+- Your organization needs to have at least 50 monthly active users for one or more core workloads ΓÇô Teams, OneDrive for Business, SharePoint Online, Exchange Online and Office apps.

+<!-- [!VIDEO https://www.microsoft.com/videoplayer/embed/RWyGL7]-->

+This article shows you how to improve the performance of custom trainable classifiers by providing them more feedback.

+<!-- > [!VIDEO https://www.microsoft.com/videoplayer/embed/RWyGMs]-->

+As you use your classifiers, you may want to increase the precision of the classifications that they're making. You do this by evaluating the quality of the classifications made for items it has identified as being a match or not a match. After you make 30 evaluations for a classifier, it takes that feedback, and automatically retrains itself.

+3. Choose the trainable classifier you used in you auto-apply retention label policy. This is the trainable classifier you'll give feedback on.

+7. If there's another classifier that would be more appropriate for the item, you can choose it from the **Suggest other trainable classifiers** list. This will trigger the other classifier to evaluate the item.

+14. If you aren't satisfied with the results of the retraining, you can choose to provide more feedback to the classifier in the Content Explorer interface and start another retraining cycle or do nothing in which case the currently published version of the classifier will continue to be used.

+Here's a little information on how we formulate the recommendation to republish a retrained classifier or suggest further retraining. This requires a little deeper understanding of how trainable classifiers work.

+After a retrain, we evaluate the classifier's performance on both the items with feedback and any items originally used to train the classifier.

+> DLP supports (in preview) using trainable classifiers as a condition to detect sensitive documents. Content can be defined by trainable classifiers in Exchange Online, SharePoint Online sites, OneDrive for Business accounts, Teams Chat and Channels, and Devices. For more information, see [Trainable Classifiers](classifier-learn-about.md).

+- (preview) Audit or restricted activities when users access sensitive websites in Microsoft Edge browser on Windows devices. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains (preview)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains-preview) for more information.

+- Exchange Online Plan 2

+- SharePoint Online Plan 2

+ > Users configuring the policy and selecting priority SharePoint sites can select SharePoint sites that they have permission to access. If SharePoint sites aren't available for selection in the policy by the current user, another user with the required permissions can select the sites for the policy later or the current user should be given access to the required sites.

+- **SharePoint sites**: Any activity associated with all file types in defined SharePoint sites is assigned a higher risk score. Users configuring the policy and selecting priority SharePoint sites can select SharePoint sites that they have permission to access. If SharePoint sites aren't available for selection in the policy by the current user, another user with the required permissions can select the sites for the policy later or the current user should be given access to the required sites.

+ >Users configuring the policy and selecting priority SharePoint sites can select SharePoint sites that they have permission to access. If SharePoint sites aren't available for selection in the policy by the current user, another user with the required permissions can select the sites for the policy later or the current user should be given access to the required sites.

+ >Users configuring the policy and selecting priority SharePoint sites can select SharePoint sites that they have permission to access. If SharePoint sites aren't available for selection in the policy by the current user, another user with the required permissions can select the sites for the policy later or the current user should be given access to the required sites.

+<!--Learn more about confidence levels in this short video.

+ > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Hx60]-->

+More features are planned and in development. If there's a specific feature that you're interested in, check the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection&searchterms=label) and consider joining the [Microsoft Information Protection in Office Private Preview](https://aka.ms/MIP/PreviewRing).

+The following tables list the minimum Office version that introduced specific capabilities for sensitivity labels that are built in to Office apps. Or, if the label capability is in public preview or under review for a future release. Use the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection&searchterms=label) for details about new capabilities that are planned for future releases.

+For more information about these and other scenarios that are supported by sensitivity labels, see [Common scenarios for sensitivity labels](get-started-with-sensitivity-labels.md#common-scenarios-for-sensitivity-labels). New features are being developed all the time that support sensitivity labels, so you might also find it useful to check the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=Microsoft%20Information%20Protection&searchterms=label).

+`abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrst`

+- Patterns of Base32 encoded 256-bits symmetric key.

+The patterns are designed to match actual credentials with reasonable confidence. The patterns don't match credentials formatted as examples. Mockup values, redacted values, and placeholders, like credential type or usage descriptions, in the position where an actual secret value should present won't be matched.

+You can use SharePoint Syntex to help you automatically generate standard repetitive business documents, such as contracts, statements of work, service agreements, letters of consent, sales pitches, and correspondence. You can do all this quicker, more consistentently, and with fewer errors by using content assembly in SharePoint Syntex.

+With content assembly, you can use an existing document to create a *modern template*, and then use that template to automatically generate new content using SharePoint lists or manual entries as a data source.

+ > [!NOTE]

+ > You can configure multiple date formatters such as MM/DD/YYYY, DD/MM/YYYY, YYYY/MM/DD, and Month DD, including setting time in both 12-hour and 24-hour format.

+ > When using the bidirectional option, the person scheduling the launch must have site owner permissions to both the new SharePoint portal and existing SharePoint portal. Additionally, the two site URLs must exist within the same tenant/domain in order to validate appropriate permissions.

+### Power Automate

+In most cases, Power Automate Flows will continue to work after a SharePoint site geo move. We recommend that you test them once the move has completed.

+- [Enhance communications and collaboration](#enhance-communications-and-collaboration)

+- [Transform employee experiences](#transform-employee-experiences)

+- [Increase frontline operational efficiency](#increase-frontline-operational-efficiency)

+- Helps [safeguard your business](#safeguard-your-business) with security and compliance offerings, including providing [support for modern devices](#secure-endpoints-and-apps-across-device-types-and-operating-systems)

+Microsoft 365 for frontline workers refers to the Microsoft 365 F3 and F1 licenses or Office 365 F3 license, but you can also use an Enterprise license (E1, E3, E5) to implement any of the frontline scenarios. Learn more about [licensing options for frontline workers](flw-licensing-options.md) and which license types you should use for different types of users in your organization.

+## Enhance communications and collaboration

+Streamline team and one-on-one communication across your entire organization with Microsoft 365 for frontline workers capabilities. You can enrich and expand corporate communications with Viva Connections to make sure each of your workers feels connected to your broader organization. Make sure your workforce is able to seamlessly communicate with Teams chats, notifications, Walkie Talkie, and more.

+## Transform employee experiences

+Foster an inclusive company culture and increase employee wellbeing while making sure all of your workers have the resources they need to succeed. Using Microsoft Teams, SharePoint, Viva Connections, and Viva Learning, you can connect employees with the tools, people, and devices they need to do their best work and build skills faster. For example:

+|:::image type="icon" source="/office/medi#wellbeing--engagement) | Nurture a sense of belonging with your frontline employees by helping them engage with your entire organization.|

+|:::image type="icon" source="/office/medi#training--onboarding) | Promote continual growth for your employees and encourage knowledge sharing and exchange.|

+## Increase frontline operational efficiency

+Microsoft 365 includes apps like Lists, Tasks, and Approvals that can help you streamline operations and bring them from paper-based to digitally tracked processes. You can enhance these by adding workflow automation, custom apps, and business data tracking with Power Automate, Power Apps, and Power BI from the Power Platform. Extend even further with solutions provided by our partners in the digital ecosystem.

+Enhance workforce management with [Shifts](shifts-for-teams-landing-page.md), the schedule management tool in Teams that keeps your frontline workforce connected and in sync. [Shifts connectors](shifts-connectors.md) enable you to integrate Shifts with your workforce management (WFM) system. After you set up a connection, your frontline workers can seamlessly view and manage their schedules in your WFM system from within Shifts.

+|:::image type="icon" source="/office/medi#schedule-management) | Simplify and streamline schedule coordination with your frontline workforce. Gain visibility into their schedules and enable them to arrange for cover and leave. |

+Safeguard your business with best-in-class security and compliance features. Microsoft 365 for frontline workers offers identity and access management, identity and threat protection, and security management. The offerings available to your workforce in these areas depends on the licenses you assign to your users in the Microsoft 365 admin center.

+### Manage identities and access with Azure Active Directory

+|Capability |License availability |

+|--||

+|[Azure Active Directory fundamentals](/azure/active-directory/fundamentals/active-directory-whatis) |Enterprise, F1, F3 |

+### Mitigate compliance and privacy risks

+|Capability |License availability |

+|--||

+|[Introduction to security in Microsoft 365](/learn/modules/security-in-m365/) |Enterprise, F1, F3 |

+|[Introduction to compliance tools in Microsoft 365](/learn/modules/compliance-in-m365/) |Enterprise, F1, F3 |

+|[Quick tasks for getting started with Microsoft Purview](/microsoft-365/compliance/compliance-quick-tasks) |Enterprise, available as an add-on for F3 |

+### Simplify deployment and management at scale

+|Capability |License availability |

+|--||

+|[Frontline worker onboarding wizard](flw-onboarding-wizard.md) |Enterprise, F1, F3 |

+|[Deploy Teams at scale](deploy-teams-at-scale.md) |Enterprise, F1, F3 |

+|[Teams policy packages for frontline workers](/microsoftteams/policy-packages-flw) |Enterprise, F1, F3 |

+### Secure endpoints and apps across device types and operating systems

+Equip your employees with industry-specific devices tailored for their needs, or provide a more secure way to communicate on shared or personal devices with Microsoft 365 and Microsoft Teams.

+|Capability |License availability |

+|--||

+|[Manage mobile devices for frontline workers](flw-devices.md) |Enterprise, F1, F3 |

+|[Manage devices with Intune](/microsoft-365/solutions/manage-devices-with-intune-overview) |Enterprise, F1, F3 |

+|[Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview) |Enterprise, F1, F3 |

+|[Device partner integrations with Intune](/mem/intune/protect/device-compliance-partners) |Enterprise, F1, F3 |

+You can implement many helpful scenarios for frontline workers quickly, using out-of-the-box capabilities. For a list of scenarios we recommend and provide guidance for, see [Choose your scenarios](flw-choose-scenarios.md).

+However, it also pays to spend time thinking through exactly what you want to achieve organizationally and setting the appropriate groundwork. Particularly if you need to enhance out-of-the-box scenarios with integrated or custom solutions from solution providers or partners, you'll want to spend time planning and envisioning before you dive in.

+| Antivirus, antimalware, and ransomware protection capabilities for devices include: <ul><li>[Next-generation protection](../defender-endpoint/microsoft-defender-antivirus-in-windows-10.md) (antivirus/antimalware protection on devices together with cloud protection)</li><li>[Attack surface reduction](../defender-endpoint/overview-attack-surface-reduction.md) (network protection, firewall, and attack surface reduction rules) ^[[a](#fna)]</li><li>[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) (behavior-based detection and manual response actions)</li><li>[Automated investigation and response](../defender/m365d-autoir.md) (with self-healing for detected threats)</li><li>[Threat and vulnerability management](mdb-view-tvm-dashboard.md) (view exposed devices and recommendations)</li><li>[Cross-platform support for devices](mdb-onboard-devices.md) (Windows, Mac, iOS, and Android) ^[[b](#fnb)]</li><li>[Centralized management and reporting](mdb-get-started.md) (Microsoft 365 Defender portal)</li><li>[APIs for integration](../defender-endpoint/management-apis.md) (for Microsoft partners or your custom tools and apps)</li><li>[Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (Endpoint security)</li></ul><br/><br/><br/><br/><br/><br/> | Productivity and security capabilities include:<ul><li>[Microsoft 365 Business Standard](../../admin/admin-overview/what-is-microsoft-365-for-business.md) (Office apps and services, and Microsoft Teams)</li><li>[Shared computer activation](/deployoffice/overview-shared-computer-activation) (for deploying Microsoft 365 Apps)</li><li>[Windows 10/11 Business](../../business-premium/m365bp-upgrade-windows-10-pro.md) (upgrade from previous versions of Windows Pro)</li><li>[Windows Autopilot](/mem/autopilot/windows-autopilot) (for setting up and configuring Windows devices)</li><li>[Exchange Online Protection](../office-365-security/exchange-online-protection-overview.md) (antiphishing, antispam, antimalware, and spoof intelligence for email)</li><li>[Defender for Business](mdb-overview.md) (everything listed in the "Defender for Business (standalone)" column) </li><li>[Microsoft Defender for Office 365 Plan 1](../office-365-security/overview.md) (advanced antiphishing, real-time detections, Safe Attachments, Safe Links)</li><li>[Auto-expanding archiving](../../compliance/autoexpanding-archiving.md) (for email)</li><li>[Azure Active Directory Premium Plan 1](/azure/active-directory/fundamentals/active-directory-whatis) (identity management)</li><li>[Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (Endpoint security)</li><li>[Azure Information Protection Premium Plan 1](/azure/information-protection/what-is-information-protection) (protection for sensitive information)</li><li>[Azure Virtual Desktop](/azure/virtual-desktop/overview) (centrally managed, secure virtual machines in the cloud)</li></ul> |

+(<a id="fna">a</a>) Use Microsoft Intune to modify or customize attack surface reduction rules.

+(<a id="fnb">b</a>) Use Intune to onboard iOS, iPadOS, and Android devices. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

+(<a id="fn1">1</a>) Onboard and manage devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or by using Intune, managed in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).

+> You can use the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)) to onboard devices, and to configure security settings. To learn more about Intune, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune).

+| **Microsoft Intune connection**<br/>(we recommend you turn on this setting if you have Intune) | If your organization's subscription includes Microsoft Intune, this setting enables Defender for Business to share information about devices with Intune. |

+- [Microsoft Intune](#intune-for-windows-10-and-11)

+You can onboard Windows clients and other devices in Intune by using the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). There are several methods available for enrolling devices in Intune. We recommend using one of the following methods:

+When you run the local script on a Mac, it creates a trust with Azure Active Directory, if that trust doesn't already exist; enrolls the Mac in Microsoft Intune, if it isn't already enrolled; and then onboards the Mac to Defender for Business. We recommend that you onboard up to 10 devices at a time using this method.

+You can enroll Mac computers in Intune by using the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). There are several methods available for enrolling Mac in Intune. We recommend one of the following methods:

+You can use Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS devices. See the following resources to get help enrolling these devices into Intune:

+- Use Microsoft Intune.

+| The simplified configuration experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | The simplified configuration experience includes a [wizard-like experience](mdb-use-wizard.md) to help you set up and configure Defender for Business. Simplified configuration also includes default security settings and policies to help protect your company's devices as soon as they're onboarded to Defender for Business. You can view and edit your default policies to suit your business needs. To learn more, see [View or edit device policies in Microsoft Defender for Business](mdb-view-edit-policies.md).<br/><br/>With the simplified experience, your security team uses the Microsoft 365 Defender portal as a one-stop shop to: <ul><li>Set up and configure Defender for Business</li><li>View and manage incidents</li><li>Respond to and mitigate threats</li><li>View reports</li><li>Review pending or completed actions |

+| The Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) provider for apps and devices. If you're already using Intune, you can continue to use the Endpoint Manager admin center to manage devices such as mobile phones, tablets, and laptops. See [Microsoft Intune: Device management](/mem/intune/fundamentals/what-is-device-management). |

+ | [Windows clients](mdb-onboard-devices.md) | Choose one of the following options to onboard Windows client devices to Defender for Business:<ul><li>Local script (for onboarding devices manually in the Microsoft 365 Defender portal)</li><li>Group Policy (if you're already using Group Policy and prefer this method)</li><li>Microsoft Intune (if you're already using Intune and prefer to continue using it)</li></ul> |

+ | [Mac](mdb-onboard-devices.md) | Choose one of the following options to onboard Mac:<ul><li>Local script for Mac (*recommended*)</li><li>Microsoft Intune for Mac </li></ul><p>We recommend you use a local script to onboard Mac. Although you can [set up enrollment for Mac devices in Intune](/mem/intune/enrollment/macos-enroll), the local script is the simplest method for onboarding Mac to Defender for Business. |

+ | [Mobile devices](mdb-onboard-devices.md) | Use Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS devices. See the following resources to get help enrolling these devices into Intune:<ul><li>[Enroll Android devices](/mem/intune/enrollment/android-enroll)</li><li>[Enroll iOS or iPadOS devices](/mem/intune/enrollment/ios-enroll)</li></ul> |

+Dependencies: Microsoft Defender Antivirus

+Dependencies: Microsoft Defender Antivirus

+Dependencies: Microsoft Defender Antivirus

+Dependencies: Microsoft Defender Antivirus

+Dependencies: Microsoft Defender Antivirus, Cloud Protection

+Dependencies: Microsoft Defender Antivirus, AMSI

+Dependencies: Microsoft Defender Antivirus, AMSI

+Dependencies: Microsoft Defender Antivirus, RPC

+Dependencies: Microsoft Defender Antivirus

+Dependencies: Microsoft Defender Antivirus

+Dependencies: Microsoft Defender Antivirus, RPC

+Dependencies: Microsoft Defender Antivirus

+Dependencies: Microsoft Defender Antivirus

+Dependencies: Microsoft Defender Antivirus, AMSI

+Dependencies: Microsoft Defender Antivirus, Cloud Protection

+- IT Admin: For more information on how to enable auto-enrollment, see [Windows Enrollment](/intune/windows-enroll#enable-windows-10-automatic-enrollment)

+> [!NOTE]

+> You can use the Microsoft Defender for Endpoint app along with the Approved Client app policy in Intune to set Device Compliance and Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while setting up Conditional Access. Although Microsoft Defender for Endpoint on Android & iOS (App ID - dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it has permission to report device security posture. This permission enables the flow for compliance information to Conditional Access.

+> Please note that this change will be available starting September 30, 2022.

+If you've previously onboarded your servers using MMA, follow the guidance provided in [Server migration](server-migration.md) to migrate to the new solution.

+- Ensure connectivity requirements as specified in [Enable access to Microsoft Defender for Endpoint service URLs in the proxy server](/microsoft-365/security/defender-endpoint/configure-proxy-internet?enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server) are met. They're equivalent to those requirements for Windows Server 2019.

+- We've identified an issue with Windows Server 2012 R2 connectivity to cloud when static TelemetryProxyServer is used **and** the certificate revocation list (CRL) URLs aren't reachable from the SYSTEM account context. The immediate mitigation is to either use an alternative proxy option ("system-wide") that provides such connectivity, or configure the same proxy via the WinInet setting on the SYSTEM account context.

+- Previously, the use of the Microsoft Monitoring Agent (MMA) on Windows Server 2016 and below allowed for the OMS / Log Analytics gateway to provide connectivity to Defender cloud services. The new solution, like Microsoft Defender for Endpoint on Windows Server 2019, Windows Server 2022, and Windows 10, doesn't support this gateway.

+- On Windows Server 2012 R2, there's no user interface for Microsoft Defender Antivirus. In addition, the user interface on Windows Server 2016 only allows for basic operations. To perform operations on a device locally, refer to [Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe](/microsoft-365/security/defender-endpoint/manage-mde-post-migration-other-tools). As a result, features that specifically rely on user interaction, such as where the user is prompted to make a decision or perform a specific task, may not work as expected. It's recommended to disable or not enable the user interface nor require user interaction on any managed server as it may impact protection capability.

+- To enable [Network Protection](/microsoft-365/security/defender-endpoint/network-protection), more configurations are required:

+ In addition, on machines with a high volume of network traffic, performance testing in your environment is highly recommended before enabling this capability broadly. You may need to account for extra resource consumption.

+- Operating system upgrades aren't supported. Offboard then uninstall before upgrading.

+- Automatic exclusions for **server roles** aren't supported on Windows Server 2012 R2; however, built-in exclusions for operating system files are. For more information about adding exclusions, see [Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-currently-supported-versions-of-windows-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

+- On machines that have been upgraded from the previous, MMA-based solution and the EDR sensor is a (preview) version older than 10.8047.22439.1056, uninstalling and reverting back to the MMA-based solution may lead to crashes. If you are on such a preview version, update using KB5005292.

+- To deploy and onboard the new solution using Microsoft Endpoint Manager, this process currently requires creating a package. For more information on how to deploy programs and scripts in Configuration Manager, see [Packages and programs in Configuration Manager](/configmgr/apps/deploy-use/packages-and-programs). MECM 2107 with the hotfix rollup or later is required to support policy configuration management using the Endpoint Protection node.

+-Using the TelemetryProxyServer proxy configuration; other methods aren't affected

+If you've fully updated your machines with the latest [monthly rollup](https://support.microsoft.com/topic/october-12-2021-kb5006714-monthly-rollup-4dc4a2cd-677c-477b-8079-dcfef2bda09e) package, there are **no** other prerequisites.

+- The Latest Cumulative Update (LCU) from September 20, 2018 or later must be installed. It's recommended to install the latest available SSU and LCU on the server

+- Enable the Microsoft Defender Antivirus (MDAV) feature and ensure it's up to date. For more information on enabling Defender Antivirus on Windows Server, see [Re-enable Defender Antivirus on Windows Server if it was disabled](enable-update-mdav-to-latest-ws.md#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-disabled) and [Re-enable Defender Antivirus on Windows Server if it was uninstalled](enable-update-mdav-to-latest-ws.md#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-uninstalled).

+- Download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623) or from [MMPC](https://go.microsoft.com/fwlink/?linkid=870379&arch=x64).

+> If you're installing Microsoft Defender for Endpoint on Servers with McAfee Endpoint Security (ENS) or VirusScan Enterprise (VSE), the version of the McAfee platform may need to be updated to ensure Microsoft Defender Antivirus is not removed or disabled. For more information including the specific version numbers required, see, [McAfee Knowledge Center article](https://kcm.trellix.com/corporate/index?page=content&id=KB88214).

+You'll need to download both the **installation** and **onboarding** packages from the portal.

+In this step, you'll install the prevention and detection components required before onboarding your device to the Microsoft Defender for Endpoint cloud environment, to prepare the machine for onboarding. Ensure all [prerequisites](#prerequisites) have been met.

+This script can be used in various scenarios, including those scenarios described in [Server migration scenarios from the previous, MMA-based Microsoft Defender for Endpoint solution](/microsoft-365/security/defender-endpoint/server-migration) and for deployment using Group Policy as described below.

+For more configuration settings, see [Configure sample collection settings](configure-endpoints-gp.md#configure-sample-collection-settings) and [Other recommended configuration settings](configure-endpoints-gp.md#other-recommended-configuration-settings).

+ The result should show it's running. If you encounter issues with onboarding, see [Troubleshoot onboarding](troubleshoot-onboarding.md).

+ Title: Enable and update Microsoft Defender Antivirus on Windows Server

+description: Learn how to enable and update Microsoft Defender Antivirus on Windows Server

+keywords: Windows Server, Defender Antivirus

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: high

+audience: ITPro

+ - M365-security-compliance

+ - m365-initiative-defender-endpoint

+ms.technology: mde

+# Enable and update Defender Antivirus to the latest version on Windows Server

+If you wish to use Microsoft Defender Antivirus on your Windows Server, and it had been previously disabled or uninstalled, you may need to take further steps to re-enable it and ensure it's fully updated.

+To enable and update Microsoft Defender Antivirus on Windows Server, perform the following steps:

+1. Install the latest Servicing Stack Update (SSU).

+2. Install the latest cumulative update (LCU).

+3. Reinstall Microsoft Defender Antivirus or re-enable it. For more information on how to reinstall or re-enable Microsoft Defender Antivirus on Windows Server, see [Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled](#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-disabled) and [Re-enable Microsoft Defender Antivirus on Windows Server if it was uninstalled](#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-uninstalled).

+4. Reboot the system.

+5. Install the latest version of the platform update.

+ > [!NOTE]

+ > Re-enabling Microsoft Defender Antivirus doesn't automatically install the platform update. You can download and install the latest platform version using Windows update. Alternatively, you can download the update package from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623) or from the [Antimalware and cyber security portal](https://go.microsoft.com/fwlink/?linkid=870379&arch=x64).

+ >

+ > If you're preparing to install the modern, unified solution on Windows Server 2016, you can leverage the [Installer help script](https://github.com/microsoft/mdefordownlevelserver/blob/main/Install.ps1) to automate the platform update and the subsequent installation and onboarding. This script can also assist in re-enabling Microsoft Defender Antivirus.

+## Re-enable Microsoft Defender Antivirus on Windows Server if it was disabled

+First, ensure that Microsoft Defender Antivirus is not disabled either through Group Policy or registry. For more information, see [Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating).

+On Windows Server 2016, in some cases, you may need to use the [Malware Protection Command-Line Utility](command-line-arguments-microsoft-defender-antivirus.md) to re-enable Microsoft Defender Antivirus.

+As a local administrator on the server, perform the following steps:

+1. Open Command Prompt.

+2. Run the following command:

+ `MpCmdRun.exe -wdenable`.

+3. Restart the device.

+## Re-enable Microsoft Defender Antivirus on Windows Server if it was uninstalled

+In case the Defender feature was uninstalled/removed, you can add it back.

+As a local administrator on the server, perform the following steps:

+1. Open Windows PowerShell.

+2. Run the following commands:

+ ```powershell

+ # For Windows Server 2016

+ Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Features

+ Dism /Online /Enable-Feature /FeatureName:Windows-Defender

+ Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Gui

+

+ # For Windows Server 1803 and later, including Windows Server 2019 and 2022

+ Dism /Online /Enable-Feature /FeatureName:Windows-Defender

+ ```

+ When the DISM command is being used within a task sequence running PowerShell, the following path to cmd.exe is required.

+

+ ```powershell

+ C:\Windows\System32\cmd.exe /c Dism /Online /Enable-Feature /FeatureName:Windows-Defender-Features

+ C:\Windows\System32\cmd.exe /c Dism /Online /Enable-Feature /FeatureName:Windows-Defender

+ ```

+ > [!NOTE]

+ > You can also use Server Manager or PowerShell cmdlets to install the Microsoft Defender Antivirus feature.

+3. Reboot the system.

+Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853) ¹)| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-version-2004-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-version-2004-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-version-2004-end-of-servicing), please upgrade

+Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819) ¹)| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1909-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1909-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1909-end-of-servicing), please upgrade

+Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819) ¹)| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1903-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1903-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1903-end-of-servicing), please upgrade

+Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839) ¹)| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1803-1809-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1803-1809-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1803-1809-end-of-servicing), please upgrade

+Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245) ¹)| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1803-1809-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1803-1809-end-of-servicing), please upgrade| <br /> Note: [Deprecated](/lifecycle/announcements/windows-10-1803-1809-end-of-servicing), please upgrade

+ > Custom file indicators with the Allow, Block and Remediate actions are now also available in the [enhanced antimalware engine capabilities for macOS and Linux](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enhanced-antimalware-engine-capabilities-for-linux-and-macos/ba-p/3292003).

+ - Scope - Define the scope of the device group (scoping isn't available in [Defender for Business](../defender-business/mdb-overview.md)).

+The current supported actions for file IOC are allow, audit and block, and remediate. After choosing to block a file, you can choose whether triggering an alert is needed. In this way, you'll be able to control the number of alerts getting to your security operations teams and make sure only required alerts are raised.

+> For more information on configuring this feature on Defender for Endpoint on Linux and macOS, see [Configure file hash computation feature on Linux](linux-preferences.md#configure-file-hash-computation-feature) and [Configure file hash computation feature on macOS](mac-preferences.md#configure-file-hash-computation-feature).

+Below are other thread names that can be used in the sample query from above:

+- If the file isn't allowed by Windows Defender Application Control and AppLocker enforce mode policy/policies, then **Block**

+

+The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, logs, and diagnostic information in order to troubleshoot performance issues on [onboarded devices](/microsoft-365/security/defender-endpoint/onboard-configure) on macOS.

+>- The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).

+>- As a general best practice, it is recommended to update the [ Microsoft Defender for Endpoint agent to latest available version](mac-whatsnew.md)  and confirming that the issue still persists before investigating further.

+To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md).

+>[!NOTE]

+>In case after following the above steps, the performance problem persists, please contact customer support for further instructions and mitigation.

+

+>[!WARNING]

+>Before starting, please make sure that other security products are not currently running on the device. Multiple security products may conflict and impact the host performance.

+## Troubleshoot performance issues using Real-time Protection Statistics

+**Applies to:**

+- Only performance issues related to AV

+Real-time protection (RTP) is a feature of Defender for Endpoint on macOS that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.

+## Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer

+**Applies to:**

+- Performance issues of all available Defender for Endpoint components such as AV and EDR

+The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, logs, and diagnostic information in order to troubleshoot performance issues on [onboarded devices](/microsoft-365/security/defender-endpoint/onboard-configure) on macOS.

+> [!NOTE]

+>- The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).

+>- As a general best practice, it is recommended to update the [ Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md)  and confirming that the issue still persists before investigating further.

+To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md).

+>[!NOTE]

+>In case after following the above steps, the performance problem persists, please contact customer support for further instructions and mitigation.

+## See also

+- [Investigate agent health issues](health-status.md)

+1. Fully update the machine including Microsoft Defender Antivirus (Windows Server 2016) ensuring [prerequisites](configure-server-endpoints.md#prerequisites) have been met. For more information on the prerequisites that have to be met, see [Prerequisites for Windows Server 2016](configure-server-endpoints.md#prerequisites-for-windows-server-2016).

+|Windows clients (such as endpoints running Windows 10 and Windows 11)|In general, you don't need to take any action for Windows clients (unless Microsoft Defender Antivirus has been uninstalled). In general, Microsoft Defender Antivirus should still be installed, but is most likely disabled at this point of the migration process. <br/><br/> When a non-Microsoft antivirus/antimalware solution is installed and the clients aren't yet onboarded to Defender for Endpoint, Microsoft Defender Antivirus is disabled automatically. Later, when the client endpoints are onboarded to Defender for Endpoint, if those endpoints are running a non-Microsoft antivirus solution, Microsoft Defender Antivirus goes into passive mode. <br/><br/> If the non-Microsoft antivirus solution is uninstalled, Microsoft Defender Antivirus goes into active mode automatically.|

+|Windows servers|On Windows Server, you'll need to reinstall Microsoft Defender Antivirus, and set it to passive mode manually. On Windows servers, when a non-Microsoft antivirus/antimalware is installed, Microsoft Defender Antivirus can't run alongside the non-Microsoft antivirus solution. In those cases, Microsoft Defender Antivirus is disabled or uninstalled manually. <br/><br/> To reinstall or enable Microsoft Defender Antivirus on Windows Server, perform the following tasks: <br/>- [Re-enable Defender Antivirus on Windows Server if it was disabled](enable-update-mdav-to-latest-ws.md#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-disabled)<br/>- [Re-enable Defender Antivirus on Windows Server if it was uninstalled](enable-update-mdav-to-latest-ws.md#re-enable-microsoft-defender-antivirus-on-windows-server-if-it-was-uninstalled)<br/>- [Set Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) <br/><br/>If you run into issues reinstalling or re-enabling Microsoft Defender Antivisrus on Windows Server, see [Troubleshooting: Microsoft Defender Antivirus is getting uninstalled on Windows Server](switch-to-mde-troubleshooting.md#microsoft-defender-antivirus-is-getting-uninstalled-on-windows-server).|

+- *Process exclusions* exclude whatever a process touches, but doesn't exclude the process itself.

+|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called *machine groups*) enable your security operations team to configure security capabilities, such as automated investigation and remediation. <br/><br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/><br/> Device groups are created while the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender).|1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>).<br/><br/>2. In the navigation pane on the left, choose **Settings** \> **Endpoints** \> **Permissions** \> **Device groups**.<br/><br/>3. Choose **+ Add device group**.<br/><br/>4. Specify a name and description for the device group.<br/><br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<br/><br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<br/><br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.<br/><br/>8. Choose **Done**.|

+**Congratulations**! You've completed the Setup phase of [switching to Defender for Endpoint](switch-to-mde-overview.md#the-migration-process)!

+7. You can also use Advanced Hunting to search through audit logs of user, files, and site locations for your investigation. The **CloudAppEvents** table contains all audit logs across all locations like SharePoint, OneDrive, Exchange and Devices.

+|**Enable the common attachments filter** <br><br> _EnableFileFilter_|Selected <br><br> `$true`|Selected <br><br> `$true`|Selected <br><br> `$true`|This setting quarantines messages that contain attachments based on file type, regardless of the attachment content. For the list of file types, see [Anti-malware policies](anti-malware-protection.md#anti-malware-policies).|

+|Common attachment filter notifications (**When these file types are found**) <br><br> _FileTypeAction_|**Reject the messages with a non-delivery receipt (NDR)** <br><br> `Reject`|**Reject the messages with a non-delivery receipt (NDR)** <br><br> `Reject`|**Reject the messages with a non-delivery receipt (NDR)** <br><br> `Reject`||

+**To add a new Trusted ARC sealer in the Microsoft 365 Defender portal:**

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Email Authentication Settings** in the **Rules** section \> **ARC** . To go directly to the ARC page, use [email authentication settings](https://security.microsoft.com/authentication?viewid=ARC).

+> [!NOTE]

+> [Guest settings for Microsoft 365 Groups](/microsoft-365/admin/create-groups/manage-guest-access-in-groups) must be enabled to use shared channels with external participants.

+> [!NOTE]

+> [Guest settings for Microsoft 365 Groups](/microsoft-365/admin/create-groups/manage-guest-access-in-groups) must be enabled to use shared channels with external participants.

+> [!NOTE]

+Whiteboard clients are currently being updated to support OneDrive for Business.

+> [!NOTE]

+[Manage sharing for Whiteboard - GCC High](manage-sharing-gcc-high.md)