+|**A user clicked through to a potentially malicious URL**|Generates an alert when a user protected by [Safe Links](/microsoft-365/security/office-365-security/safe-links) in your organization clicks a malicious link. This event is triggered when user clicks on a URL (which is identified as malicious or pending validation) and overrides the Safe Links warning page (based on your organization's Microsoft 365 for business Safe Links policy) to continue to the URL hosted page / content. This alert policy has a **High** severity setting. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/office-365-air). For more information on events that trigger this alert, see [Set up Safe Links policies](/microsoft-365/security/office-365-security/set-up-safe-links-policies).|Threat management|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|

+For Exchange, Microsoft eDiscovery tools support items encrypted with Microsoft encryption technologies. These technologies are Azure Rights Management (Azure RMS)³ and Microsoft Purview Information Protection (specifically sensitivity labels). For more information about Microsoft encryption technologies, see [Encryption](encryption.md) and the various [email encryption](email-encryption.md#comparing-email-encryption-options-available-in-office-365) options available. Content encrypted by S/MIME or third-party encryption technologies isn't supported. For example, previewing or exporting content encrypted with non-Microsoft technologies isn't supported.

+¹ Encrypted files located on a local computer and copied to an email message arenΓÇÖt decrypted and indexed for eDiscovery. For eDiscovery (Premium), encrypted email and attachments in recipient mailbox needs to be advanced indexed to be decrypted. For more information about advanced indexing, see [Advanced indexing of custodian data](indexing-custodian-data.md).

+|[Apply S/MIME protection](#configure-a-label-to-apply-smime-protection-in-outlook) | Under review | Rolling out: 16.61+ ^\* | Rolling out: 4.2226+ | Rolling out: 4.2203+ | Under review |

+If you disabled Azure RMS, or if it was not automatically activated for any reason, you can activate it manually.

+For instructions, see [How to activate or confirm the status of the protection service](/azure/information-protection/activate-service#how-to-activate-or-confirm-the-status-of-the-protection-service).

+|[Next-generation protection](../defender-endpoint/microsoft-defender-antivirus-in-windows-10.md) <br/> (antivirus and antimalware protection for onboarded devices)|Yes |Yes |

+ Replace \\servername-or-dfs-space\share-name with the UNC path, using the file server's fully qualified domain name (FQDN), of the shared *install.ps1* file. The installer package md4ws.msi must be placed in the same directory. Ensure that the permissions of the UNC path allow write access to the computer account that is installing the package, to support creation of log files. If you wish to disable the creation of log files (not recommended), you can use the -noETL -noETW parameters.

+# Compare Microsoft endpoint security plans

+Microsoft endpoint security plans, such as Microsoft Defender for Endpoint and Microsoft 365 Defender, were designed to help enterprise organizations prevent, detect, investigate, and respond to advanced threats. Microsoft Defender for Business and Microsoft 365 Business Premium provide similar capabilities, optimized for small and medium-sized businesses. These plans provide advanced threat protection with antivirus and antimalware protection, ransomware mitigation, and more, together with centralized management and reporting.

+This article helps clarify what's included in the following plans:

+- [Microsoft Defender for Business](../defender-business/mdb-overview.md)

+- [Microsoft 365 Business Premium](../../business-premium/index.md)

+> [!IMPORTANT]

+> This article provides a summary of threat protection capabilities in Microsoft endpoint security plans; however, it's not intended to be a service description or licensing contract document. For more detailed information, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).

+## Compare Microsoft endpoint security plans

+The following table summarizes what's included in Microsoft endpoint security plans.

+| [Defender for Endpoint Plan 1](defender-endpoint-plan-1.md) ^[[1](#fn1)] | <ul><li>[Next-generation protection](defender-endpoint-plan-1.md#next-generation-protection) (includes antimalware and antivirus)</li><li>[Attack surface reduction](defender-endpoint-plan-1.md#attack-surface-reduction)</li><li> [Manual response actions](defender-endpoint-plan-1.md#manual-response-actions)</li><li>[Centralized management](defender-endpoint-plan-1.md#centralized-management)</li><li>[Security reports](defender-endpoint-plan-1.md#reporting)</li><li>[APIs](defender-endpoint-plan-1.md#apis)</li><li>[Support for Windows 10, iOS, Android OS, and macOS devices](defender-endpoint-plan-1.md#cross-platform-support)</li></ul>|

+| [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) ^[[2](#fn2)] | All of the Defender for Endpoint Plan 1 capabilities, plus:<ul><li>[Device discovery](device-discovery.md)</li><li>[Device inventory](machines-view-overview.md)</li><li>[Core Defender Vulnerability Management capabilities](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md)</li><li>[Threat Analytics](threat-analytics.md)</li><li>[Automated investigation and response](automated-investigations.md)</li><li>[Advanced hunting](advanced-hunting-overview.md)</li><li>[Endpoint detection and response](overview-endpoint-detection-response.md)</li><li>[Microsoft Threat Experts](microsoft-threat-experts.md)</li><li>Support for [Windows](configure-endpoints.md) (client and server) and [non-Windows platforms](configure-endpoints-non-windows.md) (macOS, iOS, Android, and Linux)</li></ul> |

+| [Defender Vulnerability Management add-on](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md) | Additional Defender Vulnerability Management capabilities for Defender for Endpoint Plan 2:<ul><li>[Security baselines assessment](../defender-vulnerability-management/tvm-security-baselines.md)</li><li>[Block vulnerable applications](../defender-vulnerability-management/tvm-block-vuln-apps.md)</li><li>[Browser extensions](../defender-vulnerability-management/tvm-browser-extensions.md)</li><li>[Digital certificate assessment](../defender-vulnerability-management/tvm-certificate-inventory.md)</li><li>[Network share analysis](../defender-vulnerability-management/tvm-network-share-assessment.md)</li><li>Support for [Windows](configure-endpoints.md) (client and server) and [non-Windows platforms](configure-endpoints-non-windows.md) (macOS, iOS, Android, and Linux)</li></ul> |

+| [Defender for Business](../defender-business/mdb-overview.md) ^[[3](#fn3)] <br/>and<br/>[Microsoft 365 Business Premium](../../business-premium/index.md) | [Services optimized for small and medium-sized businesses](../defender-business/compare-mdb-m365-plans.md) include: <ul><li>Email protection</li><li>Antispam protection</li><li>Antimalware protection</li><li>Next-generation protection</li><li>Attack surface reduction</li><li>Endpoint detection and response</li><li>Automated investigation and response </li><li>Threat & vulnerability management</li><li>Centralized reporting</li><li>APIs (for integration with custom apps or reporting solutions)</li><li>[Integration with Microsoft 365 Lighthouse](../defender-business/mdb-lighthouse-integration.md)</li></ul> |

+(<a id="fn1">1</a>) Microsoft Defender for Endpoint Plan 1 is available as a standalone subscription for commercial and education customers. It's also included as part of Microsoft 365 E3/A3.

+(<a id="fn2">2</a>) Microsoft Defender for Endpoint Plan 2, which was previously called Microsoft Defender for Endpoint, is available as a standalone subscription. It's also included as part of the following plans:

+(<a id="fn3">3</a>) Microsoft Defender for Business is available as a standalone subscription for small and medium-sized businesses. It's also included as part of Microsoft 365 Business Premium. These plans feature advanced security capabilities with a simplified setup and configuration experience.

+## Options for onboarding servers

+The standalone versions of Defender for Business, Defender for Endpoint Plan 1 and 2, and Microsoft 365 Business Premium do not include server licenses. To onboard servers, choose from the following options:

+- **Defender for Servers Plan 1 or Plan 2** as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more. see [Overview of Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction).

+- **Microsoft Defender for Business servers (preview)** for small and medium-sized businesses. See [How to get Microsoft Defender for Business servers (preview)](../defender-business/get-defender-business-servers.md).

+For more information on Microsoft Defender for Endpoint on other operating systems:

+- [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md)

+- [What's new in Microsoft Defender for Endpoint on iOS](ios-whatsnew.md)</br>

+<details>

+ <summary>Jun-2022 (Build: 101.71.18 | Release version: 20.122052.17118.0)</summary>

+&ensp;Released: **Jul 7, 2022**<br/>

+&ensp;Published: **Jul 7, 2022**<br/>

+&ensp;Build: **101.71.18**<br/>

+&ensp;Release version: **20.122052.17118.0**<br/>

+**What's new**

+<br/>

+</details>

+<details>

+ <summary>Jun-2022 (Build: 101.70.19 | Release version: 20.122051.17019.0)</summary>

+&ensp;Released: **Jun 14, 2022**<br/>

+&ensp;Published: **Jun 14, 2022**<br/>

+&ensp;Build: **101.70.19**<br/>

+&ensp;Release version: **20.122051.17019.0**<br/>

+**What's new**

+<br/>

+</details>

+<details>

+ <summary>Jun-2022 (Build: 101.70.18 | Release version: 20.122042.17018.0)</summary>

+&ensp;Released: **Jun 2, 2022**<br/>

+&ensp;Published: **Jun 2, 2022**<br/>

+&ensp;Build: **101.70.18**<br/>

+&ensp;Release version: **20.122042.17018.0**<br/>

+**What's new**

+<br/>

+</details>

+<details>

+ <summary>May-2022 (Build: 101.66.54 | Release version: 20.122041.16654.0) </summary>

+&ensp;Released: **May 11, 2022**<br/>

+&ensp;Published: **May 11, 2022**<br/>

+&ensp;Build: **101.66.54**<br/>

+&ensp;Release version: **20.122041.16654.0**<br/>

+**What's new**

+<br/>

+</details>

+<details>

+ <summary>Apr-2022 (Build: 101.64.15 | Release version: 20.122032.16415.0)</summary>

+&ensp;Released: **Apr 26, 2022**<br/>

+&ensp;Published: **Apr 26, 2022**<br/>

+&ensp;Build: **101.64.15**<br/>

+&ensp;Release version: **20.122032.16415.0**<br/>

+**What's new**

+<br/>

+</details>

+<details>

+ <summary>Mar-2022 (Build: 101.61.69 | Release version: 20.122022.16169.0) </summary>

+&ensp;Released: **Mar 25, 2022**<br/>

+&ensp;Published: **Mar 25, 2022**<br/>

+&ensp;Build: **101.61.69**<br/>

+&ensp;Release version: **20.122022.16169.0**<br/>

+**What's new**

+<br/>

+</details>

+<details>

+ <summary>Mar-2022 (Build: 101.60.91 | Release version: 20.122021.16091.0)</summary>

+&ensp;Released: **Mar 8, 2022**<br/>

+&ensp;Published: **Mar 8, 2022**<br/>

+&ensp;Build: **101.60.91**<br/>

+&ensp;Release version: **20.122021.16091.0**<br/>

+**What's new**

+<br/>

+</details>

+<details>

+ <summary>Feb-2022 (Build: 101.59.50 | Release version: 20.122021.15950.0) </summary>

+&ensp;Released: **Feb 28, 2022**<br/>

+&ensp;Published: **Feb 28, 2022**<br/>

+&ensp;Build: **101.59.50**<br/>

+&ensp;Release version: **20.122021.15950.0**<br/>

+**What's new**

+<br/>

+</details>

+<details>

+ <summary>Feb-2022 (Build: 101.59.10 | Release version: 20.122012.15910.0)</summary>

+&ensp;Released: **Feb 22, 2022**<br/>

+&ensp;Published: **Feb 22, 2022**<br/>

+&ensp;Build: **101.59.10**<br/>

+&ensp;Release version: **20.122012.15910.0**<br/>

+**What's new**

+<br/>

+</details>

+<details>

+ <summary>Feb-2022 (Build: 101.56.62 | Release version: 20.121122.15662.0)</summary>

+&ensp;Released: **Feb 7, 2022**<br/>

+&ensp;Published: **Feb 7, 2022**<br/>

+&ensp;Build: **101.56.62**<br/>

+&ensp;Release version: **20.121122.15662.0**<br/>

+**What's new**

+- Bug fixes

+<br/>

+</details>

+<details>

+ <summary> Jan-2022 (Build: 101.56.35 | Release version: 20.121121.15635.0)</summary>

+&ensp;Released: **Jan 30, 2022**<br/>

+&ensp;Published: **Jan 30, 2022**<br/>

+&ensp;Build: **101.56.35**<br/>

+&ensp;Release version: **20.121121.15635.0**<br/>

+**What's new**

+- The application installation path has been changed from `/Application/Microsoft Defender ATP.app` to `/Applications/Microsoft Defender.app`.

+- Within the user experience, occurrences of "Microsoft Defender ATP" have been replaced with "Microsoft Defender"

+<br/>

+</details>

+<details>

+ <summary>Jan-2022 (Build: 101.54.16 | Release version: 20.121111.15416.0) </summary>

+&ensp;Released: **Jan 12, 2022**<br/>

+&ensp;Published: **Jan 12, 2022**<br/>

+&ensp;Build: **101.54.16**<br/>

+&ensp;Release version: **20.121111.15416.0**<br/>

+**What's new**

+

+<br/>

+</details>

+<details><summary>2021 releases </summary><blockquote>

+ <details><summary>(Build: 101.49.25 | Release version: 20.121092.14925.0)</summary>

+&ensp;Build:ΓÇ»**101.49.25**<br/>

+&ensp;Release version:ΓÇ»**20.121092.14925.0** <br/>

+**What's new**

+- Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through `mdatp config scan-archives --value [enabled/disabled]`. By default, this is set to enabled.

+- Bug fixes

+<br/>

+</details>

+

+<details><summary>(Build: 101.47.27 | Release version: 20.121082.14727.0)</summary>

+&ensp;Build:ΓÇ»**101.47.27**<br/>

+&ensp;Release version:ΓÇ»**20.121082.14727.0** <br/>

+**What's new**

+- Fix for a system freeze occurring on shutdown on macOS Mojave and macOS Catalina.

+<br/>

+</details>

+<details><summary>(Build: 101.43.84 | Release version: 20.121082.14384.0)</summary>

+&ensp;Build:ΓÇ»**101.43.84**<br/>

+&ensp;Release version:ΓÇ»**20.121082.14384.0** <br/>

+**What's new**

+- Candidate build for macOS 12 (Monterey)

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.41.10 | Release version: 20.121072.14110.0)</summary>

+&ensp;Build:ΓÇ»**101.41.10**<br/>

+&ensp;Release version:ΓÇ»**20.121072.14110.0** <br/>

+**What's new**

+- Added new switches to the command-line tool:

+ - Control degree of parallelism for on-demand scans. This can be configured through `mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]`. By default, a degree of parallelism of 2 is used.

+ - Control whether scans after security intelligence updates are enabled or disabled. This can be configured through `mdatp config scan-after-definition-update --value [enabled/disabled]`. By default, this is set to enabled.

+- Changing the product log level now requires elevation.

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.40.84 | Release version: 20.121071.14084.0)</summary>

+&ensp;Build:ΓÇ»**101.40.84**<br/>

+&ensp;Release version:ΓÇ»**20.121071.14084.0** <br/>

+**What's new**

+- M1 chip native support

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.37.97 | Release version: 20.121062.13797.0)</summary>

+&ensp;Build:ΓÇ»**101.37.97**<br/>

+&ensp;Release version:ΓÇ»**20.121062.13797.0** <br/>

+**What's new**

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.34.28 | Release version: 20.121061.13428.0)</summary>

+&ensp;Build:ΓÇ»**101.34.28**<br/>

+&ensp;Release version:ΓÇ»**20.121061.13428.0** <br/>

+**What's new**

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.34.27 | Release version: 20.121052.13427.0)</summary>

+&ensp;Build:ΓÇ»**101.34.27**<br/>

+&ensp;Release version:ΓÇ»**20.121052.13427.0** <br/>

+**What's new**

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.34.20 | Release version: 20.121051.13420.0)</summary>

+&ensp;Build:ΓÇ»**101.34.20**<br/>

+&ensp;Release version:ΓÇ»**20.121051.13420.0** <br/>

+**What's new**

+- [Device control for macOS](mac-device-control-overview.md) is now in general availability.

+- Addressed an issue where a quick scan could not be started from the status menu on macOS 11 (Big Sur).

+- Other bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.32.69 | Release version: 20.121042.13269.0)</summary>

+&ensp;Build:ΓÇ»**101.32.69**<br/>

+&ensp;Release version:ΓÇ»**20.121042.13269.0** <br/>

+**What's new**

+<br/>

+</details>

+<details><summary>(Build: 101.29.64 | Release version: 20.121042.12964.0)</summary>

+&ensp;Build:ΓÇ»**101.29.64**<br/>

+&ensp;Release version:ΓÇ»**20.121042.12964.0** <br/>

+**What's new**

+- Starting with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.

+- `mdatp diagnostic real-time-protection-statistics` now supports two additional switches:

+ - `--sort`: sorts the output descending by total number of files scanned

+ - `--top N`: displays the top N results (only works if `--sort` is also specified)

+- Performance improvements (specifically for when `YARN` is used) & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.27.50 | Release version: 20.121022.12750.0)</summary>

+&ensp;Build:ΓÇ»**101.27.50**<br/>

+&ensp;Release version:ΓÇ»**20.121022.12750.0** <br/>

+**What's new**

+- Fix to accommodate for Apple certificate expiration for macOS Catalina and earlier. This fix restores Threat & Vulnerability Management (TVM) functionality.

+<br/>

+</details>

+<details><summary>(Build: 101.25.69 | Release version: 20.121022.12569.0)</summary>

+&ensp;Build:ΓÇ»**101.25.69**<br/>

+&ensp;Release version:ΓÇ»**20.121022.12569.0** <br/>

+**What's new**

+- Microsoft Defender for Endpoint on macOS is now available in preview for US Government customers. For more information, seeΓÇ»[Microsoft Defender for Endpoint for US Government customers](gov.md) .

+- Performance improvements (specifically for the situation when the XCode Simulator app is used) & bug fixes.

+<br/>

+</details>

+<details><summary>(Build: 101.23.64 | Release version: 20.121021.12364.0)</summary>

+&ensp;Build:ΓÇ»**101.23.64**<br/>

+&ensp;Release version:ΓÇ»**20.121021.12364.0** <br/>

+**What's new**

+- Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, runΓÇ»`mdatp health --details antivirus`.

+- Performance improvements & bug fixes

+<br/>

+</details>

+</details>

+<details><summary>Prior releases </summary><blockquote>

+<details><summary>(Build: 101.22.79 | Release version: 20.121012.12279.0)</summary>

+&ensp;Build: **101.22.79** <br>

+&ensp;Release version: **20.121012.12279.0**<br>

+**What's new**

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.19.88 | Release version: 20.121011.11988.0)</summary>

+&ensp;Build:**101.19.88**<br>

+&ensp;Release version: **20.121011.11988.0**<br>

+**What's new**

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.19.48 | Release version: 20.120121.11948.0)</summary>

+&ensp;Build: **101.19.48**<br>

+&ensp;Release version: **20.120121.11948.0**<br>

+**What's new**

+> The old command-line tool syntax has been deprecated with this release. For information on the new syntax, seeΓÇ»[Resources](mac-resources.md#configuring-from-the-command-line).

+- Added a new command-line switch to disable the network extension:ΓÇ»`mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint on Mac.

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.19.21 | Release version: 20.120101.11921.0)</summary>

+&ensp;Build: **101.19.21**<br>

+&ensp;Release version: **20.120101.11921.0** <br>

+**What's new**

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.15.26 | Release version: 20.120102.11526.0)</summary>

+&ensp;Build: **101.15.26**<br>

+&ensp;Release version: **20.120102.11526.0**<br>

+**What's new**

+- Improved the reliability of the agent when running on macOS 11 Big Sur.

+- Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`).

+<br/>

+</details>

+<details><summary>(Build: 101.13.75 | Release version: 20.120101.11375.0)</summary>

+&ensp;Build: **101.13.75**<br>

+&ensp;Release version: **20.120101.11375.0**<br>

+**What's new**

+- Removed conditions when Microsoft Defender for Endpoint was triggering a macOS 11 (Big Sur) bug that manifests into a kernel panic.

+- Fixed a memory leak in the Endpoint Security system extension when running on mac 11 (Big Sur).

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.10.72)</summary>

+&ensp;Build: **101.10.72** <br>

+**What's new**

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.09.61)</summary>

+&ensp;Build: **101.09.61**<br>

+**What's new**

+- Added a new managed preference forΓÇ»[disabling the option to send feedback](mac-preferences.md#show--hide-option-to-send-feedback).

+- Status menu icon now shows a healthy state when the product settings are managed. Previously, the status menu icon was displaying a warning or error state, even though the product settings were managed by the administrator.

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.09.50)</summary>

+&ensp;Build: **101.09.50**<br>

+**What's new**

+- This product version has been validated on macOS Big Sur 11 beta 9.

+- The new syntax for the mdatp command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender for Endpoint on macOS](mac-resources.md#configuring-from-the-command-line).

+> [!NOTE]

+> The old command-line tool syntax will be removed from the product onΓÇ»**January 1st, 2021**.

+- Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory.

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.09.49)</summary>

+&ensp;Build: **101.09.49**<br>

+**What's new**

+- User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user.

+- Improved CPU utilization during on-demand scans.

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.07.23)</summary>

+&ensp;Build: **101.07.23**<br>

+**What's new**

+- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID.

+> [!NOTE]

+> `mdatp --health` will be replaced with `mdatp health` in a future product update.

+- Fixed a bug where automatic sample submission was not marked as managed in the user interface.

+- Added new settings for controlling the retention of items in the antivirus scan history. You can now [specify the number of days to retain items in the scan history](mac-preferences.md#antivirus-scan-history-retention-in-days) and [specify the maximum number of items in the scan history](mac-preferences.md#maximum-number-of-items-in-the-antivirus-scan-history).

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.06.63)</summary>

+&ensp;Build: **101.06.63**<br>

+**What's new**

+- Addressed a performance regression introduced in versionΓÇ»`101.05.17`. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics.

+<br/>

+</details>

+<details><summary>(Build: 101.05.17)</summary>

+&ensp;Build: **101.05.17**<br>

+**What's new**

+> We are working on a new and enhanced syntax for the `mdatp` command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to famliliarize yourself with this new syntax.

+> We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months.

+- Addressed a kernel panic that occurred sometimes when accessing SMB file shares.

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.05.16)</summary>

+&ensp;Build: **101.05.16**<br>

+**What's new**

+- Improvements to quick scan logic to significantly reduce the number of scanned files.

+- Added [autocompletion support](mac-resources.md#how-to-enable-autocompletion) for the command-line tool.

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.03.12)</summary>

+&ensp;Build: **101.03.12**<br>

+**What's new**

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.01.54)</summary>

+&ensp;Build: **101.01.54**<br>

+**What's new**

+- Improvements around compatibility with Time Machine

+- Accessibility improvements

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 101.00.31)</summary>

+&ensp;Build: **101.00.31** <br>

+**What's new**

+- ImprovedΓÇ»[product onboarding experience for Intune users](/mem/intune/apps/apps-advanced-threat-protection-macos)

+- AntivirusΓÇ»[exclusions now support wildcards](mac-exclusions.md#supported-exclusion-types)

+- Added the ability to trigger antivirus scans from the macOS contextual menu. You can now right-click a file or a folder in Finder and selectΓÇ»**Scan with Microsoft Defender for Endpoint**.

+- In-place product downgrades are now explicitly disallowed by the installer. If you need to downgrade, first uninstall the existing version and reconfigure your device.

+- Other performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 100.90.27)</summary>

+&ensp;Build: **100.90.27** <br>

+**What's new**

+- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender for Endpoint on macOS that is different from the system-wide update channel.

+- New product icon

+- Other user experience improvements

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 100.86.92)</summary>

+&ensp;Build: **100.86.92**<br>

+**What's new**

+- Improvements around compatibility with Time Machine

+- Addressed an issue where the product was sometimes not cleaning all files under `/Library/Application Support/Microsoft/Defender` during uninstallation.

+- Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate.

+- Other performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 100.86.91)</summary>

+&ensp;Build: **100.86.91**<br>

+**What's new**

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 100.83.73)</summary>

+&ensp;Build: **100.83.73**<br>

+**What's new**

+- Added more controls for IT administrators aroundΓÇ»[management of exclusions](mac-preferences.md#exclusion-merge-policy),ΓÇ»[management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), andΓÇ»[disallowed threat actions](mac-preferences.md#disallowed-threat-actions).

+- When Full Disk Access is not enabled on the device, a warning is now displayed in the status menu.

+

+<br/>

+</details>

+<details><summary>(Build: 100.82.60)</summary>

+&ensp;Build: **100.82.60** <br>

+**What's new**

+<br/>

+</details>

+<details><summary>(Build: 100.80.42)</summary>

+&ensp;Build: **100.80.42**<br>

+**What's new**

+<br/>

+</details>

+<details><summary>(Build: 100.79.42)</summary>

+&ensp;Build: **100.79.42**<br>

+**What's new**

+- Fixed an issue where Microsoft Defender for Endpoint on Mac was sometimes interfering with Time Machine.

+- Added a new switch to the command-line utility for testing the connectivity with the backend service

+

+- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view).

+<br/>

+</details>

+<details><summary>(Build: 100.72.15)</summary>

+&ensp;Build: **100.72.15**<br>

+**What's new**

+- Bug fixes

+<br/>

+</details>

+<details><summary>(Build: 100.70.99)</summary>

+&ensp;Build: **100.70.99**<br>

+**What's new**

+<br/>

+</details>

+<details><summary>(Build: 100.68.99)</summary>

+&ensp;Build: **100.68.99**<br>

+**What's new**

+- Added the ability to configure the antivirus functionality to run inΓÇ»[passive mode](mac-preferences.md#enforcement-level-for-antivirus-engine).

+- Performance improvements & bug fixes

+<br/>

+</details>

+<details><summary>(Build: 100.65.28)</summary>

+&ensp;Build: **100.65.28**<br>

+**What's new**

+- Added support for macOS Catalina.

+> [!CAUTION]

+> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device.

+>

+> The mechanism for granting this consent depends on how you deployed Microsoft Defender for Endpoint:

+>

+> - For manual deployments, see the updated instructions in the [Manual deployment topic](mac-install-manually.md#how-to-allow-full-disk-access).

+> - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.

+- Performance improvements & bug fixes

+<br/>

+</details>

+<br/><br/>

+</details>

+1. Download [Process Monitor v3.89](/sysinternals/downloads/procmon) to a folder like `C:\temp`.

+| `IsRootSignerMicrosoft` | `boolean` | Indicates whether the signer of the root certificate is Microsoft and the file is built-in to Windows OS |

+## Get the Report Message or the Report Phishing add-ins for the GCC and GCCH users

+If you're a Government Community Cloud High (GCCH) or a Government Community Cloud (GCC) admin, use the following steps to get the Report Message or the Report Phishing add-ins for your organization. Note that if you're an individual user, you can't get the add-in using Microsoft AppSource.

+> [!NOTE]

+> It could take up to 24 hours for the add-in to appear in your organization.

+1. In the Microsoft 365 admin center, go to **Settings** \> **Add-ins**, and select **Deploy Add-In**.

+2. The **Deploy a new add-in** flyout opens. Click **Next**, and then select **Upload custom apps**.

+3. Select **I have a URL for the manifest file**. Use the following URLs to get the [Report Message](https://ipagave.azurewebsites.net/ReportMessageManifest/ReportMessageAzure.xml) and the [Report Phishing](https://ipagave.azurewebsites.net/ReportMessageManifest/ReportPhishingAzure.xml) add-ins.

+4. Choose which users will have access to the add-in and select a deployment method, and then select **Deploy**.

+5. To fully configure the settings, see [User reported message settings](user-submission.md).

+## Use the Report Message or the Report Phishing add-ins

+You can use the Report Message or the Report Phishing add-ins to submit false positives (good email that was blocked or sent to junk folder) and false negatives (unwanted email or phish that was delivered to the inbox) in Outlook. For more information, see [Report false positives and false negatives in Outlook](report-false-positives-and-false-negatives.md).

+- An entry should be active within 30 minutes, but it might take up to 24 hours for the entry to be active.

+ :::image type="content" source="../../medio-quarantine-policy-page.png":::

+ :::image type="content" source="../../medio-quarantine-policy-quarantine-notification-settings.png":::

+ Title: Assess the impact of security configuration changes with Explorer

+description: Examples and walkthrough of using Explorer to determine the impact of a security control (configuration) change in Microsoft Defender for Office 365

+search.product:

+search.appverid:

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mdo

+# Assess the impact of security configuration changes with Explorer

+Before you make change(s) to your security configuration, such as policies or transport rules, itΓÇÖs important to understand the impact of the change(s) so that you can plan and ensure *minimal* disruption to your organization.

+This step-by-step guide will take you through assessing a change, and exporting the impacted emails for assessment. The procedure can be applied to many different changes, by altering the criteria (filters) you use in explorer.

+## What you'll need

+- Microsoft Defender for Office 365 Plan 2 (included as part of E5).

+- Sufficient permissions (Security reader minimum required to assess via Threat Explorer).

+- 5-10 minutes to perform the steps below.

+## Assess changing normal confidence phish delivery location to quarantine (from the Junk email folder)

+1. **Login** to the security portal and navigate to Explorer (underneath *Email & Collaboration* on the left nav) <https://security.microsoft.com/threatexplorer>.

+1. Select **Phish** from the top tab selection (*All email* is the default view).

+1. Press the **filter** button (defaulted to *Sender*) and select **Phish confidence level**.

+1. Select the **Phish confidence level** of **Normal**.

+1. Add an additional **filter** of **Original delivery location** set as **Junk folder**.

+1. Press **Refresh**. Explorer is now filtered to show all the mail that is detected as *high confidence phish* and gets delivered to the Junk folder due to the settings in the anti-spam policy.

+1. If you wish to pivot the data displayed in the chart, you can do by using the **data slicer top left of the chart (defaulted to *Delivery action*)**, selecting useful data such as **Sender IP**, or **Sender domain** to spot trends and top affected senders.

+1. Below the chart section, where the affected emails are displayed, select **Export email list**, which will generate a CSV for offline analysis. **This is a list of the emails which would be quarantined if the phish action was changed to Quarantine (recommended change for both standard and strict presets)**.

+## Assess removing a sender / domain override removal

+1. **Login** to the security portal and navigate to **Explorer** (underneath Email & Collaboration on the left nav) <https://security.microsoft.com/threatexplorer>.

+1. Select **All email** if not already selected.

+1. Press the **filter** button (defaulted to *Sender*) and add either a sender or sender domain filter, then add the entry where you wish to assess the impact of removal.

+1. Expand the date range to the maximum & press **Refresh** You should now see mail listed if the sender / sending domain is still active in messaging your organization. If *not* you may need to tweak the filter, or alternatively you no longer receive mail from that domain / sender and can remove the entry safely.

+1. If mail is listed, this means the entry is still an active sender. Pivot the data in the chart using the data slicer (defaulted to *Delivery action*) to **Detection technology**.

+1. The chart should refresh, and if it now displays no data, this means we have not detected any threats on any of the mail previously shown, which indicates an override is not needed, as there is no detection to override.

+1. If there is data displayed when the data is sliced by **Detection technology**, this means removing the override *would* have impact on this sender / domain due to the protection stack taking action.

+1. You should investigate the mail further to assess if it is truly malicious and the entry can be removed, or if it is a *false positive* and should be remediated so it is no longer incorrectly detected as a threat (authentication is the biggest cause of false positives).

+### Further reading

+Consider using secure presets [Ensuring you always have the optimal security controls with preset security policies](/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies)

+You can also manage email authentication issues with spoof intelligence [Spoof intelligence insight](/microsoft-365/security/office-365-security/learn-about-spoof-intelligence)

+Learn more about email authentication [Email Authentication in Exchange Online Protection](/microsoft-365/security/office-365-security/email-validation-and-authentication)

+ Title: Deploy and configure the report message add-in

+description: The steps to deploy and configure Microsoft's phish reporting add-in(s) aimed at security administrators

+search.product:

+search.appverid:

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mdo

+# Deploy and configure the report message add-in to users.

+The Report message and report phishing add-in for Outlook makes it easy to report phishing to Microsoft and its affiliates for analysis, along with easy triage for admins in the [submissions portal](https://security.microsoft.com/reportsubmission?viewid=user).

+Depending on whether you are licensed for Defender for Office 365, you'll also get added functionality such as alerting & automated investigation and response (AIR), which will remove the burden from your security operations staff. This guide will walk you through configuring the add-in deployment as recommended by the Microsoft Defender for Office 365 team.

+## Choose between which add-in to deploy

+- The Report Phishing add-in provides the option to report only phishing messages

+- The Report Message add-in provides the option to report junk, not junk (false positive), and phishing messages

+## What you'll need

+- Exchange Online Protection (some features require Defender for Office 365 Plan 2)

+- Sufficient permissions (Global admin for add-in deployment, security admin for customisation)

+- 5-10 minutes to perform the steps below

+## Deploy the add-in for users

+1. **Login** to the Microsoft 365 admin center. https://admin.microsoft.com.

+1. On the left nav, press **Show All** then expand **Settings** and select **Integrated Apps**.

+1. On the page that loads, press **Get Apps**.

+1. In the page that appears, in the top right Search box, enter **Report Message** or **Report Phishing**, and then select **Search**.

+1. Press **Get it now** on your chosen app within the search results (publisher is **Microsoft Corporation**).

+1. On the flyout that appears, select who to deploy the add-in to. If testing you may wish to use a specific group, otherwise configure it for the **entire organisation** ΓÇô when youΓÇÖve made a selection press **Next**.

+1. Review the permissions, information and capabilities then press **Next**.

+1. Press **Finish deployment** (it can take 12-24 hours for the add-in to appear automatically in Outlook clients).

+## Configure the add-in for users

+1. **Login** to the Microsoft Security portal at https://security.microsoft.com.

+2. On the left nav, under **Email & collaboration**, select **Policies & rules**.

+3. Select **Threat policies**.

+4. Select **User reported message settings** underneath the **Others** heading.

+5. Ensure **Microsoft Outlook Report Message button** is toggled to **On**.

+6. Under **Send the reported messages to** choose **Microsoft** (Recommended).

+7. Ensure **Let users choose if they want to report** is unchecked and **Always report the message** is selected.

+8. Press **Save**.

+## Optional steps ΓÇô configure notifications

+1. On the configuration page from the earlier steps, underneath the **User reporting experience**, configure the before and after reporting pop-ups title and body if desired. The end users will see the before reporting pop up if **Ask me before reporting** is also enabled.

+2. If you wish for notifications to come from an internal organisational mailbox, select **Specify Office 365 email address to use as sender** and search for a valid mailbox in your organisation to send the notifications from.

+3. Press **Customize notifications** to set up the text sent to reporting users after admin reviews a reported message using Mark & Notify, configure the **Phishing**, **Junk** & **No threats** found options.

+4. On the **Footer** tab, select the global footer to be sent for notifications, along with your organisationΓÇÖs logo if appropriate.

+### Further reading

+Learn more about user reported message settings [User reported message settings - Office 365 | Microsoft Docs](../user-submission.md)

+Enable the report message or report phishing add-in [Enable the Report Message or the Report Phishing add-ins - Office 365 | Microsoft Docs](../enable-the-report-message-add-in.md)

+ Title: How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains

+description: The steps to configure DMARC for MOERA and parked domains.

+search.product:

+search.appverid:

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mdo

+# How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains

+Best practice for domain email security protection is to protect yourself from spoofing using Domain-based Message Authentication, Reporting, and Conformance (DMARC). If you havenΓÇÖt already enabled DMARC for your domains, that should be the first step, detailed here: [Domain-based Message Authentication, Reporting, and Conformance (DMARC)](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)

+This guide is designed to help you configure DMARC for the domains not covered in the above guide, both your Microsoft Online Email Routing Address (MOERA) aka contosocorp.onmicrosoft.com and parked domains which you may not be using for email yet, but could be leveraged by attackers until protected.

+## What youΓÇÖll need

+- Microsoft 365 admin centre and access to your DNS provider hosting your domains

+- Sufficient permissions as Global Admin to make the appropriate changes in the Microsoft 365 Admin Center

+- 10 Minutes to complete the following steps

+## Activate DMARC for MOERA Domain

+1. Login to the [Microsoft 365 Admin Center](https://admin.microsoft.com).

+1. On the left-hand navigation, select **Show All**.

+1. Expand Settings and press **Domains**.

+1. Select your tenant domain (contoso.onmicrosoft.com).

+1. On the page that loads, select **DNS records**.

+1. Select **+ Add record**.

+1. A flyout will appear on the right, ensure that the selected Type is **TXT (Text)**.

+1. Add _dmarc as TXT name.

+1. Add your specific DMARC value.

+1. Press **Save**.

+## Active DMARC for parked domains

+1. Check if SPF is already configured for your parked domain, following this guide: [Set up SPF to help prevent spoofing - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing#how-to-handle-subdomains)

+1. Contact your DNS Domain provider.

+1. Ask to add this DMARC txt record with your appropriate email addresses `v=DMARC1; p=reject; rua=mailto:d@rua.contoso.com;ruf=mailto:d@ruf.contoso.com`.

+## Next Steps

+Wait until the DNS changes are propagated and try to spoof the configured domains. Check if the attempt is blocked based in the DMARC record, and you receive a DMARC report.

+## More Information

+[Set up SPF to help prevent spoofing - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing)

+[Use DMARC to validate email, setup steps - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)