious links and links that point to files** <br><br> _ScanUrls_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Wait for URL scanning to complete before delivering the message** <br><br> _DeliverMessageAfterScan_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Do not rewrite URLs, do checks via Safe Links API only** <br><br> _DisableURLRewrite_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Not selected <br><br> `$false`|Not selected <br><br> `$false`||

+|**Do not rewrite the following URLs in email** <br><br> _DoNotRewriteUrls_|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|Blank <br><br> `$null`|We have no specific recommendation for this setting. <br><br> **Note**: The purpose of the "Do not rewrite the following URLs" list is to skip the Safe Links wrapping of the specified URLs. Instead of using this list, you can now [create allow URL entries in the Tenant Allow/Block List](allow-block-urls.md#create-allow-url-entries).|

+|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams** <br><br> _EnableSafeLinksForTeams_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Action for potentially malicious URLs in Microsoft Office apps**||||||

+|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps** <br><br> _EnableSafeLinksForO365Clients_|Not selected <br><br> `$false`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office apps](safe-links.md#safe-links-settings-for-office-apps).|

+|**Track user clicks** <br><br> _TrackUserClicks_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`||

+|**Let users click through to the original URL** <br><br> _AllowClickThrough_|Selected <br><br> `$true`|Selected <br><br> `$true`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Turning off this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL.|

+|**Display the organization branding on notification and warning pages** <br><br> _EnableOrganizationBranding_|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|Not selected <br><br> `$false`|We have no specific recommendation for this setting. <br><br> Before you turn on this setting, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.|

+|**How would you like to notify your users?** <br><br> _CustomNotificationText_ <br><br> _UseTranslatedNotificationText_|**Use the default notification text** <br><br> Blank (`$null`) <br><br> `$false`|**Use the default notification text** <br><br> Blank (`$null`) <br><br> `$false`|**Use the default notification text** <br><br> Blank (`$null`) <br><br> `$false`|**Use the default notification text** <br><br> Blank (`$null`) <br><br> `$false`|We have no specific recommendation for this setting. <br><br> You can select **Use custom notification text** (`-CustomNotificationText "<Custom text>"`) to enter and use customized notification text. If you specify custom text, you can also select **Use Microsoft Translator for automatic localization** (`-UseTranslatedNotificationText $true`) to automatically translate the text into the user's language.|

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+- You configured the Dynamic Delivery action in a Safe Attachments policy, but the recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox in an on-premises Exchange organization). However, [Safe Links in Microsoft Defender for Office 365](set-up-safe-links-policies.md) is able to scan Office file attachments that contain URLs (if Safe Links scanning of support Office apps is turned on in the applicable Safe Links policy).

+f1.keywords:

+f1_keywords:

+search.appverid:

+Watch this short video on how to protect against malicious links with Safe Links in Microsoft Defender for Office 365.

+> [!NOTE]

+> Although there's no default Safe Links policy, the **Built-in protection** preset security policy provides Safe Links protection in e-mail messages, Microsoft Teams, and files in supported Office apps to all recipients (users who aren't defined in custom Safe Links policies or Standard or Strict preset security policies) who are licensed for Defender for Office 365. For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md). You can also create Safe Links policies that apply to specific users, group, or domains. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md).

+- **Email messages**: Safe Links protections for links in email messages is controlled by Safe Links policies.

+- **Microsoft Teams**: Safe Links protection for links in Teams conversations, group chats, or from channels is controlled by Safe Links policies.

+- **Office apps**: Safe Links protection for supported Office desktop, mobile, and web apps is controlled by Safe Links policies.

+ For more information about Safe Links protection in Office apps, see the [Safe Links settings for Office apps](#safe-links-settings-for-office-apps) section later in this article.

+ - [Safe Links settings for Office apps](#safe-links-settings-for-office-apps)

+|Jean is a member of the marketing department. Safe Links protection for Office apps is turned on in a Safe Links policy that applies to members of the marketing department. Jean opens a PowerPoint presentation in an email message, and then clicks a URL in the presentation.|Jean is protected by Safe Links. <p> Jean is included in a Safe Links policy where Safe Links protection for Office apps is turned on. <p> For more information about the requirements for Safe Links protection in Office apps, see the [Safe Links settings for Office apps](#safe-links-settings-for-office-apps) section later in this article.|

+|Chris's Microsoft 365 E5 organization has no Safe Links policies configured. Chris receives an email from an external sender that contains a URL to a malicious website that he ultimately clicks.|Chris is protected by Safe Links. <p> The **Built-in protection** preset security policy provides Safe Links protection to all recipients (users who aren't defined in custom Safe Links policies or Standard or Strict preset security policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).|

+|In Pat's organization, admins have created a Safe Links policy that applies Pat, but Safe Links protection for Office apps is turned off. Pat opens a Word document and clicks a URL in the file.|Pat is not protected by Safe Links. <p> Although Pat is included in an active Safe Links policy, Safe Links protection for Office apps is turned off in that policy, so the protection can't be applied.|

+## Recipient filters in Safe Links policies

+You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

+- **The recipient is**

+- **The recipient domain is**

+- **The recipient is a member of**

+You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).

+> [!IMPORTANT]

+> Multiple different conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:

+>

+> - The recipient is: romain@contoso.com

+> - The recipient is a member of: Executives

+>

+> The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+>

+> Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+After Safe Links rewrites a URL, the URL remains rewritten even if the message is _manually_ forwarded or replied to (both to internal and external recipients). Additional links that are added to the forwarded or replied-to message are not rewritten. However, in the case of _automatic_ forwarding by Inbox rules or SMTP forwarding, the URL will not be rewritten in the message that's intended for the final recipient _unless_ that recipient is also protected by Safe Links, or the URL had already been rewritten in a previous communication. As long as Safe Links is turned on, URLs are still scanned prior to delivery, regardless of whether they were rewritten or not. Unwrapped URLs will also still be checked by a client-side API call to Safe Links at the time of click in Outlook for Desktop version 16.0.12513 or later.

+- **On: Safe Links checks a list of known, malicious links when users click links in email**: Turn on or turn off Safe Links scanning in email messages. The recommended value is selected (on), and results in the following actions:

+ - Safe Links scanning is turned on in Outlook (C2R) on Windows.

+ The following settings are available only if Safe Links scanning in email messages is turned on:

+ - **Apply Safe Links to email messages sent within the organization**: Turn on or turn off Safe Links scanning on messages sent between internal senders and internal recipients within the same Exchange Online organization. The recommended value is selected (on).

+ - **Apply real-time URL scanning for suspicious links and links that point to files**: Turns on real-time scanning of links, including links in email messages that point to downloadable content. The recommended value is selected (on).

+ - **Wait for URL scanning to complete before delivering the message**:

+ - Selected (on): Messages that contain URLs are held until scanning is finished. Messages are delivered only after the URLs are confirmed to be safe. This is the recommended value.

+ - Not selected (off): If URL scanning can't complete, deliver the message anyway.

+ - **Do not rewrite URLs, do checks via SafeLinks API only**: If this setting is selected (on), no URL wrapping takes place. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it. The recommend value is selected (on).

+ - If the URL points to a downloadable file, and the **Apply real-time URL scanning for suspicious links and links that point to files** setting is turned on in the policy that applies to the user, the downloadable file is checked.

+You turn on or turn off Safe Links protection for Microsoft Teams in Safe Links policies. Specifically, you use the **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams** setting. The recommended value is on (selected).

+- Depending on how the **Let users click through to the original URL** setting in the policy is configured, the user will or will not be allowed to click through to the original URL (**Continue anyway (not recommended)** in the screenshot). We recommend that you don't select the **Let users click through to the original URL** setting so users can't click through to the original URL.

+If the user who sent the link isn't protected by a Safe Links policy where Teams protection is turned on, the user is free to click through to the original URL on their computer or device.

+2. Microsoft 365 verifies that the user's organization includes Microsoft Defender for Office 365, and that the user is included in an active Safe Links policy where protection for Microsoft Teams is turned on.

+## Safe Links settings for Office apps

+Safe Links protection for Office apps checks links in Office documents, not links in email messages. But, it can check links in attached Office documents in email messages after the document is opened.

+You turn on or turn off Safe Links protection for Office apps in Safe Links policies. Specifically, you use the **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps** setting. The recommended value is on (selected).

+Safe Links protection for Office apps has the following client requirements:

+- Office apps are configured to use modern authentication. For more information, see [How modern authentication works for Office 2013, Office 2016, and Office 2019 client apps](../../enterprise/modern-auth-for-office-2013-and-2016.md).

+### How Safe Links works in Office apps

+At a high level, here's how Safe Links protection works for URLs in Office apps. The supported Office apps are described in the previous section.

+> It may take several seconds at the beginning of each session to verify that Safe Links for Office apps is available to the user.

+## Click protection settings in Safe Links policies

+These settings apply to Safe Links in email, Teams, and Office apps:

+- **Track user clicks**: Turn on or turn off storing Safe Links click data for URLs clicked. We recommend that you leave this setting selected (on).

+ In Safe Links for Office apps, this setting applies to the desktop versions Word, Excel, PowerPoint, and Visio.

+ URL click tracking for links in email messages sent between internal senders and internal recipients is currently not supported.

+ If you select this setting, the following settings are available:

+ - **Let users click through to the original URL**: Controls whether users can clicking through the [warning page](#warning-pages-from-safe-links) to the original URL. The recommend value is not selected (off).

+ In Safe Links for Office apps, this setting applies to the original URL in the desktop versions Word, Excel, PowerPoint, and Visio.

+ - **Display the organization branding on notification and warning pages**: This option shows your organization's branding on warning pages. Branding helps users identify legitimate warnings, because default Microsoft warning pages are often used by attackers. For more information about customized branding, see [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md).

+## Priority of Safe Links policies

+After you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied. The **Built-in protection** policy is always applied last. The Safe Links policies associated **Standard** and **Strict** preset security policies are always applied before custom Safe Links policies.

+For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order of precedence for preset security policies and other policies](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies) and [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

+- Documents in Office apps in Windows and Mac.

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+Although there's no default Safe Links policy, the **Built-in protection** preset security policy provides Safe Links protection to all recipients (users who aren't defined in custom Safe Links or Standard or Strict preset security policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).

+> You configure the "Block the following URLs" list in the global settings for Safe Links protection **outside** of Safe Links policies. For instructions, see [Configure global settings for Safe Links in Microsoft Defender for Office 365](configure-global-settings-for-safe-links.md).

+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+5. On the **URL & click protection settings** page that appears, configure the following settings:

+ - **Action on potentially malicious URLs within Emails** section:

+ - **On: Safe Links checks a list of known, malicious links when users click links in email**: Select this option to turn on Safe Links protection for links in email messages. If you select this option, the following settings are available:

+ - **Apply Safe Links to email messages sent within the organization**: Select this option to apply the Safe Links policy to messages between internal senders and internal recipients.

+ - **Apply real-time URL scanning for suspicious links and links that point to files**: Select this option to turn on real-time scanning of links in email messages. If you select this option, the following setting is available:

+ - **Wait for URL scanning to complete before delivering the message**: Select this option to wait for real-time URL scanning to complete before delivering the message.

+ - **Do not rewrite URLs, do checks via SafeLinks API only**: Select this option to prevent URL wrapping. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it.

+ - **Do not rewrite the following URLs in email** section: Click **Manage (nn) URLs** to allow access to specific URLs that would otherwise be blocked by Safe Links.

+ > The purpose of the "Do not rewrite the following URLs" list is to skip Safe Links wrapping of those URLs. Instead of using this list, you can now [create allow URL entries in the Tenant Allow/Block List](allow-block-urls.md#create-allow-url-entries).

+ 1. In the **Manage URLs to not rewrite** flyout that appears, click  **Add URLs**.

+ 2. In the **Add URLs** flyout that appears, type the URL or value that you want, select the entry that appears below the box, and then click **Save**. Repeat this step as many times as necessary.

+ For entry syntax, see [Entry syntax for the "Do not rewrite the following URLs" list](safe-links.md#entry-syntax-for-the-do-not-rewrite-the-following-urls-list).

+ To remove an entry, click  next to the entry.

+ When you're finished, click **Save**.

+ 3. Back on the **Manage URLs to not rewrite** flyout, click **Done** or do maintenance on the list of entries:

+ To remove entries from the list, can use the  **Search** box to find the entry.

+ To select a single entry, click on the value in the **URLs** column.

+ To select multiple entries one at a time, click the blank area to the left of the value.

+ To select all entries at one, click the blank area to the left of the **URLs** column header.

+ With one or more entries selected, click the  or  icons that appear.

+ When you're finished, click **Done**.

+ - **Actions for potentially malicious URLs in Microsoft Teams** section:

+ - **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams**: Select this option to enable Safe Links protection for links in Teams. Note that this setting might take up to 24 hours to take effect.

+ > Currently, Safe Links protection for Microsoft Teams is not available in Microsoft 365 GCC High or Microsoft 365 DoD.

+ - **Actions for potentially malicious URLs in Microsoft Office apps** section:

+ - **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps**: Select this option to enable Safe Links protection for links in files in supported Office desktop, mobile, and web apps.

+ - **Click protection settings** section:

+ - **Track user clicks**: Leave this option selected to enable the tracking user clicks on URLs. If you select this option, the following options are available:

+ - **Let users click through to the original URL**: Clear this option to block users from clicking through to the original URL in [warning pages](safe-links.md#warning-pages-from-safe-links).

+ - **Display the organization branding on notification and warning pages**: For more information about customized branding, see [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md).

+ For detailed information about these settings, see:

+ - [Safe Links settings for email messages](safe-links.md#safe-links-settings-for-email-messages).

+ - [Safe Links settings for Microsoft Teams](safe-links.md#safe-links-settings-for-microsoft-teams).

+ - [Safe Links settings for Office apps](safe-links.md#safe-links-settings-for-office-apps).

+ - [Click protection settings in Safe Links policies](safe-links.md#click-protection-settings-in-safe-links-policies)

+ - **Use custom notification text**: If you select this value, the following settings appear:

+ - **Custom notification text**: Enter the custom notification text in this box (the length can't exceed 200 characters).

+New-SafeLinksPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-EnableSafeLinksForEmail <$true | $false>] [-EnableSafeLinksForOffice <$true | $false>] [-EnableSafeLinksForTeams <$true | $false>] [-ScanUrls <$true | $false>] [-DeliverMessageAfterScan <$true | $false>] [-EnableForInternalSenders <$true | $false>] [-AllowClickThrough <$true | $false>] [-TrackUserClicks <$true | $false>] [-DoNotRewriteUrls "Entry1","Entry2",..."EntryN"]

+- Turn on URL scanning and URL rewriting in email messages.

+ - Turn on URL scanning and rewriting for internal messages.

+ - Turn on real-time scanning of clicked URLs, including clicked links that point to files.

+ - Wait for URL scanning to complete before delivering the message.

+- Turn on URL scanning in supported Office apps.

+New-SafeLinksPolicy -Name "Contoso All" -EnableSafeLinksForEmail $true -EnableSafeLinksForOffice $true -EnableSafeLinksForTeams $true -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true -AllowClickThrough $false

+ Title: Assess the impact of security configuration changes with Explorer

+description: Examples and walkthrough of using Explorer to determine the impact of a security control (configuration) change in Microsoft Defender for Office 365

+search.product:

+search.appverid:

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mdo

+# Assess the impact of security configuration changes with Explorer

+Before you make change(s) to your security configuration, such as policies or transport rules, itΓÇÖs important to understand the impact of the change(s) so that you can plan and ensure *minimal* disruption to your organization.

+This step-by-step guide will take you through assessing a change, and exporting the impacted emails for assessment. The procedure can be applied to many different changes, by altering the criteria (filters) you use in explorer.

+## What you'll need

+- Microsoft Defender for Office 365 Plan 2 (included as part of E5).

+- Sufficient permissions (Security reader minimum required to assess via Threat Explorer).

+- 5-10 minutes to perform the steps below.

+## Assess changing normal confidence phish delivery location to quarantine (from the Junk email folder)

+1. **Login** to the security portal and navigate to Explorer (underneath *Email & Collaboration* on the left nav) https://security.microsoft.com/threatexplorer.

+1. Select **Phish** from the top tab selection (*All email* is the default view).

+1. Press the **filter** button (defaulted to *Sender*) and select **Phish confidence level**.

+1. Select the **Phish confidence level** of **Normal**.

+1. Add an additional **filter** of **Original delivery location** set as **Junk folder**.

+1. Press **Refresh**. Explorer is now filtered to show all the mail that is detected as *high confidence phish* and gets delivered to the Junk folder due to the settings in the anti-spam policy.

+1. If you wish to pivot the data displayed in the chart, you can do by using the **data slicer top left of the chart (defaulted to *Delivery action*)**, selecting useful data such as **Sender IP**, or **Sender domain** to spot trends and top affected senders.

+1. Below the chart section, where the affected emails are displayed, select **Export email list**, which will generate a CSV for offline analysis. **This is a list of the emails which would be quarantined if the phish action was changed to Quarantine (recommended change for both standard and strict presets)**.

+## Assess removing a sender / domain override removal

+1. **Login** to the security portal and navigate to **Explorer** (underneath Email & Collaboration on the left nav) https://security.microsoft.com/threatexplorer.

+1. Select **All email** if not already selected.

+1. Press the **filter** button (defaulted to *Sender*) and add either a sender or sender domain filter, then add the entry where you wish to assess the impact of removal.

+1. Expand the date range to the maximum & press **Refresh** You should now see mail listed if the sender / sending domain is still active in messaging your organization. If *not* you may need to tweak the filter, or alternatively you no longer receive mail from that domain / sender and can remove the entry safely.

+1. If mail is listed, this means the entry is still an active sender. Pivot the data in the chart using the data slicer (defaulted to *Delivery action*) to **Detection technology**.

+1. The chart should refresh, and if it now displays no data, this means we have not detected any threats on any of the mail previously shown, which indicates an override is not needed, as there is no detection to override.

+1. If there is data displayed when the data is sliced by **Detection technology**, this means removing the override *would* have impact on this sender / domain due to the protection stack taking action.

+1. You should investigate the mail further to assess if it is truly malicious and the entry can be removed, or if it is a *false positive* and should be remediated so it is no longer incorrectly detected as a threat (authentication is the biggest cause of false positives).

+### Further reading

+Consider using secure presets [Ensuring you always have the optimal security controls with preset security policies](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies)

+You can also manage email authentication issues with spoof intelligence [Spoof intelligence insight](https://docs.microsoft.com/microsoft-365/security/office-365-security/learn-about-spoof-intelligence)

+Learn more about email authentication [Email Authentication in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/email-validation-and-authentication)

+ Title: Deploy & configure the report message add-in

+description: The steps to deploy and configure Microsoft's phish reporting add-in(s) aimed at security administrators

+search.product:

+search.appverid:

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mdo

+# Deploy & configure the report message add-in to users.

+The Report message & report phishing add-in for Outlook makes it easy to report phishing to Microsoft and its affiliates for analysis, along with easy triage for admins in the [submissions portal](https://security.microsoft.com/reportsubmission?viewid=user).

+Depending on whether you are licensed for Defender for Office 365, you'll also get added functionality such as alerting & automated investigation and response (AIR), which will remove the burden from your security operations staff. This guide will walk you through configuring the add-in deployment as recommended by the Microsoft Defender for Office 365 team.

+## Choose between which add-in to deploy

+- The Report Phishing add-in provides the option to report only phishing messages

+- The Report Message add-in provides the option to report junk, not junk (false positive), and phishing messages

+## What you'll need

+- Exchange Online Protection (some features require Defender for Office 365 Plan 2)

+- Sufficient permissions (Global admin for add-in deployment, security admin for customisation)

+- 5-10 minutes to perform the steps below

+## Deploy the add-in for users

+1. **Login** to the Microsoft 365 admin center. https://admin.microsoft.com.

+1. On the left nav, press **Show All** then expand **Settings** and select **Integrated Apps**.

+1. On the page that loads, press **Get Apps**.

+1. In the page that appears, in the top right Search box, enter **Report Message** or **Report Phishing**, and then select **Search**.

+1. Press **Get it now** on your chosen app within the search results (publisher is **Microsoft Corporation**).

+1. On the flyout that appears, select who to deploy the add-in to. If testing you may wish to use a specific group, otherwise configure it for the **entire organisation** ΓÇô when youΓÇÖve made a selection press **Next**.

+1. Review the permissions, information and capabilities then press **Next**.

+1. Press **Finish deployment** (it can take 12-24 hours for the add-in to appear automatically in Outlook clients).

+## Configure the add-in for users

+1. **Login** to the Microsoft Security portal at https://security.microsoft.com.

+2. On the left nav, under **Email & collaboration**, select **Policies & rules**.

+3. Select **Threat policies**.

+4. Select **User reported message settings** underneath the **Others** heading.

+5. Ensure **Microsoft Outlook Report Message button** is toggled to **On**.

+6. Under **Send the reported messages to** choose **Microsoft** (Recommended).

+7. Ensure **Let users choose if they want to report** is unchecked and **Always report the message** is selected.

+8. Press **Save**.

+## Optional steps ΓÇô configure notifications

+1. On the configuration page from the earlier steps, underneath the **User reporting experience**, configure the before and after reporting pop-ups title and body if desired. The end users will see the before reporting pop up if **Ask me before reporting** is also enabled.

+2. If you wish for notifications to come from an internal organisational mailbox, select **Specify Office 365 email address to use as sender** and search for a valid mailbox in your organisation to send the notifications from.

+3. Press **Customize notifications** to set up the text sent to reporting users after admin reviews a reported message using Mark & Notify, configure the **Phishing**, **Junk** & **No threats** found options.

+4. On the **Footer** tab, select the global footer to be sent for notifications, along with your organisationΓÇÖs logo if appropriate.

+### Further reading

+Learn more about user reported message settings [User reported message settings - Office 365 | Microsoft Docs](../user-submission.md)

+Enable the report message or report phishing add-in [Enable the Report Message or the Report Phishing add-ins - Office 365 | Microsoft Docs](../enable-the-report-message-add-in.md)

+|**Safe Links in Microsoft Defender for Office 365**|No|Create a Safe Links policy as described here: [Configure Safe Links settings in Microsoft Defender for Office 365](protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365). <p> More information: <ul><li>[Recommended Safe Links settings](recommended-settings-for-eop-and-office365.md#safe-links-settings)</li><li>[Set up Safe Links policies](set-up-safe-links-policies.md)</li><li>[Safe Links in Microsoft Defender for Office 365](safe-links.md)</li></ul>|